STE WILLIAMS

Transport for London Oyster system pulled offline after miscreants enter customers’ accounts

Exclusive Transport for London’s online Oyster travel smartcard system has been accessed by miscreants using customer credentials, The Reg can reveal, as the transport authority keeps the website offline for a second day.

Some Oyster customers have had their accounts broken into, and the transport authority has blamed users who recycled their login creds with other websites.

A TfL spokesperson told us: “We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites. No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place.”

In fiscal year 2018/19 nearly a billion rail, tram and bus journeys were made using Oyster cards, netting TfL a cool £2.3bn in revenue, according to its own statistics.

Over the past couple of days, increasing numbers of users noticed that they could not log in online and check their smartcards’ balances or top them up with cash.

In tweets from Londoners asking why they can’t access their online accounts and do things like cancel standing orders or change card details, TfL repeatedly insisted that the problem was “performance issues impacting users”.

TfL’s response to the attack on the accounts included taking down staff access to Oyster systems as well, though Londoners using ticket machines to top up at stations seem unaffected so far.

TfL also told us: “We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”

The transport authority did not say how many users had been affected. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/08/tfl_oyster_card_outage_online_topup/

How powerful are Russian hackers? One new law could transform global crime operations

Black Hat The introduction of Russia’s Sovereign Internet rules is having an impact on the way criminal hackers around the world do business.

This is according to security house IntSights, which says that the law, set to become official in a few months, will force many hacking groups to change the way they operate both in Russia and in other countries.

The rule would lead to Russia developing its own standalone network that could be cut off from all connections outside of the country if need be and continue to function.

“It creates this infrastructure that kind of isolates Russia a little bit,” Charity Wright, a threat intelligence analyst with IntSights, told The Register.

“A lot of outsiders feel threatened because they feel they may not have access to the Russian internet, but really Russia’s intention is to become sovereign over their own infrastructure so if there is an attack to cut them off, they can go on with business as usual.”

While the Russian government is notorious for turning a blind eye to criminal hackers (and in some cases even enlisting them for official activities), the new law will still have a major impact on how cybercrime is conducted both within and outside the country.

In particular, hackers operating within Russia will have to make sure that the services they use to conduct attacks, such as VPNs, are either Russian or operate in compliance with the strict sovereign internet requirements that have already led many VPN providers to pull out of the country.

“Although Russia is not known for cracking down on crime, this is really going to create a new culture for darkweb usage,” Wright said.

“They will really have to consider the VPNs they are using and make sure they comply or stop using them.”

Those sentiments were echoed by fellow IntSights security pro Andrey Yakovlev, who said that while Russia is tightening its grip on the internet and becoming more insular, it also gives its domestic hackers more motivation to launch attacks outside their borders.

“The sovereign internet will make it much easier for Russian law enforcement to crack down on hackers that target Russian entities,” Yakovlev explained in the IntSights Dark Side of Russia report.

“But the government will still likely turn a blind eye to threat actors that target foreign entities – particularly those operating in enemy states, like the United States.”

In other words, as hacking within Russia becomes more difficult and dangerous, expect to see Russian hacking groups focus even more of their attention on western countries, where the attacks will not draw a police response.

This is particularly bad news given the technological advantage many Russian hacking crews enjoy. The IntSights team noted that many of the major attacks and exploits to arise in recent months, such as the Windows RDP BlueKeep flaw, were weaponised in Russia long before hackers in other countries were able to get working attack code launched in the wild.

“The Russian underground covers virtually any known type or method of malicious activity,” noted Yakovlev.

“If news outlets are talking about it, it is likely Russian cybercriminals have already had it for some time.”

Combine that with the stronger motivation to hack outside of Russian borders, and it is shaping up to be a long year for foreign companies in the crosshairs of Russian hacking crews. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/08/blackhat_russian_internet_law/

Enterprises Must Be Wary of Ransomware Targeting Network File Shares & Cloud Assets

New research shows that criminals are evolving ransomware attacks against servers, network hosts, and IaaS cloud assets in search of bigger payoffs from businesses.

Ransomware attacks against individual endpoints are so passé. According to reports out this week from two security research teams, financially motivated cybercriminals are updating their ransomware playbooks in search of bigger payoffs from their victims. Increasingly, they’re making more money by putting bigger game in the crosshairs, namely networked business assets such as file shares, servers, network hosts, and infrastructure-as-a-service cloud infrastructure.

A new study from researchers at Vectra shows that the biggest threat to enterprises from ransomware today is malicious encryption of shared network files. Whereas a ransomware infection of an isolated endpoint should be straightforward to recover from with even modest backup procedures, ransomware that targets file shares is far more likely to trigger “all-hands-on-deck” emergencies. First, attackers can do a great deal more damage with minimal effort, because a single shared volume is mounted by numerous local systems. It takes only one compromised access point to lock access to documents across many departments or divisions of a targeted organization.

“In a volume-sharing system, a single infected host could encrypt an entire networked volume, resulting in a global impact on the target organization’s business and systems,” the report explains.

What’s more, in many instances, these shared volumes are themselves used as a part of backup procedures for other systems so recovery can become quite tricky without offline backups.

“The files must be recovered from the most recent cold backup if the ransom is not paid,” the report says. “Backup systems attached to a network are also at risk, which is why cold offline backups are critical for recovery.”

The potential risk — and payout for extortionary criminals — increases tremendously when ransomware attackers can successfully target cloud provider infrastructure and storage shares. The Vectra report points to several high-profile attacks against cloud hosting firms DataResolution.net and iNSYNQ as examples of the dynamic at play.

“The fallout from ransomware attacks against cloud service providers is far more devastating when the business systems of every cloud-hosted customer are encrypted,” says Chris Morales, head of security analytics at Vectra. “Today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.”

According to Vectra’s study, the volume of these attacks is on the decline, but that could simply be a factor of criminals getting more discriminating and more effective with ransomware targeting. There are plenty of new and effective ransomware techniques and malware families deluging enterprises with these network-centric attacks. For example, in the past month, there have been two waves of attacks specifically targeted against enterprise storage devices from QNAP Network and Iomega.

And just this Monday, the industry saw more evidence of the evolution of the ransomware strain MegaCortex, which targets important files on servers and network hosts and is tied to attacks that have asked for as much as $5.8 million from large organizations. New analysis out from researchers with Accenture iDefense shows a version 2 of MegaCortex floating around that shifts this from a very manual ransomware tool to something with automated self-execution features.

“The authors of MegaCortex v2 have redesigned the ransomware to self-execute and removed the password requirement for installation. The changes suggest that the malware authors traded some security for ease of use and automation,” writes Leo Fernandes, senior manager for malware analysis and countermeasures at Accenture iDefense. “Potentially, there could be an increase in the number of MegaCortex incidents if actors decide to start delivering it through email campaigns or dropped as a secondary stage by other malware families.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/attacks-breaches/enterprises-must-be-wary-of-ransomware-targeting-network-file-shares-and-cloud-assets/d/d-id/1335466?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Slow Your Roll Before Disclosing a Security Incident

Transparency rules, but taking the right amount of time to figure out what happened will go a long way toward setting the record straight.

Security incidents happen all the time, but when one actually strikes an organization, security professionals often find themselves uncertain whether it needs to be disclosed to the public or shared with law enforcement right away.

For example, back in 2006, an unknown user gained unauthorized access to a large number of electronic records on the McCombs School of Business computers at the University of Texas in Austin. But before disclosing what happened, the university took the time to determine what information was accessed, lost, or possibly modified, as well as how long the issue had been going on. UT-Austin also needed to understand exactly what information about the security incident it was able to share with the public.

“UT-Austin said what happened, who it affected, what the potential impact was to the people involved, and what they were going to do to help these people,” says Greg White, director of the Center for Infrastructure Assurance and Security at The University of Texas at San Antonio (UTSA).

Clearly the university understood that planning and preparation were critical for security teams to know what to do in the event of an incident. Planning should start when an application is first architected or when features are added, according to Tim Mackey, principal security strategist at Synopsys CyRC (Cybersecurity Research Center).

“It is at this point that decisions surrounding the type of data being collected and processed are made,” Mackey says.

Once an application is architected, the incident response plan should be updated — at least in an ideal world. In reality, though, it might be time for organizations to dust off the old playbooks.

Do You Really Have a Breach?
Sometimes organizations will make efforts to keep security incidents tightly under wraps; however, that can backfire if the news gets out, as was the case for Uber in 2017 when it came out the company had paid $100,000 to conceal a 2016 data breach.

“What makes this one stand out is absolutely the time duration,” McAfee Labs vice president Vincent Weafer told Dark Reading in 2017. “It’s almost a year ago that the actual event occurred; we’re just finding out about it now.”

If a company is evasive and only discloses a little at a time, it could potentially come across as an effort to hide something or an indication that they don’t really know what they are doing. “Neither of these are good from a public relations standpoint,” UTSA’s White says.

On the other hand, late last month Capital One announced that an unauthorized user had accessed customer data. The announcement went public only 10 days after the security incident was detected.

When companies haven’t been transparent about potential compromises, the public is less inclined to be forgiving. That said, a lack of disclosure isn’t always an indication that organizations are withholding information. According to Benjamin Wright, attorney and SANS senior instructor, it is very common for people to misinterpret evidence. In order to avoid damage to brand, he says, companies need to analyze with great vigor.

“In a modern enterprise, you can get thousands of alerts in a day, all giving some piece of information that there could be a problem. All of these little pieces of information are forms of evidence, which can be very hard to interpret,” Wright says.

Often the tendency is to leap to conclusions, says Wright, who cautions companies to do their homework before reaching any legal conclusions. “They have to get the appropriate kinds of experts to really look at what happened and interpret them in a realistic way,” he says.

Though it may feel frustrating to stakeholders who are anxious to know whether something happened and to what extent the business has been impacted, security teams must be thorough, UTSA’s White says. 

He also agrees that thorough analysis is critical. “It will take some time to get an accurate picture to be able to fully disclose what has happened,” he says. “In some cases you can make a quick guess, but to get accurate information out it will take more time.”

White adds: “Another thing [is to consider] how you might be enhancing security in the future to ensure this doesn’t happen again.”

We Know the What, but How Do We Disclose?
In the US, data breach reporting requirements vary by state and the type of data exfiltrated. For instance, the state of Connecticut mandates that breaches “based on harm” are disclosed within 90 days and require government notification. In South Carolina, though, breaches causing harm must be disclosed within the “most expedient time possible and without unreasonable delay.” Law enforcement only needs to be notified if more than 1,000 residents have been affected.

According to Synopsys’ Mackey and “The Summary of US State Data Breach Notification Statutes” published by Davis Wright Tremaine, the reporting process is based on where the user resides, not where the organization’s primary locations are.

“For national or global organizations, this significantly complicates any incident response as even US-based companies may do business with EU residents and thus potentially trigger GDPR requirements,” Mackey explains. 

Law enforcement can be called on to support an investigation, but Mackey says it’s not reasonable to expect they’ll be in a position to guide your full response.


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/slow-your-roll-before-disclosing-a-security-incident/b/d-id/1335428?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WhatsApp Messages Can Be Intercepted, Manipulated

Check Point security researchers demonstrate how a dangerous security weakness in the messaging application can be abused to spread fake news and carry out online scams.

BLACK HAT USA 2019 – Las Vegas – Researchers from Check Point Software Technologies are once again warning about what they describe as a dangerous security weakness in the WhatsApp messaging application that can be abused to spread fake news and carry out various online scams.

In a technical presentation here yesterday, Check Point researchers Roman Zaikin and Oded Vanunu explained how an attacker could exploit the issue to alter the text of someone else’s reply, change the identity of a message sender, or trick a user into sharing something publicly in a group that they might not have intended to share.

The researchers first surfaced the same issues in August 2018 in a report that described how attackers could intercept and manipulate WhatsApp messages in private and group chat settings. In a blog and in comments at the time to Dark Reading, Vanunu identified the issue as having to do with WhatsApp’s failure to validate certain message parameters before encrypting and sending messages to the intended recipient.

Since then, Facebook-owned WhatsApp has fixed the issue that allowed attackers to trick users in a group chat into thinking they were sharing something in private when, in fact, it was visible to everyone else, he said.

However, the other two issues remain unmitigated and continue to give attackers a way to abuse WhatsApp in dangerous ways, Vanunu said. From Check Point’s perspective, the vulnerabilities present a major threat and need to be addressed urgently, he noted.

“WhatsApp is not just an application. It is an infrastructure of more than 1.5 billion users with more than 56 billion messages per day,” Vanunu said.

WhatsApp’s massive footprint makes it a big target for criminals attempting to spread fake news and carry out other malicious activities, he said. In some countries, including India and Brazil, rumors spread via WhatsApp have even resulted in the deaths of innocent people, Vanunu said. In many countries, WhatsApp is also used for business applications, so it is important that the issue gets resolved, he added.

According to Vanunu and Zaikin, WhatsApp’s end-to-end encryption is strong and not the problem. Rather, the issue lies in the communication that happens between an individual’s WhatsApp mobile app and its Web version when a user logs in.

Vanunu and Zaikin reverse-engineered the communication and identified several message parameters being exchanged between WhatsApp’s mobile version and Web version. Among them were parameters pertaining to the content of the message, and those that identified the message sender and the contact or the group to which the message was intended.

The researchers found they could intercept the communication and manipulate the data associated with each parameter before any of it was encrypted. For instance, an attacker could use the “quote” feature in WhatsApp that references a previous message to change the identity of the original sender or alter the original message entirely. WhatsApp does not validate the data and instead just accepts the altered content, encrypts it, and forwards it to the intended recipient.

WhatsApp did not respond to a request for comment. But in a statement responding to Check Point’s original report last year, the company denied any security issue. It likened the issue to someone altering the contents of an email to put words into the mouth of the sender.

A lot of it also has to do with how WhatsApp works. WhatsApp has noted that when someone replies to a message, the WhatsApp client copies the text available within the app and creates a kind of graphical representation that helps people follow the conversation. The reason for providing a sort of “quick reply” option is to help identify the source within the user’s chat log if one exists.

WhatsApp has stressed that, because of its end-to-end encryption, it does not store any messages on its own servers and therefore has no reference copy of any message off the device itself. As a result, the only way to validate the data in messages being sent would be to log all messages, which would undermine privacy protections. It would also make it impossible to deliver messages to a group when a single member is not connected, and would prevent users from quoting a message sent before a new member joined the group, WhatsApp said.
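WhatsApp’s argument is that only a server log could validate a quote. The recipient’s own device, however, usually holds the original message, so the receiving client can compare the quoted sender and text against its local history and flag a mismatch. The following is an added illustration of that client-side check, not Check Point’s or WhatsApp’s code; the message fields, the `verify_quote` API and the sample chat log are assumptions constructed for the example, modelling the content, sender and quote-reference parameters the article describes rather than the real wire format.

```python
"""Client-side verification of a quoted reply against local chat history.

Added example (not WhatsApp's or Check Point's code). The Message/QuotedReply
fields are an assumed simplification of the parameters described in the
article: message content, sender identity, and the reference to a quoted
message. Verdict labels are likewise assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str   # assumed: stable per-message identifier
    sender: str
    text: str


@dataclass(frozen=True)
class QuotedReply:
    sender: str          # who is replying
    text: str            # reply body
    quoted_id: str       # which earlier message the reply claims to quote
    quoted_sender: str   # sender shown in the quote block (copied by the replying client)
    quoted_text: str     # text shown in the quote block (copied by the replying client)


class ChatLog:
    """The recipient's local history: the one reference copy the article says exists."""

    def __init__(self, history: Iterable[Message]) -> None:
        self._by_id: Dict[str, Message] = {m.msg_id: m for m in history}

    def verify_quote(self, reply: QuotedReply) -> Tuple[str, List[str]]:
        """Compare the quote block with the stored original.

        Returns (verdict, problems) with verdict in
        {'verified', 'tampered', 'unverifiable'}.  'unverifiable' is the
        edge case the article raises: the original predates this member's
        join (or was deleted locally), so there is nothing to compare against
        and the quote should be rendered as unconfirmed rather than trusted.
        """
        original = self._by_id.get(reply.quoted_id)
        if original is None:
            return "unverifiable", ["quoted message is not in local history"]

        problems: List[str] = []
        if original.sender != reply.quoted_sender:
            problems.append(
                f"sender mismatch: quote shows {reply.quoted_sender!r}, "
                f"stored original is from {original.sender!r}"
            )
        if original.text != reply.quoted_text:
            problems.append("text mismatch: quoted body differs from stored original")
        return ("tampered" if problems else "verified"), problems


# Constructed sample history for the recipient's device.
SAMPLE_HISTORY = [
    Message("m1", "alice", "Meeting moved to 3pm, same room."),
    Message("m2", "bob", "Got it, see you there."),
]

# Constructed replies: one faithful, two with altered quote blocks, one quoting
# a message this member never received (joined the group after it was sent).
SAMPLE_REPLIES = {
    "faithful": QuotedReply("bob", "Works for me", "m1", "alice",
                            "Meeting moved to 3pm, same room."),
    "forged_text": QuotedReply("mallory", "As alice asked, send the figures to me", "m1",
                               "alice", "Send this quarter's figures to mallory."),
    "forged_sender": QuotedReply("mallory", "Bob agreed to this", "m1", "bob",
                                 "Meeting moved to 3pm, same room."),
    "before_join": QuotedReply("carol", "Re the earlier decision", "m0", "alice",
                               "We approved the budget."),
}


def verify_demo() -> Dict[str, Tuple[str, List[str]]]:
    """Run every sample reply through the check and return the verdicts."""
    log = ChatLog(SAMPLE_HISTORY)
    return {name: log.verify_quote(reply) for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, (verdict, problems) in verify_demo().items():
        print(f"{name:14s} -> {verdict}", *(f"\n    {p}" for p in problems))
```

The check costs nothing server-side and needs no message logging; its limit is exactly the case the article names, a quote of a message the recipient never held, which the code surfaces as `unverifiable` instead of silently trusting it.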


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/whatsapp-messages-can-be-intercepted-manipulated/d/d-id/1335473?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Yes, FaceApp Really Could Be Sending Your Data to Russia

FaceApp has an unprecedented level of access to data from 150 million users. What could its endgame be? We unpack three potential risks.

FaceApp, an app that offers special effects for photographs, has been downloaded and installed by more than 150 million people worldwide, according to consumer tech journalist John Koetsier, writing in Forbes. Koetsier writes that the most popular of these special effects is an artificial intelligence (AI)-enhanced photo filter that ages any faces in the photograph. This feature has gotten even more popular lately, leading to the app’s privacy being called into question on a global scale.

FaceApp is developed and published by Wireless Lab, a company with headquarters in St. Petersburg, Russia. While Wireless Lab and its staff are based in Russia, company founder Yaroslav Goncharov told Forbes that all the app’s storage and cloud resources are in the US and that the data collected by the app is hosted in the US, not Russia. Because FaceApp has such close ties to Russia, American political officials have raised concerns about the overall security of the app. But the potential issues go beyond where the data is hosted.

Here are three risks to unpack before deciding to use FaceApp:

Risk 1: Terms and Conditions
As with any social media app, the terms are the bulk of your contract and the primary mechanism that is supposed to protect you (the user). But terms are also a way for many companies to indicate what they anticipate they’ll do with your information in the future, often long before actually acting on these plans.

I’ve been in the security space for nearly 30 years, but FaceApp’s set of terms are among the worst I have seen, for example:

● You assign FaceApp irrevocable global rights to use your images or data as it sees fit without any need to compensate or inform you.
● FaceApp can continue to hold your images and data even after you have requested your information be deleted.
● The company reserves the right to share the data with any third party it chooses without any need to inform you.
● It reserves the right to host the data in any country it chooses.

As shocking as some of the terms are, you will find very similar language in many well-known social media apps, including Facebook, according to Dalvin Brown, in USA TODAY. This approach is almost certainly incompatible with legislation such as GDPR, which means Wireless Lab is ignoring international privacy regulations.

In response to widespread criticism, Goncharov is quoted in Forbes suggesting that the company might consider updating its terms. However, the company still hasn’t made any concrete promises. For now, FaceApp’s terms make it seem as if the company is absolutely collecting your data, has long-term plans for it, and is not obligated to listen to any request or demand you may have about the future of that data.

Risk 2: Murky international legal regulations around data privacy
It’s not just the terms and conditions that are problematic. Wireless Lab is operating in a country that has very different legal processes and privacy legislation than the US, and this should be a significant red flag. If it does something you don’t like, you likely have very little or no legal recourse.

As this story has developed, it has become clear to me that Wireless Lab’s statement that the app is wholly hosted in the US may not be the complete picture. Host records indicate that one of the hosts the app communicates with is, in fact, in Russia. While it’s not clear what data is being sent to this Russian host, the fact that it’s there — even after the developer stated everything is in the US — is concerning.

Risk 3: FaceApp’s Endgame
FaceApp has an unprecedented level of access to data from 150 million users. What could the company’s endgame be? This is where we have to speculate. To start, we should first look at what it is harvesting:

● Your photos and contextual personal information.
● Your phone information (browser, serial number, IP address, configuration information, some location information).
● Details about your other apps, the OS on your phone, social media accounts and apps.
● Cookies, sign-in tokens, and any authentication information you share with it (for example, if you choose to log in with Facebook, it gets access to your Facebook access tokens and profile information).
● If the app is downloaded on Android, it can access your call history, contacts, logs, more-detailed location information, messages, and more.

This list is certainly not exhaustive; it merely encompasses the most obvious data to which the app has immediate access.

What could the company be doing with this data? On the obvious end of the spectrum, detailed information about more than 150 million people is something advertisers would pay good money for. But from an intelligence perspective, this is a highly useful and current database of people all over the world and their connections.

For example, a current, AI-enhanced database like this is something that people developing facial recognition need. One of the biggest flaws in current facial recognition technology is that it is only as good as the data used to train it. As a result, most models are skewed toward faces from the region where the technology was developed. A database like this could provide an extremely diverse catalog of real faces to train facial recognition technology.

Whatever the company’s endgame is, one thing is very clear: As consumers, we need to get better at policing those with whom we share our data. The fact that almost all social media applications and services have consumer-unfriendly terms should be of great concern. As the saying goes: “If you’re not paying for it, you’re not the customer; you’re the product being sold.” It’s never been more important to heed this warning.


Marc Rogers is the executive director of cybersecurity at Okta. With a career that spans more than 20 years, Marc has been hacking since the 80’s and is now a white-hat hacker. Prior to Okta, Marc served as the head of security for Cloudflare and spent a decade managing …

Article source: https://www.darkreading.com/endpoint/yes-faceapp-really-could-be-sending-your-data-to-russia/a/d-id/1335429?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI, NSA to hackers: Let us be blunt. Weed need your help. We’ll hire you even if you’ve smoked a little pot in the past

Black Hat America’s crime-fighters, desperate to recruit white-hat hackers to collar spies and cyber-crooks, have been quietly and slightly relaxing the ban on hiring anyone who has used illegal drugs.

Generally speaking, dabbling in any kind of substance abuse will rule you out of the running for a job at the NSA, Homeland Security, the FBI, and so forth. It should, therefore, be no surprise that the Feds have been unable to recruit talented hacker folks, due to their past experimentation with chemicals.

What with marijuana now legal in various US states, including California, and it being 2019 and all, and recruitment of infosec bods still being somewhat of a struggle, it appears Uncle Sam is easing up. So, if you haven’t done anything bonkers, like injected mephedrone into your eyeballs over breakfast, and can pass, and continue to pass, a drug test, and you have the infosec skillz needed, Uncle Sam may well want you… to apply, at least.


“Look, I used to smoke weed in high school,” an NSA representative, who spoke on condition of anonymity, told The Register this week. “Now, so long as you can pass a drug test and don’t do them any more, then it won’t hurt your application.”

While certain US states have approved the use of the devil’s lettuce, under federal law, it’s still rather illegal, and the Feds want to make sure none of their agents are on the wacky baccy. Nevertheless, even the FBI has relaxed its stance somewhat.

“Basically, if you haven’t smoked marijuana in the past three years then it won’t be an issue,” an FBI agent told The Register. “Any use of certain other hard drugs will bar you from joining; the three-year rule does apply to marijuana.”

Quite how they’d check that far back is a mystery, seeing as drug tests for weed typically detect whether you’ve had a joint in the past three months, not three years. And the Feds aren’t fools, they know this.

“I got an email about this, and it’s down to one year since you smoked,” a Department of Homeland Security rep clarified, somewhat, to El Reg. “Staff are still liable to have random drug tests, though the past is the past. Even if weed is legal in your state, you can’t work at Homeland Security and smoke it.”

Obviously, having a drug conviction on your record almost certainly bars you from a federal security-related job, and failing a drugs test while employed is grounds for instant dismissal. However, the Feds are chilling out on past potheads joining their ranks, and that can only help them swell their ranks with patriotic infosec talent. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/08/hackers_feds_weed/

WTF is Boeing on? Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all

Black Hat A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as “irresponsible and misleading” by Boeing.

At the hacking conference in Las Vegas on Wednesday, Ruben Santamarta, principal security consultant at pen-testing biz IOActive, told attendees he had found bugs in software used aboard the jetliners.

It is important to note that there are essentially three electronic networks on a 787: the first is home to non-critical stuff like the in-flight entertainment system; the second is used by slightly more important applications reserved for crew and maintenance teams; and the third is used by the vital avionics gear that controls the airplane’s flight and reads its sensors.

The software Santamarta probed – a crew information service – lives on the second network. He suggested it may be possible to exploit holes in, say, the in-flight entertainment system on the first network to access the adjoining second network where one could abuse the flaws he found in the crew information software to then reach into the adjoining third network. Once there, one could tap into the avionics equipment to hijack the 787, in theory.

Boeing, however, insists the software on the second network cannot be exploited as IOActive described, nor can a miscreant direct the avionics from other networks, due to restrictions in place, such as hardware filters that only allow data to flow between networks rather than instructions or commands. El Reg quietly hopes the avionics can’t be taken over by malformed data that triggers vulnerabilities within the flight control systems on the third network.

‘Limited’

During his talk, Santamarta acknowledged he had no way of proving he could actually commandeer the flight control systems via the holes he found in the crew-facing software. For one thing, he couldn’t persuade Boeing to let him loose on a real passenger jet.

“We have confirmed the vulnerabilities, but not that they are exploitable, so we are presenting why we think they are,” he said. “We have got very limited data, so it’s impossible to say if the mitigation factors Boeing say they have work. We offer them our assistance.”

The Register spoke to Boeing engineers to get their side of the story. They told us work-in-progress software destined for the 787 was stored on a server belonging to the aircraft manufacturer’s research and development labs. This box had been, like so many databases and other systems recently, accidentally left open to the internet, which isn’t particularly wise. Boeing’s eggheads were alerted to the exposed machine by someone who wasn’t from IOActive, we’re told, suggesting God-only-knows how many people found the thing.


According to IOActive, in September, Santamarta stumbled upon the software on the server, while it was exposed to the web, using a Google search. He set to work studying the materials, eventually finding a bunch of bugs that could be exploited to achieve arbitrary code execution in the crew information application.

Boeing’s engineers claimed to us they first knew of IOActive’s investigation into the leaked code when Black Hat’s organizers published the conference schedule some months ago, revealing that a talk was due to take place on hacking 787 aircraft. According to the techies, IOActive had contacted the crew information software’s external developer, Honeywell, about its findings, and not Boeing. IOActive categorically denied this to us, and said it spoke to the Dreamliner maker directly about its discoveries.

In any case, a Boeing engineer told us the bugs in the software have been ironed out, and even if they were present, it would not be possible to hijack the avionics network from another network anyway. Once Boeing was aware of the nature of the programming blunders in the Honeywell software found by Santamarta, the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered.

And yes, it’s all very vague because no one wants to spill too many beans about the cyber-security of a passenger jet. And Boeing’s having none of it.

“IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system,” a spokesperson for the airliner maker said.

“IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible and misleading presentation.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/08/boeing_787_software_bug_hack/

North Korean Cyber Ops Reportedly Stole $2B to Fund Weapons Programs

Unlike many nations, North Korea often engages in cyber operations to generate much-needed cash for the country’s coffers. In that respect, its hackers have been extremely successful.

North Korean state-sponsored hackers have stolen a reported $2 billion from banks and cryptocurrency exchanges over the past three years, using the cash to fund nuclear weapons research, according to a Reuters report published this week.

North Korea, officially known as the Democratic People’s Republic of Korea (DPRK), has developed significant and sophisticated cyber capabilities over the past decade. While other nations have occasionally conducted cyberattacks for financial gain, the DPRK’s intelligence arm, the Reconnaissance General Bureau, has focused much of its effort on stealing money to fund the national economy and, specifically, the nation’s nuclear aspirations.

A report by a Panel of Experts to the United Nations Security Council, published in March, pointed to a series of attacks in 2018 as a demonstration of North Korean actors’ sophistication and persistence. In those heists, the attackers transferred tens of millions of dollars from banks to accounts in 30 different countries and Hong Kong, where the funds were almost immediately withdrawn, near-simultaneously, in tens of thousands of transactions.

“These more recent attacks show how the Democratic People’s Republic of Korea has become an increasingly sophisticated actor in cyberattacks for financial gain, with tools and tactics steadily improving,” states the report by the Panel of Experts.

The Reuters article, published on August 5, puts a number on the level of disruption caused by North Korean hackers and cites an unnamed United Nations report that seems close in content to the previously released Panel of Experts report. While the cumulative sum of $2 billion will likely raise collective eyebrows in the security community, given the nation’s past activities and known successes, it should come as little surprise. 

North Korea continues to double down on its financial heists, including the recent targeting of banks in attacks using mass withdrawals from ATMs, says Vikram Thakur, a researcher with Symantec’s security response team. North Korea’s state-sponsored activities have been linked to the $81 million stolen from the Central Bank of Bangladesh and at least $571 million stolen from three cryptocurrency exchanges.

“They have learned so much quickly,” he says. “For the past two years, their sole focus has been money, money, money. … We don’t see other nation-state mandated groups going after money.”

The nation-state hacking teams are focused mainly on targets in developing countries in Southeast Asia and the Middle East, he says. 

The most well-known group attributed to North Korea is the Lazarus Group, which has conducted operations since at least 2009. Initial attacks mainly focused on political objectives: The MyDoom worm, which took down US and South Korean sites in 2009, has been linked to North Korea and the Lazarus Group, as has the 2014 compromise of Sony Pictures and the subsequent release of the company’s private information.

In 2016, however, the Lazarus Group started focusing on cyber operations that would transfer large sums of money to North Korea using the world’s banking infrastructure. The theft of $81 million from the Central Bank of Bangladesh and a second, stymied attack on a commercial bank in Vietnam were both blamed on the North Korean cyber operations group. The destructive 2017 WannaCry ransomware attacks, which failed to generate much revenue, have also been linked to North Korean state-sponsored hackers.

“North Korea’s engagement in a wide range of criminal and terrorist activities is part of its broad national strategy, which employs asymmetric operations and surprise attacks to overcome North Korea’s conventional national power deficit,” stated open-source intelligence firm Recorded Future in a July report on North Korean Cyber Activity.

The UN Panel of Experts report is part of the UN Security Council’s Resolution 1874, passed in 2009, which implements sanctions against North Korea for violating nuclear non-proliferation accords. The report, issued in March, cited North Korea’s cyber operations as a significant factor that should be considered in future sanctions against the nation.

Ironically, the Panel of Experts was the focus of the DPRK’s cyber operations as well.

“Cyberattacks against the Panel continued to hamper its ability to report on the implementation of sanctions according to its mandate,” the group stated in the report. “In addition, the Panel notes that unauthorized disclosures of Committee proceedings and Panel internal reports and activities are damaging.”

North Korea’s Lazarus Group continues to focus on cryptocurrency. A March 2019 report by security firm Kaspersky Lab found that the group had launched a new operation with command-and-control servers capable of controlling malware on both Windows and Mac operating systems.

“Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection,” the company said.

With additional reporting by Kelly Jackson Higgins.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/north-korean-cyber-ops-reportedly-stole-$2b-to-fund-weapons-programs/d/d-id/1335467?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Buttigieg Campaign Adds a CISO

Democratic presidential hopeful Pete Buttigieg’s campaign reportedly may be the first to bring a security exec on board.

Former Obama administration cybersecurity official Mick Baccio has been hired as the chief information security officer (CISO) for Pete Buttigieg’s presidential campaign.

According to Politico, which broke the news, this appears to be the first time a 2020 presidential campaign has brought in a staff CISO. Concerns in the wake of Russian meddling in the 2016 presidential election have caused some campaign officials and security experts to examine how candidates can better lock down their campaign systems’ security.

“Our campaign is committed to digital security, and hiring a full-time CISO is one way we’re protecting against cyberattacks,” a Buttigieg campaign spokesperson told Politico. 

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/analytics/buttigieg-campaign-adds-a-ciso-/d/d-id/1335470?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple