
Breach Data Shows Attackers Switched Gears in 2020

source:  darkreading.com

Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

The number of data breaches declined by half last year — to less than 4,000 events — yet the number of leaked records more than doubled, as did the number of breaches that included a ransomware component, according to an annual analysis of breach events by Risk Based Security.

The diverging trends suggest that attackers are focusing more on ransomware, which is often not reported as a data breach if information is not exfiltrated. In addition, more than 80% of the at-risk records came from five events caused by misconfigured databases, suggesting that consolidation in the cloud may have led to more severe, if less frequent, data breaches.


Continue reading “Breach Data Shows Attackers Switched Gears in 2020”

Data Leak Exposes Details of Two Million Chinese Communist Party Members

source: infosecurity-magazine.com

Sensitive data of around two million members of the Communist Party of China (CPC) have been leaked, highlighting their positions in major organizations, including government agencies, throughout the world.

According to reports from The Australian newspaper, featured in the Economic Times, the information includes official records such as party position, birthdate, national ID number and ethnicity. It revealed that members of China’s ruling party hold prominent positions in some of the world’s biggest companies, including in pharmaceutical giants involved in the development of COVID-19 vaccines like Pfizer and financial institutions such as HSBC.

The investigation by The Australian centred around the data leak, which was extracted from a Shanghai server in 2016 by Chinese dissidents.

It noted that CPC members are employed as senior political and government affairs specialists in at least 10 consulates, including the US, UK and Australia, in the eastern Chinese metropolis Shanghai. The paper added that many other members hold positions inside universities and government agencies.

The report emphasized there is no evidence that spying for the Chinese government or other forms of cyber-espionage have taken place.


In her report, The Australian journalist and Sky News host Sharri Markson commented: “What’s amazing about this database is not just that it exposes people who are members of the Communist Party, and who are now living and working all over the world, from Australia to the US to the UK, but it’s amazing because it lifts the lid on how the party operates under President and Chairman Xi Jinping.

“It is also going to embarrass some global companies who appear to have no plan in place to protect their intellectual property from theft, from economic espionage.”

In September, the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Justice issued a joint advisory warning US government agencies and private sector companies to be on high alert for cyber-attacks by threat actors affiliated with the Chinese Ministry of State Security (MSS).


Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack

source:  nytimes.com

The broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected only a few weeks ago, is among the greatest intelligence failures of modern times.


WASHINGTON — Over the past few years, the United States government has spent tens of billions of dollars on cyberoffensive abilities, building a giant war room at Fort Meade, Md., for United States Cyber Command, while installing defensive sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.

It now is clear that the broad Russian espionage attack on the United States government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.

Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.

The new American strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counterstrikes — provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Moonlight Maze.

Something else has not changed, either: an allergy inside the United States government to coming clean on what happened.

Continue reading “Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack”

Has Your Data Been Leaked to the Dark Web?

source:  cyberdefensemagazine.com

The part of the internet not indexed by search engines is referred to as the Dark Web. The Dark Web is however frequently misunderstood. The Dark Web is a network of forums, websites, and communication tools like email. What differentiates the Dark Web from the traditional internet is that users are required to run a suite of tools such as the Tor browser that assists in hiding web traffic. The Tor browser routes a web page request through a series of proxy servers operated by thousands of volunteers around the globe that renders an IP address untraceable.

The Dark Web is used for both illegal and respected activities. Criminals exploit the Dark Web’s anonymity to sell drugs and guns. Organizations like Facebook and the United Nations use the Dark Web to protect political and religious dissidents in oppressive nations. Legitimate actors like law enforcement organizations, cryptologists, and journalists also use the Dark Web to be anonymous or investigate illegal activities.

A 2019 study, Into the Web of Profit, conducted by Dr. Michael McGuires at the University of Surrey, shows that the number of Dark Web listings that could harm an enterprise has risen by 20% since 2016. Of all listings (excluding those selling drugs), 60% could potentially harm enterprises.

Continue reading “Has Your Data Been Leaked to the Dark Web?”


Three Critical Threats on the Horizon You Need to Prepare For

source: securityweek.com

October was National Cyber Security Awareness Month, which served as an important annual reminder for organizations to never let their guard down when it comes to protecting access to data. The most recent wave of data breaches (e.g., Simon Fraser University, Twitter, Universal Health Services, and Shopify) demonstrates that cyber adversaries no longer need to ‘hack’ in — instead they can log in using weak, stolen, or phished credentials. This takes on increased significance when it comes to privileged credentials, such as those used by IT administrators to access critical infrastructure. These types of credentials are estimated to be involved in 80% of data breaches.

Today’s dynamic threatscape requires security professionals to adjust to an ever-expanding attack surface. It doesn’t matter where the data they need to protect resides, or who is ultimately trying to access the data — be it human or a machine. What counts is that they minimize the risk of data exfiltration. Period.

Continue reading “Three Critical Threats on the Horizon You Need to Prepare For”

25 Vulnerabilities Chinese APT Groups Are Chasing Right Now

source:  cyware.com

Cybercriminals are consistently scanning and exploiting publicly available security bugs. Recently, the National Security Agency (NSA) published a report detailing the top 25 vulnerabilities exploited by hackers, urging organizations in the U.S. public and private sectors to prioritize them for action.

The top 25 vulnerabilities

According to the report, Chinese state-sponsored hackers were seen abusing these vulnerabilities to launch strategic hacking operations against a multitude of victim networks.
  • Most of these vulnerabilities belong to products related to remote access or external web services. Such products, accessible via the internet, are often exploited to gain initial access inside the victim’s network.
  • Exploits in the enterprise products including gateways (including Citrix ADC and Gateway, Symantec Messaging Gateway), VPN (Pulse Secure VPN), load balancers (F5 BIG-IP), etc. could provide direct remote access to the attackers.
  • Several vulnerabilities in the list target Windows OS and its services, such as Remote Desktop Services (BlueKeep vulnerability), Netlogon (Zerologon), DNS server (SigRed), etc.
  • Additional products include business applications such as email servers (such as Microsoft Exchange, Exim mail), and application servers (such as Oracle WebLogic, Zoho ManageEngine, Adobe ColdFusion), that are being targeted by Chinese hackers.

Recent exploitation of these flaws

Not only Chinese hackers but several other low-level malware groups, ransomware gangs, and other state-sponsored hackers (including Russia, and Iran) were seen exploiting the above-mentioned vulnerabilities.
  • Threat actors such as TA505, MuddyWater, and Ryuk were seen abusing the Zerologon vulnerability (CVE-2020-1472) to target public and private sector organizations.
  • Hackers were seen combining VPN (CVE-2019-11510) and Windows bugs to gain access to government networks, for which CISA and the FBI had issued prior warnings.
  • F5 BIG-IP (CVE-2020-5902), and Pulse Secure VPN servers (CVE-2019-11510) were also recently targeted by hackers.
  • In September, Iranian hacking group Pioneer Kitten was seen taking advantage of several unpatched vulnerabilities (CVE-2020-5902, CVE-2019-11510, and CVE-2019-19781) to target U.S. businesses and federal agencies.

The bottom line

The exploitation of such vulnerabilities could lead to the compromise of sensitive information related to a country’s policies, strategies, plans, and competitive advantage. Fortunately, all the vulnerabilities listed by researchers have patches available from their vendors. Thus, users are recommended to patch these and all other known vulnerabilities to avoid any undue risks to their infrastructure.


Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene

Police increasingly ask Google and other tech firms for data about who was where, when. Two judges ruled the investigative tool invalid in a Chicago case.

source:  wired.com


IN 2018, 23-YEAR-OLD Jorge Molina was arrested and jailed for six days on suspicion of killing another man. Police in Avondale, Arizona, about 20 miles from Phoenix, held Molina for questioning. According to a police report, officers told him they knew “one hundred percent, without a doubt” his phone was at the scene of the crime, based on data from Google. In fact, Molina wasn’t there. He’d simply lent an old phone to the man police later arrested. The phone was still signed into his Google account.

The information about Molina’s phone came from a geofence warrant, a relatively new and increasingly popular investigative technique police use to track suspects’ locations. Traditionally, police identify a suspect, then issue a warrant to search the person’s home or belongings.

Continue reading “Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene”

Report details how North Korean and Russian cybercriminals are cooperating

source:  scmagazine.com

Several companies, media outlets and the U.S. government have accused North Korean state-sponsored hackers of purchasing access to pre-hacked servers from criminal groups. But the connections to specific criminal groups have been a little more tenuous.

Now a new meta-analysis of previous reports, from Intel 471, establishes a likely connection to TrickBot.

TrickBot, as well as Dridex and TA505, are groupings of attacks linked to different Russian-speaking cybercriminals who sell access to victims’ machines in criminal forums. The North Korean Lazarus Group, which supplements an economy ravaged by sanctions with cybercrime, is known to use a variety of vectors to find initial access.

“I was skeptical about any North Korea / Russian criminal group links before writing this,” said Intel 471 chief executive Mark Arena, who wrote the report. “When open-source reporting is based on one or two instances of TrickBot and Lazarus in the same server, it’s possible that they were two separate attacks.”

Arena read through the various reporting on the overlap between criminal groups and Lazarus, contacted the researchers for information not contained in the reports and solicited additional information from other researchers.

What he found was a very clear chain in the reports showing TrickBot infections leading to malware only used infrequently in Lazarus-type attacks, which appears to be developed by Lazarus using the group’s fairly distinctive code.

Public reporting was less conclusive. A purported connection to Dridex appeared to be a researcher conflating different criminal groups. And when Arena contacted a BAE researcher who had given a presentation proposing a connection between TA505 and Lazarus, that researcher said the presentation was only meant to be taken as a theory. However, in speaking with practitioners who hadn’t made their work public, other people had independent suspicions of a link between the two that no longer appears to be active.

Arena told SC Media that knowing there is a connection between different actors gives defenders a chance to investigate a potential second problem when the first one is found. He added that if North Korea is likely to purchase access from one actor, it is likely to be willing to purchase from others. The choice of vendors shouldn’t be seen as set in stone.


source:  thecyberwire.com

At a glance.

  • FBI Director offers a harsh appraisal of Chinese cyberespionage.
  • Official concerns about Chinese cyber operations in France and India.

FBI Director offers a harsh appraisal of Chinese cyberespionage.

At a speech before the Hudson Institute yesterday, US FBI Director Wray denounced Chinese intelligence operations as serving Beijing’s ambitions to become the world’s dominant power. The Communist Party of China, Director Wray said, believes it’s in a “generational fight” to become the world’s sole superpower, and that Beijing’s assertiveness in cyberspace is a consequence of the strategy that flows from that belief. 

Continue reading “THE FBI’S TAKE ON CHINA’S CYBER OPERATIONS”

source: threatpost.com


A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, on Wednesday in a blog post. “Applying the updates and patches to the affected software is strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

Continue reading “SELF-PROPAGATING LUCIFER MALWARE TARGETS WINDOWS SYSTEMS”