STE WILLIAMS

FBI called in to investigate 2018 Mountain State mobile voting system hacking

The state of West Virginia says someone attempted to hack its citizens’ votes during the 2018 mid-term elections.

A statement issued this week by US Attorney Mike Stuart of the Southern District of West Virginia revealed that the FBI has been called in and is actively investigating at least one attempt to tamper with election results.

“My office instituted an investigation to determine the facts and whether any federal laws were violated. The FBI has led that investigation,” Stuart said.

“That investigation is currently ongoing and no legal conclusions whatsoever have been made regarding the conduct of the activity or whether any federal laws were violated.”

According to the US attorney, the unknown hacker, only referred to as an ‘outside party’ tried (and failed) to get access to the mobile voting system the state used for military service members stationed overseas.

Known as Voatz, the system was put into use as a pilot program during the 2018 mid-terms. According to a post-election audit of the program (PDF), 147 military service members downloaded and used the app to cast their ballots from 24 different countries.

Roughly one year after the election, word has now surfaced that the program was also subject to hack attempts. The state is hoping that, in addition to catching the culprit behind the attempt, the investigation will also allow it to better secure all of its voting systems ahead of what is shaping up to be a landmark 2020 Presidential election campaign.

“The reliability of our election system and the sanctity of every vote is something we should never have to question,” said Stuart.

“Sadly, the challenge and threat isn’t only foreign interference but, rather, institutions, interest groups, third parties and trouble makers that seek to test or challenge or ultimately undermine the legitimacy of our elections and, as a result, our governing institutions and our government.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/02/west_virginia_election_hacking/

Zendesk clocks 10,000 accounts accessed by miscreants before November 2016

Zendesk has admitted to suffering a data snafu – but while it affects 10,000 customers, it only applies to those who were using the firm’s helpdesk products before 1 November 2016.

In an email to all its customers, seen by The Register, Zendesk coughed to the breach.

“We recently became aware of a security matter that may have affected Zendesk Support and Chat products and customers of those products activated prior to November 1, 2016,” the firm told its customers.

Zendesk’s main products are for companies wanting off-the-shelf customer support systems.

Spokeswoman Erica Faltous told The Reg that Zendesk was contacted by a “third party”, triggering an internal investigation and also, she said, informing regulatory agencies.

TLS certificates were affected. Given the time span, a few certificates issued before November 2016 could theoretically still be in use, since publicly trusted certificates could at the time be issued with lifetimes of around three years, though the number still valid at this stage is probably small.

When we asked about these, Faltous said: “TLS certificates for a small number of customers who provided those for use in the product were exposed. An even smaller amount of these are still valid and in use, and we have reached out to customers to ensure they can revoke and replace these certificates.”

As for the security incident itself, Zendesk reckons it hasn’t seen unauthorised use of stolen login creds just yet. Faltous said: “We have no indication at this time that authentication credentials were used in an unauthorized manner. However, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016.”

All those with Zendesk accounts in 2016 have had their passwords expired, we understand, to include “all active agents in Support and Chat, and all end users in Support”.

Zendesk has published a blog with more information. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/02/zendesk_breach_ten_thousand_accounts_2016/

Medic! Uncle Sam warns hospitals not to use outdated IPnet freely on their networks

The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices.

The flaws, mostly buffer overflows and other memory-corruption bugs in various components of IPnet, can potentially be exploited by miscreants to remotely take control of equipment, in this case medical implants and the base stations that manage them.

IPnet was acquired by Wind River when it gobbled up Interpeak in 2006, though by then the stack had been licensed to loads of vendors. As such, the wonky code is present in some editions of Wind River’s VxWorks, Microsoft’s ThreadX, Enea’s Operating System Embedded (OSE), Green Hills’ INTEGRITY, the TRON Forum’s ITRON, and IP Infusion’s ZebOS, all of which are used in medical systems among other specialist gear.

While the vulnerabilities, known collectively as Urgent/11, have been public since July, when Wind River issued a bulletin about IPnet, security researchers have since found that the flaws are more widespread than first believed and could be present in any device that uses the stack for networking.

“Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support,” the US FDA explains.

“Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today.”

Obviously, the risk from these flaws would depend on the use case, but few medical implants, if any, would be directly vulnerable. Rather, the communications between controller base stations and home servers or the hospital’s own LAN would be more likely to be exposed.

The FDA is advising IT admins to keep a close eye on their networks for signs of exploitation of Urgent/11 holes, and make sure to lock down their firewalls and VPN setups. Manufacturers, meanwhile, are being advised to take a close look at their products and patch or replace anything that uses the dated IPnet stack.

Ransomware attack leaves patients out in the cold

Of more immediate worry for patients and doctors is the report out of Alabama that three hospitals in the state are shutting down some of their operations in the midst of an ongoing ransomware attack.

DCH Health System says that its hospitals in Tuscaloosa, Northport, and Fayette will all be turning away non-critical patients for the foreseeable future as it works to clean up after the attack.

“While the attack has impacted DCH’s ability to accept new patients, we are still able to provide critical medical services to those who need it,” the hospital chain said.

“Patients who have non-emergency medical needs are encouraged to seek assistance from other providers while DCH works to restore its systems.”

No estimate was given for when the hospital might be back online and taking in new patients. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/02/fda_ipnet_alert/

How Private Are You?

Think twice before posting about … grits.

Source: BuzzFeedVideo

Article source: https://www.darkreading.com/edge/theedge/how-private-are-you/b/d-id/1335969?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

MasterMana Botnet Shows Trouble Comes at Low Cost

For less than $200, attackers were able to infect thousands of systems, stealing user credentials, cryptocurrency wallets, and web histories, an analysis finds.

A cybercrime campaign that starts with phishing, uses Bit.ly and Pastebin to pass commands, and results in the theft of the victim’s user credentials, cryptocurrency wallets, and web history may have cost as little as $160 to run and likely infected thousands of systems every week, according to two researchers with security firm Prevailion.

The campaign, which the firm calls the MasterMana botnet, keeps costs down by hosting it on a single virtual private server and using public services as drop boxes for documents that contain encrypted commands, according to the firm’s October 2 analysis. The attack highlights the asymmetry between attackers and defenders — with a few hundred dollars, attackers can breach defenses that may cost hundreds of thousands or millions of dollars annually, says Danny Adamitis, director of intelligence for Prevailion.

“When it came down to monetary cost, the only thing that these actors were paying for was the $100 for one Trojan and the $60 a month for a virtual private server from one particular provider,” Adamitis says. “You can cause so much mayhem for so little money.”

While a great deal of industry focus is on opportunistic attacks that could potentially affect hundreds of thousands of systems, or targeted attacks that home in on a few dozen victims, the bargain-basement infrastructure used by MasterMana shows that even small-time attacks can be a worry for companies if they’re conducted by relatively skilled attackers, Adamitis says.

In their analysis of the botnet, Prevailion’s researchers argued that the balance between sophistication and low-cost techniques hit a sweet spot that many advanced persistent threats (APTs) miss. The attack is “sophisticated enough to avoid automated detection through third-party services and obfuscation, while remaining below APT-level sophistication to avoid drawing attention to their campaign,” Adamitis and Adam Flatley, vice president of tailored intelligence, wrote in the analysis.

The attack starts with phishing e-mails requesting information about the targeted company’s products. While the e-mail messages are not very well constructed, thousands of victims have apparently opened the attached Microsoft Excel file. If the victim opens the attachment, either a macro will run and connect to Bit.ly or, in another case, the attackers used a vulnerability from 2017. While Prevailion did not see other file formats used in the attack, the company has seen other analyses citing malicious documents in Microsoft’s other file formats, including Word, PowerPoint, and Publisher.

The Bit.ly link led to a Blogspot page, which then ran malicious JavaScript code that, in turn, downloaded and ran code from Pastebin. The multiple redirections make it harder to analyze the code and to automatically assess whether the application is malicious, Adamitis says. The code created scheduled tasks and modified a registry key, which provides persistence and can download the remote access trojan (RAT).
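The chain described above is detectable from two vantage points: the web proxy sees one host walk Bit.ly, then Blogspot, then Pastebin in quick succession, and the endpoint sees a scheduled task created and a Run key written shortly afterwards. The following is an added example of that correlation, not Prevailion’s tooling or data. The log formats, host names, URLs, task name and registry path are constructed for the example; only the redirect order and the persistence mechanisms come from the article.

```python
"""
Correlate a Bit.ly -> Blogspot -> Pastebin redirect chain seen at the proxy
with scheduled-task and Run-key persistence seen on the endpoint.
All log lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Ordered redirect chain the macro walks. One host touching all three in this
# order inside WINDOW is far more telling than any single request to these sites.
CHAIN = ("bit.ly", "blogspot.com", "pastebin.com")
WINDOW = timedelta(minutes=10)

# Constructed proxy log: "<ISO time> <client host> <url>"
PROXY_LOG = """\
2019-10-01T09:00:02 ws-17 https://bit.ly/2xAbCdE
2019-10-01T09:00:03 ws-17 https://someblog.blogspot.com/p/update.html
2019-10-01T09:00:05 ws-17 https://pastebin.com/raw/AbCd1234
2019-10-01T09:14:10 ws-22 https://pastebin.com/raw/ZzYy9876
2019-10-01T10:30:00 ws-31 https://bit.ly/3FfGgHh
2019-10-01T12:45:00 ws-31 https://pastebin.com/raw/QqRr5555
"""

# Constructed endpoint events (Sysmon-like, flattened): "<ISO time> <host> <type> <detail>"
ENDPOINT_LOG = """\
2019-10-01T09:00:07 ws-17 ProcessCreate schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\upd.vbs
2019-10-01T09:00:08 ws-17 RegistrySet HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd = wscript.exe C:\\Users\\Public\\upd.vbs
2019-10-01T11:00:00 ws-22 ProcessCreate schtasks.exe /query
"""


def _domain_matches(url: str, suffix: str) -> bool:
    host = urlparse(url).hostname or ""
    return host == suffix or host.endswith("." + suffix)


def find_redirect_chains(log: str) -> dict:
    """Return {host: [timestamps]} for hosts that walk CHAIN in order, with
    every hop inside WINDOW of the first one."""
    per_host = defaultdict(list)
    for line in log.splitlines():
        ts, host, url = line.split(" ", 2)
        per_host[host].append((datetime.fromisoformat(ts), url))

    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, url0) in enumerate(events):
            if not _domain_matches(url0, CHAIN[0]):
                continue
            stage, seen = 1, [t0]
            for t, url in events[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if _domain_matches(url, CHAIN[stage]):
                    seen.append(t)
                    stage += 1
                    if stage == len(CHAIN):
                        hits[host] = seen
                        break
            if host in hits:
                break
    return hits


def find_persistence(log: str) -> list:
    """Flag scheduled-task creation and Run-key writes as (host, reason) pairs."""
    findings = []
    for line in log.splitlines():
        _, host, kind, detail = line.split(" ", 3)
        d = detail.lower()
        if kind == "ProcessCreate" and "schtasks" in d and "/create" in d:
            findings.append((host, "scheduled task created: " + detail))
        elif kind == "RegistrySet" and "\\currentversion\\run\\" in d:
            findings.append((host, "Run key modified: " + detail))
    return findings


def correlate(proxy_log: str = PROXY_LOG, endpoint_log: str = ENDPOINT_LOG) -> list:
    """Hosts that both walked the redirect chain and set up persistence."""
    chains = find_redirect_chains(proxy_log)
    persist = {h for h, _ in find_persistence(endpoint_log)}
    return sorted(chains.keys() & persist)


if __name__ == "__main__":
    print("redirect chains:", find_redirect_chains(PROXY_LOG))
    for host, why in find_persistence(ENDPOINT_LOG):
        print(host, why)
    print("both:", correlate())
```

Only ws-17 is reported: ws-22 merely fetched a Pastebin URL, and ws-31 hit Bit.ly and Pastebin hours apart without the Blogspot hop. Requiring the ordered sequence, rather than alerting on each public service individually, is what keeps this usable on a network where people legitimately use all three.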

Using statistics provided by Bit.ly and Pastebin, Adamitis estimated that 2,000 systems interacted with the botnet sites every week. Although that doesn’t mean that 2,000 systems were infected each week, the number suggests that the activity continues and that the botnet remains a threat.

“This is one of those attacks that should be threat modeled and you should worry about, because this type of approach is going to affect a large number of people,” Adamitis says.

Many attributes of the attack are hallmarks of the Gorgon Group, a Pakistan-affiliated team of cybercriminals, according to Prevailion. The Gorgon Group does not just focus on financial fraud and cybercrime but also conducts attacks against government organizations and has been linked to attacks against Spain, Russia, the United Kingdom, and the United States. The group has used a variety of software tools in the past, including njRAT, QuasarRAT, and Remcos, according to MITRE’s ATT&CK framework.

The Prevailion researchers recommend that companies protect their systems with updated security software, firewalls, and some form of attack detection. Both of the initial file-infection vectors — using a macro to install software and exploiting a 2-year-old vulnerability — would be caught by most forms of modern endpoint security.

In addition, properly updated endpoint security software would have stopped the RAT from running, according to the researchers’ analysis.

Article source: https://www.darkreading.com/threat-intelligence/mastermana-botnet-shows-trouble-comes-at-low-cost/d/d-id/1335970?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google’s ‘Password Checkup’ Tool Tells You When Passwords Are Leaked

The feature will check the strength of saved passwords and alert users when they’re compromised in a breach.

Google is building a “password checkup” tool into its account controls to improve password habits by telling people if their passwords are weak and when they have been compromised.

This marks an expansion of Google’s Password Checkup browser extension, which has accumulated more than 1 million downloads and has warned half of its users about a compromised password since it launched earlier this year. Password Checkup is available in the Google account dashboard on the web and on Android devices; later this year, it will be built into the Chrome browser.

Starting today, Google has embedded Password Checkup into its password manager (passwords.google.com), which stores passwords for users who save them in Google Chrome. Here, they can view the passwords stored in Chrome and check their strength and security. Password Checkup and the password manager are built into each person’s Google account.

Password Checkup will inform users if their password has been compromised in a third-party breach, if passwords are reused across different websites, or if they should be strengthened.

Weak passwords continue to put people at risk. Today Google also published the findings from a password study conducted with the Harris Poll. Nearly one-quarter of US adults have used passwords including “abc123,” “Password,” “123456,” “Iloveyou,” “111111,” “Qwerty,” “Admin,” “Welcome,” or some variation. Nearly 60% have incorporated a name or birthday into a password. Researchers say 75% of respondents struggle to keep track of their passwords.

Article source: https://www.darkreading.com/cloud/googles-password-checkup-tool-tells-you-when-passwords-are-leaked/d/d-id/1335971?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Quantum-Safe Cryptography: The Time to Prepare Is Now

Quantum computing is real and it’s evolving fast. Is the security industry up to the challenge?

Media reports that Google may have used a quantum computer to crack a problem even the fastest supercomputers could not solve describe a significant milestone on the journey to large-scale quantum computing. For cybersecurity professionals who have been waiting for this milestone, it should be the proverbial starting pistol to begin ensuring their infrastructure is agile and resilient.

Quantum supremacy, the point at which a quantum computer solves a problem that no classical computer can solve in any practical amount of time, is the long-chased milestone that proves quantum computing can be more than just a science project. In a paper briefly posted on the NASA website, and then taken down, Google engineers reportedly described using a quantum processor to solve a specific calculation in three minutes and 20 seconds that would have taken the most advanced classical supercomputer 10,000 years. Quantum computers process information with qubits, which behave according to quantum mechanics and offer a new bag of tools, such as superposition and interference of states, quantum entanglement, and the uncertainty principle. This makes them fundamentally different from classical computers and, for certain classes of problem, far more powerful.

While scientifically and technologically significant, the real-world relevance of Google’s potential achievement is extremely limited. We’re still far from the large-scale, noiseless quantum computer that will break current encryption standards. And that’s good, because it provides organizations around the world — from enterprises and governments to security solution providers and original equipment manufacturers — the time necessary to begin protecting their networks, connected devices, and confidential data. But it is a wake-up call — and the time to prepare may be shorter than some think.

Because quantum computers can solve problems that confound classical computers, they will also be capable of cutting through some of the most common public key cryptographic algorithms used globally: a large enough quantum computer running Shor’s algorithm breaks RSA, Diffie-Hellman and elliptic-curve cryptography outright, whereas symmetric ciphers and hash functions lose only part of their security margin and can be kept safe with longer keys and outputs. This means all the data, from financial records and medical charts to military orders and diplomatic communiques, that moves safely around the world today, as well as connected devices that rely on embedded public key cryptography to remain trusted and protected, will be vulnerable to exposure with a large-scale quantum computer.

Such data is already vulnerable to a “harvest and decrypt” attack, in which a hacker steals encrypted data with long-term value — Social Security numbers, military information — and sits on it until a quantum computer can crack the encryption and unlock the secrets. Likewise, it’s quite possible that many connected devices with long useful lives — including cars and smart sensors being designed today — will still be in use when quantum computers are widespread. For these reasons, the need to think about quantum-safe computing is now — and not something to put off for a few more years. Think about how rapidly the digital age advanced and overtook industries that did not adapt.

The good news: There are robust cryptographic approaches that are resistant to the capabilities of a quantum computer. (Disclosure: ISARA is among a handful of teams working to make these mathematical approaches practical in commercial applications.) Implementing them, though, is likely to take several years. The time to prepare is now, even though we do not know for certain when a quantum computer will be powerful enough to break current encryption.

What every good IT manager does know is that there rarely is a system upgrade that goes exactly as planned. And for many organizations, changing cryptography is logistically challenging, costly, and time consuming. Encryption is embedded so deeply into most systems that upgrading it will require a full risk assessment to identify all of the parts of a company’s infrastructure that use cryptography and where the most vulnerable components of a network are so that a proper migration plan can be established.

Cryptographic agility — commonly defined as the ability to respond and adapt to the ever-changing cybersecurity environment, needs, and threats — allows organizations and OEMs to easily change cryptographic algorithms without major changes to the surrounding infrastructure. Although not a field that has been at the forefront of the technology industry, it will be vital in the coming years. The National Institute of Standards and Technology advocates this type of agility.
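What cryptographic agility looks like at the code level is an algorithm identifier carried with every signature, ciphertext or token, a registry that maps identifiers to implementations and to a policy state, and callers that never hard-code a primitive. The following is an added example of that pattern, not code from ISARA, NIST or any product. HMAC over SHA-2 and SHA-3 stands in for whatever quantum-safe primitive a real deployment would register; the algorithm names, the policy states, the key and the messages are assumptions made for the example.

```python
"""
A small algorithm-agile message authentication layer. Tokens name the
algorithm that produced them; the registry decides what may be issued, what
may still be verified during a migration, and what is refused outright.
"""
import hashlib
import hmac

# alg name -> (digest constructor, policy)
#   "ok"          may issue and verify
#   "verify-only" being retired: old tokens still verify, no new ones are issued
#   "retired"     refused even if the tag would have been correct
REGISTRY = {
    "hmac-sha1":     (hashlib.sha1,     "retired"),
    "hmac-sha256":   (hashlib.sha256,   "verify-only"),
    "hmac-sha3-256": (hashlib.sha3_256, "ok"),
}
PREFERRED = "hmac-sha3-256"
KEY = b"example-key-do-not-use"   # constructed for the example


def can_sign(alg: str) -> bool:
    return REGISTRY.get(alg, (None, "retired"))[1] == "ok"


def _make(alg: str, message: bytes, key: bytes) -> str:
    """Compute "<alg>:<hex tag>" without consulting policy; sign() and verify()
    wrap this so the policy check lives in one place each."""
    digest = REGISTRY[alg][0]
    return "%s:%s" % (alg, hmac.new(key, message, digest).hexdigest())


def sign(message: bytes, key: bytes = KEY, alg: str = PREFERRED) -> str:
    """Issue a token with the preferred (or an explicitly allowed) algorithm."""
    if not can_sign(alg):
        raise ValueError("%s may not be used for new tokens" % alg)
    return _make(alg, message, key)


def verify(token: str, message: bytes, key: bytes = KEY) -> tuple:
    """Return (valid, alg, needs_reissue). Unknown and retired algorithms fail
    closed; a valid token under a verify-only algorithm is flagged for reissue."""
    alg, _, _tag = token.partition(":")
    entry = REGISTRY.get(alg)
    if entry is None or entry[1] == "retired":
        return False, alg, False
    expected = _make(alg, message, key)
    ok = hmac.compare_digest(expected, token)
    return ok, alg, ok and entry[1] != "ok"


def migrate(token: str, message: bytes, key: bytes = KEY) -> str:
    """Re-issue a still-valid legacy token under the preferred algorithm.
    Callers do not change when PREFERRED changes; only the registry does."""
    ok, alg, needs_reissue = verify(token, message, key)
    if not ok:
        raise ValueError("refusing to migrate an invalid token (%s)" % alg)
    return sign(message, key) if needs_reissue else token


if __name__ == "__main__":
    msg = b"order 42: pay 1,200.00 to account 9876"
    new = sign(msg)
    old = _make("hmac-sha256", msg, KEY)        # a token issued before the change
    print(new)
    print(verify(old, msg))                     # valid, but flagged for reissue
    print(migrate(old, msg) == new)
```

The point is the shape, not the primitives: swapping in a post-quantum MAC or signature is a new registry entry plus a change to `PREFERRED`, and the existing `verify()`/`migrate()` path handles the transition window. The inventory the previous paragraph calls for is what tells you which systems still emit the verify-only identifiers and therefore still need the reissue step.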

The computer industry has been able to depend on current standards for decades; however, we now know that, as in so many areas of technology, flexibility is the key to long-term success when it comes to maintaining the effectiveness of our underlying security. Being nimble in the quantum age will be essential as powerful quantum computers undoubtedly unlock entirely new fields of research and potentially drive the need for even more rapid responses in the future.

Google has shown us that another major milestone on the road to large-scale commercial quantum computing may have been achieved. The message here is that quantum computing development is real and it’s evolving fast. We should react by developing our crypto-agility strategies so that we’re ready to implement quantum-safe security when the time is right.

Scott Totzke is chief executive officer and cofounder of ISARA Corporation, a Waterloo, Ontario-based security solutions company that offers production-ready quantum-safe tools and agile technologies needed to enable simplified and seamless cryptographic migrations.

Article source: https://www.darkreading.com/vulnerabilities---threats/advanced-threats/quantum-safe-cryptography-the-time-to-prepare-is-now/a/d-id/1335935?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Silent Starling Attack Group Puts Spin on BEC

The West African cybergang has successfully infiltrated more than 500 companies using a tactic dubbed ‘vendor email compromise.’

A new West African cybercriminal group is targeting vendors with a technique called “vendor email compromise,” which it has used to successfully compromise more than 700 employee email accounts at more than 500 companies in at least 14 countries, Agari researchers report.

The Agari Cyber Intelligence Division (ACID) began watching Silent Starling in July. Researchers say the group has three primary members in Nigeria, though the group is believed to be larger. Activity started in 2015 and mostly consisted of romance scams and check fraud before pivoting to business email compromise (BEC) in 2016 and vendor email compromise (VEC) in 2018.

BEC is an increasingly common enterprise threat, costing organizations up to $300 million each month, the US Treasury Department reports. Payment invoice scams, which made up nearly half of all fraudulent transactions in 2018, cost businesses more than $1.5 billion that year. This is likely to grow as criminals gain access to, and abuse, legitimate email accounts, Agari reports.

VEC puts a new spin on an old threat. In traditional BEC scams, attackers pretend to be high-ranking employees to request wire transfers from the finance department. Silent Starling, the first group spotted using VEC, instead targets vendors with a low-and-slow approach that ultimately leads to a higher payout.

ACID was researching BEC attacks in July when one suspicious email requested a wire transfer. The team engaged with the attacker, requesting bank account numbers to complete the transfer and continuously saying the bank rejected them. For months the attacker sent numbers for different mule accounts used to launder money, eventually giving 13 to ACID.

Researchers sent the mule account data to law enforcement and financial partners but continued to investigate Silent Starling, discovering a sophisticated operation that takes far more time, patience, and research to pull off. A new report published today details the findings.

Inside A VEC Attack
It starts with an email, says Crane Hassold, senior director of threat research at Agari. Silent Starling typically compromises an employee account with a phishing page spoofing OneDrive or DocuSign. Once they obtain credentials, the attackers set up forwarding rules so the employee’s emails are forwarded to an inbox they control. Then they sit, wait, and observe.

“A number of the accounts they were able to compromise were employees in accounts receivable, CFOs, [and] office managers involved with day-to-day financial transactions,” he says. OneDrive is by far the most common phishing page, intended to lift enterprise credentials that are generally worth more because they can be exploited in several different ways, he adds.
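The forwarding rule is the one durable artifact in this stage of the intrusion, and it lands in the mailbox audit log. The following is an added example of scoring those audit records, not Agari’s analysis or data. The JSON records are constructed for the example and loosely follow Exchange Online mailbox-audit field names; the organisation domain, user names, rule contents and score weights are assumptions.

```python
"""
Flag mailbox rules and settings that forward a compromised employee's mail to
an address outside the organisation. Audit records below are constructed.
"""
import json

ORG_DOMAINS = {"example-vendor.com"}    # assumed: the vendor's own mail domains

# Constructed audit records, one JSON object per line.
AUDIT_LOG = """\
{"time":"2019-07-02T03:12:44Z","user":"ar.clerk@example-vendor.com","op":"New-InboxRule","params":{"Name":".","ForwardTo":["b1ll1ng.desk@gmail.com"],"DeleteMessage":true,"SubjectContainsWords":["invoice","payment"]}}
{"time":"2019-07-02T08:15:00Z","user":"cfo@example-vendor.com","op":"New-InboxRule","params":{"Name":"Board","ForwardTo":["assistant@example-vendor.com"],"DeleteMessage":false}}
{"time":"2019-07-03T01:40:19Z","user":"office.mgr@example-vendor.com","op":"Set-Mailbox","params":{"ForwardingSmtpAddress":"smtp:office.mgr.backup@outlook.com","DeliverToMailboxAndForward":true}}
{"time":"2019-07-03T09:00:00Z","user":"cfo@example-vendor.com","op":"Set-Mailbox","params":{"AuditEnabled":true}}
"""


def _is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in ORG_DOMAINS


def forwarding_targets(record: dict) -> list:
    """Every destination a rule or mailbox setting forwards to."""
    p = record.get("params", {})
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets.extend(p.get(key, []))
    if p.get("ForwardingSmtpAddress"):
        targets.append(p["ForwardingSmtpAddress"])
    return targets


def score_record(record: dict) -> tuple:
    """Return (score, reasons); 0 means nothing suspicious. Weights are assumed."""
    if record.get("op") not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        return 0, []
    p = record.get("params", {})
    score, reasons = 0, []
    ext = [t for t in forwarding_targets(record) if _is_external(t)]
    if ext:
        score += 5
        reasons.append("forwards to external: " + ", ".join(ext))
    if p.get("DeleteMessage"):
        score += 3
        reasons.append("deletes the original, hiding the forward from the owner")
    if "Name" in p and p["Name"].strip(".") == "":
        score += 1
        reasons.append("rule name is empty or only dots")
    words = [w.lower() for w in p.get("SubjectContainsWords", [])]
    if any(w in ("invoice", "payment", "wire", "remittance") for w in words):
        score += 2
        reasons.append("targets financial subjects")
    return score, reasons


def suspicious_forwarding(log: str = AUDIT_LOG, threshold: int = 5) -> list:
    """(user, score, reasons) for every record at or above the threshold."""
    out = []
    for line in log.splitlines():
        rec = json.loads(line)
        score, reasons = score_record(rec)
        if score >= threshold:
            out.append((rec["user"], score, reasons))
    return out


if __name__ == "__main__":
    for user, score, reasons in suspicious_forwarding():
        print(user, score, "; ".join(reasons))
```

An external forwarding destination alone crosses the threshold, because in most organisations that should be rare enough to review by hand; the delete-the-original flag, the throwaway rule name and the financial subject filter only raise the priority. Note that `Set-Mailbox` with `ForwardingSmtpAddress` is caught as well as inbox rules, since it achieves the same effect without creating a rule at all.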

To maximize its effectiveness, Silent Starling needs to understand the workflow of its target. Attackers analyze emails to personalize the messages they send to the organization’s employees, customers, and partners. This is what sets VEC scams apart: By collecting intel on transactions, conversations, and exchanges, attackers can learn how people communicate and how a vendor structures its invoicing process. As a result, they’re well-equipped to create emails that are “virtually undetectable,” researchers say in their report – even more so as their fraudulent emails are sent from a legitimate account.

When the opportunity arrives, the attackers use this intelligence to slip into the transaction process: they send a fake invoice to the target vendor’s client, updating the customer with new banking details. The client, who doesn’t notice the email is fake, then sends the money directly to the attackers.

Small Targets, Big Payoff
What’s interesting about Silent Starling’s approach is it targets smaller victims, Hassold explains. Its biggest target was a US-based company with only a couple hundred employees; its smallest had only a couple. These vendors are a jumping-off point so the group can take money from its real targets: the much-larger organizations paying smaller firms to perform a specific service.

Still, the group doesn’t have specific organizations in mind. It seems the initial credential phishing is only “lightly targeted,” with attackers sending many messages to compromise email accounts and looking through those emails to identify employees in the finance department. In one instance, Silent Starling compromised email accounts of 39 people at a single company. Since late 2018 it has received copies of more than 20,000 emails from compromised inboxes.

“Vendor email compromise is going to be a big threat in the next 12 to 18 months,” Hassold says. In a basic CEO spoofing attack, an operator may be able to net $10,000 to $15,000 before raising a red flag. A VEC attack enables criminals to slip right into the vendor payment process.

“Because they are mimicking real payments of hundreds of thousands of dollars, the payoff can be significantly higher,” he explains. “It’s very different and much more sophisticated.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-silent-starling-attack-group-puts-spin-on-bec/d/d-id/1335977?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Millions More Embedded Devices Contain Vulnerable IPnet Software

FDA, DHS issue fresh warnings on easily exploitable URGENT/11 flaws in medical, SCADA systems, industrial controllers, and other devices.

Substantially more real-time operating systems (RTOSes) powering critical medical, industrial, and enterprise devices are affected by a set of recently discovered security vulnerabilities than was originally reported.

Armis, which earlier this year disclosed 11 zero-day bugs in the VxWorks RTOS, an OS embedded in over two billion devices, this week described five other operating systems that contain the same flaws.

The vulnerabilities allow attackers to remotely take control of systems and execute code of their choice on them to change their function, steal data, cause denial-of-service attacks, and other digital mayhem. The list of devices impacted by the flaws includes SCADA systems and industrial controllers, patient monitors, MRI machines, firewalls, and network-connected printers.

Armis identified the five products newly discovered to be vulnerable as ThreadX by Microsoft; Operating System Embedded (OSE) from Enea; INTEGRITY by Green Hills; ITRON from the TRON Forum; and Nucleus RTOS by Mentor. Also impacted is ZebOS, a routing framework from IP Infusion that many network component manufacturers use in routers, switches, and other products, Armis said.

Older versions of these operating systems include IPnet, the same TCP/IP stack in which Armis first discovered the 11 zero-day vulnerabilities in VxWorks. That’s because the original developer of IPnet was a company called Interpeak, which sold the TCP/IP stack as a third-party library to multiple OS and device makers for several years.

Armis’ updated report prompted warnings this week from the US Food and Drug Administration and the Department of Homeland Security.

The stack was usually sold as a “one-time chunk of code” under a perpetual license model, sometimes directly and sometimes via resellers, Armis said. Organizations that purchased it received few or no further updates, and in many cases those who bought the software under a perpetual license cannot be traced.

In 2006, Wind River, the developer of VxWorks, acquired Interpeak. Since then, other RTOS vendors have gradually stopped integrating IPnet in their products.

Even so, there are many devices—with very long life cycles—online today with operating systems containing one or more of the 11 security flaws, Armis said. “This combination of embedded, and at times, untraceable code which receives no updates creates a time bomb for any bug discovered in the original code,” the vendor warned in a report this week.

When Armis originally reported the so-called URGENT/11 bugs in July, the company estimated that some 200 million devices running versions of VxWorks spanning a 13-year period were open to exploit. The new discovery suggests that potentially millions of additional medical, enterprise, and industrial devices are impacted as well, the vendor noted.

Broad Exposure

Ben Seri, vice president of research at Armis, says it’s hard to put a finite number on the additional exposure. Devices that Armis has confirmed are vulnerable include the popular Alaris infusion pumps from Becton Dickinson, various Canon and Ricoh printers, and a component used by certain HP Proliant servers. “Combining these examples, we estimate the additional impact is within millions of devices,” he says.

Impacted device manufacturers will need to choose whether to upgrade their systems to newer RTOS versions that do not use IPnet, or they will need to contact Wind River to obtain patches. The latter might prove difficult, since the patches that Wind River has developed are only for the latest version of IPnet, Seri notes.

Some vulnerable devices also lack the capability to update entirely, which is what makes these vulnerabilities so important to protect against, he says. Mitigations include limiting the connectivity of any critical device and implementing network segmentation that limits network access to vulnerable devices. “In addition, there are various firewall and IDS rules that can be put in place, to prevent certain vulnerabilities from becoming a threat to medical devices, and this too can help reduce the risk,” Seri says.

From an exploitation standpoint, the vulnerabilities present few challenges. Most of the flaws are what Seri describes as basic memory corruption issues, such as stack and heap overflows, that attackers have exploited for years. Even so, “reaching full remote-code-execution through these vulnerabilities would require some customization of an exploit, for each type of impacted device,” he says.

The FDA said the vulnerabilities pose a threat to certain medical devices and hospital networks and urged device manufacturers to conduct risk assessments and find out from their operating system vendor about patch availability. It also urged healthcare providers to notify patients using medical devices impacted by the flaws and advised healthcare IT staff to monitor logs for URGENT/11 exploits.

In its advisory, the DHS provided an updated list of all operating systems impacted by the vulnerabilities and suggested mitigations for them.

“One of the biggest challenges towards addressing URGENT/11 is going to be quite simply the lack of visibility into what is vulnerable,” says Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team.

Vendors typically do not market their products based on their protocol software stack, and heuristic checks for URGENT/11 are likely difficult, especially for those concerned about crashing their systems, he says. “A good starting point, however, is to use network stack fingerprinting techniques to identify likely VxWorks derived products and contact vendors for updates.”

Young says the most likely risk from attacks is disruption. Many of the flaws rely on the ability to deliver corrupt datagrams to the targeted device over a network. “In a lot of cases, routers, switches, or basic security devices will filter this traffic such that the attacker effectively must originate attack traffic on the same physical network segment as the target.”

The likelihood of adversaries exploiting the vulnerabilities to launch widescale attacks is low, he says. “I would, however, expect that several intelligence agencies are already capable of using this to get code execution on specific targets of value,” Young adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/vulnerabilities---threats/millions-more-embedded-devices-contain-vulnerable-ipnet-software/d/d-id/1335976?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Stalkerware on the Rise Globally

Stalkerware is being installed on more and more victims’ devices, and the trend is only accelerating, according to a new report.

When spouses, colleagues, domestic partners, and random strangers install software to spy on a victim, the “stalkerware” can be a disturbing tool of abuse. And it’s a tool that’s part of a problem that is growing in size and scope.

A new report, “The State of Stalkerware in 2019,” from Kaspersky Lab, shows that from January to August 2019 there were more than 518,223 cases globally when the company’s technologies either registered the presence of stalkerware on users’ devices or detected an attempt to install it. That represents a 373% increase from the same period in 2018.

The report draws a distinction between stalkerware, which can report location, message contents, and call destinations, and spyware, which can deliver full screenshot and keystroke information to the installer. In both cases, the software can do its work without detection. Fortunately, neither stalkerware nor spyware is readily available from a legitimate app store: the threat actor must download the software from an app-specific location and then gain access to the victim’s device to side-load the monitoring app.

According to Kaspersky, the Russian Federation is the nation where stalkerware is installed most often, with India, Brazil, the US, and Germany rounding out the top five.


Article source: https://www.darkreading.com/attacks-breaches/stalkerware-on-the-rise-globally/d/d-id/1335979?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple