Critical Bug in Medical Infusion Pumps lets Attacker Remotely install Unauthorized Firmware to Change Medication Dosages
By Waqas

Researchers at CyberMDX, a healthcare security firm, have identified two different vulnerabilities in Becton Dickinson Alaris Gateway Workstations (AGW) used by hospitals in medical infusion pumps. One of the bugs is so severe that it carries a critical rating […]

This is a post from HackRead.com. Read the original post: Vulnerable infusion pumps can be remotely accessed to change dosages


A ransomware attack on Belgian airplane manufacturer ASCO this week is the latest in a string of incidents that show the unique danger lurking in this type of malware campaign. The rise of ransomware has cost companies millions to remediate – both in making payments and in system restoration and downtime – and should be prompting organizations of all sizes to take preventative measures.

ASCO, one of the world’s largest airplane suppliers, said this week that it shut down production in its factories in Canada, Germany and the U.S. after a ransomware infection crippled its plant in Zaventem, Belgium. About 1,000 of its 1,400 workers have been given leave for the week as the company works to remediate the issue, according to German media outlets.

Whether ASCO has paid the ransom is unclear, but the impact on its operations is clearly severe.

“Airplane manufacturer ASCO being hit by ransomware continues [the] trend of cybercriminals focusing their efforts on industry and manufacturing as their targets – recognizing the hugely costly and disruptive effect such a shutdown will have on the business,” said Shlomie Liberow, technical program manager at HackerOne, via email. “Public understanding of ransomware is on the rise, so if ASCO reacts quickly and in a way that keeps relevant stakeholders informed, hopefully it will see no lasting damage to reputation.”

A String of High-Profile Incidents

According to Verizon’s 2019 Data Breach Investigations Report (DBIR), ransomware attacks are still going strong, accounting for nearly 24 percent of incidents where malware was used. And according to the FBI’s Internet Crime Report, 1,493 ransomware attacks, resulting in losses of $3.6 million, were reported in 2018. And that represents only those attacks that were reported directly to the FBI.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts from Malwarebytes, Recorded Future and Moss Adams as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

Also, while ransomware attacks are on the rise, so too is the scope of the attacks. Chris Dawson, threat intelligence lead at Proofpoint, said that recent incidents point to threat actors attempting to take advantage of deeper pockets and higher stakes to demand much larger ransoms – as opposed to previous campaigns, targeting individuals, that demanded hundreds of dollars to unlock an individual PC.

This is exemplified in a string of high-profile ransomware attacks on large municipalities, manufacturers and other companies over the past year, of which the ASCO incident is a continuation. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. Although Atlanta officials were vocal about not paying the ransom, the city ended up spending $2.6 million to recover. These expenditures covered incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise.

The city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more. Like Atlanta, Baltimore officials refused to pay the $76,000 ransom – but ended up dishing out $18.2 million in restoration costs and lost revenue.

And in one of the most high-profile cases, Norsk Hydro fell victim in March to a serious ransomware attack that forced it to shut down or isolate several plants and send several more into manual mode. The attack ultimately cost the aluminum giant $40 million.

“The RobbinHood attack on the city of Baltimore fits with a theme that we’ve observed as ransomware in the malicious email space has largely dried up,” Dawson said in an email. “Instead of targeting individuals in high-volume email campaigns as we saw frequently in 2016 and 2017, threat actors are now using ransomware in targeted attacks against key targets for much larger ransoms. As with Norsk Hydro and other targeted organizations, it appears that threat actors make use of existing network and endpoint compromises to then load ransomware on vulnerable devices.”

That said, of course, in addition to these, plenty of non-household names are hit every day, too.

The Aftermath and the Payment Dilemma

A ransomware attack will be costly and damaging, no matter the organization’s size: According to a SentinelOne report, the average cost of a ransomware attack is more than $900,000. This includes the ransom itself, downtime and lost productivity, remediation, legal costs and more.

“Businesses face numerous cyberthreats from hackers, but ransomware is particularly insidious and common,” Daniel Markuson, a digital privacy expert at NordVPN, told Threatpost. “When ransomware infects a server, it quickly spreads to encrypt all of the files on that server. Obviously, this can be disastrous for a business – all of its payroll, customer information, contracts and trade secrets all rendered inaccessible. Once it’s deployed, the hacker simply demands a ransom from the company before unlocking their files. That’s only if they’re honest, however.”

Regarding whether to pay, many organizations find themselves in a dilemma when hit by ransomware. The choice is often either to pay the ransom and hope the cyberattackers keep their word and deliver the decryption keys, or to pay a cybersecurity firm to perform remediation and cleanup, which can cost more than the actual ransom. The latter path is more ethical, avoiding sending money into criminal pockets.

But the choice “to pay, or not to pay?” can be hard.

“It’s easy to say that companies should never pay, but it’s also quite unrealistic,” said Brett Callow, spokesperson for Emsisoft, in an interview with Threatpost. “The reality is that making payment may be the only option that will enable a company to become operational again within a reasonable period of time. It’s very much a case of ethics versus business necessity.”

He added, “it may be the only recovery option available. Second, some companies may believe that payment is the fastest route to becoming operational again. Third, in some instances, they may believe that making payment will enable them to avoid the matter coming to the attention of the public and their shareholders.”

Although some decryptor tools are available, remediation firms themselves often have no options to give their customers, if those customers haven’t fully backed up their data, according to at least one researcher.

“I have no doubt that there are many firms out there that offer ‘sophisticated tools and tactics’ to decrypt victims’ files for a hefty fee,” Tyler Moffitt, security analyst at Webroot, said by email. “It also doesn’t surprise me that the majority of the time all these firms do is pay the ransom and then charge the victim a premium. This is pretty much the only chance that these assistance firms would be able to actually retrieve files. Retrieving them without paying the ransom is very rare and again only available when criminals make mistakes, so for the most part getting these encryption keys is impossible without paying the ransom and dealing with the criminals directly.”

Ransomware can also have devastating effects on reputation, in addition to the hard costs associated with an attack. That’s something that payment won’t fix, but being transparent about what’s happened and why can go a long way to softening this particular blow, according to HackerOne’s Liberow.

For example, Norsk Hydro admitted the gritty details, such as the fact that it had to close down operations in several locations, and the fact that the incident cost it at least $40 million in the first week.

“Norsk showed the world that while ransomware is costly and devastating in the moment, it doesn’t have to have a lasting effect on reputation as the open and transparent way Norsk dealt with the attack resulted in a rise in share price,” Liberow noted.

Interestingly, Radiohead’s recent response to a ransomware attack – which involved releasing a trove of 18 previously unheard outtakes from their album “OK, Computer” rather than pay a $150,000 ransom demand – demonstrates the positive brand power of a non-negotiation philosophy in the face of cybercriminals, according to Peter Groucutt, managing director of Databarracks; it thwarted the criminals’ efforts while bringing good publicity.

“Releasing a collection of unheard songs, demos and outtakes, while unconventional, was a PR masterstroke by Radiohead,” Groucutt said. “This obviously isn’t a viable tactic for most businesses dealing with a ransomware attack, but we can learn from Radiohead’s defiance.”

Prevention is the Best Medicine

The best approach to ransomware is to take your company off the target list. Basic security hygiene is the first step.

“Difficult as it may seem to prevent these attacks, when it comes to ransomware, prevention is always better than cure,” Liberow said. “This means ensuring all systems are up to date with the latest patches and that there are no security vulnerabilities or weaknesses which could leave an organization exposed to attackers.”

Another crucial aspect of preparing for an attack is simply to make sure you have an extra copy of your files available.

“To reduce the damage of any potential ransomware attacks, keep periodic secure backups of your data,” Markuson said. “This means that if a hacker breaks in and infects your business with ransomware, you can ignore their demands and rebuild your systems with the backed-up data (however, don’t forget that they may also have copied some of your data for themselves).”

The sheer pervasiveness of the ransomware scourge should be pushing all companies to invest in backups, Groucutt added.

“Given that ransomware attacks are becoming increasingly commonplace, there’s no excuse to be unprepared,” he said. “Agreeing to pay a ransom demand isn’t conducive to long-term security, and emboldens cybercriminals to continue to use this method. There is also a risk of looking like an easy target, potentially inviting further attacks.”

Lindsey O’Donnell also contributed to this report.


With the number of unique cyberincidents continuing to grow, ransomware-based attacks in particular are on the rise in 2019, researchers said.

Ransomware trojan-based infections jumped from 9 percent in the fourth quarter of 2018 to 24 percent in the first quarter of 2019, said Positive Technologies researchers in their Cybersecurity Threatscape report for the first quarter of 2019.

“[A]ttackers are now earning less money from ‘traditional’ ransomware,” said researchers in the report. “This is probably due to the educational efforts of cybersecurity experts urging users not to pay a ransom for file recovery. Be that as it might, attackers keep inventing new ways to manipulate users.”

The report outlined popular trends in the malware space – such as the growing popularity of multimodular trojans and ransomware, and the decreasing popularity of malicious cryptomining. Overall, cyberincidents grew by 11 percent from the first quarter of 2018, according to the report.

Ransomware

When it comes to ransomware, “the share of ransomware Trojans will remain high so long as there are people willing to pay a ransom,” researchers said. In particular, ransomware attackers are looking in 2019 to reinvent the game with new tricks and tactics. CryptoMix hackers, for example, tricked victims by promising to donate ransom payments to a children’s charity.

And, “a new version of ransomware offers PayPal as a payment option,” researchers said. “If users choose to pay using PayPal, they are taken to a fake PayPal page. All credentials and payment information entered on the fake page are then stolen by attackers, who can withdraw money from victims’ accounts or sell this data on the Dark Web.”

In addition to these new ploys, ransomware threat actors are also looking for larger targets with deeper pockets – and more personal data that they could lose. That includes institutions (such as Jackson County, Georgia, which paid $400,000 to restore IT infrastructure) and healthcare firms (including Columbia Surgical Specialists, which paid $15,000 for file recovery).

Modular Trojans

Malware combining multiple types of Trojans – such as the DanaBot trojan, which functions as banking malware and also as a password stealer – is becoming more and more widespread, researchers said.

“Due to its flexible modular architecture, this malware can perform many different functions,” researchers said. “For example, it can display advertising and steal user data at the same time.”

Multifunctional trojans have become a new favorite for malicious cryptominers, who are finding mining to be less profitable. The share of hidden mining, or malicious cryptomining attacks, has decreased, reaching a 7 percent share of overall attacks compared with 9 percent in the fourth quarter of 2018.

Because malicious actors can’t profit from cryptomining alone, they are turning to multipurpose trojans, such as a new trojan dubbed CookieMiner that not only installs a hidden miner on a victim’s computer, but also steals credentials and payment card information.

“Hackers have started to upgrade miners, turning them into multifunctional Trojans,” said researchers. “Once inside a system with low computational power on which mining is uneconomical, such Trojans start acting as spyware and steal data.”

Future

Researchers said that in the future, attackers will continue to rely on old-school tactics like malware and social engineering – but with new tricks up their sleeves.

“We predict growth in the number of attacks in Q2 2019,” said researchers with Positive Technologies. “Malware and social engineering will remain the favored tools of attackers.”

Meanwhile, to stay safe, companies can create systems for centralized administration of updates and patches, deploy antivirus software, use automated software audit tools and utilize web application firewalls.


Beyond Patch Tuesday, this week was crammed with privacy- and security-related news. In this week’s Threatpost podcast, editors Tara Seals and Lindsey O’Donnell discussed the top news from the week. That includes: a federal lawsuit alleging that Amazon is recording children who use its Alexa devices, without their consent or knowledge; Telegram’s CEO pointing the finger squarely at China as the culprit responsible for the distributed denial of service (DDoS) attack that it suffered on Wednesday; and a critical flaw in the popular note-taking extension Evernote that could have allowed attackers to steal personal data – including emails and financial transactions – from millions.


XENOTIME, the APT group behind the TRISIS industrial control system (ICS) event, has expanded its focus beyond the oil and gas industries, according to researchers. The group has recently been seen probing the networks of electric utility organizations in the U.S. and elsewhere – perhaps a precursor to a dangerous attack on critical infrastructure that could cause physical damage or loss of life.

“Offensive government programs worldwide are placing more emphasis and resources into attacking and disrupting industrial processes like oil, power and water,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. He told Threatpost that “This means more attacks are coming. People will die, we just don’t know when.”

Researchers at Dragos first identified the change in targeting by XENOTIME (which FireEye previously attributed to a Russian government-owned technical research institute in Moscow) in late 2018. The attacks have continued into 2019.

“Multiple ICS sectors now face the XENOTIME threat; this means individual verticals – such as oil and gas, manufacturing or electric – cannot ignore threats to other ICS entities because they are not specifically targeted,” according to an analysis Dragos posted on Friday.

Traditionally, offensive ICS operations are so expensive and difficult that groups will focus and specialize on a sector and geography – such as Middle Eastern oil and gas, the firm pointed out. XENOTIME’s investment and interest in attacking ICS across geographic and industry boundaries – Dragos said it’s the first APT to achieve this transition – is a disturbing harbinger of things to come, researchers said.

“Attacking any industrial sector requires significant resources, which increase as capabilities and targeting expand,” according to the firm. “The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure – and those already invested see dividends from their behaviors – the threat landscape grows.”

Further, the expansion is expected to continue, according to Caltagirone.

“XENOTIME, the most dangerous cyberthreat in the world, provides a prime example of threat proliferation in ICS,” he said. “What was once considered an ‘oil and gas threat’ is now an electric threat too. XENOTIME is now targeting dozens of electric power utilities in at least the North American and Asia-Pacific regions, and continues to target oil and gas worldwide. Dragos expects this overlapping targeting will continue across sectors, from power, to water, to manufacturing and more.”

From TRISIS to Crisis?

The 2017 TRISIS (aka TRITON or HatMan) malware attack on a Saudi Arabian petrochemical facility targeted safety systems and was designed to cause loss of life or physical damage. The malware directly interacted with and controlled Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. SISes are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. The malware managed to cause this fail-safe system to shut down (though a final-stage destructive attack never came).

TRISIS lives on in memory because to date, only a handful of malware, such as the infamous Stuxnet and Industroyer/Crash Override strains, has had the ability to impact the physical process of an ICS installation. TRISIS has not appeared elsewhere since 2017, but it’s worth noting that the same malware framework showed up in a second incident recently, according to FireEye researchers.

Following the 2017 attack, XENOTIME expanded its operations to include oil and gas entities outside the Middle East, Dragos noted. Additionally, the group compromised several ICS vendors and manufacturers in 2018, providing potential supply-chain threat opportunities and vendor-enabled access to target ICS networks.

“XENOTIME operations since the TRISIS event in 2017 included significant external scanning, network enumeration and open-source research of potential victims, combined with attempts at external access,” the researchers said. “This activity emphasized North American and European companies.”

Then, it expanded in terms of industrial sector: In February 2019, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with U.S. and Asia-Pacific electric utilities.

“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion,” the researchers said. “The activities are consistent with Stage 1 ICS cyber kill chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential-stuffing, or using stolen usernames and passwords to try and force entry into target accounts.”

None of the electric-utility targeting events has resulted in a known, successful intrusion into victim organizations to date, but Dragos said that the persistent attempts and expansion in scope are cause for definite concern.

“XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes,” according to the research. “Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft.”

To prepare for a potential onslaught, ICS operators should be ramping up now, said Caltagirone.

“Industrial control system owners and operators need to establish an authoritative understanding of their environments and begin searching for threat behaviors now, while preparing responses for the inevitable,” he told Threatpost. “Utilities, companies and governments must work cooperatively around the world and across industrial sectors to jointly defend lives and infrastructure from the increasing scope and scale of offensive critical infrastructure cyberattacks.”


A federal lawsuit is alleging that Amazon is recording children who use its Alexa devices, without their consent or knowledge. Alexa is the built-in voice assistant shipped with devices like Amazon Echo, Amazon Dot, Fire TV and some third-party gadgets.

“Alexa routinely records and voiceprints millions of children without their consent or the consent of their parents,” reads the complaint, which is seeking class-action status. It was filed in Seattle this week on behalf of a 10-year-old girl. Meanwhile, another, almost identical suit was filed this week in California Superior Court in Los Angeles, on behalf of an 8-year-old boy.

“It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,” the California suit states.

If the allegations are true, the tech giant would be in violation of laws governing recordings in at least eight states, including California, Florida, Maryland, Massachusetts, Michigan, New Hampshire, Pennsylvania and Washington, which require all parties to consent to a recording, regardless of their age.

It would also mean that Amazon has been fraudulent in its child privacy policy, which states, “You choose whether to give us permission to collect Child Personal Information from your child. If you have not given us permission to collect Child Personal Information, we may make available certain voice services intended for children (e.g., certain Alexa kid skills), and we may process your child’s voice recordings to provide these services, but we will not store those voice recordings.”

The federal lawsuit disputes that Amazon is taking such care. “But Alexa does not do this,” the lawsuit claims. “At no point does Amazon warn unregistered users that it is creating persistent voice recordings of their Alexa interactions, let alone obtain their consent to do so.”

The complaints describe how Alexa devices function – by being called to service with a wake-word, usually “Alexa.” They go on to allege that Alexa captures, records and stores all voices indiscriminately after being woken up, even though the platform is capable of distinguishing different speakers.

In a media statement, Amazon reiterated its stance: “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy,” the company said. “For customers with kids, we offer FreeTime on Alexa, a free service that provides parental controls and ways for families to learn and have fun together.”

It’s unclear what evidence the plaintiffs have against Amazon; the federal lawsuit only alleges that “Amazon’s intentional and unlawful recording caused Plaintiff and the Class members injury to their dignity, well-being and security;” the California litigation states “Amazon’s intentional and unlawful recording violated Plaintiffs and the Class members’ right to privacy in their confidential communications.” Both plaintiffs are asking for a jury trial, however, so presumably more details will come to light.

More than 100 million Alexa devices have been sold worldwide, and this isn’t the first privacy complaint that Amazon has faced over the home assistant’s recording practices. In December, Amazon admitted that it inadvertently sent 1,700 audio files containing recordings of Alexa interactions by a customer to a random person. After a newspaper investigation exposed the snafu, Amazon characterized it as a “mishap” that came down to one employee’s mistake.

And earlier in 2018, a couple said that an Alexa-enabled Echo device had recorded a conversation of them – without them knowing – and then sent an audio file to one of their contacts.

Other privacy issues around the gadgets have also stirred debate. In April, reports emerged that employees at Amazon were given broad access to geolocation information for Alexa users – thus uncovering their home addresses and even satellite pictures of their houses generated from a service such as Google Earth.


A widespread campaign is exploiting a vulnerability in the Exim mail transport agent (MTA) to gain remote command execution on victims’ Linux systems. Researchers say that currently more than 3.5 million servers are at risk from the attacks, which use a wormable exploit.

Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet’s email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and initiate a cryptominer infection.

“These kinds of attacks have big implications for organizations,” said researchers with Cybereason in a post on Thursday. “The recovery process from this type of attack is costly and time-consuming.”

Exim is an open-source MTA, which essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux systems.

The Flaw

The flaw stems from improper validation of the recipient address in the deliver_message() function in the server. The vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was discovered on June 5 in Exim versions 4.87 to 4.91. Exim version 4.92 is not vulnerable.

“A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87,” according to a recent security advisory. “The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.”

An initial wave of attacks on this vulnerability – which involved attackers pushing out exploits from a malicious command-and-control (C2) server – was first discovered June 9 by researcher Freddie Leeman.

“Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149),” he said in a tweet. “Tries to download a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it’s up-to-date.”

Then more recently, researchers with Cybereason tracked a second wave of attacks, which they believe was launched by a different attacker.

The Worm Attack

The more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command execution is established, the attacker then deploys a port scanner to sniff out other vulnerable servers, and installs a coin-miner. In addition, the campaign appears to be “highly pervasive”, with extra measures – such as installing several payloads at different stages, including the port scanner and coin-miner – for persistence on the infected system.

“It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm,” researchers said. “They used hidden services on the TOR network to host their payloads and created deceiving windows icon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs.”

Researchers said that they are still looking for further information about the attack, but in the meantime urged users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim version 4.92.

“The prevalence of vulnerable Exim servers (3,683,029 across the globe according to Shodan) allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue,” researchers said.
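The article's only actionable guidance is the version range: 4.87 through 4.91 affected, 4.92 not vulnerable. The following script is an added example, not code from Exim, Cybereason or Threatpost, that triages an inventory of mail hosts against that range so the affected set can be patched first. It assumes the banner format is the first line printed by `exim -bV` (for example `Exim version 4.91 #1 built ...`); every host name and banner in it is a constructed sample.

```python
"""Added example (not Exim's, Cybereason's or the article's code): triage an
inventory of mail hosts against the version range the advisory names
(4.87 through 4.91 affected, 4.92 not vulnerable).

Assumed input is the first line printed by `exim -bV`, e.g.
'Exim version 4.91 #1 built 01-Jan-2019 10:00:00'. All host names and
banners below are constructed samples."""
import re

AFFECTED_MIN = (4, 87)   # first affected version named in the advisory
AFFECTED_MAX = (4, 91)   # last affected version
FIXED = (4, 92)          # stated as not vulnerable

_BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str):
    """Return (major, minor) from an `exim -bV` banner, or None if no version is present."""
    m = _BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_exim_version(banner: str) -> str:
    """Map a banner onto: vulnerable, fixed, older-than-patch-range or unknown.

    Caveat: a distribution that backports the fix keeps the old upstream
    version string, so 'vulnerable' means 'check the vendor package changelog',
    not a confirmed exposure."""
    v = parse_exim_version(banner)
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    # The advisory's backported patches start at 4.87; anything older has no
    # patch in that range and should simply be upgraded.
    return "older-than-patch-range"


def triage_inventory(inventory: dict) -> dict:
    """Group host names by classification so the vulnerable set can be patched first."""
    groups = {}
    for host, banner in inventory.items():
        groups.setdefault(classify_exim_version(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory: host -> banner captured from `exim -bV`.
SAMPLE_INVENTORY = {
    "mx1.example.test": "Exim version 4.91 #1 built 01-Jan-2019 10:00:00",
    "mx2.example.test": "Exim version 4.92 #2 built 01-Jun-2019 09:30:00",
    "mx3.example.test": "Exim version 4.87 #1 built 01-Jan-2017 12:00:00",
    "relay.example.test": "Exim version 4.86 #1 built 01-Jan-2016 08:00:00",
    "legacy.example.test": "sh: exim: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:24s} {', '.join(hosts)}")
```

The version string is a screening signal only: distributions that ship a patched 4.89 or 4.91 package still report the old number, so a host classified as vulnerable here needs the package changelog checked before it is counted as exposed, and a host reporting 4.92 still needs its runtime configuration reviewed, since the advisory ties severity to how far the configuration departs from the default.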

Source

Do threat actors carry out phases of their attack on different days of the week? Do threats use the same infrastructure for exploitation and control? These may not be the sort of questions that cybersecurity professionals usually think about, but their implications can have an important impact on how to better align resources and strategies to detect and defend against attacks.

For the Q1 2019 Threat Landscape Report, threat analysts at FortiGuard Labs were given leeway to roam across the threat landscape they work with daily and share some stories of interest from their cyber threat data that did not necessarily relate to the primary topics or flow of the main report. This quarter, they chose to dig into data from the company’s web filtering service. Here is what they found.

What and Why

Weekdays vs weekends. Researchers wanted to see if threat actors conduct phases of their attacks on different days of the week, to further demonstrate that cybercriminals are always looking to maximize opportunities. When they compared web-filtering volume from two Cyber Kill Chain phases during weekdays and weekends, they discovered that pre-compromise activity is roughly three times more likely to occur during the work week. This is largely because pre-compromise activity requires someone to click on a phishing email or perform some other action, whereas post-compromise activities that rely on command-and-control services do not have this requirement and can occur at any time. Cybercriminals understand this and work to maximize opportunity during the week, when Internet activity is taking place.

The web filtering service blocks and then logs attempts to access malicious, hacked, or inappropriate websites. Analysts have applied various categorizations to this activity, such as the type of website being sought and the phase of the Cyber Kill Chain in which it occurs. The overwhelming majority of blocks in Q1 occurred in the exploit (initial attack) and control (manipulation of data) phases. This stands to reason, given that devices visiting these malicious URLs are often directed there (e.g. via phishing) for the purpose of exploitation and/or for ongoing command-and-control instructions after successful exploitation.

In the figure below, the contrast is clear between pre- and post-compromise activity over the quarter. The blue dots signify weekdays and orange dots weekends.

Figure: Comparison of web filtering volume for two Cyber Kill Chain phases during weekdays (blue) and weekends (orange).

Every bit of knowledge that can be gained on how attackers work offers at least some improvement over the baseline. In this case, it may make sense to consider differentiating weekday and weekend filtering practices and prioritizing threat discovery activities accordingly.

Shared infrastructure. An additional aspect of the web filtering data that researchers found worthy of attention was the degree to which different threats shared infrastructure (namely, URLs). The figure below displays this overlapping infrastructure in a circular network diagram. Each node represents malware or botnet communication activity generated by threats during the control stages of the Kill Chain. The thickness of lines represents the number of domains shared between threats at each stage. The size of each node corresponds to the total volume detected in Q1. This data fuels several interesting observations.

Figure: Infrastructure sharing among web filtering detections in Q1 2019.

For instance, some threats appear to leverage this community-use infrastructure to a greater degree than unique or dedicated infrastructure. In fact, nearly 60% of all analyzed threats shared infrastructure. IcedID, the #9 threat by volume in the web filter data this quarter, offers a good example of this “why buy/build when you can borrow” behavior. Like so many others, it shared nearly two-thirds of the domains it contacted with other threats.

Finally, and perhaps most intriguing: when threats share infrastructure, they also tend to do so within the same stage in the Kill Chain. That is, while many different threats may share the same domain during the exploitation phase of an attack, it would be unusual for a threat to leverage a domain for exploitation and then later leverage it for C2 traffic.

Security Tactics for People, Processes and Technology

Attack vectors like the ones just discussed underscore the need for organizations to rethink their strategy to better future-proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – and then implementing an intentional layered strategy that covers all aspects of the network. As IT teams seek to create a layered security environment, there are several tactics they should consider:

People – Training makes the difference between employees being an organization’s critical front-line cybersecurity asset or its greatest liability. Employees need to be trained in basic cyber hygiene practices like creating strong passwords, not reusing or sharing those passwords, identifying illicit URLs and email sources, and not clicking links in emails from unknown senders. IT teams can also improve cybersecurity at the employee level with access management policies, such as implementing the principle of least privilege.

Processes – IT security teams should have a cyber incident response plan in place. They should not only ensure that proper backups are taking place and being stored off-network, but also that those backups are regularly tested. The collection, analysis, and sharing of threat research across teams, devices, and network environments is also critical. Finally, IT teams must know what assets are online and where those assets are, and then be able to prioritize their access to and consumption of resources based on which are most business-critical.

Technology – It is important for IT teams not to implement isolated point solutions as they layer their defenses, but instead to choose tools based on their ability to be integrated and automated so they can share real-time threat intelligence. This integrated approach creates a comprehensive solution that can facilitate rapid detection and mitigation of threats across the entire distributed network. Deception technology is another tactic IT teams should make use of. Effective deception strategies make it harder for an adversary to determine which assets are fake and which are real, while tripwires embedded in these false signals increase the ability to detect an intruder. Finally, segmenting corporate networks limits exposure of critical data if there is a breach.

Adapting Security Strategy

Last quarter offered insight into how attackers are currently operating and how they continue to evolve. For example, different stages of their attacks occur on different days, and they tend to share infrastructure. In response, IT security teams can be on the lookout for these activity identifiers and adjust their detection and filtering practices accordingly. It is also clear that building a layered defense approach that factors in people, processes, and technology will minimize the impact of such attacks, even as they continue to evolve.

(Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet. He has more than 15 years of cybersecurity experience and helps customers formulate security strategy.)
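The two analyses above (weekday versus weekend volume per Kill Chain phase, and domain sharing between threats within a phase) are simple to reproduce on any web-filter block log. The following script is an added example, not Fortinet's or FortiGuard Labs' code, that runs both over a small constructed log. Record layout, threat names and domains are all assumptions: each record is (ISO timestamp, kill-chain phase, threat name, blocked domain). It also adds the check the second finding implies, namely listing domains that appear in more than one phase.

```python
"""Added example (not Fortinet's or FortiGuard Labs' code): weekday/weekend
split per Kill Chain phase and infrastructure sharing between threats,
computed over a constructed web-filter block log.

Record layout (an assumption): (ISO timestamp, phase, threat, blocked domain).
All threat names and domains are constructed samples."""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample block log. 2019-01-07 is a Monday; 12th/13th are the weekend.
SAMPLE_BLOCKS = [
    # exploit phase, weekdays
    ("2019-01-07T09:15:00", "exploit", "ThreatA", "dl.sample-a.test"),
    ("2019-01-07T10:02:00", "exploit", "ThreatA", "cdn.shared-1.test"),
    ("2019-01-08T14:20:00", "exploit", "ThreatB", "cdn.shared-1.test"),
    ("2019-01-08T15:00:00", "exploit", "ThreatD", "ek.sample-d.test"),
    ("2019-01-09T11:00:00", "exploit", "ThreatC", "cdn.shared-1.test"),
    ("2019-01-09T12:30:00", "exploit", "ThreatD", "ek.sample-d.test"),
    ("2019-01-10T16:45:00", "exploit", "ThreatB", "drop.sample-b.test"),
    ("2019-01-11T08:30:00", "exploit", "ThreatC", "kit.sample-c.test"),
    ("2019-01-11T09:00:00", "exploit", "ThreatD", "ek.sample-d.test"),
    # exploit phase, weekend
    ("2019-01-12T03:10:00", "exploit", "ThreatA", "dl.sample-a.test"),
    ("2019-01-12T04:00:00", "exploit", "ThreatB", "drop.sample-b.test"),
    ("2019-01-13T22:00:00", "exploit", "ThreatD", "ek.sample-d.test"),
    # control phase (C2 check-ins) on weekdays and the weekend alike
    ("2019-01-07T21:00:00", "control", "ThreatA", "c2.shared-2.test"),
    ("2019-01-09T02:00:00", "control", "ThreatB", "c2.shared-2.test"),
    ("2019-01-12T13:00:00", "control", "ThreatA", "c2.shared-2.test"),
    ("2019-01-13T05:30:00", "control", "ThreatC", "c2.sample-c.test"),
    ("2019-01-13T06:00:00", "control", "ThreatB", "c2.shared-2.test"),
]


def weekday_split(records):
    """Per phase: block counts on weekdays vs weekends and their ratio."""
    counts = defaultdict(lambda: {"weekday": 0, "weekend": 0})
    for ts, phase, _threat, _domain in records:
        day = datetime.fromisoformat(ts).weekday()   # Monday=0 ... Sunday=6
        counts[phase]["weekend" if day >= 5 else "weekday"] += 1
    out = {}
    for phase, c in counts.items():
        ratio = c["weekday"] / c["weekend"] if c["weekend"] else float("inf")
        out[phase] = {**c, "weekday_to_weekend": round(ratio, 2)}
    return out


def domains_by_threat(records):
    """{phase: {threat: set of domains it contacted in that phase}}"""
    table = defaultdict(lambda: defaultdict(set))
    for _ts, phase, threat, domain in records:
        table[phase][threat].add(domain)
    return table


def shared_infrastructure(records):
    """Edges of the sharing graph per phase: {(threat1, threat2): shared domain count}.
    Pairs that share nothing within the phase are omitted."""
    edges = {}
    for phase, per_threat in domains_by_threat(records).items():
        phase_edges = {}
        for a, b in combinations(sorted(per_threat), 2):
            n = len(per_threat[a] & per_threat[b])
            if n:
                phase_edges[(a, b)] = n
        edges[phase] = phase_edges
    return edges


def sharing_summary(records):
    """Per threat, the share of its domains also used by another threat, plus
    the fraction of all threats that share at least one domain."""
    domain_users, all_domains = defaultdict(set), defaultdict(set)
    for _ts, _phase, threat, domain in records:
        domain_users[domain].add(threat)
        all_domains[threat].add(domain)
    per_threat = {}
    for threat, doms in all_domains.items():
        shared = [d for d in doms if len(domain_users[d]) > 1]
        per_threat[threat] = round(len(shared) / len(doms), 2)
    fraction = sum(1 for v in per_threat.values() if v > 0) / len(all_domains)
    return per_threat, round(fraction, 2)


def cross_phase_domains(records):
    """Domains observed in more than one Kill Chain phase (the article says this is unusual)."""
    phases = defaultdict(set)
    for _ts, phase, _threat, domain in records:
        phases[domain].add(phase)
    return {d for d, p in phases.items() if len(p) > 1}


if __name__ == "__main__":
    print(weekday_split(SAMPLE_BLOCKS))
    print(shared_infrastructure(SAMPLE_BLOCKS))
    print(sharing_summary(SAMPLE_BLOCKS))
    print(cross_phase_domains(SAMPLE_BLOCKS))
```

On the constructed log the exploit phase comes out three times heavier on weekdays while control traffic does not, ThreatD never shares a domain, and no domain crosses phases; on real data a non-empty result from `cross_phase_domains` is the kind of outlier worth a closer look, since a domain serving both exploitation and C2 departs from the pattern the report describes.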

Source

By Uzair Amir Instagram down? You are not alone; Instagram is down for everyone. Another day, another service outage at social media giant Facebook. Yes, the photo- and video-sharing social networking service Instagram has been hit by a worldwide service outage, forcing its website and applications to go offline. According to Instagram’s outage map displayed on DownDetector, […] This is a post from HackRead.com Read the original post: Instagram down: Social networking site suffering service outage

Source

A critical flaw in the popular Evernote note-taking extension could have allowed attackers to steal personal data – including emails and financial transactions – of millions of users. Specifically impacted was the Evernote Web Clipper extension for the Chrome browser, which lets users capture full-page articles, images, selected text, emails and more. The Evernote extension is extremely popular, putting the personal data of more than 4.6 million users at risk, researchers said.

“Upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor’s private data from affected 3rd-party websites,” researchers with Guardio, who discovered the flaw, said in an analysis this week. “In their Proof-of-Concept (PoC), Guardio has demonstrated access to Social media (reading and posting content), Financial transaction history, private shopping lists, and more.”

Researchers disclosed the flaw to Evernote on May 27; a fix was confirmed on June 4. Evernote users are urged to update to version 7.11.1 or later. Evernote did not immediately respond to a request for comment from Threatpost.

The Vulnerability

In order to enable the Evernote extension’s functionality (such as highlighting or screenshotting the content of websites), a JavaScript file is injected into web pages that use the extension. However, a logical coding error (CVE-2019-12592) left a function – used to pass a URL from the site to the extension’s namespace – unsanitized. That means that attackers could inject their own script into the webpage, granting them access to sensitive user information.

“The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker controlled payload into all iframes contexts,” researchers said.

In a proof-of-concept video (below), researchers broke down how an attacker might exploit the flaw. A user first must be persuaded to go to the attacker’s malicious website, perhaps from an email or social media link. That malicious website then silently loads hidden, legitimate iframe tags of targeted websites. An iframe tag is an HTML document embedded inside another HTML document on a website. These iframe tags have injected payloads customized for each targeted website that could steal cookies, credentials and private information, perform actions as the user and more, researchers said.

Evernote has faced security incidents over the years, saying in 2013 that attackers had compromised user information like email addresses and hashed passwords. And in 2014, Evernote fell victim to a distributed denial of service (DDoS) attack that shut down the service for hours.
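The bug class the article describes is page-controlled text (a URL) crossing into the extension's namespace without validation. The following is an added example, not Evernote's or Guardio's code, that contrasts that pattern with a validated, data-only hand-off. The function names (`build_injected_script_unsafe`, `build_clipper_message`, `should_inject`) are hypothetical, the JavaScript text they produce stands in for whatever a content script would inject, and all sample URLs are constructed.

```python
"""Added example (not Evernote's or Guardio's code): a page-supplied URL
spliced into injected script text, next to a validated, data-only hand-off.
All function names are hypothetical; sample URLs are constructed."""
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def build_injected_script_unsafe(page_url: str) -> str:
    """Vulnerable pattern: untrusted text goes straight into script source.
    A URL containing a double quote terminates the string literal, and whatever
    follows it becomes code in the page's context."""
    return f'window.__clipTarget = "{page_url}";'


def validate_page_url(raw: str):
    """Accept only absolute http(s) URLs that carry a host; return the URL or None.
    urlsplit lowercases the scheme, so 'HTTPS://' is accepted as https."""
    parts = urlsplit(raw)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def build_injected_script_safe(page_url: str):
    """If a string must be embedded in generated script, validate it first and
    serialise it with a JSON encoder so quotes and newlines stay inside the literal."""
    href = validate_page_url(page_url)
    if href is None:
        return None
    return f"window.__clipTarget = {json.dumps(href)};"


def build_clipper_message(page_url: str) -> dict:
    """Preferred pattern: pass data, not code. The extension side receives a
    structured message and never evaluates page-controlled text."""
    href = validate_page_url(page_url)
    if href is None:
        return {"ok": False, "reason": "rejected-url"}
    return {"ok": True, "type": "clip-target", "href": href}


def frame_origin(url: str) -> str:
    """scheme://host[:port] of a frame URL, the unit browsers use for same-origin checks."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def should_inject(frame_url: str, allowed_origins: set) -> bool:
    """Only inject into frames whose exact origin is on an allowlist, rather than
    into every iframe context the top-level page happens to load."""
    return frame_origin(frame_url) in allowed_origins


if __name__ == "__main__":
    hostile = 'https://a.test/"; evil(); "'          # constructed breakout sample
    print(build_injected_script_unsafe(hostile))      # quote closes the literal
    print(build_injected_script_safe(hostile))        # quote is escaped
    print(build_clipper_message("javascript:alert(1)"))
    print(should_inject("https://a.test/path", {"https://a.test"}))
```

Two design points follow from the article. First, the extension, not the page, should decide which frames receive a payload, so the allowlist in `should_inject` is compared against exact origins and a look-alike such as `https://a.test.evil.test` does not match. Second, a message object is safer than a serialised string because there is nothing for the receiving side to evaluate; the JSON-escaping variant is shown only for code bases that cannot yet remove string-built script.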

Source