Search This Blog
Load More
Trendy Right Now

Popular Posts

Banner
Showing posts with label Cybersecurity. Show all posts
Vulnerability report
Cybersecurity Home Camera IoT Vulnerabilities and Exploits Vulnerability report

Hackers Exploit Camera Vulnerabilities To Spy On Parents

 

Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were find in the IoT gadgets, made by China based developer Victure, that were found by BitDefender experts. In a security report, BitDefender revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. 

"When choosing a baby monitor, the security aspect should trump features or price point.This is because similar vulnerabilities have been used in the past by threat actors to directly communicate with children, thus exposing them to interactions with adults outside the family’s circle of trust," Daily Swig reports. As of now, Victure isn't aware about the complete attack scenerio, but it believes that the hacker could exploit the vulnerabilities and spy on residents using these cameras constantly or let other users do the same. 

Cloud users rely on using camera and cloud features and according to experts, around 4 million cameras across the world are impacted by the issue. The vulnerability impacts Victure PC420 firmware variants 1.2.2 and earlier. BitDefender released a report on the vulnerabilities after trying to contact Victure to inform them about the issues. BitDefender tried to make various attempts to get in touch with the company to offer them assistance to deal with the issues. The firm then decided to release a report on the issue to let users know about the vulnerabilities, as their privacy is on stake when their devices are connected. 

Experts advice users to stop using devices immediately and residents should give security priority rather than device." We have been warning about the dangers of vulnerable video equipment for years and we started this vulnerability research project to help parents protect their privacy, as well as their children’s. Sometimes, vendors choose to ignore these gaping holes and leave customers exposed instead" said the researcher to Daily Swig.
Read more »
malware
Cyber News Cyber Security News Cybersecurity Malicious actor malware

VIP72: 15-Year-Old Malware Proxy Network Goes 'Dark' Without Notice



A 15-year-old cybercrime anonymity service called VIP72, in the past, allowed a large number of cybercriminals to cover up their actual location by routing traffic via dozens of hacked computers seeded with malware – suddenly went offline for a period of two weeks and has not shown any signs of return. 

Similar to other proxy networks advertised on the darknet and other cybercrime forums, VIP72 also routed its clients' traffic via systems that have been infected by malware. Employing the malicious service, users could choose network nodes in almost any of the countries to relay their traffic as they conceal themselves behind some unsuspecting user's URL. 

Over the past few days, the darknet has been flooded with  "R.I.P" texts for the malware proxy network, VIP72 that went dark without any prior notice. Initially, the authors of VIP62 told their customers that they will be back online shortly, indicating it's a maintenance issue that's restricting their operations. “Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!”, read a notice titled “We'll be back soon!” 

It was updated to read, “Socks client will be unavailable within next 5 (FIVE) days for planned upgrades. We will resume normal work of socks client till the end of this week. All active subscriptions will have +8 days to existed paid period.” 

“—We only work on web vip72.com and sellvip72.com/en. Do not access fraudulent websites on google search e.g: vip72.cx, .us etc...”, the notice further read in 'red' letter font. 

Originally set up in 2006, VIP72, had a long run assisting malicious actors in concealing their real location via a well-founded proxy service. Basically, the proxying service of VIP72 effectively obscured the identity and true location of malware campaigners by routing their traffic via multiple network bounces. In a nutshell, VIP72 essentially offered its customers safety from the security police. 

However, ironically enough, the U.S.-hosted proxy service itself has presumably faced something serious, perhaps, a case of policing. Other experts speculate, that VIP72 might have experienced trouble in competing against newly emerged sophisticated anonymity network services. Although the reason behind VIP72's sudden disappearance remains unclear and the website has gone offline for two weeks now, the proxy service is still accessible to some of the users, which makes sense as the compromised hosts would still be infected with the malware and will indefinitely continue to forward traffic for as long as they remain under the effect of proxy malware.
Read more »
Ransomware
Apple Cybersecurity Hacking Attack Ransomware

Hackers Attack Apple Prior to Launch Event, Demand Ransom

 

On the day when Apple was ready to declare a new series of products at its Spring Load Event, there happened a leak from an unexpected quarter. The infamous cybercrime gang REvil took the responsibility for stealing data and schematics from Apple's supplier 'Quanta computer' relating unreleased products. The gang also threatened to sell the data to the highest bidder if the target failed to pay a ransom of $50 Million. For the credibility of the attack, the hackers release caches of docs relating to upcoming MacBook Pros. iMac schematics have also been added since the last attacks. 

The suspenseful timing and links to Apple raise controversy about the attack. However, it is also a reflection towards the rising no of disturbing ransomware incidents that appear today. Hackers have evolved through years of developing their mass data encryption techniques to log targets out of their own devices. Presently, these gangs are more focused towards data theft and extortion as their primary means of attacks, while demanding hefty ransoms in the process. 

"Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands. We recommend that Apple buy back the available data by May 1," said REvil in the stolen data post. Since the start, ransomware attacks have involved capturing the victim's device, encrypting files, and then demanding ransom through simple transactions, in return for providing the decryption key. 

Now, however, hackers have moved towards a unique approach, along with encrypting the files, they steal files and threaten to leak them, this gives them leverage over their victim, assuring ransom payment. Even if the victim recovers his data, the risk of a hacker leaking his data still persists. The Wired reports, "and in the past couple of years, prominent ransomware gangs like Maze have established the approach. Today incorporating extortion is increasingly the norm. And groups have even taken it a step further, as is the case with REvil and Quanta, focusing completely on data theft and extortion and not bothering to encrypt files at all."
Read more »
Ransomware
Blockchain Cybersecurity Ransomware

Experts Confirm Shady Ransomware Business, Block-chain Transactions on Rise


 

Chainalysis, a blockchain investment firm, recently published a report that confirms that ransomware operating cybercrime groups don't always work in their own arena and often switch ransom suppliers, also called RaaS services, in a look-out for better profits. ZD Net says, "by taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can't profit from their work." 

The research looked into Bitcoin funds transactions from victims to cybercriminals, and how the stolen money was split between various hacking groups active in the ransomware cyber attack. It also analyzed money laundering. However, to grasp these things, a surface knowledge of present ransomware is required. The ransomware landscape in the present time operates in the same way a modern business does. 

Today, many coders exist which build and rent these ransomware strains through RaaS service, similar to how modern software is offered today. Few coders are selective in renting these ransomware strains to a very limited group of people or groups better known as "affiliates," whereas some coders rent it to any user who has signed up for its use. In cyberattack incidents, it is usually these affiliates who are behind the orchestration of such attacks. The affiliates usually hack into government or corporate networks using emails, and then use these rented ransomware strains obtained via RaaS to infect and encrypt the systems. 

In a few incidents, experts observed, the affiliates have also been in multiple groups. Few specialize in intrusion and getting access, these are called initial access vendors, whereas others are well versed with spreading the initial access of hacked networks to maximize the ransomware damage. Chainalysis report, "while we can’t say for sure that Maze, Egregor, SunCrypt, or Doppelpaymer have the same administrators, we can say with relative certainty that some of them have affiliates in common. We also know that Maze and Egregor rely on the same OTC brokers to convert cryptocurrency into cash, though they interact with those brokers in different ways."
Read more »
Spam
Cybersecurity phishing Phishing emails Spam

Financial Conduct Authority of UK Hit by 2,40,000 Spam Mails, Some Contain Malware

 

Financial Regulator of UK was spammed by almost a quarter of a million (240,000) malicious emails in the Q4 of the year 2020. The FOI data gives important highlights about the tremendous pressure that big organizations are facing to protect their assets. Griffin Law, a litigation firm, has filed an FOI with an influential London-based agency, the FCA (Financial Conduct Authority). As per Gov.UK, "The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers." 

The firm says that FCA was spammed with around 240,000 malicious emails (also unsolicited) during the course of the last three months of 2020, an average of 80,000 emails per month. November observed the highest mails-84,723, whereas October had 81,799 and December 72,288. Most of the mails were listed as "spams" whereas more than 2400 mails had malware containing trojans, bugs, worms, and spyware, says the report. Fortunately, the FCA had blocked all the malicious emails that it received, however, the main threat isn't from these mails but from targeted spear-phishing campaigns. Tim Saddler, CEO, Tessian, emphasizes that phishing emails have become a persistent threat today because it is easy to target humans than to hack machines. 

Tim said, "cyber-criminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it." He further says, "it just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials." 

This is not the first time when the Regulator has sidelined its cybersecurity issue. In February last year, Regulator had to apologize on public forums when it accidentally posted personal information (including name and address) of the few users who had lodged complaints against the agency. The irony is, the data leak happened as a Regular's solution to an FOI request.
Read more »
Ransomware attack
Cybersecurity Ransomware Ransomware attack

Trucking Company Forward Air Hit by Ransomware, Suffers Heavy Loss of $7.5 Million

 

Forward Air, a trucking and freight transportation logistics company said that it suffered a ransomware attack of $7.5 million. The attack has caused heavy damage to the company's Q4 financial results. The amount comes from "loss of less-than-load (LTL) trucking business" and not costs suffered that dealt with the incident.  The loss mainly occurred because Forward Air had to temporarily pause electronic data operations with its customers. The ransomware incident happened last year on 15th December and was termed as a cyberattack using Hades ransomware. 

The attack compelled Forward Air to shut down its IT systems offline and close down electronic operations to deal with the issue. As per Freight waves, a trucking news site, the cyberattack had had a huge impact on the company's daily operations as the workers and employees couldn't get the required files to pass through the customs. Though the company says that everything is back to normal now, the SEC (Security and Exchange Commissions) filing and the large amount that the company had to pay tells otherwise. This is why cybersecurity experts always recommend being safe in the first place than to actually deal with a ransomware attack.  

Freight Waves reports, "While the cause is not disclosed, the wording of the Forward Air note is similar to what other companies will state when they are under a cyberattack. Additionally, the failure of the website and the fact that the source at the 3PL said emails to Forward Air were bouncing often are marks of a cyberattack." 

The SEC filing didn't mention Forward Air paying any ransom amount nor about any cyber insurance policy. Coveware, a company that deals in ransomware payment negotiations, published a report last week which said that the organizations are refraining to pay ransoms now as they've realized that the hacking groups don't always delete the stolen data.  Today, the companies choose to build again from scratch instead. Though the ransom payments saw a decline, the year 2020 was the highest ransomware year.  As per the report from Chainalysis, 2020 observed a total ransom payment worth $350 Million, 311% more than 2019.   
Read more »
E-Commerce
Credit Card Theft Cybersecurity Dark Web E-Commerce

E-Commerce Theft: Dark Web Card Payment Store ValidCC Shut Down


A dark web market handled by a cybercrime group, Valid CC has been hacking online merchants and stealing payment credentials for more than six years. Last week, Valid CC closed down abruptly. The owners of Valid CC say that a law enforcement operation seized their servers. The operation aimed to seize and capture the store's infrastructure. A number of online shops sell "card not present" or "CNP" payment data on the internet. The payment data may be stolen from credit cards of e-commerce stores, but it's mostly sourced from cybercriminals and threat actors.  

However, in the case of Valid CC, experts believe that the store attacked and hacked hundreds of e-commerce merchants. The hackers seeded websites with hidden card skimming codes that stole personal information and payment credentials when a customer went through the checkout stage.   Group-IB, a Russian based cybersecurity firm, had published a report last year where it briefed about the operations of Valid CC, highlighting that Valid CC was responsible for hacking around 700 e-commerce stores. Besides this, Group IB identified another group "UltraRank" responsible for attacking additional 13 third-party suppliers that offered software components to these online stores spread across Europe, America, and Asia.  

Experts believe that UltraRank orchestrated a series of cyberattacks, which were earlier attributed to three different cybercrime groups by cybersecurity firms. "Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” said Group-IB. It adds, “UltraRank combined attacks on single targets with supply chain attacks.” Valid CC's muscle man on various platforms- a hacker who goes by the handle of SPR, notified customers that the shop would be shut down from 28 January, following a law enforcement operation that sealed Valid CC's operations. 

According to SPR, Valid CC lost access to more than 600,000 unsold payment card accounts, a very heavy blow to the store's inventory.  As a result, Valid CC lost its proxy and destination servers, and now it can't open and decrypt the back-end, says SPR.  Group-IB reports, "the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English, however, SPR often switches to Russian, while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker."  
Read more »
SMS
Cybersecurity phishing SMS

Users on Alert as Text Scamming Attack on The Rise


The fear of scam messages may seem far now, and even distant.  With the rise of well-engineered and sophisticated attacks in recent time,  the threat of scam messaging attacks may seem low, however, they are still a persistent danger. SMS (short message service) scams are similar to email phishing attacks, they work through social engineering attacks. Popular as "Smishing" (SMS and phishing), the attacks try to lure victims into providing information and user access, which benefits the hacker.  

Present SMS hacking techniques 
The SMS scam warns users of a new, packaging delivery, which is considered to be better and effective than before. If the user replies, the hacker steals user data for money theft, identity theft, or stealing sensitive organization data.  In one particular attack, the message leads the victim to a website and then rewards with a small gift (a smartphone, for instance) in return, for filling a survey. The attackers ask for credit card credentials for shipping and then steals the money.  Similarly, another SMS scam variant uses fake bank messages for its attack. The hacker lures the victim to give away their banking credentials, and if the victim does so, the attacker uses Emotet malware to infect their devices.  Whereas in some scams, the victim is threatened with violence if he doesn't pay the ransom. The approaches in all these attacks may be different, but they all share a common goal, which is to gain access to personal information. In all these attacks, the victim is asked to open a link or go to a website, the hackers use these malicious links and websites to steal user data.  Some other scam campaigns use relief funds, food aids, bank, covid-19, or jury duty to fool the victim. It is quite difficult to grasp the content of these attacks, however, in the future, these attacks would be even more sophisticated and dangerous, with brand new content.   

Why these attacks are successful. 
Scammers are constantly striving to attack smartphone users, which is a part of a larger threat campaign series. The hackers here have the upper hand, first, they always come up with new techniques to attack users, secondly, in most of cases, victims are not even aware of these attacks. About social engineering, the initial stage is misdirection, where the user is excited and they become assured about whatever texts they receive.  For example, "you've got a text but there's a problem with your credit card."  A different variant of this theme delves into people's likes or interests to get their attention.  An attacker might use an emotional text to trigger user action.  This is why people often receive scam texts which have- Fire! Politics! Lottery! Crime! Hackers use these event references to trigger user action and make them click on a link, or open a website.  

How to protect yourself from scams.  
It is crucial for users to know how to stay safe from these scams and attacks. Application security, mobile data protection, and mobile phone security are the key components here.  Here's what a user can do: 

1. Avoid responding to suspicious messages, especially texts that ask you to click a link. Contact the source to confirm whether the information is authentic.  You may get a text from the delivery service, asking you to click the link to confirm, visit the website instead.  

2. Do not get tricked by messages or brands that seem to be genuine. Fake branding is one of the most common ways of fooling users.  

3. If possible, always report a scam text to be safe in the future. Most importantly, do not think that scamming is a threat of the past. 

In reality, these attacks are on the rise, evolving daily with new techniques. As an organization, staff must undergo training to identify and report scam texts and to be always prepared for the challenges.
Read more »
US Government
AI Artificial Intelligence Cybersecurity Information Security risk US Government

Trukno: "On A Mission To Deliver Cyber Intelligence, Not Cyber News"

 

Trukno: Virtual Threat Intelligence Analyst to launch their Broad Beta Version on 22nd December. Every second a new attack in cyberspace takes place, according to a report by Acronis 32% of companies are attacked at least once a day and to keep up with these threats and attacks is a mind picking process. There are two ways of keeping up with Cyber Security- a) being updated with cyber blogs or b) hiring your own cyber threat analyst. But Trukno is a platform that provides a virtual threat intelligence analyst for people who want to keep up with cybersecurity, be up to date on recent attacks as well as to know the threat actors and attack landscape trend with their syndicated search engine and threat curator. 

Set to launch their Broad Beta version on 22nd December, for individuals who are full-time cybersecurity analysts as well as for the majority of people who want to know the how and happenings in cybersecurity in a much faster, easier, and detailed way. 

Ehacking news had a discussion with Trukno CEO and Founder Manish Kapoor, Co-Founder Noah Binstock, and Team about their platform, how it works, features and advantages. 

I'm sharing below the details from the interview with you all, read to know about Trukno and how you can set up a beta account for yourself: 

The Story Behind Trukno Mr. Manish (CEO and Founder): We formed Trukno in Oct 2018 in Denver Colorado. Before that I was in Cisco, which is a big networking company also very focused on Cybersecurity, I was there for 10 years and what I did day to day was to help the world’s largest service providers like AT&T, Telstra help them understand the latest going on in cybersecurity and based upon that help them build cybersecurity services they could sell to their enterprise customers using Cisco system products - that was the essence of what my team and I did and when you do that you’re going in front of the world’s largest cybersecurity companies so they know what they’re talking about in cybersecurity and hence I had the constant pressure to keep up with cybersecurity latest threats and how those could be turned into new services and I tell you it’s easier said than done. In preparation, I would blog hop from one blog to another and very quickly I started to realize, there is a difference between keeping up with cyber news vs. keeping up with cyber threats. 

The whole process would take me hours leaving me more confused and that's when I realized something is missing either I don't have the right tools or there must be a better way since then we have probably talked to 504 folks in cybersecurity from Cisco to stock analyst to researchers and we realized that this problem was not just isolated for me that problem exists for the cyber community in general. So what tools that exist today in cybersecurity are targeted for deep-dive practitioners who want to see the bits and bytes and it's a full-time job just to keep up with it and only the largest corporations in the world can hire dedicated threat intelligence analysts and everybody else who wants to keep up with cyber threats really struggles. So that is the problem we are trying to solve, and the mission we are on is to deliver cyber threat intelligence and not cyber security news. We intend to do so in the most efficient comprehensive and affordable way to the masses so that is the story behind Trukno.  

Mr. Noah (Co-founder): We found that when it comes to threat researchers and external strategic analysts there is often one position that is providing these reports for an organization and what we realized is that those reports and those patterns and findings these people are curating; they have benefits of all cybersecurity and not just the organization they are working for, so we are actually trying to find ways to scale that information. The objective information about external threats landscapes and the inner workings and patterns that are occurring in front of our eyes so we can give that to organizations and individuals without access to a dedicated intelligence analyst.

Trukno Breakdown and Features: 

Newsfeed: A news feed that you can create based on your interests; it's basically a news feed from a hundred and fifty sources for people who want to keep up with cybersecurity news at one place and users can create their own feed and have all their news sources at one place 

Dashboard: You can choose your interests of information using filters from industry, Technology, Malware, and actors. The sweet thing about this threat analyst is you can go from shallow to deep in a way that’s organized and detailed. It informs you about threat actors, breach specifics; how many times the threat was used thus the user gets very detailed information in a very short time. 

My Boards (and Team Collaboration):  You can assign Custom Tags to threats, breaches, and discussions; and comment and converse with your team. 

Trukno Vision: Mr. Manish: Our Vision is to get critical vital threat information to the broad cyber community; you don’t have to have PhD. to keep up with cyber threats. That is what we believe. That is the reason we are going to the extent of not only breaking down TTPs (Tactics, techniques, and procedures) but breaking down text associated with that TTPs in each specific breach because we want to make it a ten-second visual that gives you the summary verses a thirty-minute read. 

How it works: Mr. Manish: What we are doing is with all this curation is we are building an automated engine which is AI-driven but with human intervention to maintain quality analysis and to do that we break down every single article until the AI takes over. That is to say, It’s a combination of Artificial and Human Intelligence as 90% of the breaches use the same TTPs and on a day to day basis there are new threats surfacing that have never been seen before and AI is not going to be able to that on its own; it will always be human aided AI. So our AI will become more and more efficient with more training data but it will always be human intelligence aided. 

Next Step: Mr. Manish: Add more sources for people who want more content, people who want details we will give them IUCs, people who want news feed but more flexibility customization we’ll add custom URL capabilities and people who want more collaboration, we’ll be adding integration slack and some basic team capabilities on our side. 

How is this threat intelligence different from MITRE? Mr. Manish: Think of MITRE as a US government organization, and it has created all the rules and regulations but you won’t go to MITRE to know what happened an hour ago, what breach happened, and how that happened in the MITRE framework. So, we are creating a dashboard that uses the MITRE framework to pull all that information together. 

EndNote: Mr. Manish: We are truly on a mission to solve this very critical problem in society, cybersecurity has become one of the biggest problem facing humanity and we think that cybersecurity is not about IT, bigger boxes, and fancy software; it's about threat risk management - the importance of knowing the right threats at the right time is so critical and right now it is so hard to do that we truly believe we can move the needle on this thing with the platform to make it simple, affordable and comprehensive – that’s our mission and that's what we stand for. 

The Trukno broad beta will be open for everyone, to avail go to their website (https://www.trukno.com/). In their Beta version, all features are free for everyone, with the full version coming in the first quarter of next year will have a freemium model that is free News Feed and My Board and subscription-based Dashboard.
Read more »
Vulnerabilities. IoT
COVID-19 Cybersecurity Interviews IoT devices IOT Security Ransomware attack Technology Vulnerabilities. IoT

Active Cypher: Great Deal of Orchestration of Our Intelligence in AI into Existing Systems

 
Active Cypher: The company is built upon a socially responsible fabric, that provides information security for individuals and corporations in an increasingly complex digital age. The guest speaker for the interview was Mr. Michael Quinn, CEO, and Mr. Caspian Tavallali, COO Active Cypher. Active Cypher’s Ransom Data Guard utilizes a combination of Active Cypher’s proprietary encryption orchestration, smart AI, and advanced endpoint protection. 
 
Please tell us about your company Active Cypher? 
 

I am Michael Quinn, CEO of Active Cypher. We are a data protection company; we have an ethos within a company that the data needs to be able to protect itself wherever it is created. We have built a product line that offers those capabilities of protection against ransomware attacks through protecting data at the file level in the server environment and in the cloud. What our product allows us to do is be crypto agile. We can work with numerous encryption schemes. Once we are installed we basically back out of the situation and allow the client to run and trust their own data. 

 
Your company talked about game-changing software “Ransom Data Guard” that will protect organizations against ransomware threats. Please describe more about it. 
 
What we developed is a capability where understanding what ransomware has to do in order to take control of the device in a user environment. We built a product just before the Covid-19 and work from home culture started and we realized that people are using shared environments on the same device at home. So we basically allow the organization to encrypt the data down to the device level and protect it. The ransomware protection that we provide basically allows us to manage the files in such a way that they are not accessible to external sources like ransomware. We put this product along with our cloud fortress product to make sure that we were meeting compliance regulations. What we found after working with the law firms is we allow the companies to meet compliance through this capability if the product was ransomed or even if it was exfiltrated because we encrypt the data so the actual data itself is useless. On the ransomware side, the beauty of it is we allow a lot of flexibility in how the data can be stored and used. 
 
Besides ransomware protection, what are the other solutions Active Cypher provides? 
 
We do a great deal of orchestration of our intelligence in AI into existing systems, we integrate into Microsoft tools as well as we have APIs that can write to any of the tools that are out there. We don’t bring in to replace anything or add to anybody’s burden, we integrate into it with our information.  
 
Let’s say somebody opens a doc. file or they load up a doc. file which has an exploit. How do you handle that? 

If somebody uploads an exploit or malware and when it’s opened, because of the process we use to interrogate the document for its integrity, we will stop any process that is trying to intervene with the environment and we’ll put a warning out. What will happen is you’ll get an alert from us, let’s say you open up a “wannacry” as an example, you will get a screenshot saying “your device has been ransomed.” The reality is you can still open all your files. What we do is, with our cloud fortress product, we do a real-time backup. 
 
At a time when hospitals and medical institutions are struggling with Covid-19, how has Active Cypher protected them from ransomware threats? 

In most of the hospitals and medical environments, their IT staff lacked the sophistication to understand what was happening. Earlier, the attackers were not really trying to damage the data, they were trying to ransom it and return it. Now what the attackers are doing is, that they are actually getting into the environment and not going after the data because most of the hospitals have upgraded their capabilities along with using our products. Now, the hackers are attacking the IoT (internet of things) at the device level, which is more life-threatening. What we have done to help healthcare institutions is basically putting a “Data Guard” which is the stand-alone ransomware product on devices. 
 
How do you handle the GDPR (General Data Protection Regulation) and Privacy requirements when it’s the home environment? 

With “Data Guard,” the way the product is designed, it can be installed on a consumer device. In that environment it allows people to protect what they have like personal data or business data that they have on their device is protected. And that’s the simplicity of Data Guard, is the fact that it protects your device and the files on it and ensures that ransomware can’t launch successfully.  
 
With cyberattacks rising, is there any advice you can give to our readers on cybersecurity? 

Everybody has to be aware, you don’t have to be afraid. With the stress of work, particularly with this remote work environment, the user has to be more diligent. So, ease of use and awareness are probably the keys to maintaining good data hygiene.
Read more »
Israel
Cybersecurity Iran Israel

Iranian Hackers Attack Israel Water Facility, Gain Access To HMI Systems

 

An Iranian hacking group gained passage to an unsafe Israeli water facility ICS. The hackers also posted the video on the internet to show the credibility of the attack. Experts from OTORIO, an industrial cybersecurity firm, informed an Iranian hacking group hacked into the HMI (human-machine interface). Taking advantage of the insecure HMI system, hackers gained access and later posted the video. 

In the video published on December 1, 2020, the hackers claim an attack on a recycled water facility in Israel. "The reservoir's HMI system was connected directly to the internet, without any security appliance defending it or limiting access. Furthermore, at the publication time, the system did not use any authentication method upon entry. It gave the attackers easy access to the design and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature, and more. All the adversaries needed was a connection to the world-wide-web and a web browser," reports the OTORIO blog post. 

By gaining access, it might have let the hackers communicate with the water facility's process. For this, the hackers may have modified the parametric values like temperature and water pressure. The administrators secured the system on December 2; however, the system was still unprotected online. OTORIO says, "however, the system is still accessible through the internet without any barrier. Although this may prevent unskilled adversaries from accessing the system, those with a minimal toolbox can most likely compromise the system." 

As of now, experts don't know if the attack caused any damage. Cybersecurity experts believe the hacking group behind the attack is "Unidentified Team," which posted the video on its Telegram channel. The group has also attacked other institutes in the past, including American educational websites. "In the Israeli reservoir case, even minimal steps, such as authentication and restricting access, were not taken. This led to an easy compromise of the system. To fully protect SCADA devices, a more active approach should be applied. This includes secure remote access (e.g., VPN), access restriction based on Firewall rules, and active defense-in-depth methods," says OTORIO.
Read more »
Vietnam
Backdoor Cybersecurity macOS Vietnam

Experts Discover New macOS Backdoor, Link Attack Campaign to Vietnamese Hackers

 

Cybersecurity experts at Trend Micro found a macOS backdoor, which the experts believe is used by Vietnamese criminal actors named "oceanlotus." Famous as APT32 or "APT-C-00," the backdoor is highly resourced and resolute. Experts say that Ocenlotus targets government agencies and corporate organizations located explicitly in Southeast Asia. At the beginning of 2020, the criminal group launched Covid-19 espionage attack campaigns targeting China. 

After analyzing different C&C domains used by the sample, Trend Micro suggests that organizations not download any suspicious link or open any unknown attachment, keep systems updated, and ensure employee cybersecurity to stay safe. Compared to Oceanlotus' earlier malware variants, the current sample presents correlations in coding and dynamic behavior. The similarity in behavior hints at the sample's link to the criminal group. A file incorporated in the attack campaign shows a Vietnamese name. According to this information, experts believe that the new malware targeted Vietnamese users. 

The new sample pretends to work as a word document, but it is an app packed into a Zip archive in reality. The app uses special characters to avoid detection. According to TrendMicro, the operating system views the app bundle as an unsupported directory. It means that it uses the "open" command is used to administer the file. The cybersecurity experts found two files in the app bundle. A word file that is shown during the execution process and shell script which does malicious tasks routinely. 

According to security week, "the shell script is responsible for deleting the file quarantine attribute for the files in the bundle and for removing the file quarantine attribute of files in the system, copying the Word document to a temp directory and opening it, extracting the second-stage binary and changing its access permissions, then deleting the malware app bundle and the Word document from the system. The second stage payload is responsible for dropping a third-stage payload, creating persistence, changing the timestamp of the sample using the touch command, and deleting itself. Featuring encrypted strings, the third-stage payload contains two main functions: collecting and sending operating system information to the command and control (C&C) servers, receiving additional communication information, and performing backdoor activities."
Read more »
Security Solutions
Cybersecurity firmware New Technology Security Solutions

Interview Spotlight: Israeli Hardware Solutions, Sepio Systems

On 19 November, E-Hacking News conducted an interesting interview with Sepio Systems. The company provides its customers with the highest level of visibility, policy enforcement, and Rogue Device Mitigation capabilities. The guest speaker for the interview was Mr.Bentsi Ben-Atar, CMO, and Co-Founder, Sepio Systems.

Founded in 2016 by veterans from the Israeli Intelligence Community, Sepio HAC-1 is the first platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT, and IoT security programs. Sepio is a strategic partner of Munich Re, the world’s largest reinsurance company, and Merlin Cyber, a leading cybersecurity federal solution provider.

1.       Can you please introduce yourself to our readers?

Bentsi Ben-Atar: I am one of the co-founders for Sepio Systems, the company was founded by a group of founders that have been working together for almost 30 years now. We have a strong background in cybersecurity and “rogue device management” in general.

2.       Can you please tell us about your company Sepio Systems?

The company deals with a very unique domain within the cybersecurity industry and that’s the issue of managing the hardware within the enterprises. What we have built is a solution that provides all the aspects related to hardware access control, we call it “HAC” and our solution is called “HAC-1.

We see that Enterprises are struggling with three elements of hardware access control. The first one is the fact they have limited visibility to whatever is connected and sometimes a very significant gap between what people think is connected and to what is actually connected. So, there are visibility gaps that need to be addressed and they need to be addressed regardless of the device itself.

Once you have visibility and now you are aware of your assets, then you can move to the policy enforcement features of your enterprises. It means that now you can apply certain policies while you are working from home and a different policy while you are at the office.

And once you have these two pillars in place then you can move into the more interesting part of the solution, and those are the security aspects. You know what devices are connected, you know how to disable or mitigate any risk associated with it. Now you need to provide the Rogue Device Mitigation.

 

3.       Please explain to us about Hardware Access Control.

Hardware Access Control is the term used to describe a solution that manages all aspects of hardware devices. Hardware devices may be network elements possibly controlled by NAC (Network Access Control or a USB peripheral connected to an endpoint (controlled by EPS/EDR). HAC does not distinguish devices by its interface and provides an aggregated holistic approach to hardware asset management.

 

4.       What are Rogue Devices and what is their impact on the enterprises?

Rogue devices are devices that are either hardware manipulated or firmware manipulated devices that are introduced into the enterprises. The main channels for the attack vehicles are either the supply chain which is a significant risk for enterprises as hardware screening is a huge challenge. The other popular attack vehicle is the human factor, in that case, human beings will always be the weakest links because people can be threatened, they could be paid off, they could be extorted. I think that history along the way has shown that any human being has a weak point. If you, as a cybercrime organization can extort a certain bank, gain access to a certain system, in most of the cases you will get away with that.

 

5.       Why do you think that these “Rogue Attacks” are on the rise?

We see a growing number of attacks that are based on hardware tools. From the attacker's perspective, they have the option of either going head to head against existing cybersecurity products, or they can find an alternative path to the enterprises. There are a lot of hardware-based attacks happening all around the world on critical infrastructures like banks, data centres, retail, etc. It doesn’t get to the public eye in most cases due to several reasons.

First, companies in most cases are very reluctant to admit the fact that they have been breached through this domain because it also implies on their level of physical security and no one wants to admit that someone was able to plug in a rogue device. On the other hand there are a lot of attacks that create a signature that may be wrongfully attributed to other types of attacks.

One of the demos that we really love to do is using and demoing the vulnerability of wireless keyboards and mouse, these devices can be easily manipulated and spoofed. For example, let’s say you’re sitting in your home or office, there could be a guy sitting in the next building, it doesn’t have to be next to your endpoint. By using a very simple publicly available payload that runs on a raspberry pi, you can actually spoof the communication between that wireless keyboard and mouse. You can do a remote keylogging, and most importantly, you can point that endpoint to a certain URL that a certain piece of malware is waiting to be downloaded.

At the end, you even have to go over the human factor which is convincing the user that this link is not a suspicious link. So, there are a lot of obstacles that need to be dealt with. Compared with the option of coming with out of bound raspberry pi with a spoofing capability, you open up the browser independently, and forensic wise it would look like this was an act of an employee within the organization.

So sometimes it would be attributed to a phishing attack or wrongful doings of an employee while in real life the story is completely different.

 

6.       How do Sepio Systems counter these Rogue Devices?

Sepio Systems HAC-1 “dives deeper” into the the physical layer, revealing the true entity of a given device, not according by what it “says” it is, but for what it is really is.These capabilities are achieved through a unique algorithm, a combination of physical layer fingerprinting and Machine Learning augmentation.

7.       The Data Security Council of India (DSCI) has also talked about your company. Can you please tell us more about this project and ‘Sepio Prime Rogue Device Mitigation Solution?’

Without referring to any specific name (a customer or not), our solution provides enterprises, especially the ones concerned with their data. These enterprises can be financial institutes, government agencies or other entities extremely concerned with the attack vehicles.

We provide them with solutions that cover two main interfaces. One is the USB interface and the other is the Network interface. Our solution actually monitors and analyses the physical layer information. It means that we don’t look into user traffic, user log files. We read out all the physical layer related information by analyzing it with an algorithm which is a combination of physical layer fingerprinting and machine learning. We can actually detect the existence of such passive devices.

One of the coolest features of our solution is that it doesn’t require a baseline or training period. Obviously in today’s cybersecurity atmosphere, no single solution provides a complete seal for the entire enterprise. Therefore, the capability with integrating other solutions is extremely important, and all these solutions are easily integrated with our solutions so that we can actually extend the visibility of the enterprise into the deeper layer.

8.       Can you explain how this Layer-1 solution works?

Our solution is actually comprised of two main functionalities. The first one deals with Network Security and the second one deals with Peripheral Security/ End Point security. The way Network Security works are that we communicate with the existent networking infrastructure by using read-only commands. The only thing the enterprise needs to do is to provide restricted user credentials for our solutions.

Before our deployment, we actually provide a list of commands that we will be using. Once we get the information, we will compile it using an algorithm that is a combination of physical fingerprinting and machine learning enhanced solution. The fingerprinting is extremely important because when we get a hit, we can actually name the attack tool. The deployment process itself is straight forward, it takes less than 24 hours to have everything up and running.

The output and value of this solution are instantly delivered, you can actually see all the rogue devices and visibility. In a very interesting incident, we found a gaming console connected to a secured network, approved by NAC but never reported.

Now, the second part of this solution deals with the peripheral. It is a bit different because in the endpoint case, the endpoints could be offline, and you want to make sure that the mitigation, once a rogue device has been detected or even just a brief of policy. The mitigation needs to be immediately so that the USB device will be blocked. When the attacker comes in, they can configure their attack tools to present the same façade as a legitimate device.

So, the difference between Network Security and End Point Security (algorithm wise) is the fact that on the peripheral we also fingerprint ‘known to be good’ devices, so that we have a full database of good devices and bad devices. One of the nicest features we also have is the ‘threat intelligence database,’ it means that every installation has a local copy of our threat intelligence database which includes a list of all ‘known to be vulnerable devices.’


9.       Tell us more about the leadership team behind Sepio Systems?

Our leadership is something that we take great pride in. We are a U.S-Israel based company, we are headquartered in Rockville, Maryland. We have a very strong all-women U.S board which we take great pride in, led by the current CISO for HSBC. We have interviews posted on social media which I think are a fascinating array of women that bring tremendous value to our company.

We have a strong backup from various industry leaders and veterans from various government agencies. We perceive to be kind of a task force to deal with this domain which was until now significantly underserved.

10.   During the COVID-19 pandemic, everyone has started working from home, sometimes it can be a kid playing a video game on a pc. How does an organization keep the family’s data separate from the employee’s? How do you make sure that the family’s data is not being taken by your systems?

Enterprises first need to have a clear policy about their equipment. Having a policy without the capability of enforcing it is ineffective. First of all, the employee needs to understand the risks associated with it. And for that, we have a very interesting video series called Captain RDM which actually illustrates very serious cases in a non-technical way.

You can do one or two things. As a CSO, we can issue (this is what a lot of enterprises do) a company-issued device for it. If you are in need of an additional keyboard, we will provide you with that. If this is not the case, we make sure to know that if a ‘known to be vulnerable device’ is connected and block it.

For work from home cases, we have allowed the ‘1 + 1’ option, it means that for every license that our user got they were eligible for another license without any additional costs.

11.   On your website, people talked about how Sepio Systems has efficiently countered Rogue Device Threats and Internet of Threats (IoT)? Before we conclude the interview, do you have anything to say about that?

One thing that we’ve learned is never disrespect your opponent. They will always be innovative and smart. They are able to provide attack tools that are cocooned within legitimate looking device in ways that you can only imagine. When there is enough motivation for the attacking party for a specific side, because its specifically lucrative target, they will find a way to get into it even if it’s a data centre, or a highly secured facility, anything can be achieved.

With IoT, smart nations and smart cities coming up, a lot of hardware getting installed all over, and the Covid pandemic making people work from home, this issue becomes more relevant. It is more relevant today than it was yesterday and it is going to get even more relevant as the days go by.

 

 

 


Read more »
malware
Coronavirus Cybersecurity HDFC Bank India malware

Cyber Attacks in India At A Steady Rise as Per India's Cybersecurity Chief

 

National Cyber Security Coordinator Lt Gen (retd) Rajesh Pant recently discussed cyberattacks in India 'having gone up a multifold' in the current environment and alluded to 'China' as a "major challenge" from a cybersecurity perspective for India.

"In such unprecedented times, you mentioned two Cs the challenge of corona and the challenge of cyber. Actually, at the perch which I sit, there are 3 Cs. The third 'C' of course is on our northern border, which is another challenge that we are facing”, Pant said at an event coordinated by the largest private sector lender HDFC Bank. 

He had assumed control over the role of India's cybersecurity chief, later added that almost consistently, 4 lakh malwares are found and 375 cyber-attacks are witnessed. 

Apart from falling prey to voice call-based frauds, individuals ought to likewise be cautious about the click-baits, which are conveyed to extract data from an internet user. 

"This disease of just clicking on the link, this is another reason where the malware drops,” he stated, requesting everyone to contemplate the ongoing cases of frauds at City Union Bank where an individual entered the core banking system through a simple click, and furthermore the ones at Bangladesh Bank and Cosmos Bank. 

"The issue is some of us get unaware and that's how problems start occurring. It's a question of being conscious all the time, not a question of not knowing," said chief risk officer of HDFC Bank Jimmy Tata, as HDFC Bank launched the 'Mooh Bandh Rakho' campaign with the Bank authorities stating that the objective is to zero in on the youth, to spread awareness through different mediums, including more than 1,000 secure banking workshops and furthermore even a rap-song.

Pant had likewise before called for setting up a dedicated industry forum for cybersecurity to develop trusted indigenous solutions for check cyber-attacks. 

“Last year, our official figures were Rs 1.25 lakh crore lost due to cybercrimes in India. Ransomware attacks are increasing every day and these criminals have been working from home. They have no qualms. They are heartless people. They are attacking hospitals because they know in an emergency hospital will pay,” Pant had said at an event organized by industry body Ficci.
Read more »
Teamviewer
Cybersecurity RMS Teamviewer

Hackers Use RMS and Teamviewer To Attack Industrial Enterprises

 

In a recent report by cybersecurity firm Kaspersky, experts explained how there were certain modifications in attack campaign strategies and plans against industrial organizations. In 2018, Kaspersky had issued a report describing the use of Teamviewer and RMS (Remote Manipulator System) related to the attack campaign. However, since that attack, the hackers have evolved in techniques and attack strategies, becoming more effective and sophisticated. 

Attack Details 
  • Experts believe that the hackers have been found using fakes of legal documents that work as an instructional manual for industrial enterprises in recent attacks. The records, experts believe, were hacked in the earlier threats that hackers use to target industries. 
  • In a recent threat, hackers targeted various industries in Russia, and their primary target was the energy sector. Besides this, the hackers attacked logistics, mining, construction, engineering, metal industry, manufacturing, and oil sectors. 
  • The hackers use remote control softwares like Teamviewer and RMS for communicating during the attacks. Earlier, hackers used c2c (command-and-control) servers for the attacks. 
  • Hackers use Mimikatz utility and spyware to steal login credentials for the attacks. They also use it to attack other systems in industrial enterprises. 
  • The final aim of hackers is to take out money from industrial organizations. 

Recent attack details 
  • In recent attacks, experts noticed that various APT groups used simple hacking methods that were very effective in targetting industrial infrastructure. 
  • In a recent incident, Hacking group MontysThree APT deployed espionage attacks against an international video production and architecture company. They used PhysXPluginMfx (a third-party MAXScript exploit) and steganography for the attacks. 
  • In a similar espionage attack, hackers used infected payload as a plugin for the attacks against industrial enterprises. 

Summary 
While attacking industrial organizations, threat actors use simple but effective hacking methods that yield brilliant results. The change in hacking methods has put cybersecurity on an alert. To be safe from these attacks, experts recommend organizations to keep their cybersecurity operations updated and make it their priority. Kaspersky says, "Phishing emails used in this attack are, in most cases, disguised as business correspondence between organizations. Specifically, the attackers send claim letters on behalf of a large industrial company."
Read more »
US Elections
Cybersecurity Russia US Elections

Ahead of U.S. Presidential Elections, Experts Express Cybersecurity Concerns

 

From the start of this year, according to government agencies, the 2020 U.S. presidential election was said to be one of the "safest" elections to be conducted to date. Compared to the 2016 U.S. elections, voting machines are almost risk-free; the systems leave no trace of the paper record's history. Also, this time, the government has gone all-in to ensure election security from criminal actors. Chris Krebs, director of DHS (Department of Homeland Security) cybersecurity, in an election awareness video said he's never been more sure of a safe election than this. 

Security officials released the video last month, informing about election cybersecurity. However, the harsh reality is, the Russian cyberattacks during the 2016 elections have not entirely disappeared. To avoid the recurrence of that episode, experts suggested that the government spend billions of dollars building a robust cybersecurity system; however, Congress spent only a fraction of that. Meanwhile, social media companies dominate control over influence operations and propaganda on social media; the government seems to take no action. Cybersecurity experts insist the social media is still spreading fake news, and American users in some way have helped the spread of this fake news. 

Potential Vulnerabilities 

According to NPR, "experts agree that actual votes themselves would probably be the most difficult part of an election to hack successfully. The problem has only gotten tougher. In 2016, nearly 28 million voters cast ballots that did not have a corresponding paper trail: a major cybersecurity red flag." Meanwhile, almost every American suspects that some foreign foe may impact the vote count; no evidence suggests that such a thing happened in the 2016 presidential elections. It includes the incident where Russian hackers breached into the registration databases. 

"Stark says that the way officials can demonstrate through public auditing is a process that not every state uses. Even among the countries that do some audit, only a few do what is considered the "gold standard" of post-election audits, called risk-limiting audits. Sen. Ron Wyden, D-Ore., has proposed legislation to mandate such audits nationwide, but election reforms have gained little to no traction with the Republican-controlled Senate," says NPR.
Read more »
Ryuk Ransomware
Cybersecurity Healthcare Ryuk Ransomware

University of Vermont Health Network Suffers Cyberattack, Six Hospitals Affected

 

University of Vermont's health network suffered a cyberattack, which has impacted its network infrastructure. The attack has hit six Vermont and New York hospitals. Spokesperson Neil Goswami says that the FBI is currently working with the network and Vermont department of public safety to look into the issue. President of the University of Vermont Medical Center in Burlington, Dr. Stephen Leffler, in a news conference, said that patients in need are getting the possible health services and treatment is not affected. 

He also said that patient appointments are not affected, and the surgeries are postponed for tomorrow due to the network's disruption. "Patients may experience delays at Central Vermont Medical Center in Berlin and Champlain Valley Physicians Hospital in Plattsburgh, New York, he said. And patients of physician practices at Elizabethtown Community Hospital in Elizabethtown, New York, may experience slight delays," says Dr. Goswami. Earlier, the FBI and other federal agencies had notified that they had probable data confirming an increase in cyberattacks on the healthcare industry in the U.S. 

Cybersecurity experts say that the Ryuk ransomware has attacked at least five hospitals this week and is expected to impact a hundred more. The FBI, however, has not confirmed whether the attack on UVM was caused by ransomware. It is still looking into the issue of a potential cyberattack and local and state agencies. Even Dr. Leffler confirms that he has not been contacted for any ransom to date. UVM Medical Centre had an idea that something wasn't right, and in response, it had closed down its network systems to protect patient information. 

As per Dr. Leffler, no patient information has been leaked, and data is also safe, and that the hospital is looking into the incident. However, it will take some time for the health network to restore and for services to be regular. According to the health department, "Vermonters may continue to get coronavirus testing through Health Department-led clinics, but the results reported through the UVM Medical Center will be affected." Health officials say that no patient data has been compromised, and all records are safe.
Read more »
U.S
Cybersecurity FBI Healthcare U.S

U.S Suffers A Massive Wave Of Cyberattacks In Healthcare Industry, FBI Issues Alert

 

Cybercriminals are attacking the U.S. healthcare systems, destroying the network infrastructures, and stealing critical data. The U.S. federal agencies have issued an alarm that healthcare is in great danger of cyberattacks and intrusions. Hackers have become more active in attacking healthcare networks. The rise in hacking attempts had led to a risk of breach of patient privacy, which is a critical issue during the Covid-19 pandemic, as the cases are at an all-time high. 

The FBI and other agencies in a joint report mentioned that they had verified information about cyberattacks on U.S. healthcare providers and hospitals. The warning also emphasized that few criminal groups are now targetting the healthcare industry to steal critical data and disrupt health care services. The ransomware attacks can scramble data into jargon. Only the security keys that the hacker has can reassemble data. The hacker demands payment in turn for providing the security keys. According to cybersecurity experts, the criminal groups had attacked more than five U.S hospitals until this week, and the figures can go up to a hundred. The election is almost near, and a Russian hacking group attacks the healthcare systems. 

According to the Guardian, "The federal alert was co-authored by the Department of Homeland Security and the Department of Health and Human Services." The attack's motive is not clear, but it seems that it was most likely to be money. Cybersecurity firm Mandiant says that this is the most dangerous cyber threat ever witnessed in the U.S. Another firm, Hold Security, states that it is the first time they have seen a massive cyberattack of such scale in the U.S. 

We should note that the attack's timing before the elections and during the pandemic makes it a severe cyber threat. In the past 18 months, the U.S has experienced a wave of ransomware attacks, with targets like schools, government authorities, and cities. "The cybercriminals launching the attacks use a strain of ransomware known as Ryuk, which is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October," reports the Guardian.
Read more »
FBI
Cybersecurity Energetic Bear FBI

Russian Hackers Infiltrate U.S Government Networks and Steal Data

 

In a recent cybersecurity incident, the U.S. government issued a statement claiming that state-sponsored Russian hackers attacked the U.S. agencies and successfully breached the government networks. CISA (Cybersecurity and Infrastructure Security Agency) and FBI (Federal Bureau of Investigation) issued a joint report regarding the issue, confirm the U.S. government officials. 

"The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets to exfiltrate data. To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities," reports FBI and CISA. 

According to the U.S. agencies, the hacking group is called Energetic Bear (code name used by the cybersecurity industry). The hacking group is also infamous as Koala, Crouching Yeti, Havex, Dragonfly, TeamSpy, Berserk Bear, and TEMP. Isotope. From February 2020, the hackers targeted multiple US SLTT (state, local, territorial, and tribal) government networks. According to the FBI and CISA, the hackers also attacked aviation industry companies. As per the reports, Energetic Bear was able to attack government network infrastructures. By October 2020, it also stole data from two government servers. The attacks mentioned in the current CISA and FBI reports were also mentioned in a previous joint advisory report. In the earlier report, the agencies revealed how the Energetic Bear attacked the U.S. government's networks using Windows bugs and VPN appliances. 

The present joint report links the attacks to the hacking group. It also provides information about the group's tactics and strategies. As per the experts, the Russian hackers used common vulnerabilities to breach the network gears and exfiltrate data. According to Cyberscoop, "IP addresses used in the hacking were previously employed by the TEMP. Isotope group, according to Mandiant. The hackers exploited a recently revealed vulnerability in a protocol that Microsoft uses to authenticate its users. CISA, on Sept. 18, ordered all federal civilian agencies to update their software to address the flaw because of the risk it carried."
Read more »
IOT Security
Cybersecurity Hacking the Internet of Things IoT IoT devices IOT Security

Internet of Things (IoT): Greater Threat for Businesses Reopening Amid COVID-19 Pandemic

 

Businesses have increasingly adopted IoT devices, especially amid the COVID-19 pandemic to keep their operations safe. Over the past year, the number of IoT devices employed by various organizations in their network has risen by a remarkable margin, as per research conducted by Palo Alto Networks' threat intelligence arm, Unit 42. 
 
While looking into the current IoT supply ecosystem, Unit 42 explained the multi exploits and vulnerabilities affecting IoT supply chains. The research also examined potential kinds of motivation for exploiting the IoT supply chain, illustrating how no layer is completely immune to the threat.  

The analysis of the same has been reported during this year's National Cybersecurity Awareness Month (NCSAM), which is encouraging the individual's role in protecting their part of cyberspace and stressing personal accountability and the significance of taking proactive measures to strengthen cybersecurity. 
 
The analysis also noted that supply chain attacks in IoT are of two types – through a piece of hardware modified to bring alterations in a device's performance or from software downloaded in a particular device that has been affected to hide malware. 
 
While highlighting a common breach of ethics, the research mentioned the incorporation of third-party and hardware components without making a list of the components added to the device. The practice makes it hard to find how many products from the same manufacturer are infected when a vulnerability is found on any of the components. Additionally, it also becomes difficult to determine how many devices across various vendors have been affected in general, by the vulnerability.

"The main goals for cyberespionage campaigns are maintaining long-term access to confidential information and to affected systems without being detected. The wide range of IoT devices, the access they have, the size of the user base, and the presence of trusted certificates make supply chain vendors attractive targets to advanced persistent threat (APT) groups..." the report stated. 
 
"In 2018, Operation ShadowHammer revealed that legitimate ASUS security certificates (such as “ASUSTeK Computer Inc.”) were abused by attackers and signed trojanized softwares, which misled targeted victims to install backdoors in their system and download additional malicious payloads onto their machines." 
 
While putting things in a cybercrime perspective, the report noted - "The potential access and impact of compromising a large number of IoT devices also make IoT vendors and unprotected devices popular choices for financially motivated cybercriminals. A NICTER report in 2019 shows close to 48% of dark web threats detected are IoT related. Also in 2019, Trend Micro researchers looked into cybercriminals in Russian-, Portuguese-, English-, Arabic-, and Spanish-speaking marketplaces and discovered various illicit services and products that are actively exploiting IoT devices." 
 
The report stressed the need to "enlist" all the devices connected to a certain network as it will help in identifying devices and their manufacturers, enabling administrators to patch, monitor, or even disconnect the devices when needed. There are instances when all the vulnerable devices are unknown in the absence of a complete list, therefore it is imperative to have complete visibility of the list of all the connected devices in order to defend your infrastructure. 
Read more »
Subscribe to: Posts (Atom)