STE WILLIAMS

Two-factor auth totally locks down Office 365? You may want to check all your services…

Hackers can potentially obtain access to Microsoft Office 365 emails and calendars even if multi-factor-authentication is in place, we were warned this week.

Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems that aren’t well protected, email security biz Proofpoint has argued.

The trick, we’re told, is to target legacy services that use weak or known passwords, are not secured behind multi-factor-authentication, and, once commandeered, can be used to poke around inside a corporate structure. If you don’t know a target’s password, it could be phished via email or instant message.

This all may seem obvious, but apparently some people are being stung by it.

“The current wave of attacks mostly goes after Exchange Web Services and ActiveSync,” said Ryan Kalember, Proofpoint’s senior vice president of cybersecurity strategy, earlier this week. “A little real-time phishing gets mixed in, but is usually not necessary.”

Real-world examples

For example, Proofpoint said it recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO’s emails and calendar in order to sniff out an opportunity to run a sneaky scam.


At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.

Compromised Office 365 accounts in a 75,000-user real-estate investment biz were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.

By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.

“It’s really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication],” Kalember told El Reg.

“Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft’s own MFA, and 3) in Modern Authentication mode. The tech can’t support native iOS/Android mail clients, etc.”

In other words, you may think you’re fully protected – but maybe you should double check, and increase defenses for all service interfaces, particularly concerning Exchange Web Services. Save yourself some pain in the future. ®
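An added illustration of the gap Kalember describes (example code, not Proofpoint's or Microsoft's): a Python check that runs over exported Office 365 sign-in records and flags successful sign-ins through legacy Exchange interfaces (EWS, ActiveSync, IMAP/POP/SMTP) that completed with a password alone. The field names (clientAppUsed, authenticationRequirement, status.errorCode) follow the Microsoft Graph signIn schema as an assumption, and the records below are constructed sample data.

```python
"""Flag Office 365 sign-ins that reached Exchange over legacy protocols without MFA.

Added example for the Proofpoint warning above; not Proofpoint's or Microsoft's code.
Field names are assumed to follow the Microsoft Graph signIn schema; the sample
records are constructed for illustration.
"""
import json
from collections import Counter

# Client types that talk to Exchange without Modern Authentication. MFA is not
# enforced on these paths, so a valid password alone is enough to get in, which
# is exactly the weakness the article describes.
LEGACY_CLIENTS = {
    "Exchange ActiveSync",
    "Exchange Web Services",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Constructed sample sign-in records (assumed Graph signIn shape).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ceo@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.10",
     "createdDateTime": "2018-07-10T08:02:11Z"},
    # Same user, minutes later, reaching the mailbox over EWS with only a password.
    {"userPrincipalName": "ceo@example.com", "clientAppUsed": "Exchange Web Services",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.7",
     "createdDateTime": "2018-07-10T08:05:43Z"},
    {"userPrincipalName": "cfo@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.7",
     "createdDateTime": "2018-07-10T08:09:02Z"},
    # Failed legacy attempt (wrong password): not a compromise, so not flagged here.
    {"userPrincipalName": "cfo@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}, "ipAddress": "203.0.113.8",
     "createdDateTime": "2018-07-10T08:09:30Z"},
    # Modern Authentication client with MFA satisfied: expected, not flagged.
    {"userPrincipalName": "rgm@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.22",
     "createdDateTime": "2018-07-10T08:15:57Z"},
]


def is_legacy_success(rec):
    """True when a legacy-protocol sign-in succeeded with a password only."""
    return (
        rec.get("clientAppUsed") in LEGACY_CLIENTS
        and rec.get("status", {}).get("errorCode", 1) == 0
        and rec.get("authenticationRequirement") != "multiFactorAuthentication"
    )


def find_legacy_signins(records):
    """Return the records that are successful, password-only legacy sign-ins."""
    return [r for r in records if is_legacy_success(r)]


def summarise(findings):
    """Count flagged sign-ins per user so the most exposed accounts surface first."""
    return Counter(r["userPrincipalName"] for r in findings)


def load_signins(path):
    """Load a JSON array of sign-in records exported from the tenant's audit logs."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    flagged = find_legacy_signins(SAMPLE_SIGNINS)
    for r in flagged:
        print(f"{r['createdDateTime']} {r['userPrincipalName']} "
              f"via {r['clientAppUsed']} from {r['ipAddress']} (no MFA)")
    print(dict(summarise(flagged)))
```

Any hit on an account that otherwise signs in with MFA is worth a look, since it means a mailbox interface exists that the MFA policy never sees.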

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/13/2fa_o365_bypass_attacks/

Ticketmaster breach ‘part of massive bank card slurping campaign’

The Ticketmaster breach was not a one-off, but part of a massive digital credit card-siphoning campaign.

Threat intel firm RiskIQ reckons the hacking group Magecart hit Ticketmaster only as part of a massive credit card hacking campaign affecting more than 800 ecommerce sites.

Magecart has evolved tactically from hacking sites directly, to targeting widely used third-party software components. According to RiskIQ researchers, Magecart likely breached the systems of two third-party suppliers integrated with Ticketmaster websites – Inbenta and SociaPlus – and added to or replaced custom JavaScript modules with their digital credit-card copying code.

Malicious scripts injected into ecommerce websites can record the credit card data that customers enter into online payment forms before uploading the data to a server controlled by crooks.

Magecart

Magecart is well-known to RiskIQ, which has tracked its activities since 2015. The group’s credit card swiping attacks have continuously ramped up in frequency, sophistication, and impact, according to the threat intel firm.

RiskIQ researchers found that other suppliers, including web analytics provider PushAssist, CMS Clarity Connect, Annex Cloud, and likely many others, were also compromised by Magecart.

RiskIQ is tracking a highly-targeted Magecart campaign dubbed SERVERSIDE, which has used access to these third-party components to target victims including some of the world’s largest online brands.

“While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster,” said Yonathan Klijnsma, a threat researcher at RiskIQ. “We believe it’s cause for far greater concern—Magecart is bigger than any other credit card breach to date and isn’t stopping any day soon.”

Many publicly reported breaches are wrongly interpreted as individual events but are in reality part of the SERVERSIDE campaign.

According to Ticketmaster’s official statement, the security breach affected Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 until 23 June 2018. RiskIQ researchers found evidence the card slurper was active on additional Ticketmaster websites including Ireland, Turkey, and New Zealand as early as December 2017.

RiskIQ researchers also found that the Command and Control server used in the Ticketmaster attack has been active since December 2016.

More details of RiskIQ’s latest research into the Magecart hacking crew – together with indications of compromise – can be found in a blog post here.

El Reg asked firms named in the research – Ticketmaster, Inbenta, CMS Clarity Connect (via CMSWire), PushAssist and Annex Cloud – to comment. We’ll update this story as new information comes to hand.

Andrew Bushby, UK director at Fidelis Cybersecurity, commented: “This research not only shows that the Ticketmaster breach is much worse than we first thought, but it also exposes the very real security issue with third-party suppliers. Many organisations often learn of a breach through a third-party, or by other organisations that have been hit. It is therefore critical that companies have a better understanding of when sensitive data is leaving the enterprise – or else threat actors such as Magecart will wreak havoc on the network and endpoints.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/ticketmaster_breach_magecart/

US drug cops snared crooks with pre-cracked BlackBerry mobes – and that’s just the start

Analysis Back in 2013, Canadian John Darrel Krokos got 11.5 years in a US jail for leading a massive cocaine smuggling ring. Two years later, his colleague Zaid Wakil was given a 20-year sentence.

What was unique about their cases – and another 20 people also taken down in the investigation by the US Drug Enforcement Agency (DEA) – was how they had been caught: through cracked phones.

In an affidavit connected to Krokos’ case, special agent Rachel Burkdoll revealed that she had sold encrypted BlackBerry phones to Krokos, which he then supplied to his colleagues as a way of communicating confidentially. He had no idea that Burkdoll was a government agent and the US government had retained all the phones’ encryption keys – giving them access to all the content of email and text messages between the two.

It was only a matter of time before the authorities had enough evidence to arrest the entire team and send them to jail for decades.

Incidentally, the affidavit [PDF] contains a fascinating list of pseudonyms for those that were involved. Just one example: “John Darrell Krokos, aka Hulk, aka yoyo hulk, aka JJ, aka Walter, aka Lord of the Beaches, aka Pilot, aka Ape, aka Captain, aka Tutor, aka Amy, aka Heavydee.”

It was a massive coup but also extremely difficult to pull off: getting a drug smuggler to trust your agent enough to buy phones from them was already a long shot. After Burkdoll was forced to reveal the technique in order to put Krokos in jail, it’s fair to say that other drug smugglers became exponentially more cautious over where they get their phones.

And so, around the same time that the technique was revealed, the DEA started looking at other ways to get into suspects’ phones.

Backing of Hacking

According to a special report published today by Human Rights Watch, America’s drug squad agents approached the infamous Italian company Hacking Team to help them install malware on other phones.

In particular, the DEA wanted to buy Hacking Team’s monitoring software for “perhaps 1,000” phones, specifically the BlackBerry 10 – which at the time was the phone of choice for drug smugglers in Latin America.

We know this because Hacking Team’s own emails were hacked and subsequently plastered all over Wikileaks. The most revealing was helpfully titled “Re: Second meeting with DEA.”

It was later revealed that the DEA had signed a $2.4m contract with Hacking Team, sparking Congressional queries that in turn led to the Department of Justice acknowledging that the government agents of the countries in question would “provide the targeted devices” and the DEA would install the software – something it admitted had happened 16 times with the software used to “collect real-time written communications…and location information.”

Amazingly, it turned out that the DEA had cancelled its contract with Hacking Team just days before the DoJ’s letter outlining its use of hacking software.

All of which leads to Human Rights Watch’s larger question: as useful as these techniques may be, what are the legal constraints around them?

The DoJ has so far refused to provide its policies over the provision of cracked phones or the addition of malware to suspects’ phones. The DEA may have cancelled its contract with Hacking Team when the details became public but it made no mention of the techniques behind the contract and it is all too probable that it currently has a different contract with another company to do the same thing.

So, um, your legal process?

It’s not clear what legal instruments and interpretations the DEA and other government departments are using to authorize the real-time monitoring of suspects’ phones, or what level of legal authority they are seeking beforehand.


Human Rights Watch notes that the same techniques may be being used to monitor people that aren’t smuggling drugs “including peaceful activists whose groups may be at risk of government monitoring and non-suspects who may obtain the compromised phones.”

In other words, if there aren’t sufficient safeguards in place for what many would view as a justifiable use of such intrusive techniques when it comes to drug smugglers, how can we be sure that the same techniques aren’t being used against others?

It’s not a theoretical exercise either: law enforcement personnel often share details of how they carried out specific exercises, especially if successful, and that information is not always put to the best use subsequently.

We give you the example of how cops in Maryland used cellphone-tracking technology to hunt down a man who stole $50 of chicken wings. The technology was only supposed to be used in sensitive counter-terrorism cases but a lack of controls meant it was used to find a food thief.

And then there was the constant surveillance of everyone in Greater Boston using cameras and techniques developed for Iraq, with the police avoiding public scrutiny by accepting funds from a Texas billionaire.

Limited?

Weird but true. So are there ordinary US citizens whose phone calls and emails are being monitored on a constant basis because some billionaire paid for it, or because some local sheriff has a beef with somebody in his district?

It’s all too possible. Which is why Human Rights Watch wants to see the policies behind cracked phones and malware.

“Where surveillance is concerned, international human rights law requires any government that interferes with privacy or correspondence to comply with domestic and international law,” it notes. “The measure must also be limited to what is necessary and proportionate to achieving a legitimate aim.

“Surveillance should be authorized by a court or other body that is independent of the law enforcement, intelligence, or other agency implementing the surveillance.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/13/dea_cracked_blackberry_smartphones/

Hope for Hutchins, Navy sinks contractor, there’s another Russian hacking scandal, and more

Roundup This week, when we weren’t watching the football and sobbing uncontrollably, we saw security headaches at NPM and Ticketmaster, and a priest in hot water with cybercrime charges.

But there’s always more in the security world. Here are a few other bits of security news from recent days.

Russians could be behind ‘cyber caliphate’

The US Senate is asking the Justice Department to look into the possibility that an Islamic extremist hacking group was actually the work of the Russian government.

Senators Ron Wyden (D-OR) and Cory Gardner (D-CO) have written a letter [PDF] to Attorney General Jeff Sessions asking for an investigation into whether ‘Cyber Caliphate,’ a group that targeted military families with a series of attacks in 2015, was just a front for APT28, a Kremlin hacking operation.

“If substantiated, the claims about APT28 posing as the Cyber Caliphate could be the first public evidence that influence operations have specifically targeted American military families,” the senators write.

“If left unchecked, such operations would threaten the personal liberty, financial security, mental health, and morale of our military families.”

Smart or spying TV?

Speaking of senators, Ed Markey (D-MA) and Richard Blumenthal (D-CT) have written to America’s trade watchdog, the FTC, demanding a probe into the privacy implications of smart TVs. They’re upset that internet-connected tellies could be used to spy on folks.

“Many Internet-connected smart TVs are equipped with sophisticated technologies that can track the content users are watching and then use that information to tailor and deliver targeted advertisements to consumers,” the pair wrote.

“Regrettably, smart TV users may not be aware of the extent to which their televisions are collecting sensitive information about their viewing habits.”

Windows fixes for Intel’s lazy CPU hole

Buried in the July 2018 Patch Tuesday release, Microsoft mitigated the LazyFP processor flaw, CVE-2018-3665, for Windows 10, 8.x, Server 2008 R2, and Server 2012. It was believed modern Windows was immune to the security vulnerability in Intel chips; however, it is not, so get patching by grabbing and installing these updates.

Firebase admins: Wake up

If you use Firebase to store data for your mobile applications, then make sure they are secured – someone’s made a tool to scan for and identify vulnerable installations.

Hutchins moves to toss hacking charges

Reverse-engineer ace and accused hacker Marcus Hutchins is asking a US federal district court in eastern Wisconsin to drop the charges, filed against him by the FBI, that he developed malware.

In a fresh submission, Hutchins’ lawyers allege that investigators did not have the jurisdiction to charge the Brit with criminal acts when he was living in the UK at the time and had no interactions with anyone in the Milwaukee area where the case is being heard.

“None of Mr Hutchins’ acts is alleged to have occurred while he was in the United States or to have been directed toward the United States,” the motion argues.

If successful, the motion would have Hutchins’ charges tossed, and free the Brit to return home to Britain from America, where he is living while awaiting trial. Hutchins, best known for his work in stopping the WannaCry malware, was charged with allegedly creating and selling a banking malware known as Kronos back in 2014 and 2015.

Navy blue over contractor’s theft

A former electrical engineer faces decades in the clink after being convicted of stealing software and building plans from the US Navy.

Jared Sparks, 35, was convicted on six counts of trade secret theft, six counts of uploading trade secrets, and one count of transmission of trade secrets by a federal jury in Hartford, Connecticut.

The convictions stem from allegations that Sparks, working for Navy contractor LBI Inc, copied and uploaded thousands of files related to the company’s contracts with the Navy for underwater drones and buoys.

Sparks was found to have copied the docs to his personal Dropbox account with the aim of shifting the data with him to a new job at competing company Charles River Analytics.

“Jared Sparks stole thousands of documents—including proprietary designs and renderings – from his former employer when he left to work for a competitor,” Acting Assistant Attorney General John Cronan said of the conviction.

“Yesterday’s verdict sends a clear message that the Department of Justice is committed to protecting American intellectual property and will aggressively prosecute those who steal it.”

Experts worry (again) over attacks on power grid (again)

Stop us if you’ve heard this one before: the world’s power grids are dangerously prone to infrastructure attacks on their embedded hardware.

This time, it’s researchers with Applied Risk who are sounding the alarm (PDF) after discovering multiple vulnerabilities in hardware made by Schweitzer Engineering Laboratories, a company that develops the security systems power plants use to keep hackers out.

According to researcher Gjoko Krstic, the flaws could allow bad guys to do things like inject commands into servers and shut down key systems.

“An unauthenticated user can craft a malicious project and/or template file that will enable her to read arbitrary files within the context of an affected system allowing disclosure of valuable information via out of band channels,” Krstic said.

“It can also cause a denial of service scenario requiring an application restart, by running a malicious FTP server.”

Juniper patches up JunOS bugs

Before checking out entirely for the week, admins will want to check if their Juniper Networks gear needs an update.

The vendor has issued a patch to shore up CVE-2018-0030, a denial of service bug present in the Junos OS in MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) or PTX3K-FPC3 and PTX1K 15.1, 15.1F, 16.1, 16.1X65, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4.

Juniper says the cards can be crashed by an attacker who sends specially-crafted MPLS packets to the targeted device. As there is no workaround for the issue other than installing a patch, Juniper is recommending customers check for and install the fix as soon as possible. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/14/security_roundup_july_13/

It pays to know your enemies: Sophos webinar gives you the lowdown on cybercrime

Promo No sooner have organisations fought off one type of security nightmare than another one looms even larger.

Security experts say that ransomware, having raged through high-profile organisations including the NHS, is becoming old hat. A more profitable and hard-to-trace strain of malware known as cryptojacking is replacing it as the biggest threat to large organisations.

Cryptojacking hackers install mining scripts or other malware onto the computers of unsuspecting users to mine cryptocurrency for themselves. Their exploits have recently caused havoc at leading companies such as Tesla, and new strains are still appearing.

Understanding the ins and outs of cybercrime is the first step in spotting ever-evolving forms of malware and preventing their ravages. A webinar presented by Fraser Howard, principal threat researcher at SophosLabs, will help you to do just that.

Howard spends his days hands-on with Malware in the Sophos labs and so knows precisely how all the moving parts of malware-driven cybercrime fit together. All will be revealed in an interview with Sophos senior technologist Paul Ducklin.

The webinar starts at 2pm BST on Wednesday 18 July, and you can sign up here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/13/cybercrime_webinar/

Scam alert: No, hackers don’t have webcam vids of you enjoying p0rno. Don’t give them any $$s

Scumbags are trying to extort money from netizens by threatening to leak to friends and family videos of their marks watching X-rated videos.

A Reg reader this week shared their story of being contacted by an extortionist who claimed to have obtained, through hacking our reader’s PC, compromising webcam footage of them engaging in an act of self-love while watching an adult website. No such video existed. Our tipster is also not the only one to receive one of these messages this month.

To help push the scam, the crooks had harvested some low-hanging fruit – a weak password scraped from a hacked forum our reader had frequented. The attacker showed the password to the reader in an attempt to convince them that the miscreant really was a hacker, and to pay up or else.

It’s probably easier to just paste the email so you can see what we mean:

I’m aware, [REDACTED], is your password. You don’t know me and you are probably wondering why you’re getting this email, right?

Let me tell you, I actually placed a malware on the adult video clips (porn) website and there’s more, you visited this site to experience fun (you know what I mean). While you were watching videos, your web browser began operating as a RDP (Remote control Desktop) that has a key logger which gave me accessibility to your screen and also webcam. Immediately after that, my software collected every one of your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you’ve got a fine taste ; )), and second part displays the recording of your web cam.

What should you do?

Well, in my opinion, $2900 is a fair price tag for our little secret. You will make the payment via Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

In this case, the extortionist is banking on the target reusing their leaked password for other more important websites and being convinced that those accounts have been compromised as well. In reality, the attacker probably only has the one password, harvested from a forum you likely visited several years ago, and only wants to get a quick payout.


As our source notes, this is likely going to be successful enough to win the scammers a few easy bucks. After all, no one relishes the thought of friends and family seeing them indulge in the pleasures of the palm or pinkie.

“These people have obviously managed to hack a small time forum somewhere, as the password is, indeed, one of the low level passwords I use on forums where I don’t give a flying about the account,” our tipster told us on Thursday.

“However, if they are sending these out to people, then the scare factor is going to be significant enough to push real buttons on some people.”

Fortunately, at least one of the accounts used by the scammers has been suspended by Microsoft.

If you receive this email, don’t panic. Don’t pay up. There most likely isn’t a video. Change your password, and consider using two-factor authentication and a password manager to keep your accounts secure going forward. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/13/hacker_extortion_scam/


Thought two-factor auth completely locks down Office 365? Not quite

Hackers can potentially obtain access to Microsoft Office 365-hosted emails and calendars even if multi-factor-authentication is thought to be in place, we were warned this week.

Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems, according to email security biz Proofpoint.

The trick is to target legacy services that use weak or known passwords, are not secured behind multi-factor-authentication, and, once commandeered, can be used to poke around inside the corporate structure. If you don’t know the password, it could be phished via email or instant message.

This all may seem obvious, but apparently people are being stung by it.

“The current wave of attacks mostly goes after Exchange Web Services and ActiveSync,” said Ryan Kalember, Proofpoint’s senior vice president of cybersecurity strategy, earlier this week. “A little real-time phishing gets mixed in, but is usually not necessary.”

Real-world examples

For example, Proofpoint recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO’s emails and calendar in order to sniff out an opportunity to run a sneaky scam.


At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.

Compromised Office 365 accounts in a 75,000-user real-estate investment firm were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.

By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.

“It’s really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication],” Kalember told El Reg.

“Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft’s own MFA, and 3) in Modern Authentication mode. The tech can’t support native iOS/Android mail clients, etc.”
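The interface gap Kalember describes shows up in the sign-in logs before it shows up as a wire transfer. The following added example (it is not Proofpoint's or Microsoft's code) triages sign-in records shaped like Microsoft Graph / Azure AD sign-in log entries (fields clientAppUsed, authenticationRequirement, status.errorCode, userPrincipalName, ipAddress, createdDateTime) for successful logons over legacy protocols such as EWS and ActiveSync that were never challenged for a second factor, and for password-guessing runs that ended in such a logon. The sample records are constructed for illustration, and the set of legacy client-app names is an assumption that should be matched against what a given tenant's logs actually contain.

```python
"""Triage Azure AD / Office 365 sign-in records for legacy-protocol logons
that never went through MFA.

Added example, not code from Proofpoint or Microsoft. It assumes records in
the shape of Microsoft Graph sign-in log entries (clientAppUsed,
authenticationRequirement, status.errorCode, userPrincipalName, ipAddress,
createdDateTime). SAMPLE_LOG below is constructed for illustration.
"""
import json
from collections import Counter

# clientAppUsed values taken to mean a basic-auth (legacy) protocol was used.
# Modern Authentication clients report "Browser" or
# "Mobile Apps and Desktop clients" instead. Assumed list: check it against
# the values that appear in your own tenant's logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Exchange Web Services",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Constructed sample log, one JSON object per line, like a Graph export.
# Story: the CEO's mailbox is read over EWS with only a password, and the
# CFO's ActiveSync endpoint is guessed at three times before a hit.
SAMPLE_LOG = """
{"createdDateTime": "2018-07-10T08:02:11Z", "userPrincipalName": "ceo@example.com", "ipAddress": "192.0.2.10", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2018-07-10T08:05:43Z", "userPrincipalName": "ceo@example.com", "ipAddress": "203.0.113.45", "clientAppUsed": "Exchange Web Services", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2018-07-10T09:11:02Z", "userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2018-07-10T09:11:09Z", "userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2018-07-10T09:11:15Z", "userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2018-07-10T09:11:22Z", "userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2018-07-10T10:30:00Z", "userPrincipalName": "cfo@example.com", "ipAddress": "192.0.2.10", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(record):
    """True when the sign-in came over one of the assumed legacy protocols."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def succeeded(record):
    """Azure AD reports success as errorCode 0; anything else is a failure."""
    return record.get("status", {}).get("errorCode", 0) == 0


def is_legacy_success(record):
    """A successful legacy-protocol logon that was not challenged for a second
    factor: the exact path the article describes."""
    return (is_legacy(record) and succeeded(record)
            and record.get("authenticationRequirement") != "multiFactorAuthentication")


def triage(records, failure_threshold=3):
    """Return the findings a responder wants first:
    legacy_successes       - single-factor legacy logons (who, where from, how)
    failed_legacy_attempts - failed legacy logons counted per (user, ip)
    guessed_then_in        - (user, ip) pairs with >= failure_threshold
                             failures followed by a legacy success, i.e. a
                             password-guessing run that worked
    """
    legacy_successes = []
    failures = Counter()
    guessed_then_in = set()
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if not is_legacy(rec):
            continue  # modern clients are covered by the MFA policy
        key = (rec["userPrincipalName"], rec["ipAddress"])
        if succeeded(rec):
            if is_legacy_success(rec):
                legacy_successes.append({
                    "time": rec["createdDateTime"],
                    "user": rec["userPrincipalName"],
                    "ip": rec["ipAddress"],
                    "client_app": rec["clientAppUsed"],
                })
            if failures[key] >= failure_threshold:
                guessed_then_in.add(key)
        else:
            failures[key] += 1
    return {
        "legacy_successes": legacy_successes,
        "failed_legacy_attempts": failures,
        "guessed_then_in": guessed_then_in,
    }


if __name__ == "__main__":
    findings = triage(parse_log(SAMPLE_LOG))
    for hit in findings["legacy_successes"]:
        print("single-factor legacy logon:", hit)
    for user_ip in findings["guessed_then_in"]:
        print("password guessing succeeded for:", user_ip)
```

Because a legacy protocol cannot present a second factor, the remedy is to stop accepting basic authentication on those endpoints rather than to bolt MFA onto them: in Exchange Online that is an authentication policy (New-AuthenticationPolicy / Set-AuthenticationPolicy with basic auth disabled per protocol), or an Azure AD Conditional Access rule scoped to legacy authentication clients, applied once a triage like this shows which users and devices still depend on them.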

In other words, you may think you’re fully protected – but maybe you should check again. Save yourself some pain in the future. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/13/2fa_o365_bypass_attacks/

Indictment bombshell: ‘Kremlin intel agents’ hacked, leaked Hillary’s emails same day Trump asked Russia for help

American prosecutors have accused 12 suspected Russian spies of hacking Democrat and Hillary Clinton campaign officials to publicly leak their sensitive emails and potentially influence the 2016 US Presidential Election.

Deputy Attorney General Rod Rosenstein today announced criminal conspiracy charges against a dozen people he says worked on behalf of Russia’s GRU military intelligence agency to break into machines run by the DNC and the Clinton campaign, and steal and disclose those sensitive documents, in hope of tipping the outcome of the election in favor of Donald Trump.

An 11-count indictment charges Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin, and Anatoliy Sergeyevich Kovalev with conspiracy, money laundering, and identity theft, for their alleged work on behalf of Unit 74455, a branch of Russian intelligence.

According to an indictment [PDF], the group was behind the DCLeaks website and Guccifer 2.0 persona that funneled the materials to the public through an unnamed online outlet (cough, cough, WikiLeaks) to nudge national sentiment in Trump’s favor and Russia’s interests.

“Free and fair elections are hard-fought and contentious, and there will always be adversaries who work to exacerbate domestic differences and try to confuse, divide, and conquer us,” Rosenstein said. “So long as we are united in our commitment to the shared values enshrined in the Constitution, they will not succeed.”

It is claimed the hackers spear-phished DNC officials to lift their login credentials, infiltrated their computers and email inboxes, and siphoned off vital information on the pending election. The alleged snoops set up an encrypted backdoor tunnel into the DNC’s servers, and used it to exfiltrate gigabytes of information without being detected.

These files were then shared with websites and the wider internet to embarrass the Dems, derailing to some degree their bid to control Congress and the White House, it is claimed. The indictment also alleged that at least one US congressional candidate also sought out dirt from the hackers.

“On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a request for stolen documents from a candidate for the US Congress,” the indictment stated. “The Conspirators responded using the Guccifer 2.0 persona and sent the candidate stolen documents related to the candidate’s opponent.”

Rosenstein emphasized no Americans were charged or implicated in the indictments. However, folks poring over the legal paperwork clocked almost immediately that on the day Trump publicly called on Russian hackers to extract emails from Clinton’s systems, the alleged Kremlin-controlled miscreants struck – “for the first time,” according to the indictment.

The document also noted that at least one person on Trump’s campaign staff had contact with the hackers in the lead-up to the election.

“On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, ‘thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?’ On or about August 17, 2016, the Conspirators added, ‘please tell me if i can help u anyhow . . . it would be a great pleasure to me,’” the indictment stated.

“On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, ‘what do u think of the info on the turnout model for the democrats entire presidential campaign.’ The person responded, ‘[p]retty standard’.”


The President, who is visiting the UK right now and is about to meet Russia’s supreme leader Vladimir Putin, insists that there was no collusion between Moscow and himself, his campaign, his family, or his staff to scupper Clinton’s White House dream.

It could be argued that, like the Russian-booked Facebook ads, the leaked emails may not have changed the minds of American citizens, who by mid-2016, were well aware of the pros and cons of Hillary and Donald. On the other hand, according to the US Department of Justice, an attempt was at least made by the Kremlin to meddle with the presidential elections – and up with this we will not put.

Meanwhile, US elections are still potentially at the mercy of hackers. Political forecasters FiveThirtyEight warned in May they have been working with a researcher who found that “several states” in America were still vulnerable to attacks on their election websites.

They noted that webpages operated by Alabama and Nevada were both found to contain bugs that would allow scumbags to alter public information, potentially misleading voters and tipping the outcome of elections. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/13/russians_election_tampering/

Congressional Report Cites States Most Vulnerable to Election Hacking

A new report details issues with 18 states along with suggestions on what can be done.

With the cyberattacked 2016 elections as prelude and the 2018 mid-term elections looming, the House of Representatives Committee on Administration – Democrats has issued a report highlighting the 18 states considered most vulnerable to election-hacking.

Congress has appropriated $380 million to help states harden their systems and prepare their defenses, and the report ranks the 18 at least partially on how they have requested to use that money.

The report sorts the vulnerable 18 into three tiers:

  • TIER 1: “States that have the most serious election security vulnerabilities. These states rely exclusively on electronic voting machines that do not have a paper record. It is nearly impossible to determine if paperless voting machines have been hacked and if vote tallies have been altered.”
  • TIER 2: “States that have significant election security vulnerabilities but may not be planning on using federal assistance to address their biggest vulnerabilities.”
  • TIER 3: “States that have significant election security vulnerabilities and are using their federal funds to address those issues, though they need additional assistance to fully upgrade their election infrastructure.”

Tier 1 states with the most serious vulnerabilities are Delaware, Georgia, Louisiana, New Jersey, and South Carolina. The recommendations for each include changing the voting mechanism to include a paper trail, with individual additional suggestions based on their current state of IT readiness.

Tier 2 states are Arizona, Florida, Illinois, Indiana, Kansas, New Hampshire, Tennessee, Texas, and Wisconsin. In Tier 3 are Arkansas, Iowa, Pennsylvania, and Washington.

For more, read here.


Article source: https://www.darkreading.com/threat-intelligence/congressional-report-cites-states-most-vulnerable-to-election-hacking/d/d-id/1332295?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple