
Declaring War Against Cyber Negligence

Amidst perhaps the most widespread and impactful cyberattack in history, American businesses and government agencies alike must take a drastically different approach to cybersecurity. Unfortunately, many cybersecurity professionals have become complacent and have become far too dependent on a handful of well-marketed tools designed for yesterday’s threats that underperform against modern attacks.

It is far easier for cybersecurity vendors to deliver services from their own cloud. It may be less expensive for the vendor, but relying on a “trusted third party” for your security is a foundational vulnerability that has repeatedly proven disastrous for the customer.

We are currently in a state of cyber-warfare. Nation-states regularly use their practically limitless resources and technical sophistication to overpower companies and government agencies. Cybersecurity professionals need to shift their focus from “indicators of compromise” to data protection, which limits how widespread the impact of these attacks can be.

Most cloud providers claim they alone provide the “best cloud protection” and boast of billions spent on beefing up the many layers surrounding their server farms to reassure their clients that “everything will be alright.” But will it?

Vulnerabilities in security vendors’ own products will likely continue far into the future. While much of the industry has moved towards promoting “zero-trust” infrastructures, vendors often forget to remove themselves from the client’s circle of trust. Instead, everyone from individuals to multinationals should take security into their own hands. Firewalls, antivirus, and network monitoring tools still have their place, but a shift is needed towards more independence between the owner of data and its protectors.

Active Cypher, a California-based cybersecurity startup led by former Microsoft, Cisco and U.S. intelligence veterans with decades of experience protecting (and at times stealing) data, has led the charge against what it calls “cyber-negligence”.

“IT organizations need to stay nimble, test and adopt new approaches quickly, and don’t be afraid to throw out solutions that were simply inherited,” says Active Cypher’s CEO, Mike Quinn.

Active Cypher has pioneered a unique, independent security infrastructure that provides its clients with automated tools, proprietary cryptography, and advanced anti-ransomware sensors to control their data with the utmost precision. Yet unlike the numerous SaaS applications which plague the market and create undue “man-in-the-middle” vulnerabilities, Active Cypher deploys and operates its software directly within the client’s tenant. Cryptographic keys, the soft underbelly of security, are held not by Active Cypher, which knows well it may be a target of state actors and cybercriminals, but by the client alone. Once deployed, the security solution runs on its own without contact with any third-party home base.

While the solution Active Cypher provides is certainly not an end-all, it gives a much-needed last line of defence against increasingly menacing (and successful) threats. “We believe cybersecurity is a human right. Something that is sacrosanct and should be upheld with the highest degree. Yet, too many executives still see it as just another budget line within often ballooning IT budgets without considering what kind of impact a security breach will have on their brand, and ultimately their revenue,” explains Mike Quinn.

Based in Newport Beach, California, with partners and operations across the US and in Western Europe, Active Cypher and the rest of its industry saw an uptick in business when Covid-19 forced companies to rapidly extend their security frontier to their employees’ homes.

“It has become increasingly clear that the focus for cybersecurity needs to be on data protection. Once the perimeter is breached, and it will be, there’s nothing to stop them. We’ve built great systems to observe and record cyber theft in action but little to defend the data inside,” says Devin Jones, Active Cypher’s new Chief Product Officer and a veteran of Cisco, Juniper Networks, and a variety of cyber-startups.

Active Cypher found that many major companies had relegated the management of vital security infrastructure to the “back office” of IT but often hadn’t evolved or updated systems, such as the ubiquitous Active Directory, in years. The result was a growing technical mess that left gaping holes in security. Active Cypher also encountered a level of defeatism: one company declined to expand and solidify its cybersecurity posture, choosing instead to keep paying ransomware demands at an astounding cost of $1 million per month. In this firm’s view, it was easier to keep paying and thereby avoid the risk of negative press surrounding disclosure of data breaches.

“But thankfully, not all companies have been so lethargic. We are thrilled to be working with a variety of innovating clients ranging from state agencies, healthcare providers, and sports teams who understand that the success of their future protection should be in their own hands. Active Cypher provides them with the tools to own their own destiny,” says Devin Jones.

As IT organizations across the nation take time over the next few weeks to uncover the extent of their firm’s exposure to recent and still unfolding cyberattacks, one can only hope they do not simply install a short-lived patch but take a leap towards a zero-trust, zero-vendor-contact future; only then can cyber-negligence finally be tackled.

TruKno TTP based Threat Intelligence Platform

TruKno’s ThreatBoard is a platform that helps security professionals uncover the root causes behind emerging cyber-attacks, improving proactive defense postures.

TTP Based Threat Intelligence

TruKno, a community-based threat intelligence platform uncovering the root causes behind the latest cyber-attacks, is set to release its open-access beta on December 22nd.

Every second a new attack in cyberspace takes place; according to a report by Acronis, 32% of all major companies are attacked at least once a day. Unless the outcome of an attack is notable (like the FireEye breach), reports of these attacks often get buried in the never-ending flow of new cyber information. In the hands of the right people, these reports often contain valuable intelligence on the Tactics, Techniques, and Procedures (TTPs) used by adversaries. This knowledge can help cyber defenders better assess risk and take proactive measures to prevent the same attack techniques from being effective against their organization. It can also give valuable insight into where to direct resources for a more effective defense posture.

Hunt Smarter, not Harder.

Traditionally, uncovering root causes and criteria behind emerging cyber attacks is done in one of two ways:

    1. Manually scrolling through vendor blogs, government reports, and news outlets to find long-winded reports of cyber-attacks (tedious and time-intensive)

    2. Getting hand-curated, confidential reports from your threat intelligence team (requires multiple employees dedicated full-time to threat analysis)

The thing is, cyber security professionals rarely have time to do the manual sourcing, and even if they did, there is no certainty they would find the one attack report that is relevant to their situation. Additionally, threat intelligence analysts are in high demand and low supply, so they are reserved for only the most mature security operations.

TruKno’s AI engine ensures with a high level of confidence that no breach, campaign, or attack report goes unnoticed. It actively keeps a pulse on the industry’s leading intelligence sources, identifying critical reports in real time. TruKno’s analyst team then manually analyses these reports, identifying affected industries, technologies, actors, malware, and more. Most importantly, TruKno analyses these cyber-attacks through the lens of the MITRE ATT&CK Framework, which offers a universal lexicon and database of observed threat techniques.

TruKno wants to make TTP-based threat intelligence the foundation of any organization’s (or individual’s) security posture.

E Hacking News had a discussion with TruKno’s founding team, Manish Kapoor (Founder & CEO), Ebrahim Saed (Co-Founder & CTO), and Noah Binstock (Co-Founder & COO), in which we talked about the importance of TTP-based security and their upcoming beta release on the 22nd.

Manish Kapoor discussed the origins of TruKno:

“TruKno was founded with the mission of arming security professionals with the information they need to keep us safe. The name itself is a translation of Gyaan, or True Knowledge. It is the clarity that comes from knowing the right information, at the right time.”

Before founding TruKno, Manish spent 10 years helping the world’s largest service providers better understand the evolving threat landscape in order to build better cybersecurity solutions for their customers.

“My job required me to always be up to date with the latest emerging attacks, but there was no way for me, as a busy professional, to quickly and accurately stay up to date with new adversarial techniques and procedures. I knew there had to be a better solution than scrolling through hundreds of articles a day.”

Manish commented on the ‘gray space’ between advanced intelligence tools reserved for analysts at mature security organizations and the tools available to the cyber security community as a whole.

“There are a lot of incredible intelligence tools out there. The issue is, they are reserved for a very select group within the industry due to price point and complexity. Cyber security is a team sport, and a winning team is built up of individuals. There is a need for universal tools that can benefit all security stakeholders.”

Noah Binstock, Head of Operations at TruKno, also commented on their mission and the power of accessible intelligence.

“Informed decision making starts with having a full understanding of the subject matter; this is true no matter what industry you are in. People are at the core of cybersecurity, and it is our mission to arm them with the tools they need to make the best decisions on behalf of us all.”

TruKno built its foundation off of the MITRE ATT&CK Matrix, a globally accessible knowledge base of adversary tactics and techniques based on real-world observation.

“We are seeing MITRE ATT&CK become a staple in many security organizations, and we align very closely with their mission of empowering the cyber community as a whole. We use the ATT&CK Framework to offer a common lexicon for all defenders.”

Ebrahim Saed, the CTO of TruKno, is at the core of TruKno’s technical capabilities, which allow TruKno users to access a vast database of cyber intelligence with no load time on the user end. He commented on the importance of responsive and user-friendly interfaces when it comes to intelligence.

“Gathering the intelligence is one thing. The real differentiator is making this critical intelligence instantly available, all at the users’ fingertips.”

Ebrahim is currently developing a mobile application for TruKno as well, enabling users to access real-world intelligence anywhere, anytime.

The Product:

Since its founding in October 2018, TruKno has interviewed over 500 cybersecurity professionals, from threat analysts to CISOs, working in close collaboration with the cybersecurity community during product development. Here is what they are unveiling:

CyberFeed: 

TruKno’s CyberFeed is a free, customizable cybersecurity news manager that helps the community easily access and organize the industry’s top intelligence and news channels. Access key articles while avoiding information overload.

ThreatBoard: 

TruKno’s threat intelligence platform, ThreatBoard, uses an AI engine to identify cyber-attacks as they are first reported on the web. They are then broken down by TruKno’s analyst team, which extracts and curates key information: affected industries, technologies, actors, malware, and more. Additionally, the techniques behind these latest breaches are documented and mapped to MITRE’s ATT&CK Framework, enabling users to identify potential risks to their organization based on real-world observations.

Upcoming Features: 

    • TruKno has already developed team collaboration functionality, enabling users to securely collaborate on intelligence from ThreatBoard with their teams. They are waiting for key user feedback before they release team collaboration (TeamBoards).

    • CyberFeed is currently being developed to allow users to upload their own source URLs, social media intelligence feeds and more. Sharing functions will also be enabled to let the security community easily share valuable resources.

    • TruKno is actively finding new ways to present the data extracted from these reports and is currently improving interoperability between ThreatBoard analysis and the MITRE Organization’s ATT&CK Framework.

    • TruKno’s AI effort, led by Dr. Rob Guinness, is constantly improving, automating more and more of the analysis and thereby producing more insights.

    • The team is currently working with key industry stakeholders to enable API integration with TruKno’s intelligence data, enabling more actionable intelligence for security teams.

Hunt Smarter, Not Harder

In short, TruKno’s goal is to help the cyber security community get the intelligence it needs to help keep us safe. TTP-based threat intelligence is a valuable lens for all security professionals, and they hope that their tools can help make it a community staple.

The TruKno open beta is live at www.TruKno.com

Russian expert warned about the dangers of password theft during video conferencing

Anton Kardanov, head of the information security sector at AT Consulting, warned that motion recognition systems can be used by cybercriminals to steal users’ personal data during video conferences. According to him, a special algorithm can read the movement of hands over the keyboard if they fall into the camera’s field of view, which poses risks to the user’s privacy.

“The artificial intelligence (AI) algorithm with high precision can restore the typed text if the video shows the movement of the arms and shoulders,” said Mr. Kardanov.

It is reported that the program first removes the background and converts the image to grayscale, and then focuses on the hands; as a result, the algorithm keeps only the contours of the hands and shoulders and tracks their movements. These movements are then used to reconstruct the text typed on the keyboard.

Thus, an attacker can recognize passwords, passport data, bank card numbers, and other information that the user types on the keyboard during a video call.

Meanwhile, Maxim Smirnov, commercial director of IVA Technologies, believes that visual recognition of hand movements and, in particular, of text typed on the keyboard is quite realistic, but developers will have to work hard on the quality and accuracy of the technology, which is not an easy task.

"Remote work and video conferences are our new reality, as well as new opportunities for fraudsters and new threats to users", said Sergey Zabula, head of the group of system engineers for working with partners, Check Point Software Technologies in Russia.

Earlier, Group-IB also reported possible attacks using motion recognition technology. According to the company, you can protect yourself from scammers by hiding important information from the camera's field of view.

Security Experts gave tips on how to protect online conferences from hackers

Video conferencing services attracted the attention of hackers because they gained huge popularity during the coronavirus pandemic. 

On Thursday, attackers disrupted a court hearing in the case of a Florida teenager accused of organizing the hijacking of a number of Twitter accounts. The hearing was held via the Zoom video conference service. The attackers disguised their names as CNN and the BBC and gained access to the conference, after which they began broadcasting pornographic videos and swearing. After that, the court session was postponed.

According to Artem Gavrichenkov, technical director of Qrator Labs, the phenomenon of Zoom-bombing, in which attackers identify vulnerable conferences and join them for espionage or hooliganism, emerged in April, and by May-June it had become widespread.

“To limit the access of attackers to sensitive content, all conferences should be password protected, and this password should be provided only to a limited number of people,” advised Gavrichenkov.

Denis Gavrilov, a consultant at the information security center of Jet Infosystems, also recommends setting up a “waiting room” if the platform offers one; this prevents users from joining the conference without the organizer’s approval.

Kaspersky Lab cybersecurity expert Dmitry Galov noted that the program for a computer should be downloaded only from the official website, and for a smartphone only from official app stores.

“As our experts found out, in the spring of this year, the number of malicious files whose names contain references to popular services for online conferences (Webex, Zoom, etc.) has almost tripled compared to last year,” he said.

Anastasia Barinova, deputy head of Group-IB, advises using Zoom alternatives instead. “To minimize the risks, I would recommend considering Zoom alternatives: Google Meet, GoToMeeting, or Cisco’s WebEx service,” she advised.

Earlier E Hacking News reported that Russia will develop a similar Zoom platform for video communication by the beginning of the new school year.


Amazon Transcribe Can Automatically Shroud the User's Personal Information from Call Transcripts?


Amazon Transcribe, the AWS-based speech-to-text service, recently added a significant new feature which, if it works as intended, can automatically shroud a user’s personal information in call transcripts.

This new feature allows Transcribe to automatically recognize data such as a Social Security number, credit card number, bank account number, name, email address, phone number or mailing address and redact it. The tool replaces this data with ‘[PII]’ in the transcript.

There are, of course, other tools that can remove PII from existing documents. Typically these are data loss prevention tools intended to keep information from leaking out of the organization when records and documents are shared with outsiders. With Transcribe’s feature, some of this information will never be available for sharing in the first place (unless a copy of the audio is retained).

One of the most common use cases for Transcribe is to make a record of customer calls. By default, such a record includes any information exchanged on the call, such as the user’s name, address or a credit card number. Some call centres stop the recording when the user is about to read out a credit card number, for instance, but that is not always the case.

Transcribe currently supports 31 languages in total, six of which it can transcribe in real time for subtitling and other use cases.
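To make the redaction idea concrete, here is a small added example (not Amazon’s code; Transcribe’s own detectors are part of the service and are not exposed) that applies the same transformation to a finished transcript: it finds the PII classes the post names and replaces each with the literal ‘[PII]’. The regular expressions and the sample transcript are constructed for this example. The one practitioner detail worth seeing is that a 13–19 digit run is only treated as a card number if it passes the Luhn checksum, so order numbers and similar identifiers are not wrongly blanked out of the record.

```python
import re

# Constructed detectors for the PII classes named in the post. These are
# illustrative patterns for US-style formats, not Transcribe's models.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\b(?:\+?1[ -.]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

REDACTED = "[PII]"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers.

    A random run of digits passes only one time in ten, so this check
    filters most false positives from the card pattern.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_card(match: "re.Match[str]") -> str:
    """Replace a digit run only when it is a plausible card number."""
    digits = re.sub(r"\D", "", match.group(0))
    return REDACTED if luhn_valid(digits) else match.group(0)


def redact_pii(text: str) -> str:
    """Return the transcript with recognised PII replaced by '[PII]'.

    Order matters: SSNs and card numbers are handled before the looser
    phone pattern so that a fragment of a longer number is not mistaken
    for a phone number.
    """
    text = SSN_RE.sub(REDACTED, text)
    text = EMAIL_RE.sub(REDACTED, text)
    text = CARD_RE.sub(_redact_card, text)
    text = PHONE_RE.sub(REDACTED, text)
    return text


# Constructed sample transcript of a customer call (all values are test data).
SAMPLE_TRANSCRIPT = (
    "Agent: Can I have your card number? "
    "Customer: Sure, it is 4111 1111 1111 1111 and my email is jane@example.com. "
    "Call me at 555-867-5309. The order number is 1234567890123."
)

if __name__ == "__main__":
    print(redact_pii(SAMPLE_TRANSCRIPT))
```

Running the block on the sample prints the transcript with the card number, e-mail and phone number replaced by ‘[PII]’, while the 13-digit order number (which fails the Luhn check) is left intact. Note that, as the post says of Transcribe itself, redaction only protects the text; if the audio is kept, the original data still exists.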

Moscow metro launched a new secure Wi-Fi network


MaximaTelecom has launched a closed network in the Moscow metro, which will be free for users who agree to watch ads. Most likely, the company, which has operated in the metro for seven years, decided to do so after the scandal over its data leak.

It should be noted that MaximaTelecom is a Russian telecommunications company engaged in the development and commercialization of public wireless networks since 2004, and the operator of Europe’s largest public Wi-Fi network.

MaximaTelecom has begun open testing of the closed Wi-Fi network in the metro using Hotspot 2.0 technology. Since January 2019, testing of this network had been available only to employees of the company.

According to Boris Volpe, MaximaTelecom CEO, Wi-Fi in the Moscow metro will become the largest secure public network in Europe after the introduction of Hotspot 2.0 technologies. Open testing of the technology will take three months.

According to a company representative, this network has protection against automatic connection to phishing access points. In addition, Hotspot 2.0 technology includes encryption of the radio link, so the user is protected from traffic interception between the access point and the client device.

It is interesting to note that the launch of the new network could be a delayed reaction by the company to the scandal over the leak of user data. Recall that in April the programmer Vladimir Serov reported a major vulnerability in MaximaTelecom’s Wi-Fi. According to him, it allowed attackers to obtain the phone numbers of all connected passengers, as well as unencrypted data about users, such as phone number, gender and age.

MaximaTelecom acknowledged the existence of the vulnerability and reported that it was promptly closed by turning off the option to store data on the movement of users between stations. Roskomnadzor sent a request to find out the details, but no violations of users’ rights were recorded.

"With the development of LTE services by mobile operators, the need for Wi-Fi services in the subway, encrypted or not, is reduced," commented MForum expert Alexei Boyko.

Earlier E Hacking News reported that it was found out that Tele2 is monitoring subscribers using a dangerous script. The company gets access to the data due to the mass implementation of scripts via CDN.

Ransomware Attack Leaves Johannesburg without Power

A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city’s computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware encrypted all their databases, applications and networks, all of which are being rebuilt by their ICT department.

They further said that customers may not be able to access their website and may not be able to purchase electricity units until the issue has been resolved by the ICT department.

As the website remained offline, affected customers resorted to social media to report the problems occurring with their electricity supply.

The type of ransomware used in the attack is still unknown; however, its scale gives a measure of the attack’s severity. Besides preventing customers from buying pre-paid electricity, it also hampered City Power’s attempts to respond to localized blackouts.

Commenting on the matter, a spokesman for City Power said of the people affected, “These are the people on the pre-paid system[s] and would at any given day buy electricity.”

“Those people were not able to access the system,” he added.

The Cyber Attack Response Center opened in Nizhny Novgorod


In the Russian city of Nizhny Novgorod the largest regional Cyber Attack Response Center has been opened. The Center was established by Rostelecom-Solar, a subsidiary of Rostelecom, which operates the systems supporting the public services portal and biometric identification in banks.

Solar JSOC centers are already operating in other Russian cities such as Moscow, Samara and Khabarovsk. These divisions protect more than 110 of the largest Russian organizations from hacker attacks. Federal agencies, regional administrations, financial organizations and energy companies turn to Rostelecom-Solar for information security.

The center in Nizhny Novgorod has become the largest regional center for monitoring and responding to cyber attacks. It employs more than 70 information security professionals and will be responsible for the security of all regional clients around the clock. The average response time for containing a cyber attack is 30 minutes.

“This is a serious team of highly qualified experts in information security, able to provide customers with full protection against cyber threats,” said Igor Lyapunov, Vice President of Rostelecom for information security and General Director of Rostelecom-Solar.

All this work is impossible without qualified personnel. This was one of the reasons why Nizhny Novgorod was chosen for the Solar JSOC: the city has a number of universities that train IT specialists.

According to Igor Nosov, Deputy Governor of the Nizhny Novgorod Region, the region today ranks third in Russia in terms of the number of IT professionals. “We are proud of our IT companies. Today, about 700 such companies operate in the region, including the world’s leading companies. And the fact that we are leaders in the IT sphere makes the problem of information security even more urgent for us.”

It is planned that the regional center will work closely with universities and run internship and employment programs. Every year, more than 70 graduates and senior students take part in the Solar JSOC internship program, and about 30 of them receive a job offer.

It is worth noting that cyber attacks are now among the top five largest and most serious challenges facing Russia. Moreover, hacker targets are changing: previously the aim was to seize cash, whereas now hackers seek to gain control over the management of information systems. E Hacking News recently reported on a DDoS attack during the Presidential Direct Line.

Chinese Hackers Attacked Eight Major Technology Service Providers

Eight of the largest technology service providers were attacked by hackers working for China’s Ministry of State Security, who attempted to access sensitive commercial information and secrets belonging to the providers’ clients across the world.

In December last year, a vicious operation was outlined in formal charges filed in the U.S.; it was designed to illegally access Western intellectual property with the motive of furthering China’s economic interests.

According to the findings of Reuters, the list of compromised technology service providers includes Tata Consultancy Services, Dimension Data, Hewlett Packard Enterprise, Computer Sciences Corporation, HPE’s spun-off services arm DXC Technology, IBM, Fujitsu and NTT Data.

Furthermore, various clients of the service providers, such as Ericsson, also fell prey to the attack.

However, IBM previously stated that it has no evidence of any secret commercial information being compromised in any of these attacks.

According to statements given by HPE, it worked diligently for its “customers to mitigate this attack and protect their information.” Meanwhile, DXC said that it had “robust security measures in place” to keep its clients secure.

Commenting on the matter and denying the accusations and any involvement in the attacks, the Chinese government said, “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets.”

“While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” an Ericsson spokesperson said, adding that the company does not comment on specific cybersecurity matters.

A new type of fraud was discovered in WhatsApp


The Russian publication CNews reported that ESET experts have warned users of the WhatsApp messenger about a new type of fraud.

Users have begun to receive a message with a special offer on the occasion of the messenger’s tenth anniversary. The attackers promise 1 TB of free Internet traffic, which, moreover, can be used without Wi-Fi.

Users must follow a few simple steps to get this huge amount of free traffic: follow a special link, answer a number of questions, and send the same survey to 30 of their contacts.

ESET experts believe that the ultimate goal of the attackers is to distribute intrusive advertising without users’ consent. It turned out that this scheme really works: users who want to get the gift are playing into the scammers’ hands.

Analysts at the anti-virus company conducted an investigation, during which they managed to find the cybercriminals’ site, which has been used for several phishing campaigns. Phishing is a type of fraud aimed at obtaining users’ personal data. The fraudsters launched more than 66 phishing services from the same domain. All the fake promotions were sent to subscribers under the guise of well-known brands such as Adidas and Rolex.

An interesting fact is that the scammers have already used such schemes to deceive WhatsApp users. In early May, it became known that victims received a message offering a premium account on the Spotify service. The attached link led to a phishing site resembling the official portal of the music platform.

It should be noted that WhatsApp has posted a notice on its website announcing that it will sue the organizers of mass mailings starting from December 7, 2019. WhatsApp also prohibits the use of the application for non-personal purposes. The messenger warns that it will collect evidence of illegal activity not only on its own platform, and that technical means will be used in the fight against violators.

The Ministry of Internal Affairs of the Russian Federation to create a portal for complaints against hackers


In Russia, a special resource will be created to improve the fight against hackers. Citizens who have either suffered from hackers or simply noticed some violation will be able to report it themselves.

The concept of the service is to collect information on cybercrime from citizens and legal entities, as well as government agencies, and accumulate it in one system. The resource will continuously and automatically collect data about threats.

It will be possible to report violations by phone, e-mail, messenger, SMS and social networks. The resource’s database will also be fed by systems that already exist in Russia, for example the Unified Biometric System and the Public Services Portal.

Citizens and government agencies will be able to use the service for free. Today in Russia there is no single place for collecting information about cybercrime to which all interested citizens have access.

The system is being created by the Russian organization Data Economy. The organization was set up to provide services for the development of the digital economy in Russia and to support socially significant projects and initiatives. Its founders are the Russian Government, ASI, Russian Post, Sberbank, and a number of telecommunications and IT companies.

However, an employee of one of the IT companies said that the effectiveness of this system is highly questionable, as the data from the public resource will very soon be in the hands of attackers and will only help them quickly modify their attacks to go unnoticed.

It is interesting to note that the concept of a single portal was approved by the organization Data Economy and sent to the Cabinet of Ministers for approval. The total financing of the national project over the next six years is more than 1.5 trillion rubles.

According to Russians, Assange is a freedom fighter and an altruist


According to a survey by the Russian Public Opinion Research Center, the majority of Russians believe that the founder of WikiLeaks Julian Assange is a freedom fighter and an altruist.

According to 45% of Russians, Assange promotes the principles of freedom of speech and freedom of the media, publishing secret materials. In addition, 40% of survey participants believe that Assange acted in the interests of the world community.

Most Russians believe that “Assange wanted to open the eyes of the world community to cases of corruption, crimes, scandals in different countries."

However, a quarter (27%) of those surveyed believe that Assange violated the law with his publications. According to 17% of Russians, Assange sought to take revenge on his enemies and attract attention.

The survey was conducted on April 13, 2019, among 1600 Russians over 18 years old. The survey method was a telephone interview.

It should be remembered that on April 11 a British court found Assange guilty of violating his bail conditions. The journalist was arrested at the Embassy of Ecuador in London, where he had asked for political asylum in 2012. He never left the diplomatic mission building for fear of arrest and extradition to the United States, where he is accused of publishing secret documents of the State Department.

Hackers from Fancy Bear were accused of attacking the Ministry of Defense of Spain

The authoritative Spanish online publication Español, citing anonymous sources, reported on April 12 that Russian hackers from Fancy Bear were responsible for the attacks on the Spanish Ministry of Defense at the beginning of the year.

Investigators reached this conclusion after analyzing the attackers' methods: the hackers used the same scheme as in the 2016 hack of the US Democratic Party's servers, after which the group became known worldwide.

It is noted that the virus was introduced through external e-mail in order to gain access to the "technological secrets of the military industry."

According to experts, the Defense Department's computers were under the complete control of the hackers for three months. Only in March did it become known that the computer network of the Ministry of Defense of Spain had been hacked using a virus.

It should be noted that foreign politicians and journalists associate the hacker group Fancy Bear with the Russian authorities and believe that the cybercriminals' purpose is "to undermine democracy." However, the connection of Fancy Bear with the authorities or intelligence services of Russia has not been proven. This statement is based solely on speculation and assumptions.

US intelligence warns of Russian cyber attacks to interfere in the Ukrainian elections


Moscow's plans to influence the results of the presidential election in Ukraine have long been known. In recent years, Western countries have developed a new tradition of accusing Russia of such interference.

The National Intelligence Agency of the USA believes that Russia will use cyber technology to interfere in the presidential election in Ukraine on March 31. This was stated by the Head of the National Intelligence Agency, Dan Coats, at hearings of the US Senate Intelligence Committee.

Dan Coats also said that hackers from Russia may carry out attacks during the upcoming US elections in 2020.

It is known that the United States is ready to protect Ukraine from Russian interference in the elections, as declared by President Donald Trump's national security advisor, John Bolton, during a visit to Kiev, the capital of Ukraine, in August last year.

In turn, the Head of the Foreign Intelligence Service of Ukraine, Egor Bozhok, recently said that the Russian special services received $350 million to interfere in the Ukrainian elections.

"The Kremlin will definitely try to interfere in the elections in Ukraine because Russia used to do this with the United States and African countries," said the Head of the Security Service of Ukraine, Vasily Gritsak.

The Security Service of Ukraine, the National Police and the Prosecutor General's Office are ready to resist Russian interference and know where Moscow may strike. Moscow is most actively trying to mount an information attack on Ukraine through TV screens. In addition, Russia uses information propaganda and cyber provocations, financially supports candidates, and will try to capture polling stations.

Apple's Delayed Response on FaceTime Flaw Has Put Its Commitment to Security into Question


On the 19th of January, an Arizona-based teenager, Grant Thompson, discovered an unusual bug while using Apple's FaceTime that allowed eavesdropping on the person being called. Thompson noticed it when he was able to hear a friend he had called before the call was even answered.

Immediately afterwards, Grant's mother, Michele Thompson, attempted to inform Apple of the flaw, which put the privacy of millions of iOS users at risk, by sending a video of it. When her warning drew no response from the company, she resorted to other channels of communication, such as e-mail, fax and Twitter. She even tried to contact Apple's security department via Facebook.

Only on Friday was Ms. Thompson's warning taken up: Apple's product security team encouraged her to create a developer account and then file a formal bug report.

On Monday, acknowledging the flaw, Apple said it had “identified a fix that will be released in a software update later this week.” However, the company left unaddressed the question of how the flaw passed through quality assurance and why it took so long to respond to Ms. Thompson's warnings.

Apple disabled Group FaceTime and said a fix was in progress, but it is worth noting that the company only hurried to act when a different developer brought the issue to its attention after it had been covered in an article that went viral.

Because Apple is known for its unassailable security and continuously advertises its bug reward program, the delay in its response and in the preventive measures it took has called its commitment to safety and security into question.

Insisting on their commitment to safety, the company’s chief executive, Tim Cook tweeted, “we all must insist on action and reform for vital privacy protections.”

How the flaw works

Security flaws that allow such remote access and are so simple to execute are highly rare. After adding a second individual to a Group FaceTime call, one could access the audio and video of the person originally called without that person ever answering the call.

As Patrick Wardle, co-founder of Digita Security, put it: “If these kinds of bugs are slipping through, you have to wonder if there are other problematic bugs that other hackers are exploiting that should have been caught.”



Students Hack Student Information System; Change Attendance, Grades, and Lunch Balance Data


Two students at Bloomfield Hills High School are the main suspects in a hack of the school's Student Information System, called MISTAR. The students are believed to have changed the grades, attendance records and lunch balances of about twenty students as well as their own.

The hack was discovered when an employee logged into his account and noticed an error, after which the school investigated the issue and learned about the attack.

The students are suspected to have exploited a now-resolved vulnerability in the school systems to gain access.

“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”

The school has announced that it will be resetting all Parent Portal passwords on Monday, May 21, 2018, which will then require all parents/guardians to reset their individual password upon returning to the system.

While the investigation is ongoing and the school is still reviewing its digital security, it has said that, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”

“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.


In a YouTube video, Bloomfield Hills High School superintendent Robert Glass said that the punishment for the culprits of the attack is likely to be severe.

“Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications,” he said. “Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law.”

The school has also established a support hotline, aside from their FAQ page, where parents can reach out to learn more or have their questions about the hack answered.

Pavel Durov says Telegram is not closing its service in Russia and Iran


Just a few days ago, Russian and other media reported that Telegram CEO Pavel Durov was ready to close his business in Russia or Iran. However, Durov said on his VKontakte (VK) account that this information is incorrect.

In the VK post he said that Telegram will continue to provide a secure messaging service in problem markets like Russia and Iran, despite pressure from regulators and the threat of blocking. The media, however, came up with headlines such as "Durov announced his readiness to close Telegram" and "Durov threatened to close Telegram in Russia". Durov noted that some Russian media, such as Meduza, Vedomosti and DP.ru, had reported the information correctly.

"Russian media often quote inaccurate translations of what I publish on Twitter and my channel," Durov said on VK.

Recently, Iran opened a criminal case against the Telegram CEO, stating that Telegram is being used by pedophiles to distribute child pornography.

"I am surprised to hear that. We are actively blocking terrorist and pornographic content in Iran. I think the real reasons are different," Durov responded to the accusation on his Twitter account.

Recall that just a few weeks ago the Russian Federation threatened to block Telegram and reported that this encrypted messenger was actively used by Islamic radicals while preparing the bombing in the Saint Petersburg subway. The head of the Ministry of Communications and Mass Media said: "Telegram will be blocked if it does not work in accordance with current Russian legislation."

Durov hopes that the legal situation in the Russian Federation and Iran will change in future.

- Christina


Telegram founder agrees to register in Russia but won't share user data



Telegram's founder Pavel Durov has agreed to register the company in Russia after pressure from the local authorities.

A few days ago, the Russian communications regulator Roskomnadzor demanded that Telegram provide information about the messaging app and company details. The authorities also said the encrypted messaging app is being used by terrorists to plan attacks.

The authorities asked for access to decrypt messages in order to catch terrorists, and threatened to ban Telegram if the company failed to comply.

At first, Durov did not agree to the demands. Now he has agreed to register the company with the Russian government.

"If Telegram is banned in Russia, it will not be because we refused to provide details about our company," Durov said on the social network VK.

Roman Jelud, a professor at Voronezh State University, told Regnum that the news about a "Telegram ban" is itself a PR stunt that will only help Telegram gain more users. A few days earlier, Roman had already said that Durov was using the situation for PR and would eventually agree to provide the five required points of information.

Though Durov says that they are only registering the company in Russia and will not share users' secret data with the government, it will be hard to know whether this is true.

Russia's is not the only government interested in the Telegram messenger. Last week, Durov stated that US federal officers want to add a backdoor to the app.

- Christina

ATM malware attacks are on the rise

In the past few months, ATM hacking has become more prevalent.

Some time ago three ATMs were attacked in India; the hackers were found to have used the malware "GREENDISPENSER".


In this article we will look at methods of hacking ATMs. Artur Garipov, Senior Research Specialist at Positive Technologies, helped us understand how such hacks work and explained the different methodologies.

For example, a very famous virus is Tyupkin (PadPin), which steals card information. Sometimes attackers set up fake ATMs, skimmers (devices that take a "snapshot" dump of your credit card) and so on. But that is a topic for another article.

In our opinion (EHN), ATM malware continues to evolve. For example, the new malware GreenDispenser is a new breed of ATM hacking: it gives an attacker the ability to walk up to an infected ATM and drain its cash vault.

When installed, GreenDispenser may display an "out of service" message on the ATM, but the attackers can still drain the ATM's cash vault and then erase GreenDispenser, leaving no information about how the ATM was robbed.

GreenDispenser is similar in functionality to PadPin but has some unique features, such as date-limited operation and a form of two-factor authentication.

We believe that we are seeing the dawn of a new criminal industry targeting ATMs!

Artur commented that there are two types of ATM hacking: 1) remote access and 2) physical access.

With physical access, attackers can simply steal the whole ATM, loading it onto a truck, hooking it to a car and so on. In this case they steal the entire machine in order to cut it open in a safe place.

We must understand that an ATM consists of two parts hidden by a cover. The upper part is called the service area. It holds a simple computer and the working devices: card reader, fiscal registrar and so on. This is the brain that controls the ATM.

The lower part is the safe with the money. It contains cassettes holding notes of different denominations. The buzzing you hear when withdrawing cash is the dispenser preparing the required notes of different values from the cassettes.

There are also more technology-based ways of hacking, and they are simple. You only need to open the service area, which can be done with a lock pick or a special service key; sometimes you need only push hard on the ATM's metal hatch cover.

The dispenser is then disconnected from the ATM's computer and connected to a computer the attacker has prepared, which commands it to dispense all the banknotes. That is all that is needed; the attacker can leave the crime scene with all the cash.

There are also cases where the attacker had access to the bank's internal network and, through it, infected the ATM equipment or took remote control of it. With the help of this software he was able to give the dispenser the same command to dispense all the cash.

Interview with the researcher Artur Garipov on ATM hacking:


What are the methods used by attackers to infect an ATM with GreenDispenser?

I cannot give an exact answer to that question; it would be necessary to look at the GreenDispenser code in detail.

Methods for infecting an ATM vary. It can be as simple as installation together with regular software, with the ATM temporarily disconnected from the network for the purpose of infection.

For a more detailed answer it is necessary to understand how the ATM interacts with the processing center, and what the system of control and administration of these devices is. Most often, these solutions are vendor-dependent and differ not only between banks but also between ATMs.

a. Consider the interaction between the ATM and the processing center. Most often it goes through an Internet provider, inside a VPN tunnel. Breaking the tunnel is very problematic, and faking a processing center is not easy either. But very often there is an opportunity to turn off the VPN, be on the same network as the ATM, and then attack some ATM service in a way that leads to RCE (remote code execution). On the other hand, attackers can attack the processing center itself and make changes to the update system. In some cases the ATM system is updated remotely, through an update server; sometimes it is a local installation.

b. But most often the installation of malware occurs locally.

An attacker just opens the service area of the ATM. At its core, inside is a regular computer with ATM peripherals attached. Next, he can install the Trojan locally.

Special people are hired for such purposes. Announcements of such tasks can be found on the darknet or on specific forums.

The new version of the Ploutus malware, "Ploutus-D", targets ATMs using KAL's Kalignite platform. What other recent and popular platforms are targeted by malware?

I have not had to work with this system (Kalignite); perhaps there are some specifics here. Malware, in general, attacks the security of the operating system, and the platform and API through which it works can easily be changed from one to another.


APIs for ATM middleware are not well documented. How were the attackers able to write malware that interacts with the middleware?

I do not agree. There is more than enough documentation on the Internet at the moment; everything is easy to find in the main search engines. The key is knowing the keywords:
https://wenku.baidu.com/view/aa32823987c24028915fc3be.html
And for practice, an ATM is enough:
http://www.ebay.com/sch/i.html?_from=R40&_trksid=p2050601.m570.l1313.TR0.TRC0.H0.Xatm.TRS0&_nkw=atm

NDAs do not protect.

How do you find the presence of this malware in ATMs?

Unfortunately, most often this is the result of an incident investigation. But there are, of course, other approaches.

What other security measures need to be taken in order to prevent such malware attacks?

This is a separate, very large topic for discussion. But it is worth understanding that, more often than not, ATM hacking is done locally. It is for this purpose that a button is installed on ATMs. Unfortunately, the attackers also know about it.

Do you think hackers and cyber criminals will weaponize ATM malware like GreenDispenser with a worm-like engine (as used by W32/Blaster or W32/FunLove)? What happens to the world if W32/Blaster carries GreenDispenser in it?

Such systems should exist. The question is that they would be more difficult to detect. And the purpose of such systems is a targeted attack: a specific bank, specific billing.
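The signals a defender can correlate follow directly from the attack paths described above and in the interview: cash dispensed while the screen shows "out of service" (the GreenDispenser behaviour), an unscheduled opening of the service area followed by the dispenser disappearing from the ATM's computer, and a new LAN peer appearing after the VPN tunnel to the processing center drops. The Python below is an added example, not code from the article or from Positive Technologies; the event line format `ISO_TS ATM_ID KIND [DETAIL]`, the event names and the sample log are constructed assumptions, since real ATM hosts and middleware each log differently.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # how long after a VPN drop or door opening we still correlate

def parse_events(lines):
    """Parse constructed 'ISO_TS ATM_ID KIND [DETAIL]' lines into sorted (ts, atm, kind, detail) tuples."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the whole run
        detail = parts[3] if len(parts) == 4 else ""
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], detail))
    return sorted(events)

def correlate(events, window=WINDOW):
    """Return (atm_id, rule, timestamp) alerts; state is kept per ATM so fleet logs can interleave."""
    alerts = []
    state = {}
    for ts, atm, kind, detail in events:
        s = state.setdefault(atm, {"screen": "in_service", "vpn_down": None,
                                   "door_open": None, "ticket": False})
        if kind == "maintenance_ticket":      # scheduled service: door and dispenser events are expected
            s["ticket"] = True
        elif kind == "ticket_closed":
            s["ticket"] = False
        elif kind == "screen":                # text currently shown to customers
            s["screen"] = detail
        elif kind == "vpn_down":              # tunnel to the processing center dropped
            s["vpn_down"] = ts
        elif kind == "vpn_up":
            s["vpn_down"] = None
        elif kind == "door_open" and not s["ticket"]:
            s["door_open"] = ts
            alerts.append((atm, "unscheduled_service_area_access", ts))
        elif kind == "dispenser_lost" and s["door_open"] and ts - s["door_open"] <= window:
            alerts.append((atm, "dispenser_detached_after_door_open", ts))
        elif kind == "lan_peer" and s["vpn_down"] and ts - s["vpn_down"] <= window:
            alerts.append((atm, "lan_peer_after_vpn_down", ts))
        elif kind == "dispense" and s["screen"] == "out_of_service":
            alerts.append((atm, "dispense_while_out_of_service", ts))
    return alerts

# Constructed sample log: ATM-02 is a ticketed maintenance visit and must not alert.
SAMPLE_LOG = [
    "2019-04-10T01:00:00 ATM-01 screen out_of_service",
    "2019-04-10T01:02:10 ATM-01 dispense cassette=1 notes=40",
    "2019-04-10T01:02:40 ATM-01 dispense cassette=2 notes=40",
    "2019-04-10T09:00:00 ATM-02 maintenance_ticket T-771",
    "2019-04-10T09:05:00 ATM-02 door_open",
    "2019-04-10T09:06:00 ATM-02 dispenser_lost",
    "2019-04-10T23:40:00 ATM-03 door_open",
    "2019-04-10T23:41:30 ATM-03 dispenser_lost",
    "2019-04-11T02:00:00 ATM-04 vpn_down",
    "2019-04-11T02:12:00 ATM-04 lan_peer 10.0.5.77",
]

if __name__ == "__main__":
    for atm, rule, ts in correlate(parse_events(SAMPLE_LOG)):
        print(ts.isoformat(), atm, rule)
```

The ticket state is what keeps a legitimate field-service visit from paging anyone; without it every cassette replenishment would look like the physical attack described in the article.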

No app can stop CIA from reading your messages, says Pavel Durov



In an article titled "What does the 'Year Zero' and 'Vault 7' stuff from WikiLeaks mean?", Pavel Durov, founder of the social network VKontakte and the Telegram messenger, explained how the CIA can read your messages even if you are using a secure messaging application.

Durov said that the hackers do not need to hack the targeted applications directly. Instead, they can exploit vulnerabilities in the mobile operating system to access your sensitive information and messages.

"To put 'Year Zero' into familiar terms, imagine a castle on a mountainside. That castle is a secure messaging app. The device and its OS are the mountain. Your castle can be strong, but if the mountain below is an active volcano, there's little your engineers can do," he explained. "So in the case of 'Year Zero', it doesn't matter which messenger you use."

He explained that the hackers can gain access to your keyboard, which lets them know which keys you press.

"No app can hide what shows up on your screen from the system. And none of this is an issue of the app," said Durov.

The founder of Telegram urged the main developers of operating systems and devices, such as Apple, Google and Samsung, to immediately start fixing their vulnerabilities.

He said that normal users do not need to worry about this. But, if the CIA is on your back, it doesn't matter which messaging apps you use as long as your device is running iOS or Android.