source: thecyberwire.com

At a glance.

  • FBI Director offers a harsh appraisal of Chinese cyberespionage.
  • Official concerns about Chinese cyber operations in France and India.

FBI Director offers a harsh appraisal of Chinese cyberespionage.

In a speech before the Hudson Institute yesterday, US FBI Director Wray denounced Chinese intelligence operations as serving Beijing’s ambitions to become the world’s dominant power. The Communist Party of China, Director Wray said, believes it’s in a “generational fight” to become the world’s sole superpower, and Beijing’s assertiveness in cyberspace is a consequence of the strategy that flows from that belief.

Continue reading “THE FBI’S TAKE ON CHINA’S CYBER OPERATIONS”

source: threatpost.com

A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, on Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

Continue reading “SELF-PROPAGATING LUCIFER MALWARE TARGETS WINDOWS SYSTEMS”

source: securityweek.com

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations have been breached acknowledged the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organizations do to prevent their users from falling for the bait of these attacks?

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

Continue reading “PHISHING ATTACKS: BEST PRACTICES FOR NOT TAKING THE BAIT”

source: nakedsecurity.sophos.com

If you’re a Naked Security Podcast listener, you’ll have heard Sophos’s own Peter Mackenzie telling some fairly wild ransomware stories.

Peter works in the Managed Threat Response (MTR) part of our business – in his own words, if your network’s on fire, he’s one of the people who will rush in to try to fix it.

As you can imagine, plenty of his deployments come in the aftermath of ransomware attacks.

A few years ago ransomware criminals typically used what’s called the “spray-and-pray” approach – or what might more appropriately be called “spray-and-prey”, given the entirely predatory nature of these attacks.

A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.

Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLocker, Locky and Teslacrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today.

But today’s ransomware criminals tend to pick entire organisations as victims.

Continue reading “INSIDE A RANSOMWARE GANG’S ATTACK TOOLBOX”

source: securitymagazine.com

A new study from FICO found a large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online.

As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.

The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two and five passwords they reuse across accounts; and four percent use a single password across all accounts. Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager, which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook.

“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO. “Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”

Continue reading “PROTECTION WHEN BANKING ONLINE”

source: wired.com

Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them.

THE UNITED STATES federal government isn’t known for robust cybersecurity. Even the Department of Defense has its share of known vulnerabilities. Now a new report from the Government Accountability Office is highlighting systemic shortcomings in the Pentagon’s efforts to prioritize cybersecurity at every level and making seven recommendations for shoring up DoD’s digital defenses.

The report isn’t a checklist of what DoD should be doing to improve cybersecurity awareness in the abstract. Instead, GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.

“It’s everyone’s responsibility to understand their part in cybersecurity, but how do you convince everyone to follow the rules they’re supposed to follow and do it consistently enough?” says Joseph Kirschbaum, a director in GAO’s defense capabilities and management team who oversaw the report. “You’re never going to be able to eliminate all the threats, but you can manage them sufficiently, and a lot of DoD’s strategies and plans are good. Our concern is whether they’re doggedly pursuing it enough so they’re able to do the risk management.”

Continue reading “THE PENTAGON HASN’T FIXED BASIC CYBERSECURITY BLIND SPOTS”

source: fastcompany.com

By making encryption free and easy, Let’s Encrypt solved one of the web’s biggest problems. Its secret? A maniacal focus on automation and efficiency.

Let’s Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that’s effectively impenetrable to snooping. The pandemic hasn’t halted the group’s progress: It says it’s now issued over 1,080,000,000 certificates.

That Let’s Encrypt doesn’t charge for this service is a big deal. A digital certificate for a website—also useful for email servers and other client/server systems—used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Let’s Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I’ve been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let’s Encrypt.)

Let’s Encrypt didn’t set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.

As executive director and cofounder of ISRG Josh Aas says, the organization wants everyone to be able to “go out and participate fully in the web without having to pay hundreds of dollars to do something.” Setting the cost at zero benefits each site’s users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let’s Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Let’s Encrypt as a catalyst to put it within the reach of every website.

BLOCKING UNPRECEDENTED SNOOPING

After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users’ attention to unprotected web sessions.

Continue reading “HOW A NONPROFIT YOU’VE NEVER HEARD OF MADE THE WEB SAFER FOR EVERYONE”

source: darkreading.com

Tests on the fingerprint scanners of Apple, Microsoft, and Samsung devices reveal it’s possible to bypass authentication with a cheap 3D printer.

Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it’s possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn’t easy.

Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.

Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body’s natural electrical current to read prints. Optical sensors use light to scan the print’s image. Ultrasonic sensors, the newest type and commonly used for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor proved the easiest to bypass.

Continue reading “RESEARCHERS FOOL BIOMETRIC SCANNERS WITH 3D-PRINTED FINGERPRINTS”

source: threatpost.com

The DarkHotel group could have been looking for information on tests, vaccines or trial cures.

The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.

Alexander Urbelis, cybersecurity researcher/attorney at Blackstone Law Group, told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and Urbelis noted that he realized “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”

The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself: “The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organizations that are uncommon for cybercriminals,” Costin Raiu, researcher at Kaspersky, told Threatpost. “This could suggest the actor behind the attacks are more interested in gathering intelligence, rather than being financially motivated.”

As for the “why” of the attack, which was thwarted, Raiu said that information about remediation for coronavirus – such as cures, tests or vaccines – would be invaluable to any nation-state’s intelligence officials.

Continue reading “WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike”

source: scmagazine.com

Amid sharply falling public markets and spiraling panic around the rapid proliferation of the coronavirus (a.k.a. Covid-19), the cybersecurity industry seems to be well poised for sustainable growth despite some foreseeable turbulence.

Publicly traded security companies and some specific niches will inescapably suffer in the short term; however, private cybersecurity companies and later-stage startups with sufficient reserves of cash may rapidly gain new clients and markets. That is not to say that the industry will enjoy absolute and everlasting success, but, compared with other sectors of the economy, it will be in comparatively good shape.

Let’s have a look at the five underpinning reasons for a bright future in the cybersecurity industry amid the coronavirus havoc:

Many traditional businesses will flee online

Countries affected by the coronavirus now actively restrain or even flatly prohibit a wide spectrum of daily activities including attending schools, visiting public places and restaurants, let alone international travel and conferences. Unsurprisingly, most of the affected businesses will now have to swiftly reinvent themselves and adapt to the new reality or see revenues hit extremely hard.

A considerable number of offline processes will somehow migrate to the Internet, replacing consultations with doctors and lawyers with agile video calls, favouring Zoom and WebEx for internal business meetings, delivering food and goods to homes instead of eating out or weekend shopping in overcrowded malls.

Continue reading “FIVE REASONS WHY COVID-19 WILL BOLSTER THE CYBER-SECURITY INDUSTRY”