STE WILLIAMS

IT now stands for Intermediate Targets: Tech providers pwned by snoops eyeing up customers – report

Miscreants are hacking into Saudi Arabian IT providers in an attempt to compromise their real targets: said providers’ customers, according to Symantec.

The security software giant said this week its attack investigation team has observed the cyber-gang, dubbed Tortoiseshell, infiltrating the networks of off-premises cloud businesses and tech suppliers in the hope of gaining access to their users, and then siphoning off data, spying, and causing other mischief.

Symantec said the hacking crew, active from at least July of last year through July of this year, compromised hundreds of computers within 11 service providers, and exploited this high level of access to menace its actual targets.

“This is an unusually large number of computers to be compromised in a targeted attack,” Symantec said in a summary on Wednesday.

“It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.”

The operation is a highly effective new spin on the supply-chain attack concept, in which a crook uses a partner company as the point of entry to a target’s network.


“IT providers are an ideal target for attackers given their high level of access to their clients’ computers,” Symantec noted.

“This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines.”

It also makes detection of an incoming threat by the targets themselves nearly impossible until it is too late. In at least two of the cases, the hackers ended up being able to navigate the provider’s network with domain admin clearance, we’re told.

This means the snoops would potentially be able not only to access everything on the IT provider’s network, but also to create additional accounts and remotely control machines.

The Symantec team noted the attackers used some of the same malware as the Iran-based OilRig cyber-espionage group, though we’ve been cautioned against drawing any connections, as those tools have been in the public domain since they were leaked in April.

Because it was the service providers that were infected, Symantec can’t say who the ultimate targets were, and there is as yet no way to definitively connect the attack to any group or nation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/19/it_supply_chain_attack/

GitHub gobbles biz used by NASA, Google, etc to search code for bugs and security holes in Mars rovers, apps…

On Wednesday, Microsoft’s GitHub said it has acquired Semmle, a San Francisco-based software analysis platform for finding vulnerabilities in code. No price was disclosed.

GitHub CEO Nat Friedman said Semmle’s code analysis engine provides developers with a way to write queries for code patterns and variations, which allows flaws to be identified and fixed.

The gobbled biz’s platform, LGTM (short for Looks Good To Me), is used by Google, Mozilla, NASA and Uber, among others. It has helped find more than 100 CVE-listed security holes in open-source projects to date.

LGTM relies on QL queries, and these declarative queries, once written, can be shared, so bad patterns found in one project can be easily spotted elsewhere. Here’s the QL query NASA’s JPL used to find variations on a manually identified bug in the space agency’s Curiosity entry, descent and landing software:

import cpp

// For every call c to function f, compare the declared array size of the
// i-th argument with the declared array size of f's i-th parameter.
from Function f, FunctionCall c, int i, int a, int b
where f = c.getTarget()
  and a = ((ArrayType)c.getArgument(i).getType()).getArraySize()
  and b = ((ArrayType)f.getParameter(i).getType()).getArraySize()
  and a != b
select c.getArgument(i), "Array of size " + a
       + " passed to $@, which expects an array of size " + b + ".",
       f, f.getName()
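To show what that query is actually hunting for, here is an added C example (constructed for this write-up, not JPL’s or Semmle’s code) of the bug class: a function whose parameter is declared with a fixed array size, which C silently adjusts to a pointer, so a caller can hand it a shorter array and the callee reads past the end. The unchecked function is the pattern the query reports; the checked form beside it carries the length explicitly and rejects a mismatch. The names EXPECTED_LEN, sum_unchecked and sum_checked are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example (not NASA/JPL code): a parameter declared as
 * 'const int readings[EXPECTED_LEN]' is adjusted by the compiler to
 * 'const int *readings', so the declared size is documentation only and
 * nothing stops a caller passing a shorter array. */
#define EXPECTED_LEN 8
#define SMALL_LEN    4

/* Returns 1 if the array parameter has decayed to a pointer inside the
 * callee, which is exactly why the size in the declaration is never
 * enforced and a static query is needed to catch mismatched callers. */
static int param_decays_to_pointer(const int readings[EXPECTED_LEN]) {
    const int *as_seen_by_callee = readings;   /* same type as 'readings' */
    return sizeof(as_seen_by_callee) != sizeof(int[EXPECTED_LEN]);
}

/* The flagged pattern: reads EXPECTED_LEN elements unconditionally.
 * Calling it with a SMALL_LEN-element array is the bug the QL query
 * reports (argument array size != parameter array size). */
static int sum_unchecked(const int readings[EXPECTED_LEN]) {
    int total = 0;
    for (size_t i = 0; i < EXPECTED_LEN; i++) {
        total += readings[i];
    }
    return total;
}

/* Hardened form: the caller passes the real element count and the callee
 * refuses any size it was not written for. 'ok' is 0 on a mismatch and
 * no element beyond 'len' is ever read. */
typedef struct {
    int ok;
    int total;
} sum_result;

static sum_result sum_checked(const int *readings, size_t len) {
    sum_result r = {0, 0};
    if (readings == NULL || len != EXPECTED_LEN) {
        return r;                               /* reject, do not read */
    }
    for (size_t i = 0; i < len; i++) {
        r.total += readings[i];
    }
    r.ok = 1;
    return r;
}

int main(void) {
    /* Constructed sample inputs. */
    int full[EXPECTED_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    int small[SMALL_LEN]   = {1, 2, 3, 4};
    sum_result r;

    printf("parameter decayed to pointer: %d\n", param_decays_to_pointer(full));
    printf("sum_unchecked(full) = %d\n", sum_unchecked(full));
    /* sum_unchecked(small) is the call the query would flag; it is not
     * made here because it would read four ints past the end of 'small'. */
    r = sum_checked(full, EXPECTED_LEN);
    printf("sum_checked(full)  -> ok=%d total=%d\n", r.ok, r.total);
    r = sum_checked(small, SMALL_LEN);
    printf("sum_checked(small) -> ok=%d (rejected)\n", r.ok);
    return 0;
}
```

The point of the checked version is not the arithmetic but that the size travels with the pointer; the QL query exists precisely because the language lets the declared size and the real size drift apart without a compiler error.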

The ability to share QL queries turns out to be a good fit for GitHub’s developer community and for the sort of collaboration that improves security. And in time, it should augment GitHub’s automated security fixes.

“Software security is a community effort; no single company can find every vulnerability or secure the open source supply chain behind everyone’s code,” said Friedman. “Semmle’s community-driven approach to identifying and preventing security vulnerabilities is the very best way forward.”

GitHub’s stated goal is to make the entire security process, from vulnerability identification to repair, more like a pull request – simple and potentially automated.

“The combination of GitHub and Semmle is, for lack of a better term, synergistic,” said Stephen O’Grady, co-founder of IT consultancy RedMonk, in an email to The Register. “Semmle’s value add has been about reducing the time to discovery of vulnerabilities and increasing the reach of that same discovery. Integrating that into GitHub should result in more secure outputs from GitHub hosted projects.”

O’Grady said Semmle should benefit from the deal too, through access to telemetry from GitHub’s systems, which he expects will enhance Semmle’s code analysis.

GitHub says it’s in the early stages of integrating Semmle with its systems. In preparation for expected security enhancements, GitHub has been approved as a CVE Numbering Authority for open source projects. This will allow it to issue CVEs for security advisories opened on GitHub, ensuring greater dissemination of vulnerability information. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/github_code_analysis_biz_semmle/

Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet

Exclusive Scotiabank leaked online a trove of its internal source code, as well as some of its private login keys to backend systems, The Register can reveal.

Over the past 24 hours, the Canadian financial giant has torn down GitHub repositories, inadvertently left open to the public, that contained this sensitive information, after The Register raised the alarm. These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances: a potential gold mine of vulnerabilities for criminals and hackers to exploit.

We were tipped off to the security blunder by Jason Coulls, an IT pro based in the Great White North, who discovered the data sitting out in the open, some of which was exposed for months, we’re told. As well as Scotiabank, GitHub and the payment and card processors integrated with the bank were alerted prior to publication.

By the time you read this, the GitHub repositories, which presumably were accidentally misconfigured by Scotiabank’s techies, should be hidden or removed. Below is a screenshot we were able to take of some of the leaked source code.

[Screenshot: sample of the exposed GitHub code] Code red … The insides of Scotiabank’s ‘digital payments dashboard’ system

A spokesperson for Scotiabank was not able to comment on the screw-up at the time of writing, though they acknowledged its security team is probing the matter.

Among the hundreds of files of documentation and code, which appear to have been created by developers working on versions of Scotiabank’s mobile apps for Central and South America, were credentials and keys to access some of the bank’s backend systems and services dotted around the world. Among the more sensitive blueprints was code and login details for what appeared to be an SQL database system of foreign exchange rates.

“They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months,” Coulls told El Reg. “Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly.”

The substantial code collection also included source for integrating the bank’s systems with payment services, including Samsung and Google Pay as well as US credit-card processors Visa and Mastercard, and others.


Having such a vast library of digital blueprints on the public internet may have left Scotiabank and its 25 million-plus customers wide open to attack, should the code be analyzed and found to be exploitable. Bear in mind, back in 2017, Coulls discovered that the Canadian giant’s digital banking unit, supposedly its high-tech offshoot, was not only using security certificates that had expired five months prior, but much of its code had not been thoroughly audited or debugged, it seemed.

According to Coulls, this latest gaffe isn’t the first time Scotiabank has spilled its internal secrets online.

“In my experience, this muppet-grade security is perfectly normal for Scotiabank, as they usually leak information once every three weeks on average,” Coulls mused.

“Scotiabank had [IBM] AS/400 and DB2 instances where the credentials and connection information is public. They regularly leak source code for everything, from customer-facing mobile apps to server-side REST APIs. They also leak customer data. If they ever claimed that security is a top priority, I would dread to see how they handle low priority things.”

We’ll let you know if Scotiabank has any further comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/scotiabank_code_github_leak/

The Top ‘Human Hacks’ to Watch For Now

Social engineering is as old as mankind. But its techniques have evolved with time. Here are the latest tricks criminals are using to dupe end users.


Social engineering is the art of manipulating humans — but Chris Hadnagy calls it “hacking the human.” And the president and CEO of Social-Engineer LLC has seen a lot of it while fighting the good fight to educate people about human manipulation for the past 16 years. These days, with lots of money to be made off of deception, social engineering criminals use modern tricks to gain access to information, money, or secure buildings. 

“When it comes to human hacking, not much is different over the last couple thousand years,” Hadnagy says. “But what we see [changing] is the way attackers are thinking through attacks.”

So, too, are the technologies that are helping them be even more effective. 

Research firm CyberEdge reports that the number of organizations hit with at least one successful social engineering attack per year is around 79%. And according to Proofpoint’s recent “Human Factor” report, more than 99% of cyberthreats the company observed required human interaction to execute, signifying the importance of social engineering in successful cyberattacks against an organization.

“Individual users [are] the last line of defense,” says Kevin Epstein, vice president of threat operations for Proofpoint. “To significantly reduce risk, organizations need a holistic, people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”

Social Media ‘Pretexting’
Even with increasing awareness about social engineering through education, social engineering continues to be very effective.

One of the reasons the stakes are higher now, and why social engineering is impacting so many, is because of social media, Hadnagy says. Spear-phishing messages, a common form of social engineering that targets a specific person, are often created using information collected from social media sites.

Hadnagy says a vast majority of spear-phishing messages now contain details from social media. “People put so much information on social media it is giving the attackers a leg up in developing pretexts for attacks,” he says.

Snooping through social media accounts helps attackers craft a phony, but believable, reason (or “pretext”) to approach their victim. Indeed, social media sites are now a playground for criminals looking for details they can use to pull off a variety of cons. Criminals create fake social media profiles to collect information from people they connect with in order to pretext. By learning more about their targets, attackers can later craft convincing messages and convince their targets to click on a malicious link or send money to a fake charity, for example.

“Impersonating legitimate accounts makes a scam seem much more realistic, so users are more likely to fall for scams that are posted by an account spoofing a credible person or organization,” says Ashlee Benge, Threat Researcher at ZeroFOX. “An impersonating scam page may post a promotional link offering free or discounted items, linking to what is actually a phishing attack or a site containing some other malicious content.”

Hadnagy says this social media pretexting technique is frequently used in business email compromise/email account compromise attacks. According to the FBI’s latest report, BEC/EAC attacks cost Americans $1.3 billion in 2018, with some victims being hit for $50,000 at once.

Social media sites are also a place where scammers can cast a wide net and hope for the best. Creating malicious content around popular news stories is one strategy often employed.

“Often, scams shadow news cycles,” Benge says. “Scammers use current events for inspiration, and we often see spikes in scams related to major world events. We also see spikes in domains registered related to current events. For example, immediately after the Capital One breach, we observed many new typosquatting domains registered related to the breach.”

Vishing & SMiShing
You’ve surely received these calls. “Hello, this is Microsoft support. Your computer is infected.” Vishing, which is a scam that involves simply calling the victim to obtain sensitive information, is a massively popular way to target people, Hadnagy says.

“The phone – it is huge. Vishing vectors are being used in so many attacks. Calls to support phish, calls to get credentials, calls to breach a network,” he said. “We have seen it all.”

And while many of us are now using our mobile phones for much more than calls, social engineers are one step ahead, finding ways to exploit mobile phones and use them for scams in other ways.

SMS messages are now a common conduit for scams, ZeroFOX’s Benge adds. Just like an emailed phishing message, a SMiShing ruse involves sending a link to a malicious site with the hopes that the recipient will click. SMS and messaging applications are just other avenues for social engineers to reach their mark. 

Last Line of Defense
In response to this sophistication of social engineering attacks and the threat they pose to security in organizations, Hadnagy has been hosting his SEVillage as an adjacent event at multiple security conferences in recent years. SEVillage includes multiple tracks of education around social engineering, as well as capture-the-flag competitions for security professionals.

Next year, he is launching a national SEVillage event in Orlando, Florida, that builds on the concept he initially created. The objective is to move beyond security professionals and help people from all professional backgrounds to recognize and use social engineering in their daily life. It is education that all kinds of people truly need, and the event will be focused on learning and connecting with other people, Hadnagy says.

“Social engineering is the largest used vector today. How can we learn to defend? One of the ways is to learn to use and then recognize social engineering vectors in everyday life,” he says.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/the-top-human-hacks-to-watch-for-now/b/d-id/1335845?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Cybercriminals Exploit Simple Human Mistakes

A new report explores how attackers identify psychological vulnerabilities to effectively manipulate targets.

“People make mistakes” is a common and relatable phrase, but it’s also a malicious one in the hands of cybercriminals, more of whom are exploiting simple human errors to launch successful attacks.

The Information Security Forum (ISF) explored the topic in “Human-Centered Security: Addressing Psychological Vulnerabilities,” a new report published today. Human vulnerabilities, whether triggered by work pressure or an attacker, can expose a company to cybercrime. As more organizations fear “accidental insiders,” addressing these vulnerabilities becomes critical.

In its report, ISF cites a stat from FireEye, which last year reported 10% of attacks contained malware such as viruses, ransomware, and spyware. Ninety percent of incidents were more targeted — for example, impersonation scams, spear-phishing attacks, and CEO fraud.

“What was clear for me is that if we are going to really try to address some of the more emerging threats that are targeting individuals, then we need to understand some of the ways in which users behave and why they behave,” says ISF managing director Steve Durbin. He points to a “total shift” in the way employees can be managed to optimize security. After all, he says, most don’t turn up for work each day with the intent to cause harm to the company.

The brain has to process a lot of information before it arrives at a decision; however, humans are limited in the amount of time they have to make a choice with the data they have. This is why the mind seeks cognitive shortcuts, or “heuristics,” to alleviate the burden of decision-making. Heuristics help people more efficiently solve problems and learn new things, but they may lead to cognitive biases that contribute to poor judgment or mistakes in decision-making.

So long as companies don’t understand the implications of cognitive biases, researchers say, they will continue to pose a significant security risk. ISF’s report lists 12 biases, all of which can have different effects on security. One example is “bounded rationality,” or the tendency for someone to make a “good enough” decision based on the amount of time they have to make it.

Bounded rationality can prove dangerous during a cyberattack, when tensions run high and an analyst may make a “good enough” decision based on the data and tools at their disposal.

Another bias commonly seen in the workplace is “decision fatigue,” or a decrease in mental resources after a series of repetitive choices. At the end of a long day, employees tend to lean toward easier decisions, which may not be the best decisions. “The attacker knows by conducting the attack in late afternoon, it’ll provoke poor decision-making,” Durbin explains.

Creating the Attacker’s Advantage
Each of these vulnerabilities gives attackers an opportunity to strike. While many of their tactics remain the same, they have also grown in sophistication and cost-effectiveness. Criminals can use “social power” to exert influence over others and manipulate them into making mistakes.

There are six different types of social power: reward power, which promises a reward if the task is complete; coercive power, which uses punishment to influence behavior; referent power, which uses the “cult of personality” to manipulate followers of celebrities; informational power, which uses specific information to convince a target the attacker is legit; and expert power, which attackers use to impersonate someone with expertise — someone who should be trusted.

Psychologically savvy attackers can leverage these tactics in several different types of attacks. Spear-phishing is most common and increasingly popular, says Durbin, but other techniques are becoming popular, too. Whaling, for example, is a type of phishing email designed to hit a single, high-value target, usually a senior executive or someone with privileged access. Criminals use a long-term approach, employing different forms of social power over a period of time to build credibility.

Baiting, another tactic, is similar to phishing but promises a reward to entice the target: Free music or movie downloads may be traded for credentials to a certain website. Smishing, or social engineering done via text messages, is likely to become much more popular as people are less aware of cyberattacks arriving via SMS. Vishing, or social engineering via phone, lets attackers use their voice to build a rapport. Some criminals are using AI to become more convincing.

“The phone has tended to be something that has remained out of the more commercial phishing and attack scenarios that we’ve seen,” Durbin says. “We’re starting to see it emerging now.” And while the voice impersonation tactic requires access to the right technology, he anticipates this is an area that will grow. With the right tech, the attack isn’t difficult.

What’s important to remember about human-focused cybercrime is this isn’t about employees being less intelligent or more negligent, he continues. “This is human nature. If you catch us on the wrong day or catch us in a certain way, we will behave accordingly,” Durbin adds. “You don’t actually know how the individual is feeling on a particular day.”

What You Can Do
Researchers recommend reviewing your organization’s security culture, starting from the most senior roles. This can inform a better understanding of how different departments value security and pinpoint which areas have more human vulnerabilities. From there, security leaders can identify threats, tailor responses, and help employees handle stressful situations.

Security admins should also aim to understand how employees use technology, controls, and data. Consider how these interactions may vary across locations and cultural settings, and brainstorm how controls and technologies can be designed around the person using them.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/how-cybercriminals-exploit-simple-human-mistakes/d/d-id/1335847?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WannaCry Detections At An All-Time High

More than 12,000 variants of the infamous malware are targeting systems that are still open to the EternalBlue exploit – but the potential danger is low, Sophos warns.

More than two years after the WannaCry outbreak made ransomware a household name, the critical Windows vulnerability exploited by the malware remains unpatched on many systems worldwide.

Security vendor Sophos reported on Wednesday that in August 2019 alone, it had detected and blocked more than 4.3 million attempts by WannaCry-infected hosts to spread some version of the malware to systems running the company’s endpoint security software. Most of the failed attacks have been targeted at systems based in the US.

A Sophos analysis of attack data gathered over a three-month period between October 2018 and December 2018 showed there were more than 5.1 million similar attempts.

WannaCry detections in fact appear to be at an all-time high, Sophos said in a report summarizing its analysis of the malware, but there’s some good news here: virtually all of the more than 12,000 WannaCry variants in circulation currently are broken and cannot encrypt data on infected systems.

So while WannaCry variants continue to be very active, the malware’s potential to damage systems is low—and probably explains why concerns over the persisting infections have remained low as well.

“The vulnerability that caused WannaCry to spread rapidly remains an ongoing threat,” says Andrew Brandt, principal researcher at Sophos. “The enterprise tendency to defer patching for some kinds of critical updates may, in some limited cases, do more harm than what it attempts to prevent.”

And while the thousands of variants in the wild currently may not be encrypting infected systems, impacted organizations should not overlook the fact that their systems remain vulnerable in the first place, adds Peter Mackenzie, global malware escalations manager at Sophos.

“All of the samples we analyzed had the capability to spread to new machines,” he notes. “The fact that the final payload was corrupted didn’t change the fact that malware was taking up network bandwidth and copying unwanted files to your machines.”

Significantly, the vulnerability that WannaCry exploited continues to be heavily exploited by other malware, such as the TrickBot worm, which then leads to targeted Ryuk ransomware attacks, Mackenzie cautions.

WannaCry impacted some 200,000 computers in 150 countries in May 2017. The malware took advantage of a critical security flaw in Microsoft’s SMB protocol that allows Windows users to share files. The malware spread in wormlike fashion from one vulnerable system to another using EternalBlue, a zero-day exploit belonging to the NSA that was publicly leaked in a massive data dump before the WannaCry outbreak.

Microsoft had issued a patch for the SMB flaw prior to WannaCry. But millions of systems were still unpatched when the malware began spreading rapidly, causing widespread concerns.

The outbreak ended as suddenly as it began when two UK-based security researchers discovered a hidden feature in WannaCry that caused the malware to stop spreading if it discovered a specific Web domain name was live. By simply registering the domain name, the researchers effectively shut down WannaCry.

In its report this week Sophos theorized one potential reason the “kill-switch” was included in the code was because the attackers—later identified as North Korea’s Lazarus group—needed a way to stop the malware when they wanted.

A Clear Persisting Threat

Since the original outbreak, security researchers have reported discovering numerous variants of WannaCry in the wild. Sophos’ analysis showed that a vast majority of the current collection of over 12,000 WannaCry variants contain code altered from the original sample.

The alterations have allowed the new samples to bypass the kill switch mechanism and spread freely to systems that have not yet implemented the Microsoft patch. But the alterations also appear to have broken the encryption component in the malware – rendering it ineffective.

Mackenzie says many new variants are likely simply the result of data corruption or incomplete file transfer via EternalBlue. “Nobody’s creating them per se, but the act of copying back and forth so often may introduce errors in replication which then magnify over time.”  

Fortunately, unlike biological threats, there’s no chance of a “superstrain” of WannaCry resulting from such mutation, he says. He adds it’s hard to estimate how many systems still remain vulnerable to the EternalBlue exploit, though the number could well be in the millions.

The reason why threat actors are not going after those systems with a functional encryption component is likely because there are better ways of distributing ransomware these days, Mackenzie says, pointing to the so-called “automated active attack” model used by malware like SamSam.

Meanwhile, the motive for launching WannaCry may have been broader than ransomware, Brandt says. “WannaCry has been roundly attributed to the DPRK, who may not have actually cared very much for collecting ransom so much as sowing chaos and destruction across the West in retaliation for sanctions and perceived slights and threats.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/endpoint/wannacry-detections-at-an-all-time-high/d/d-id/1335848?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Saudi IT Providers Hit in Cyber Espionage Operation

Symantec identifies new ‘Tortoiseshell’ nation-state group as the attackers.

In what appears to be a coordinated and targeted cyber espionage campaign, the networks of several major IT providers in Saudi Arabia were attacked in the past year as a stepping-stone to the attackers’ ultimate targets in that region.

Researchers at Symantec say the attackers have been operating since July 2018 and appear to be a previously unidentified threat group, which Symantec has christened Tortoiseshell. The group infiltrated at least 11 organizations, mostly in Saudi Arabia and including large IT providers, employing both off-the-shelf tools and its own custom attack malware. And in two of the infected organizations, the attackers obtained domain-level administrative access, so the attackers had access to all machines on those networks.

The researchers say Tortoiseshell does not appear to be related to any existing groups in the Middle East. But one of its victim organizations was infiltrated via a backdoor associated with the Iranian nation-state group Oilrig (aka APT34). Even so, Symantec says there’s no confirmed connection that indicates Tortoiseshell is actually Oilrig.

“There’s no code overlap or shared infrastructures” with other groups, says Jon DiMaggio, a senior threat intelligence analyst with Symantec. “So we put this activity into its own bucket.”

Symantec does not tie specific nations to threat groups unless they’ve been identified by the US government. 

At a time when many nation-state hacking groups have ditched custom tools and malware for legitimate, off-the-shelf IT tools to remain under the radar, Tortoiseshell bucks the trend a bit with a combination of its own custom backdoor plus some legit IT tools such as PowerShell to camouflage its activity. Its Backdoor.Syskit, based on Delphi and .NET, can download and run other tools and tasks.

“My theory is they [nation-states] are primarily going to use whatever tools in the environment they can because it helps them avoid detection. The only reason to create a custom tool is if you need to do something that was present in that environment,” DiMaggio says.

Symantec did not identify the targeted industry sector or sectors of the Tortoiseshell victims.

In one interesting twist that’s atypical of most targeted attacks, two of the victim networks suffered infections of several hundred machines. “That’s noisy for a targeted attack,” DiMaggio notes. The attackers may have struggled a bit to get to the actual victim machine they needed, hence the high number of infected machines.

Symantec says the initial attack vector is unknown at this point, but one of the victims may have been hit via a compromised Web server. “For at least one victim, the first indication of malware on their network was a web shell,” according to Symantec’s threat report on Tortoiseshell, published today. “This indicates that the attackers likely compromised a web server, and then used this to deploy malware onto the network.”

Once installed, the malware collects details about the victim machine, including its IP configuration, installed applications, system information, and network connections.
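Two of the observations above, a web shell as the first sign of compromise and a backdoor that inventories the host, translate directly into detection logic. The following is an added example, not Symantec's code or anything from its report: it assumes Sysmon-style process-creation records (time, host, parent image, image, command line) and assumes the machine details are gathered with the ordinary Windows discovery commands (ipconfig, systeminfo, netstat, wmic); the log records are constructed for illustration.

```python
"""Two detection rules over process-creation events (added example, constructed data).

Rule 1: a web server worker process spawning a command shell (web shell behaviour).
Rule 2: several distinct host-discovery tools launched by one parent on one host
        within a short window (backdoor inventorying the machine).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("2019-07-10T08:00:01", "web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("2019-07-10T08:00:05", "web01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("2019-07-10T08:01:00", "ws17", r"C:\ProgramData\svc\svc.exe",
     r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2019-07-10T08:01:02", "ws17", r"C:\ProgramData\svc\svc.exe",
     r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("2019-07-10T08:01:03", "ws17", r"C:\ProgramData\svc\svc.exe",
     r"C:\Windows\System32\NETSTAT.EXE", "netstat -an"),
    ("2019-07-10T08:01:05", "ws17", r"C:\ProgramData\svc\svc.exe",
     r"C:\Windows\System32\wbem\WMIC.exe", "wmic product get name,version"),
    # A lone admin command from an interactive session: should not alert
    ("2019-07-10T09:30:00", "ws02", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
]

WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: the backdoor's host inventory uses these built-in tools
DISCOVERY_IMAGES = {"ipconfig.exe", "systeminfo.exe", "netstat.exe", "wmic.exe",
                    "whoami.exe", "net.exe", "tasklist.exe"}


def basename(path):
    """Case-insensitive file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_shell_spawns(events):
    """Rule 1: return (host, time, command line) for shells spawned by web servers."""
    return [(host, ts, cmdline) for ts, host, parent, image, cmdline in events
            if basename(parent) in WEB_SERVER_IMAGES and basename(image) in SHELL_IMAGES]


def discovery_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Rule 2: return (host, parent, tools) where >= threshold distinct discovery
    tools ran under one parent process on one host within `window`."""
    seen = defaultdict(list)  # (host, parent) -> [(datetime, tool)]
    for ts, host, parent, image, _ in events:
        tool = basename(image)
        if tool in DISCOVERY_IMAGES:
            seen[(host, parent)].append((datetime.fromisoformat(ts), tool))
    alerts = []
    for (host, parent), items in seen.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide the window from each event
            tools = {tool for t, tool in items[i:] if t - t0 <= window}
            if len(tools) >= threshold:
                alerts.append((host, parent, sorted(tools)))
                break
    return alerts


if __name__ == "__main__":
    for hit in web_shell_spawns(SAMPLE_EVENTS):
        print("web shell candidate:", hit)
    for alert in discovery_bursts(SAMPLE_EVENTS):
        print("discovery burst:", alert)
```

On the constructed data the first rule fires once (cmd.exe under w3wp.exe on web01) and the second fires once (four discovery tools in five seconds under an unknown binary on ws17), while the single ipconfig from an interactive session on ws02 stays quiet. The parent-process key is what keeps rule 2 useful on a noisy estate: administrators also run these commands, but rarely four of them in a minute from the same non-shell parent.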

John Bambenek, director of cybersecurity research at ThreatStop, says he found the three Syskit backdoor hashes shared by Symantec in the Tortoiseshell report match Yara rules connected to Charming Kitten, aka APT35, an Iranian nation-state group. Charming Kitten is best known for targeting victims in the US, Israel, and the UK, who work in the academic research, human rights, and media industries.

It’s unclear what the overlap means – nation-state groups sometimes share or reuse others’ tools. And as Symantec and other security researchers note, attribution gets harder all the time as these groups get more sophisticated.

Bambenek says Iran is likely to continue expanding its cyber espionage and other hacking operations even in the wake of the latest economic sanctions by the US. Cyber operations are relatively inexpensive, he notes.

Meanwhile, Saudi Arabia’s oil and gas industry has long been a major cyber target for Iran, starting with the Shamoon data-destruction attack on Saudi Aramco in 2012 and continuing with later Shamoon waves and the Triton attack on industrial safety systems. And the recent drone attacks on Saudi oil facilities, which US officials attributed to Iran, have escalated tensions in the Middle East.

Supply Chain for the ‘Win’

Supply-chain attacks over the past few years have become a more popular and effective way for nation-states to reach their targeted victims. The number of supply chain attacks jumped 78% in 2018, according to Symantec’s data. “IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines,” Symantec said in its report.

“The Tortoiseshell hacks illustrate why IT providers are a classic target for third-party attacks: Such providers have administrative access to numerous customers and many of them lack basic security controls,” said Giora Omer, head of security architecture at Panorays, a security-as-a-service firm that provides automated supply chain management.

Tortoiseshell’s supply-chain attack method is yet another example of how Iran’s cyber espionage machine has matured. Earlier this year, FireEye officially christened an Iranian hacking team it has been tracking for more than four years, as APT39 – the same group of hackers that Symantec already calls Chafer and CrowdStrike calls Helix Kitten. APT39 steals personal information for use in monitoring, tracking, and surveillance operations by the nation.

“They’re generally stealing data … in bulk and then processing it” for usefulness, Benjamin Read, senior manager of cyber espionage analysis at FireEye, told Dark Reading in a previous interview.

Meantime, a new RAND report released today on nation-state hacking found that Iran is less likely to use cyberattacks for coercion than Russia and North Korea. Instead, Iran is more about retaliation. “Iranian cyber operations appear more focused on retaliating against regional neighbors and the West, rather than serving a direct coercive purpose,” the RAND report said.


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Poll Results: Maybe Not Burned Out, But Definitely ‘Well Done’.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/saudi-it-providers-hit-in-cyber-espionage-operation/d/d-id/1335850?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Analytics exec nicked as Ecuador tries to rush through privacy laws after massive data leak

The head of Novaestrat, the data analytics company at the centre of the huge leak revealed on Monday involving personal information about more than 20 million Ecuadorian citizens, has been taken into custody.

Once the leak was made known, the country’s federal authorities announced a formal investigation. Within hours, local police swooped on Novaestrat’s office to confiscate computer equipment, with Ecuador’s interior minister Maria Paula Romo dramatically tweeting pictures of the raid in the early hours of Tuesday morning.

Curiously, this office was also said to be the home of its general manager, William Roberto G (Roberto Garces), who was arrested at the scene and taken to the Esmeraldas province. The arrest was confirmed by the state attorney general, referring to the Novaestrat executive as its “legal representative” and outlining its reasons as follows:

The [raid] was carried out to collect elements on an alleged crime of violation of privacy, after [the authorities] learned about the leakage of information from about 20 million Ecuadorians, including about 7 million minors [and people already deceased].

The data allegedly came from a server located in the United States owned by Novaestrat, a consulting firm that provides services such as data analysis and software development.

During the raid, electronic equipment, computers and storage devices were seized, as well as documentation among other elements. Prosecutors will continue to conduct more actions to investigate the alleged crime.

The Novaestrat website and its social media pages are currently offline.


Minister of Telecommunications and Information Society, Andrés Michelena Ayala, during the press conference on the Novaestrat leak

It remains unclear what specific charge is to be made against Garces, if any. Ministry of Telecommunications and Information Society officials had announced on Monday that the ministry was to hold its own investigation into what had happened, but seemed to suggest that Novaestrat held the data legitimately, probably as the result of a contract with the previous government administration. So it’s not going to be a hacking charge.

There was also a hint that the existence of a database on an unprotected server wasn’t itself proof that Novaestrat had misused the data or that anyone else had accessed it during its leaky phase with malicious intent. So it may not be any type of criminal charge.

Will it be data privacy? Ecuador’s laws in this area are out of date and telecoms minister Andrés Michelena Ayala had to admit to journalists that his ministry had been thrashing out a new data privacy law for the last eight months. Bad timing.

The president insisted that this legislation be “expedited” – i.e. rushed through full of mistakes – and set before parliament by Thursday this week. The minister said he would comply.

It also remains unclear why Ecuador’s government would entrust personal data for its entire population to a consultant working from a home office. It’s the gig economy gone mad. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/novaestrat_exec_arrested_ecuador_data_leak/

Uni sysadmins, don’t relax. Cybercrooks are still after your crown jewels, warns NCSC

Cybercriminals are still likely to target universities and other educational institutions with ransomware, reckons GCHQ offshoot the National Cyber Security Centre.

Attacks by online criminals and nation states alike are “rising”, the NCSC warned in a report published today.

Sarah Lyons, deputy director for economy and society at the British security centre, said: “NCSC is working closely with the academic sector to ensure that, wherever the threat comes from, they are able to protect their research and their universities in cyberspace.”

While cybercriminals are most likely to deploy ransomware and other nasties “through untargeted attacks”, the impact of their nefarious deeds is generally more than trivial. Attackers, said the NCSC, are generally quite likely to succeed because they exploit the “open and outward facing” nature of academic institutions.

“Using sources such as a university’s website, it is straightforward to identify who to target, how to reach them, and to establish a credible story with which to approach them,” said the NCSC.

Phishy story

They’re not alone in highlighting the risk from phishing: back in April, academic infosec bods from Jisc, formerly known as the Joint Information Systems Committee, warned that a pen-test exercise had seen them successfully phish every single university they targeted.

Aside from organised crime and thieves looking to pick a cyber-pocket through the use of cyber-tools in the cyber-domain, British universities also need to be on the lookout for state-backed threats.

“Cyber,” opined NCSC, “offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students’, or direct investment.”

Last year, an Iranian campaign to steal login credentials from Western universities was brought to light. The scam used the old technique of setting up fake login pages that harvested the victims’ credentials for academic repositories.

“Many of the fake pages were linked to university library systems, indicating the actors’ appetite for this type of material,” the NCSC said of the Iranians’ doings.
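The fake library login pages described here are usually hosted on lookalike hostnames, and a defender can triage candidate names from certificate-transparency or passive-DNS feeds before users ever see them. The following scorer is an added example, not part of the NCSC report: the institution domain, its real login hosts and the candidate names are all constructed, and taking the last two labels as the registrable domain is a simplification (a production tool would use the public suffix list).

```python
"""Lookalike-hostname triage for an institution's login pages (added example, constructed data)."""
import re

# Constructed: the institution's registrable domain, its real login hosts and the
# name tokens a phishing page would reuse to look credible.
LEGIT_DOMAIN = "uni.example"
LEGIT_HOSTS = ["library.uni.example", "login.uni.example", "ezproxy.uni.example"]
BRAND_TOKENS = {"uni", "library", "ezproxy"}
MAX_EDIT_DISTANCE = 2  # typosquats within this many edits of the real domain


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public suffix list here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate):
    """Return (suspicious, reasons) for one candidate hostname."""
    host = candidate.lower().strip(".")
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return False, ["under the legitimate domain"]
    reasons = []
    # Institution words used outside the institution's own domain (e.g. as a
    # hyphenated label, or the real host name nested under someone else's domain)
    tokens = set(re.split(r"[.\-_]", host))
    hits = sorted(tokens & BRAND_TOKENS)
    if hits:
        reasons.append("reuses institution tokens: " + ", ".join(hits))
    # Close misspellings of the registrable domain itself
    d = edit_distance(reg, LEGIT_DOMAIN)
    if d <= MAX_EDIT_DISTANCE:
        reasons.append(f"registrable domain within {d} edit(s) of {LEGIT_DOMAIN}")
    return bool(reasons), reasons


def triage(candidates):
    """Keep only the candidates worth a human look, in input order."""
    return [c for c in candidates if classify(c)[0]]


# Constructed candidate names, as a CT-log or passive-DNS feed might surface them
CANDIDATES = [
    "library.uni.example",      # the real host
    "library-uni.example",      # hyphenated lookalike on a fresh domain
    "ezproxy.uni.example.com",  # real host name nested under another domain
    "unl.example",              # one-character typosquat
    "weather.example",          # unrelated
]

if __name__ == "__main__":
    for name in CANDIDATES:
        print(name, classify(name))
```

On the constructed list the scorer keeps the hyphenated lookalike, the nested real host name and the typosquat, and drops the genuine host and the unrelated name. Feed it candidates already filtered on the institution's name, since the token rule alone will flag any domain that merely contains the word "library".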

Once inside, state-backed hackers normally go for information of high commercial or military value, NCSC warned.

Bulk personal data, technical information, sensitive research and intellectual property are all types of information that attackers of both broad flavours are interested in – and should therefore be defended accordingly.

Attacks

Not all attacks are known or traceable. The University of Edinburgh was targeted last year with a DDoS attack, while King’s College London (no stranger to IT woes) suffered what appears to be a brute-force attack against public-facing login pages.

Defending against these kinds of attacks is a combination of the usual methods: train people, staff and students alike, in what a suspicious approach looks like, deploy multi-factor authentication to make it harder for remote attackers to log in, and take a good look at your institution’s network architecture and internal controls.

“We believe that state espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself,” concluded the NCSC. “There’s a realistic possibility that the threat will increase in-line with increased scrutiny of foreign direct investment and the minimising of other avenues to gain insight and advantage.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/ncsc_university_cyber_threats/

How Ransomware Criminals Turn Friends into Enemies

Managed service providers are the latest pawns in ransomware’s game of chess.

Hundreds of dental offices across the country were hit with ransomware recently after managed service provider (MSP) Digital Dental Record was compromised. Sadly, I partly saw this coming.

Sometimes predicting these kinds of attacks makes being right feel oh so wrong. This was one of those times. It was only a few weeks ago when I sat with Dark Reading’s Kelly Jackson Higgins in DEF CON’s Chillout Lounge, predicting this type of attack would be the next big thing.

As someone whose job it is to learn as much as possible about the online criminal ecosystem, I often spot trends before they make mainstream headlines. This type of attack was high on my list of attacks likely to increase.

Service Providers Under Fire
Supply chain attacks aren’t new. They’ve been increasing in frequency, however, and gaining more attention. While there are many types of supply chain attacks, this particular type — compromising a service provider to gain access to its customers — is becoming more popular among skilled ransomware crews.

There were incidents following similar malicious playbooks a few years ago, but those targets were point-of-sale service providers. Back then, the goal wasn’t to install ransomware but to steal credit cards from as many locations as possible.

Now the idea has been adapted to targeted attacks against niche MSPs. The goal: Hold all of its clients for ransom.

The most infamous attack to date, occurring only days after my prediction to Kelly, crippled 22 municipalities in Texas. Now, 400 dental practices are in the hotseat.

Now’s the Time for Change
Managing IT can be hard, especially for small and midsize businesses lacking the necessary resources. It probably seemed like a great idea for these small dental practices to outsource IT to Digital Dental Record.

They’re not alone. The managed services industry is growing extremely fast with businesses struggling to manage the technology required to run a modern establishment.

With attacks on MSPs on the rise, MSPs need to step up their security game, regardless of the kind of specialized services they provide. We’ve seen criminals exploit vulnerabilities in the popular Kaseya and Bomgar remote management platforms to gain access to their customers (Kaseya was used in a ransomware attack against MSPs back in June), and we’re seeing criminals phish MSP employees to gain access to these systems and abuse them to deploy malware to their customers.

Now’s the time if we want to nip this problem in the bud.

We must see mandatory adoption of multifactor authentication for employees who have administrative privileges reaching into tens or hundreds of customer networks.

We must end the use of shared credentials for gaining access to client networks.

We must see more secure remote access solutions, ideally protected by multifactor authentication and behind VPNs. No more using Virtual Network Computing and Remote Desktop Protocol on the open Internet.

And remote management tools like Kaseya and Bomgar must be kept up to date, especially in the wake of security advisories like those we have seen in the past year.

It’s not all bad news, though. Many security problems are massively distributed, making fixes difficult. But in this space, there are a smaller number of MSPs that need to take action to harden their security posture.  

Do you work for an MSP? Look at your tools and determine whether they’re attractive targets for an attack like this. Limit all client access to VPNs, conduct regular penetration tests of both your own and your clients’ networks, and be sure to stay on top of security advisories from the vendors you rely on for your tools. If we take this seriously and improve our defenses, the crooks will move on to greener pastures.
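The controls listed above (MFA on every administrative account, no shared credentials, no RDP or VNC reachable from the open Internet, remote-management tools kept patched) are concrete enough to check mechanically. The following audit is an added example, not from the article or from Sophos: the inventory format (accounts with an "mfa" flag and a "shared_by" list, listeners with a port and an allowed source CIDR, tools with a deployed and a minimum patched version) is assumed, and every record in it is constructed for illustration.

```python
"""Posture audit of an MSP's remote-access controls (added example, constructed inventory)."""
import ipaddress

# Management protocols that must only be reachable from internal ranges or a VPN pool
MGMT_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC", 22: "SSH", 5985: "WinRM", 5986: "WinRM"}

# Sources treated as internal: RFC 1918 space plus the VPN client pool (constructed)
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory
ACCOUNTS = [
    {"name": "alice",   "admin": True,  "mfa": True,  "shared_by": []},
    {"name": "bob",     "admin": True,  "mfa": False, "shared_by": []},
    {"name": "svc_rmm", "admin": True,  "mfa": False, "shared_by": ["tech1", "tech2", "tech3"]},
    {"name": "carol",   "admin": False, "mfa": False, "shared_by": []},
]
LISTENERS = [
    {"host": "client-a-dc01",  "port": 3389, "source": "0.0.0.0/0"},    # RDP to the world
    {"host": "client-a-dc01",  "port": 3389, "source": "10.8.0.0/24"},  # RDP from VPN pool
    {"host": "client-b-fs01",  "port": 5900, "source": "0.0.0.0/0"},    # VNC to the world
    {"host": "client-c-web01", "port": 443,  "source": "0.0.0.0/0"},    # public web, fine
]
TOOLS = [  # hypothetical tool names and versions
    {"name": "rmm_console",    "version": "9.3.1", "min_patched": "9.5.0"},
    {"name": "remote_support", "version": "6.2.0", "min_patched": "6.2.0"},
]


def source_is_internal(cidr):
    """True if the allowed source sits entirely inside an internal/VPN range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(allowed) for allowed in ALLOWED_SOURCES)


def version_tuple(v):
    """'9.3.1' -> (9, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def audit(accounts=ACCOUNTS, listeners=LISTENERS, tools=TOOLS):
    """Return a list of (severity, message) findings."""
    findings = []
    for acct in accounts:
        if acct["admin"] and not acct["mfa"]:
            findings.append(("HIGH", f"admin account {acct['name']} has no MFA"))
        if acct["shared_by"]:
            findings.append(("HIGH", f"account {acct['name']} is shared by "
                                     f"{len(acct['shared_by'])} people"))
    for lst in listeners:
        proto = MGMT_PORTS.get(lst["port"])
        if proto and not source_is_internal(lst["source"]):
            findings.append(("CRITICAL", f"{proto} on {lst['host']}:{lst['port']} "
                                         f"reachable from {lst['source']}"))
    for tool in tools:
        if version_tuple(tool["version"]) < version_tuple(tool["min_patched"]):
            findings.append(("HIGH", f"{tool['name']} {tool['version']} is below "
                                     f"patched version {tool['min_patched']}"))
    return findings


def count_by_severity(findings):
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit():
        print(f"[{severity}] {message}")
```

On the constructed inventory the audit reports two CRITICAL findings (RDP and VNC open to 0.0.0.0/0) and four HIGH ones (two admins without MFA, one shared service account, one remote-management console behind its patched version); the RDP listener restricted to the VPN pool and the public HTTPS listener are correctly left alone. Run against a real inventory, the same checks are the first thing to fix before an attacker with one phished technician password finds them for you.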


Chester Wisniewski has been involved in the information security industry since the late 1980s. He is currently a principal research scientist in the Office of the CTO at Sophos. Chet divides his time between research, public speaking, writing and attempting to communicate …

Article source: https://www.darkreading.com/risk/how-ransomware-criminals-turn-friends-into-enemies/a/d-id/1335778?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple