STE WILLIAMS

Microsoft ‘Campaign Views’ Offers Full Look at Office 365 Attacks

Campaign views, arriving in public preview, aims to share more context around how attackers targeted an organization and whether its defenses worked.

Campaign views, a new capability arriving in public preview for Microsoft’s Office 365 Advanced Threat Protection (ATP), aims to provide greater context around email attack campaigns so organizations can learn how they were targeted and whether their defenses held up.

Attackers behind an email campaign typically use a crafted pattern or template for their messages. Emails are sent in waves, each of which is slightly varied to effectively bypass defenses or trick victims. Identifying this template, which defines the entire campaign, can help security teams pinpoint weaknesses in their defenses and prevent similar attacks in the future.

The problem is, it’s difficult for businesses to spot a comprehensive email attack campaign by looking at individual messages. If an attacker breaks into an organization and someone clicks a bad link, campaign views helps locate vulnerable users so remediation steps can be taken to limit the breach. The tool collects and correlates attacker-specific data, like sending domains, IP addresses, and URLs to help security practitioners adopt a more proactive approach to defense.

Office 365’s ATP protection stack already aims to block zero-day phishing and malware attacks with a layered defense system made up of tools to address protection at the perimeter, sender intelligence, content filtering, and post-delivery protection. These capabilities are meant to help pinpoint threats during mail flow and after email delivery. Campaign views takes a step back to provide more of a bird’s-eye view of a particular attack.

“Because these are brand-new attacks and our goal is to protect even the first user, these defenses operate even before campaign views comes together,” says Girish Chander, group program manager with Office 365 security. “The focus of campaign views is to layer on top of these protections to help security teams get a glimpse of the entire campaign that hit them.”

This tool is a more advanced way to cluster emails in a specific campaign based on the similarity of email template, payload, and other traits, even as factors like sending IP and sending address change. Its goal is to increase the effectiveness of SOC teams that try to identify campaigns within the organization by searching for all emails containing a specific attribute (sender, URL, etc.), which Chander says is a less effective technique. Campaign views leverages intelligence from the Microsoft Intelligent Security Graph to better identify attacks.

In a single view, security teams can learn details about an entire campaign, including when it started, the sending pattern and timeline, how long it has been ongoing, and how many people fell victim to the attack. Admins can view the list of IP addresses and senders involved with orchestrating the attack and assess which emails were blocked, delivered to junk or quarantine, or delivered to the employee’s inbox. In addition to seeing all URLs used in the attack, security teams using Office 365 ATP Threat Explorer can learn if any users clicked on the phishing link.
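As an added illustration of the clustering idea described above (this is not Microsoft's code; the normalisation rules, the verdict labels and the sample messages are constructed assumptions), the following Python groups messages by a normalised template so that one lure is recognised as a single campaign even as sender, IP and URL change, and then summarises per-campaign delivery outcomes the way the view does:

```python
import re
import hashlib
from collections import defaultdict

# Constructed sample messages: one invoice lure sent in three waves from
# rotating senders/IPs with per-recipient URLs and amounts, plus one
# unrelated internal message. "verdict" is the filtering outcome.
MESSAGES = [
    {"id": 1, "sender": "billing@acme-pay.example", "ip": "203.0.113.10",
     "subject": "Invoice #48213 is overdue",
     "url": "https://pay-acme.example/inv/48213",
     "body": "Dear Alice, your invoice #48213 of $412.50 is overdue. Review it at https://pay-acme.example/inv/48213 within 24 hours.",
     "verdict": "inbox"},
    {"id": 2, "sender": "accounts@acme-billing.example", "ip": "198.51.100.7",
     "subject": "Invoice #77102 is overdue",
     "url": "https://acme-invoices.example/inv/77102",
     "body": "Dear Bob, your invoice #77102 of $1,280.00 is overdue. Review it at https://acme-invoices.example/inv/77102 within 48 hours.",
     "verdict": "junk"},
    {"id": 3, "sender": "invoices@acmepay.example", "ip": "192.0.2.55",
     "subject": "Invoice #30555 is overdue",
     "url": "https://acme-pay-now.example/inv/30555",
     "body": "Dear Carol, your invoice #30555 of $99.00 is overdue. Review it at https://acme-pay-now.example/inv/30555 within 24 hours.",
     "verdict": "blocked"},
    {"id": 4, "sender": "hr@corp.example", "ip": "192.0.2.1",
     "subject": "Holiday schedule",
     "url": "https://intranet.corp.example/holidays",
     "body": "Hi team, the office closes on Dec 24. See https://intranet.corp.example/holidays for details.",
     "verdict": "inbox"},
]

URL_RE = re.compile(r"https?://\S+")
GREETING_RE = re.compile(r"\b(dear|hi|hello)\s+\w+,", re.IGNORECASE)
NUM_RE = re.compile(r"\d+(?:[.,]\d+)*")  # 48213, 412.50, 1,280.00


def template_of(msg):
    """Reduce subject + body to a template by replacing the tokens an
    attacker varies between waves: URLs, greeting names and numbers."""
    text = f"{msg['subject']} {msg['body']}"
    text = URL_RE.sub("<URL>", text)
    text = GREETING_RE.sub(r"\1 <NAME>,", text)
    text = NUM_RE.sub("<NUM>", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def campaign_id(template):
    """Stable short identifier for a template (hypothetical scheme)."""
    return hashlib.sha256(template.encode()).hexdigest()[:12]


def cluster(messages):
    """Group messages by template, collecting the infrastructure and the
    delivery verdicts seen for each cluster."""
    campaigns = {}
    for m in messages:
        t = template_of(m)
        c = campaigns.setdefault(campaign_id(t), {
            "template": t, "count": 0, "senders": set(), "ips": set(),
            "urls": set(), "verdicts": defaultdict(int)})
        c["count"] += 1
        c["senders"].add(m["sender"])
        c["ips"].add(m["ip"])
        c["urls"].add(m["url"])
        c["verdicts"][m["verdict"]] += 1
    return campaigns


def summarize(campaigns):
    """One row per campaign, largest first, with counts of distinct
    senders/IPs/URLs and how many messages landed where."""
    rows = []
    for cid, c in campaigns.items():
        rows.append({"id": cid, "count": c["count"], "template": c["template"],
                     "senders": len(c["senders"]), "ips": len(c["ips"]),
                     "urls": len(c["urls"]), "verdicts": dict(c["verdicts"])})
    return sorted(rows, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for row in summarize(cluster(MESSAGES)):
        print(f"campaign {row['id']}: {row['count']} msgs, "
              f"{row['senders']} senders, {row['ips']} IPs, {row['urls']} URLs, "
              f"verdicts={row['verdicts']}")
        print("  template:", row["template"])
```

Searching for a single sender or URL, as described above, would have found one message per wave here; the template view shows one campaign with one of three lures reaching an inbox.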

(Image: Microsoft)

By seeing who fell for an attack and how, admins can learn who needs their credentials reset and who should be enabling multifactor authentication. Further, a broader view of a campaign can inform admins of poor security configurations that attackers are exploiting to gain access. A view of indicators of compromise gives admins the data they need to investigate other messages that exhibit the same characteristics and take remediation actions.

“It is, unfortunately, not uncommon to see poor configurations in organizations, such as ‘tenant allows’ of a broad swatch of sending domains or IP,” says Chander. “These tenant allows override any ATP catch and deliver the email to the inbox.” Because a lot of these flawed configurations have existed for some time, people often don’t know about them.

“However, what we’re finding is that when customers see the scale of the impact of these poor configurations, it becomes more contextual and urgent to deal with them,” he adds.

In reviewing an attack campaign, security teams should prioritize learning who was compromised and ensuring they’re protected to prevent the attack from spreading. In some cases, clicks were blocked by Safe Links, but the block was overridden by the victim. Microsoft notes there’s a high chance victims may have fallen for an attack hosted on a malicious site, either by handing over credentials to the fraudulent site or being hit with drive-by malware.

Microsoft reports early preview users of campaign views have identified multiple configuration flaws. One discovered that a domain allow list was being exploited by an attacker; as a result, 34% of phishing messages detected by ATP were rescued and then delivered to employee inboxes. Customers also report the tool makes it easier to explain threats to the CISO and business peers.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Criminals Hide Fraud Behind the Green Lock Icon.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-campaign-views-offers-full-look-at-office-365-attacks/d/d-id/1336561?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Scientists Break Largest Encryption Key Yet with Brute Force

The key, only one-third the length of most commercial encryption keys, took more than 35 million compute hours to break.

How safe is “safe”? That’s the question at the heart of research into breaking encryption keys — research that has led a team in France to break the most complex encryption key to date. At 240 characters long, the new record bests the old decryption record by 8 characters, though it still falls far short of the complexity of the keys used in commercial cryptography today.

In order to break the encryption generated by the RSA algorithm, researchers used a network of computers to deliver the 35 million compute hours required to solve the problem. While mathematically and computationally interesting, the result is not seen as a harbinger of the end of effective encryption. 

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/scientists-break-largest-encryption-key-yet-with-brute-force/d/d-id/1336560?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Will the new iPhone 11 track you even if you tell it not to?

Stories about privacy blunders by big companies always attract a lot of attention.

When that big company is Apple, you can replace ‘a lot’ with ‘a whole lot’.

And Apple likes to make public pitches about the privacy its products provide, like the video here:

So, when renowned investigative cybersecurity journalist Brian Krebs recently published a quizzical article entitled The iPhone 11 Pro’s Location Data Puzzler, tongues began to wag.

What puzzled Krebs is that the privacy interface for Location Services on his iPhone didn’t seem to work as he expected, which he rightly thought was worth investigating carefully.

After all, thanks to GPS, modern smartphones can work out where you are with astonishing precision, even when you’re offline and have no other positioning data to refer to.

Apps that do clever things with your location have therefore ended up among both the most useful and the most feared software on smartphones.

On one hand, you need never get lost again in an unfamiliar city – no more stumbling around at midnight desperately trying to find the purple building that’s the landmark for where you turn left (or is it right?) to reach your hotel.

On the other hand, the downside of streaming your location to an online service in case you get lost on the way back to your hotel is that someone, somewhere, is clocking up an excruciatingly detailed record of exactly where you’ve been.

Heck, many countries use GPS tracking tags as a form of judicial punishment, as an alternative to keeping convicted criminals in prison.

With that in mind, voluntarily letting yourself be tracked, perhaps by multiple apps and websites at the same time, might suddenly seem like a terribly bad idea.

Safeguarding your location

Apple provides a pretty decent system for controlling how apps use your location:

On the Settings > Privacy > Location Services page, you can choose, for each app, when it’s allowed to use your location data:

Never does what it says – the app can call the iOS functions to retrieve your location, but won’t get anything back; and Always is similarly obvious.

There’s also While Using the App, a middle ground that all location-aware apps admitted to the App Store must now support.

While Using says that the app can only track you while it’s the foreground app on your phone – as soon as you switch to another app or lock your phone, this setting cuts off access to your location.

In other words, if you can’t see the app, it can’t see you.

The confusion starts here

This is where Krebs decided that Apple – or, more precisely, his smart new iPhone 11 Pro – had confused him.

He explicitly turned every app’s setting to Never, while leaving the main Location Services slider turned on.

Krebs inferred that turning every individual switch off would produce the same result as turning the master switch off.

But it doesn’t, in the same way that there’s an important difference between isolating your home’s main circuit breaker, and going round the house turning off every light, plug and appliance individually at the wall.

Krebs started seeing the telltale arrow from time to time when he started using a new iPhone 11 Pro, even with all the individual settings on Never

…a behaviour he couldn’t reproduce on an iPhone 8. (In the interests of science, he went back and tried.)

Something’s changed

Conclusion: something had changed, and it had privacy implications!

But what?

At first, Apple wasn’t terribly helpful, apparently saying simply that:

We do not see any actual security implications […] The icon appears for system services that do not have a switch in Settings.

In other words, the master switch was there to deal with any system components that didn’t have a switch of their own.

Nevertheless, the unanswered part of the question was, “What new system components have recently been added that don’t have a switch of their own and are provoking this previously unseen behaviour?”

A couple of days after the first article came out, Krebs finally received an answer from Apple to fill in the missing detail, so he was able to report as follows:

Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

This feature, known as Ultra Wideband (UWB), is basically a peer-to-peer wireless data transfer protocol that uses a much wider range of frequencies than regular Wi-Fi, but at much lower power to reduce interference.

But UWB isn’t allowed everywhere in the world.

A few countries have regulated its use, apparently for fear that it might mess with existing radio communications, and Apple therefore added system software that uses your location data, as long as the master location switch is turned on, to disable UWB automatically where required.

Mystery unravelled!

No room for ambiguity

The moral of this story is that there is no room for ambiguity or confusion in software components where users manage their privacy.

We assumed that the master switch only existed because there were location-related features for which there were no individual control sliders.

Krebs assumed from the layout and behaviour of the very same configuration page that the master switch was redundant if all apps were turned off anyway.

Both assumptions are reasonable, but only one can be correct.

So, if you’re a programmer or a user interface designer, you need to go out of your way to avoid security ambiguity in your configuration screens.

Apple, for example, knowing that UWB support on the iPhone 11 Pro would produce location usage warnings in a way that hadn’t happened before, could easily have tweaked the message under the master switch to clarify the situation.

Ironically, Apple is now planning to add a separate control switch for the new UWB feature; let’s hope it accompanies this update with a list of any other iOS services that could cause the location arrow to pop up but that still don’t have their own switches.

And another thing…

While we’re on the topic of user interface design, here’s a long-standing bugbear of ours in Location Services.

Once you’ve turned the location master switch off, you can no longer inspect, let alone adjust, the per-app settings that will apply as soon as you turn it back on:

This means that you can’t tidy up your location settings to improve your privacy without potentially leaking location data while doing so.

If you install a new app and want to make certain that it’s set to Location Services > Never, you have to risk giving it temporary access to your location by turning the master switch on just to get access to turn the app-specific switch off.

(We’d also like a quick-press button to Turn All Apps to Never in one go, for when we decide we want to opt out of everything, instead of wading through the whole app list to make sure we didn’t miss one…

…but that might just be us being fussy.)

Readers, what do you think?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1A-Ftqr67sM/

Ad network ransomware crook to flog £5k Rolex after court confiscates £270k in ill-gotten gains

A jailed hacker who profited from the Angler Exploit Kit has been ordered to sell his £5,000 Rolex watch after the National Crime Agency (NCA) applied to confiscate £270,000 of criminal proceeds from him.

Zain Qaiser, 25, formerly of Barking in London, has been ordered to pay £270,864.47 to the British state following a confiscation order hearing held at Kingston Crown Court last week.

Back in April, His Honour Judge Timothy Lamb QC sentenced Qaiser to six-and-a-half years in prison for his malware exploits.

The NCA claimed in a statement today that Qaiser would face an extra two years in prison unless he paid the £270,000 within three months – including the forced sale of a £5,000 Rolex watch currently in the possession of the not-quite-police-force.

“Qaiser spent the proceeds of his criminality on stays in high-end hotels, prostitutes, gambling, drugs and luxury items including a £5,000 Rolex watch,” the agency said in a statement.

NCA investigator Nigel Leary, the agency’s head of ops in its national cyber crime unit, declared: “Confiscation orders are a key tool in allowing us to pursue illegally obtained assets and preventing convicted criminals from funding luxury lifestyles on their release.”

Having confessed to 11 offences including blackmail, fraud, money laundering and Computer Misuse Act crimes, Qaiser was eligible for a confiscation order. These, as law firm Hodge Jones and Allen explains on its website, are aimed at destroying any wealth gained by crooks from their criminal lifestyles.

It appears that Qaiser has obtained three months’ grace to pay instead of being forced to stump up immediately as is usual.

Ransomware spread through porno ad networks

Qaiser himself was part of a gang that posed as legitimate pornography companies in order to distribute malware through online ad networks, with the NCA saying at the time of his sentencing that he was involved in spreading both the Angler Exploit Kit and the Reveton ransomware family.

Reveton locked the target’s browser and displayed a message claiming to be from a police agency and demanding an upfront “fine”, payable in Bitcoin, to evade criminal proceedings for some imaginary transgression. The fines were paid to Qaiser’s ransomware gang. Each ransom was worth between $300 and $1,000, according to the NCA, with Qaiser having scored around £700,000 in total.

When the ad networks realised that Qaiser’s brand of smut was far worse than the filth they usually carried, they tried to stop the gang. Qaiser responded by DDoSing them and threatening to plant child abuse images on the company directors’ devices, the NCA claimed in previous public statements.

Although the Londoner was first arrested in July 2014, a trial planned for February 2018 was abandoned after he was sectioned under the Mental Health Act. During his enforced stay at Goodmayes Hospital in Ilford, police claimed the hospital Wi-Fi had been used to access ad networks that Qaiser used during his crime spree.

A Bitcoin account linked to Qaiser was said to have contained in excess of £100,000 worth of the cryptocurrency after his arrest, with the man himself having no job and not having declared any legitimate sources of income. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/09/zain_qaiser_confiscation_order_270k/

Criminals Hide Fraud Behind the Green Lock Icon

Criminals are using free certificate services to apply real security certs to fraudulent sites – and to take advantage of victims looking for surfing safety.

(Image: Irina/Adobe Stock)

The “green lock” icon, harbinger of safe browsing, is becoming a trap for unwary consumers. Already abandoned by Google for its Chrome browser, the green lock is an increasingly unreliable indicator of safety, and its near-ubiquity is to blame.

In its “State of E-Commerce Phishing” report for 2019, NormShield reported that the number of potential phishing domains registered in 2019 was up by 11% over 2018. But the number of phishing domains with legitimate certificates for encryption more than tripled in the same time.

“Year over year, month over month, phishing is becoming more prevalent,” says Bob Maley, NormShield’s CSO. “The bad actors are getting these phishing domains and registering them. Then they are standing up phishing sites on those domains that are essentially clones of the various e-commerce sites to fool the end user into believing they’re on a legitimate e-commerce site.”

Part of that successful camouflage is the green lock icon that indicates encrypted legitimacy to users. It became a problem through products and services designed to make it easier for small organizations to properly protect their websites: Free and open certificate authorities like Let’s Encrypt provide the same level of encryption (and same appearance of legitimacy) to criminal phishing sites they provide to legitimate small businesses.

At this time of year, especially, researchers see an increase in criminals registering typo-squatting and phishing domains that are a single character different from a legitimate domain, Maley says. Other techniques for tricking victims include domains with two letters transposed from those of a legitimate site and those with common misspellings of well-known domains.
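As an added example of the defensive side of the lookalike-domain techniques described above (not NormShield's or Babel Street's code; the brand list, the candidate domains and the lookalike substitution table are constructed assumptions), this Python flags newly seen domains whose registrable label is a single-character edit, an adjacent-letter transposition or a digit-for-letter substitution of a protected brand:

```python
# Constructed protected brands and a constructed feed of newly observed domains.
BRANDS = ["shopmart.example", "bigbooks.example"]
CANDIDATES = [
    "shopmart.example",          # the legitimate domain itself
    "shopmrat.example",          # two adjacent letters transposed
    "shopmartt.example",         # one character inserted
    "sh0pmart.example",          # digit zero standing in for the letter o
    "bigbook.example",           # one character deleted
    "communitychoir.example",    # unrelated domain
]

# Hypothetical table of visually similar substitutions; multi-character
# entries are applied before single characters.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_label(domain):
    """Second-level label of a dotted host name (crude: assumes a one-label TLD)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_lookalikes(label):
    for src, dst in LOOKALIKES:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent-swap each cost 1, so a transposition is distance 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_transposition(a, b):
    """True when a and b differ only by swapping two adjacent characters."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def classify(candidate, brands):
    """Return (brand, kind) for a suspicious candidate, or None if it is
    either a legitimate brand domain or not close to any brand."""
    label = registrable_label(candidate)
    for brand in brands:
        blabel = registrable_label(brand)
        if label == blabel:
            return None  # the brand's own domain
        if normalize_lookalikes(label) == normalize_lookalikes(blabel):
            return brand, "lookalike-substitution"
        if is_transposition(label, blabel):
            return brand, "transposition"
        if osa_distance(label, blabel) == 1:
            return brand, "one-char-edit"
    return None


def scan(candidates, brands):
    """Flag every candidate that resembles a protected brand."""
    hits = []
    for c in candidates:
        result = classify(c, brands)
        if result:
            hits.append({"candidate": c, "brand": result[0], "kind": result[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(CANDIDATES, BRANDS):
        print(f"{hit['candidate']:28} -> {hit['brand']:20} {hit['kind']}")
```

The distance threshold of 1 is deliberately tight to keep false positives low on short labels; a feed of registrations filtered this way gives the blocklist and mail-filter input the report recommends.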

In addition, criminal sites don’t even have to trick the user into clicking on an “almost right” link. Researchers at Babel Street have found criminals using domain redirection to take users typing innocuous URLs, such as metropolitanbaptistchurch.org, to a variety of different sites selling both legal and counterfeit drugs. URL redirection can add a significant layer of obfuscation to criminal phishing (and commerce) sites.

And those criminal domains of all types are multiplying at a high rate. The NormShield report predicts there will be more than 9,000 phishing domains targeting just the top 50 commerce websites by the end of 2019. Maley says the proliferation of these sites and the increased email traffic during the end-of-year holiday shopping season makes this a highly lucrative — and very effective — time of year for criminals.

So what is a company or individual to do to protect themselves from these threats? According to the report, one tip for organizations setting up filters and anti-malware rules is to look at the registrar for the domain; criminals have a very real fondness for free and low-cost registrars, with GoDaddy the No. 1 registrar, responsible for roughly 30% of the phishing domains.

For users, the researchers have two pieces of advice, one obvious and one subtle. The obvious tip is to avoid clicking on URLs that come in holiday promotional email, especially those that promise entry to sweepstakes and contests. Instead, users should type in the address of retailers’ sites by hand, being careful not to make typos.

The more subtle tip is to watch the behavior of password managers. These are tied to specific, legitimate URLs in order to fill in account information. If a password manager balks or unexpectedly refuses to provide credentials, it could be, Maley says, a strong indication that the website is not what it claims to be.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/theedge/criminals-hide-fraud-behind-the-green-lock-icon/b/d-id/1336549?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Notable Cybersecurity Acquisitions of 2019, Part 2

As mergers and acquisitions continued to shape the security industry throughout 2019, these deals were most significant.

(Image: Nespix stock.adobe.com)

This year has been a significant one for mergers and acquisitions in cybersecurity. A strong pattern of M&A activity in the first half of 2019 continued into the second as large companies sought to create more sophisticated platforms, and smaller businesses continued consolidation.

“The bottom line is we’re on pace for record growth in 2019 and definitely a bigger year than 2018,” says Hank Thomas, CEO at Strategic Cyber Ventures, who notes the industry is on pace to reach $17 billion in total M&A activity for 2019.

While the stream of M&A activity remained fairly constant from the first half of 2019 into the second, the past six months brought a few larger deals overall, notes Jeff Pollard, Forrester vice president and principal analyst for security and risk professionals. Deals involving Broadcom, Sophos, and VMware underscored another trend of enterprise players investing in security.

The first half of 2019 was marked with acquisitions by companies expanding their portfolios, Pollard explains. We saw Carbonite aiming to become more of a software provider with Webroot, and Palo Alto Networks expanding its offerings with Demisto, Twistlock, and Puresec, he notes.

January through June “was more focused on companies trying to flesh out what they have now,” he continues. Toward the second half of 2019, smaller companies began partnering with other smaller companies to become medium-size businesses, as opposed to large firms trying to get bigger. As big organizations continue to buy more midsized companies, it creates an opportunity for some of the smaller players to get together and create a larger company.

“If you’re small and looking at smaller, but together you’re midsize, that’s now an attractive target for you,” Pollard explains.

Another key M&A driver is a lack of sophistication in today’s security platforms, Thomas points out. Many of the point tools companies rely on are “very much just features,” he says. CISOs are looking to consolidate their data feeds and dashboards and to do security orchestration, automation, and response. The problem is, they don’t have a sufficiently advanced platform.

“I think we’ll continue to see consolidation occur because there’s a demand for that,” he adds.

Here, security experts share the most noteworthy M&A deals from July through December and what these acquisitions mean for this changing industry. See anything they missed? Please feel free to share your thoughts in the Comments section.

Article source: https://www.darkreading.com/application-security/10-notable-cybersecurity-acquisitions-of-2019-part-2/d/d-id/1336548?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Two Bayrob Cybercrime Members Sentenced to 20 and 18 Years in Prison

The Romanian nationals stole some $4 million in a vast malware, botnet, and cryptocurrency operation.

Bogdan Nicolescu and Radu Miclaus, both citizens of Bucharest, Romania, have been sentenced to US prison terms for their roles in the Bayrob Group cybercrime operation, which infected and took control of some 400,000 computers and stole $4 million.

Nicolescu, 37, received a 20-year sentence, and Miclaus, 37, an 18-year sentence. The two men, as well as another Romanian national, Tiberiu Danet, were arrested in 2016 and charged by US authorities in December of that year. The Bayrob group first began infecting computers in 2007 with its own malware, which it sent via phishing emails posing as Western Union, Norton Antivirus, and the IRS.

The gang stole credit card and other information from the infected machines and then sold them on the Dark Web. The infected machines served as a botnet army to attack and infect other machines and also were used for cryptocurrency mining, according to the US Department of Justice.

Read more here

Article source: https://www.darkreading.com/attacks-breaches/two-bayrob-cybercrime-members-sentenced-to-20-and-18-years-in-prison/d/d-id/1336552?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Maersk CISO Says NotPetya Devastated Several Unnamed US firms

At least two companies may have been dealt even more damage than the shipping giant, which lost nearly its entire global IT infrastructure.

The unprecedented 2017 NotPetya malware attack on global shipping giant Maersk has been well documented, but according to the organization’s top cybersecurity executive, several other companies suffered equally if not even more devastating damage but have yet to publicly reveal the incidents.

Speaking at Black Hat Europe 2019, A.P. Moller Maersk A/S Chief Information Security Officer Andrew Powell said he believes approximately 600 companies globally were damaged by NotPetya around the time of the Maersk attack. Powell said that’s because the source of the attacks was traced back to an application called M.E.Doc, a financial application that the Ukrainian government essentially requires any company doing business in the country to use.

According to published reports, NotPetya was the key element in a nation-state-sponsored cyberattack campaign targeting the government of Ukraine, but the malware proved to be far more virulent than a targeted campaign.

“Any company doing business in Ukraine and filing a tax return [in 2017] was hit,” Powell said. “Very big companies in the U.S. got hit hard, two of them harder than us.” Powell declined to name the companies and did not elaborate on how he came to know about these other organizations’ NotPetya incidents. All told, estimates indicate the attack and recovery effort have cost Maersk nearly $300 million to date.

Published reports indicate NotPetya wreaked havoc all over the globe in nearly all industries. In the U.S., pharmaceutical giant Merck and shipping giant FedEx both lost more than $300 million from NotPetya as a result of cleanup and lost business.

Powell, a longtime information security executive, previously worked as a vice president for Capgemini, and spent nearly 30 years with the United Kingdom Royal Air Force, including serving as its CIO.

“We weren’t alone,” Powell said. “Maersk is one of the few companies that has been transparent about what happened. We haven’t tried to disguise it or shy away from it.”

An argument could be made, however, that Maersk had little choice. The Copenhagen-based shipping company, which transports approximately 20% of all global shipments, found itself virtually paralyzed by NotPetya in a matter of minutes.

Maersk NotPetya attack: What happened
In retrospect, Powell said, Maersk wasn’t well prepared to cope with an attack as sophisticated and crippling as NotPetya. In early 2017, he said, its cybersecurity maturity, like that of many manufacturing and logistics companies, was relatively low. Even though digital processes had become critical to Maersk’s day-to-day operations, computer networks and server infrastructure weren’t considered mission critical; what really mattered, according to the company, was its high-profile physical assets such as ports, ships, and shipping containers. Hence digital assets were minimally protected.

So once a Maersk user in its Odessa office was infected, it spread through the Maersk global network faster than anyone imagined possible.

“Within seven minutes,” Powell said, “most of the damage was done.”

And that damage was staggering. According to Powell, NotPetya destroyed 49,000 laptops and more than 1,000 applications; all printing and file-sharing systems were knocked offline; its enterprise service bus and VMware vCenter cloud-management servers were ruined; and its DHCP and Active Directory servers were rendered useless.

What proved to be especially devastating, Powell added, was that both its primary and backup Active Directory systems were taken out, a scenario Maersk never thought possible. “[NotPetya] was designed to destroy online backups specifically, preventing recovery using online backup methods,” Powell said. “We had no copies of our Active Directory. We thought we had nothing to restart the network with.”

How Maersk recovered
Fortunately, a stroke of good luck came when IT leaders learned that the company’s Lagos office had suffered a power outage during the NotPetya attack. Its IT systems – including its copy of the company’s Active Directory – were undamaged. The Lagos AD node was physically removed, flown to Copenhagen, and used to rebuild the rest of the network. However, the AD recovery process alone took more than a week. Clearly, Powell said, it was a scenario Maersk should have planned for. “Nine days for an Active Directory recovery isn’t good enough,” Powell said. “You should aspire to 24 hours; if you can’t, then you can’t repair anything else.”


Article source: https://www.darkreading.com/threat-intelligence/maersk-ciso-says-notpeyta-devastated-several-unnamed-us-firms/a/d-id/1336558?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

$5m bounty set on the alleged head of Evil Corp banking Trojan group

Some people are so rude.

They hold up traffic while they pull donuts in their fume-spewing, garish Lamborghinis; they inflict epilepsy-threatening laser shows on their wedding guests; they remove adorable lion cubs from their lion mothers to film the animals on their oriental carpets…

…and they allegedly run Evil Corp (a.k.a. TA505) – the threat group behind the ZeuS and Dridex banking Trojans that have siphoned tens of millions out of banks and bank customers’ accounts over nearly a decade.

If you can pry him out of his Lamborghinis – and Russia – you might be able to claim a $5 million bounty on the head of the man of whom I speak: Maksim “Aqua” Yakubets. Yakubets, 32, of Moscow, was indicted in the US on Thursday for allegedly being the head honcho of Evil Corp.

Yakubets is the star of many Richie Rich-kid brag videos like the one above, showing off things like his crashing of a hoverboard, his fondling of Lamborghini controls, and his disregard for traffic laws. The UK’s National Crime Agency (NCA) released a slew of photos and video montages showing the lavish lifestyle of Yakubets and his alleged cronies, of which there are quite a few.

One of his alleged cronies was also indicted in the US on Thursday: Igor Turashev, 38, from Yoshkar-Ola, Russia, for his alleged role in the “Bugat” malware conspiracy – another name for Dridex, which is also known as Cridex.

For its part, the NCA has been working on the group’s core malware strain, Dridex, since 2014. The NCA says that unraveling Dridex has involved “unprecedented” cooperation between itself, the FBI and the National Cyber Security Centre.

The NCA calls Evil Corp “the world’s most harmful cybercrime group,” responsible for deploying malware causing financial losses worth hundreds of millions of pounds in the UK alone. On Thursday, the US State Department, in partnership with the FBI, announced a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets.

It’s the largest bounty ever offered for a cybercriminal, the Justice Department (DOJ) said.

Indictment

A federal grand jury in Pittsburgh returned a 10-count indictment, unsealed on Thursday, against Yakubets and Turashev, charging them with conspiracy, computer hacking, wire fraud, and bank fraud, in connection with the distribution of Bugat/Dridex.

Peter Mackenzie, Sophos’s Global Malware Escalations Manager, calls Dridex “the most advanced banking Trojan in the world” – one that’s cost organizations and individuals millions of dollars over the years. It also has strong links to high-profile targeted BitPaymer ransomware attacks and is normally deployed via Emotet.

As we’ve explained in the past, Emotet is malware that’s designed to evade detection, dig in hard and multiply.

It’s a banking Trojan that injects code into the network stack of infected Windows computers, inserts itself into software modules that can then steal address book data and perform denial of service (DoS) attacks on other systems, and serves up a host of other Trojans.

In fact, as Peter has noted before, he believes Emotet’s raison d’être is to cluster-bomb endpoints with as many Trojans as possible. Some will explode right away, most can be removed safely, and a few will squirrel themselves away for years to come in places where people forget to check, then wait “for that unlucky victim to step on them.”

The sum of all that nastiness = an incredible amount of time and hard work spent fighting Dridex, Peter says.

Dridex has NOT dried up

Unfortunately, court indictments aren’t going to mop up Dridex anytime soon. On Thursday, the US Department of Homeland Security (DHS) warned that Dridex malware attacks targeting private-sector financial firms through phishing campaigns are still going strong.

According to the Cybersecurity and Infrastructure Security Agency (CISA), via the US National Cyber Awareness System, the phishing emails are using a combination of legitimate business names and domains, professional terminology, and urgent language that tries to get its targets to click on attachments. The sender email addresses are sometimes simulating individuals ([email protected]), sometimes admin accounts ([email protected], [email protected]), or “do not reply” addresses ([email protected]).

The subject lines and names of attachments can include typical terms such as “invoice”, “order”, “scan”, “receipt”, “debit note”, and “itinerary”, among others.

Sometimes, the message bodies are empty, and sometimes they’re chock full of text providing context for whatever pretext the attackers have adopted. Sometimes the messages say that the content has been scanned for viruses, and sometimes the text directs victims to a link or attachment.
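As an added illustration (not from the article or from CISA’s alert), a small Python triage routine that flags messages matching the indicators just described; the sender local-part patterns, the urgency vocabulary and the sample mailbox are constructed assumptions.

```python
# Triage rules modelled on the Dridex phishing pattern CISA describes (lure terms,
# generic senders, empty or "virus-scanned" bodies, urgent wording).
import re
from dataclasses import dataclass

# Subject/attachment terms named in the alert.
LURE_TERMS = ("invoice", "order", "scan", "receipt", "debit note", "itinerary")
# Assumed local-part patterns for the admin and "do not reply" senders the alert mentions.
GENERIC_SENDER = re.compile(r"^(admin|support|helpdesk|no-?reply|do-?not-?reply)\d*$", re.I)
# Assumed urgency vocabulary; the alert only says "urgent language".
URGENCY = re.compile(r"\b(urgent|immediately|asap|overdue|final notice)\b", re.I)

@dataclass
class Message:
    sender: str
    subject: str
    attachment: str = ""  # attachment filename, empty if none
    body: str = ""

def indicators(msg: Message) -> list:
    """Return the Dridex-style indicators a single message matches."""
    hits = []
    if any(t in f"{msg.subject} {msg.attachment}".lower() for t in LURE_TERMS):
        hits.append("lure term in subject or attachment name")
    if GENERIC_SENDER.match(msg.sender.rsplit("@", 1)[0]):
        hits.append("generic admin/no-reply style sender")
    if msg.attachment and not msg.body.strip():
        hits.append("attachment with empty body")
    if "scanned for viruses" in msg.body.lower():
        hits.append("body claims content was virus-scanned")
    if URGENCY.search(msg.subject) or URGENCY.search(msg.body):
        hits.append("urgent language")
    return hits

def triage(messages: list, threshold: int = 2) -> list:
    """Return (subject, indicators) for messages with at least `threshold` indicators."""
    return [(m.subject, hits) for m in messages if len(hits := indicators(m)) >= threshold]

# Constructed sample mailbox; every address and message here is invented for the example.
SAMPLE = [
    Message("noreply@invoice-portal.example", "URGENT: Invoice 4471 overdue",
            "invoice_4471.doc", "This message has been scanned for viruses."),
    Message("admin@vendor.example", "Scan from MFP", "scan_0032.pdf", ""),
    Message("alice@partner.example", "Lunch on Thursday?", "", "Are you free around noon?"),
    Message("bob@partner.example", "Order confirmation", "", "Thanks, your order 88 shipped today."),
]

if __name__ == "__main__":
    for subject, hits in triage(SAMPLE):
        print(subject, "->", ", ".join(hits))
```

Raising the threshold trades missed phish for fewer false positives; the lone “order” hit on the legitimate confirmation shows why a single indicator should not block mail on its own.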

CISA has a long list of mitigations that organizations can take to reduce risks, as well as tips on how security admins can configure their organizations’ defenses to detect Dridex and to avoid potential attacks. If your company is in retail or finance, you’re hopefully already on alert, given that Evil Corp/TA505 is known for focusing mainly on those sectors.

One last photo of Yakubets

We know that even if Yakubets gets caught, the organization he’s allegedly running likely won’t crumble: the NCA says that he’s allegedly employed dozens of people to run Evil Corp’s operation from the basements of Moscow cafes.

At any rate, one previous arrest proved to be barely a bump in the road for these guys: in 2015, the NCA and FBI took down the Dridex botnet and arrested Andrey Ghinkul, a Dridex distributor known as “Smilex.”

Within weeks, Evil Corp adapted the malware and infrastructure to resume its criminal activities.

But let’s hope that this last image will, at least in part, counterbalance all those Lamborghinis and laser-show wedding images by leading some bounty hunter to bring one more Evil Corp boss to justice:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nU-wUMypTSA/

Facebook suing ILikeAd for hijacking users’ ad accounts

Facebook has sued a company for allegedly inflicting a malicious extension on victims’ browsers to steal their Facebook logins, take over their ad accounts, run bad ads, and then use the victims’ own payment information to pay for the ads.

The company filed the suit on Thursday. It’s against a Hong Kong company called ILikeAd Media International Company Ltd. and against two individuals: Chen Xiao Cong and Huang Tao.

According to the complaint, ILikeAd promoted itself as a “one-stop comprehensive solution to advertisers” hoping to market their wares on Facebook.

Facebook said that the defendants sometimes used celebrities’ photos to lure people into clicking on the deceptive ads – a practice known as “celeb bait.”

Facebook alleges that starting around 2016, Tao created the malicious extension and registered two domains to serve as command and control servers. The defendants promoted the extension through various sites and forums; when victims installed it, the malware stole their Facebook logins.

Facebook alleges that Cong, on behalf of ILikeAd, designed the malware to disable security notifications in order to let it run under the radar, with victims being none the wiser.

That’s not the only notification that the malware disabled. ILikeAd allegedly used the malware to extract data that showed whether the victims had an ad account, had previously paid for ads, how much they spent, and the balance on their ad account. The malware allegedly enabled ILikeAd to run ads via their victims’ ad accounts – and on the victims’ dime.

Like the disabled security notifications, the malware also turned off notifications that would have alerted users that an unrecognized device had accessed their account and that ads had been run on it. It also locked in those changes, so victims couldn’t turn the notifications back on.

The ads that ILikeAd allegedly ran on the hijacked ad accounts were meant to deceive: according to the complaint, the ads directed users to landing pages associated with counterfeit goods, male enhancement supplements, and diet pills, all of which violate Facebook’s Advertising Policies.

In order to sidestep the platform’s ad review, Facebook says that ILikeAd used “cloaking”: a way to disguise a link’s true destination by showing one version of an ad’s landing page to Facebook’s systems and a different version to Facebook users.

Facebook said in the complaint that it’s paid out more than $4 million to reimburse the victims for the bad ads that were run on their accounts. It also said that ILikeAd is still running the scheme.

It’s looking for a permanent injunction against ILikeAd and everybody who works for it and wants an unspecified amount in damages, restitution and court costs.

Jessica Romero, Facebook’s director of platform enforcement and litigation:

Creating real world consequences for those who deceive users and engage in cloaking schemes is important in maintaining the integrity of our platform.

About a year ago, Facebook itself got lawsuited into creating a scam ads reporting tool, and donating £3m to a consumer advocate group, by UK financial expert Martin Lewis.

Lewis’s name and face had been slathered on all sorts of financial scams that he’d never endorse. He wound up dropping the lawsuit he brought against Facebook over the frauds: to Facebook’s credit, it responded without a court order.

Facebook is not the only one dealing with bad ads. Around that time, there was a rash of YouTube subscribers getting spammed by celebrity imposters.

Fighting social media-delivered, fake-celebrity-encrusted flimflam is like playing whack-a-mole: smack down one, and another pops up. If Facebook’s allegations in this lawsuit prove true, we’re talking about a mole that’s packing malware, so good luck to the platform in its hunt.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PXMa1EXeC34/