Monthly Archives: May 2017

US Defense Contractor left Sensitive Files on Amazon Server Without Password

Sensitive files linked to a United States intelligence agency were reportedly left on a public Amazon server, without a password, by one of the nation’s top intelligence contractors, according to a new report.

 
UpGuard cyber risk analyst Chris Vickery discovered a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server for anyone to access.
The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country’s top defense contractors.

Although there weren’t any top secret files in the cache Vickery discovered, the documents included credentials for code repositories that could contain classified files and further credentials.

Master Credentials to a Highly-Protected Pentagon System were Exposed

Roughly 28GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance, Gizmodo reports.
What’s more? The exposed data even contained master credentials granting administrative access to a highly-protected Pentagon system.

 
The sensitive files have since been secured. They were likely hidden from those who didn’t know where to look, but anyone who did, as Vickery did, could have downloaded them, potentially gaining access to both highly classified Pentagon material and Booz Allen information.

“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” Vickery says.

Vickery is a reputed and responsible researcher who has previously tracked down a number of exposed datasets on the Internet. Two months ago, he discovered an unsecured and publicly exposed database containing nearly 1.4 billion user records, linked to River City Media (RCM).

Vickery is also the one who, in 2015, reported a huge cache of more than 191 million US voter records and the details of nearly 13 million MacKeeper users.

Both NGA and Booz Allen are Investigating the Blunder

The NGA is now investigating this security blunder.

“We immediately revoked the affected credentials when we first learned of the potential vulnerability,” the NGA said in a statement. “NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action.”

Booz Allen, meanwhile, said the company is continuing with a detailed forensic investigation into the misstep.

“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesperson told Gizmodo.

“We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

Booz Allen Hamilton is the same consulting firm that employed whistleblower Edward Snowden when he disclosed the global surveillance conducted by the NSA. It is among the top 100 US federal contractors and was once described as “the world’s most profitable spy organization.”

 

via:  thehackernews

Researchers Release Patch for NSA-linked "EsteemAudit" Exploit

Security researchers at enSilo have released a patch to keep vulnerable systems protected from a recently released Windows exploit allegedly used by the National Security Agency (NSA)-linked Equation Group.

Dubbed EsteemAudit, this exploit targets a remote desktop protocol (RDP) bug and can be abused to move laterally within a compromised organization’s network, as well as to infect victims with ransomware or backdoors, or to exfiltrate sensitive information.

The exploit might not be as popular as the EternalBlue exploit, which fueled large infections such as WannaCry or Adylkuzz, but it could prove as devastating.

EsteemAudit was made public last month when the hacking group known as the Shadow Brokers decided to release a new set of exploits and tools allegedly stolen from the NSA-linked Equation Group last year. Soon after, Microsoft said the vulnerabilities had been patched in March.

The hackers initially put the tools up for auction, but decided to release some of them for free after failing to attract buyers. Last week, the Shadow Brokers announced plans to launch a subscription service and share more exploits to members for a monthly fee.

Unlike EternalBlue, which affects a variety of Windows versions, EsteemAudit only works on Windows XP and Windows Server 2003, which supposedly limits its overall impact. However, this also means that an official patch is unlikely to arrive from Microsoft, as it no longer offers support for these platforms.

Because of that, enSilo decided to release a persistent patch for these systems and keep users safe from attacks possibly leveraging the exploit. The decision was fueled by the fact that a large number of machines continue to use Windows XP and Server 2003, the researchers say.

“Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of EsteemAudit. Any attempt to use EsteemAudit to infect the patched machine will inevitably fail,” enSilo explains.

Installing this patch, however, doesn’t render Windows XP or Server 2003 systems fully secure, as hundreds of other vulnerabilities impacting them still exist and will never be patched. This patch resolves only the vulnerability exploited by EsteemAudit and works on both x86 and x64 platform versions.

The patch is available for download on enSilo’s website and is installed by an installer after the user accepts the terms of use. Uninstallation is supported by signaling an event (which removes the patch from memory) and unregistering the patch so that it no longer loads into subsequent RDP sessions.

“The patch for Windows XP and Server 2003 supports silent installation and does not require a reboot, which helps users avoid the required downtime typically associated with patch installations. Upon patching, any attempt to use an EsteemAudit exploit to infect a patched machine will inevitably fail,” the researchers say.

 

via:  securityweek

It Takes Criminals Just 9 Minutes to Use Stolen Consumer Info, FTC Says

Federal Trade Commission experiment lured hackers to learn about how they use stolen consumer information.

The Federal Trade Commission’s (FTC) Office of Technology conducted an experiment to learn how hackers use stolen information. Experts created a database of fake consumer credentials and posted it twice on a site that hackers use to make stolen data public.

This false information was made realistic by using popular names based on Census data, US-based addresses and phone numbers, common email address naming strategies, and one of three types of payment info (online payment service, bitcoin wallet, and credit card). Following the second posting of fake data, it took hackers just nine minutes to try and access it.

There were more than 1,200 attempts to access the information, which hackers tried to use to pay for things like food, clothing, games, and online dating memberships. The FTC advises consumers to stay safe with two-factor authentication, which prevented the thieves from gaining access.


 

via:  darkreading

GE patches flaws allowing attackers to ‘disconnect power grid at will’

Researchers have discovered a significant software flaw in the energy grid equipment sold by General Electric (GE) that could allow even lone attackers with limited resources to “disconnect sectors of the power grid at will”.

Until last week, this alarming sentence was little more than part of a placeholder for July’s Black Hat conference, advertising a session by three researchers from New York University.

Last week, however, GE suddenly announced that it had issued fixes for five of the six flaws, with the last on its way.

Black Hat sessions specialise in telling the world about new flaws and proof-of-concept attacks, but it is unusual in this sector for the mere publication of a public presentation to spur PR into action like this.

The researchers have only released the barest details of the issue but we know it is in the General Electric Multilin product line. Boasts the Black Hat briefing note:

Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations.

This doesn’t sound good, nor does the fact that the researchers promise a live demo of the compromise as part of a “budget” attack.

The importance of this lies in the fact that “to date, cyber-attacks against power systems are considered to be extremely sophisticated and only within the reach of nation-states”.

The two best documented energy grid attacks – the 2015 and 2016 attacks on Ukrainian power stations – were pinned on hackers backed by the resources of a nation state. If the session serves up something that would be possible for anyone, even that assumption will start to wilt.

GE reacted by telling Reuters:

We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue.

The flaw had not been used to cause power outages and only involved GE protection relays dating from the 1990s, “before current industry expectations for security”.

One might point out that energy infrastructure installed in the 1990s by vendors such as GE will still affect a lot of equipment in the US and beyond. Finding and patching that equipment could take a lot of effort for an industry not used to the luxury of downtime.

The counter-argument is that compromising energy systems still requires a lot of understanding of the target. It’s not clear that a bedroom attacker would have the ability to do this, nor the ability to exploit all aspects of the attack remotely.

It does at least serve to remind us how security researchers have gone from being a nuisance to being saviours. Patching energy grid systems is the sort of problem the world must find a way to live with.

 

via: nakedsecurity

PlayKey is reviving the cloud gaming market by allowing you to buy or bring your own games

What if you’ve wanted to join the PC gaming community but don’t have the means to purchase a PC that costs thousands of dollars? PlayKey has a unique approach to virtualization/cloud gaming: payment tiers that determine stream quality, and the ability to play games either by purchasing them from PlayKey or by using your own Steam game library.

PlayKey’s business is based around its servers located in Amsterdam, London and Frankfurt, while being headquartered in Russia. During Tuesday’s Startup Alley, I spoke with Vadim Andreev, PlayKey’s VP of gaming strategy, about the specs and the requirements of using the service at its best settings: “Users can use their own Steam library with our service, buy the game from Steam directly, or purchase the key and subscription from us.”

Additionally, PlayKey isn’t stepping on the toes of publishers or Valve, as it technically works as a collaborating partner for purchasing game keys, while also running a virtualization service to run those games.

With this two-lane approach, I think there’s potential here for enabling a gamer who wants to play PC games, but can’t afford a gaming PC. After all, if you do stop using the service, you still technically own and have the rights to play the game — but then you’ll need a gaming PC.

One of the key differences between PlayKey and the failed cloud gaming competitors of the past is its optimized server runtime (which lowers operating costs). PlayKey can run 20 different game sessions (or users) simultaneously on the same server, with multiplayer support. Monitoring tools are also available, letting you see packets lost, game FPS, resolution and more.

PlayKey supports 150 games, including a ton of AAA titles like Grand Theft Auto V, The Witcher 3, Mafia III, Deus Ex: Mankind Divided, BioShock Infinite, and The Elder Scrolls V: Skyrim, with more added every month. Its catalogue also includes a few non-Steam games, like Overwatch, The Elder Scrolls Online and EVE Online.

In order for PlayKey to work, you’ll need a minimum internet download speed of 10MBps, which is required for PlayKey to stream at 720p resolution and 30 FPS under the $10 monthly subscription. However, if you opt for the $20 monthly plan, you can stream games at 60FPS 1080p HD resolution at ultra settings, with a minimum requirement of a 20Mbps internet connection.

So, just how would you be able to start streaming?

You start off by signing up, paying $20 for the HD subscription (for example), then purchasing your game key from Steam or PlayKey directly (or just logging in with your own Steam ID and library). A virtualized window appears on-screen, where PlayKey initializes the launcher and the game begins to run in fullscreen. Also, if you’re worried about game saves: cloud sync is supported and still tied to your Steam account, including social and screenshot features.

If you’re not ready to take the cloud gaming plunge, you can also demo PlayKey for 30 minutes, so I’d say give it a shot.

 

via:  techcrunch

Subtitles hack threatens Millions of PCs, Smart TVs, Tablets and Smartphones

Security experts from security firm Check Point warn of a subtitles hack that threatens millions of devices.

According to the experts at Check Point, hackers could exploit a new attack vector that uses malicious subtitles to compromise devices via their media players.

Millions of users worldwide can be targeted due to security vulnerabilities in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time, and stream.io.

“Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles.” states the analysis shared by Check Point. “By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.”

Patches for these vulnerabilities are available for download; users should apply them immediately.

According to the security firm, approximately 200 million video players and streamers are currently exposed to the subtitle attack.

“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years,” continues the analysis, titled “Hacked in Translation.”

The attackers can craft malicious subtitle files that, once loaded by a user’s media player, allow them to take complete control over any type of device (i.e., laptops, smart TVs, tablets, and smartphones).

Unlike other attack vectors well known to security firms, this hacking technique is very subtle because subtitles are perceived as harmless text files and are not subject to inspection by security solutions.


In the subtitles hack, the subtitle file can be manipulated by attackers for several malicious purposes.

“This method requires little or no deliberate action on the part of the user, making it all the more dangerous,” states Check Point.

Check Point analyzed vulnerabilities in media players that allow a remote attacker to execute code and gain full control of the targeted system.

The researchers were able to exploit a flaw in the popular VLC player to trigger a memory corruption issue and gain control of a PC. Similar successful tests allowed the researchers to demonstrate the subtitles hack on other players.

In Check Point’s proof-of-concept attack, victims are either persuaded to visit a malicious website that uses one of the streaming video players, or tricked into running a malicious subtitle file that they intentionally downloaded for use with a video.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point.

Check Point plans to disclose the technical details of the tests only once software updates have been provided to users.

Below is the list of updates currently available:

 

via: securityaffairs

7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely


A 7-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.

 
Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.

 
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share folders, files, and printers over the network with Windows operating systems.

The newly discovered remote code execution vulnerability (CVE-2017-7494) affects all versions from Samba 3.5.0, released on March 1, 2010, onwards.

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” Samba wrote in an advisory published Wednesday.

Linux version of EternalBlue Exploit?


According to the Shodan computer search engine, more than 485,000 Samba-enabled computers expose port 445 on the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, of which 92,000 are running unsupported versions.

 
Since Samba is the SMB protocol implemented on Linux and UNIX systems, some experts are calling it the “Linux version of EternalBlue,” the exploit used by the WannaCry ransomware.

 
…or should I say SambaCry?

 
Keeping in mind the number of vulnerable systems and the ease of exploiting this vulnerability, the Samba flaw could be exploited at large scale with wormable capabilities.

 

 

Home networks with network-attached storage (NAS) devices could also be vulnerable to this flaw.

Exploit Code Released! (Bonus: Metasploit Module)


The flaw actually resides in the way Samba handles shared libraries. A remote attacker could use this arbitrary module loading vulnerability to upload a shared library to a writable share and then cause the server to load and execute malicious code.

 
The vulnerability is hell easy to exploit: just one line of code is required to execute malicious code on the affected system.

simple.create_pipe("/path/to/target.so")

Moreover, the Samba exploit has already been ported to Metasploit, a penetration testing framework, enabling researchers as well as hackers to exploit this flaw easily.

Patch and Mitigations

The maintainers of Samba have already patched the issue in the new Samba versions 4.6.4, 4.5.10 and 4.4.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.

 
But if you cannot upgrade to the latest versions of Samba immediately, you can work around the vulnerability by adding the following line to the [global] section of your Samba configuration file smb.conf:

nt pipe support = no

Once added, restart the SMB daemon (smbd) and you are done. Note that this change will prevent clients from fully accessing some network machines, and will disable some functionality that connected Windows systems expect.
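To tie the two mitigations in this section together, here is an added example (not from the page or the Samba project) that assesses a host from its `smbd --version` output and its smb.conf: it decides whether the build predates the fixed release for its branch, lists the writable shares an uploaded library could land in, reports whether `nt pipe support = no` is set in [global], and can add that line. The fixed releases, the 3.5.0 start of the affected range and the workaround come from the article; the version strings and configuration text are constructed samples, and the caveat is that distributions backport fixes without bumping the upstream version, so a “vulnerable” version alone is a prompt to check the package changelog, not proof.

```python
"""Assess a Samba host for CVE-2017-7494 from its version string and smb.conf.

Added example, not code from the page or the Samba project. Fixed releases
(4.6.4, 4.5.10, 4.4.14), the 3.5.0 start of the affected range and the
'nt pipe support = no' workaround come from the article; the inputs below are
constructed samples. Caveat: distributions backport fixes without changing the
upstream version, so a vulnerable-looking version is a prompt to check the
package changelog rather than proof.
"""
import re

FIRST_AFFECTED = (3, 5, 0)
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def parse_version(text):
    """'Version 4.5.8-Ubuntu' -> (4, 5, 8); packaging suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_is_vulnerable(version):
    """Below 3.5.0 is unaffected; a listed branch is fixed from its release;
    any other branch in range (3.x, 4.0-4.3) is treated as vulnerable."""
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED_RELEASES.get(version[:2])
    return True if fixed is None else version < fixed


def _norm(key):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section_name: {normalized_key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # comment lines start with ';' or '#'
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def workaround_applied(conf):
    """The mitigation is 'nt pipe support = no' in [global]; Samba's default is yes."""
    return not _truthy(conf.get("global", {}).get("ntpipesupport", "yes"))


def writable_shares(conf):
    """Shares a client can write to. 'read only' defaults to yes;
    'writable', 'writeable' and 'write ok' are its inverse synonyms."""
    names = []
    for name, params in conf.items():
        if name == "global":
            continue
        writable = not _truthy(params.get("readonly", "yes"))
        for synonym in ("writable", "writeable", "writeok"):
            if synonym in params:
                writable = _truthy(params[synonym])
        if writable:
            names.append(name)
    return sorted(names)


def add_workaround(text):
    """Return smb.conf text with 'nt pipe support = no' set in [global]."""
    out, in_global, done = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if in_global and not done:  # leaving [global] without having seen the key
                out.append("   nt pipe support = no")
                done = True
            in_global = line[1:-1].strip().lower() == "global"
        elif (in_global and line and line[0] not in ";#" and "=" in line
              and _norm(line.split("=", 1)[0]) == "ntpipesupport"):
            raw, done = "   nt pipe support = no", True  # overwrite an existing setting
        out.append(raw)
    if in_global and not done:  # [global] was the last section
        out.append("   nt pipe support = no")
    return "\n".join(out) + "\n"


def assess(version_text, smb_conf_text):
    version = parse_version(version_text)
    conf = parse_smb_conf(smb_conf_text)
    vulnerable, mitigated, shares = version_is_vulnerable(version), workaround_applied(conf), writable_shares(conf)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "workaround_applied": mitigated,
        "writable_shares": shares,
        # The attack described needs all three: an unfixed build, the pipe path open, and a place to upload.
        "exposed": vulnerable and not mitigated and bool(shares),
    }


# Constructed sample configuration; the commented line shows a workaround that is NOT active.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = constructed sample host
; nt pipe support = no

[public]
   path = /srv/samba/public
   read only = no

[docs]
   path = /srv/samba/docs
   writable = no
"""

if __name__ == "__main__":
    print(assess("Version 4.5.8-Ubuntu", SAMPLE_SMB_CONF))
    print(assess("Version 4.5.8-Ubuntu", add_workaround(SAMPLE_SMB_CONF))["exposed"])
```

The writable-share listing is the part worth keeping around after patching: a share that nobody needs to write to is a smaller attack surface regardless of the Samba version.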

 
While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for their users, the larger risk comes from consumer NAS devices, which might not be updated as quickly.

 
Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability “has potential to be the first large-scale Linux ransomware worm.”

 
Update: Samba maintainers have also provided patches for older and unsupported versions of Samba.


Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its router and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.

 
However, the company has so far released firmware fixes only for ReadyNAS products running OS 6.x.

 

via:  thehackernews

WordPress Launches Public Bug Bounty Program

The WordPress security team announced the launch of a public bug bounty program that covers the WordPress content management system (CMS) and several related assets.

WordPress has been running a private bug bounty program for roughly seven months and it has now decided to make it public.

The program is hosted on the HackerOne platform and it covers the WordPress CMS and other open-source projects, including BuddyPress, bbPress and GlotPress. Researchers can also report flaws discovered in the WordPress.org (including subdomains), WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.

White hat hackers have been advised to submit vulnerability reports that include detailed information on the flaw and proof-of-concept (PoC) code. Participants have also been asked to avoid privacy violations and causing damage to live WordPress sites, and give developers a reasonable amount of time to address security holes before their details are made public.

The list of vulnerabilities that experts can report includes cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution and SQL injection.

The bug bounty program does not cover vulnerabilities affecting plugins – these should be reported to the plugin’s developer, but the WordPress plugins team should be alerted as well.

While exceptions may exist, the WordPress security team says it’s typically not interested in basic information disclosure issues, mixed content warnings, lack of HTTP security headers, brute force attacks, XSS flaws that can only be exploited by users with elevated privileges, and reports generated by automated scans.

The WordPress security team has not provided any information on rewards, but it did say that seven researchers have so far earned more than $3,700, which indicates an average of roughly $500 per vulnerability report. The bounties will be paid out by Automattic, the company behind WordPress.com, which runs its own bug bounty program on HackerOne.

According to WordPress developers, the CMS currently powers more than a quarter of the top ten million websites on the Internet. Given the platform’s popularity, it’s no surprise that researchers often find security holes, including serious vulnerabilities that end up being exploited to hack thousands of websites.

Hopefully, the launch of a public bug bounty program will streamline vulnerability reporting to avoid the disclosure of unpatched flaws by researchers who are frustrated with the lack of communication.

 

via:  securityweek

Cyber Risk Management: What’s Holding Us Back?

Organizations Are Struggling to Operationalize Their Knowledge of Risk.

Over the past year, cyber risk management has gained a lot of attention in the media and among practitioners. Even though risk management has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted this concept when it comes to their enterprise security model. Last week’s WannaCry ransomware attack is a stark reminder that a risk-based approach to security is long overdue. WannaCry is the latest cyber-attack to expose the industry’s inability to find and fix the threats that really matter. So what’s holding organizations back from implementing cyber risk management?

Consider these facts… last Friday, the world faced the biggest cyber-attack yet, with more than 300,000 organizations in more than 200 countries falling victim to the WannaCry ransomware. The malware exploited a known vulnerability in the Microsoft Windows SMB Server, for which the vendor had provided a patch on March 14, 2017. Unfortunately, many organizations had not patched or were simply running on operating systems that had reached their end of life (e.g., Windows XP and Windows Server 2000) and do not receive new security updates. While the attack’s impact has been massive, the story behind it is very characteristic of any successful cyber-attack — hackers are exploiting known vulnerabilities and are betting on the fact that organizations don’t know how to fix what really matters.

That’s where cyber risk management comes into play. Many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) have taken steps to propagate the usage of risk management by incorporating its core principles into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.

However, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s look at the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.

Risk Culture

When implementing cyber risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance- to risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed due to the fact that the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization when it comes to understanding and embracing risk management concepts and benefits. To address this roadblock, a well thought out training program is required for current and incoming employees.

Risk Management Perceptions

Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits all approach, but rather the benefits and costs of risk management are dependent on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a cyber risk management implementation will increase the odds that its benefits will be more clearly understood and supported across the organization.

Risk Technology

Instead of relying on employees to implement cyber risk management in a silo-based fashion using antiquated tools such as spreadsheets to document their findings, organizations should consider the use of an intelligence-driven and platform-based system. Pitfalls to look out for include making sure that the derived risk scores are based on a scientific approach that takes a multitude of factors (i.e., vulnerability risk rating, IP reputation, accessibility, and business criticality) into account rather than singling out, for instance, just the external risk exposure of an organization. In this context, it is essential to ensure proper integration with internal security intelligence data sources, both to secure the investment in existing IT and security tools and to unify their data with external threat data and business criticality.

Organizations that address the above-mentioned inhibitors to cyber risk management head-on can significantly reduce the time it takes to identify their cyber risk exposure, quickly orchestrate remediation, and monitor the results. In the case of the WannaCry outbreak, a properly implemented cyber risk management program would have identified the exposure and business criticality of the threat weeks prior to the attack, giving the organization plenty of time to patch systems in a controlled and orderly fashion.

 

via:  securityweek

APT3 Hackers Linked to Chinese Ministry of State Security

Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).

While much of the security community typically tries to avoid making attribution statements, arguing that false flags make this task difficult, there are some individuals and companies that don’t shy away from accusing governments of conducting sophisticated cyberattacks.

A mysterious group called “intrusiontruth,” which claims to focus on investigating some of the most important advanced persistent threat (APT) actors, has recently published a series of blog posts on APT3, a group that is also known as UPS Team, Gothic Panda, Buckeye and TG-0110.

The cyberspies, believed to be sponsored by China, have been active since at least 2009, targeting many organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other tools and techniques. Researchers noticed last year that APT3 had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

Intrusiontruth has conducted an analysis of APT3’s command and control (C&C) infrastructure, particularly domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Both these individuals are listed as shareholders for a China-based security firm called the Guangzhou Boyu Information Technology Company, or Boyusec. In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that this company had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

Intrusiontruth concluded that either Boyusec has two shareholders with the same name as members of APT3, or Boyusec is in fact APT3, which is the more likely scenario.

Recorded Future has dug deeper to find more evidence connecting APT3 to China’s MSS. In a report published on Wednesday, the company said it had attributed the group directly to the MSS with “a high degree of confidence.”

Researchers pointed out that in addition to Huawei, which claimed to use Boyusec for security evaluations of its corporate intranet, Boyusec was also a partner of the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), and the organizations have been collaborating on an active defense lab since 2014.

Guangdong ITSEC is apparently a subordinate of the China Information Technology Evaluation Center (CNITSEC), which, according to academic research, is run by the Ministry of State Security.

Experts believe many of the ministry’s subordinates, particularly those at provincial and local levels, have legitimate public missions and serve as cover for intelligence operations.

“Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David vs. Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence,” Recorded Future said in its report.

 

via:  securityweek