Tag Archives: cybersecurity

Security Never Sleeps- Uber Breach, LA Cybersecurity

FTC: Uber Failed To Protect 100,000 Drivers In 2014 Hack

“Uber lacking security in several areas”

The Federal Trade Commission had ruled that Uber must upgrade its security systems after reviewing its current programs and finding them lacking. The review revealed evidence that a 2014 data theft had been twice as large as originally reported,where details of 100,000 drivers leaked to an intruder. The leak was made possible when the cybercriminal  was able to view driver data on an Amazon Web Services store in plain text.

Los Angeles plans to launch a cybersecurity threat-sharing group with city businesses

“Expected to lead as part of larger trend between state and business”

The city of Los Angeles has now officially announced a collaboration of cybersecurity threats with businesses that operate in the city. Industry organizations and federal agencies have made certain agreements that threat-share with each other in the past, however none have reached the scope and incorporation of SME’s that Los Angeles is orchestrating. Initial partners include video game production firm Riot Games, law firm O’Melveny and Myers and mall operator Westfield.

Automating cloud compliance

“Headchange needed for quality security”

Security systems are often viewed by individuals and firms as point-in-time activities. Standards and regulations are often based on this model, especially in cloud computing where customers are generally more in flux and rarely static. But in reality, constant compliance, auditing, and assurance programs are the only real way to ensure the viability of your protection.

Greed drives malevolent insider to steal former employer’s IP

“Remote IP theft”

Design and engineering firm Allen & Hoshall has fallen victim to a growing trend in IP crime. Remote theft of company data and ideas is growing, and Jason Needham, after founding the competing firm HNA-Engineering, helped himself to their ideas and research remotely via hacking.

Enjoy your read? Check out our other content here.

10Fold Security Never Sleeps- Financial Malware, TalkTalk Breach

When it comes to cybersecurity, companies need force fields, not walls

“Dire threats seem almost imperceptible”

The public often views recent headlines like the DNC or HBO data breaches and don’t work up too much anxiety over their own personal information security or insidious malware programs lurking online. However, these occurences are growing increasingly common, and nearly everyone’s sensitive information could be at risk.

TalkTalk fined £100,000 for long-forgotten 2014 data breach

“Reputation has been revived as well as legal fees”

The TalkTalk data breach of 2014 has long since faded from public view, but the associated government proceedings certainly have not. The incident saw hackers accessing the personal details of over 150,000 customers, earning the firm over £400,000 in relevant fines.

‘Hack the Air Force’ challenge most successful military bug bounty yet

“Over 200 public facing bugs found”

 The Air Force has continued its “Hack the Air Force” program which crowdsources cybersecurity testing on its public systems. This uncovered 207 patchable security flaws in about one month that could be exploited y hackers and malware, prompting Marten Mickos, chief contractor of HackerOne, to comment “It was the most successful [Department of Defense] bug bounty so far.”

Uptick in Malware Targets the Banking Community

“Incredible amount of money stolen in recent months”

New and even relatively archaic tactics have allowed cybercriminals to make off with vast sums of cash from many financial institutions of late, with both traditional banks and cryptocurrency funds being looted. Banking and financial malware has been a growing concern among researchers, and recent trends do not ease those fears.

Enjoy your read? Check out our other content here.

10Fold- Security Never Sleeps- 187

Undetected For Years, Stantinko Malware Infected Half a Million Systems

“Massive botnet remained under the radar for five years”

Half a millions devices have been infected by a rogue botnet, dubbed Stantinko. ESET researchers warn that affected systems can “execute anything on the infected host.” The malware has powered a huge adware campaign since at least 2012, largely targeting Russia and Ukraine, but remained hidden via code encryption until now.

Network Spreading Capabilities Added to Emotet Trojan

“Emotet Trojan spreads malware on internal networks”

Fidelis Cybersecurity researchers have identified a new variant of the Emotet Trojan that can distribute malicious programs on internal systems. Recent WannaCry and NotPetya incidents have shown us just how efficient and costly these attacks can be if they spread, increasing concerns among security researchers on greater prevalence in the future.

US Banks Targeted with Trickbot Trojan

“Necurs spreads to financial institutions”

New Emotet banking Trojan signals increasingly complex attacks on the finance industry. An official blog post had subsequently confirmed that a ‘security alert is ongoing related to the discovery, the effects of which are continuing.

Healthcare Industry Lacks Awareness of IoT Threat, Survey Says

“Three quarters of IT decision makers report that they are ‘confident’ they’re secure”

Healthcare networks are filled with IoT devices, but a study has found that the majority of IT experts claim that security systems for many of these are not adequately protected despite many believing that they are.

Kansas data breach compromised millions of Social Security numbers In 10 States

“Over 5.5 million potentially compromised”

A breach of the Kansas Department of Commerce may have given hackers access to millions of social security numbers, putting the department on the hook for credit monitoring services for all victims. The SSN’s had not been previously reported. The Kansas News Services obtained the information through an open records request.

Enjoy your read? Check out our other content here.

My First Trendjack Experience at 10Fold

As a new addition to the 10Fold team, as well as being new to the cybersecurity practice in general, it has been important for me to monitor the news on a daily basis in order to get familiar with trending topics and identify what it is my clients can speak to with authority. Although many stories have caught my eye in the last two months since I started these daily news sweeps, the NotPetya cyber attack stood out to me above all others.  

Peyta/NotPetya/ExPetr/GoldenEye is an ongoing cyberattack that started Tuesday, June 26. It began with a cyberattack in Kiev, Ukraine, where this malware went on to hit around 2,000 computer systems, specifically targeting computers running the Microsoft Windows Operating system. While many people originally believed it to be a form of ransomware similar to the recent ‘Petya’ attacks, this malicious software has been categorized as a  “wiper.” It’s designed to cause mayhem and wipe computers – and is not actually ransomware – which is why this ongoing attack has adopted so many names. It’s similar, but also different in a lot of ways.

Although there were corporations and public sector agencies affected in more than 65 countries all over the world, Ukraine and Russia were hit the hardest, including Ukraine government ministries, banks, utilities, telecom operators, an airport and other major companies. Also attacked were Russian oil giant Rosneft and Russian web security firm group-IB. Computers at the Chernobyl nuclear plant were compromised as well, forcing workers to manually monitor radiation levels, which have their own inherent security and safety challenges. Others hit include companies in the UK, Germany, China and U.S., British advertising giant WWp, French Industrial group Saint-Gobain, Shipping giant A.P. Moller-Maersk, Cadbury, pharmaceutical companies, hospitals and many more.

What was interesting about Petya was that after encrypting files on the PC, it demanded $300 worth of Bitcoin Cryptocurrency in order to supposedly unlock them. It turned out that as the story evolved, the ransomware was later categorized as a wiper, as previously stated, and the computer’s’ files were completely destroyed. Some security experts claim that this attack is more harmful than WannaCry, because rather than spreading only via a weakness in Windows’ SMB, the NotPetya malware can also spread by finding passwords on the infected computer to move from system to system. It extracts passwords from memory and local filesystem. Once inside a corporate network, it works its way from computer to computer, destroying the infected machines’ filesystems.

There has yet to be a solid explanation on the attackers’ motive and what they were after. Researching the attack, NATO said it was likely launched by a state actor or by a non-state actor with support and approval from a nation state since the operation was extremely complex and likely very expensive. The Russian government has been suspected as a possible origin for NotPetya. The latest rumors suggested that it spread by accident by a Ukrainian tax software company, named MeDoc.

NotPetya is continually evolving and more information is exposed every day. As one of the more significant organized attacks in 2017, it should bring awareness to the fact that many are unprotected. Even though large-scale attacks like this are not new, they are important to watch because each time around they are getting stronger and more sophisticated.   

It will be fun keeping an eye on more of these trends as they pop up. The next one I’ll dive into is the recent disclosures of public cloud leaks from organizations using the popular AWS services!

By Kory Buckley

Enjoy your read? Read our other blog content here.

 

 

Sources:

http://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future

https://www.reuters.com/article/us-cyber-attack-ukraine-backdoor-idUSKBN19Q14P

http://www.darkreading.com/attacks-breaches/petya-or-not-global-ransomware-outbreak-hits-europes-industrial-sector-thousands-more/d/d-id/1329231

https://www.theverge.com/2017/7/2/15910826/nato-response-petya-attack-state-actor-russia-ukraine

http://www.csoonline.com/article/3204547/security/petya-wannacry-and-mirai-is-this-the-new-normal.html

https://www.forbes.com/sites/thomasbrewster/2017/07/05/notpetya-hackers-demand-256000-in-bitcoin-to-cure-ransomware-victims/#5f709ac86cf9

10Fold Reveals 10 Largest Breaches of 2016

Nearly Three Billion Personal Records Breached Around the World

SAN FRANCISCO, CA–(Marketwired – Jan 19, 2017) – 10Fold, a full-service B2B technology public relations agency with a specialization in cybersecurity, today announced that in 2016, more than 2.8 billion personal records were breached on social and file-sharing platforms, email providers and government databases around the world. In its second annual year-in-review, 10Fold analyzed the largest data breaches of 2016, then ranked the top 10 from greatest to least.

“If 2015 was the year of the healthcare data breach — breaches impacted nearly 40 million people — then 2016 was the year of the social media breach. Four of the top 10 breaches were social media related and impacted more than 640 million people,” said Angela Griffo, vice president of the cybersecurity practice at 10Fold. “But the biggest surprise of the year was Yahoo revealing that the information of more than 1.5 billion people had been stolen by attackers. Regardless of an attacker’s motive, any compromised information leaves users susceptible to identity theft and fraud.”

News reports about the 10 largest data breaches discovered in 2016, which are listed below, indicated that each attack affected 49 million users or more. 10Fold selected these data breaches based on independent research collected throughout 2016 and cross-referenced the information with third-party resources, including ID Theft Resource Center and Information is beautiful.

10 Largest Data Breaches of 2016:

1. Yahoo: 1.5 Billion Users — The Yahoo data breach is possibly the largest email provider data breach in history. When Yahoo first confirmed the breach in September 2016, the company revealed the breach impacted 500 million user accounts. The stolen account information included names, dates of birth, telephone numbers, passwords, and security questions and answers. In December, the company revealed an additional one billion users had been affected by the breach, bringing the grand total of affected users to 1.5 billion.

2. FriendFinder Network: 412 Million Users — In October, a number of sites in the FriendFinder Network were hacked, resulting in a data breach that affected 412 million users. According to LeakedSource, the sites affected included Adult Friend Finder, Cams and Penthouse. The breached data encompassed 20 years of user information and included user names, emails, passwords, joining dates and the date last visited. A significant amount of the user information released was the stored data of users who had previously attempted to delete their accounts. Of the total records breached and released, 15 million came from deleted accounts.

3. Myspace: 360 Million Users — In May, the prolific cyberhacker Peace sold the data of 360 million Myspace users. Released user information included names, passwords and secondary passwords. According to Time Inc., the information was from an older 2013 Myspace platform. Only those profiles that existed prior to the site’s relaunch were affected. The new site now includes stronger user account security.

4. LinkedIn: 117 Million Users — In May, it was announced that cyberhacker Peace had sold 117 million emails and encrypted passwords on the dark web for roughly $2,200.

5. VK Russia: More than 100 Million Users — In June 2016, it was reported that hacker Peace was selling the data of 100 million VK users for roughly $570. The information released contained usernames, emails, unencrypted passwords, locations and phone numbers. What’s more, the original hack occurred between 2011 to 2013.

6. Dailymotion: 87.6 Million Users — In October 2016, France-based video sharing site Dailymotion reports indicated that hackers released the usernames and emails of 87.6 million users. According to the Dailymotion blog post, the breach was due to an external security problem. While the company claimed the hack was limited — roughly 18.3 million user accounts were associated with encrypted passwords — all partners and users were still advised to reset their passwords for safekeeping. Dailymotion is the 113th most-visited website in the world.

7. Tumblr: 65 Million Users — In May, 65 million Tumblr accounts were found for sale on the dark web. A cyberhacker using the alias Peace sold the data for $150. According to security researcher Troy Hunt, the data contained email and password information.

8. DropBox: More than 60 Million Users — In August 2016, Dropbox announced that it had reset the passwords of more than 60 million users after the company discovered that an old set of Dropbox user credentials was taken. While the company suspects that the records were originally obtained in 2012, the breach was not discovered and users were not notified until 2016. The released information contained usernames and encrypted passwords. It has been reported that a senior Dropbox employee verified the released data is legitimate.

9. Philippines’ Commission on Elections: 55 Million Voters — On March 27, a hacker group posted the entire database of the Philippines’ Commission on Elections (COMELEC) online. The attackers also shared three links where the information of 55 million registered voters in the Philippines could be downloaded. The distributed data included email addresses, passport numbers and expiration dates, and fingerprint records — information that cannot be replaced or reset. Various reports suggest this breach is the biggest government-related data breach in history.

10. Turkish Citizenship Database: 49.6 Million Citizens — In April 2016, the entire Turkish citizenship database was hacked. Attackers released the personal information of 49.6 million citizens. The information released included details that are found on a standard Turkey identification card, including national identifier, name, parents’ names, gender, birthdate, city of birth and full address. According to reports, hackers validated the data by publishing details of Turkey’s president and former prime minister Recep Tayyip Erdogan. It’s suspected that the hack was politically motivated, based on the following statement found in the released database: “Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?”

Visit 10Fold at Security Never Sleeps During RSA
This year 10Fold is hosting its seventh annual Security Never Sleeps luncheon at RSA, which features a moderated panel discussion and audience Q&A with the cybersecurity industry’s leading executives, media and analysts. The event takes place on Wednesday, February 15 from 11:30 a.m. to 1:30 p.m. PST. Interested in attending this – Invitation Only – event ? Please send an email to: events@10fold.com and we’ll contact you to discuss your potential participation.

About 10Fold
10Fold is a leading North American public relations firm with regional offices in San Francisco, Pleasanton and Capistrano Beach, California. As a privately owned company founded in 1995, 10Fold provides strategic communications and content expertise to B2B organizations that specialize in networking, IT security, cloud, storage, Big Data, enterprise software, AppDev solutions, wireless, and telecom. The award-winning, highly-specialized account teams consist of multi-year public relations veterans, broadcasters and former journalists. 10Fold is a full-service firm that is widely known for its media and analyst relations, original content development, corporate messaging, social media and video production capabilities (through its division ProMotion Studios). For more information, visit www.10fold.com or follow us on Twitter (@10FoldComms) and Facebook (www.facebook.com/10FoldComms).

10Fold- Security Never Sleeps- 118

Tesco Acknowledges, Apologizes for Compromise of Over 40,000 Accounts

“Cash stolen from about half of accounts accessed”

One of the biggest hacking events on a bank in United Kingdom history occurred Monday, ending with nearly 40,000 accounts compromised according to Tesco CEO Benny Higgins. “Online criminal activity” was reported by the firm over the weekend, and it was later reported that 15% of its total accounts had shown signs of fraudulent withdrawal. The bank has issued various statements on the refunding of cash thefts to date.

RCE Flaw in Bopup Found

“Enterprise IM manager has significant security breach”

Cybersecurity service firm Trustwave has found a remote code execution flaw in Bopup Communications servers, a buffer overflow that cybercriminals to exploit the application. A packet is able to be sent to a remote administration port and allows for remote execution of commands on the communication sites servers.

Controversial Cybersecurity Law Passes in China

“Watchdog organizations warn of human rights violations”

Greater control over the internet in China has many worried about implications towards businesses and individual rights. While the government added certain amendments to address these concerns, it did little to appease critics. Many corporations have announced that the law will force them out of the country, while Sophie Richardson of Human Rights Watch has declared that the requiring of local storage data is in violation with many international treaties.

Moxa Ethernet Products Found to Have Serious Issues

“Critical and moderate vulnerabilities found”

Several security flaws have been detected in Taiwan based Moxa Industrial Ethernet products, according to an advisory recently distributed by ICS-CERT. The Moxa OnCell LTE cellular gateways, AWK Wireless AP/bridge/client products, TAP railway wireless units, and WAC wireless access controllers have improper authentication and other vulnerabilities.

 

 

10Fold- Security Never Sleeps- 114

A PREDATOR to Fight DNS Domain Abuse

“Intended to block malicious domain registration”

Princeton University, Google and several other institutions have been able to develop a program that will allow the detection and stop of bad actors that look to register domain names for malicious purposes. Details of the new Proactive Recognition and Elimination of Domain Abuse at Time of Registration was presented at the ACM conference last week.

“Booter” Services Going Extinct?

“Research shows potential measures that could prevent mass attacks”

Web-based contracted cyber criminals, whose services are known as “booter” or “stresser” attacks, may soon be prevented from engaging in further nefarious activities soon. German researchers have studied patterns that come about when malicious actors mass-scan the internet in attempts to find website weaknesses, or DDoS attacks.

Many Joomla Sites Hacked via Recently Patched Flaws

“Flaws could be exploited to upload a backdoor of vulnerable websites”

Fewer than 24 hours that a new patch was made available to fix serious flaws in Joomla websites, researchers had already witnessed several events in which bad actors were able to overtake privilege escalations and create access points allowing for remote execution of commands. The two most critical concerns which are now patched, CVE-2016-8869 and CVE-2016-8870, could allow for serious backdoor authorization if a hacker is well versed in their trade.

Controversial Chinese Cybersecurity Law Looks Likely to Pass

“Foreign governments and business groups eager to protest”

The Chinese Parliament has now readied its third draft of a widely criticized new law that will officially codify the sanctions it has placed over the internet within its own borders. The bill will be presented for a vote on the seventh of this month, and is met with vast opposition from many sectors of society which all claim that its inherent vagueness would allow discrimination against firms abroad on an arbitrary basis.

 

 

10fold- Security Never Sleeps- 101

Nearly Half of State Voter Registrations Attacked by Russian Hackers

“Four were cracked, leaving speculation on security of upcoming election”

As we covered in our last installment, cyber security threats from the Russians have been on the rise in this year’s voting season. We can see now that these fears may have some legitimacy, as Russian hackers were successfully able to enter several voter registration systems in the U.S.

James Comey, Director of the FBI released in his statement that “There’s no doubt that some bad actors have been poking around.” Among those attempted to be breached were what many political analysts consider to be this year’s electoral ‘swing states’, including Arizona and Illinois.

GAO Claims Issue at FDA Cybersecurity Systems

“Confidential health data potentially at risk”

Security firewalls and 80 other weaknesses were found in the Food and Drug Administration’s computer programs. This lack of proper security would allow hackers to breach confidential health information. The information was made public after the GAO, the Government Accountability Office, made 15 instructional changes to beef up security measures after an extensive audit undertaken to strengthen government agencies from potential cyber attacks.

Ransomware Spread Increases

“Weak desktop credentials biggest point of most common point of contact”

Stolen credentials for widespread remote administration application TeamViewer has been largely used to insert ransomware software ‘Surprise’, according to a research team in March. The number of attacks have increased significantly of late, adopted by more highly effective cybercriminals noting its success from their lesser-known counterparts.

The cyberattacks began long before the TeamViewer insertion via RPD servers, but started as crude password generator attacks. This recent development allows criminals to be far more effective in their theft and hacking techniques.

Tofsee Malware Now Distributed Via Spam

“Experts believe the new method is more profitable for hackers”

While malware program Tofsee has been around since 2013, its current spam distribution method is fairly new. The RIG exploit kit that recently oversaw the spread of the malware has stopped circulating, leaving spammers to employ their bots to pick up the slack. Cybercriminals often use Tofsee to engage in , including click fraud, cryptocurrency mining, DDoS attacks and sending spam.

 

10Fold – Security Never Sleeps – 98

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Researchers have encountered a denial-of-service botnet that’s made up of more than 25,000 Internet-connected closed circuit TV devices. Scammers are spreading JavaScript malware disguised as a Facebook comment tag notification. The Threat Group 4127 that hit the Democratic National Committee also went after 1,800 other targets with info interesting to Russian government, says SecureWorks. The whitehats from Kaspersky Lab provided a free tool that allowed victims to decrypt their precious data without paying the ransom, which typically reaches $500 or more.

Large botnet of CCTV devices knock the snot out of jewelry website – Publication: Ars Techinca – Reporter name: Dan Goodin

The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second. The DDoS attack continued for days, causing the Sucuri researchers to become curious about the origins of the attack. They soon discovered the individual devices carrying out the attack were CCTV boxes that were connected to more than 25,500 different IP addresses. The IP addresses were located in no fewer than 105 countries around the world.


Facebook comment tag malware scam targets Chrome users – Publication: SC Magazine – Reporter name: Robert Able

A user will receive a notification in their app and/or in their email about a friend tagging them in a comment and, upon clicking the link, malware is downloaded to their device, according to Hackread. Currently the malware is only targeting Chrome and one analyst on the network question and answer site Stack Exchange said the file is a typical obfuscated JavaScript malware, which targets the Windows Script Host to download the rest of the payload.


Google Accounts Of US Military, Journalists Targeted By Russian Attack Group – Publication: Dark Reading- Reporter name: Sara Peters

A Russian attack group used the Bitly URL-shortener to disguise malicious links in order to carry out spearphishing campaigns not only against the Democratic National Committee, but also against some 1,800 Google accounts of US military and government personnel and others.


New and improved CryptXXX ransomware rakes in $45,000 in 3 weeks – Publication: Ars Technica- Reporter name: Dan Goodin

Earlier this month, the developers released a new CryptXXX variant that to date still has no decryptor available. Between June 4 and June 21, according to a blog post published Monday by security firm SentinelOne, the Bitcoin address associated with the new version had received 70 bitcoins, which at current prices is valued at around $45,228. The figure doesn’t include revenue generated from previous campaigns.

10Fold – Security Never Sleeps – 97

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: A remote desktop access service called GoToMyPC was hacked this weekend and is urging all users to immediately change their passwords; The number of network infections generated by some of the most prolific forms of malware — such as Locky, Dridex, and Angler — has suddenly declined; on Friday night a hacker made off with $50 million of virtual currency after hacking the DAO (Decentralized Autonomous Organization); and a new variety of ransomware called RAA has been discovered.

GoToMyPC hit with hack attack; users need to reset passwords – Publication: PCWorld – Reporter name: Nick Mediati

According to a post published to GoToMyPC’s system status page, the remote desktop access service experienced a hack attack this weekend, and it’s now requiring all users to reset their passwords before logging in to the service.


Malware infections by Locky, Dridex, and Angler drop — but why?  – Publication: ZDNet – Reporter name: Danny Palmer

The number of network infections generated by some of the most prolific forms of malware — such as Locky, Dridex, and Angler — has suddenly declined. Instances of malware and ransomware infection have risen massively this year, but cybersecurity researchers at Symantec have noticed a huge decline in activity during June, with new infections of some forms of malicious software almost at the point where they’ve completely ceased to exist.


A $50 Million Hack Just Showed That the DAO Was All Too Human – Publication: WIRED- Reporter name: Klint Finley

Sometime in the wee hours Friday, a thief made off with $50 million of virtual currency. The victims are investors in a strange fund called the DAO, or Decentralized Autonomous Organization, who poured more than $150 million of a bitcoin-style currency called Ether into the project.


New RAA ransomware written in JavaScript discovered – Publication: SC Magazine UK – Reporter name: Doug Olenick

A new variety of ransomware called RAA has been discovered that has the somewhat unusual attribution of being coded in JavaScript instead of one of the more standard programming languages making it more effective in certain situations.