STE WILLIAMS

Lessons from My Strange Journey into InfoSec

Establishing an entrée into the security world can be a maddeningly slow process. For those of us already here, it can be an opportunity to help others.

If you looked only at my educational career and résumé, I’m the last person you would expect to go into a career in technology. And yet I’m not unique in this regard; this is a very common situation for people in the infosec industry. You might wonder how we all ended up here and what lessons we can offer to those wishing to start their careers (even via a more traditional path). Here’s my story.

People usually assume that because I have a technical job, I must have a degree in computer science. I don’t. I dropped out of college and worked as a florist before starting at a security software company. I had never even heard of computer security as a career path.

After leaving my last florist job, my next adventure started with one lucky step: I took a temp job as an office manager’s assistant. When I had downtime from my regular duties, I offered to do odd jobs for other departments, including the malware research labs. After my temp job ended, I sought a position working in the labs.

My first position was as the email equivalent of the dreaded auto-attendant: “Your sample is very important to us! Your email will be answered as quickly as possible, in the order in which it was received.” To motivate and decrease grumpiness from recipients of this auto-reply, I started adding links to educational resources in my reply templates. Sometimes the resources I needed didn’t exist and I ended up having to create them by asking malware analysts what they wanted people to know.

The process of figuring out how to educate the people who were coming to us for help educated me too. Each new thing I learned gave me another idea for how to make my job — and the job of the malware analysts I worked with — easier and more pleasant, and allowed me to take on more of the work of our analysts. Eventually, I had automated much of the process of frontline response and was primarily doing the work of a malware analyst. By the time I left, I was helping to design automation to speed up the malware analysis process.

Much of what I did for the first few years was metaphorically scrubbing latrines for the department, but it was work I thoroughly enjoyed because it gave me a chance to learn new things almost every day. My willingness to do scut work provided me with an amazing opportunity to get a foothold in an industry that is notoriously difficult to break into. Whether you’re looking to get into the industry with no official education or experience, or you’ve got a degree and are still having a hard time getting in, here are two things you can do to improve your odds.

Establish a Good Reputation
Much of what made achieving my first official security job title possible was a matter of establishing my reputation within the research labs as someone who was willing to do even the most onerous tasks quickly, enthusiastically, and effectively. I moderated the impatience of grumpy inquirers so that analysts could focus on malware samples. I created department-wide tool repositories as I learned what the tools did. I created documentation for our whole process so that it was repeatable by new hires as well as by automation.

Even if you don’t have the good fortune of working at a company with an established security group, there are plenty of industry-wide groups that you can join and where you can offer your assistance — and learn important skills in the process.

Be Indispensable
A common theme I hear frequently is about how many people get into this industry from surprisingly diverse past careers because they took on a huge problem that no one else had the time or inclination to address. Before their first day in an official security role, they had already created handy tools, or they created much-needed documentation, or they spread information to help people via public blogs or forums. They took time to help others, and thus became indispensable to people who already work in this industry. When a suitable position became available, their lack of technical experience or training was a nonissue because we, collectively, could not afford to be without them.

Establishing a good reputation in this industry is absolutely essential, and it can be a maddeningly slow process. Because of the sensitive nature of the work we do, you must have more than just knowledge and experience to establish your career; someone already in this industry must vouch for you. But this can be an opportunity too, for those of us willing to put ourselves out there to help others.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …

Article source: https://www.darkreading.com/attacks-breaches/lessons-from-my-strange-journey-into-infosec/a/d-id/1332263?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Snakes on a plane! (Stuffed inside a hard drive)

Somebody tried to board a plane in Miami with Python on their hard drive. What’s the big deal? It’s just a high-level programming language for general-purpose programming, for Pete’s sake!

…oh …I see …it was AN ACTUAL PYTHON – a ball python, crammed into some pantyhose, stuffed into a hard drive, hidden in checked luggage, bound for Barbados.

The US Transportation Security Administration (TSA) on Tuesday put up an Instagram post in which it said that its agents had “prevented a young Ball Python from flying the friendly skies” on Sunday.

The would-be snake smuggler was a woman on her way to Barbados. She had stuffed the snakelet into some pantyhose, then stuck it in a hard drive that she put into her checked luggage. Going by photos posted on the TSA’s Instagram post, the python didn’t suffocate, though it probably would have liked to stuff its owner into a hard drive and see how she liked it.

The python was handed over to the US Fish and Wildlife Service, and the service cited and fined the would-be snake smuggler for unspecified transgressions that should have included aggravated infliction of meme generation involving Samuel L. Jackson.

A TSA spokeswoman told the Miami Herald that an officer had discovered an “organic mass” inside an electronics device, which raises security flags. A TSA bomb expert was called into the baggage screening room to investigate the hard drive’s innards, and that’s when he discovered the mass was a live snake.

TSA spokeswoman Sari Koshetz told the newspaper that while the snake wasn’t a terrorist threat, there are plenty of times when wild animals in the cargo hold are in fact quite dangerous. Like, say, the crocodile that chewed through its plastic container (Warning: Tupperware is not recommended for transport of flesh-tearing reptiles) and was found loose in the cargo hold of a plane headed to Melbourne. Koshetz:

While this mass inside the electronic device was obviously not an imminent terrorist threat to the traveling public, the interception did prevent a possible wildlife threat on an aircraft. Animals of many species have been known to escape and chew through wires with fatal results.

Tell us about it! We’ve already brought you the shocking (get it??!!) news about squirrels possibly wreaking cyber outages with their rodenty chewing through wires, not to mention the RAT that gobbled up $17,500 in an ATM. Oh, excuse me, that would be the lowercase rat, one of which literally ate a smorgasbord of cash when it got in through a network cable access hole but then couldn’t quite figure out how to get back out.

In closing, we all need to heed TSA agent Bob Burns’ recommendations about what we should and shouldn’t bring onboard airplanes, including Satan’s pizza cutter. That thing will poke your eye out. Probably some innards, too.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OxSq19bGvcQ/

Default router password leads to spilled military secrets

Undercover analysts recently came across an average-skill hacker peddling highly sensitive military data about tanks, drones, techniques to mitigate improvised explosive devices (IEDs) and more… who for the life of him couldn’t find a buyer.

He was a hacker sadsack, the researchers said: the hacker didn’t know how much to charge for what he was pushing, didn’t know where to sell it, and didn’t know who might want to buy it.

Business Insider quoted Andrei Barysevich, a researcher at Recorded Future, which on Tuesday posted a report about the discovery made by its threat intelligence team, known as the Insikt Group:

He had no knowledge of how much this data may cost and where and whom to sell it to.

Recorded Future says that its Insikt Group first spotted the attempted sale of what it believes are US Air Force and Army documents on 1 June, while monitoring criminal activities on the deep and dark web. As of Tuesday, as far as the Insikt Group can tell, the hacker still hadn’t drummed up any business, in spite of slashing his dark-web asking price to $150.

Business Insider reports that the hacker is believed to live in “a poverty-stricken country in South America.” He blamed lack of bandwidth for a slow internet connection that kept him from downloading as much information as he had hoped to get before he found a willing buyer. Eager for a quick sale, he was open to freely handing out samples to analysts.

In spite of his wonky connection, the English-speaking hacker claimed to have access to manuals for the MQ-9 Reaper – a “hunter-killer” drone that’s considered to be one of the most advanced and lethal military technologies commissioned in the past two decades – the M1 Abrams battle tank, a tank platoon training course, a crew survival course, and documents pertaining to IED mitigation tactics.

In the weeks that followed the discovery of the hacker’s attempted sale, undercover Insikt Group analysts kept the conversation going. The team verified that the hacker’s wares were legitimate, managed to identify the name and country of residence of somebody associated with a larger group that it believes the hacker’s subgroup is part of, and learned that the documents had been leaked via a previously disclosed FTP vulnerability in Netgear routers that dates back to 2016.

That remote-access hole would be Netgear’s CVE-2016-582384, which we wrote up in December 2016.

As Netgear reported at the time, and which Recorded Future pointed out, all it would have taken to protect a device from this well-known, easily exploited attack is a simple, 6-step process to change the default user name on a Netgear router from admin (ouch!) and the password from password (ay, yi, yi…).

The hacker used the Shodan search engine to look for misconfigured routers that use a standard port 21. Once attackers hit on a high-profile target found via Shodan, they can then compromise a system and steal its files.

That’s how the hacker first got into the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech Air Force base in Nevada. He stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. Such books aren’t classified on their own, but adversaries can use them as a tool to assess any weaknesses that military equipment such as unmanned aerial vehicles (UAVs) might have.

The captain had just completed the Cyber Awareness Challenge and should have hardened his computer’s defenses to ward off unauthorized access, Recorded Future pointed out:

In this case, setting the FTP password.

The hacker caught the eye of Recorded Future analysts when he registered as a new member of a hacking forum and tried to sell the MQ-9 Reaper drone documents.

After he put the Reaper documents up for sale, the hacker listed another set of military documents, but this time, he didn’t disclose the source of his find. Recorded Future figures that, given the content, they were apparently stolen from the Pentagon or from an Army official.

This second set contained more than a dozen training manuals on the subjects of IED defeat tactics, an M1 Abrams tank operation manual, a crewman training and survival manual, and tank platoon tactics. Again, the documents weren’t classified, but most weren’t supposed to be shared with anybody but government agencies and contractors.

When he wasn’t Shodan-scooping unsecured military systems or looking for new, vulnerable computers to pounce on, he was whiling away the time by watching sensitive, live footage from border surveillance cameras and airplanes, the hacker told an Insikt Group analyst. He also bragged about accessing footage from an MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico: he posted a screenshot captured from the aircraft’s video footage.

Recorded Future alerted US officials to the breaches, after which the vulnerable computers were taken offline, ultimately cutting off the hacker’s access. The firm is now working with the Department of Homeland Security (DHS) on its investigation.

Barysevich told Business Insider that the hacker’s “above amateur” abilities gave researchers the impression that he might have been part of a group within a larger group. In other words, the attacker(s) seem to have had about enough wherewithal to exploit a simple vulnerability:

I wouldn’t say that they possess skills of highly advanced threat-actors. They have enough knowledge to realize the potential of a very simple vulnerability and use it consistently.

Insikt Group notes that military secrets aren’t the standard wares up for sale on the dark web. In fact, it’s “incredibly rare” to find such listings, the group said. Rather, most sales concern sensitive data such as personally identifiable information (PII), login credentials, financial information, and medical records.

Given the type of sensitive documents a mediocre hacker can exfiltrate from vulnerable military systems that are easily sourced with a tool such as Shodan, we can only imagine what “a more determined and organized group with superior technical and financial resources” could achieve, the group warned.

Unfortunately, the government – the keeper of some of the most sensitive data out there – is lagging when it comes to defending it, Insikt Group said:

The government is consistently lagging behind when it comes to the security training of its employees and protection of state secrets. Sadly, very few understand the importance of properly securing wireless access points (WAP), and even fewer use strong passwords and understand how to spot phishing emails.

Did somebody say “How to spot phishing emails?” We can help: check out the list of telltale signs we gave when we covered the Netflix phishing campaign.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TtA25jIYZwk/

Hackers break into newswire services, trade on what they find

Some financially-motivated hackers go straight for the money. Others, however, take a more circuitous route, going after information that they can use for profit. That’s what criminals convicted this week did until they were caught in 2015, earning millions in ill-gotten gains in the process.

Former hedge fund manager Vitaly Korchevsky and securities trader Vladislav Khalupsky were convicted in federal court this week. They took part in a five-year fraud that saw them trade on the information in illegally-accessed press releases.

The pair worked with hackers to break into newswire services in New York and Toronto. The hackers would then access embargoed press releases and quarterly earnings releases before the public got to see them.

A sneak peek

These releases often generate significant movements in the companies’ stock price because they give the market a chance to measure their performance against its expectations. If a company has earned less than the market expects, shares can drop, and vice versa.

The companies writing these releases typically upload them to news services ahead of time so that they are ready to publish. The duo was part of a criminal enterprise that hacked into the news services to get the information ahead of everyone else and trade on it.

A collection of hackers based in the Ukraine collaborated with traders in the US to execute the scam. The hackers gained access to the newswire press releases, stealing over 100,000 of them before they were publicly issued.

Hacking techniques included stealing the login credentials of legitimate users, and installing malware to secure further access and cover their tracks.

The hackers would forward the press releases to the traders. The traders would then action trades via multiple brokerage firms, using several entities and individuals’ names to try and obfuscate what they were doing.

Inside an international press release-stealing ring

Court documents filed in 2015 (and provided here courtesy of The Register) give some more detail on the scam. Between 2011 and 2014, a group of traders organized by Aradiy Dubovoy, based in Alpharetta, Georgia, used this information to make more than 1,400 trades, leading to a profit of more than $31m.

The traders maximised their trading power by using options, which enabled them to use leverage and make more money. Another group of foreign trading entities, with close links to Dubovoy’s group, made 804 trades overall, for a total profit of $45.1m.

In one 2011 example, the traders purchased stock in the firm Caterpillar in the window between the company uploading its Q3 earnings to a news service and the public announcement. When the earnings were revealed, stock in the company rose $4.38. The Dubovoy group and the foreign trading entities pocketed $724,000 in profits.

The traders also profited $513,000 from stock in food manufacturer TreeHouse, $511,000 in network equipment company Brocade, $1.37m in VMware, and $1.09m in RadioShack, among others.

The hackers procuring these releases received either a flat fee or a cut of the profits, which they would evaluate by monitoring the traders’ accounts. The traders often told the hackers which press releases to get.

Khalupsky, who had split his time between New York and Ukraine, helped the Dubovoy group set up its offshore accounts, and helped wire money for them. Korchevsky worked with him, and made over 600 illegal trades, profiting around $17.5m. Sentences could amount to 20 years, according to the DoJ.

Milliseconds matter

Trading on information accessed before everyone else is known as ‘front running’, and it is a relative of insider trading. It’s something that the government and financial markets are understandably nervous about.

In 2016, hackers gained access to a test system that enabled companies to practice submitting corporate filings to the SEC’s EDGAR database. The SEC subsequently said that the hack “may have provided the basis for illicit gain through trading.”

While some criminals work with windows ranging from minutes to hours, those windows are getting narrower.

In 2013, gold futures rocketed in a 30-second window after the Federal Reserve announced that it wouldn’t rein in its quantitative easing policy. Someone traded on that information for a huge profit exactly as the information dropped at 2PM eastern time.

Once released, information from the Federal Reserve takes 7 milliseconds to reach Chicago, where futures are traded. The trades happened before the news arrived there. Thanks to low-latency flash trading, this seemingly tiny time difference is significant, and it raised eyebrows at Chicago-based research firm Nanex. The company concluded that someone had access to the information beforehand and programmed their trades in advance.

Another potentially weak point is the lockup room system used to secure information before it is released at government agencies like the Department of Labor. These lockup rooms are closely guarded to ensure that information doesn’t leak ahead of time and give some people a front-running opportunity.

In 2012, after a five-year investigation, officials pulled the credentials of some news agencies and recommended that the Department replace the computer equipment in the lockup room. Quartz has a great story about vulnerabilities in the US systems for keeping financial data secret and then distributing it at the right time.

All of which goes to show that knowledge is power. And these days, when gaining access to it, every millisecond counts.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iPVxQuKcn-Q/

Your Google phone will soon screen nuisance calls

Google is reportedly adding a new feature to its phone app that is sure to please beleaguered phone users everywhere: Built-in screening for nuisance callers.

The Google Phone app, found on Google’s own Nexus and Pixel phones, already uses a database of known nuisance numbers to screen spam and scam callers. The new feature, called ‘Call Screen’, will go further by screening unknown or suspicious numbers.

According to Android Police, which analysed the code, the call screen feature will ask an incoming caller a series of questions and then transcribe their responses in real time. You can either read their responses as text, or perhaps hear their answers.

This feature would enable you to tell if a telemarketer or scammer – whether human or automated – was trying to reach you. You could then choose whether to talk to them or not.

Call screening for Google Phone sounds a lot like the beginnings of an automated personal assistant that can save you from wasting your time on unwanted calls. It isn’t the first time that Google has helped its users filter out nuisance callers. Google Voice includes a call screening feature that lets you deal with calls based on their caller ID (or lack thereof), setting up custom messages and routing options. You can also manually block callers.

There are phone apps available that do similar things. PrivacyStar uses a database of known nuisance numbers to warn you and block calls.

Other apps take a different approach. RoboKiller, available for Android and iOS, does more than screen. It intercepts spam calls for you using a blacklist of known spam numbers, and keeps them talking using audio recordings. When dealing with human callers, this wastes a nuisance caller’s time, helping to make their business model less profitable, the company says.

By recording the calls, the company also creates an audio pattern of the call that it stores. It uses the audio fingerprint to identify the same call coming from other numbers, which is particularly useful for identifying robocalls that use rapidly changing telephone numbers.

Then there is the Jolly Roger Telephone Company, set up by a frustrated telemarketing recipient – an online service that focuses on keeping callers busy. It features a range of bots designed to keep telemarketers talking for as long as possible, enabling you to listen to the calls afterwards, although because it is not an app on your phone it takes a little more setting up.

Adding AI to the mix would add some interesting possibilities. Google recently released its Duplex system. It is an AI assistant designed to make human-sounding calls for you, booking hair appointments and such. The system, which lets people know that it is a robot when calling them, is sure to make the world more efficient and less joyful in equal parts. It begins testing this summer.

Could a Duplex-style assistant be trained to fool human telemarketers into having a realistic conversation, keeping them on the phone for longer and further draining their company’s profits? If so, there is sure to be a host of frustrated nuisance call recipients ready and willing to give it a try!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uEn-kA1xFqo/

FBI for the Apple guy: Bloke accused of stealing car kit collared

A former Apple engineer has been hit with federal trade secrets theft charges after trying to lift Cupertino’s autonomous car tech on behalf of Alibaba.

The California Northern District Court will hear the case (PDF) of Xiaolang Zhang, an engineer who in 2015 was hired to work on the Cupertino music seller’s ultra-secretive self-driving car project. He was designing and testing circuit boards before leaving in April of this year to join an Alibaba and Foxconn-backed Chinese startup called Xiaopeng Motors.

According to prosecutors, Zhang took two circuit boards and a server as well as copies of files and information from two databases containing the details of Apple’s worst kept secret since the iPhone with the intent of moving it with him to China.

The theft was said to have taken place between April 28 and April 30, the day Zhang announced his resignation from Apple. Prosecutors believe that during that stretch, Zhang lifted both the hardware and data from Cupertino headquarters with the aim of taking the information to his new employer.

Apparently, Zhang was less than discreet in his efforts, making it fairly easy for Apple security to catch him.

“Apple’s database security team found that in the days just prior to April 30, 2018, Zhang’s Apple network activity increased exponentially compared to the prior two years of his employment,” the criminal complaint reads.

“The majority of his activity consisted of both bulk searches and targeted downloading copious pages of information from the confidential database applications.”

According to the South China Morning Post, Zhang was lifted by cops earlier this week when he attempted to fly out of San Jose Airport. Xiaopeng Motors is said to be looking to wash its hands of the matter, denying all knowledge of Zhang’s plans. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/fbi_apple_stealing/

What can $10 stretch to these days? Lunch… or access to international airport security systems

Dark web shops are selling access to computers on corporate networks for less than the cost of a short cab ride.

Security researchers at McAfee have uncovered a network of so-called Remote Desktop Protocol (RDP) shops on the dark web which sell access to compromised IT systems, sometimes for as little as $10 a pop – which includes “access linked to security and building automation systems of a major international airport”.

RDP is a proprietary Microsoft protocol that allows a user to access another computer through a graphical interface, a powerful tool for sysadmins. The tech can also be abused by hackers, hence the growing trade in illicit login credentials. RDP access can be used by crooks to control remote systems and abuse them as jump boxes to commit other crimes.

RDP access can be used as an entry point to send spam, create false security alerts, steal data and credentials, mine cryptocurrencies, and more.

During the recent Samsam ransomware campaign against several US institutions, compromised RDP access was used to carry out the attack, which led to ransom demands of as much as $60,000.

[Image: Monero mining via RDP advertised on a cybercriminal forum. Source: McAfee blog post screenshot]

These RDP shops are growing in size and abundance on the dark web. According to McAfee, the inventories of compromised infrastructure hawked online range from 15 to more than 40,000 RDP connections. The largest active shop covered by the study was held by Ultimate Anonymity Service (UAS), a Russian business.

The advertised systems ranged from Windows XP through to Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights, McAfee said.

The same RDP machines are sometimes sold at different shops, indicating the use of resellers as part of a sophisticated underground market. In addition to selling RDP, some of these illicit outlets offer a “lively trade in social security numbers, credit card data, and logins to online shops”.

McAfee came across multiple government systems being sold worldwide and dozens of connections linked to healthcare institutions, from hospitals and nursing homes to suppliers of medical equipment.

[Image: Blackpass.bz, one of the most popular RDP shops thanks to the wide range of services it offers.]

Attackers simply scan the internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with credentials leaked through data breaches.

McAfee offered tips on basic RDP security measures: enterprises should be using complex passwords and two-factor authentication to ward off brute-force RDP attacks. In addition, sysadmins should consider blocking RDP connections over the open internet. Locking out users and blocking IPs that have too many failed login attempts is another possible defence against brute-force RDP attacks. ®
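The last of McAfee’s tips, locking out or blocking sources with too many failed logins, is a detection that a sysadmin can run over the Windows Security log. The script below is an added example for this article and is not McAfee’s code or tooling: it parses a constructed, simplified export of Windows logon events (event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP; the sample records, accounts and addresses are invented), flags any source address that crosses a failure threshold inside a sliding time window, and separately reports a successful logon from a source that had already been flagged, which is the signal that a brute-force attempt actually worked. It goes one step beyond the article’s one-line tip by also showing that a short window misses a low-and-slow attempt, so the window length is a tunable worth thinking about.

```python
"""Flag brute-force RDP logon patterns in a (constructed) Windows event export."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not from any real host. Columns: timestamp, event ID
# (4625 = failed logon, 4624 = successful logon), logon type (10 = RDP),
# target account, source address. Three stories are embedded:
#   203.0.113.45  -> six failures in nine seconds, then a success (classic brute force)
#   198.51.100.7  -> one typo, then a success (a normal user)
#   192.0.2.200   -> one failure every ten minutes (low-and-slow guessing)
SAMPLE_EVENTS = """\
2018-07-12T09:00:01 4625 10 administrator 203.0.113.45
2018-07-12T09:00:03 4625 10 admin 203.0.113.45
2018-07-12T09:00:04 4625 10 backup 203.0.113.45
2018-07-12T09:00:06 4625 10 scanner 203.0.113.45
2018-07-12T09:00:08 4625 10 administrator 203.0.113.45
2018-07-12T09:00:09 4625 10 administrator 203.0.113.45
2018-07-12T09:00:15 4624 10 administrator 203.0.113.45
2018-07-12T09:05:00 4625 10 jdoe 198.51.100.7
2018-07-12T09:05:30 4624 10 jdoe 198.51.100.7
2018-07-12T09:20:00 4625 10 svc_print 192.0.2.200
2018-07-12T09:30:00 4625 10 svc_print 192.0.2.200
2018-07-12T09:40:00 4625 10 svc_print 192.0.2.200
2018-07-12T09:50:00 4625 10 svc_print 192.0.2.200
2018-07-12T10:00:00 4625 10 svc_print 192.0.2.200
2018-07-12T10:10:00 4625 10 svc_print 192.0.2.200
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the whitespace-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source": source,
        })
    return events


def analyse_rdp_logons(events, threshold=5, window=timedelta(minutes=1)):
    """Return (flagged, compromised).

    flagged:     {source: time the failure count first reached `threshold`
                  within any `window`-long sliding interval}
    compromised: [(source, account, time)] for every successful RDP logon
                 from a source that had already been flagged
    """
    recent = defaultdict(deque)   # source -> timestamps of failures inside the window
    flagged = {}
    compromised = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["source"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["time"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ev["time"]
        elif ev["event_id"] == SUCCESS_LOGON and src in flagged:
            # A success after the burst is the event worth paging someone for.
            compromised.append((src, ev["account"], ev["time"]))
    return flagged, compromised


def block_list(flagged):
    """Sources to hand to the firewall or lockout policy, in a stable order."""
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for label, win in (("1-minute window", timedelta(minutes=1)),
                       ("1-hour window", timedelta(hours=1))):
        flagged, compromised = analyse_rdp_logons(evs, window=win)
        print(f"{label}: block {block_list(flagged)}")
        for src, account, when in compromised:
            print(f"  success from flagged source {src} as {account} at {when}")
```

With the default one-minute window only 203.0.113.45 is flagged (and its later success as `administrator` is reported); the 192.0.2.200 source, which fails once every ten minutes, is never caught. Widening the window to an hour catches it as well. The trade-off is the usual one: a longer window and lower threshold catch slower guessing but lock out more genuine users who mistype, so pair the lockout with the other two tips (no RDP on the open internet, and two-factor authentication) rather than relying on thresholds alone.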


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/rdp_desktop_black_market/

Palo Alto Networks rattles tin, wants $1.5bn for, er, stuff and things

Palo Alto Networks is trying to raise $1.5bn in cash for “potential acquisitions” and “strategic transactions”, the company said today – though it claims not to have any buyout targets in mind just yet.

The company, which recently hired a new chief exec, former Google and Softbank bloke Nikesh Arora, said that of the $1.5bn it hopes to raise, $1.48bn should end up as cash ready to splash on… well, whatever it fancies.

The loan notes which form the legal basis for the fundraising exercise pay 0.75 per cent interest and mature in 2023.

Once fees are deducted, the cash will be spent on “general corporate purposes” including “working capital, capital expenditures, potential acquisitions, strategic transactions, the payment of amounts due upon conversion, at maturity or upon repurchase of Palo Alto Networks’ outstanding 0 per cent Convertible Senior Notes due 2019 and repurchases of Common Stock pursuant to Palo Alto Networks’ stock repurchase program”.

It added: “Palo Alto Networks, however, does not currently have any agreements or understandings with respect to any such material acquisitions or strategic transactions.”

New CEO Arora also reportedly invested $20m of his own cash into Palo Alto Networks stock, representing a hefty vote of confidence.

Last year the firm bought infosec machine-learning biz Lightcyber for $105m and a couple of years before that snapped up Israeli endpoint protection company Cyvera for $200m, including $88m in cash. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/palo_alto_1_5_bn_loan_notes/

Ransomware is so 2017, it’s all cryptomining now among the script kiddies

The number of organisations affected by cryptomining malware in the first half of 2018 ramped up to 42 per cent, compared to 20.5 per cent in the second half of 2017, according to a new report from Check Point.

The top three most common malware variants seen in the first half of 2018 were all cryptominers: Coinhive (25 per cent); Cryptoloot (18 per cent); and JSEcoin (14 per cent). All three perform online mining of the Monero cryptocurrency – often without a user’s knowledge, much less consent – when a surfer visits a web page that harbours cryptomining code.

Locky was the leading ransomware variant hitting organisations globally in the first six months of 2018, ahead of WannaCry and Globeimposter. Locky spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment. WannaCry used a Windows SMB exploit called EternalBlue to spread while Globeimposter is distributed by spam campaigns, malvertising and exploit kits.

Cloud infrastructures appeared to be a growing target among hackers during the first six months of this year. Check Point further noted an increase in the number of malware variants targeting multiple platforms (mobile, cloud, desktop etc).

“Up until the end of 2017, multi-platform malware was witnessed in only a handful of occasions,” the security researchers said, “but, as predicted, the rise in the number of consumer-connected devices and the growing market share of operating systems which are not Windows has led to an increase in cross-platform malware. Campaign operators implement various techniques in order to take control over the campaigns’ different infected platforms.”

There were several incidents of mobile malware that originated from the supply chain. Infected devices are being sold to consumers so that new Android smartphones come pre-pwned with malicious code. Mobile malware is increasingly disguised as genuine applications on app stores. These nasties include banking trojans, adware and sophisticated remote access trojans (RATs), Check Point added.

Check Point’s Cyber Attack Trends: 2018 Mid-Year Report is based on threat data collected between January and June 2018. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/malware_sitrep/

Ukraine Security Service Stops VPNFilter Attack at Chlorine Station

The facility’s process control system and emergency-detection system were infected, Interfax Ukraine reports.

Ukraine’s SBU Security Service reportedly detected and shut down a cyberattack that used VPNFilter malware on network equipment in a chlorine station that supplies water treatment and sewage plants.

Interfax-Ukraine reported that the LLC Aulska station in Auly was hit with a VPNFilter infection intended to disrupt operations at the chlorine station.  

“Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident,” the SBU wrote on its Facebook page, according to the report.

VPNFilter is a stealthy and modular attack platform that includes three stages of malware. The first establishes a foothold in the device and can’t be killed with a reboot; the second conducts cyber espionage, stealing files and data, and includes a self-destruction feature; and the third stage includes multiple modules, including a packet sniffer for nabbing website credentials and Modbus SCADA protocol traffic.

Ukraine was one of the first targets initially found with infected IoT devices in May, when VPNFilter was first discovered by researchers at Cisco Talos. The attackers behind VPNFilter – thought to be the Russian military hacker team Fancy Bear aka APT28 – also built a subnetwork aimed at Ukraine, complete with its own command and control server.

ICS/SCADA expert Robert Lee says the initial reports out of Ukraine don’t provide sufficient details to confirm the attack could have caused physical damage. “What we know right now about VPNFilter indicates that there was nothing in the malware to support the scenario of physical damage and operational impact that was described,” says Lee, CEO and founder of Dragos.

He says there are other possible scenarios for a physical attack, such as the attackers “directly using that access,” but the SBU’s report doesn’t specifically indicate that.

“In this case we need more details,” he says. “Obviously the SBU is doing good work, but the rest of the community would benefit from more insight, as the scenario presented leaves many questions.”

In its initial research on the malware in May, Cisco Talos found that VPNFilter includes “an exact copy” of Black Energy, the malware used in attacks that ultimately shut off the lights in western Ukraine in 2015.



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/ukraine-security-service-stops-vpnfilter-attack-at-chlorine-station/d/d-id/1332282?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple