The UK's financial regulator was targeted by almost a quarter of a million (240,000) malicious emails in Q4 2020. The Freedom of Information (FOI) data highlights the tremendous pressure large organizations face to protect their assets. Griffin Law, a litigation firm, filed an FOI request with the influential London-based regulator, the FCA (Financial Conduct Authority). As Gov.UK puts it, "The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers."
Forward Air, a trucking and freight transportation logistics company, said that a ransomware attack cost it $7.5 million. The attack has weighed heavily on the company's Q4 financial results. The figure stems from "loss of less-than-load (LTL) trucking business" rather than from the costs of responding to the incident. The loss occurred mainly because Forward Air had to temporarily pause electronic data operations with its customers. The incident happened on 15 December last year and was attributed to Hades ransomware.
The fear of scam text messages may seem distant by now. Alongside the well-engineered, sophisticated attacks of recent times, the threat from scam messaging may look small, but it remains a persistent danger. SMS (short message service) scams work much like email phishing: both rely on social engineering. Known as "smishing" (SMS plus phishing), these attacks try to lure victims into handing over information and account access that benefits the attacker.
An Iranian hacking group gained access to an insecure Israeli water facility's industrial control system (ICS). The hackers also posted a video online to demonstrate the credibility of the attack. Experts from OTORIO, an industrial cybersecurity firm, reported that the group broke into the HMI (human-machine interface). Taking advantage of the insecure HMI, the hackers gained access and later posted the video.
Cybersecurity experts at Trend Micro found a macOS backdoor which they believe is used by the Vietnamese threat actor known as "OceanLotus." Also tracked as APT32 or "APT-C-00," the group is well resourced and persistent. Experts say that OceanLotus targets government agencies and corporate organizations, particularly in Southeast Asia. At the beginning of 2020, the group launched COVID-19-themed espionage campaigns targeting China.
On 19 November, E-Hacking News conducted an interesting interview with Sepio Systems. The company provides its customers with the highest level of visibility, policy enforcement, and Rogue Device Mitigation capabilities. The guest speaker for the interview was Mr. Bentsi Ben-Atar, CMO and Co-Founder of Sepio Systems.
Founded in 2016 by veterans of the Israeli intelligence community, Sepio makes HAC-1, the first platform that provides visibility, control, and mitigation for zero trust, insider threat, BYOD, IT, OT, and IoT security programs. Sepio is a strategic partner of Munich Re, the world’s largest reinsurance company, and of Merlin Cyber, a leading federal cybersecurity solution provider.
1. Can you please introduce yourself to our readers?
Bentsi Ben-Atar: I am one of the co-founders of Sepio Systems. The company was founded by a group of founders who have been working together for almost 30 years now. We have a strong background in cybersecurity and in “rogue device management” in general.
2. Can you please tell us about your company, Sepio Systems?
The company deals with a unique domain within the cybersecurity industry, and that’s the issue of managing the hardware within enterprises. What we have built is a solution that covers all aspects of hardware access control, which we call “HAC,” and our solution is called “HAC-1.”
We see that enterprises are struggling with three elements of hardware access control. The first one is the fact that they have limited visibility into whatever is connected, and sometimes there is a very significant gap between what people think is connected and what is actually connected. So, there are visibility gaps that need to be addressed, and they need to be addressed regardless of the device itself.
Once you have visibility and are aware of your assets, you can move on to the policy enforcement features of your enterprise. It means that now you can apply certain policies while you are working from home and a different policy while you are at the office.
And once you have these two pillars in place, you can move into the more interesting part of the solution, and those are the security aspects. You know what devices are connected, and you know how to disable or mitigate any risk associated with them. Now you need to provide the Rogue Device Mitigation.
3. Please explain Hardware Access Control to us.
Hardware Access Control is the term used to describe a solution that manages all aspects of hardware devices. Hardware devices may be network elements, possibly controlled by NAC (Network Access Control), or a USB peripheral connected to an endpoint (controlled by EPS/EDR). HAC does not distinguish devices by their interface and provides an aggregated, holistic approach to hardware asset management.
4. What are Rogue Devices and what is their impact on enterprises?
Rogue devices are hardware-manipulated or firmware-manipulated devices that are introduced into enterprises. One of the main channels for these attack vehicles is the supply chain, which is a significant risk for enterprises, as hardware screening is a huge challenge.
The other popular attack vehicle is the human factor. In that case, human beings will always be the weakest link, because people can be threatened, they can be paid off, they can be extorted. I think that history has shown that any human being has a weak point. If you, as a cybercrime organization, can extort a certain bank and gain access to a certain system, in most cases you will get away with it.
5. Why do you think these “Rogue Attacks” are on the rise?
We see a growing number of attacks that are based on hardware tools. From the attacker's perspective, they have the option of either going head to head against existing cybersecurity products or finding an alternative path into the enterprise. There are a lot of hardware-based attacks happening all around the world on critical infrastructure like banks, data centres, retail, etc. In most cases they don’t reach the public eye, for several reasons.
First, companies in most cases are very reluctant to admit that they have been breached through this domain, because it also reflects on their level of physical security, and no one wants to admit that someone was able to plug in a rogue device. On the other hand, there are a lot of attacks that create a signature that may be wrongly attributed to other types of attacks.
One of the demos that we really love to do is demonstrating the vulnerability of wireless keyboards and mice; these devices can be easily manipulated and spoofed. For example, let’s say you’re sitting in your home or office; there could be a guy sitting in the next building, it doesn’t have to be next to your endpoint. By using a very simple, publicly available payload that runs on a Raspberry Pi, you can actually spoof the communication between that wireless keyboard and mouse. You can do remote keylogging and, most importantly, you can point that endpoint to a certain URL where a certain piece of malware is waiting to be downloaded.
In the end, you still have to get past the human factor, which is convincing the user that this link is not a suspicious link. So, there are a lot of obstacles that need to be dealt with. Compared with the option of coming with an out-of-band Raspberry Pi with a spoofing capability, you open up the browser independently, and forensics-wise it would look like this was an act of an employee within the organization.
So sometimes it would be attributed to a phishing attack or to wrongdoing by an employee, while in real life the story is completely different.
6. How does Sepio Systems counter these Rogue Devices?
Sepio Systems HAC-1 “dives deeper” into the physical layer, revealing the true identity of a given device, not according to what it “says” it is, but according to what it really is. These capabilities are achieved through a unique algorithm, a combination of physical layer fingerprinting and machine learning augmentation.
7. The Data Security Council of India (DSCI) has also talked about your company. Can you please tell us more about this project and the ‘Sepio Prime Rogue Device Mitigation Solution?’
Without referring to any specific name (a customer or not), our solution is provided to enterprises, especially the ones concerned with their data. These enterprises can be financial institutions, government agencies, or other entities extremely concerned with these attack vehicles.
We provide them with solutions that cover two main interfaces. One is the USB interface and the other is the network interface. Our solution actually monitors and analyses the physical layer information. It means that we don’t look into user traffic or user log files. We read out all the physical-layer-related information and analyse it with an algorithm that is a combination of physical layer fingerprinting and machine learning. We can actually detect the existence of such passive devices.
One of the coolest features of our solution is that it doesn’t require a baseline or training period. Obviously, in today’s cybersecurity atmosphere, no single solution provides a complete seal for the entire enterprise. Therefore, the capability of integrating with other solutions is extremely important, and all these solutions are easily integrated with ours, so that we can actually extend the visibility of the enterprise into the deeper layer.
8. Can you explain how this Layer-1 solution works?
Our solution actually consists of two main functionalities. The first one deals with Network Security and the second one deals with Peripheral Security/Endpoint Security. The way Network Security works is that we communicate with the existing networking infrastructure using read-only commands. The only thing the enterprise needs to do is to provide restricted user credentials for our solution.
Before our deployment, we actually provide a list of the commands that we will be using. Once we get the information, we compile it using an algorithm that is a combination of physical fingerprinting and a machine-learning-enhanced solution. The fingerprinting is extremely important because when we get a hit, we can actually name the attack tool. The deployment process itself is straightforward; it takes less than 24 hours to have everything up and running.
The output and value of this solution are instantly delivered: you can actually see all the rogue devices and gain visibility. In a very interesting incident, we found a gaming console connected to a secured network, approved by NAC but never reported.
Now, the second part of this solution deals with peripherals. It is a bit different, because in the endpoint case the endpoints could be offline, and you want to make sure that the mitigation, once a rogue device has been detected or even just a breach of policy, is immediate, so that the USB device will be blocked. When the attacker comes in, they can configure their attack tools to present the same façade as a legitimate device.
So, the difference between Network Security and Endpoint Security (algorithm-wise) is the fact that on the peripheral side we also fingerprint ‘known to be good’ devices, so that we have a full database of good devices and bad devices. One of the nicest features we also have is the ‘threat intelligence database’; it means that every installation has a local copy of our threat intelligence database, which includes a list of all ‘known to be vulnerable devices.’
9. Tell us more about the leadership team behind Sepio Systems.
Our leadership is something that we take great pride in. We are a U.S.-Israel based company, headquartered in Rockville, Maryland. We have a very strong all-women U.S. board, which we take great pride in, led by the current CISO of HSBC. We have interviews posted on social media with what I think is a fascinating array of women who bring tremendous value to our company.
We have strong backing from various industry leaders and veterans of various government agencies. We perceive ourselves to be kind of a task force to deal with this domain, which was until now significantly underserved.
10. During the COVID-19 pandemic, everyone has started working from home; sometimes it can be a kid playing a video game on a PC. How does an organization keep the family’s data separate from the employee’s? How do you make sure that the family’s data is not being taken by your systems?
Enterprises first need to have a clear policy about their equipment. Having a policy without the capability of enforcing it is ineffective. First of all, the employee needs to understand the risks associated with it. And for that, we have a very interesting video series called Captain RDM, which actually illustrates very serious cases in a non-technical way.
You can do one of two things. As a CSO, you can issue (this is what a lot of enterprises do) a company-issued device for it. If you are in need of an additional keyboard, we will provide you with that. If this is not the case, we make sure to know if a ‘known to be vulnerable device’ is connected and block it.
For work-from-home cases, we have allowed the ‘1 + 1’ option; it means that for every license our user got, they were eligible for another license without any additional cost.
11. On your website, people talked about how Sepio Systems has efficiently countered Rogue Device Threats and the Internet of Threats (IoT). Before we conclude the interview, do you have anything to say about that?
One thing that we’ve learned is never to disrespect your opponent. They will always be innovative and smart. They are able to provide attack tools that are cocooned within legitimate-looking devices in ways that you can only imagine. When there is enough motivation for the attacking party for a specific target, because it is a specifically lucrative target, they will find a way to get into it, even if it’s a data centre or a highly secured facility; anything can be achieved.
With IoT, smart nations and smart cities coming up, a lot of hardware getting installed all over, and the Covid pandemic making people work from home, this issue becomes more relevant. It is more relevant today than it was yesterday, and it is going to get even more relevant as the days go by.
In a recent report, experts at cybersecurity firm Kaspersky described changes in the strategies and plans of attack campaigns against industrial organizations. In 2018, Kaspersky issued a report describing the use of TeamViewer and RMS (Remote Manipulator System) in the attack campaign. Since that campaign, however, the attackers have evolved their techniques and strategies, becoming more effective and sophisticated.
From the start of this year, according to government agencies, the 2020 U.S. presidential election was expected to be one of the "safest" elections conducted to date. Compared with the 2016 U.S. elections, voting machines are almost risk-free; the systems leave no trace of the paper record's history. This time, the government has also gone all-in to secure the election against criminal actors. Chris Krebs, director of cybersecurity at the DHS (Department of Homeland Security), said in an election awareness video that he has never been more sure of a safe election than this one.
The University of Vermont's health network suffered a cyberattack that has impacted its network infrastructure. The attack hit six Vermont and New York hospitals. Spokesperson Neil Goswami says that the FBI is currently working with the network and the Vermont Department of Public Safety to look into the issue. Dr. Stephen Leffler, president of the University of Vermont Medical Center in Burlington, said in a news conference that patients in need are receiving health services and that treatment is not affected.
Cybercriminals are attacking U.S. healthcare systems, disrupting network infrastructure and stealing critical data. U.S. federal agencies have issued an alarm that healthcare is in great danger from cyberattacks and intrusions. Hackers have become more active in attacking healthcare networks. The rise in hacking attempts has increased the risk of breaches of patient privacy, a critical issue during the Covid-19 pandemic, as case numbers are at an all-time high.
In a recent cybersecurity incident, the U.S. government issued a statement saying that state-sponsored Russian hackers attacked U.S. agencies and successfully breached government networks. CISA (Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) issued a joint report on the issue, U.S. government officials confirm.
Businesses have increasingly adopted IoT devices, especially amid the COVID-19 pandemic, to keep their operations safe. Over the past year, the number of IoT devices deployed by organizations on their networks has risen by a remarkable margin, according to research by Unit 42, Palo Alto Networks' threat intelligence arm.
Cyberattacks during the Covid-19 pandemic have exposed flaws in cybersecurity systems. We should look closely at these attacks and learn from the experience new ways to strengthen cybersecurity infrastructure.
Cybercriminals are using a newly created artificial intelligence bot to generate and share deepfake nude images of women on the messaging platform Telegram. The Italian Data Protection Authority has begun to investigate the matter following a report by visual threat intelligence firm Sensity, which exposed the 'deepfake ecosystem' — estimating that almost 104,852 fake images had been created and shared with a large audience via public Telegram channels as of July 2020.
In a recent cybersecurity incident, Iran confirmed that it suffered two significant cyberattacks. One of the attacks even targeted Iranian government organizations. The IT department of the Iranian government reported that the hackers attacked two major Iranian institutions. However, no hacking group has claimed responsibility for the attacks as of now. The Iranian government has yet to confirm whether the actors involved in the breach were domestic or foreign. The target of the earlier attacks, which happened on Monday and Tuesday, has still not been confirmed by the government.