Cybersecurity industry shakes with NSA leak


After an unknown hacking group released hacking tools taken from the National Security Agency, top tech companies around the world are scrambling to patch their systems and software to protect themselves and their customers from attacks.

An unknown group of hackers, the Shadow Brokers, dumped data online last weekend and claimed to have stolen it from the Equation Group, a top-of-the-line APT believed to be associated with the NSA. The data dump affected products from firewall makers Cisco and Fortinet.

While the anonymous group’s origin is unknown, cyber security experts have authenticated the cache as NSA hacking tools, apparently developed by the agency for its more controversial activities: surveillance, spying and hacking. Computer security analysts who have studied the files are mostly convinced they came from the agency.

The Shadow Brokers said they had more such files, which they would sell to the highest bidder. So far, the Shadow Brokers have released about 300 megabytes of data comprising over 50 attack tools that would let attackers bypass the firewalls organizations rely on to defend against external attacks.

A former NSA employee recognized details in the leaked files.

The revelation has once again raised the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.

Now that the custom-made malware is online, American corporations are relying on their cyber security defences against digital attacks from criminals and spies.

Now, many cyber security experts are asking why the NSA would stockpile so many of these kinds of security vulnerabilities without telling the affected companies.

"The policy question we have to ask ourselves is what's an acceptable amount of time for the NSA to keep these exploits exclusively, before being legally compelled to disclose them," says Jeremiah Grossman, head of security strategy at cyber security firm SentinelOne.

The leak also raises questions about the nature of nation-state hacking, and how much spy agencies know about flaws in software that they aren't revealing to tech companies and the public.

Healthcare sector hard hit by Locky Ransomware


The healthcare sector in the United States, Japan, Korea and Thailand has been hard hit by a massive Locky ransomware campaign spotted this month.

Researchers at FireEye said the campaign used .DOCM attachments, macro-enabled Office 2007 Word documents.

According to researcher Ronghwa Chong, macro-based delivery of Locky is a new tactic for the cybercriminals; the ransomware has otherwise been distributed via spam campaigns with the payload delivered through JavaScript attachments.
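Both carriers named above, macro-enabled Word documents and JavaScript attachments, can be caught at the mail gateway without running anything. The following is an added example (not FireEye's code or anything from the original post) of a mail attachment check: it blocks script attachments by extension, and detects VBA macros by content, since a macro-enabled document is an OOXML zip that carries its macros in `word/vbaProject.bin`. The `.dotm` extension, the minimal sample documents and their file names are assumptions constructed for this example.

```python
import io
import os
import zipfile
from typing import Tuple

# Attachment types the FireEye note names as Locky carriers: script files and
# macro-enabled Word documents (.dotm, the macro-enabled template, is added here
# as a generalization beyond the article).
SCRIPT_EXTENSIONS = {".js"}
MACRO_CAPABLE_EXTENSIONS = {".docm", ".dotm"}
VBA_PART = "vbaproject.bin"  # the OOXML part that holds a VBA project


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML (zip-based) Office file embeds a VBA project.

    Word stores macros in word/vbaProject.bin.  A .docm renamed to .docx still
    carries that part, so the check is by content rather than by extension.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML package (legacy binary .doc, plain text, ...): nothing to inspect here.
        return False


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return "block", f"script attachment ({ext})"
    if has_vba_project(data):
        return "block", "embedded VBA project (vbaProject.bin)"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "review", f"macro-capable format ({ext}) without a VBA project"
    return "allow", "no macro or script indicator"


def make_sample_docx(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part (no real macro code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stand-in")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: the file names are placeholders.
    samples = {
        "invoice.docm": make_sample_docx(with_macros=True),
        "report.docx": make_sample_docx(with_macros=False),
        "renamed.docx": make_sample_docx(with_macros=True),
        "receipt.js": b"var x = 1;",
    }
    for name, blob in samples.items():
        verdict, reason = classify_attachment(name, blob)
        print(f"{name:14} -> {verdict:6} ({reason})")
```

The content check matters more than the extension check: renaming a `.docm` to `.docx` hides nothing from `has_vba_project`, while a `.docm` that carries no VBA part is only flagged for review.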

“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits,” Chong wrote. “Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

In June alone, researchers found a new version of the Locky ransomware being distributed via a resurgence of the Necurs botnet.

“Each email campaign has a specific ‘one-off’ campaign code that is used to download the Locky ransomware payload from the malicious malware server,” Chong noted.

Healthcare is not the only sector affected by Locky; the telecom, transportation and manufacturing industries are also affected.

Hidden costs of cyberattack

Cyberattacks have many adverse effects, both physical and financial, on any organization, and the impact varies with the nature and severity of the event.
CFO Insights recently released a report listing seven costs that are not so apparent but are important in calculating the total cost of a cyberattack.
While common perceptions of financial loss in a cyberattack centre on the theft of personally identifiable information, payment data and personal health information, the discussion in this report focuses on customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties.

Below the surface costs

Cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure have a more significant impact on organizations than they seem, and they often lead to additional costs which are more difficult to quantify and often hidden from public view.
In a recent Deloitte study, “Beneath the surface of a cyberattack: A deeper look at business impacts,” the report identified 14 business impacts of a cyber incident as they play out over a five-year incident response process. The direct costs commonly associated with data breaches accounted for less than 5% of the total business impact.

1. Insurance premium increases

Insurance premium increases are the additional costs an insured entity might incur to purchase or renew cyber risk insurance policies following a cyber incident.
As little data was available on premium increases after a cyberattack, Deloitte conducted its own informal research among providers of cyber insurance and found it was common for a policyholder to face a 200% increase in premiums for the same coverage, and at times to be denied coverage until stringent conditions were met following a cyber incident.
The research found that future costs are heavily influenced by the policyholder’s willingness to provide information, and the depth of that information, upon review of the incident; the policyholder’s plans to improve incident handling or other aspects of its security program; anticipated litigation; and assumptions concerning the company’s level of cybersecurity ‘maturity’.

2. Increased cost to raise debt

The cost of raising debt is directly tied to credit rating: when the credit rating drops, the cost of raising debt increases. The victim organization faces higher interest rates for borrowed capital, either when raising new debt or when renegotiating existing debt. During periods when cyber incidents are prevalent, organizations are perceived as higher-risk borrowers. In its research Deloitte analysed the credit ratings of nine public companies, observed an average Standard and Poor’s credit rating of ‘A’, and compared these companies against companies that had recently suffered a cyber incident. The research concluded that a cyber attack incident downgraded the credit rating by one level.

3. Operational disruption or destruction

The impact of operational disruption or destruction includes losses tied to the manipulation or alteration of normal business operations, and the costs of rebuilding operational capabilities: repairing equipment and facilities, building temporary infrastructure, diverting resources from one part of the business to another, or increasing current resources to support alternative business operations that replace the function of systems that have been temporarily shut down. It can also include losses associated with the inability to deliver goods or services.

4. Lost value of customer relationships

Loss of customers immediately after a breach affects an organization adversely. Economists and marketing teams track customer loss by attaching a “value” to each customer or member, quantifying how much the business must invest to acquire that customer or member. Each customer or member is then analysed for the amount of revenue they will generate for the business over time. These numbers are then evaluated per industry and organization to estimate the investment needed to attract and acquire new customers.

5. Value of lost contract revenue

The value of lost contract revenue includes revenue and ultimate income loss, as well as lost future opportunity associated with contracts terminated due to a cyber incident. Deloitte estimated the value of the contracts in its test cases both before and after the cyberattack. If the company were to lose contracts following a cyberattack, revenues would decrease; the present value of the cash flows the company would have earned over the term of the contracts was then determined.

6. Devaluation of trade name

Devaluation of trade name is a cost category referring to the loss in value of the names, marks, or symbols an organization uses to distinguish its products and services. While a brand name is associated with a specific company or product, a trade name relates to an organization as a whole. To determine the financial impact on the value of a trade name, the likely value of the trade name both before and after the cyber incident has to be assessed. To value the trade name, Deloitte employed the relief-from-royalty method. This method, commonly used to value IP assets, estimates the value by analysing what another entity would have to pay to license the company’s trade name. The analysis involved establishing a reasonable “royalty fee” for similar types of IP, and analysing profit margins across the industries to which the test cases belong.

7. Loss of intellectual property

Loss of IP is the cost associated with loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information; it can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company. The value of IP is estimated by approximating how much another party would pay to license it.

Pokemon Go Ransomware attacks as Windows 10 app


Attackers have unleashed new ransomware to take advantage of those unable to download the widely popular mobile game Pokemon Go. Ransom_POGOTEAR.A was recently discovered by Trend Micro masquerading as a Pokemon GO application for Windows 10. It was originally spotted by Michael Gillespie, a security researcher who has identified and decrypted plenty of other locker programs.

The malware is an updated version of Hidden Tear, an open-source piece of ransomware released in August 2015 with the stated intention of educating people. The ransomware scans a victim’s drive and encrypts any file with certain extensions, as usual.

Hidden Tear ransomware isn’t new. In January 2015, Trend Micro discovered a hacked website in Paraguay distributing ransomware detected as RANSOM_CRYPTEAR.B. The website had been compromised by a Brazilian hacker, and the ransomware was created from modified Hidden Tear code. Prior to this discovery, when the source code of Hidden Tear was made public for educational purposes, its creator was very specific about not using Hidden Tear as ransomware.

The ransomware is designed to create a ‘Hack3r’ backdoor account on the victim’s Windows machine. Once the user downloads and installs the ransomware, it creates a user account and adds it to the Administrators group. It then hides the account from the login screen by setting a Windows registry key. Another feature creates a network share on the victim’s computer, and the malware attempts to spread itself via removable media. Once the executable is copied to a removable drive, it creates an autorun file so the ransomware runs each time someone accesses the drive. The executable is also copied to the root of other fixed drives. This way, the Pokemon GO ransomware will run when the victim logs into Windows.

The ransomware is currently targeting Arabic-speaking users, following the move by many Arab countries to ban or limit the game. It locks a user’s files, presenting them with a Pikachu-themed ransom note. In addition, the screensaver executable is embedded with an image titled “Sans Titre”, which means ‘Untitled’ in French and may hint at the developer’s origin.

The ransomware has a static AES encryption key of “123vivalalgerie”. Additionally, the command & control (C&C) server uses a private IP address, which means it cannot be reached over the Internet. This shows the ransomware is still under development. Once it is fully released, the purpose of the network share will become clear.

“While most ransomware infections encrypt the data, delete themselves, and then display a ransom note, leaving no traces; this ransomware’s developers only encrypt the files so that the victim pays the ransom. Unlike others, it creates a backdoor account in WINDOWS so that the developer can gain access to a victim's computer at a later date,” said Lawrence Abrams of Bleeping Computer, who analyzed the PokemonGo ransomware.

After appending ‘.locked’ to each encrypted file, a ransom message in Arabic is displayed on the screen instructing the user to contact ‘me.blackhat20152015@mt2015.com’ for the payment procedure.
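The write-up above gives an incident responder three file-system indicators to sweep for: a burst of files renamed with the ‘.locked’ extension, an autorun file at the root of a removable drive, and the executable copied to drive roots. The following is an added example (not code from Trend Micro, Bleeping Computer or the original post) that walks a drive and reports those indicators, parsing the autorun file for the program it would launch. The sample drive layout, the file name `dropper.exe` and the mass-encryption threshold are constructed assumptions; the article names no file name or count.

```python
import os
import tempfile
from typing import Dict, List

LOCKED_EXT = ".locked"        # extension the article reports being appended to encrypted files
AUTORUN_NAME = "autorun.inf"  # autorun file the ransomware drops on removable drives
# Number of renamed files above which a sweep reports mass encryption
# (the threshold is an assumption for this example, not a figure from the analysis).
MASS_ENCRYPTION_THRESHOLD = 5


def autorun_launch_targets(path: str) -> List[str]:
    """Return the programs an autorun.inf would launch (its open= / shellexecute= keys)."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, _, value = line.strip().partition("=")
            if key.strip().lower() in ("open", "shellexecute") and value.strip():
                targets.append(value.strip())
    return targets


def sweep(root: str) -> Dict[str, object]:
    """Walk a drive and collect the indicators described in the analysis."""
    root = os.path.abspath(root)
    locked, autoruns, root_exes, targets = [], [], [], []
    for dirpath, _dirs, files in os.walk(root):
        at_root = os.path.abspath(dirpath) == root
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(LOCKED_EXT):
                locked.append(path)
            elif at_root and lower == AUTORUN_NAME:
                autoruns.append(path)
                targets.extend(autorun_launch_targets(path))
            elif at_root and lower.endswith(".exe"):
                # An executable sitting at a drive root is what the spreading step leaves behind.
                root_exes.append(path)
    return {
        "locked_files": sorted(locked),
        "mass_encryption": len(locked) >= MASS_ENCRYPTION_THRESHOLD,
        "autorun_files": autoruns,
        "autorun_targets": targets,
        "root_executables": [os.path.basename(p) for p in root_exes],
    }


def build_sample_drive(base: str) -> str:
    """Constructed sample layout imitating a removable drive after infection (no real malware)."""
    root = os.path.join(base, "E")
    os.makedirs(os.path.join(root, "photos"))
    for i in range(6):
        with open(os.path.join(root, "photos", f"img{i}.jpg{LOCKED_EXT}"), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    # 'dropper.exe' is a placeholder name; the article gives no file name.
    with open(os.path.join(root, "dropper.exe"), "wb") as fh:
        fh.write(b"MZ")
    with open(os.path.join(root, AUTORUN_NAME), "w") as fh:
        fh.write("[autorun]\nopen=dropper.exe\nicon=dropper.exe\n")
    return root


def run_demo() -> Dict[str, object]:
    """Build the sample drive in a temporary directory, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_sample_drive(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against a mounted drive, `sweep("/mnt/usb")` (or a drive letter on Windows) returns the same dictionary; the autorun target tells the responder which executable to collect for analysis before the drive is cleaned.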

The backdoor could allow a hacker to remotely connect to a victim’s computer at a later stage to perform other malicious tasks.

This isn't the first time researchers have run into fake copies of the popular smartphone virtual reality game.

At the time of Pokémon Go's release back in early July, researchers came across an APK that claimed to be a copy of the game available on a non-Google URL which turned out to be a malicious program that loaded the DroidJack remote access trojan (RAT) onto users' Android devices.

This is, however, the first documented case of ransomware that has taken on the hit smartphone game's identity.

To avoid ransomware, users are encouraged to regularly back up files and to keep their security solution updated. With the introduction of the game in new regions and the increasing craze around it, cybercriminals will find more ways to capitalize on it. Users should remain vigilant of threats that ride along with the popularity of such games.

UK Tops Europe's Online Drug Sales

Drug dealers in the UK earn more than their European counterparts and make huge profits from the global online drugs market. In research by Rand Europe, UK drug dealers made £1.7m in online sales and grabbed a 16% share of the global online drugs market. The US has the largest market share, with 35.9 per cent.

Commissioned by the Netherlands government, Rand Europe trawled the eight largest drug marketplaces on the dark web. Rand found that the most common drug sold on the dark web is cannabis, which accounts for 33 per cent of sales. It is followed by prescription medication such as Xanax, stimulants, ecstasy-type drugs and psychedelics.

The study noted that the transactions were dominated by drugs commonly only bought for recreational use at parties, with the likes of heroin and crack cocaine not popular online.

"A possible explanation for these differences between online and offline markets may be that crypto-market purchases typically require an element of planning, which may not suit the daily use of dependent users of, for instance, heroin," the report said.

The online drug bazaar was pioneered by Silk Road, which was shut down in 2013. Users were able to use untraceable encryption programmes and Bitcoin to purchase a wide range of narcotics and other goods.

Thailand Proposes Special SIM Card To Track Foreign Tourists

Thailand is considering a plan to issue a special SIM card to foreign tourists that would allow authorities to track their mobile phones. The plan has been approved in principle by the National Broadcasting and Telecommunications Commission, the country’s telecommunications regulator, which intends to catch those who overstay their visas.

The commission said the plan would apply to tourists only, backtracking on an earlier announcement that it would cover all foreigners, including residents on long-term visas, the Bangkok Post and other media reported.

The commission’s Secretary General, Thakorn Tanthasit, suggested that the plan would not only help catch terrorists and criminals but also help find travellers who were in trouble or had gone missing.

“We are not limiting any rights. The National Broadcasting and Telecommunications Commission has no authority to check on the location of users,” said Tanthasit. “But if tourists commit wrong, or there is a court warrant, we will then forward the warrant to a mobile phone operator and seek cooperation.”

The commission, however, did not say how the special SIM cards would differ from standard ones, which can already be tracked. Nor did it explain how it would overcome logistical hurdles, such as distributing them to such huge numbers of people or dealing with visitors who have access to cards registered to Thai nationals.

While the proposal has been approved by the NBTC, Tanthasit said the organisation would consult with police, tourism authorities and tour operators before deciding whether to implement it.

Personal Data Of Democrats Hacked And Posted Online

A hacker going by the name “Guccifer 2.0” is claiming credit for the release of personal cell phone numbers and private email addresses of Democratic House members.

The hacker, believed to be linked to Russian military intelligence agency 'Fancy Bear', also breached the contact information of staff members, campaign aides and former congressional Democrats, including House Minority Leader Nancy Pelosi.

“Guccifer 2.0” also uploaded files to a blog post that contains login information to subscription services used by the Democratic Congressional Campaign Committee, including Lexis-Nexis and Washington newspapers.

The Guccifer 2.0 Twitter account said that it would provide “the major trove” of stolen information from the DCCC, including emails, to WikiLeaks, which has already published information from a similar breach of the Democratic National Committee. The same Twitter account sent a message to The Wall Street Journal that said the hacker had acted alone, not as part of a team.

Hours after the information was posted online, an email list-serve run by the Democratic Caucus sent a notice to recipients informing them to “change passwords to all email accounts that you use” and also to “strongly consider changing your non-House email addresses if possible.” The mail also asked them to “be extremely suspicious” before opening any emailed links or attachments and to consider changing passwords for banking accounts, among other things.

A number of US intelligence officials believe the most likely culprit for stealing the DCCC data, as well as a large batch of records from the Democratic National Committee, are hackers backed by the Russian government.

Cisco acknowledges two vulnerabilities of NSA hack to be real

Firewall maker Cisco has provided a workaround for one of the two vulnerabilities disclosed in the Shadow Brokers data dump, for which no fix is presently available, and has issued an advisory on the other, which was patched in 2011, in order to raise awareness among its customers.
An unknown group of hackers, the Shadow Brokers, dumped data online this weekend and claimed to have stolen it from the Equation Group, a top-of-the-line APT believed to be associated with the NSA. The data dump affected Cisco and Fortinet’s products.
In a security advisory Cisco said both the flaws listed in the archive directory as EPICBANANA and EXTRABACON could be used to breach its Adaptive Security Appliance (ASA) software used in its firewalls; both of the vulnerabilities enable remote code execution.
The data being offered for sale by the Shadow Brokers is dated between 2010 and 2013, so the unpatched programming blunder has been lingering in Cisco hardware for years. Whoever knew about the hole didn't tell the manufacturer of the vulnerable gear.
Fortinet also said that some of its products released prior to August 2012 contained a vulnerability that would allow an attacker to take execution control over a firewall. It also urged users of versions lower than 4.x to upgrade to 5.x immediately.
Most of the exploits in dump are for high-end enterprise networking gear, including Cisco, Juniper and Fortinet firewalls.
Researchers at Kaspersky Lab confirmed a connection between the available tools up for auction and previous exploits and malware frameworks belonging to the Equation Group.
The new flaw, EXTRABACON, exploits a buffer overflow vulnerability in Cisco's ASA, PIX and Firewall Services Module. The exploit would allow an attacker to take full control of the firewall. The target device must be set up with the snmp-server enable command, the attacker must know the SNMP community string, and the devices are only vulnerable via IPv4 traffic. Once the exploit succeeds, it would allow malware to be installed and all traffic to be monitored.
The EPICBANANA exploit can be used to crash Cisco's ASA Software (version 8.4.1 or earlier) using invalid commands, and then run code on the system. The attacker must be locally authenticated on the system and must know the telnet or SSH password. Once that has been achieved, typing certain invalid commands allows the exploit to work.
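The preconditions listed for the two exploits (SNMP enabled and a known community string; an affected ASA version plus telnet or SSH access) are exactly what a defender can check in a saved running configuration while waiting for patches. The following is an added example (not Cisco's code, not from the advisory, and not from the original post) that audits an ASA configuration text for those preconditions. The two sample configurations are constructed, the `ASA Version x.y(z)` header format and the `snmp-server host ... community ...` / `snmp-server community ...` / `telnet ...` line shapes are assumptions about the config syntax, and the minimum community-string length is an arbitrary threshold for this example.

```python
import re
from typing import List, Optional, Tuple

# Community strings that should never survive a configuration review.
DEFAULT_COMMUNITIES = {"public", "private"}
# Shortest community string this example accepts (threshold is an assumption).
MIN_COMMUNITY_LEN = 8
# Upper bound of the EPICBANANA-affected ASA range named in the article: 8.4(1).
EPICBANANA_MAX_VERSION = (8, 4, 1)

# Assumed config header format: a line such as 'ASA Version 8.4(1)'.
VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", re.MULTILINE)


def parse_asa_version(config: str) -> Optional[Tuple[int, int, int]]:
    """Extract the software version from the config header, or None if absent."""
    m = VERSION_RE.search(config)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_asa_config(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the exploit preconditions the article describes."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    snmp_enabled = "snmp-server enable" in lines
    hosts, communities = [], []
    for line in lines:
        # 'snmp-server host <iface> <ip> community <str>' pins SNMP to one manager;
        # 'snmp-server community <str>' sets a global string with no source restriction.
        if line.startswith("snmp-server host "):
            hosts.append(line)
            m = re.search(r"\bcommunity (\S+)", line)
            if m:
                communities.append(m.group(1))
        elif line.startswith("snmp-server community "):
            communities.append(line.split(None, 2)[2])

    if snmp_enabled and not hosts:
        findings.append(("high", "SNMP enabled with no 'snmp-server host' entries: any reachable IPv4 source may poll the device"))
    elif snmp_enabled:
        findings.append(("info", f"SNMP enabled for {len(hosts)} configured manager(s); EXTRABACON exposure remains until patched"))

    for community in communities:
        if community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
            findings.append(("high", f"weak SNMP community string '{community}'"))

    version = parse_asa_version(config)
    if version is not None and version <= EPICBANANA_MAX_VERSION:
        findings.append(("high", "ASA %d.%d(%d) is within the EPICBANANA-affected range (8.4.1 or earlier)" % version))

    if any(line.startswith("telnet ") for line in lines):
        findings.append(("medium", "telnet management access configured; EPICBANANA needs an authenticated telnet/SSH session, so prefer SSH and limit source addresses"))
    return findings


def high_findings(config: str) -> List[str]:
    """Convenience view: only the messages rated 'high'."""
    return [msg for sev, msg in audit_asa_config(config) if sev == "high"]


# Constructed sample configurations (not real device output).
WEAK_CONFIG = """\
ASA Version 8.4(1)
!
hostname edge-fw
snmp-server enable
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
"""

HARDENED_CONFIG = """\
ASA Version 9.1(2)
!
hostname edge-fw
snmp-server host inside 10.0.0.5 community Mgmt-0nly-2016-x7 version 2c
snmp-server enable
ssh 10.0.0.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_asa_config(cfg):
            print(f"[{severity}] {message}")
```

The hardened configuration still produces an informational finding: restricting SNMP to a named manager and using a strong community string reduces who can reach the vulnerable code path but does not remove the bug, which is why the article notes Cisco's workaround is an interim measure until a patch ships.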
Cisco said it has not yet released software updates for ASA that address the zero-day vulnerability; there are workarounds as well that Cisco recommends until patches can be applied.
The Shadow Brokers also claim that their exploits will work on firewalls from Juniper Networks and TopSec, but neither company has publicly acknowledged the leak. The Shadow Brokers say they have additional yet-to-be-released exploits and are offering the data for sale in a Bitcoin auction. The group is asking for 1 million bitcoin (around $568 million at current rates), but the auction has yet to receive any significant bids.
If the auction is unsuccessful, the vulnerabilities contained in the data may come to light. Wikileaks has claimed to have access to the data and says it will publish a “pristine copy” soon.
“We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course,” read WikiLeaks tweet.
There is less chance of anyone bidding on it if WikiLeaks releases it.

Hackers claim they hacked NSA-Linked group

A group of mysterious hackers calling themselves the "Shadow Brokers" claims to have hacked a vaunted, likely state-sponsored hacking group that many believe is linked to the NSA, and has dumped a bunch of its hacking tools.

The Shadow Brokers are auctioning source code purportedly from the Equation Group and are asking for 1 million bitcoin to release more files.

“Attention government sponsors of cyber warfare and those who profit from it,” writes the Shadow Brokers in an auction notice, which journalist Brian Krebs said, "reads like a script."

“How much you pay for enemies cyber weapons? Not malware you find in networks… We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.”

The auction is being run in an unusual way: interested parties are told to send their maximum offer in bitcoin. The group will keep all the funds, and says it will send the highest bidder the code.

If the auction raises 1 million bitcoin, about half a billion dollars, the Shadow Brokers promise to put even more files out for sale.

The files were initially posted to the code-sharing site GitHub, which has since disabled access.

Twitter reinstates DNC hacker’s account


Twitter has reinstated the suspended account of a hacker known as ‘Guccifer 2.0’, who publicised leaked personal data belonging to Democratic politicians, but WordPress has now censored his website.
The hacker had leaked the sensitive data of 193 current and former members of Congress on August 12.
House Democratic Minority Leader Nancy Pelosi (D-CA) said she received “obscene and sick calls” after her contact details were released by the hacker. In a letter to party colleagues, Pelosi also advised them to change their contact numbers.
"I am changing my phone number, and I advise you to do so as well," said Pelosi.
Twitter did not state any reason for removing Guccifer’s account from the platform and reinstating it within 24 hours, but the hacker’s attempts to disseminate the information via a WordPress site were undone after the web platform censored the page hosting the hacked data.
“Some content on this page was disabled on August 13, 2016 upon receipt of a valid complaint regarding the publication of private information,” read a note on the hacker’s site, followed by a link to WordPress’s policy on sharing private information.
Technical analysis of the leak by security companies has asserted that the hack had links to Russia, though Putin has denied the charges. Guccifer too has denied accusations of being associated with the Russian state. US intelligence chief James Clapper said there wasn’t enough evidence to point the finger just yet.
The hack follows a breach of the Democratic Congressional Campaign Committee (DCCC) late last month. More than 19,200 emails from DNC members were published via the whistle-blowing website WikiLeaks in July.
Guccifer, however, has now promised to hand emails and materials from the DCCC hack to Wikileaks.

“#Guccifer2 I'll send the major trove of the #DCCC materials and emails to #wikileaks keep following...,” read Guccifer’s tweet on August 13.
Neither Twitter nor WordPress has commented on the data leak.
Concerns have been raised about the impact on DCCC officials. Besides contact information, the latest leak contained documents relating to the election campaign and details about some Democratic politicians' staff members.
Affected House representatives have been advised to change passwords to government and personal accounts.
The FBI is leading an investigation into the leaks.

Volkswagen vulnerable to hacking

After being mired in controversy for more than a year, Volkswagen is again in the news, this time for a vulnerability in its locking system: the keyless entry system can be hacked.

The University of Birmingham's School of Computer Science conducted a 17-page study and found that hackers can use a $40 battery-powered RF transceiver to essentially clone the automaker's Remote Keyless Entry (RKE) system and lock or unlock a VW vehicle whenever they like.

Authors Flavio Garcia and David Oswald studied more than 100 million VW, Audi, Seat and Skoda cars sold since 1995, and found that they can be exploited by simply recovering the RKE system's cryptographic key.

"We discovered that the RKE systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years," the study noted.

The study also involved German security firm Kasper & Oswald; according to the firm, at least 10 other car brands are vulnerable to similar hacking schemes. Those studies will be released later.

"We were kind of shocked," Timo Kasper told the BBC. "Millions of keys using the same secrets - from a cryptography point of view, that's a catastrophe."

The researchers are currently working with Volkswagen on solving the issue.

The models that are not affected by the issue include the Golf, Tiguan, Touran and Passat, a VW spokesperson said.