STE WILLIAMS

Tupperware famously locks in food’s freshness, but hackers could not be locked out of the company’s e-commerce site. The primary Tupperware site, along with several localized versions, were compromised by digital credit card skimmer disguised inside an image file.

Researchers at Malwarebytes Labs discovered the malicious code when they noticed an anomaly in an iframe container. While the researchers say they don’t know what the infection vector was, the malicious campaign is ongoing and, at press time, still active.

The researchers note several details in the malicious code that indicate attackers less polished in their craft than other well-known criminal gangs are involved.

“This does indeed sound like the work of a new cybergang that has not scaled operations yet,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told Dark Reading. “The domain name they chose to register was not customized to blend into their target victim’s normal website operations, and based on DNS resolution telemetry, it does not seem to have reached any meaningful scale. Nonetheless, this may be the blueprint of future similar attacks on other websites.”

Read more here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/tupperware-hit-by-card-skimmer-attack/d/d-id/1337409?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Workplaces continue to expand beyond the walls of the traditional office building and out into unsecured environments, increasingly relying on mobile devices. But as mobile usage increases, so do the security risks. According to the “Verizon 2020 Mobile Security Indes Report,” 67% of organizations say they are less confident in their security than their other IT assets, and 33% admit to having suffered a compromise involving a mobile device.

Even as enterprises begin to allow more and more access to sensitive information via mobile devices, there remain three mobile security problems that most security teams have yet to fix.

1. Allowing malware to be a distraction, when the real threat is mobile phishing: When it comes to modern cybersecurity threats, the conversation has largely been dominated by malware. The deluge of headlines warning of increased attacks across industries with catastrophic consequences serve as a distraction when it comes to mobile security. Wandera’s “Mobile Threat Landscape 2020” report found that just 13% of all organizations have experienced a malware incident on a mobile device, compared with the 57% of organizations that have experienced a mobile phishing incident.

   And phishing threats continue to evolve, with 81% of attacks now taking place outside of email. Instead, attackers are targeting victims via messaging apps or social media, where they have a better chance of luring users into fake profiles, promotions, and notifications. These tactics make it easier for bad actors to extract personal data and account credentials discreetly, leaving the user oblivious to the breach. Don’t be fooled by the constant malware headlines — organizations must remain vigilant when it comes to mobile phishing, as the threat posed by malware pales in comparison.

2. Misunderstanding application security: Even as the availability of apps for enterprises has increased, the emphasis on mobile app security has not kept pace. While mobile has the potential to make organizations more efficient, it presents a whole new set of challenges by expanding the footprint that IT needs to manage and secure, and the risks go far beyond simple malware.

   Currently, there are three areas that mobile businesses are struggling to tackle. First, persistent data leaks, such as the ones British Airways experienced in 2019 due to unencrypted check-in links across mobile platforms. Second, policies that allow apps with excessive permissions, which often lead to users unknowingly expose personal data. As we’ve learned on numerous occasions with WhatsApp, what’s secure today might be vulnerable tomorrow, and apps with excessive permissions require continuous monitoring. Finally, organizations need to set clear policies for governing and monitoring apps, specifically those that are used without direct approval from the IT department. For example, physicians who store sensitive patient data on personal tablets run the risk of exposing that information when they are introduced to untrusted software.

   One solution to this issue would be for organizations to consider vetting applications over time, rather than just one initial screening process at the onset. Continuous vetting is a proven method to address all three challenges and ensure your organization stays ahead of vulnerabilities and avoids catastrophe.

3. Trusting your mobile operating systems: The past year has taught us that even the most current operating systems aren’t necessarily the most secure. There is a common misconception that iPhones and Android devices are secure without requiring security software; and yet, both Apple and Google have demonstrated time and again that they are not immune to vulnerabilities. Earlier this year, Apple accidentally reopened a security flaw that introduced jailbreak risks, just weeks after discovering that hackers could remotely retrieve files from an iOS device by exploiting a vulnerability in iMessage.

   Similarly, Android device manufacturers are no strangers to controversy, as researchers discover new Android vulnerabilities on a regular basis, even on brand-new devices. Both of these examples prove again that mobile operating systems simply aren’t bulletproof. It’s time for organizations to implement a layered system of defense in order to mitigate attacks, should they slip through a hole in that organization’s mobile operating system of choice.

Mobile deployments represent a new set of security challenges for which organizations haven’t yet accounted. Few have policies in place to ensure that effective adoption of mobile devices doesn’t compromise the security of the corporate data used on these devices. Moving forward, organizations must establish formal documentation guiding employees on how to securely work remotely. Additionally, they should incorporate mobility into the security operations workflow so company data is protected no matter where workers are physically located. The NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise is a step in the right direction, but we still have a long way to go, and now is the time to get started.

Related Content:

• 7 Tips to Improve Your Employees’ Mobile Security
• Working from Home? These Tips Can Help You Adapt
• The Perfect Travel Security Policy for a Globe-Trotting Laptop
• Assessing Cybersecurity Risk in Today’s Enterprise

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Security Lessons We’ve Learned (So Far) from COVID-19.“

Michael J. Covington, Ph.D., is a seasoned technologist and the Vice President of Product Strategy for Wandera, a leading provider of mobile security. Michael is a hands-on innovator with broad experience across the entire product life cycle, from planning and RD to … View Full Bio

Article source: https://www.darkreading.com/mobile/3-mobile-security-problems-that-most-security-teams-havent-fixed-yet/a/d-id/1337339?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A vast majority (68.8%) of SAP users believe their business placed inadequate focus on IT security during SAP implementations, researchers report in a new study on SAP security. More than half (53.4%) said it was “very common” to find SAP security flaws in the audit process. 

Turnkey Consulting researchers polled more than 100 SAP customers, all of whom were at the managerial level or above, across the UK, Europe, Asia, and the US. Their goal was to learn the cost and effects of SAP security remediation; to do this, they asked about participants’ current security position, perceived costs to fix it, and plans for security in future SAP implementations.

Respondents expect SAP audit findings for at least 80% of companies, indicating a broad belief that auditors will focus on SAP as a business-critical system. But they are not confident in their SAP environments: one-fifth of SAP customers don’t have the skills and tools to effectively protect their SAP applications and environments; 64.5% said they have “some” skills and tools.

Taking a closer look at specific areas of concern, 93.2% believe it’s likely an SAP audit would reveal access management problems. Most (86.4%) think it’s “common” or “very common” to have audit findings related to privileged or emergency access. This may indicate a broad lack of effective controls for privileged access management, or low confidence in current controls.

Overall, it seems these concerns are driving a stronger focus on security. Nearly 75% of respondents anticipate IT security will be a higher priority in future SAP deployments; 89.6% say security specialists should be recruited to support SAP S/4 HANA transformation initiatives.

Read the full report here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/risk/security-not-a-priority-for-sap-projects-users-report/d/d-id/1337419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Image Source: Adobe Stock: Wladimir1804

For small and midsize businesses, cyberattacks can hurt in a big way – and if they lead to data breaches, the pain can be devastating.

A landmark survey of more than 1,000 SMBs last fall by the National Cyber Security Alliance found that while 88% believe they are “somewhat likely” a target for cybercriminals, nearly 30% already experienced a data breach in the past year. And of the group that was breached, 37% suffered a financial loss, 25% filed for bankruptcy, and 10% went out of business.

SMBs today have a wide range of security outsourcing options to choose from to tighten up their security defenses. While it remains unclear just how much the rapidly changing economic impact of the COVID-19 pandemic will affect small (less than 100 employees) and midsize (100 to 999 employees) business in the long term, cybercriminals aren’t slowing down their activity, either.

Here is a look at some providers of security services for SMBs. This list draws from reports and research on managed security service providers (MSSPs) published in the past year by analysts including Gartner, Forrester, and IDC. Through extensive interviews with the vendors, only the companies that actually have programs for SMBs made the list.

This is not a comprehensive list of all security services out there for SMBs, so feel free to add others in our Comments section below.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/cloud/10-security-services-options-for-smbs--------------/d/d-id/1337354?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why invest in top-shelf malware just to have it be turned away by antivirus tools again and again? Why launch a cyberattack like that when your target is already full of perfectly good attack tools, just waiting for you?

More and more threat actors are coming to that conclusion. As cyber defenses improve, adversaries are shifting to stealthy “living-off-the-land” (LotL) attacks that defy many automated security measures. 

Here are some ways to begin countering the threat.    

What Is LotL?
The term “living off the land” refers to fileless, malware-less attacks that turn a system’s own native tools against them. Bad actors use perfectly legitimate programs and processes to perform malicious activities, thereby blending into a network and hiding among the legitimate processes to pull off a stealthy exploit.

“Traditionally, attackers have exploited a target environment and then pushed their own tools onto target machines, including backdoors, rootkits, harvesting tools, and more,” says Ed Skoudis, a security veteran and instructor with the SANS Institute. “With living-off-the-land techniques, the attacker uses the compromised machine itself, and components of its operating system, to attack that system further and to spread to other machines in the environment. So the compromised machine’s operating system becomes, in essence, the attacker’s toolkit. The attacker uses its resources and place on the network to undermine the entire targeting environment.”

In other words, criminals have realized that the most subtle and effective way to wield control over a system is to use the exact same operating system components and methods used by system administrators, Skoudis says.  

Some of the tools commonly exploited for LotL attacks include PowerShell scripts, VB scripts, WMI, Mimikatz, and PsExec. These are administrative and troubleshooting tools that are already in the environment and won’t set off alarm bells when an attacker uses them.

A well-known example of an attack that utilized LotL techniques was the 2017 to 2018 outbreak of the Petya/NotPetya ransomware, which used a software supply chain attack as the initial vector to compromise an update process in a software accounting program.

Good Defenses Make LotL Attacks Likelier
LotL attacks aren’t new. Chester Wisniewski, principal research scientist at Sophos, says they’re the result of even better defenses in security. In other words, security teams are a victim of their own success.

“These tactics have been around for decades but in recent years have become mainstream,” Wisniewski says.

In fact, in 2019 most attacks in CrowdStrike’s research and incident reporting were “malware-free” for the first time. 

“Security defenses and patching have improved dramatically in the last five years,” Wisniewski says, “making it harder to run malicious code on any given system. System tools are often whitelisted and can be the only process allowed to run on a secured system, making them obvious targets for an attacker. These changes in tactics are driving security tools to focus more on behaviors and less on specific file samples.”

Adds Skoudis: “With application whitelisting, attackers often find that their own tools simply won’t run on the target operating system. But the operating system components themselves will still run, so attackers use those. It’s quite pernicious — the operating system is a treasure trove of programs and scripts the attacker can abuse.”

Every type of environment is susceptible to this kind of attack, the researchers say. But attackers are more likely to use LotL techniques in environments that are particularly locked down or well-monitored.

“If the environment is weak or badly instrumented, attackers do not have to resort to live-off-the-land attacks. But in especially secure networks, attackers have this option for being even [stealthier and more] effective,” Skoudis says.

Once they have managed to find ways to co-opt admin tools for their own purposes, Wisniewski says attacks can range widely: ransomware operators using software deployment tools to deliver the ransomware code, for example, or nation-state actors using Mac and Linux PCs as a place to hide while they handcraft attack tools using built-in scripting languages like Perl, Python, or even C++. 

“We also see malware abusing the Windows operating system’s built-in features like a hostile, mutant MacGyver variant, dominating the machine using only its wits and the tools it can fashion out of local materials,” he says.

Defending Against LotL Attacks
Because LotL attacks take advantage of commonly used tools, obviously that makes them very difficult to detect. But Skoudis recommends “purple teaming” — having red teamers apply LotL tactics in an exercise to ensure that blue teamers and SOC personnel can detect and thwart these techniques. He also suggests whitelisting practices with this in mind.

“Application whitelisting does go a long way in blocking attackers, provided that it is tuned to prevent execution of various unusual programs in the operating system that are often abused in these attacks,” he says.

Skoudis directs security teams to the LotL project page on GitHub for a list of binaries, scripts, and libraries that are often abused in LotL attacks — like bash, cmdkey, shell32, rundll32, and over 100 others.  

Most rank-and-file users have no need to run many of those programs, and organizations can configure their application whitelisting tools to prevent execution of the most suspicious of them, he says.

Wisniewski recommends a blend of behavioral-based detection and monitoring strategies to try and stay on top of LotL-based attacks.

“Since living-off-the-land attacks take advantage of existing system tools that are often whitelisted or overlooked by security tools that rely on static detection techniques, implementing tools that take behavior into consideration is essential,” he says.

Also important, Wisniewski says, “is raising alerts for humans to investigate when these tools are used outside of planned maintenance windows. By employing proactive security with 24/7 monitoring by both automated software and threat hunting experts, organizations can more quickly and effectively identify, investigate, and mitigate anomalous behavior. Combining the best tools with the brightest minds to neutralize active threats with speed and precision, while limiting recurrence, is the best approach for defending against these attacks.”

Related Content:

• Most Cyberattacks in 2019 Were Waged Without Malware 
• Three Ways Your BEC Defense is Failing, and How to Do Better
• 6 Active Directory Security Tips for Your Poor, Neglected AD
• How Data Breaches Affect the Enterprise

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/how-to-evict-attackers-living-off-your-land/b/d-id/1337420?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple