STE WILLIAMS

Cyberattackers Bait Financial Firms with Google Cloud Platform

A new wave of attacks abuses the Google Cloud Platform URL redirection in PDF decoys, sending users to a malicious link.

Researchers have spotted a trend in targeted themed attacks using the App Engine Google Cloud Platform (GCP) to deliver malware via PDF decoys. The threat has so far been detected across 42 organizations, mostly in the financial sector but also within governments worldwide.

This attack is more convincing than traditional attacks because the URL hosting the malware redirects the host URL to Google App Engine, explain Netskope analysts in findings published today. Many decoys used were likely linked to threat actor group Cobalt Strike, they report.

Netskope’s discovery was made earlier this year, when researchers saw common detections across 42 of its customers in the banking and finance industry. Further investigation showed detections were triggered by attachments in eml files; analysis revealed attacks were abusing Google App Engine on the GCP as bait to deliver malware to targets.

“URL redirection mechanisms/features are widely used and abused by threat actors to deceive victims into believing the malicious files are being delivered from a trusted source,” says Ashwin Vamshi, a Netskope security researcher and author of the report. “The usage of themed PDF decoys with enticing emails is a perfect choice since the payload seems to be originating from a trusted source, and popular PDF viewers enable users to easily whitelist domains.”

Sneak Attack, PDF Style
PDF decoys typically arrive attached to emails designed to contain legitimate content and appear as though they’re coming from whitelisted sources. In this case, victims are tricked with a Google App Engine URL, which is abused to redirect victims to malware. Because GCP is a trusted source among enterprise users, targets are unlikely to know they’re being duped.

Most PDFs were created using Adobe Acrobat 18.0 and contain the malicious link. All decoys use HTTPS URLs to deliver the payload. Once they execute the PDF decoy and click the link, victims are logged out of Google App Engine and a response status code 302 is generated for URL redirection. Victims are taken to a landing page where a malicious file is downloaded onto their machines. In all cases, GCP App Engine validated the redirection and delivered the payload.

The payload is a Microsoft Word document containing obfuscated macro code or PDF documents as the second-stage payload. When executed, it displays a message to victims prompting them to enable editing and content mode to view the file. If enabled, the macro is executed and downloads another stage payload, a tactic that makes attacks harder to analyze.

PDF readers typically alert users when a document connects to a website with a “remember this action” pop-up, researchers say. If users check the box, future URLs within the domain will connect without any prompt. Attackers can abuse this, launching several attacks without users seeing any kind of security warning after they approve redirection in their first notification.

Admins may also have appengine.google.com whitelisted for legitimate reasons, another factor that makes it easier for adversaries to succeed with this type of attack.

Cobalt Strikes Again
The Cobalt Strike threat group has a reputation for using various tactics, techniques, and procedures to target financial and banking firms using malware like Carbanak. It’s also known for using Cobalt Strike software, a white hat tool for conducting security assessments.

The pattern continues in this series of attacks, which hit a range of financial and government targets across geographies. Victims included OmniPay (Asia), Metrobank Philippines, Travelex foreign exchange business, SKB Bank and RGS Bank in Russia, Bancosol, BancNet Online, India’s Ministry of External Affairs, Accuity, Bank of Alexandria, and Standard Bank, South Africa.

“Based on the timeline of the emails sent to the potential targets, we expect the group to be actively carrying out attacks,” Vamshi says. The report notes that while emails were sent to targets from the threat actor, it’s possible the address may be spoofed with a forged sender.

Netskope reported the abuse to Google on Jan. 10. Google responded by saying the open redirector exists by design. For those unfamiliar, open redirectors take users from a Google URL to another site chosen by whoever constructed the link. Since the attached URL in these malicious files is an unvalidated redirect, users are unknowingly taken to a malicious page.

Users can recognize URL redirection abuse by hovering their mouse over hyperlinks before they click, Vamshi says. Organizations, especially financial institutions, should teach employees to recognize AWS, Azure, and GCP URLs so they can discern legitimate and malicious sites.
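The hover check described above can be automated for links pulled from PDF attachments. The following is an added example, not code from the article or from Netskope's report: it flags links whose visible host is trusted but whose query string carries an absolute URL to a different host, and it generalizes beyond App Engine to any host in the trusted set. The sample URLs, their paths and their parameter names are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts that users and PDF viewers tend to trust. appengine.google.com is the
# host named in the article; extend the set to match local allowlists.
TRUSTED_HOSTS = {"appengine.google.com"}
MAX_DECODE_LAYERS = 3  # assumption: enough to undo nested percent-encoding


def _absolute_host(value):
    """Return the host if value is an absolute or protocol-relative web URL."""
    text = value.strip()
    try:
        parts = urlsplit(text)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    scheme = parts.scheme.lower()
    if scheme in ("http", "https") or (scheme == "" and text.startswith("//")):
        return parts.hostname  # already lower-cased by urlsplit, or None
    return None


def embedded_hosts(url):
    """Hosts of URLs carried inside the query string of url, in order."""
    hosts = []
    # parse_qsl removes one layer of percent-encoding; the loop peels more.
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(MAX_DECODE_LAYERS):
            host = _absolute_host(value)
            if host:
                hosts.append(host)
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return hosts


def classify_link(url, trusted=TRUSTED_HOSTS):
    """Compare the host a user sees with the hosts the link can hand off to."""
    shown = (urlsplit(url).hostname or "").lower()
    external = [h for h in embedded_hosts(url) if h != shown]
    if not external:
        verdict = "no-external-target"
    elif shown in trusted:
        # The case from the article: trusted host, landing page elsewhere.
        verdict = "trusted-host-redirect"
    else:
        verdict = "redirect-parameter"
    return {"shown_host": shown, "targets": external, "verdict": verdict}


# Constructed sample links (paths and parameter names are placeholders).
SAMPLE_LINKS = [
    "https://appengine.google.com/constructed/path"
    "?next=https%3A%2F%2Fdownload.example.test%2Fdoc.doc",
    "https://appengine.google.com/constructed/path"
    "?next=https%3A%2F%2Fappengine.google.com%2Fhome",
    "https://appengine.google.com/constructed/path"
    "?next=https%253A%252F%252Fcdn.example.test%252Fa",
    "https://portal.example.test/docs?id=42",
    "https://portal.example.test/go?url=//files.example.test/x",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = classify_link(link)
        print(f"{result['verdict']:<24}{result['shown_host']} -> "
              f"{', '.join(result['targets']) or '-'}")
```

A "trusted-host-redirect" verdict is a triage signal for mail or proxy filtering rather than proof of malice, since legitimate sign-in flows also pass return URLs in the query string.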

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/attacks-breaches/cyberattackers-bait-financial-firms-with-google-cloud-platform/d/d-id/1333729?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cisco Study Finds Fewer Data Breaches at GDPR-Ready Firms

Many organizations find that getting their data privacy house in order is paying off.

It’s been less than a year since the General Data Protection Regulation (GDPR) officially took effect, but a new study already shows that organizations that invested in data privacy to meet GDPR guidelines suffered fewer data breaches in the past year.

Cisco Systems’ new Data Privacy Benchmark Study, based on data from 3,200 security professionals worldwide, found that nearly 60% of organizations have met most or all GDPR requirements, and close to 30% expect to do so within a year. GDPR, which became enforceable on May 28, 2018, provides a standard data privacy law for the European Union, imposing stricter rules on the control and use of personally identifiable information as well as giving users more control over their data.

The most GDPR-ready organizations suffered fewer data breaches in the last year (74%) than organizations that aren’t as far along in their data privacy efforts, according to the study. Eighty percent of organizations less than a year from GDPR compliance were hit with a data breach, and nearly 90% of those who don’t expect to be GDPR-ready for more than a year experienced data breaches.

GDPR readiness also helped minimize the number of data records exposed as well as the resulting costs: The firms that were readier had 79,000 files exposed, versus 212,000 in orgs less mature in their data privacy efforts. While 64% of the not-ready-for-GDPR firms lost more than $500,000 last year in data breach costs, just 37% of the GDPR-ready ones experienced that level of costs.

The European Union’s regulation — which affects multinational firms worldwide — has been heating up of late: France’s data privacy agency earlier this week fined Google some $57 million in penalties for failing to disclose how it gathers and uses personal information of users. This is the first major fine for a US tech company under the new privacy law.

Robert Waitman, director of data privacy at Cisco, says his firm’s study also found that data privacy investments are helping to shorten sales cycles. “The length of delay has been cut in half now, which was surprising,” he says. “It’s shrunk so significantly because they are more experienced in answering companies’ data privacy questions.”

GDPR has its trade-offs, notes Waitman, but it’s already making a difference with improved data privacy. “Reflected in the data [in this report] are these tangential benefits of getting your data house in order,” he says.

Christian Vezina, CISO at OneSpan, says GDPR has upped the ante for due diligence of third parties when it comes to data privacy.

“Privacy is starting to be an important part of standard vendor assessment processes,” Vezina says. “Service organizations having a higher level of privacy maturity will benefit from a shortened sales cycle, as they will be in a position not only to demonstrate their compliance, but to assist their customers in meeting their own compliance obligations.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/cisco-study-finds-fewer-data-breaches-at-gdpr-ready-firms/d/d-id/1333728?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

After Eight Years, Metasploit Gets Its First Major Update

Metasploit 5.0 offers a host of service-oriented features, along with a new commitment from Rapid7 for regular releases.

Metasploit can be found in every pen tester’s tool kit. Ditto for most hackers. That means many are now thinking through how a new version of Metasploit – the first major release since 2011 – is going to change their research and testing workflow. 

Metasploit 5.0, released earlier this month by Rapid7, offers a host of new features and capabilities, along with the promise of a faster, more regular update cycle for the product. “We’re on a new release schedule, so there’ll be new releases, hopefully every year, which kind of brings us to putting things out quicker and being more agile,” says Cody Pierce, principal product manager at Metasploit.

New capabilities carried with the first of the new-cycle releases begin with support for three languages: Go, Python, and Ruby. “If you’re a Go developer, or if you’re a Python developer, you can now write in the native language that you’re comfortable with,” Pierce says. “So if you want to write an exploit, or a scanner, or an integrated tool, there are now three languages. We’re kind of taking down those barriers to entry.”  

The development support continues with a new framework, JSON-RPC API, a common Web services framework that exposes all available APIs. “We’re already seeing people that are building new tools on top of it because it’s so much easier to integrate with,” Pierce says. That active tool-building activity is a critical consideration for the Metasploit team.

“We have the best community. Our community is always contributing new tools and new scanners, new exploits, and new payloads,” Pierce says. Another new capability, the database as a RESTful service, is intended to make those contributions even easier.

“If you’re building a tool for penetration testing, we don’t want you to worry about a database. We don’t want you to worry about your payloads or those fundamental things,” Pierce explains. “We want the framework to take care of that for you and let you just do the exciting work, or the novel research, or building the tool you actually want to build.” 

He expects some of the new tools to use expanded capabilities, such as the evasion modules and libraries now included with Metasploit 5.0. Pierce also believes that new tools and capabilities will come to the community because of the service-oriented nature of the new metashell. Multiple consoles can be deployed and draw on resources hosted essentially anywhere the Internet can reach.

At the heart of the new release and the new cadence is bringing capabilities out from the project development community and to the wider user base. “If you’re a contributor, if you’re a community member, you can always pull from the unstable branch on GitHub,” Pierce says. “I think that with the release cadence, what we’re saying is that we’re committed to bringing more stable features to the general public, and doing that more often, so that all these cool things that are sometimes buried in the unstable branch get into the stable branch faster.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities-and-threats/after-eight-years-metasploit-gets-its-first-major-update/d/d-id/1333731?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Colour us shocked: Google in €50m GDPR fine appeal bombshell

Google is to appeal the €50m data protection fine handed down to it by the French data protection agency earlier this week.

The search giant claimed it had “worked hard” to create a transparent and straightforward GDPR consent process for its ads personalisation settings, and was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond”.

For these reasons, Google said it had chosen to appeal. This will be heard by the Conseil d’Etat, which may decide to refer some of the questions to the Court of Justice to the European Union.

The French data protection agency, CNIL, said that Google had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation.

It said that consent cannot be valid because it isn’t unambiguous or specific – the choice for personalisation is a pre-ticked box, and users must give full agreement to the Terms of Service and data processing in the Privacy Policy, rather than to unbundled purposes.

This is not dissimilar to a number of other organisations’ consents, and since the ruling there have been widespread questions over the impact it will have on other industries, such as publishers.

Meanwhile, chief commercial officer of the Financial Times Jon Slade told Digiday that other publishers would be “crazy not to look at this strong enforcement of GDPR and double-check themselves”.

Google is also facing another GDPR probe, as the Swedish data protection agency this week announced an investigation into its slurping of location and web histories. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/24/google_to_appeal_50m_gdpr_fine/

SD-WAN admin? Your number came up in Cisco’s latest bug list

Cisco’s irregular patch cycle has come round again and this time the focus is on the company’s SD-WAN product.

As well as high-rated bugs in Webex, small business routers and various security products, Switchzilla has disclosed one critical bug in its SD-WAN, and another four vulnerabilities rated high.

That critical rating was assigned to CVE-2019-1651, a bug in the SD-WAN’s virtual container, vContainer, the VM which hosts the SD-WAN controllers. If an attacker sends a malicious file to the vContainer, it can cause a buffer overflow, leading to a denial-of-service (DoS) condition that lets the attacker execute arbitrary code as root.

The high-rated bugs in SD-WAN are:

  • CVE-2019-1647, an insecure default configuration that exposes vSmart containers to authenticated, adjacent users;
  • CVE-2019-1648, a user group configuration error that can be exploited to give an authenticated user elevated privileges;
  • CVE-2019-1650, a slip in the command line interface’s (CLI’s) save command. An authenticated remote attacker can write arbitrary files to the target, escalating their privilege to root; and
  • CVE-2019-1646, also offering privilege escalation via the CLI, but this time only exploitable by an authenticated local attacker.

Webex has two high-rated vulnerabilities: “unsafe search paths used by the application URI” in Windows expose Webex Teams (formerly Spark) to arbitrary remote code execution if a target clicks on a malicious link (CVE-2019-1636); and the Webex Network Recording Player improperly validates recording files (formats ARF and WRF), which also exposes users to remote code execution via phishing (here, with multiple CVEs).

Switchzilla’s RV320 and RV325 small business routers have a privilege escalation vulnerability in CVE-2019-1652: an attacker with the devices’ admin credentials can send malicious HTTP POST commands to the admin interface, and get access as root.

The same boxen also suffer improper access controls for sensitive URLs in CVE-2019-1653. An attacker can connect via HTTP or HTTPS and access URLs that provide router config or diagnostic files.

Cisco this week disclosed two high-rated bugs in security products. Its Identity Services Engine (ISE) has a privilege escalation bug exploitable by an authenticated remote attacker, who can access admin interface pages allowing them to create new Admin accounts, in CVE-2018-15459.

The Firepower Threat Defence’s packet inspection can be bypassed, in CVE-2019-1669. Cisco said “specific traffic patterns” could be sent to the device, causing either a “fail open” (it stops inspecting traffic), or a “fail closed” (DoS).

The final vulnerability rated high is in Cisco’s IoT Field Director, a network management system for Internet of Things “field area networks”. In CVE-2019-1644, a target can be hosed by high rates of UDP packets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/24/cisco_sd_wan_bugs/

Why Cybersecurity Must Be a Top Priority for Small & Midsize Businesses

The big corporations may grab the headlines, but America’s SMBs have the most to lose in the aftermath of a data breach.

From Equifax to Under Armour to the recent news from Marriott, it seems that every week brings a new headline regarding a major data or security breach. The Marriott hack is just the latest in a long line of high-profile cyberattacks, with the hotel giant revealing that a massive breach exposed the personal data of more than 500 million customers.

But though the big corporations seize the cyberattack headlines, America’s small and midsize businesses may have even more to lose when it comes to the ramifications of a breach. From the immediate damage (both financially and in terms of hours of lost productivity) to the lasting harm to a company’s reputation and brand credibility, the stakes for cybersecurity have never been higher for smaller businesses. According to the US National Cyber Security Alliance, an estimated 60% of small companies will go out of business within just six months of a cyberattack, illustrating the real-world consequences of inadequate cybersecurity measures.

As technology advances, so will the prevalence and scope of cyberattacks. Every day, the Internet of Things (IoT) is making our world more interconnected, with an estimated 20 billion IoT devices expected to be deployed by 2020. With this increased connectivity and greater reliance on mobile technologies come additional points of vulnerability — and the potential for greater damage from cyberattacks launched by criminals, nation-states, and other bad-faith actors.

The Risk for Small and Midsize Companies
This is the new reality of the digital world, and public and private entities — from government agencies and multinational corporations to small and midsize businesses — must be prepared to place a higher priority on implementing cybersecurity measures.

In the case of small and midsize businesses, statistics show that they are not only just as vulnerable to a breach, but the consequences of such an event can be downright catastrophic. According to data gathered by the Ponemon Institute, the percentage of small businesses that have experienced a cyberattack climbed from 55% in 2016 to 61% in 2017. In Verizon’s 2018 Data Breach Investigations Report, 58% of malware attack victims were categorized as small businesses.

The most alarming statistics, however, relate to the potential monetary and long-term impact of a breach. The Ponemon study notes that in 2017, the average cost of cyberattacks on small and medium-size businesses was more than $2.2 million, with malware-related costs averaging more than $1 million in damages or theft of IT assets and more than $1.2 million as a result of the disruption to business operations. Those are staggering numbers — and they help explain why an estimated 60% of small companies go out of business within six months of a cyberattack.

How to Protect Yourself 
Given the high stakes that come with a potential breach, small and midsize businesses can take steps to protect their most vital and confidential information. To start, organizations must have a cybersecurity plan in place that will protect their assets and maintain the profitability of the business. Here are three recommendations for building out broader cybersecurity protocols:

  • Have a cybersecurity audit performed by an outside source. Even if you are confident that your IT department has the organization covered, there are major benefits to having another set of eyes that are divorced from the daily processes of your business to evaluate potential vulnerabilities within the organization. While security and technological performance are both tied to IT, having an experienced cybersecurity professional devoted to just the security aspect may reveal unforeseen vulnerabilities.
  • Create an organizationwide policy that fits the unique needs of your business. There is no one-size-fits-all approach when building out preventative cybersecurity measures and recovery protocols. This means each organization must sit down and identify what companywide information is invaluable to the business, where it is located, how potential hackers could gain access to this information, and what measures could be put in place to prevent or mitigate the damage of a cyberattack.  
  • Implement awareness programs that emphasize the importance of proper “cyber hygiene.” Maintaining the digital security of an entire organization extends far beyond technology and firewalls. Human error often plays a significant role in a breach. Every employee, from the C-suite down, is responsible for exercising good judgment and following companywide cyber protocols. As such, implementing employee training programs is a critical way of informing and reminding employees of potential threats.

Bottom line: Investing in cybersecurity will protect the clients and IP revenue, and create business resilience, thus securing the future of your business.

Tom Ridge, former Secretary of the U.S. Department of Homeland Security; Chairman of Cybersecurity and Technology, alliantgroup
Tom Ridge served as the nation’s first Secretary of Homeland Security, leading an agency of more than 180,000 employees responsible for …

Article source: https://www.darkreading.com/attacks-breaches/why-cybersecurity-must-be-a-top-priority-for-small-and-midsize-businesses--/a/d-id/1333700?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cloud Customers Faced 681M Cyberattacks in 2018

The most common attacks involved software vulnerabilities, stolen credentials, Web applications, and IoT devices.

Cloud customers were hit with 681 million cyberattacks last year, according to analysts at cloud security provider Armor, which recently analyzed cloud attacks detected in 2018.

The most common cloud-focused threats leveraged known software vulnerabilities, involved brute-force and/or stolen credentials, targeted the Internet of Things (IoT), or aimed for Web applications with SQL injection, cross-site scripting, cross-site request forgery attacks, or remote file inclusion. Researchers based the list on volume; these are not the most advanced or lethal cloud attacks.

Yet they continue to work, are easy to access, and are fairly simple to use, they explained in a blog post on their findings. Any cybercriminal can rent an exploit kit containing attack tools for a reasonable amount of cash. For example, they said, the older and established Disdain Exploit Kit was charging rental fees starting at $80 per day, $500 per week, and $1,400 per month. Kits are designed to be accessible to cybercriminals at all levels and are constantly updated with new exploits.

“Organizations that ignore patching leave themselves open to attacks that can take time and resources away from their business and can cause a lot of damage,” said Corey Milligan, senior security researcher with Armor’s Threat Resistance Unit (TRU).

TRU predicts IoT attacks, DDoS campaigns, targeted ransomware, advanced phishing campaigns, and attacks targeting containers and cloud services will be prevalent in 2019.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/cloud-customers-faced-681m-cyberattacks-in-2018/d/d-id/1333721?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Phishing Campaign Packs Triple Threat

Attack threatens victims with three “deadly malware” infestations if they don’t give up critical email account credentials.

A new phishing campaign is packing a triple-threat attack in an effort to convince users to help the criminals in their credential-harvesting efforts.

The new campaign, reported on Jan. 21 by researchers at AppRiver, tells victims that their email accounts are infected with not one but three “deadly viruses” and will be shut down for security reasons if they don’t immediately respond.

Those who do are taken to a hacked WordPress site chock-full of code that asks for credentials and stores them away in the attacker’s vaults if provided.

The true danger? “These generic style of credential gathering attacks are often used in follow-up attacks that are customized and typically financially-themed spearphishing such as Business Email Compromise (BEC) attacks,” according to AppRiver’s David Pickett.

Article source: https://www.darkreading.com/attacks-breaches/new-phishing-campaign-packs-triple-threat/d/d-id/1333726?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Collateral Damage: When Cyberwarfare Targets Civilian Data

You can call it collateral damage. You can call it trickledown cyberwarfare. Either way, foreign hacker armies are targeting civilian enterprises as a means of attacking rival government targets.

We’re in the dawn of the age of global cyberwarfare: Nation-state hackers are knocking out critical infrastructure. They’re disrupting lines of communication. They’re stealing military technology. They’re sowing discord and confusion.

But they’re also attacking nonpolitical “civilian” targets — businesses, schools, hospitals, and the like — to reap the rewards of low-hanging political fruit. These attacks comprise what some call “trickledown cyberwarfare,” and these civilian data stores are the new battleground.

For example, about three years ago, the US Department of Defense issued a warning that foreign nation-state hackers were targeting not only government contractors with advanced persistent threats (APTs), but also academic institutions. The FBI reportedly issued a similar warning on the same day, indicating that Chinese hackers were equally interested in compromising sensitive data held by commercial enterprises in the US – specifically including companies in aerospace, entertainment/media, healthcare, and telecommunications networks.

Both warnings came on the heels of a substantial attack originating in China against the University of Virginia — specifically targeting two employees conducting work related to China. The school was noted for its numerous connections to large government contractors and intelligence agencies in the US, as well as to the DoD in general.

The Attraction of Civilian Data Targets
Unfortunately, this is par for the course for private-sector businesses and NGOs. Sometimes the breach is to get a critical piece of political or military information to be used later. Sometimes it’s to steal intellectual property or research so that the hacking nation can get a competitive boost in the economic and/or military might. Sometimes it’s to cull some personal information about someone with the right security clearance — which may mean orchestrating a super-breach, compromising several million other accounts along the way.

Notably, these breaches aren’t about anything so pedestrian as identity theft or credit card fraud. Instead, the goal is to use the information gleaned as a jumping-off point — to allow escalated access to yet more critical information. This is especially the case with healthcare organizations, where the right juicy health-record tidbit about a well-placed employee (or family member thereof) of a government arm can be used to extort some small amount of extra information or escalated access, turning that employee into an inside-attack threat.

This may sound conspiracy-theory-esque, but enterprises have been seeing these very real threats over the past few years — and will see them in greater numbers through 2019 and beyond. Nation-state hackers aren’t going after the private sector and academia in the absence of anything better to do. They’re doing it because their efforts can pay off big dividends in the long run when it nets them secret and useful economic, military, and national-security information down the road.

Plus, it’s often a heck of a lot easier to hack a company or academic institution than it is to hack a federal agency or military contractor because the former isn’t often paying enough attention. It may know where its data originated or is supposed to be, but it may not be able to identify all of the places where its data has migrated.

And that’s assuming we’re talking about data that a given organization already perceives as important. As we’ve seen with these types of attacks, though, one man’s junk is another man’s treasure.

How to Duck and Cover
Therefore, organizations need to be far more informed about their data — and not just the data they perceive as top priority. To best guard their data stores, organizations have to rely on more than their internal priorities alone because so many other perspectives and variables are at play.

The only thing they can do, then, is to watch their data. All of it.

This task is less daunting when applied as the first, foundational step of an infosec strategy. Once you’ve begun monitoring all data across the board, you can easily apply analytics to the activity logs generated from your data monitoring, building a model of your entire data user population. Now you can more effectively analyze all data user-data interactions — without yet having had to identify (much less prioritize) a single bit of data.

After all, whether they are common criminals or sophisticated cyberwarriors, we know that attackers will always want to break into our databases. So we need to be looking at the databases. Otherwise, we’re asleep at the switch.

Terry Ray has global responsibility for Imperva’s technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for …

Article source: https://www.darkreading.com/attacks-breaches/collateral-damage-when-cyberwarfare-targets-civilian-data/a/d-id/1333707?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

“Proceed with caution”: Microsoft browser says Mail Online is untrustworthy

As legislators and the public have bludgeoned them with complaints about how they’ve let fake news melt democracy, tech big boys such as Microsoft and Facebook have said hey, that ain’t our thing – we’ll get fact-checkers to take this slapping for us.

Bring it on, said one of those fact-checking services. The buck stops right here, said third-party startup NewsGuard… following it having glued an “untrustworthy” badge onto the Daily Mail’s journalism, which includes the Mail on Sunday and Mail Online.

As part of Microsoft’s attempt to stop the spread of malarkey, the company has preinstalled NewsGuard’s messages into its Microsoft Edge browser on Android and iOS. Thus, as of this week, Edge users are seeing messages saying that Mail Online rates a one out of five for credibility: “the same level as the Kremlin-backed RT news service,” as The Guardian reports.

The Daily Mail is a UK tabloid that’s second only to The Sun for daily newspaper readership. It, along with its online outlets, has been rated by NewsGuard as “generally fail[ing] to maintain basic standards of accuracy and accountability.”

According to The Guardian (which, according to PC Mag, NewsGuard has rated as trustworthy), Microsoft Edge users who visit Mail Online will now see a small shield icon in the URL bar at the top of the screen. It asserts that the website…

…generally fails to maintain basic standards of accuracy and accountability… [and] has been forced to pay damages in numerous high-profile cases.

Readers should tread with caution, NewsGuard says, given that…

…the site regularly publishes content that has damaged reputations, caused widespread alarm, or constituted harassment or invasion of privacy.

NewsGuard is also warning that the Daily Mail sites fail to “handle the difference between news and opinion responsibly” and fail to reveal “who’s in charge, including any possible conflicts of interest.”

The NewsGuard app is run by a group of veteran journalists, including co-CEOs Steven Brill – who founded The American Lawyer, Court TV, and the Yale Journalism Initiative – and Gordon Crovitz, who was a publisher of, and a columnist writing for, the Wall Street Journal.

It eschews algorithms, instead relying on a team of trained journalists and editors to review and rate websites based on journalistic criteria such as whether a site regularly publishes false content, reveals conflicts of interest, discloses financing, or publicly corrects reporting errors.

When a site fails to meet any of its nine criteria, NewsGuard emails and calls, to try to give it a chance to comment.

That’s what NewsGuard says it did with the Daily Mail. NewsGuard’s label states “fairly clearly” how many times it tried to contact Mail Online, Brill told the Guardian. However, that conversation was not to be, Brill said:

The analyst that wrote this writeup got someone on the phone who, as soon [as] he heard who she was and where she was calling from, hung up. We would love to hear if they have a complaint or if they change anything.

Don’t blame Microsoft for the rating, he said. This one’s on us, and we’re happy to answer for it:

They can blame us. And we’re happy to be blamed. Unlike the platforms, we’re happy to be accountable.

We want people to game our system. We are totally transparent. We are not an algorithm.

“The buck stops here” is NewsGuard’s business model: it’s licensed to tech companies that want to fight fake news but don’t want to be the ones responsible for separating the wheat from the chaff.

It’s already completed these “human-generated verdicts” on the top 2,000 news outlets in the US, Brill said, and is staffing up to do the same with the top 150 news sites in the UK. The plan is to publish those results in April.

A Mail Online spokesperson told the Guardian that they’re now talking to NewsGuard to rectify this “egregiously erroneous classification”:

We have only very recently become aware of the NewsGuard startup and are in discussions with them to have this egregiously erroneous classification resolved as soon as possible.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BAqjy0sLcUg/