Author Archive

A new headache for ransomware-hit companies. Extortionists emailing customers

Cybercriminal extortionists have adopted a new tactic to apply even more pressure on their corporate victims: contacting the victims’ customers and asking them to demand that a ransom be paid to protect their own privacy.

At the end of March, Bleeping Computer reported that the Clop ransomware gang had not stopped at threatening hacked companies and contacting journalists, but had taken the additional step of directly emailing victims’ customers whose details had been found in stolen data.

Organizations whose customers and commercial partners have been contacted include a hacked bank, a manufacturer of business jets, and an online maternity clothing store.

Separately, security blogger Brian Krebs reports that a chain of gas convenience stores and a university in the United States have been similarly singled out for such unwanted attention following a ransomware attack.

It appears that similar emails have been sent, encouraging recipients to apply pressure on the organization that is being extorted to pay up – or personal data will be published.

A typical email reads as follows:

Good day! If you received this letter, you are a customer, buyer, partner or employee of <victim organization>. The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data. We inform you that information about you will be published on the darknet ( <link> ) if the company does not contact us. Call or write to this store and ask to protect your privacy!!!!

This is just the latest example of how ransomware gangs have raised the pressure on their victims. Initially, ransomware attacks simply locked companies out of their data until a ransom was paid. Then, cybercriminals exfiltrated sensitive data and threatened to release it if their demands were not met. Some ransomware gangs even created websites to publicize their successful hacks, publishing the equivalent of “press releases” about those customers who would not pay up.

In perhaps the most disgusting ransomware attack I have ever read about, one gang stole the private details of confidential psychotherapy sessions at a chain of Finnish therapy clinics, and threatened patients that they would be released if payment was not made.

It must be hard enough for any organization to handle a ransomware attack, without also having the headache of your extortionists actively contacting your staff, customers, or partners in an attempt to apply even more pressure on you to pay up.

via:  tripwire

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.

Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called “Gitpaste-12,” which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.

The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.

Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner (“ls”), a file with a list of passwords for brute-force attempts (“pass”), and a local privilege escalation exploit for x86_64 Linux systems.

The initial infection happens via X10-unix, a binary written in the Go programming language, which proceeds to download the next-stage payloads from GitHub.

“The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” Juniper researcher Asher Langton noted in a Monday analysis.

Included in the list of 31 vulnerabilities are remote code flaws in F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), Pi-hole Web (CVE-2020-8816), Tenda AC15 AC1900 (CVE-2020-10987), and vBulletin (CVE-2020-17496), and an SQL injection bug in FUEL CMS (CVE-2020-17463), all of which came to light this year.

It’s worth noting that Ttint, a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan (RAT) capable of carrying out denial-of-service attacks, executing malicious commands, and implementing a reverse shell for remote access.

Aside from installing X10-unix and the Monero crypto mining software on the machine, the malware also opens a backdoor listening on ports 30004 and 30006, uploads the victim’s external IP address to a private Pastebin paste, and attempts to connect to Android Debug Bridge connections on port 5555.

On a successful connection, it proceeds to download an Android APK file (“weixin.apk”) that eventually installs an ARM CPU version of X10-unix.

In all, at least 100 distinct hosts have been spotted propagating the infection, per Juniper estimates.
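The network behaviour described above (backdoor listeners on 30004/30006, outbound Android Debug Bridge connections on 5555, and payload traffic to GitHub/Pastebin from unexpected processes) can be turned into a simple host-side check. This is an added example, not code from Juniper or the article; the record layout, the sample lines, the RFC 5737 addresses and the list of "benign" web processes are all constructed assumptions.

```python
import re

# Ports, hosts and binary names taken from the Gitpaste-12 write-up above.
BACKDOOR_PORTS = {30004, 30006}   # backdoor listeners
ADB_PORT = 5555                   # Android Debug Bridge spreading attempts
PAYLOAD_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com"}
KNOWN_BINARY = "X10-unix"
# Processes we would expect to talk to GitHub/Pastebin on a server (assumption).
BENIGN_WEB_PROCS = {"curl", "wget", "git", "apt", "yum", "firefox", "chrome"}

# Constructed sample in a simplified "state local remote process" layout with
# remote hostnames already resolved; this is not real telemetry.
SAMPLE = """\
LISTEN 0.0.0.0:30004 *:* X10-unix
LISTEN 0.0.0.0:22 *:* sshd
ESTAB 10.0.0.5:41233 192.0.2.10:5555 X10-unix
ESTAB 10.0.0.5:41234 198.51.100.7:443 firefox
ESTAB 10.0.0.5:41235 pastebin.com:443 ls
ESTAB 10.0.0.5:41236 github.com:443 git
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)$")


def parse_line(line):
    """Return a dict for one record, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, _laddr, lport, raddr, rport, proc = m.groups()
    return {
        "state": state,
        "lport": None if lport == "*" else int(lport),
        "rhost": raddr,
        "rport": None if rport == "*" else int(rport),
        "proc": proc,
    }


def classify(rec):
    """Return the list of Gitpaste-12 indicators a record matches (empty if none)."""
    reasons = []
    outbound = rec["state"] != "LISTEN"
    if not outbound and rec["lport"] in BACKDOOR_PORTS:
        reasons.append(f"backdoor listener on {rec['lport']}")
    if outbound and rec["rport"] == ADB_PORT:
        reasons.append(f"outbound ADB connection to {rec['rhost']}:{ADB_PORT}")
    if outbound and rec["rhost"] in PAYLOAD_HOSTS and rec["proc"] not in BENIGN_WEB_PROCS:
        reasons.append(f"{rec['proc']} talking to payload host {rec['rhost']}")
    if rec["proc"] == KNOWN_BINARY:
        reasons.append(f"known Gitpaste-12 binary name {KNOWN_BINARY}")
    return reasons


def scan(text):
    """Return [(line, reasons)] for every record matching at least one indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE):
        print(line)
        for r in reasons:
            print("   ->", r)
```

On a real host the same logic can be fed from `ss -tnp` output after adapting the regex to its column layout; a benign process list should be tuned to the host's actual role.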

The complete set of malicious binaries and other relevant Indicators of Compromise (IoCs) associated with the campaign can be accessed here.

via:  thehackernews

5 strategies for CISOs during a time of rapid business transformation

A survey of business leaders by PwC finds the pandemic is causing rapid changes in the roles CISOs play, and offers five tips for ensuring that security remains stable as we enter a new normal.

A study of business leaders by PwC has found that the role of chief information security officers (CISOs) has grown considerably due to the COVID-19 pandemic, with 40% saying they’re now having to fill both an operational role and the role of a digital transformation leader.

One of the major reasons CISOs are being pushed so hard could be because PwC found 40% of businesses have sped up digital transformation efforts due to pandemic shutdowns, with many having already advanced to year two or three of their five-year transformation plans.

All of these changes call for new modes of leadership and a complete transformation of organizational cybersecurity models, PwC argues, and it uses its survey’s findings to provide five moves CISOs should take to be sure cybersecurity keeps up with the evolution of the enterprise.

1. New strategies, and new modes of security leadership, are needed

Ninety-six percent of respondents said they’re adjusting their cybersecurity plans due to COVID-19, and the biggest evolution in security strategies seems to be baking security and privacy into every business decision.

Other security strategies that CISOs said they’re considering are new processes for budgeting, more granular quantification of risks, increasing interactions between CISOs and CEOs/boards, and increasing resilience testing for low-likelihood, but high-impact, events.

Increasing confidence, PwC said, requires putting a dollar amount on cyber risks. “The economics of cybersecurity has long focused on the cost side (compliance, updating capabilities, and so on). This must change,” the report said.

Costs should instead be considered as part of the overall business budget “in a strategic, risk-aligned, and data-driven way.” Evaluate the costs of security projects, the costs of compliance, the costs of risk reduction, and the value of cybersecurity investments in order to build a prioritized list of what needs to be done first in order to meet business objectives.

“This kind of rigor and sophistication will be increasingly demanded—especially as the markets and regulators hold CEOs and board members more accountable for cybersecurity and privacy,” the report said.

3. Do everything possible to level the playing field against attackers

Investing in cybersecurity innovation is essential, PwC said. Zero trust architecture, real-time threat intelligence, endpoint solutions, and other tools have all grown in recent years, and getting in on the ground floor with new security products can be the key to closing the gap between rapidly-evolving cyberthreats and security.

The next major evolution in security will be cloud products, the report found, with 76% of respondents saying they’ve already moved their security operations to the cloud. Cloud products, PwC said, are dynamic, nimble, and are secure by design, while in-house legacy systems are static and insecure in their default state.

“CISOs who transition their organization to the cloud are able to build-in hygiene mechanisms from the beginning—in automated ways. They’re also able to eliminate friction from the system and simplify service delivery to their customers,” the report said.

4. Account for every possible scenario

Resiliency plans need to account for everything, PwC said, from highly likely, low-impact attacks to unlikely but devastating ones.

The report recommends drawing up a likelihood-impact grid (axes from low to high likelihood, and low to high impact) and using that to allocate your efforts and budget. Don’t ignore lower risk attacks, but plan according to the threats most devastating to your industry and company.

“More than three-quarters of executives in our Global DTI 2021 survey say that ‘assessments and testing, done right, can help them target their cybersecurity investments,’” the report said.

5. Build security teams with the future in mind

Fifty-one percent of respondents said they plan to increase the size of their cybersecurity teams in the next year, to which PwC said it’s essential to hire for 21st-century skills.

The most sought-after traits that respondents cited were analytics skills, communication skills, critical thinking, and creativity: “Shaping the future of cybersecurity — one that is in step with the business — means hiring the people who are ready to work collaboratively with others to tackle new, as-yet-undiscovered problems and analyze information,” the report said.

Hiring from within by training existing employees should be considered as well, and the report also found that managed security services providers can be a good solution when talent is hard to find, with 90% of respondents saying they use or plan to use managed service providers in the future.

via:  techrepublic

Amazon Discloses Security Incident Involving Customers’ Email Addresses

Amazon informed some of its customers about a security incident that involved the unauthorized disclosure of their email addresses.

News of the security incident emerged over the weekend of October 23 when multiple users took to Twitter to voice their confusion over an email they had received from Amazon.

In an email notification obtained by Bleeping Computer, the tech giant explained that it had fired an employee after they unlawfully disclosed some customers’ email addresses to a third party.

Screenshot of Amazon’s email message obtained by Bleeping Computer.

We are writing to let you know that your e-mail address was disclosed by an Amazon employee to a third-party in violation of our policies. As a result, we have fired the employee, referred them to law enforcement, and are supporting law enforcement’s criminal prosecution.

No other information related to your account was shared. This is not a result of anything you have done and there is no need for you to take any action. We apologize for this incident.

At the time of writing, there was some confusion about how many former Amazon employees had been responsible for the security incident.

Motherboard wrote that it had obtained another statement from Amazon. In it, the tech giant explained that more than one insider had perpetrated the disclosure.

“The individuals responsible for this incident have been fired,” the statement read. “We have referred the bad actors to law enforcement and are supporting their criminal prosecution.”

Neither statement indicated how many customers the security incident is believed to have affected.

The event described above wasn’t the first time Amazon fired some of its employees for improper data disclosure. Back in January 2020, for instance, TechCrunch reported that Amazon had terminated a number of employees for sharing customers’ phone numbers and email addresses with a third party.

News of this latest incident highlights the need for organizations to defend themselves against insider threats. To do this, they need to focus on taking proactive measures for the purpose of deterring malicious insiders as well as detecting malicious insider activity while it’s in progress.

via:  tripwire

Publishers face hit from upcoming Apple privacy controls

Privacy changes in Apple’s upcoming iOS 14 operating system upgrade have drawn an increasing amount of attention before a fall release (mainly from those who benefit from the advertising industry) – and Facebook made its strongest statement yet about what the changes could mean, suggesting it could halve revenues from its Audience Network business, a multibillion-dollar operation.

Digital publishers are also bracing for the impact, which could take away a sizable chunk of the revenues they draw from iPhone users.

Apple’s change involves the collection of its advertising identifier for users, called the IDFA – a tag that can help advertisers connect a click on an ad with an eventual app install on a device. Apps will be required to ask users whether they can be tracked, and if most users opt out, it could deal a heavy blow to an industry already reeling from the COVID-19 pandemic.

“When every publisher is fighting for every last advertising cent, this couldn’t come at a worse time,” DMG Media’s Martin Clarke tells the WSJ.

While Apple won’t prohibit tracking – instead putting the onus on app makers to get permission – one concern among publishers is the language being used to inform users of their rights. Europe’s GDPR left it to publishers to formulate that language, but claims of a “harshly worded prompt” from Apple lead many to believe a vast majority of users will opt out.

And the result may be ad-tech firms (many of whom expect ad rates to drop by up to 40%) writing off the Apple identifier. Branch Metrics’ Alex Austin tells WSJ that the firm’s assuming IDFA is “dead for everything we’re doing.”

And while not every publisher will see the same impact, the ones who moved faster into “programmatic” ad buying (and tend to have large numbers of iPhone users) could see meaningful impact.

via: seekingalpha

Jack Daniel’s Manufacturer Was Target of Apparent Ransomware Attack

Brown-Forman Corp., a manufacturer of alcoholic beverages including Jack Daniel’s and Finlandia, said it was hit by a cyber-attack in which some information, including employee data, may have been impacted.

The company, which is based in Louisville, Kentucky, said in a statement it was able to prevent its systems from being encrypted, which is normally caused by ransomware attacks. It provided few other details about the incident, including when it happened or how the hackers accessed the data.

“We are working closely with law enforcement, as well as world class third-party data security experts, to mitigate and resolve this situation as soon as possible,” the company said. “There are no active negotiations.”

In ransomware attacks, hackers typically encrypt a company’s files and demand a payment to unlock the files. In some instances, hacker groups post snippets of stolen files on websites, or send them to the media, to pressure companies to pay. Such attacks have increased in recent years against all kinds of businesses and government agencies, including cities and school districts.

In this instance, a message sent anonymously to Bloomberg claimed to have hacked Brown-Forman and compromised its internal network. The alleged hackers said they copied 1 terabyte of confidential data and promised to share it online. The website named by the attackers goes to a page that lists victims of Sodinokibi ransomware, which emerged in 2019 and has spread across the globe, according to McAfee LLC. Also known as REvil, the ransomware code is maintained by one group of people and distributed by affiliates, a model known as ransomware as a service, McAfee said.

“An attempt at dialogue with the company did not bring any results,” the alleged hacker said.

via: bloomberg

Decryption Tool Released for WannaRen Ransomware

Security researchers released a decryption tool that enables victims of WannaRen ransomware to recover their files for free.

On August 19, Bitdefender announced that it had made a WannaRen decryption utility publicly available for download.

The security firm urged victims of this ransomware to save the decryptor somewhere on their computer after completing the download process.

Once they click on the saved “BDWannaRenDecryptor.exe” file, they should click “Yes” and give the decryptor the permissions it needs to modify files on the infected device. They should then agree to the end user license agreement.

With a “test folder” containing pairs of encrypted/not-encrypted files, victims can instruct the tool to scan their entire machine for encrypted files as part of the recovery process.

Bitdefender also recommended that users select the “Backup files” option.

A screenshot of the WannaRen decryptor’s dialog box. (Source: Bitdefender)

News of this decryption utility arrived several months after WannaRen first attracted the attention of the security community.

In April 2020, 360 Security Center was among the first to witness the ransomware circulating in the wild and demanding ransoms of 0.05 BTC (worth approximately $600 at the time of writing).

A close look by 360 Security Center at WannaRen revealed that the ransomware had originated from Hidden Shadow, a digital crime organization which has a history of exploiting EternalBlue for the purpose of moving laterally on infected networks and distributing banking trojans.

The security firm found that WannaRen arrived with a PowerShell downloader containing this same propagation method.

It’s not always possible for security researchers to develop a decryption tool for a ransomware family. Sometimes, the code reveals no apparent weaknesses that allow for the creation of such a utility.

Acknowledging that reality, organizations and users alike should take steps to prevent a ransomware infection from occurring in the first place. This resource serves as an excellent starting point.

via: tripwire

Here’s who’s hiring right now

Companies from industries spanning from technology to retail are hiring to meet increased demand caused by the coronavirus pandemic. Below is a regularly updated list of companies hiring right now.

While we’d like to feature all opportunities on this page, we want to highlight those that will be relevant to the greatest number of LinkedIn members. Search the #HiringNow hashtag to see other possible job openings. Also, be sure to use that hashtag in posts if you’re offering or know of employment opportunities. You can also find additional opportunities on the LinkedIn jobs page.

For those of you in Canada, see a list of companies hiring in your country by clicking here.

Also, for those looking for the latest information about job seeking during this difficult and unusual time, you can find the #GetHired guide here:

Microsoft to permanently close all of its retail stores

The company will also “reimagine” three of its existing stores, specifically the ones in London, New York City, and Sydney, as Microsoft Experience Centers.

Microsoft is pulling the plug on its retail store experience. After launching its first physical store more than 10 years ago, the company is permanently closing all its physical retail outlets across the world, David Porter, corporate VP for Microsoft Store, said in a LinkedIn post on Friday.

“As part of our business plan, we announced a strategic change in our retail operations, including closing Microsoft Store physical locations,” Porter said. “Our retail team members will continue to serve customers working from Microsoft corporate facilities or remotely and we will continue to develop our diverse team in support of the overall company mission and objectives.”

In revealing the decision, Porter said that Microsoft’s hardware and software sales have been shifting online, while its lineup has evolved to digital products, including Microsoft 365 as well as content for gaming and entertainment. Porter touted growth in traffic to the company’s digital Xbox and Windows storefronts, which see as many as 1.2 billion monthly customers across 190 markets.

Further, the coronavirus lockdown seemed to show Microsoft that it could provide sales and technical support to buyers and customers without maintaining a physical presence. The company’s shift to a remote workforce due to COVID-19 still allowed it to support individuals and organizations.

“Our retail sales team helped small businesses and education customers digitally transform; virtually trained hundreds of thousands of enterprise, government and education customers on remote work and learning software; and helped customers through support calls,” Porter said. “The team supported communities hosting more than 14,000 online workshops and summer camps and helped more than 3,000 schools and 1.5 million students celebrate virtual graduations.”

In line with the store closures, Microsoft employees will offer sales, training, and support from their corporate offices as well as remotely, Porter said. The company also aims to enhance its digital storefronts where people can buy products, receive training, and get technical support. One new service slated for these online storefronts will be 1:1 video sales support.

The existing retail stores in London, New York City, and Sydney and on the Redmond campus will be “reimagined as new spaces,” according to Porter. Specifically, the locations in London, New York, and Sydney will be turned into Microsoft Experience Centers, designed to serve consumer, small business, education, and enterprise customers. At these centers, people will be able to try out Microsoft products, view product demos, explore device bars, and learn about Microsoft technology.

Also on tap at these Experience Centers will be consultations for small business and education customers and training seminars for enterprise customers. Plus, the centers will allow customers to schedule appointments for support and Answer Desk visits and offer a variety of community events and workshops. However, purchasing will be available only through Microsoft’s digital storefronts.

Borrowing a page from Apple, Microsoft opened its first retail store in the US in October 2009 to sync with the launch of Windows 7. Over the years, the number of US stores climbed to 72 locations across 31 states. Expanding beyond the United States, Microsoft kicked off stores in Australia, Canada, Puerto Rico, and England, for a total of 82 worldwide.

The Microsoft store was an attempt to sell products and services, offer support and training, and provide customers with a more personal one-on-one approach. But unlike Apple, Microsoft failed to squeeze much success or profitability out of its retail store experience. One factor lies in a core difference between the two companies.

Apple designs and sells its own hardware and software, mostly for individual consumers who can enjoy and benefit from an in-store experience. Microsoft is a more nebulous company that creates and sells software to run on devices from other vendors, while its direct target audience consists of enterprise customers less likely to venture to a store for sales or support.

via:  techrepublic

Zoom Not Offering End-to-End Encryption to Free Users to Help Law Enforcement

Zoom’s chief executive revealed on Tuesday that free users will not be offered end-to-end encryption as the company wants to assist the FBI and local law enforcement in their investigations.

Zoom’s popularity has increased significantly since the start of the COVID-19 pandemic due to many people being forced to work and study from home. This popularity has also attracted the attention of privacy and security experts, who have identified some serious issues in the video conferencing service, as well as the attention of bad actors who have started abusing the platform.

Zoom has promised to take action and it has already started implementing measures that would help it address security and privacy concerns.

One of these measures is related to end-to-end encryption. Zoom does encrypt communications between clients and its servers, but it currently does not offer true end-to-end encryption, which would prevent even the company itself from gaining access to the content of customers’ communications.

Last month, the company published a detailed draft of the cryptographic design it plans on using for its upcoming end-to-end encryption feature, which it said would be offered to paying customers and schools.

During a conference call following the release of financial results for the first quarter of fiscal year 2021, Zoom CEO Eric Yuan told investors that the company does not want to offer this kind of protection to free users, who are more likely to abuse the platform, as it wants to work with the FBI and local law enforcement if people use Zoom for “bad purposes.”

In a long thread on Twitter, Alex Stamos, who was hired by Zoom as an outside advisor on cybersecurity, shared some details on the company’s plans for end-to-end encryption, which he says “are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.”

Stamos, who in the past worked as CSO at Yahoo and Facebook, said Zoom does not proactively monitor meeting content and it does not plan on doing so in the future. He says the vast majority of abuse comes from people who use Zoom for free and the company plans on taking measures that would “create friction and reduce harm.”

Stamos pointed out that if end-to-end encryption is enabled, Zoom’s Trust and Safety team will not be able to enter a meeting they believe to be abusive — this is now possible without end-to-end encryption — and there will be no backdoor to facilitate such access. Stamos also noted that some meeting features are also incompatible with end-to-end encryption. This is why end-to-end encryption will be opt-in “for the foreseeable future.”

“So we have to design the system to securely allow hosts to opt-into an E2E meeting and to carefully communicate the current security guarantees to hosts and attendees,” Stamos said.

Zoom’s revenue for the first quarter was $328 million and the company expects to generate up to $1.8 billion this fiscal year, with an estimated profit of up to $380 million.

via:  securityweek