Cybercrime Week in Review 26 September 2015
Introducing the Defensive Framework for Spear Phishing (PhishLabs)
Spear phishing is the preferred attack method for advanced threat actors. Well-crafted spear phishing attacks easily slip past layers of defenses and target the only vulnerability that cannot be patched – people. The vast majority of headline data breaches in recent years have all begun with spear phishing attacks. If your organization has intellectual property, customer data, or critical systems that are valuable, your employees are being targeted with spear phishing emails.
Inside Target Corp., Days After 2013 Breach (Krebs on Security)
In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation — until now never publicly revealed — confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.
IBM tackles ‘shadow IT’ with a new cloud security tool for enterprises (CSO)
If there’s one thing that can strike terror into a CIO’s heart, it’s the security implications of the cloud; if there’s another, it’s the “bring your own” technology trend. Combine the two, and you’ve got the motivation behind IBM’s new Cloud Security Enforcer.
The OPM breach deepens: 5.6 million federal employees’ fingerprints stolen (ZDNet)
It took weeks before the Office of Personnel Management (OPM) admitted that almost 22-million federal employee personnel and security records had been cracked in two separate attacks. Months later, the OPM and Department of Defense (DoD) confessed that “Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”
Global Security Spend Set to Top $75bn in 2015 (Info Security)
Global spending on information security is set to grow by close to 5% this year to top $75bn, according to the latest figures from analyst Gartner.
Chinese leader denies hacks, opens door for cybersecurity accord (CNET)
Security researchers say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected.
Malware Warning: Banks, Customers, ATMs Under Fire (Bank Info Security)
The new warnings center on three types of unrelated malicious code. For starters, malware has been spotted in the wild that is being used to drain cash from ATMs in Mexico, although security researchers warn that it could go global. The Shifu banking Trojan, meanwhile, has moved beyond Japan and is now being used to target customers of four U.K. banks. Finally, the notorious Neutrino crimeware has gotten an upgrade, allowing it to scrape POS device memory and steal payment-card data.
In other Security News…
Hilton Hotels Breach, More OPM Fingerprints Stolen, Apple’s XcodeGhost
According to independent security journalist Brian Krebs, multiple sources in the banking industry have found evidence of potential credit card fraud that suggests hackers compromised the point-of-sale systems in gift shops and restaurants at a large number of Hilton Hotel properties across the US. Franchise properties may also be affected, including Embassy Suites, Doubletree, Hampton Inn and Suites, as well as Waldorf Astoria Hotels & Resorts. Krebs reported the company is investigating the claims.
The Office of Personnel Management (OPM) announced that when hackers infiltrated its systems earlier this year, they got away with approximately 6 million fingerprints – a significant increase from the 1.1 million previously reported. OPM’s response aimed to reassure those potentially affected, adding: “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” In the meantime, an interagency working group – including the FBI, DHS and DOD – will review how adversaries could potentially exploit this information in the future.
Apple was forced to deep clean its App Store after several cybersecurity firms found that dozens, if not thousands, of Chinese apps contained embedded malware. In what is believed to be the first large-scale attack on Apple’s App Store, BBC reported hackers created a counterfeit version of Apple’s software – dubbed XcodeGhost – to be downloaded by developers. Apple released a list of the most popular apps impacted, which includes Wechat, DiDi Taxi, Gaode Map and Angry Bird 2.
Facebook hinted at plans to finally introduce the highly requested “dislike button” and, of course, hackers quickly jumped at the opportunity. Hackread reported scammers started a new campaign that rapidly spread through Facebook, misleading users that clicking a link could give them early access to the button. The scam attempts to gather personal information, install malware, or takeover the account to share the malicious link with users’ Facebook friends.
A Morgan Stanley employee fired in connection with the company’s data breach has pleaded guilty to downloading confidential data from hundreds of thousands of customer accounts. The former financial advisor Galen Marsh copied the names, addresses, account numbers and investment information of approximately 730,000 accounts, including those of Wealth division clients. Marsh agreed not to appeal any prison sentence of up to 37 months – sentencing is scheduled for December.
Adobe issued an update this week, patching nearly two dozen critical vulnerabilities in Adobe Flash Player, which could “potentially allow an attacker to take control of the affected system,” warned the security bulletin. Windows and Mac users are urged to update to Flash Player version 19.0.0.185; Unix users should update to 11.2.202.521.
Malvertisers recently hit the highly trafficked websites Forbes and Realtor.com, redirecting visitors to the Neutrino and Angler exploit kits. Security researchers reported eight Forbes URLS attached to news stories published in 2012 and 2015 in one of the attacks. The kits appeared to have exploited Flash, Java, Silverlight and numerous other browser vulnerabilities through the malicious ads, which ran from September 8 – 15. Forbes quickly responded to the issue and has since shut down the malware-serving ads.
Notable news stories and security related happenings:
Techie Finds 1.5 MEELLION US Medical Records Exposed on Amazon’s AWS. “It has been claimed that the names, addresses, and phone numbers, along with biological health information including existing illnesses and current medications, were posted in the clear to Amazon S3 storage servers by insurers using Systema Software.” (Source: The Register)
South Korean Child Monitoring App Beset by Vulnerabilities, Privacy Issues. “Researchers with the Canadian watchdog group Citizen Lab discovered 26 vulnerabilities and design flaws in Smart Sheriff, a children’s monitoring app that gained popularity this summer when its use was essentially mandated by the Korean government.” (Source: Kaspersky Labs’s ThreatPost)
Cyberattack 101: Why Hackers Are Going After Universities. “These aren’t college kids trying to change their grades. They’re potentially “nation-state actors” much like the hackers who have targeted large corporations in the past, said Michael Oppenheim, intelligence operations manager at Internet security firm FireEye.” (Source: NBC News)
Kardashian Website Exposes User Info for Hundreds of Thousands of Fans. “The Kardashians are often called “over-exposed,” but a flaw in recently launched websites for the celebrity family offered exposure of an entirely different kind: the names and email addresses of more than half a million users.” (Source: InfoSecurity Magazine)
Majority of UK Businesses have been Targeted by Cyber Criminals. “The government has warned that 90% of major businesses have faced a cyber attack in the past year, with 74% of small businesses also victims of cyber crime.” (Source: Computer Weekly)
Insurance and Education Should be Weapons in Fight Against Cyber-crime. “The majority of businesses do not have cyber security insurance, with many not even aware such protection exists – and even those that do have insurance in place may find themselves at a loss if they don’t have the correct cover. The solution may be to mandate more data sharing and raise public awareness, according to speakers at a roundtable organised by software security company Kaspersky Lab.” (Source: Banking Technology)
Starbucks Stays Schtum, After Patching Critical Website Vulnerabilities. “Starbucks has patched three critical vulnerabilities on its website, but it still hasn’t respond to the security researcher who first found the bugs. Mohamed M. Fouad, an Egyptian security researcher, recently published a post on his blog that explains the severity of his discovery.” (Source: Graham Cluley’s Blog)
More Genuine iPhone Apps May Still be Infected with Malware Following Massive App Store Hack. “Cunning hackers from China managed to sneak malware into what’s generally thought of as an impenetrable target, Apple’s App Store. They created a custom version of the Xcode program developers use to create iPhone apps, thus injecting the malware payload right into the apps that Apple staff would later approve.” (Source: BGR)
Number of XcodeGhost-infected iOS Apps Rises. “As the list of apps infected with the XcodeGhost malware keeps expanding, Apple, Amazon and Baidu are doing their best to purge their online properties of affected apps, malicious Xcode installers, and C&C servers used by the attackers to gather the stolen information and control the infected apps/devices.” (Source: Help Net Security)
The Ethics of AdBlocking. “Adblocking is becoming a more and more contentious topic in recent days. Publications, understandably, do not want people to block ads – they derive much of their revenue from them. Users find them to be intrusive and often feel that they impede their usage of a site; and, given the recent meteoric rise of malvertising, ads can often become downright dangerous. Where is the balance between the desires of publishers and the safety of users?” (Source: IT Security Guru)
OPM Fingerprint Breach 5 Times Larger Than Originally Thought. “The federal government’s main employment body turns out to have significantly undershot its estimates as to how many people were affected by the breach that was uncovered in the summer. The number of people whose prints were lifted, so to speak, was originally thought to be about 1.1 million.” (Source: InfoSecurity Magazine)
Your iOS 9 Lockscreen Can Be Bypassed in 30 Seconds. “Apple iOS is believed to be one of the most secure and advanced mobile operating systems on the market. However, this recently discovered security flaw found within the newly released version of iOS, which is iOS 9, has been demonstrated by numerous users through their YouTube channel.” (Source: HackRead)
Why Healthcare Is a Big Target for Advanced Malware. “A healthcare record is worth about 10 times as much as a credit card to fraudsters and other cybercriminals because of the wealth of data in those records, which includes names, dates of birth and Social Security numbers as well as other clinical, insurance and financial data, Slocum says.” (Source: Data Breach Today)
NHS-approved Apps Found ‘Leaking’ ID Data. “Many NHS-accredited smartphone health apps leak data that could be used for ID theft and fraud, a study has found. The apps are included in NHS England’s Health Apps Library, which tests programs to ensure they meet standards of clinical and data safety. But the study by researchers in London discovered that, despite the vetting, some apps flouted privacy standards and sent data without encrypting it.” (Source: The BBC)
Project Zero Bod Says Antivirus Black Market is Growing. “Google troublemaker Tavis Ormandy, whose credits include turning up security vuln in popular antivirus products, reckons he’s identified an active market in antivirus exploits.” (Source: The Register)
Privacy-conscious Employees, Not Security-concerned IT Pros, are Behind BYOD Delays. “A majority of employees have chosen not to participate in their company’s BYOD program because they don’t want the IT department to have visibility into their personal data and apps through enterprise mobility management products. Surprisingly, 38 percent of IT admins surveyed are also not participating in their firm’s BYOD program for the same reason.” (Source: Fierce Mobile IT)
Hackers are Selling Your Data on the ‘Dark Web’… for Only $1. “Hackers responsible for data breaches at companies often put the information they have stolen on the dark web for others to buy and make use of for financial gain.” (Source: CNBC)
Using External URL Shorteners for Internal Needs May Lead to Sensitive Data Leaks. “Using external URL shortener services to create better-looking links to internal company documents, sensitive files and internal websites is a practice that company employees should avoid, says security researcher Shubham Shah, as it can result in those documents being accessed by individuals with malicious intentions.” (Source: Help Net Security)
Yet Another Pre-installed Spyware App Discovered on Lenovo Computers. “A factory refurbished Thinkpad shipped with Windows 7 and a scheduler app that ran once a day, collecting usage data about what you do with your computer and exfiltrating it to an analytics company. The fact that this was taking place was buried deep in the user ‘agreement’ that came with the machine.” (Source: Boing Boing)
Social Media Can Quickly Take Down Your Business if Not Monitored. “Cyber intrusions have dominated news and media headlines the past few years. Incidents of data and personal identifiable information theft are constant reminders of how dangerous cyberspace has become whether perpetrated by nation states, their agents, or cyber criminals. However, in the midst of cyber espionage and cyber theft, organizations may lose track of an equally important part of their business operations – protecting their brand.” (Source: Norse Crop’s Dark Matters)
Healthcare Sector 340% More Prone to IT Security Threats. “Hackers are much more likely to use certain forms of malware to target healthcare organisations: They are 450% more likely than average to be hit by the Cryptowall ransomware, a Trojan that encrypts files on a user’s device and asks for payment to release the data.” (Source: Computer Weekly)
Be Careful in Putting Your Cybertrust in Google, Microsoft and Apple. “While there are many arguably great benefits that come with using technology and services from tech giants such as the ones mentioned above, some common issues tend to plague complex systems. The complexity of the system in and of itself generally makes it more difficult to secure every aspect of it. There might be more resources available for increasing the security of the system, but the belief that the infrastructure tech giants offer is more secure is simply a false perception of security. Even giants have security holes.” (Source: CSO Online)