This year’s shift to a near 100% WFH workforce by the Global 5000 has significantly changed the behaviors of trusted insiders, a DTEX Systems report reveals.
Key findings include a 450% increase in employees circumventing security controls to intentionally mask online activities and 230% increase in behaviors that indicate intent to steal data.
The data was collected during interviews with hundreds of customers and Global 5000 organizations representing a diverse sample set of businesses that varied by size, industry, and geography.
“Our findings indicate that in 2020 the equilibrium of employee security and trust has been broadly disrupted and is currently in chaos,” said Mohan Koo, CTO at DTEX Systems.
“Trusted insiders once thought to be reliable and responsible are changing their behaviors and increasing the risk of data loss, external attack and regulatory compliance violations for their employers.”
56% of companies reported remote workers actively bypassed security controls to intentionally obfuscate online activity. This is more than 4.5 times higher than 2019 which represents a 450% increase in the first eight months of 2020.
- More than 70% of the escalated incidents visible to the security and HR teams included at least one attempt to circumvent a second security control to exfiltrate data without detection.
- Companies reported remote workers most commonly attempted to intentionally bypass the corporate VPN to mask their online activities.
72% of companies surveyed saw data theft attempts by a departing employee wanting to take protected IP with them or a new employee looking to inject IP from a previous employer. This represents an increase of 2.3 times, or 230%, over similar behaviors seen in 2019.
Over 40% of incidents proactively detected flight risk behavior as well as abnormal reconnaissance or data aggregation activities.
The growth in premeditated data theft attempts and intentional activity masking behaviors by employees strongly suggests that companies are facing a heightened risk of data loss as virtual employment models become the norm, furloughs are extended and reduction-in-force actions continue.
The findings in this report highlight the lack of adoption and ineffectiveness of network and endpoint cybersecurity, employee monitoring and data loss prevention tools and suggest that organizations need to prioritize the human-element and workforce behavior in relation to data, process and machines as a pillar of their next-generation security and IT technology strategies.
In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.
On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.
Biomedical orgs under attack
The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”
The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.
“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.
Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).
The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.
After achieving persistence through additional tooling or legitimate credentials, APT 29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts with the results being sent to a hardcoded Command and Control server. They also use some malware (SoreFang) that has been previously used by other hacking groups.
The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.
Biomedical orgs open to cyber attacks
As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.
BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:
- 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
- A variety of open ports (i.e., exposed insecure services that should be never exposed outside of a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
- Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
- 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.
“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.
“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”
The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.
Global brands fail to implement security controls
As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.
In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What this report indicates is that data risk is everywhere and effective controls are rarely applied.
Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.
This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today.
Websites expose data to an average of 17 domains
Despite increasing numbers of high-profile breaches, forms, found on 92% of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records.
While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.
Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
No attack is more widespread than XSS
Standards-based security controls exist that can prevent these attacks. They are infrequently applied.
Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:
- Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
- 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
- Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.
Your payment card information got stolen but you don’t know how, when and where? Maybe you shopped on one of the 570 webshops compromised by the Keeper Magecart group (aka Magecart Group 8) since April 1, 2017.
Magecart Group 8’s modus operandi and targets
The list of the online shops hit by the criminals has been released by researchers from Gemini Advisory, who managed to compile it after gaining access to the group’s dedicated attack server that hosts both the malicious payload and the exfiltrated data stolen from victim sites.
“Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.
Their research also revealed that:
- Over 85% of the victim sites operated on the Magento CMS, 5% WordPress, and 4% Sophify
- The group tried to disguise its malicious attacker domains as legitimate services (e.g., the attacker domain closetlondon[.]org attempted to imitate closetlondon.com) and tried to imitate popular website plugins and payment gateways
- The majority of victim e-commerce sites was hosted in the U.S., followed by the U.K., the Netherlands, France, India, etc.
“The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries,” the researchers shared.
“Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor.”
The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.
The profitability of Magecart attacks
The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.
“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP [Card Not Present] data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” they noted, and said that they expect the group to continue launching increasingly sophisticated attacks against online merchants across the world.
For the end users – i.e., the online shoppers – it’s all the same and, unfortunately, there is little they can do to protect themselves against the threat of getting their payment card info skimmed.
There were seven major application DDoS attacks over the previous month — two of which lasted 5-6 days, Imperva reveals.
Additionally, the team found that 47% of account takeover (ATO) attacks were aimed at loyalty programs and streaming services, where bad actors attempted to use stolen credentials to gain unauthorized access to online accounts to carry out malicious actions such as data theft, identity fraud or fraudulent e-commerce transactions.
The report also showed continued signs of site traffic recovery across various industries following the lift in shelter-in-place orders, as schools across the world reopened and employees returned to workplaces.
Increasing length of application DDoS attacks
Seven major application DDoS attacks over 150,000 requests per second (RPS) were identified. Two of the attacks lasted five and six days consecutively — an unusual occurrence, as most (70% of those in May) DDoS attacks typically last less than 24 hours.
Additionally, while the average DDoS event in April originated from 300 IPs, these two major events were from 28,000 and 3,000 unique IPs. Additionally:
- The most targeted industries overall were news (38%), business (25%) and financial services (19%).
- Top countries from which DDoS attacks originate are China (26%), US (15%) and the Philippines (7%).
ATO attacks are focused at loyalty program cards and streaming services
Out of the total ATO attacks, 47% were aimed at loyalty programs and streaming services. In one example, 13.5 million ATO attempts were registered over three days.
Across all ATO attacks, the average attack size per site was about 100,000 attempts, distributed over 2,000 IPs on average. This means that each IP sent no more than two requests per day, classifying as a “low and slow” attack — where a botnet uses multiple devices, each sending only a handful of requests, to masquerade its attack with legitimate traffic.
COVID-19 affects cyber traffic and attack trends, while recovery continues
As the coronavirus crisis escalated, changes in traffic and attack trends across multiple industries and countries were previously examined. In May, as more countries reopened schools and less students were at home, overall traffic to education sites went down by 20%.
Additionally, with many returning to work and spending more time commuting, the use of entertainment sites — specifically radio streaming services — increased by 11% overall.
Cloud platforms and automated tools: The main source of attacks against govt sites
Cloud platforms and automated tools are the main source of attacks against government sites in the United States. A total of 65% of the attacks against law and government sites in the US originated from cloud platforms using automated tools written in the Python programming language.
Database vulnerabilities spike
Ten new database vulnerabilities were published in May, and almost half held a high severity score of greater than seven, with one reaching a critical score of greater than nine per the Common Vulnerability Scoring System (CVSS). Most of the vulnerabilities were published on May 12, 2020 as part of SAP Security Patch Day.
Overall Cyber Threat Index score remains at a ‘high’ level
Although the number of attacks declined by 28%, the Cyber Threat Index score went up by 32 points due to more high- and medium-risk vulnerabilities and an increase in high volume and longer duration DDoS attacks.
“In May, we were surprised to find two unusually long DDoS attacks lasting 5-6 days. As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact,” said Nadav Avital, head of security research at Imperva.
“For example, in Imperva’s 2019 Global DDoS Threat Landscape Report, we found that about 29% of attacks lasted 1-6 hours while 26% lasted less than 10 minutes. Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults.”
Credit card details, online banking logins, and social media credentials are available on the dark web at worryingly low prices, according to Privacy Affairs.
- Online banking logins cost an average of $35
- Full credit card details including associated data cost $12-20
- A full range of documents and account details allowing identity theft can be obtained for $1,500
Forged documents including driving licenses, passports, and auto-insurance cards can be ordered to match stolen data.
The research team scanned dark web marketplaces, forums, and websites, to create the price index for a range of products and services relating to personal data, counterfeit documents, and social media.
Online banking logins cost an average of $35
Online banking credentials typically include login information, as well as name and address of the account holder and specific details on how to access the account undetected.
Full credit card details including associated data costs: $12-20
Credit card details are usually formatted as a simple code that includes card number, associated dates and CVV, along with account holders’ data such as address, ZIP code, email address, and phone number.
A full range of documents and account details allowing identity theft can be obtained for $1285.
Criminals can switch the European ID for a U.S. passport for an additional $950, bringing the total to $2,235 for enough data and documents to do any number of fraudulent transactions.
Malware installation on compromised systems is prevalent
Remote installation of software on 1,000 computers at a time allows criminals to target the public with malware such as ransomware in various countries with a 70% success rate.
Stolen data is very easy to obtain
The general public needs to not only be aware of how prevalent the threat of identity theft is but also how to mitigate that threat by applying due diligence in all aspects of their daily lives.
Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.
The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.
The skimmer was served from a domain made to look like it might belong to the company (claires-assets.com), and it was added to the two online stores between April 25th and 30th.
“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the researchers pointed out.
“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”
How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it. In fact, they registered the malicious domain a day after Claire’s announced that they will be temporarily close all of their brick and mortar stores due to COVID-19.
ESET researchers have pointed out the compromise of Intersport’s web store and said that the company fixed the issue within several hours of ESET letting them know.
Sansec researchers say that an initial hack happened on Apr 30th and then another one on May 14th:
Intersport stores got hacked on Apr 30th, cleaned on May 3rd, then hacked again on May 14th. pic.twitter.com/RabcjPzzWd
— Sansec (@sansecio) June 15, 2020
Only the localized Intersport web shops serving customers from the Balkans region have been compromised.
It is still unknown how long the skimmers went unnoticed.
None of the compromised web shops sport a prominent notification about the breach and payment card info theft. Claire’s notified the payment card networks and law enforcement, and let’s hope they will contact affected customers directly once they determine the extent of the compromise and theft.
Companies should have protections in place to notice this and other types of breaches soon after they happen, but unfortunately many don’t.
If you’re paying for your purchases with payment cards – whether online or in physical stores – you should regularly check your account statements for unauthorized charges and report them quickly.
The ease and speed at which new cloud tools can be deployed is also making it harder for security teams to control their usage, IBM Security reveals.
According to the data, basic security oversight issues, including governance, vulnerabilities, and misconfigurations, remain the top risk factors organizations must address to secure increasingly cloud-based operations.
Additionally, an analysis of security incidents over the past year sheds light on how cybercriminals are targeting cloud environments with customized malware, ransomware and more.
With businesses rapidly moving to cloud to accommodate remote workforce demands, understanding the unique security challenges posed by this transition is essential for managing risk.
While the cloud enables many critical business and technology capabilities, ad-hoc adoption and management of cloud resources is also creating complexity for IT and cybersecurity teams.
According to IDC, more than a third of companies purchased 30+ types of cloud services from 16 different vendors in 2019 alone. This distributed landscape can lead to unclear ownership of security in the cloud, creating policy “blind spots” and potential for shadow IT to introduce vulnerabilities and misconfiguration.
Cloud environment threats and challenges
- Complex ownership: 66% of respondents surveyed say they rely on cloud providers for baseline security; yet perception of security ownership varied greatly across specific cloud platforms and applications.
- Cloud applications opening the door: The most common path for cybercriminals to compromise cloud environments was via cloud-based applications, representing 45% of incidents in IBM X-Force IRIS cloud-related case studies. Cybercriminals took advantage of configuration errors as well as vulnerabilities within the applications, which often remained undetected due to employees standing up new cloud apps on their own, outside of approved channels.
- Amplifying attacks: While data theft was the top impact of attacks in the cloud, hackers also targeted the cloud for cryptomining and ransomware3 – using cloud resources to amplify the effect of these attacks.
“The cloud holds enormous potential for business efficiency and innovation, but also can create a ‘wild west’ of broader and more distributed environments for organizations to manage and secure,” said Abhijit Chakravorty, Cloud Security Competency Leader, IBM Security Services.
“When done right, cloud can make security scalable and more adaptable – but first, organizations need to let go of legacy assumptions and pivot to new security approaches designed specifically for this new frontier of technology, leveraging automation wherever possible. This starts with a clear picture of regulatory obligations and compliance mandate, as well as the unique technical and policy-driven security challenges and external threats targeting the cloud.”
Who owns security in the cloud?
Organizations that rely heavily on cloud providers to own security in the cloud, despite the fact that configuration issues – which are typically users’ responsibility – are most often to blame for data breaches (accounting for more than 85% of all breached records in 2019).
Additionally, perceptions of security ownership in the cloud varied widely across various platforms and applications. For example, 73% of respondents believed public cloud providers were the main party responsible for securing software-as-a-service (SaaS), while only 42% believed providers were primarily responsible for securing cloud infrastructure-as-a-service (IaaS).
While this type of shared responsibility model is necessary for the hybrid, multi-cloud era, it can also lead to variable security policies and a lack of visibility across cloud environments. Organizations who are able streamline their cloud and security operations can help reduce this risk, through clearly defined policies which apply across their entire IT environment.
Top threats in the cloud: Data theft, cryptomining and ransomware
In order to get a better picture of how attackers are targeting cloud environments, incident response experts conducted an in-depth analysis of cloud-related cases the team responded to over the past year. The analysis found:
- Cybercriminals leading the charge: Financially motivated cybercriminals were the most commonly observed threat group category targeting cloud environments, though nation state actors are also a persistent risk.
- Exploiting cloud apps: The most common entry point for attackers was via cloud applications, including tactics such as brute-forcing, exploitation of vulnerabilities and misconfigurations. Vulnerabilities often remained undetected due to “shadow IT,” when an employee goes outside approved channels and stands up a vulnerable cloud app. Managing vulnerabilities in the cloud can be challenging, since vulnerabilities in cloud products remained outside the scope of traditional CVEs until 2020.
- Ransomware in the cloud: Ransomware was deployed 3x more than any other type of malware in cloud environments, followed by cryptominers and botnet malware.
- Data theft: Outside of malware deployment, data theft was the most common threat activity observed in breached cloud environments over the last year, ranging from personally identifying information to client-related emails.
- Exponential returns: Threat actors used cloud resources to amplify the effect of attacks like cryptomining and DDoS. Additionally, threat groups used the cloud to host their malicious infrastructure and operations, adding scale and an additional layer of obfuscation to remain undetected.
“Based on the trends in our incident response cases, it’s likely that malware cases targeting cloud will continue to expand and evolve as cloud adoption increases,” said Charles DeBeck, IBM X-Force IRIS.
“Malware developers have already begun making malware that disables common cloud security products, and designing malware that takes advantage of the scale and agility offered by the cloud.”
Maturing cloud security leads to faster security response
While the cloud revolution is posing new challenges for security teams, organizations who are able to pivot to a more mature and streamlined governance model for cloud security can reap significant benefits in their security agility and response capabilities.
The survey found that organizations who ranked high maturity in both Cloud and Security evolution were able to identify and contain data breaches faster than colleagues who were still in early phases of their cloud adoption journey.
In terms of data breach response time, the most mature organizations were able to identify and contain data breaches twice as fast as the least mature organizations (average threat lifecycle of 125 days vs. 250 days).
As the cloud becomes essential for business operations and an increasingly remote workforce, organizations should focus on the following elements to improve cybersecurity for hybrid, multi-cloud environments:
- Establish collaborative governance and culture: Adopt a unified strategy that combines cloud and security operations – across application developers, IT Operations and Security. Designate clear policies and responsibilities for existing cloud resources as well as for the acquisition of new cloud resources.
- Take a risk-based view: Assess the kinds workload and data you plan to move to the cloud and define appropriate security policies. Start with a risk-based assessment for visibility across your environment and create a roadmap for phasing cloud adoption.
- Apply strong access management: Leverage access management policies and tools for access to cloud resources, including multifactor authentication, to prevent infiltration using stolen credentials. Restrict privileged accounts and set all user groups to least-required privileges to minimize damage from account compromise (zero trust model).
- Have the right tools: Ensure tools for security monitoring, visibility and response are effective across all cloud and on-premise resources. Consider shifting to open technologies and standards which allow for greater interoperability between tools.
- Automate security processes: Implementing effective security automation in your system can improve your detection and response capabilities, rather than relying on manual reaction to events.
- Use proactive simulations to rehearse for various attack scenarios: This can help identify where blind spots may exist, and also address any potential forensic issues that may arise during attack investigation.
Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data.
Dubbed StrandHogg 2.0 because its similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news is, though, that there is no indication it is being actively used by attackers.
About StrandHogg 2.0 (CVE-2020-0096)
Like StrandHogg before it, CVE-2020-0096:
- Doesn’t need the target device to be rooted and doesn’t require any specific permissions
- Allows hackers to hijack nearly any app, i.e., to insert an overlay when the app is opened. The overlay take the form of a login screen, request for permissions, etc.
Unlike StrandHogg, StrandHogg 2.0:
- Can attack nearly any app on a given device simultaneously at the touch of a button (and not just one app at a time)
- Is more difficult to detect because of its code-based execution.
“The key difference between StrandHogg (1.0), and StrandHogg 2.0 is that the former uses an attribute called taskAffinity to achieve the task hijacking,” Promon researchers explained.
“For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext. While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”
StrandHogg 2.0 uses a different method for task hijacking that leaves no markers. Also, hackers can use obfuscation and reflection to make static analysis of the malicious app difficult.
Promon researcher John Høegh-Omdal says that malware that exploits StrandHogg 2.0 will be harder for anti-virus and security scanners to detect.
Who’s affected and what to do?
According to Promon’s research, the vulnerability affects all Android versions below Android 10 (with the caveat that early Android versions (<4.0.1) have not been tested). Google has released a patch to Android ecosystem partners in April 2020 and a fix for Android versions 8.0, 8.1, and 9 to the public in May 2020.
“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” says Tom Lysemose Hansen, CTO and founder of Promon.
As with StrandHogg, users are advised to be wary of permission pop-ups that don’t contain an app name and apps that they have already logged into asking for login credentials.
“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild,” Hansen advises.
These measures include setting all of the app’s public activities to launchMode=”singleTask” OR launchMode=”singleIn stance” in AndroidManifest.xml.
Cyber crooks deploying web credit card skimmers on compromised Magento websites have a new trick up their sleeve: favicons that “turn” malicious when victims visit a checkout page.
Favicons and card skimmers
Favicons is a file containing one or more small icons associated with a website and are usually displayed in the browser’s address bar, on the tab in which a website has been opened, and in the bookmarks.
“The goal [with online credit card skimmers is] to deceive online shoppers while staying under the radar from website administrators and security scanners,” Malwarebytes researcher Jérôme Segura explained.
In this latest approach, the crooks registered a new website purporting to offer thousands of images, icons and favicons for download (myicons[.]net) and made it an exact copy of the legitimate iconarchive.com site by loading it as an iframe.
Several e-commerce sites were loading a Magento favicon from this domain, Segura noted, but at first glance, the favicon image was clean.
The script would override the PayPal checkout option with its own drop down menu for MasterCard, Visa, Discover and American Express. The entered information would be exfiltrated to a remote server controlled by the crooks.
The new trick is part of ongoing attacks
“Given the decoy icons domain registration date, this particular scheme is about a week old but is part of a larger number of ongoing skimming attacks,” the researcher noted.
In fact, the IP of the server on which the malicious icon was hosted was flagged as part of an attack infrastructure nearly a month ago by Sucuri researchers, who tied it to a gang “known for using quite a few interesting tricks in their skimmers.”
It’s difficult for consumers to spot this type of attack and endpoint security solutions may or may not detect it. It’s on site owners to keep their websites secure and to quickly spot malicious changes.
The U.S. Department of Justice’s Cybersecurity Unit has released guidelines for organizations that want to gather cyber threat intelligence from dark web forums/markets but, at the same time, want to stay on the right side of the (U.S. federal criminal) law.
The document focuses on “information security practitioners’ cyber threat intelligence-gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold. It also contemplates situations in which private actors attempt to purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in Dark Markets.”
It was compiled based on input from the US DOJ’s various divisions, the FBI, the U.S. Secret Service and the U.S. Treasury Department’s Office of Foreign Asset Control. In it, DOJ’s Cybersecurity Unit advises organizations on how to avoid becoming a perpertrator (consult with legat counsel, ask the FBI’s opinion before engaging in some legally murky activities) and a victim (institute security safeguards and adhere to cybersecurity practices that will minimize the risk of being victimized).
DOs and DON’Ts
- Gather cyber threat intelligence passively
- Access forums lawfully (by obtaining login credentials legitimately, for entirely fake personas)
- Ask questions and solicit advice on the forum (but document that they are doing that just for the purpose of gathering info, not committing a crime)
- Access forums unlawfully (by using stolen credentials, impersonating the identity of an actual person, including a government official, or using an exploit)
- Surreptitiously intercept communications occurring on a forum
- Provide the forum operator with malware or stolen personal info in order to gain access to the forum or provide other forum participants with useful information, services, or tools that can be used to commit crimes in order to get their trust
- Solicit or induce the commission of a computer crime
- Assist others engaged in criminal conduct (through advice or action)
- Involve their legal department in operational planning
- Share information about an ongoing or impending computer crime uncovered during intelligence gathering activities with law enforcement
Cybersecurity companies that monitor dark markets for specific types of information as a service to their customers – whether that’s stolen customer records offered for sale, malware or security vulnerabilities that target their customers’ networks or products – have additional specific things to take into consideration when attempting to purchase it (e.g., buying the data from a foreign terrorist organization is unlawful, and so is buying malware that is designed to intercept electronic communications surreptitiously).
In 2019, healthcare data breaches collectively affected over 27 million individuals, according to Bitglass.
Categories of breaches
- Hacking or IT incidents: Breaches related to malicious hackers and improper IT security
- Unauthorized access or disclosure: All unauthorized access and sharing of organizational data
- Loss or theft: Breaches enabled by the loss or theft of endpoint devices
- Other: Miscellaneous breaches and leaks related to items such as improper disposal of data
Number of records exposed in healthcare breaches doubles
According to the findings, the total number of records breached more than doubled from 2018 to 2019. This same doubling also occurred between 2017 and 2018, revealing a dramatic upward trend over the last few years.
Corresponding with this, the average number of individuals affected per breach reached 71,311 in 2019, nearly twice that of 2018 (39,739). Additionally, this was the first time since 2016 that the number of breaches reached over 300 – the 386 incidents in 2019 represented a 33% increase over 2018.
“This is not particularly surprising given the fact that threat actors are maturing their capabilities and adapting to security measures organizations put in place, like multi-factor authentication.
“Healthcare databases are heavily targeted by cybercriminals as they hold a wealth of sensitive information like medical histories, Social Security numbers, personal financial data, and more. This means that healthcare firms must employ the appropriate technologies and cybersecurity best practices to ensure all data within their IT systems is secure around the clocks.”
- The cost per breached record in healthcare was $429 in 2019. Last year, with 27.5 million records exposed, data breaches cost healthcare organizations $11.8 billion.
- Around 24 million people were affected by healthcare breaches due to Hacking and IT Incidents. This category was followed by Unauthorized Access or Disclosure, which affected 2.5 million people.
- Texas had the most healthcare breaches in 2019 with 47 incidents, nearly twice the number of California, which came in second place at 25.
- Lost or stolen devices has consistently had the biggest annual decrease over the past few years, dropping from 148 in 2014 to 42 in 2019.
- The total number of records breached has more than doubled each year; from 4.7M in 2017 to 11.5M in 2018, and to 27.5M in 2019.
Although 96 percent of the 1,850 senior leaders within large organizations have a data sanitization policy in place, 31 percent have yet to communicate it across the business, according to a Blancco survey.
Twenty percent of respondents also don’t believe their organization’s policies are finished being defined. Overall, over half of organizations (56 percent) do not have a data sanitization policy in place that’s being effectively communicated across the full company on a regular basis. This is increasing the risks of potential data breaches.
Not taking direct responsibility for IT asset erasure – 22 percent of employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22 percent place this responsibility with their line manager.
If data sanitization policies haven’t been communicated to either party effectively, the chances of sensitive information being leaked as a consequence of insufficient erasure increase dramatically.
Leaving equipment languishing in storage areas
87 percent of global enterprises admitted not sanitizing assets as soon as they reach end-of-life, while 31 percent reported taking more than a month to sanitize these devices. This puts companies at risk of equipment loss, theft, and data breaches.
Performing offsite erasure
34 percent of enterprise organizations are sanitizing PCs and laptops offsite at end-of-life. Working with a third-party provider to sanitize equipment offsite isn’t necessarily a bad thing, but it does present certain risks, particularly if organizations don’t have complete visibility into the chain of custody for their IT assets and have no way to prove that the data on their assets wasn’t compromised during the transportation process.
Any external contractor needs to provide detailed audit trails for the entire chain of custody and certified erasure at end-of-life for these assets.
Lacking clear ownership of data sanitization policies
Although 68 percent of respondents felt that ownership of data sanitization policies is clearly communicated within their organization, when asked who was responsible for their implementation, 18 percent of enterprises stated the DPO, 18 percent the Head of Operations, 17 percent the Head of IT Operations and 11 percent the CISO.
This lack of clear ownership could suggest enterprises consider data sanitization to be a “‘checkmark”’ exercise that must be done to satisfy compliance or operational requirements and that they are not taking data risks seriously.
“The lack of robust data sanitization policies across global enterprises is alarming,” said Fredrik Forslund, Vice President, Enterprise and Cloud Erasure Solutions at Blancco.
“If they fail to formulate and communicate these policies effectively, at every stage of the data lifecycle, they risk putting significant amounts of potentially sensitive data at risk. It is vital they put processes in place, with clear ownership, and auditability for control, assigned to their senior leadership team to mitigate these risks.”
Flexible workers least likely to comply with data sanitization policies
A third of the enterprises surveyed also felt that flexible workers were the least likely to comply with data sanitization policies, while 40 percent believed contractors or freelancers were the least likely to understand or comply with their data sanitization policy.
There is not only a lack of clear ownership around the implementation of data sanitization policies but also a lack of accountability regarding how enterprises are complying with them.
The responsibility is spread across different job roles including the Head of Compliance (30 percent), Head of IT Operations (15 percent), Head of Operations (14 percent), Head of Legal (11 percent) and DPO (9 percent), leaving enterprises open to compliance breakdown and fines.
Key U.S. and Canada findings
Thirty-three percent of respondents in the U.S. and Canada also believe that flexible workers, who work at home or remotely, are the least likely to comply with data sanitization policies – implying that they may pose a security risk.
Thirty-two percent of employees in enterprises in the U.S. and Canada are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Nineteen percent place this responsibility with their line manager.
More than a third (32 percent) of enterprises in the U.S. and Canada also stated that they are placing their Head of Compliance in charge of complying with their data sanitization policies which is encouraging. However, only nine percent are giving this responsibility to their DPO.
Key U.K. findings
Despite 97 percent of U.K. companies having a data sanitization policy in place, more than a third (37 percent) have yet to communicate it across the business. Overall, nearly half of companies (42 percent) do not have a data sanitization policy in place that’s being effectively and regularly communicated across the organization.
20 percent of employees in U.K. companies are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. 35 percent place this responsibility with their line manager.
Worryingly, 58 percent of U.K. enterprises also reported not being aware of when their organization’s IT security policy was last updated and 56 percent aren’t clear about what it contains, the highest percentage points from all the countries surveyed.
Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.
Massive fallout from the Equifax breach
The report also highlights a major rise in zero day malware detections and, increasing use of Microsoft Office exploits and legitimate penetration testing tools.
Apache Struts 2 Remote Code Execution enables attackers to install Python or make a custom HTTP request to exploit the vulnerability with just a few lines of code and obtain shell access to an exposed system. This threat was accompanied by two additional Apache Struts vulnerabilities on the top ten network attacks list in Q3 2019, as overall network attacks increased in volume by 8%.
The massive fallout from the Equifax breach put the severity of this vulnerability on full display and should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible.
“Our latest threat intelligence showcases the variability and sophistication of cybercriminals’ growing playbook. Not only are they leveraging notorious attacks, but they’re launching evasive malware campaigns and hijacking products, tools and domains we use every day,” said Corey Nachreiner, CTO, WatchGuard Technologies.
“As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints, to the users themselves.”
Attackers continue to favor Microsoft Office exploits
Two malware variants affecting Microsoft Office products made WatchGuard’s top ten list of malware by volume, as well as the top ten most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks, as well as the number of victims they’re targeting.
Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.
Zero day malware instances spike to 50%, as overall malware detections rise
After stabilizing at around 38% of all malware detections over the past several quarters, zero day malware accounted for half of all detections in Q3. The overall volume of malware detected increased by 4% compared to Q2 2019, with a massive 60% increase over Q3 2018.
The fact that half of malware attacks in Q3 were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats.
Cybercriminals may be leveraging legitimate pentesting tools for attacks
Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top ten list of malware by volume in Q3. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent.
The second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz (which dropped in prevalence by 48% compared to Q2, and 16% compared to Q3 2018) to make the list.
It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools. Organizations must continue to leverage anti-malware services to prevent data theft.
Malware attacks targeting the Americas increase drastically
More than 42% of all malware attacks in Q3 2019 were aimed at North, Central and South America; up from just 27% in Q2. This represents a significant geographic shift in focus for attackers compared to last quarter, as EMEA and APAC (which were tied for the top regional malware target in Q2) accounted for 30% and 28% of all malware attacks in Q3, respectively.
Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas region.
Organizations aren’t moving quickly enough on cybersecurity threats linked to the drive toward using personal mobile devices in the workplace, warns a QUT privacy researcher.
QUT’s Dr Kenan Degirmenci
BYOD security challenges everywhere
Dr Kenan Degirmenci from QUT’s Science and Engineering Faculty’s School of Information Systems said workers worldwide expected to take their work with them whenever and wherever. But he warned Bring Your Own Device (BYOD) had opened up a can of worms for employers and employees alike.
“The breakneck speed of digital transformation brought with it opportunities as well as threats,” he said.
“Organizations don’t appear to be keeping up with the pace of change, deliberately putting the brakes on digital transformation because it comes with security challenges.”
Dr Degirmenci said, nonetheless, by 2021 the BYOD and enterprise mobility market which incorporates segments such as software, security, data management and network security is estimated to grow to $73 billion globally.
Data breaches including stealing of personal information are also on the rise for all kinds of businesses and workplaces.
Often employees use their personal devices, but many don’t know if their employer has a policy in place to protect their data and usage.
“Some organizations wary of malware or theft of data can track employees’ locations during work and non-work hours, wipe data, as well as access private emails and photos,” Dr Degirmenci said.
The research involved a case study of two multinational companies and a survey of almost 550 employees from the United States, Germany and South Korea about BYOD to work.
Taking on BYOD risks
Dr Degirmenci said the multinational companies from the survey used mobile device management (MDM) to monitor, manage and secure devices of employees.
“American employees placed greater emphasis on BYOD risks compared to Germany and South Korea,” he said.
Australia ranked similarly to the United States in terms of its “individualist-type culture” and while workers wanted increased flexibility there were drawbacks to using their own devices. New technologies and digital capabilities are also omniscient across the education sector with schools enacting BYOD.
“We’ve recommended BYOD security management be improved, particularly for countries like America and Australia.”
Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.
Disturbing lack of security measures
Tala Security highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.
98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are targeting online credit card information.
“Online merchants and website owners must recognize the critical need for client-side security. The fundamental driver of online commerce — consumer trust — is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII,” said Aanand Krishnan, CEO and co-founder of Tala Security.
Key findings from the survey
- Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
- User form data sent, captured on forms available on 98% of websites, is exposed to 10 times more domains than intended by the website owner. This creates a massive opportunity for data theft from attackers.
- The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers. This content is delivered via client-side connections that lack effective security controls.
- Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website. The remaining two-thirds is served via client-side connections that lack effective security.
- Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks.
The post Macy’s online store compromised in Magecart-style attack appeared first on Help Net Security.
Mobile apps that work with Bluetooth devices have an inherent design flaw that makes them vulnerable to hacking, a research has found. Where is the issue? The problem lies in the way Bluetooth Low Energy devices communicate with the mobile apps that control them, said Zhiqiang Lin, associate professor of computer science and engineering at The Ohio State University. “There is a fundamental flaw that leaves these devices vulnerable – first when they are initially … More
The post The way Bluetooth devices ‘talk’ to apps leaves them vulnerable appeared first on Help Net Security.
There has been a rampant growth of look-alike domains, which are often used to steal sensitive data from online shoppers. Venafi analyzed suspicious domains targeting 20 major retailers in the U.S., U.K., France, Germany and Australia and found over 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted. According to the research, growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four … More
The post Trusted certificates make phishing websites appear valid appeared first on Help Net Security.