STE WILLIAMS

FBI extends voting security push, LA court hacker goes down, and more D-Link failures

Here’s your Reg roundup of security news beyond all the bits and bytes we’ve already covered.

FBI refreshes voting security push

Last year, the FBI kicked off Protected Voices, a campaign to improve voting security at the state and local level. The effort was just expanded for the coming year with new resources and materials, including tutorials for securing polling places.

“It is not the general practice of the FBI’s Counterintelligence Division to go to the public with information,” said Nikki Floris, deputy assistant director. “But this is a threat that not only concerns every American, it involves every American. These attacks on our elections and these efforts by foreign adversaries to influence our opinions and sow divisions within this country touch us all.”

US senators ‘demand’ intelligence probe of video-sharing app Tik Tok

Having solved all of America’s other political and intelligence concerns, the US Senate now wants to take a good long look at teen micro-vid sensation Tik Tok.

Sens. Chuck Schumer (D-NY) and Tom Cotton (R-AR) sent Director of National Intelligence Joseph Maguire a letter asking for an investigation as to whether the Chinese-owned Tik Tok app could be a potential espionage threat.

“TikTok’s terms of service and privacy policies describe how it collects data from its users and their devices, including user content and communications, IP address, location-related data, device identifiers, cookies, metadata, and other sensitive personal information,” they write.

“While the company has stated that TikTok does not operate in China and stores US user data in the US, ByteDance is still required to adhere to the laws of China.”

Tik Tok claims it doesn’t censor posts on the orders of Beijing, though…

12 years in the clink for LA court hacker

The Texas man found guilty of hacking the Los Angeles Superior Court’s network in America has been given a dozen years in the cooler.

Oriyomi Sadiq Aloba was one of a group who used phishing emails to steal the credentials of court employees in 2017. It was found that the group then used those stolen email accounts to spray out phishing emails to the public, an estimated 2 million in total.

“His conduct diverted substantial resources from the critical tasks LASC personnel undertake daily, resulting in over $45,000 in losses to the LASC,” prosecutors said.

“And perhaps most importantly, he compromised the integrity of the LASC, which is a court system that thousands of people rely on to administer justice.”

Kaspersky opens door of its threat monitoring to outside researchers

Security giant Kaspersky says it will be allowing more people to plug into its Threat Intelligence Portal soon. A new “general access” mode will let the public gain a look into a real-time intel portal that had previously only been open to a group of enterprise customers.

VMware issues new patches

Those running and administering VMware-powered servers and clients will want to get new patches for vCenter Server (an information disclosure bug) and ESXi/Fusion/Workstation (denial of service flaw).

ISPs lobbying against DNS-over-HTTPS

A Motherboard report citing leaked documents claims that American cable giant Comcast and other ISPs are using their lobbying might to push back against DNS-over-HTTPS (DoH) programs planned by Google and others.

The worry is that DoH would impact security tools and parental controls, as well as make it harder for law enforcement to catch criminals. The advantage of the shift, on the other hand, is to significantly improve online security and prevent eavesdropping and surveillance.

D-Link security warning expanded

A previously issued security alert by D-Link warned of a group of four out-of-support routers that were subject to a remote command execution vulnerability and would need to be replaced.

Now, the list has been expanded with additional entries, bringing the list of vulnerable, out-of-support models to ten in all. Again, D-Link no longer issues patches for this gear, so you should consider a new router if yours is vulnerable.

Kaspersky outlines anti-drone toolkit

Wary of the threat posed by quadcopter drones flying into unwanted areas, Kaspersky says it is working on a software platform that, when paired with antennas and other hardware (you have to provide your own; Kaspersky isn’t making any), could be used to ground any stray aircraft that fly into the area. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/28/roundup_october_25/

Uncle Sam demands summary judgment on Snowden memoir: We’re not saying it’s true, but no one should read it

The US government has gone back to court in a bid to get a summary judgment against whistleblower Edward Snowden and Macmillan – the publisher of his memoir, Permanent Record.

The centre of the US case is that Snowden failed to submit his manuscript for approval to the Central Intelligence Agency (CIA) before publication and therefore breached his non-disclosure agreement. The government also wants Snowden to stop giving public speeches referring to his intelligence work.

Government lawyers noted Snowden signed secrecy agreements with the CIA and National Security Agency (NSA) before starting work at both agencies. The papers refer to his work between 2005 and 2013 as both a staffer and contractor.

All the US administration wants at this stage is for the court to rule on Snowden’s liability, then it will decide on next steps.

The memorandum (PDF) in support of the application acknowledged that many of the facts are not in dispute. Snowden has publicly said, on The Daily Show no less, that he should have submitted his manuscript. His publisher said he would have done so had he believed the spies would review it in good faith.

It also points out that Snowden is making his living giving speeches “from international investment conferences to the TED stage to the Sorbonne – receiving glowing reviews and passionate applause from audiences around the world”. But these too should be pre-approved by his former employers.

If all this sounds like a ringing endorsement for Snowden’s books and speeches, the memo belatedly reminds us:

To be clear, for purposes of this lawsuit, the United States does not confirm or deny whether any of the above information – or anything at all in Snowden’s book – is classified, or even whether anything in the book is true or not…

But we could do worse than to recall what is true about Snowden’s revelations: the NSA blanket snooping on US citizens was illegal.

Snowden’s revelations also led to the ruling that British spy agency GCHQ’s unsupervised mass data slurp was also against the law.

Unfortunately, at the Federal Bureau of Investigation at least, not an awful lot has changed since.

Funnily enough, Macmillan has just signed up an exciting new literary talent to crack the autobiography charts next Christmas. They’ve done a deal to get ex-Trump gobpiece Sarah Huckabee Sanders to write her memoirs, due out next autumn, NDA allowing of course. We’re guessing the authors’ Christmas drinks are going to be totally awks… ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/25/us_gov_demands_summary_judgement_on_snowden/

Online Beauty Store Hit by Magecart Attack

An e-skimmer placed on the Procter & Gamble-owned First Aid Beauty site to steal payment card data went undetected for five months.

An online beauty store owned by Procter & Gamble was compromised by Magecart in May in a campaign that only ended today. First Aid Beauty, a site purchased by P&G earlier this year, went offline following notification of the attack from security researcher Willem de Groot.

First Aid Beauty used the Magento e-commerce platform, which patched 56 security vulnerabilities earlier in October. In the heavily obfuscated attack code, de Groot says, the criminals selected specifically for US customers and remained dormant when a user connected from a Linux system.

The malicious code captured included card number, expiration date, card owner name, and CVV code — everything required for a “card not present” credit card transaction.


Article source: https://www.darkreading.com/attacks-breaches/online-beauty-store-hit-by-magecart-attack/d/d-id/1336183?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Office Bug Remains Top Malware Delivery Vector

CVE-2017-11882 has been attackers’ favorite malware delivery mechanism throughout the second and third quarters of 2019.

The third quarter of 2019 brought the rise of keylogger Agent Tesla, the decline of phishing-delivered ransomware-as-a-service (RaaS), and attackers’ continued preference for exploiting the CVE-2017-11882 Microsoft Office vulnerability to deliver phishing campaigns.

Emotet began to surge toward the end of last quarter, according to Cofense’s Q3 2019 Malware Trends Report, the latest report in a series of phishing updates throughout the year. Summer lulls are not uncommon for cybercriminals, says threat intelligence manager Mollie MacDougall, as attackers and targets take more holidays. Emotet’s summer break contributed to the quiet.

It wasn’t completely silent on the phishing front. Researchers saw a shift from mostly information stealers in the second quarter, to keyloggers, namely Agent Tesla, in the third. The change doesn’t necessarily reflect a broader shift to keyloggers; nor does it relate to a specific campaign. The unconfirmed likelihood, MacDougall says, is Agent Tesla was “cracked,” enabling unpaid access to the service and increasing its popularity. Paid users of the keylogger can access an easy-to-use Web interface and customer support via Discord, enabling simpler propagation.

“Threat actors presumably saw an opportunity to leverage a cheap solution that does not require much effort for decent profit, namely in the form of credentials or sensitive information,” she adds.

Throughout the second and third quarters, researchers saw little change in the significant delivery mechanisms used to spread malware. The most common method, as seen in more than 600 incidents, is Microsoft Office vulnerability CVE-2017-11882, which remains a “prolific technique” for attackers to spread malware through phishing attacks, researchers report.

The memory corruption vulnerability, now patched, had existed for 17 years before a fix was released in Nov. 2017. This remote code execution bug exists in Microsoft Office when the software fails to properly handle objects in memory. It’s exploited using Office attachments, which may range from Excel spreadsheets, to Word docs, to RTF files. When a victim opens a malicious document, the exploit is triggered and usually downloads a “stage two” malware.

Following CVE-2017-11882, the other two most common delivery mechanisms were Office macros and Windows Script Component (WSC) downloaders. Attackers’ consistent use of the same delivery mechanisms could change as the holidays approach and Emotet reemerges, driving innovation among cybercriminals who may start using new variants and tactics.

“Around the holidays, phishing emails with malware often demonstrate a change in trend, opting for holiday greeting cards and graphics or sound with underlying nefarious code,” says MacDougall. Emotet’s operators typically pause around Russian Orthodox Christmas, she points out, and the threat typically experiences a resurgence in activity right before then – activity researchers began to see ramp up toward the end of the third quarter, MacDougall notes. Researchers anticipate Emotet’s operators will increase its volume and sophistication.

Another notable trend in the third quarter was the drop in RaaS, which has decreased as attackers swap large-scale campaigns for narrowly focused ones. GandCrab was taken offline; Sodinokibi, the ransomware that shares some of its code base, has seen a low rate of dissemination. Targeted attacks let cybercriminals keep a lower profile and benefit from a higher return ratio.

“The decline of RaaS may continue, but we definitely expect more targeted ransomware campaigns to continue and likely increase,” says MacDougall, noting it is “key” to differentiate between RaaS and targeted ransomware campaigns going after high-value targets. “With the sustained decline in active RaaS families in the last two years, that model seems to have been tabled as unlucrative as compared to other TTPs,” she adds of RaaS campaigns.

For more sophisticated attackers, targeted ransomware campaigns are bringing in larger payouts, especially as insurance companies contribute to ransom payments. The combination of insurers’ involvement, along with stories of how companies struggled to recover without paying ransom, may lead to a “test-the-water” resurgence in RaaS further down the road.

Looking ahead to the fourth quarter and beyond, MacDougall anticipates attackers will continue to use the delivery mechanisms that work best, often abusing software features that are essential to daily business operations along with known vulnerabilities. Emotet is predicted to remain in operation for “as long as possible” with periods of quiet for updates and retooling. Finally, she expects more election-focused campaigns as both nation-states and non-state groups aim to influence the 2020 elections with information operations and cyber espionage.


Article source: https://www.darkreading.com/operations/microsoft-office-bug-remains-top-malware-delivery-vector/d/d-id/1336182?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Firefox Privacy Protection makes website trackers visible

Mozilla has added another privacy tweak to Firefox version 70 – the ability to quickly see how often websites are tracking users.

The company calls it the Firefox Privacy Protection and users can access it by clicking on the address bar shield icon.

The drop-down itemises different kinds of trackers detected on each site, such as general-purpose third-party trackers (Google Analytics on a news site, say) or cross-site trackers which follow users from site to site.

In our testing, the feature worked well, although users might not notice many trackers being caught if they’ve already set Firefox’s Enhanced Tracking Protection (ETP) to a strict setting.

What it does visibly confirm is how many trackers Firefox now blocks of various types. Users can get an overview of all blocked trackers by clicking ‘show report’ at the bottom of the Enhanced Privacy Protection drop-down box.

Don’t look now

To back up its claim that privacy protection is worth having, the company released figures showing that Firefox had blocked 450 billion cross-site tracking requests since 2 July, shortly after ETP was first introduced.

Since then, that’s risen to 10 billion blocks per day:

Much of this work has been behind the scenes – practically invisible to you – making it so that whenever you use Firefox, the privacy protections are working for you in the background.

Lockwise

The desktop version of Firefox’s built-in password tool, Lockwise, gains the ability to generate a secure password when signing up for a new account. This can also be used to replace a current weak one with a new and more secure one.

Mozilla points out that access to Lockwise can be protected using Apple’s FaceID or Android’s TouchID face recognition systems.

For anyone who’s wondering, the encryption used with Lockwise is, to quote Mozilla:

  • AES-256-GCM encryption, a tamper-resistant block cipher technology.
  • onepw protocol to sign into Firefox accounts and obtain encryption keys.
  • PBKDF2 and HKDF with SHA-256 to create the encryption key from your Firefox account’s username and password.
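As an added illustration of the PBKDF2-then-HKDF-SHA-256 chain in that list (example code written for this page, not Mozilla’s Lockwise or onepw implementation), the block below stretches a password with PBKDF2 and then uses HKDF to split the result into two independent 32-byte keys, so that the value a client sends to prove the password does not reveal the key that protects the vault. The salt label, the `info` labels and the iteration count are assumptions chosen for the demonstration, and the AES-256-GCM step that would then use the wrap key is not shown.

```python
"""PBKDF2 -> HKDF-SHA256 key-derivation chain, as listed for Lockwise.

Added example, not Mozilla's code. The salt label, the HKDF `info` labels
and the iteration count are assumptions chosen for this demonstration.
"""
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM).

    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long for HKDF-SHA256")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: extract a PRK from the input keying material, then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def stretch_password(email: str, password: str, iterations: int = 1000) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password, salted with a fixed label plus the
    account email, so the same password on two accounts stretches differently.

    The label and the iteration count are assumptions for this example; a
    production system would pick iterations against its own latency budget.
    """
    salt = b"example.test/lockwise-demo/quickStretch:" + email.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, HASH_LEN)


def derive_account_keys(email: str, password: str) -> tuple[bytes, bytes]:
    """Derive two independent keys from one stretched password.

    auth_key: what a client would present to prove it knows the password.
    wrap_key: kept client-side to wrap/unwrap the AES-256-GCM vault key.
    Because the two use distinct HKDF `info` labels (assumed names here),
    a party that learns auth_key cannot compute wrap_key from it.
    """
    stretched = stretch_password(email, password)
    auth_key = hkdf(stretched, b"", b"demo/authPW", HASH_LEN)
    wrap_key = hkdf(stretched, b"", b"demo/unwrapBKey", HASH_LEN)
    return auth_key, wrap_key


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    a, w = derive_account_keys("alice@example.test", "correct horse battery staple")
    print("auth_key:", a.hex())
    print("wrap_key:", w.hex())
```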

Another new Lockwise feature is its integration with Firefox Monitor breach alerts, which now appear alongside the affected account.

On a side note, in a recent test by the German Federal Office for Information Security, Firefox was reportedly the only one of five browsers to be given a pass grade.

None of the features mentioned in this article were part of that assessment but it’s a creditable endorsement by the body that sets security standards in Germany’s public sector.

The latest version also fixes 13 CVE-level security vulnerabilities, two of which were rated ‘critical’.

Mozilla’s full summary of version 70’s new features can be found here.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TxqeyH4Au6Q/


Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

Adobe has pulled down an Elasticsearch database containing account info of 7.5 million customers that had been left open online.

The cloud instance was uncovered by data exposure detective Bob Diachenko, who reported it to Adobe last week.

The exposed accounts include email address, account creation data, products purchased, subscription status, member ID, country, last login, payment status, and whether the user is an Adobe employee.

For those out of the loop, Creative Cloud is the online successor to Adobe’s software suite of things like Photoshop, Illustrator, and Premiere. Users pay a monthly fee to access the various apps rather than buy them on CD.

The database contains pretty bog standard information and there were no payment card details or passwords included, so if you were one of the 7.5 million exposed you’re probably not in any danger of fraud or the theft of Creative Cloud subscriber accounts.

However, as Diachenko’s co-researcher and Comparitech editor Paul Bischoff notes, these sort of small details could be very useful for social engineering. They may not let a thief steal your account directly, but they could be the first step.

“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” Bischoff explains.

“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”


As the database has since been taken offline, there is no risk of further exposure. Diachenko reckons the database was online for around a week and there’s no indication if anyone else was able to view it.

“We are reviewing our development processes to help prevent a similar issue occurring in the future,” Adobe said of the exposure.

The media software giant has plenty of company in leaving a cloud database exposed.

With the advent of Shodan and other tools capable of automatically crawling large blocks of IP addresses, it has become clear that there are millions of databases on AWS and other cloud platforms that are set to allow public access.

While most of those databases and cloud instances don’t contain sensitive data, many were packed with files and information that the creators never intended to make public. Massive exposures have occurred at Veeam, the Mexican government and the RNC all thanks to misconfigured machines.

Admins and developers are advised to always make sure their machines are configured to only allow access to those who need it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/25/adobe_user_data_exposed/

4 Security Lessons Federal IT Pros Can Teach the Private Sector

With a little research and basic planning, small companies can make big strides against the cybersecurity threats they face. Here’s how.

Whether in the private or federal space, there’s one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an Internet connection can now launch a cyberattack from anywhere in the world by just pressing a button.

How can IT professionals effectively stretch their limited resources across their entire security domain? This is a dilemma that federal agencies have been dealing with for decades, and their solutions are something that anyone building a security infrastructure in the private sector should consider.

Lesson 1: Focus on the Fundamentals
Government agencies are responsible for some of the most sensitive information on the globe. What makes public sector cybersecurity more effective than a private enterprise with five times their overall IT operating budget? They know where to focus their limited resources, and they do the heavy work up front.

Private sector IT teams often fall victim to a common problem: being reactive instead of proactive in their approach to cybersecurity. In many cases, it’s only after a breach that a company will decide it’s finally time to invest in security infrastructure. Unfortunately, by that point, the goal is no longer to prevent an attack. It’s to prevent it from happening again.

This reactive approach in the private sector often stems from the notion that since the organization has never been attacked before, there is no reason to spend precious resources planning for something that may not happen at all. With competing IT priorities, private sector organizations often choose to put off spending money on security tools.

The reality, of course, is that no organization can afford to wait. Worse, an organization that holds off on creating a robust security infrastructure until it is hit by its first attack will spend much more time and resources remediating the threat than it would have spent preventing the threat. By 2021, cybercrime will be a $6 trillion industry. Organizations should do all they can now to avoid becoming a part of that statistic.

Lesson 2: Know Your Weaknesses
Every organization or business has unique vulnerabilities. Security teams should focus their cybersecurity efforts on the weakest areas to get the most out of their security investments.

For example, ransomware attacks usually target small and midsize businesses, local governments, and other organizations without strong backup strategies in place. Conversely, most small and midsize businesses will never need to worry about being the focus of an attack signature coming out of a foreign nation-state. For the US government, however, counter-intelligence is a constant threat.

With a little research and some basic planning, organizations can triage potential threats and immediately make huge strides in protecting against the most prominent cybersecurity concerns facing them and their industry.

Lesson 3: Create a Culture Around Security
Protecting citizen data and other sensitive information is a core part of the mission for most federal agencies, and everyone who interacts with that data is responsible for it — not just the IT team. Federal employees all recognize security concerns. Private sector organizations have a tendency to silo security, making protection the job of a select few. However, as the saying goes, a chain is only as strong as its weakest link, and every person in the organization represents a link.

Conversely, not having a mutual understanding of security culture across the organization can become problematic quickly. For example, it’s easier today than ever before for just about anyone to procure working space outside of their organization’s environment, whether that be spinning up an Amazon Web Services spot, creating a shared drive, or opening up a survey. Each of these instances opens up another attack surface that an organization’s IT team may not even be aware of. Everyone, including federal agencies, can do better at preventing shadow IT on their networks by getting out in front of it with bring-your-own-device policies and regular communication with the business around IT needs and priorities.

In addition to having a strong internal culture of security, the federal government makes a habit of sharing information externally, not only with its own government sector but across the whole of government. Private enterprises often shy away from being public about security breaches or they work only with similar businesses to share security information. The problem with this approach is that security teams are unaware of many avoidable security threats that could have been stopped with a larger and more open communication network.

Lesson 4: Take Advantage of Security Resources
The government has dedicated a significant amount of resources to develop security guidelines that are publicly available. Examples include the NIST Special Publication series that deals with issues in cybersecurity policy and procedures, the NIST Cyber Security Framework, which gives a great example of how to create an overall security architecture, and US CERT, an agency which provides ongoing updates around current cybersecurity issues. Anyone can review these guidelines and get solid recommendations on how to build a cybersecurity framework, how to staff it, and how to maintain it. These resources are a great place for organizations to start and will go a long way toward keeping them safe from cyberattacks and security breaches. 


Article source: https://www.darkreading.com/risk/4-security-lessons-federal-it-pros-can-teach-the-private-sector/a/d-id/1336157?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Get Up to Speed on the Latest Cryptographic Techniques at Black Hat Europe

Study the weaknesses of WPA-TKIP encryption and bone up on the most secure cryptographic APIs at Black Hat Europe.

When Black Hat Europe returns to London this December it brings with it a smorgasbord of practical cybersecurity tools and teachings, including a bunch of great Cryptography Briefings that aim to give you an edge when it comes to implementing (or cracking) encryption.

Practical Side-Channel Attacks Against WPA-TKIP promises to show you some new tricks for attacking WPA-TKIP Wi-Fi network encryption, an outdated standard now that the Wi-Fi Alliance has released the more secure WPA3 protocol. Researchers will demonstrate how WPA-TKIP is still being used on over 40% of the Wi-Fi networks they tested across the U.S., Germany, and Belgium. Expect to walk away with a much better understanding of the flaws in WPA-TKIP, and how to analyze and exploit them in your own work.

In Chain of Fools: An Exploration of Certificate Chain Validation Mishaps the folks at Duo Security will walk you through the implications of poor cryptographic API design, how insecure certificate chain validation implementations can be exploited and how widespread usage of APIs like Android SafetyNet can be found in certain verticals. You’ll also get useful advice for both implementers and cryptographic API authors, like how to choose misuse-resistant cryptographic APIs and what to do when faced with misuse-prone cryptographic primitives.

How to Break PDF Encryption promises detailed insights and results from the analysis of PDF encryption tests on 27 of the most popular PDF viewers on the market. Researchers will also demonstrate two novel techniques for breaking the confidentiality of encrypted documents and walk you through responsible identification and disclosure processes.

Get more information on these and lots of other useful content in the Briefings schedule for Black Hat Europe, which returns to ExCeL London December 2-5, 2019.

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/get-up-to-speed-on-the-latest-cryptographic-techniques-at-black-hat-europe/d/d-id/1336176?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Building a Cybersecurity Culture: What’s Love Got to Do With It?

Turns out, a lot. Get people to fall in love with the security team, and you’ll get them to care about security, CISOs say in this second installment of a two-part series.

Fredrick “Flee” Lee is CISO at Gusto, a cloud-based payroll, benefits, and human resource management software provider. Along with his fun-sounding nickname, he has a playful view on how to get organization-wide buy-in on security: Get people to fall in love with the security team.

“The key to building and instilling a security culture within an organization is to make security lovable,” Lee says. “Security can’t hide behind their hoodies, so to speak. Security should be the most approachable team in the room so that other teams within the organization want to actively engage with [them], instead of skirting around [them].”

Security is serious, Lee explains, but you want your security team to be approachable — to be seen as the helpers, he says. Nail that and suddenly security isn’t seen as a roadblock or barrier; it’s the team who’s going to go out and find solutions to securely enable products and features that weren’t possible in the past.

At Gusto, Lee says he accomplishes this by conducting security team-building and offsite activities with colleagues from other teams, and by having an open-door policy and office hours so anyone, from any division, can feel welcome to approach with questions. He also offers lab-based training for developers.

“You don’t get someone to fall in love with a sport by throwing the rule book at them,” Lee says. “You let people experience it. At Gusto, we’ve implemented lab-based training with an emphasis on collaboration. Our security pros don’t go up to a whiteboard and dictate what to do to developers as a lecture. Instead, we create learning modules that enable developers to think like hackers. We let them wear the hoodie, so to speak. That way we create champions and evangelists who get their teams excited about security.”

Lee also makes sure to keep his security folks visible year-round by seating them among the teams they support.

“That way they’re viewed as part of the team, instead of a compliance layer,” he says.

Next Stop: Cybersecurity Utopia?
Jon Check, too, sees the need for security to be personable. The senior director of cyber protection solutions at Raytheon Intelligence, Information and Services has been working lately on educating others about what he calls “Cyberlandia” – the optimum state of cyber readiness featuring happy employees who feel empowered and energized to face whatever threats are thrown their way.

“A healthy, positive workplace culture is an organization’s greatest cybersecurity deterrent,” Check says. “Instead of taking a reactive stance to adversarial threats, corporations should invest their time, budgets, and energy into a crucial asset that isn’t often discussed: a corporate culture rooted in employee well-being.”

A people-first approach to designing security is the first step to reaching Cyberlandia, Check says. It requires a soft touch when communicating with employees.

“Given the sensitive work within the cybersecurity sector, there are always high-stress and high-risk discussions in the workplace,” he says. “An effective manager will strategically disclose this information to those who need to hear it, knowing that misplaced information could cause undue stress across the office.”

Speak Softly – and Lose the Big Stick
Indeed, the soft skills of communication are essential to building security culture, says Geoff Belknap, CISO at LinkedIn. But while the security team doesn’t want to instill fear and scare people into secure behavior — that isn’t effective, Gusto’s Lee says — it is still essential to be honest and frank about what’s at stake when it comes to risk mitigation.

“I do think there’s an interpersonal element of security culture that can get overlooked. Historically, security teams have taken on the ‘policing’ role in an organization — enforcing security practices and emphasizing the negative consequences of mistakes,” Belknap says. “The problem with this mindset is that it creates an adversarial dynamic of ‘us versus them,’ when in reality, security affects the entire organization and should be everyone’s responsibility.”

It’s all about creating a security-aware culture, he adds. As part of that, it’s critical for security teams to convey why security is a priority for everyone using language that employees from all levels of the organization can understand.

“Avoiding jargon or falling back on ‘that’s just the way it is’ when you’re explaining things will go a long way toward fostering understanding throughout the organization,” Belknap says.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/building-a-cybersecurity-culture-whats-love-got-to-do-with-it/b/d-id/1336174?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple