STE WILLIAMS

For most Americans, Tax Day is a red-flag deadline on the calendar. For cybercriminals, it’s one day out of a season marked with scams to deceive victims out of money and personal data.

Seasonal threats are common among cybercriminals, who often exploit holidays, news, or global events for attack opportunities, says Limor Kessem, IBM global executive security adviser with its X-Force team. One of the biggest lures is tax season in the United States. “They start in January, and they drag it out until May, even June,” she says. After Tax Day, they can capitalize on people waiting to receive responses on their tax returns, refunds, or payment notifications.

Tax fraud is an old problem manifesting in new ways as more people file taxes online. The IRS expects more than 90% of tax returns will be prepared electronically using tax return software, RiskIQ reports in its “2019 Tax Season Threat Roundup.” People eager to cash in on tax returns are promising targets for cybercriminals, who spoof popular e-filing tools to exploit them.

IBM X-Force researchers recently discovered several of these ongoing tax-themed campaigns, three of which affect businesses as well as consumers. Attackers attempt to trick victims with messages appearing to be from major accounting, tax, and payroll services, including ADP and Paychex. Malicious Microsoft Excel attachments packed Trickbot, a common banking Trojan that infects devices to steal data and follow up with wire fraud from the owner’s account.

“Trickbot itself it very focused on businesses,” says Kessem of the enterprise angle. “They’re out to empty those business accounts.” While organizations have long been targeted with banking Trojans, the emergence of Trickbot in tax season campaigns is fairly new this year, she adds.

Researchers from IBM X-Force believe the size of the firms spoofed indicates attackers will likely be successful in tricking their customers. Businesses and individuals who use services from ADP and Paychex will likely expect to receive emails from their service providers around tax season, they point out.

All the attackers need is one person to believe a fake email, and they’re in. “They want to get that one foothold,” Kessem says. “They want someone who will believe their email and get infected with the malware.” From there, Trickbot is equipped to move laterally on a network.

It’s one of many campaigns with malware payloads mixed into tax-related emails. Late last year, Proofpoint researchers detected campaigns luring targets with urgent subject lines (“Your IRAS 2018 Tax Report,” “IRS Update for 1099 Employees”). These malicious messages, which typically rely on advanced social engineering techniques to alarm their victims, distributed a variety of remote access Trojans: Orcus RAT, Remcos RAT, and NetWire among them.

Tax Fraud? There’s An App for That
Taxpayers filing via a mobile app should be on alert for fraudulent apps, RiskIQ reports. While most apps for tax filing are secure and don’t store data on the device, fake mobile apps often impersonate popular tax-filing services to get people to give up sensitive data. While many are hosted on third-party stores, they’ve also been seen on official Google and Apple app stores.

There are ways to spot fake apps, RiskIQ researchers point out, using a fraudulent HR Block app as an example. For starters, there is no developer listed – a major red flag – and it requires more permissions than necessary: record audio, camera access, and download data without notification. The app could effectively spy on the unknowing user, even if that person isn’t using his phone.

The Industry of Identity Fraud
You don’t need to be a skilled hacker to hack Tax Day, Carbon Black found in a new report on tax fraud and identity theft on the Dark Web. Cybercriminals have long sold identity and banking data online. Now researchers say the economy around tax identity theft has grown.

“Identity theft has really gone beyond a pickpocket or creation of a credit card in your name,” says Tom Kellermann, chief cybersecurity officer at Carbon Black. “I would call it robbery of your financial future. They can commandeer … your financial identity and use it in perpetuity.”

It’s easy and cheap for even unskilled hackers to pull off: Dark Web marketplaces sell W-2 and 1040 forms for between $1.04 and $52. Names, Social Security numbers, and birthdates are similarly inexpensive, with prices ranging from $0.19 to $62. For $1,000, a relatively inexperienced hacker can buy authenticated access to a US bank account, file a fake tax return, claim the refund, and cash out through a cryptocurrency exchange to get a $100+% return on investment.

The evolution in tax fraud can be seen in lower prices for tax identity theft on the Dark Web, sellers working to differentiate their products, and new products being developed. And identity theft can lead to credit card and home equity loan fraud, which pack long-term damage.

“Wealth goes beyond the money [victims] have; it’s lines of credit that can be established in their name,” Kellermann says. Home equity fraud is easy with a stolen W-2; victims don’t know until it’s too late. “This highlights the fact that if you can compromise someone’s W-2s, the first step is to get the refund, and the second and third steps are far more nefarious,” he adds.

Related Content:

• Stop Mocking Start Enabling Emerging Technologies
• Microsoft Patch Tuesday Fixes Windows Bugs Under Attack
• 6 Essential Skills Cybersecurity Pros Need to Develop in 2019
• 7 Malware Families Ready to Ruin Your IoT’s Day

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/tax-hacks-how-seasonal-scams-cause-yearlong-problems/d/d-id/1334408?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In 2018, the Wi-Fi Alliance released the first major update to Wi-Fi Protected Access (WPA) in more than a decade: WPA3. WPA3 offers more robust encryption and privacy, as well as a simplified process for devices to log onto a secure network. According to a pair of researchers,  the login process also includes vulnerabilities that could render WPA3 far less secure than is promised.

The vulnerabilities were unearthed by Mathy Vanhoef of New York University Abu Dhabi—one of the researchers behind the October 2017 discovery of the KRACK vulns in WPA2—and Eyal Ronen of Tel Aviv University and KU Leuven.

Vanhoef and Ronen write in their recent paper that there are flaws in the handshake process that can allow efficient and low-cost attacks on the passwords used as part of network credentials.

In particular, they write that the existing standards that the WiFi alliance chose for WPA3 brought both timing and cache-based side-channel vulnerability issues to the Simultaneous Authentication of Equals (SAE) handshake that is a key piece of WPA3’s improvement over WPA2.

The SAE handshake is commonly known as Dragonfly; the researchers have thus dubbed this new set of vulnerabilities Dragonblood.

Kevin Robinson, vice president of marketing for the Wi-Fi Alliance, is eager for people not to panic about the vulnerability. “Not all WPA3 personal devices are affected,” he says, adding, “The small number of devices that are affected with these issues can all be patched through software updates without any impact on the devices’ ability to work well together.”

The devices vulnerable to the attacks presented by Vanhoef and Ronen are those that allow side-channel collection of data by attacking software that has been installed on the device, and those that use specific, unsuitable cryptographic elements as part of their hashing process.

The attack comes as part of the process that allows a legacy WPA2 device to attach to a WPA3-enabled access point; the resulting “downgrade” operation opens up the process to a brute-force dictionary attack on the passwords used for authentication.

“A WPA3 network that is not in transition mode [connecting a WPA2 device to the WPA3 access point] is not susceptible to the problems that the researcher highlighted,” says Robinson. So, “…the best way is to get people over to the new security protocol.” He points out that, “The Wi-Fi Alliance always intended for [transition mode] to be a temporary measure that would then ultimately be disabled once the network devices have moved over to WPA3.”

Mitigating the vulnerability discovered by Vanhoef and Ronen boils down to two things: transitioning to a fully WPA3 network as rapidly as possible, and installing all patches and updates to WPA3-enabled equipment already installed.

What about transparency?

But the researchers also took aim at what they see as a root cause of the vulnerability: a flawed process for developing the WPA3 standard. “…we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner.”

“The Wi-Fi Alliance does follow the recommended practice of using existing security standards,” says Robinson in response.

Explaining that the Wi-Fi Alliance does not itself develop basic authentication protocols, he says, “The IEEE has a robust standardization process and the IEEE introduced simultaneous authentication of equals for 802.11 in 2011, allowing significant time for broad, multi-stakeholder input.” As for why the Wi-Fi Alliance chose to use the protocol, Robinson says, “No other protocol with similar benefits existed within 802.11 at the time the Wi-Fi Alliance was evaluating technologies.”

Now, researchers like Vanhoef and Ronen are probing the implementations of WPA3 and that, says, Robinson, is how the process should work. “[Researchers are] finding issues and industry is responding in a very rapid and proactive manner,” Robinson says, adding “and this is all a healthy dynamic.”

Related content:

• Lessons Learned from a Hard-Hitting Security Review
• RF Hacking Research Exposes Danger to Construction Sites
• The Security Perimeter Is Dead; Long Live the New Endpoint Perimeter
• The Coolest Hacks of 2018
• New Bluetooth Vulnerabilities Exposed in Aruba, Cisco, Meraki Access Points

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/dragonblood-vulnerabilities-seep-into-wpa3-secure-wifi-handshake/d/d-id/1334407?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The North Korean government has rolled out a new malware variant, dubbed HOPLIGHT, targeting US companies and government agencies, the US Department of Homeland Security and the Federal Bureau of Investigation warned April 10. 

The US advisory and malware analysis report, or MAR, offered details on nine different executable files that use valid certificates and encrypted connections to download files to a compromised system and send information back to attacker-controlled servers.

Taken together, the malicious programs can read, write and move files, gather information on the targeted system, manipulate processes and services, and connect back to a remote host.

“Seven of these files are proxy applications that mask traffic between the malware and the remote operators,” according to the MAR. “The proxies have the ability to generate fake TLS (transport layer security) handshake sessions using valid public SSL (secure sockets layer) certificates, disguising network connections with remote malicious actors.”

The report also listed 15 Internet addresses associated with the malware’s infrastructure.

“DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the agencies stated in an advisory.

‘A history of attacking with vindictiveness’

The malware is part of North Korea’s cyber toolset which the US refers to under the codename HIDDEN COBRA.

Over the past decade, North Korea—officially known as the Democratic People’s Republic of Korea (DPRK)—has joined Iran, Russia, and China as a frequent cyber actor, with a particular focus on currency generation and attacks that support the DPRK’s political aims. 

In 2014, attackers—identified as the North Korean group Lazarus—stole e-mail files, business-sensitive files, and e-mail accounts from Sony Pictures, purportedly in retribution for the movie studio’s film, The Interview. In the years since the attack, the North Korean group, also referred to as APT38 by security firms, has focused on stealing money from financial institutions—targeting as much as $1.1 billion–by attacking the SWIFT banking system, using ransomware, such as WannaCry, to extort money from firms, and compromising systems with crypto-mining software to generate cryptocurrency.

Recent diplomatic talks between the United States and North Korea have not slowed the pace of DPRK’s hackers, according to Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity services firm.

“Interestingly, despite participating in diplomatic outreach, DPRK has remained active in both intelligence collection and currency-generation schemes,” he said.

The latest analysis by the US government describes methods of detecting the HOPLIGHT toolset—an incremental improvement of North Korean cyber operations—using indicators of compromise (IOCs) and information about the infrastructure and code. 

“The fact that they are putting these out there is really cool,” says Adam Kujawa, director of Malwarebytes Labs at Malwarebytes. “I’m glad that they are sharing this data, because with IOCs, people can identify what the threats are.”

Among the details: One file contains a public secure sockets layer (SSL) certificate with a payload that appears to be encoded with a password or key, the MAR stated. Another file does not contain any certificates, but drops four files onto the target systems and repeatedly attempt to connect the servers at the listed IP addresses.

Kujawa notes that the analysis does not mention where the executables came from, whether found on a third-party server or on a compromised system. And with compilation dates stretching back to May 2017, some of the files are nearly two years old.

However, companies should take the threat seriously, says Chris Duvall, senior director of The Chertoff Group, a cybersecurity consultancy. North Korea has shown little hesitation in attacking companies or nation-state targets.

“There is a history of attacking with vindictiveness,” he says. “Financial institutions and critical infrastructure and healthcare, in particular, should be on their toes and watch out for this.”

Related Content

• The ‘Opsec Fail’ That Helped Unmask a North Korean State Hacker
• Inside the North Korean Hacking Operation Behind SWIFT Bank Attacks
• 19 Minutes to Escalation: Russian Hackers Move the Fastest
• Data on 997 North Korean Defectors Targeted in Hack
• US to Charge North Korea for Sony Breach, WannaCry
•  

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/new-hoplight-malware-appears-in-latest-north-korean-attacks-say-dhs-fbi/d/d-id/1334406?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Recent Microsoft security patches are causing older machines running Sophos or Avast software to freeze or fail to boot entirely after they’re applied, both companies report.

The problem affects Windows 7, 8.1, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2 PCs with “any Sophos Windows endpoint or server product,” except Sophos Central Intercept X. It does impact Intercept X Advanced and Intercept X Advanced with EDR. PCs fail to boot when the newest monthly and security-only updates are applied and the computer is restarted.

“Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update,” Microsoft reports.

For now, Microsoft has temporarily blocked devices from receiving the update if Sophos Endpoint is installed until a solution is available. Sophos urges users not to perform the update; those who have and haven’t rebooted are advised to avoid doing so until the update is removed.

Avast says Windows machines, in particular those running Windows 7, are locking up or freezing on startup when certain security updates are applied. Customers have reported problems with PCs using Avast for Business and Avast CloudCare on Windows. Some are unable to log in; some can log in after “a very extended period of time,” Avast warns users. It’s worth noting Microsoft has not publicly commented on the Avast issue or blocked updates for PCs.

Read the Sophos advisory here and Avast advisory here to learn more.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/risk/microsoft-patches-are-freezing-older-pcs-running-sophos-avast/d/d-id/1334403?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Like a triage nurse, security professionals have to prioritize the data that will help them best identify problems and keep the organization, its data, and devices safe from intruders and cyberattacks.

However, logging and monitoring all relevant events from across the IT environment can be challenging. For instance, some common log sources, such as servers, firewalls, Active Directory, intrusion detection systems, and endpoint tools, are fairly easy to ingest and parse. But other sources that are particularly valuable for incident response (IR) are difficult to manage at scale and rarely ingested because of the effort it takes.

In fact, a new 451 Research survey of 150 large enterprises found that enterprise security information and event management (SIEM) platforms are only ingesting logs from about 45% of their organizations’ log-producing systems. This means teams risk missing critical information that could indicate a compromise and affect their overall security posture.

To maximize the benefits of logging, organizations must evaluate and adapt existing processes to fit current needs and threats, as well as consider logging additional — often overlooked — sources that are invaluable for IR and threat-hunting exercises. Here are five log sources that should be prioritized.

1. Database Logs
Database logging poses challenges for a number of reasons. Administrators often avoid enabling features, like auditing, that could impact server performance. Auditing databases and tables is very difficult given the large number of database servers resident in the typical enterprise environment. In addition, security teams struggle to gain access and visibility into operations occurring in databases created by third parties that have restrictions on viewing the data or table structures.

To gain sufficient visibility into the databases without enabling auditing functions, consider correlating built-in rules and alerts into your SIEM if database activity monitoring is present. You could also create stored procedures that watch for specific actions, and write an event log with the record ID, date, and time of the violating record entry to trigger an alert.

2. Web Server Logs
Of the major data breach vectors, holes in web applications – which typically have access to highly sensitive customer account information – represent the greatest percentage, according to the “2018 Verizon Data Breach Investigations Report.” Unfortunately, security teams have the least visibility into web application logs.

In addition, parsing web server logs is challenging because they are often in a multi-line or custom format and logged in a nonstandard way to a text file or database, as opposed to the native web server log, such as Microsoft IIS or Apache. If you’re using standard web server logs, be sure to enable all the relevant fields since the default W3C layout in IIS doesn’t capture some critical elements, such as page size and cookie values. Logging events from a web application firewall (WAF) already watches for potentially malicious actions.

3. Domain Name System Logs
DNS server logs provide rich information about what sites users visit, and they show whether any malicious applications reach out to command-and-control sites. However, DNS also is a common tunneling protocol for exfiltrating data since firewalls typically allow the data out. DNS logs are challenging because of the volume of data, their multi-line format, and the difficulty posed in exporting them.

Consider using BIND, Infoblox, or even Microsoft’s new Analytical Event Logging method, which uses a more standard logging format rather than the traditional debugging and flat file importing. The new Analytical logs have significant performance gains over the debug method, and the events are stored in the common Windows Event Log format.

4. Cloud Platform Logs
Enterprises are rapidly adopting cloud services, including Amazon Web Services, Google Cloud Platform, Microsoft Azure, Salesforce, and Dropbox, to store data and applications. However, many such services don’t have consistent logging formats and require different parsers and methods of logging events from various applications housed on the platform. Building parsers to scale to the number of events is a challenge for most teams, but effectively prefiltering data before ingesting will prevent overwhelming your SIEM or logging tool by handling only the actionable events.

Cloud application security broker (CASB) solutions may not be all-encompassing enterprise platforms, but they provide granular auditing capabilities at the application or service level and need to have the same logging and monitoring considerations as full cloud platforms. CASB solutions are essential for IR and forensic investigations since alerting on unauthorized access to cloud services can signal potential insider threats.

5. Physical Security Logs
It is extremely valuable to monitor for insider threats logs from camera systems, biometric/card access readers and alarm systems. Combining these with evidence correlated from servers, workstations, firewalls, VPNs, and remote access devices is essential to demonstrate whether credentials were stolen and establish insider location at specific points in time. However, the physical security team and the IT security team tend not to work together, which makes it difficult to gather and correlate the different log sources. Despite that, it’s not impossible to ingest logs from the disparate systems. The focus should be on things like unauthorized physical access to remote facilities, visitor/contractor access to unauthorized areas, and after-hours alarm triggers.

Stay Alert  
These five log sources are helpful in improving visibility into the entire enterprise security environment, but enterprises need to be smart about how they handle all the new alerts generated by their security products. The 451 Research report found that 43% of enterprises are unable to act on at least a quarter of the alerts, and nearly half said their SIEM, endpoint detection and response, and other data-capture systems were overwhelming their security operations capacity.

A good best practice is to create a roadmap with all of the possible log sources and have IT teams work with affected business units to set priorities, taking into account the level of effort ingesting will require and the potential risks that will be mitigated by doing so. Having security teams work with the data or application owners ahead of time ensures they can review the actionable event types together and disoverer where the source owners might need more visibility.  

Related Content:

• Inside Incident Response: 6 Key Tips to Keep in Mind
• Threat Hunting 101: Not Mission Impossible for the Resource-Challenged
• Care and Feeding of Your SIEM
• DNS Hijacking Campaign Targets Organizations Globally

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Joe Partlow is currently the chief information security officer at ReliaQuest, an enterprise cybersecurity company. He has been involved with InfoSec in some capacity or role for over 15 years, mostly on the defensive side. Current projects include mobile and memory … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/in-security-all-logs-are-not-created-equal/a/d-id/1334332?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple