STE WILLIAMS

Slack fixes account-stealing bug

Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions. The flaw could have allowed attackers to pilfer users’ cookies, giving them full account access. They could also have automated those attacks at scale, said the researcher who discovered it, Evan Custodio.

The bug uses a sneaky trick called HTTP smuggling, which takes advantage of how back-end servers process requests using this protocol. Browsers use HTTP to ask web servers for pages and other resources. Those requests generally go through multiple servers. A front-end proxy server might send a request to one of several back-end servers, for example. The front-end server often serves as a clearinghouse for requests from different browsers, meaning that different people’s sessions with web applications mingle in the same traffic stream.

The problem lies in the way an HTTP request declares its own length. Its headers have to tell the server where the request ends, and they can do this in one of two ways.

The first uses a Content-Length header that tells the server how many bytes long the request is. The second uses a Transfer-Encoding: chunked header. This tells the server that the content comes in chunks, which end with a zero-sized chunk.

An HTTP request is only supposed to use one of these headers, but HTTP smuggling attacks use both of them to confuse the front-end and back-end servers. The idea is to make each server process the request differently.

Custodio discovered that Slack was susceptible to a variant of the HTTP smuggling attack called CLTE, in which the front-end server uses the Content-Length header while the back-end server uses the Transfer-Encoding one. Each header specifies a different amount of content to process, causing the front-end server to process more content than the back-end one.

The part of the content that the back-end server ignores is the malicious content. It still sees this content, but the attack causes it to interpret that text as the start of the next HTTP request, enabling the attacker to replace the next request’s legitimate header with their malicious one. Because the front-end server blends requests from different people in the same stream, this lets them affect someone else’s communications with the back-end server.
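A front-end check that removes the ambiguity described above, written here as an added example (not Slack’s code and not the researcher’s): it refuses any request that carries both Content-Length and Transfer-Encoding, and treats bytes left over after a chunked body as a framing error instead of the start of a new request. The sample requests and the `example.test` host are constructed.

```python
"""HTTP/1.1 request-framing gate for a front-end proxy (added example; not
Slack's or the researcher's code).  It is the defensive counterpart of the
CL.TE problem above: a request carrying both Content-Length and
Transfer-Encoding has two possible lengths, so it is rejected outright
(RFC 7230 section 3.3.3), and bytes left after the terminating chunk are an
error rather than the start of the next request.  Samples are constructed."""
import re

CRLF = b"\r\n"


class FramingError(ValueError):
    """The request's length cannot be determined unambiguously."""


def split_head(raw: bytes):
    """Split raw request bytes into (request_line, [(name, value)], body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise FramingError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))  # names are case-insensitive
    return lines[0], headers, body


def framing_mode(headers) -> str:
    """Return 'content-length', 'chunked' or 'none', or raise FramingError."""
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        # The CL.TE / TE.CL ambiguity: two servers may pick different headers.
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings[-1] != b"chunked":
            raise FramingError("Transfer-Encoding without final 'chunked'")
        return "chunked"
    if cl:
        if len(set(cl)) > 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
            raise FramingError("invalid or conflicting Content-Length")
        return "content-length"
    return "none"


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body; bytes after the terminating chunk are an error."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("non-hex chunk size")
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            # Terminating chunk, then an empty trailer section, then nothing at all.
            if body[pos:pos + 2] != CRLF:
                raise FramingError("trailers are not accepted by this gate")
            if pos + 2 != len(body):
                raise FramingError("%d bytes follow the final chunk" % (len(body) - pos - 2))
            return bytes(out)
        if body[pos + size:pos + size + 2] != CRLF:
            raise FramingError("chunk data does not match declared size")
        out += body[pos:pos + size]
        pos += size + 2


def gate(raw: bytes) -> str:
    """Classify one raw request: 'accept <n>-byte body' or 'reject: <reason>'."""
    try:
        _, headers, body = split_head(raw)
        mode = framing_mode(headers)
        if mode == "chunked":
            payload = decode_chunked(body)
        elif mode == "content-length":
            n = int(dict(headers)[b"content-length"])
            if len(body) != n:
                raise FramingError("body is %d bytes, Content-Length says %d" % (len(body), n))
            payload = body
        else:
            if body:
                raise FramingError("body present without a length header")
            payload = b""
    except FramingError as exc:
        return "reject: %s" % exc
    return "accept %d-byte body" % len(payload)


# Constructed samples: a clean chunked POST, and one carrying both length headers.
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nX")
```

The AMBIGUOUS sample is internally consistent under Content-Length framing (a 6-byte body) but ends after the zero chunk under chunked framing, which is exactly the disagreement the article describes; the gate refuses it before either interpretation can be applied.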

The researcher worked out a way to steal a user’s session data using this technique. He used the CLTE flaw to attach a malicious HTTP GET request that caused a 301 redirect error. Slack used the malicious URL as the redirect location.

Because this GET request replaces the header of a victim’s own HTTP request, it redirects that victim’s traffic to the malicious URL, Custodio explained, giving an attacker access to their session cookies (effectively owning their account). He added:

[…] it is my opinion that this is a severe critical vulnerability that could lead to a massive data breach of a majority of customer data. With this attack it would be trivial for a bad actor to create bots that consistantly [sic] issue this attack, jump onto the victim session and steal all possible data within reach.

Custodio posted the discovery via Slack’s HackerOne bug bounty program in November, and Slack fixed it in 24 hours. He won a $6,500 bounty and got the go-ahead to make it public on 11 March.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/i-F9hS91EoQ/

Nigerian spammer made 3X average national salary firehosing macro-laden Word docs at world+dog

A most entertaining piece of threat research from Check Point gives a unique insight into the “working” life of a Nigerian email spammer who made thousands of dollars from stolen credit cards alone in recent years.

The scammer in question, whose true identity was known to Check Point, was by day “a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues,” as the infosec biz put it.

Yet, behind that facade of respectability, “Dton” (a made-up name to, er, spare his blushes) was in fact an email spammer – a spammer working as part of a Nigerian cybercrime syndicate that generates its ill-gotten gains through buying and using stolen credit card details.

Check Point chronicled Dton’s alternate lifestyle in great detail, setting out how his boss monitored him with a remote-access trojan (RAT) to ensure Dton generated a suitable return on investment for the syndicate. The scammer made $100,000 over seven years, which compares very favourably with Nigeria’s average annual salary of between $5,000 and $6,000.

Dton worked hard at both of his lives. His cybercriminal boss was a bit of a hard case (aren’t they all?) and controlled his output through a shared Gmail inbox. Dton’s criminal job was a bit of a drudge, really: the syndicate gave him around $1,000 a year which he had to spend buying stolen card data from Ferrum, a cybercrime marketplace.

Having bought the card data, Dton then patiently tried them out at online retailers, one by one, until he was able to make a false transaction. This criminal operation netted him and his handlers, by Check Point’s estimation, around $100,000 in total – and possibly more – between 2013 and 2020.

Unsatisfied by his criminal works, and perhaps irritated by his boss’ Panopticon-style surveillance of him (which didn’t stop his “manager” questioning why or how Dton had logged into his Yandex email account), Dton decided to go freelance. According to Check Point, he invested in tools including the AspireLogger key logger, and RATs such as Nanocore and Azorult. Having done so, he would pack his malware into a Word document macro before firing it out to a list of spam targets using Turbomailer.

Despite his growing interest in online fraud techniques, Dton appeared to be unaware that the RAT on his own machine was exfiltrating his very own personal data and mixing it in with the lists of stolen information he himself was creating. Nonetheless, the “entrepreneur” struck out on his own, engaging a custom RAT coder to write him a unique piece of malware – and, just for good business sense, managed to infect the coder’s device with the RAT while the two were discussing their terms and conditions.

“Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer’s machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence,” commented Check Point.

The tale came to an end when Dton, irritated by paying $800 a pop to have someone else pack his malware binaries for him, tried to blag a 90 per cent discount on a subscription to the datap packer service, which charged $300 for a lifetime subscription. Naturally, datap’s operator, one “n0$f3ratu$” told him to go forth and multiply – so an aggrieved Dton filled out Interpol’s online “contact us” webform with all the incriminating information he had on n0$f3ratu$ before screenshotting it and trying to use it as blackmail material to get his discount.

n0$f3ratu$ was unhappy with this:

Kiss my ass OR suck my cock! Your choice! When you fill that form please tell them how you tried [to] get money from me. 300$ Dude you are lucky we will never meet face to face.

“And thus Dton reached the crowning achievement of his career – majorly angering the technical people on whose work his entire livelihood depended. Way to go, Dton,” commented a bone-dry Check Point.

As an entertaining tale, it’s a good one. But this also gives a much deeper insight into the lifestyle and motivation of an email spammer. To him it’s all about the money and return on investment. While Check Point didn’t supply any guesstimates about how much of the stolen card cash stayed with Dton rather than being passed back up the cybercrime syndicate’s chain, his primary motivation was undoubtedly financial.

With that in mind, ordinary folk can take simple precautions: guard your online banking credentials like gold bars, don’t open unsolicited email attachments and above all, don’t enable macros on documents you aren’t expecting to receive. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/17/nigerian_spammer_deep_dive/

Hellman & Friedman Acquires Checkmarx for $1.15B

The private equity firm will buy Checkmarx from Insight Partners, which will continue to own a minority interest.

Private equity firm Hellman & Friedman will acquire application security company Checkmarx from Insight Partners at a $1.15 billion valuation, the companies reported today. Insight Partners, which acquired Checkmarx in 2015 for $84 million, will continue to own a minority interest.

Tel Aviv-based Checkmarx was founded in 2006 by CTO Maty Siman, who continues to lead the organization with CEO Emmanuel Benzaquen. Its technology provides static and interactive application security testing, software composition analysis, and application security training and skills development so businesses can better detect vulnerabilities in their software. Checkmarx has more than 700 employees and reports more than 1,400 customers in 70 countries.

Today’s acquisition, which aims to further drive the company’s growth, arrives at a time when businesses are placing stronger focus on secure software development. “As cybersecurity threats continue to intensify, we strongly believe that embedding security early in the software development lifecycle is critical,” said H&F partner Tarim Wasim in a statement on the news.


Article source: https://www.darkreading.com/application-security/hellman-and-friedman-acquires-checkmarx-for-$115b/d/d-id/1337322?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Many Ransomware Attacks Can be Stopped Before They Begin

The tendency by many attackers to wait for the right time to strike gives defenders an opening, FireEye says.

Many threat actors tend to lurk around compromised networks for days before deploying ransomware, giving victim organizations a chance to prevent the attacks if they can spot the initial activity quickly enough.

Researchers from FireEye Mandiant recently reviewed more than two years’ worth of ransomware attack data to see what trends they could spot. The researchers wanted to identify common characteristics around initial intrusion vectors, average attacker dwell time on a compromised network, and the time of day when attackers typically tended to deploy ransomware.

Their study showed that in a majority of incidents, attackers waited at least three days after breaking into a network to identify key systems to target with their ransomware. Such post-compromise ransomware deployment is growing in popularity because it is often more damaging for victims and more profitable for attackers than other models, says Kelli Vanderlee, manager, intelligence analysis at FireEye.

By spending time in a victim environment, malicious actors are often able to identify important assets, like backups and network segments storing valuable data and key systems that can be used to disseminate their ransomware widely. “This more effective targeting and deployment gives the threat actors more leverage against a victim, allowing them to demand higher ransoms and net higher profits,” Vanderlee says. Post-compromise reconnaissance also provides attackers with additional opportunities for follow-on activity, like data theft for sale or extortion.

At the same time, though, the dwell time between initial compromise and ransomware deployment gives organizations a chance to neutralize the attack before it even has a chance to unfold, Vanderlee says. “In most cases ransomware is not executed until days after the initial intrusion, which means it is possible for defenders to prevent ransomware encryption before it starts if they can catch the first signs of activity quickly enough,” she says.

According to Vanderlee, the Ryuk ransomware family is most frequently deployed post-compromise. Other families deployed in a similar manner include Clop, Bitpaymer, Doppelpaymer, Lockergoga, Maze, and Sodinokibi.

Tactical Deployment Strategy
FireEye’s research also showed that in more than three-quarters (76%) of the incidents, attackers deployed the ransomware on a victim network outside normal office hours. Twenty-seven percent of the attacks the security vendor studied happened on weekends. About half (49%) occurred before 8 a.m. or after 6 p.m. on weekdays. Less than a quarter (24%) took place during office hours.

Attackers appear to be favoring off-hours on the assumption that response and remediation would be slower. “When ransomware is executed during business hours, it is more likely that network defenders will be able to respond quickly, potentially stopping the spread of ransomware in a network or preventing additional executions,” Vanderlee says. 

The trend highlights the need for emergency planning, Vanderlee says. Organizations need to have security technology and staff in place 24/7 in order to catch the first signs of malicious activity. They also need to have clear and redundant escalation plans so that when an incident happens, the correct stakeholders are notified as quickly as possible.

Drive-by-downloads, weak and unprotected Remote Desktop Protocol (RDP) services, and phishing with a malicious link or attachment were the most common initial infection vectors in the ransomware attacks in FireEye’s study. RDP attacks, where threat actors log in remotely to a system on a target environment via the RDP protocol, were especially common in 2017, but they appear to have declined somewhat in popularity since then.

Over the same period, phishing, in particular, and drive-by-downloads have gained in popularity as a way for attackers to try and get an initial foothold on a target network, FireEye said.

Last year ransomware attacks cost businesses and other organizations a staggering $11.5 billion in losses. Among the most targeted were state and local government entities, critical infrastructure organizations, and entities in the healthcare sector.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/many-ransomware-attacks-can-be-stopped-before-they-begin/d/d-id/1337329?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Needed: A Cybersecurity Good Samaritan Law

Legislation should protect the good hackers who are helping to keep us safe, not just go after the bad.

The arrest and exoneration of two Coalfire employees caught breaking into an Iowa county courthouse in September 2019 highlight the challenges our legal system faces in addressing the fast pace of cybersecurity in an increasingly connected world. The circumstances show the dire need for collaboration among different teams to raise overall levels of security across both cyber and physical systems.

Coalfire hired these individuals as hackers to test physical security systems. They found the front door of the courthouse in Dallas County, Iowa, unlocked and set off the alarm deliberately to notify law enforcement. They were arrested, charged as criminals, jailed, and now have permanent arrest records — simply for doing their jobs.

The Iowa episode should be a warning sign to the entire security industry and a wake-up call to legislators that better protections are required for the cybersecurity community and the work they do defending our institutions against cybercrime. Today, cybersecurity testers have very little legal protection, and a Cybersecurity Good Samaritan law would protect those who perform critical investigative work to test our cyber defenses around the clock. This law should seek to provide criminal and personal liability protection for conducting cybersecurity engagements when they are:

  1. Working as an employee of a cybersecurity firm or division
  2. Under contract with the entity for which they are performing the work
  3. In possession of documentation on the scope and approach of the engagement
  4. Performing reasonable tasks related to the engagement

(Note: This would still allow clients to go after the firms they hire but would protect the individuals from being personally liable.)

“Hacker” brings to mind cybersecurity sleuths who crack codes, steal passwords, compromise devices, install ransomware, and illegally transfer funds. As the US becomes more sophisticated in protecting the digital world, physical systems are becoming a target — one with an attack surface that’s relatively easy to penetrate. Gaining physical access is one of the easiest ways to hack into a network. This could include accessing paper records, installing equipment or software on the network, or simply putting in covert backdoor systems.

The concept of combining physical attacks and cyberattacks to test a system is nothing new. The term “red teaming” is used in the industry to describe a method of system testing based on thinking and acting like a bad guy. Red teams help businesses to see how break-ins and business disruptions occur, to test strength and durability of their defenses, to identify where vulnerabilities exist, and to expose weaknesses that could be considered negligent and contributing to a breach. 

The risks of conducting red teaming increase as more bad guys hide themselves in cyberspace. Law enforcement and the legal system have the power to interpret the legality of our work. In the Iowa case, the issue had nothing to do with system defenses or specific laws, but rather it came down to the authority of the state versus the authority of the local county to dictate and enforce. Consequently, the two pen testers took the heat. This nonaccountability is archaic and not keeping pace with the realities of the cyberworld where threats are escalating and system testing — be it ballot boxes or courthouse locks — is becoming the new normal for US businesses and institutions.   

The cybersecurity industry needs to do a better job of identifying and publishing best practices. The National Institute of Standards and Technology (NIST) has developed many best practices that are used as the basis for testing today, including the Common Vulnerability Scoring System (CVSS), Common Vulnerability Exposures (CVEs), National Vulnerability Database, the adopted Security and Privacy Controls 800-53, the Cyber Security Framework, and the Penetration Testing Execution Standard (PTES).

But when it comes to service order templates and legal language to use as a best practice for red teaming, there is very little out there. The vast majority of penetration-testing companies are small, with fewer than 100 employees and limited legal or financial resources. Contract language should be publicly available and open to input.  

In addition to industry best practices, better legislation is needed to protect cybersecurity professionals working under contract. The physical addresses or virtual addresses (known as IP addresses) that are given to test the scope of work often lack specifics and turn out to be way off the mark. Penetration testers are typically able to push through and get the job done, but increasingly these testers are taking huge risks when an assignment shifts and local authorities (like those in Iowa) are taken off-guard.

We need legislation to protect the good hackers, not just go after the bad. A Cybersecurity Good Samaritan law would allow the good guys to do their jobs and foster more collaboration between private and public sector cyber defenses. This would help to drive positive change across the entire industry as information security and physical security continue to converge.  


Tom McAndrew is the CEO of Coalfire, a security risk advisory to public and private sector organizations including government agencies and private businesses. He is recognized on the FCW Federal 100 and by ICS2 as one of the top senior security leaders in North America. …

Article source: https://www.darkreading.com/attacks-breaches/needed-a-cybersecurity-good-samaritan-law/a/d-id/1337268?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

InfoSec Pros Uncertain About Relationships With Partner Security Teams

Only half of respondents to a recent Dark Reading study felt confident that their third-party business partners would, at least, tell them if a compromise occurred.


In an interconnected world, incident response is rarely performed in a vacuum. Whether efforts are coordinated with partners, suppliers, customers, or peers, working in concert with other teams can be a huge factor in the success of a particular incident response. In a recent Dark Reading research report we asked cybersecurity professionals how well their IR teams communicated with their partner teams. The results don’t indicate catastrophe, but there’s still considerable room for improvement.

Just over half of those responding to the survey, 53%, said that they at least communicate with partners if a compromise occurs. Only 10% of professionals said that they have regular communication with partners — the rest leave the communications until there’s a likely (or certain) compromise.

That leaves 47% who have no confidence in the effectiveness of their partner communications, particularly when it comes to partners telling them that a compromise has occurred. Aside from the 7% of professionals who are blissfully unaware of the state of partner communications, 40% say that there is some communication — they just worry that it won’t be enough to help when the cyber wolves come knocking at their partners’ doors.

Download the full research report, The State of Cybersecurity Incident Response, here


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/infosec-pros-uncertain-about-relationships-with-partner-security-teams-/b/d-id/1337328?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Virtual machines, real problems: VMware fixes bug trio including guest-to-host hole in Workstation, Fusion

VMware has released security patches for a trio of bugs in its desktop-class virtualization products.

The most serious of the holes, CVE-2020-3947, is a vulnerability in VMware Workstation and Fusion that can be exploited by a miscreant or malware in a guest VM to gain code execution on the host box via the vmnetdhcp component.

As you might imagine, this is particularly bad if you are relying on virtualization to isolate malware samples during research, for instance, or if you are running untrusted guests on an installation of VMware’s desktop software.

“Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine,” VMware said of the bug.

The second fix is for CVE-2020-3948 in VMware Workstation and Fusion with Cortado Thinprint: a privilege-escalation bug that arises in Linux virtual machines on Windows and macOS hosts when Virtual Printing is enabled. Applying the patch (or turning off Virtual Printing) closes the hole.

The third bug, assigned as CVE-2020-5543, is a privilege-escalation flaw present in VMware Horizon Client, VMRC and Workstation. That bug, given a rating of 7.3 (not terrible, but you want to fix it) is due to a misconfigured file in the Windows version of the VM tool.

“The folder containing configuration files for the VMware USB arbitration service was found to be writable by all users,” VMware says of the bug.

In each case, users can protect themselves from attack by updating their machines to the latest available version of the software. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/17/virtual_machines_patch/

Vimeo freezes accounts after malware hunts for logins, coronavirus map app infected with evil code, and more

Roundup We hope everyone is staying healthy and safe. It’s time for another Reg roundup of security news you may have missed.

Hackers raid coronavirus-hit cruise operator, lift people’s personal data

Carnival, operator of coronavirus-hit Princess Cruises as well as the Holland America Line, admitted this month it was hacked between April and July last year.

The intruders swiped, from staff email accounts no less, customer info including names and addresses; Social Security numbers; government-issued ID, such as passport numbers and driver’s license numbers; credit card and financial account information; and health-related information.

Cryptocurrency led cops to alleged mastermind of sexual-assault web exchange

Dutch citizen Michael Rahim Mohammad, 32, has been charged with owning and operating Dark Scandals, a public-facing and Tor-hidden website through which warped netizens shared 2,000 videos of adults being raped, child sexual abuse, and similar assaults.

According to prosecutors in a federal district court in the US capital, Mohammad, aka Mr Dark, required his customers to produce and upload their own sickening videos before being granted access to the dark-web site, or by transferring money to a cryptocurrency address Mohammad controlled.

It was the latter of those two methods that eventually led Homeland Security and IRS investigators and police in Europe to Mr Dark and his operation, it is claimed. The IRS’s chief crime-fighter Don Fort described the site’s contents as “the most disgusting I’ve encountered in 30 years of law enforcement.”

Vimeo says account info taken from infected user PCs

Video sharing site Vimeo believes a malware infection has targeted some of its user accounts for theft.

Register reader David Smith told us that he received a notification from Vimeo that his account had been accessed by a stranger and frozen. This was unusual as Smith said the account was not connected to any other service, and used a unique randomly-generated password, ruling out a credential-stuffing attack and third-party data leak.

We reached out to Vimeo, and the service said it believes Smith, like others, may have been infected with malware that was targeting Vimeo accounts in particular.

“We became aware of a list of compromised email and password combinations captured from malware. We ran these credentials through our system to see if they matched those of any of our users,” Vimeo said.

“In cases where there were matches, we took the proactive step of resetting account passwords and notifying users. Based upon the information we have, it is likely that the user’s credentials were compromised due malware.”

Users who get similar notifications should, of course, run a thorough antivirus scan and then change their passwords.

Trail of Bits blasts Voatz app

The mobile app at the center of the Iowa Democratic Caucus voting debacle was even more bug-ridden than first thought.

A probe by experts at Trail of Bits found that the Voatz app contained scores of potentially serious exploitable flaws.

“Our security review resulted in seventy-nine (79) findings,” the biz reported. “A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.”

Comcast leaks ‘unlisted’ phone numbers

Some 200,000 customers in the US who had paid Comcast to keep their numbers private now have a bone to pick with the cable giant after it inadvertently made the numbers public on its Ecolisting directory service for months last year.

Comcast is said to be offering the exposed customers $100m worth of credits.

US county hit by ransomware

In a show of particularly bad timing, the Durham County government in North Carolina was hit earlier this month by a ransomware infection.

Telly news station WRAL reports that the county had to shut down some of its network and office phone systems to stop the spread of the malware infection. Fortunately, essential services like 911 and public information lines, as well as utility bill payment portals, were not impacted by the infection.

Man gets four years for Snapchat threats

A man from Texas is going to be spending a few years behind bars for menacing people on social networks.

The Eastern Texas District Court sentenced 23-year-old Rahul Ramesh Joshi to 48 months in prison after he was found to have used multiple accounts across a number of services, including Snapchat, to threaten at least five women.

Microsoft takes down Necurs botnet

One of the larger cybercrime botnets is being dismantled in a takedown effort spearheaded by Microsoft.

The Redmond giant says its security team is working with local authorities in 35 countries to take down Necurs, a massive botnet believed to have as many as nine million PCs under its control.

The botnet is used to send out huge volumes of spam (with some infected PCs producing millions of emails each month) and has also been distributing trojans and banking malware as well.

Deer.io owner arrested

The operator of a popular dark market service has reportedly been caught by police.

It is said that the owner of deer.io, a site that had hosted a number of smaller markets trading in stolen account credentials, was arrested in New York and is now awaiting trial.

During its seven-year run, it is estimated that the site trafficked in some $17m worth of stolen logins.

Coronavirus maps used to spread malware

It happens every time, without fail: a major catastrophic event occurs, and some enterprising scumbag uses the public panic to get malware out. The COVID-19 coronavirus is no exception.

Reason Security reports that a crook has embedded info-stealing malicious code into an application billing itself as a coronavirus infection map.

Netizens looking for information about the deadly pandemic are tricked into downloading and running the Windows software, only to find themselves infected with a trojan that harvests their cookies and account logins.

“The new malware activates a strain of malicious software known as AZORult. AZORult is an information stealer and was first discovered in 2016. It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more,” Reason reports.

“It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer.”

EU’s Entso-E reports office network attack

The European Network of Transmission System Operators, an electric utility industry group, said hackers were recently able to infect systems and gain access to its internal network.

Fortunately, this was just an office network, and no industrial systems or intellectual property were ever at risk.

“It is important to note that the ENTSO-E office network is not connected to any operational TSO system,” the group said.

“Our TSO members have been informed and we continue to monitor and assess the situation.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/17/security_roundup_march_13/

Health workers are top of phishers’ target lists thanks to data value

Interview Nurses are among the groups most heavily targeted by email scammers because of the value of the data they can access, according to email security biz Proofpoint’s Adenike Cosgrove.

Cosgrove, an infosec strategist for Proofpoint, told The Register that not only are nurses and other frontline healthcare professionals at the top of phishing target lists, but that a healthcare worker asked her for advice on security best practice – rather than her own organisation’s security team.

Explaining how the worker had watched a video of a public talk she had given about infosec, Cosgrove says: “This lady personally had to call all of the patients affected by [a previous] incident. First time she’d ever engaged with security in any way. She reached out to me and said, ‘We’ve got an annual meeting of our key clinicians across the country, meeting in London; we’d really appreciate it if you could speak to our nurses, doctors, dentists and all sorts, about cybersecurity.’”

With today seeing the UK’s GCHQ unit NCSC issue fresh warnings over phishers using the current coronavirus situation as fresh bait to lure targets into opening malware-laden email attachments, Cosgrove’s description of this incident ought to have corporate infosec teams paying more attention to how approachable they are to their own colleagues.

Making the point, Cosgrove says: “She didn’t feel she could reach out to her security team and ask someone internally to deliver this presentation, and identify someone that was speaking in a language she could understand.”

Proofpoint, says Cosgrove, found that “for hospitals and for surgeries, nurses and A&E and all of that, nurses are the most targeted roles. Why? Again, they have access to all of the data. The first people you see in a hospital is a nurse. They’re looking at your records, updating your records. They’re then directing you where you need to go within the hospital.”

Proofpoint itself, an email security firm, has published research into phishing and some of its findings were rather topical.

Cosgrove described one such incident: “One interesting threat that we’ve seen is criminals pretending to be a hospital in Nashville, Tennessee. There’s an Excel document within the email, which says ‘Here are your HIV results; open the Excel document to view the results’.”

She added:

The vast majority of people who do blood tests on a regular basis are going “oh my god, I need my results”. They download the spreadsheet, enable macros, etc. The user doesn’t know they’ve compromised themselves; their organisation doesn’t know they’ve downloaded a remote access trojan; they’re not doing anything that’s going to trigger any alerts just yet. It’s quietly monitoring all the credentials of the user. When the criminals steal those creds, they now have legitimate access to that person’s webmail, enabling internal phishing from a real email address.

It’s not just healthcare people either, Cosgrove told us: “Criminals are targeting HR professionals too. Their job is to open those emails, open those Word documents. Their job is to enable the macros so they can read the CVs!”

Linking this with the earlier example of the healthcare organisation whose staffers didn’t feel they could talk to their own IT security team, she says: “We blanket-train people into saying don’t enable macros, don’t open Word documents, yet HR professionals get emails they’re not expecting every single day. Their job is to open them! So now you’re telling me that I shouldn’t do my job? This is why security loses credibility with the business.”

“As a profession,” she enthused, “we could get closer to the end user. We need to speak their language. We need to understand how they work. And we need to help them do their jobs securely. Again, telling HR not to open Word documents? That’s pointless advice. But telling HR ‘Hey, we’ve developed tech to sandbox attachments so you can safely open that email’, that’s more realistic.”

While the COVID-19 coronavirus pandemic continues infecting humanity, the other style of infection that Reg readers are used to hearing about (no, not Cupid’s measles) continues unabated. Keep your teams alert and your co-workers in the loop. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/16/proofpoint_interview/

US Health and Human Services targeted by DDoS scum at just the time it’s needed to be up and running

In an impeccable instance of horrible timing, the US government’s Department of Health and Human Services (HHS) says it fended off a cyberattack by online scumbags.

The department told The Reg on Monday it was on the receiving end of what was believed to be a failed distributed denial of service (DDoS) assault the previous day.

The attack – presumably not a load of citizens hitting Uncle Sam’s web servers looking for information – did not, we’re told, have any serious impact on operations, but with Americans desperate for information about the coronavirus pandemic, the attempted takedown came at the worst possible time.

“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” a spokesperson for the department told The Register.

“On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter.”

The timing of these probings and forays is unwelcome: folks are turning to official sources for details on how to cope with the novel coronavirus. With states and cities across America taking unprecedented steps to slow the spread of the COVID-19 virus, government officials are more than taxed with public awareness efforts.

Fortunately, in this case it might have been the department’s own planning that prevented an outage, as the extra headroom in capacity appears to have absorbed the assault.

“Early on while preparing and responding to COVID-19, HHS put extra protections in place,” El Reg was told. “We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.”

At the time of writing, the HHS website remained fully operational.

Sadly, it seems that the pattern of utter scum targeting health agencies is a global affair. Administrators at University Hospital Brno in the Czech Republic report receiving similar cyberattacks.

“According to [the hospital director], some computer operations are limited, but examinations and acute operations work, but staff writes information on paper,” local news reports.

“The medical facility canceled the planned operations and diverted some patients to nearby hospitals.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/16/hhs_reports_cyberattack/