Tag Archives: Threat

Ransomware attacks shaking up threat landscape — again

Ransomware is changing the threat landscape yet again, though this time it isn’t with malicious code.

A spike in ransomware attacks against municipal governments and healthcare organizations, coupled with advancements in the back-end operations of specific campaigns, has concerned security researchers and analysts alike. The trends are so alarming that Jeff Pollard, vice president and a principal analyst at Forrester Research, said he expects local, state and city governments will be forced to seek disaster relief funds from the federal government to recover from ransomware attacks.

“There’s definitely been an uptick in overall attacks, but we’re seeing municipality after municipality get hit with ransomware now,” Pollard said. “When those vital government services are disrupted, then it’s a disaster.”

In fact, Forrester’s report “Predictions 2020: Cybersecurity” anticipates that at least one local government will ask for disaster relief funding from their national government in order to recover from a ransomware attack that cripples municipal services, whether they’re electrical utilities or public healthcare facilities.

Many U.S. state, local and city governments have already been disrupted by ransomware this year, including a massive attack on Atlanta in March that paralyzed much of the city’s non-emergency services. A number of healthcare organizations have also shut down from ransomware attacks, including a network of hospitals in Alabama.

The increase in attacks on municipal governments and healthcare organizations has been accompanied by another trend this year, according to several security researchers: Threat actors are upping their ransomware games.

Today’s infamous ransomware campaigns share some aspects with the notable cyberattacks of 20 years ago. For example, the ILoveYou worm used a simple VB script to spread through email systems and even overwrote random files on infected devices, which forced several enterprises and government agencies to shut down their email servers.

But today’s ransomware threats aren’t just using more sophisticated techniques to infect organizations — they’ve also built thriving financial models that resemble the businesses of their cybersecurity counterparts. And they’re going after targets that will deliver the biggest return on investment.

New approaches

The McAfee Labs Threats Report for August showed a 118% increase in ransomware detections for the first quarter of this year, driven largely by the infamous Ryuk and GandCrab families. But more importantly, the vendor noted how many ransomware operations had embraced “innovative” attack techniques to target businesses; instead of using mass phishing campaigns (as Ryuk and GandCrab have), “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP [remote desktop protocol] and virtual network computing,” the report stated.

“The concept of ransomware is no longer the concept that we’ve historically known it as,” Raj Samani, chief scientist at McAfee, told SearchSecurity.

Sophos Labs’ 2020 Threat Report, which was published earlier this month, presented similar findings. The endpoint security vendor noted that since the SamSam ransomware attacks in 2018, more threat actors have “jumped on the RDP bandwagon” to gain access to corporate networks, not just endpoint devices. In addition, Sophos researchers found more attacks using remote monitoring and management software from vendors such as ConnectWise and Kaseya (ConnectWise’s Automate software was recently used in a series of attacks).

John Shier, senior security advisor at Sophos, said certain ransomware operations are demonstrating more sophistication and moving away from relying on “spray and pray” phishing emails. “The majority of the ransomware landscape was just opportunistic attacks,” he said.

That’s no longer the case, he said. In addition to searching for devices with exposed RDP or weak passwords that can be discovered by brute-force attacks, threat actors are also using that access to routinely locate and destroy backups. “The thoroughness of the attacks in those cases is devastating, and therefore they can command higher ransoms and get a higher percentage of payments,” Shier said.
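The pattern Shier describes, password guessing against exposed RDP followed by hands-on activity once a guess lands, leaves a distinctive trace in Windows Security logs. The following is an added example, not code from the article or from Sophos: it scans constructed sample records for Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), flags any source address that reaches a failure threshold inside a sliding window, and then records whether the same source later produced a 4624 (successful logon), which is the moment the operator gains the foothold used to hunt for backups. The event tuples, addresses and threshold are constructed for illustration.

```python
"""RDP password-guessing detection over constructed Windows Security events.

Added example; the records below are constructed sample data, not real
telemetry. Each tuple is (timestamp, event_id, logon_type, user, source_ip).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # LogonType 10 = RemoteInteractive (RDP)

SAMPLE_EVENTS = [
    ("2019-11-12T08:00:01", 4625, 10, "administrator", "198.51.100.23"),
    ("2019-11-12T08:00:03", 4625, 10, "admin", "198.51.100.23"),
    ("2019-11-12T08:00:04", 4625, 10, "backup", "198.51.100.23"),
    ("2019-11-12T08:00:06", 4625, 10, "administrator", "198.51.100.23"),
    ("2019-11-12T08:00:07", 4625, 10, "svc_backup", "198.51.100.23"),
    ("2019-11-12T08:00:09", 4625, 10, "administrator", "198.51.100.23"),
    ("2019-11-12T08:00:15", 4624, 10, "administrator", "198.51.100.23"),
    ("2019-11-12T08:05:00", 4625, 10, "jsmith", "10.0.0.15"),   # single typo, benign
    ("2019-11-12T08:05:10", 4624, 10, "jsmith", "10.0.0.15"),
    ("2019-11-12T09:00:00", 4625, 2, "jdoe", "10.0.0.20"),      # console logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures", "users", "success"}} for each source
    whose RDP logon failures reach `threshold` within `window`.
    "failures" counts every failure from that source once flagged,
    "users" lists the account names tried, and "success" holds the timestamp
    of the first RDP success after flagging (None if none was seen)."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps inside window
    tried = defaultdict(set)      # source_ip -> account names attempted
    flagged = {}
    for ts_str, event_id, logon_type, user, src in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            tried[src].add(user)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if src in flagged:
                flagged[src]["failures"] += 1
            elif len(q) >= threshold:
                flagged[src] = {"failures": len(q), "users": None, "success": None}
        elif event_id == 4624 and src in flagged and flagged[src]["success"] is None:
            flagged[src]["success"] = ts_str
    for src, info in flagged.items():
        info["users"] = sorted(tried[src])
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = "FOLLOWED BY SUCCESS at " + info["success"] if info["success"] else "no success seen"
        print(f"{src}: {info['failures']} RDP failures, accounts {info['users']}, {status}")
```

A source that is flagged and then succeeds is the case worth paging on: the next events to pull for that session are the ones Shier describes, enumeration of backup shares and backup software, rather than the logon itself.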

Jeremiah Dewey, senior director of managed services and head of incident response at Rapid7, said his company began getting more calls about ransomware attacks with higher ransom demands. “This year, especially earlier in the year, we saw ransomware authors determine that they could ask for more,” he said.

With the volume of ransomware attacks this year, experts expect that trend to continue.

The ransomware economy

Samani said the new strategies and approaches used by many threat groups show a “professionalization” of the ransomware economy. But there are also operational aspects, particularly with the ransomware-as-a-service (RaaS) model, that are exhibiting increased sophistication. With RaaS campaigns such as GandCrab, ransomware authors make their code available to “affiliates” who are then tasked with infecting victims; the authors take a percentage of the ransoms earned by the affiliates.

In the past, Samani said, affiliates were usually less-skilled cybercriminals who relied on traditional phishing or social engineering tactics to spread ransomware. But that has changed, he said. In a series of research posts on Sodinokibi, a RaaS operation that experts believe was developed by GandCrab authors, McAfee observed the emergence of “all-star” affiliates who have gone above and beyond what typical affiliates do.

“Now you’re seeing affiliates beginning to recruit individuals that are specialists in RDP stressing or RDP brute-forcing,” Samani said. “Threat actors are now hiring specific individuals based on their specialties to go out and perform the first phase of the attack, which may well be the initial entry vector into an organization.”

And once they achieve access to a target environment, Samani said, the all-stars generally lie low until they achieve an understanding of the network, move laterally and locate and compromise backups in order to maximize the damage.

Sophos Labs’ 2020 Threat Report also noted that many ransomware actors are prioritizing which drives, files and documents to encrypt first based on the type of data they hold. Shier said it’s not surprising to see ransomware campaigns increasingly use tactics that rely on human interaction. “What we’ve seen starting with SamSam is more of a hybrid model — there is some automation, but there’s also some humans,” he said.

These tactics and strategies have transformed the ransomware business, Samani said, shifting it away from the economies-of-scale approach of old. “All-star” affiliates who can not only infect the most victims but also command the biggest ransoms are now reaping the biggest rewards. And the cybercriminals behind these RaaS operations are paying close attention, too.

“The bad guys are actively monitoring, tracking and managing the efficiency of specific affiliates and rewarding them if they are as good as they claim to be,” Samani said. “It’s absolutely fascinating.”

Silver linings, dark portents

There is some good news for enterprises amid the latest ransomware research. For one, Samani said, the more professional ransomware operations were likely forced to adapt because the return on investment for ransomware was decreasing. Efforts from cybersecurity vendors and projects like No More Ransom contributed to victims refusing to pay, either because their data had been decrypted or because they were advised against it.

As a result, ransomware campaigns were forced to improve their strategies and operations in order to catch bigger fish and earn bigger rewards. “Return on investment is the key motivator to the re-evolution or rebirth of ransomware,” Samani said.

Another positive, according to Shier, is that not every ransomware campaign or its affiliates has the necessary skills to emulate a SamSam operation, for example. “In terms of other campaigns implementing similar models and techniques, it’s grown in the past 18 months,” he said. “But there are some limitations there.”

On the downside, Shier said, cybercriminals often don’t even need that level of sophistication to achieve some level of success. “Not everyone has the technical expertise to exploit BlueKeep for an RDP attack,” he said. “But there’s enough exposed RDP [systems] out there with weak passwords that you don’t need things like BlueKeep.”

In addition, Samani said the ransomware operations that earn large payments will be in a position to improve even further. “If you’ve got enough money, then you can hire whoever you want,” Samani said. “Money gives you the ability to improve research and development and innovate and move your code forward.”

In order to make the most money, threat actors will look for the organizations that are not only most vulnerable but also the most likely to pay large ransoms. That, Samani said, could lead to even more attacks on government and healthcare targets in 2020.

Shier said most ransomware attacks on healthcare companies and municipal governments still appear to be opportunistic infections, but he wouldn’t be surprised if more sophisticated ransomware operations begin to purposefully target those organizations in order to maximize their earnings.

“[Threat actors] know there are organizations that simply can’t experience downtime,” Shier said. “They don’t care who they are impacting. They want to make money.”

Go to Original Article
Author:

Threat Stack Application Security Monitoring adds Python support

Threat Stack has announced Python support for its Threat Stack Application Security Monitoring product. The update comes with no additional cost as part of the Threat Stack Cloud Security Platform.

With Python support for Application Security Monitoring, Threat Stack customers who use Python with Django and Flask frameworks can ensure security in the software development lifecycle with risk identification of both third-party and native code, according to Tim Buntel, vice president of application security products at Threat Stack.

In addition, the platform also provides built-in capabilities to help developers learn secure coding practices and real-time attack blocking, according to the company.

“Today’s cloud-native applications are comprised of disparate components, including containers, virtual machines and scripts, including those written in Python, that serve as the connective tissue between these elements,” said Doug Cahill, senior analyst and group Practice Director, Cybersecurity at Enterprise Strategy Group. Hence, the lack of support for any one layer of a stack means a lack of visibility and a vulnerability an attacker could exploit.

Application Security Monitoring is a recent addition to Threat Stack Cloud Security Platform. Introduced last June, the platform is aimed at bringing visibility and protection to cloud-based architecture and applications. Threat Stack Cloud Security Platform touts the ability to identify and block attacks such as cross-site scripting (XSS) and SQL injection by putting the application in context with the rest of the stack. When an attack happens, it also allows users to move with one click from the application to the container or host where it is deployed, according to the company.

“[Application Security Monitoring] … provides customers with full stack security observability by correlating security telemetry from the cloud management console, host, containers and applications in a single, unified platform,” Buntel said.

To achieve full stack security and insights from the cloud management console, host, containers, orchestration and applications, customers can combine Threat Stack Application Security Monitoring with the rest of the Threat Stack Cloud Security Platform, according to the company.

Cahill said customers should look for coverage of the technology stack as well as the lifecycle when looking to secure cloud-native applications, because such full stack and lifecycle support allows for threat detection and prevention capabilities “from the code level down to the virtual machine or container to be implemented in both pre-deployment stages and runtime.”

“Cloud security platforms, which integrate runtime application self-protection functionality with cloud workload protection platforms to provide full-stack and full lifecycle visibility and control, are just now being offered by a handful of cybersecurity vendors, including Threat Stack,” he added.

Threat Stack Application Security Monitoring for Python is available as of Wednesday.

Threat Stack competitors include CloudPassage, Dome9 and Sophos. CloudPassage Halo is a security automation platform delivering visibility, protection and compliance monitoring for cybersecurity risks; the platform also covers risks in Amazon Web Services and Azure deployments, according to the company. CloudGuard Dome9 is a software platform for public cloud security and compliance orchestration; the platform helps customers assess their security posture, detect misconfigurations and enforce security best practices to prevent data loss, according to the company. Sophos Intercept X enables organizations to detect blended threats that merge automation and human hacking skills, according to the company.


Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise – Microsoft Security

Microsoft Threat Experts is the managed threat hunting service within Microsoft Defender Advanced Threat Protection (ATP) that includes two capabilities: targeted attack notifications and experts on demand.

Today, we are extremely excited to share that experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations.

With experts on demand, Microsoft Defender ATP customers can engage directly with Microsoft security analysts to get guidance and insights needed to better understand, prevent, and respond to complex threats in their environments. This capability was shaped through partnership with multiple customers across various verticals by investigating and helping mitigate real-world attacks. From deep investigation of machines that customers had a security concern about, to threat intelligence questions related to anticipated adversaries, experts on demand extends and supports security operations teams.

The other Microsoft Threat Experts capability, targeted attack notifications, delivers alerts that are tailored to organizations and provides as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. Together, the two capabilities make Microsoft Threat Experts a comprehensive managed threat hunting solution that provides an additional layer of expertise and optics for security operations teams.

Experts on the case

By design, the Microsoft Threat Experts service has as many use cases as there are unique organizations with unique security scenarios and requirements. One particular case showed how an alert in Microsoft Defender ATP led to informed customer response, aided by a targeted attack notification that progressed to an experts on demand inquiry, resulting in the customer fully remediating the incident and improving their security posture.

In this case, Microsoft Defender ATP endpoint protection capabilities recognized a new malicious file in a single machine within an organization. The organization’s security operations center (SOC) promptly investigated the alert and developed the suspicion it may indicate a new campaign from an advanced adversary specifically targeting them.

Microsoft Threat Experts, who are constantly hunting on behalf of this customer, had independently spotted and investigated the malicious behaviors associated with the attack. With knowledge about the adversaries behind the attack and their motivation, Microsoft Threat Experts sent the organization a bespoke targeted attack notification, which provided additional information and context, including the fact that the file was related to an app that was targeted in a documented cyberattack.

To create a fully informed path to mitigation, experts pointed to information about the scope of compromise, relevant indicators of compromise, and a timeline of observed events, which showed that the file executed on the affected machine and proceeded to drop additional files. One of these files attempted to connect to a command-and-control server, which could have given the attackers direct access to the organization’s network and sensitive data. Microsoft Threat Experts recommended full investigation of the compromised machine, as well as the rest of the network for related indicators of attack.

Based on the targeted attack notification, the organization opened an experts on demand investigation, which allowed the SOC to have a line of communication and consultation with Microsoft Threat Experts. Microsoft Threat Experts were able to immediately confirm the attacker attribution the SOC had suspected. Using Microsoft Defender ATP’s rich optics and capabilities, coupled with intelligence on the threat actor, experts on demand validated that there were no signs of second-stage malware or further compromise within the organization. Since, over time, Microsoft Threat Experts had developed an understanding of this organization’s security posture, they were able to share that the initial malware infection was the result of a weak security control: allowing users to exercise unrestricted local administrator privilege.

Experts on demand in the current cybersecurity climate

On a daily basis, organizations have to fend off the onslaught of increasingly sophisticated attacks that present unique security challenges: supply chain attacks, highly targeted campaigns, hands-on-keyboard attacks. With Microsoft Threat Experts, customers can work with Microsoft to augment their security operations capabilities and increase confidence in investigating and responding to security incidents.

Now that experts on demand is generally available, Microsoft Defender ATP customers have an even richer way of tapping into Microsoft’s security experts and get access to skills, experience, and intelligence necessary to face adversaries.

Experts on demand provide insights into attacks, technical guidance on next steps, and advice on risk and protection. Experts can be engaged directly from within the Windows Defender Security Center, so they are part of the existing security operations experience.

We are happy to bring experts on demand within reach of all Microsoft Defender ATP customers. Start your 90-day free trial via the Microsoft Defender Security Center today.

Learn more about Microsoft Defender ATP’s managed threat hunting service here: Announcing Microsoft Threat Experts.

Author: Microsoft News Center

Global cryptomining attacks use NSA exploits to earn Monero

A new threat group has launched cryptomining attacks around the globe and is using exploits from the National Security Agency to spread its malware.

The threat group, dubbed ‘Panda,’ was revealed this week in a new report from Cisco Talos. Christopher Evans and Dave Liebenberg, threat researcher and head of strategic intelligence, respectively, at Cisco Talos, wrote that although the group is “far from the most sophisticated” it has been very active and willing to “update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts.”

“Panda’s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,” Evans and Liebenberg wrote in a blog post. “Our threat traps show that Panda uses exploits previously used by Shadow Brokers and Mimikatz, an open-source credential-dumping program.”

The NSA exploits include EternalBlue, which attacks a vulnerability in Microsoft’s Server Message Block (SMB) protocol. The researchers first became aware of Panda’s cryptomining attacks in the summer of 2018 and told SearchSecurity that over the past year they’ve seen daily activity in the organization’s honeypots.

“We see them in several of our honeypots nearly every day, which tells me they’re targeting a large portion of the internet,” Evans said. “Our honeypots are deployed throughout the world, and I’ve never seen a geographic focus of their attacks in the data. The applications they target are widely deployed, and without patching are easy targets.”

Since January, the researchers saw Panda’s cryptomining attacks changing by targeting different vulnerabilities — first a ThinkPHP web framework issue, then an Oracle WebLogic flaw — and using new infrastructure both in March and again over the past month.

“They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and [are] quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch,” the researchers wrote. “And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware.”

Liebenberg told SearchSecurity, “It appears that instead of employing good OpSec they focus on volume. That’s one reason why they’ll keep using old, burned infrastructure while still deploying new ones.” 

Evans and Liebenberg said in their research that the Panda group has made approximately 1,215 Monero (a cryptocurrency that emphasizes privacy), which equates to almost $100,000 today. One Monero is currently equal to $78, but the value of Monero has fluctuated — beginning the year around $50 and peaking over $110 in June.

The researchers have confirmed Panda cryptomining attacks against organizations in the banking, healthcare, transportation, telecommunications and IT services industries. Evans and Liebenberg also told SearchSecurity that the best way for organizations to detect if they have been attacked would be to “look for prolonged high system utilization, connections to mining pools using common mining ports (3333, 4444), watching for common malware persistence mechanisms, watching for DNS traffic to known mining pools and enabling the appropriate rules in your IDS.”
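The detection advice Evans and Liebenberg give above reduces to a handful of log checks that can be correlated per host. The script below is an added example, not code from Cisco Talos or from the article: it parses constructed connection-log, DNS-log and CPU-sample lines and reports outbound connections to the common mining ports 3333 and 4444, DNS lookups of domains on a mining-pool watchlist, and hosts whose CPU stays above a threshold across consecutive samples, then scores each internal host by how many independent indicator types fired. The watchlist domains, addresses, thresholds and log formats are all constructed placeholders; in practice the watchlist comes from a threat-intelligence feed and the IDS rules the researchers mention cover the traffic side in depth.

```python
"""Cryptomining indicator triage over constructed log lines.

Added example. Every domain, address and log line below is constructed;
the watchlist is a placeholder for a real mining-pool intelligence feed.
"""
import re
from collections import defaultdict

MINING_PORTS = {3333, 4444}          # common mining-pool ports named in the article
POOL_WATCHLIST = {"pool.mining-placeholder.test", "xmr.pool-placeholder.test"}  # constructed
CPU_THRESHOLD = 90.0                 # percent; assumed tuning value
SUSTAINED_SAMPLES = 3                # consecutive samples above threshold; assumed

CONN_LOG = """\
2019-09-17T10:01:02 src=10.1.4.7 dst=203.0.113.9 dport=3333 proto=tcp bytes=14200
2019-09-17T10:01:05 src=10.1.4.7 dst=203.0.113.9 dport=443 proto=tcp bytes=900
2019-09-17T10:02:11 src=10.1.9.3 dst=198.51.100.77 dport=4444 proto=tcp bytes=50100
2019-09-17T10:03:00 src=10.1.2.2 dst=192.0.2.10 dport=80 proto=tcp bytes=3000
"""
DNS_LOG = """\
2019-09-17T10:00:58 client=10.1.4.7 query=pool.mining-placeholder.test type=A
2019-09-17T10:01:30 client=10.1.2.2 query=www.example.com type=A
2019-09-17T10:02:05 client=10.1.9.3 query=update.xmr.pool-placeholder.test type=A
"""
CPU_LOG = """\
2019-09-17T10:00:00 host=10.1.4.7 cpu=97.5
2019-09-17T10:05:00 host=10.1.4.7 cpu=98.1
2019-09-17T10:10:00 host=10.1.4.7 cpu=96.0
2019-09-17T10:00:00 host=10.1.2.2 cpu=95.0
2019-09-17T10:05:00 host=10.1.2.2 cpu=12.0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'key=value key=value ...' into a dict (timestamp has no '=', so it is skipped)."""
    return dict(KV.findall(line))


def mining_port_connections(conn_log):
    """(src, dst, dport) for every connection to a common mining port."""
    hits = []
    for line in conn_log.splitlines():
        f = parse_kv(line)
        if f and int(f["dport"]) in MINING_PORTS:
            hits.append((f["src"], f["dst"], int(f["dport"])))
    return hits


def pool_domain_lookups(dns_log, watchlist=POOL_WATCHLIST):
    """(client, query) for lookups of a watchlisted domain or any of its subdomains."""
    hits = []
    for line in dns_log.splitlines():
        f = parse_kv(line)
        q = f.get("query", "").rstrip(".").lower()
        if any(q == d or q.endswith("." + d) for d in watchlist):
            hits.append((f["client"], q))
    return hits


def sustained_high_cpu(cpu_log, threshold=CPU_THRESHOLD, samples=SUSTAINED_SAMPLES):
    """Hosts with `samples` consecutive CPU readings at or above `threshold`."""
    streak = defaultdict(int)
    flagged = set()
    for line in sorted(cpu_log.splitlines()):        # timestamp-first lines sort chronologically
        f = parse_kv(line)
        if float(f["cpu"]) >= threshold:
            streak[f["host"]] += 1
            if streak[f["host"]] >= samples:
                flagged.add(f["host"])
        else:
            streak[f["host"]] = 0                      # a normal sample breaks the streak
    return flagged


def correlate(conn_log=CONN_LOG, dns_log=DNS_LOG, cpu_log=CPU_LOG):
    """Per internal host, the sorted list of indicator types that fired."""
    score = defaultdict(set)
    for src, _, _ in mining_port_connections(conn_log):
        score[src].add("mining_port")
    for client, _ in pool_domain_lookups(dns_log):
        score[client].add("pool_dns")
    for host in sustained_high_cpu(cpu_log):
        score[host].add("high_cpu")
    return {host: sorted(kinds) for host, kinds in score.items()}


if __name__ == "__main__":
    for host, kinds in sorted(correlate().items()):
        print(f"{host}: {', '.join(kinds)}")
```

A host where all three indicator types fire (here 10.1.4.7) is a much stronger lead than any single one: a port-4444 connection alone can be a legitimate service, and a CPU spike alone can be a batch job, but the combination with a pool lookup is hard to explain innocently.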


USBAnywhere vulnerabilities put Supermicro servers at risk

Security researchers discovered a set of vulnerabilities in Supermicro servers that could allow threat actors to remotely attack systems as if they had physical access to the USB ports.

Researchers at Eclypsium, based in Beaverton, Ore., discovered flaws in the baseboard management controllers (BMCs) of Supermicro servers and dubbed the set of issues “USBAnywhere.” The researchers said authentication issues put servers at risk because “BMCs are intended to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components.

“The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” the researchers wrote in a blog post. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.”

The USBAnywhere flaws make it so the virtual USB drive acts in the same way a physical USB would, meaning an attacker could load a new operating system image, deploy malware or disable the target device. However, the researchers noted the attacks would be possible on systems where the BMCs are directly exposed to the internet or if an attacker already has access to a corporate network.

Rick Altherr, principal engineer at Eclypsium, told SearchSecurity, “BMCs are one of the most privileged components on modern servers. Compromise of a BMC practically guarantees compromise of the host system as well.”

Eclypsium said there are currently “at least 47,000 systems with their BMCs exposed to the internet and using the relevant protocol.” These systems would be at additional risk because BMCs are rarely powered off and the authentication bypass vulnerability can persist unless the system is turned off or loses power.

Altherr said he found the USBAnywhere vulnerabilities because he “was curious how virtual media was implemented across various BMC implementations,” but Eclypsium found that only Supermicro systems were affected.

According to the blog post, Eclypsium reported the USBAnywhere flaws to Supermicro on June 19 and provided additional information on July 9, but Supermicro did not acknowledge the reports until July 29.

“Supermicro engaged with Eclypsium to understand the vulnerabilities and develop fixes. Supermicro was responsive throughout and worked to coordinate availability of firmware updates to coincide with public disclosure,” Altherr said. “While there is always room for improvement, Supermicro responded in a way that produced an amicable outcome for all involved.”

Altherr added that customers should “treat BMCs as a vulnerable device. Put them on an isolated network and restrict access to only IT staff that need to interact with them.”

Supermicro noted in its security advisory that isolating BMCs from the internet would reduce the risk of USBAnywhere but not eliminate the threat entirely. Firmware updates are currently available for affected Supermicro systems, and in addition to updating, Supermicro advised users to disable virtual media by blocking TCP port 623.
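Both pieces of advice above, isolate the BMCs on a management network and block TCP port 623, can be checked against what is actually observed on the wire. The script below is an added example, not from Eclypsium, Supermicro or the article: given a constructed BMC inventory and a constructed list of observed flows (the kind a firewall or NetFlow export produces), it reports every BMC whose own address sits outside the management subnet and every BMC that was reached from outside that subnet, and lists separately the ones reached on port 623, since those are the systems where virtual media was still exposed. The management subnet, inventory names and addresses are assumptions for illustration.

```python
"""BMC exposure audit against a management-network policy.

Added example. The subnet, BMC names, addresses and flows are constructed;
TCP/623 is the virtual media port the Supermicro advisory says to block.
"""
import ipaddress
from collections import defaultdict

MGMT_NET = ipaddress.ip_network("10.250.0.0/24")   # assumed management VLAN
VIRTUAL_MEDIA_PORT = 623

BMC_INVENTORY = {            # constructed: BMC name -> BMC address
    "bmc-web01": "10.250.0.11",
    "bmc-db01": "10.20.5.40",       # BMC wired into a server VLAN by mistake
    "bmc-legacy": "203.0.113.45",   # BMC on an externally reachable range
}
OBSERVED_FLOWS = [           # constructed: (src_ip, dst_ip, dst_port)
    ("10.250.0.5", "10.250.0.11", 623),    # admin jump host, expected
    ("10.250.0.5", "10.250.0.11", 443),    # admin jump host, expected
    ("10.20.7.9", "10.250.0.11", 623),     # workstation VLAN reaching virtual media
    ("10.20.7.9", "10.20.5.40", 443),      # workstation VLAN reaching BMC web UI
    ("198.51.100.3", "203.0.113.45", 623), # external source reaching virtual media
]


def audit_bmcs(inventory=BMC_INVENTORY, flows=OBSERVED_FLOWS, mgmt_net=MGMT_NET):
    """Return {bmc_name: [finding, ...]} for BMCs that violate the policy
    'BMC lives in mgmt_net and is only reached from mgmt_net'."""
    by_ip = {ip: name for name, ip in inventory.items()}
    findings = defaultdict(list)
    for name, ip in inventory.items():
        if ipaddress.ip_address(ip) not in mgmt_net:
            findings[name].append(f"address {ip} outside management network")
    for src, dst, port in flows:
        name = by_ip.get(dst)
        if name is None:                      # flow to something that is not a BMC
            continue
        if ipaddress.ip_address(src) not in mgmt_net:
            findings[name].append(f"TCP/{port} reached from {src} outside management network")
    return dict(findings)


def virtual_media_exposed(findings):
    """Names of BMCs reached on the virtual media port from outside the management network."""
    marker = f"TCP/{VIRTUAL_MEDIA_PORT} "
    return sorted(name for name, items in findings.items()
                  if any(item.startswith(marker) for item in items))


if __name__ == "__main__":
    result = audit_bmcs()
    for name, items in sorted(result.items()):
        for item in items:
            print(f"{name}: {item}")
    print("virtual media still reachable from outside:", virtual_media_exposed(result))
```

Running this against real flow data after the firewall change is the simplest way to confirm the port-623 block actually took effect on every BMC, rather than only on the ones whose addresses were in the inventory when the rule was written.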


Data-driven operating model propels Adobe’s digital business success

Adobe stands as a textbook case of a software company that faced the threat of digital disruption head-on and emerged a winner. The company’s move from selling Photoshop software disks in a box to selling subscription-based digital media services online is based in no small part on its building a data-driven operating model.

Leading the data effort is Mark Picone, vice president for information and data services at Adobe. He works to ensure that data is curated, accurate and useful to the front-line teams that “turn the knobs on the business.”

In a video from the recent MIT Sloan CIO Symposium, Picone highlights the approaches Adobe teams took to build a data architecture that broke down data silos and consequently improved Adobe’s business analytics efforts.

“We treat the data as a product,” Picone explains. “Having a product approach to what we’re building allows us to build once and serve many and create a set of capabilities that is very impactful.”

Editor’s note: This transcript has been edited for clarity and length.

What role do data services play in digital transformation at Adobe? What is the model?

Mark Picone: Our job really is to be an enabler for the company and enable the company to be data driven. There are a lot of things that make that very difficult. You can say data is developed, and it’s created all over the place. But how can you create a [data-driven operating] model such that the data is stitched together, it’s curated, it’s governed, it’s the right data, it’s correct? [Only] then can you create mechanisms to be able to better communicate with customers, or engage the customers or just better understand your business.

We’ve done that with this data-driven operating model. The data-driven operating model has really allowed us to look across all of the silos that we had four or five years ago, which were really a result of going to the cloud and going into subscriptions, and rationalize that together to create a single view of the customer.

That single view of the customer, though, is based on very strong governance techniques and also a unified data architecture. Combined with that, we are able to take what I call an ‘outside-in approach’ of creating customer journeys.

The customer journey — which, for our consumer-based business, [involves products like] Photoshop, InDesign, and Illustrator — [the customer steps are] discover, try, buy, use and renew. Across every one of those steps, we actually assigned owners and organizations to own those different KPIs [key performance indicators] within that journey step — and, then, to create calls to action.

That outside-in approach allowed us to create data sets and analytical experiences that we now use to run the entirety of our digital media business. And it’s been transformational from a number of different points.

When we close the business every week, there’s a group of over 100 people that get together and look at the single source of truth … journey step by journey step, and they understand what’s happening in that market. Did our annual recurring revenue go up or down? What was traffic? What were the ads? What were the promotions? And they basically use that to turn the knobs on the business. … They do that on a week-in, week-out basis. …

How can data play a role in achieving operational efficiencies?

Picone: The operational efficiencies come [from] reporting the same metrics up to management in the same way. There’s no question about what that metric is. …

But, really, the true value is in how we run that business. The way we do ad spend has radically changed, the way we do targeting and testing has radically changed because we now have a purview of every product across every geography, across every route to market.

And, when you make those decisions now, you actually see how the annual recurring revenue took place for [individual] customers over time. It is the same thing when we do A/B targeting. …

We’ve taken this whole [data-driven] digital operating model and created a playbook. And this didn’t happen when we created, it happened after we actually did it, and we said, ‘Wow, there’s a lot of reusability here.’ — not just from a systems and a capabilities perspective, like platforms, governance and data architecture, but really from the methodology. The methodology really allows us to have this inside-out approach of understanding all of your data assets, categorizing them, creating a database that has the lowest level of granularity, gets curated and is ready for analytics. …

Then, you combine that with that top-down approach, which is customer journey steps, assigned organizations and processes, and that yields actionable results. And we’re actually taking that [digital business] model and rolling it out to other parts of our business, even internal organizations and finance — as an example, procurement to pay. …

We treat the data as a product. We are an internal team. Our customers are all largely internal — although the data we create personalizes real-time experiences within the products. …

And we’ve introduced a step over the past year that we call ‘code development.’ And that’s where we really open source the data. So, now, the data is available for others to bring their engineers or third parties, whatever the case may be, to come into our environment and actually build data assets and expand the nucleus of what we call our ‘unified data architecture.’

So, having a product approach to what we’re building allows us to build once and serve many and create a set of capabilities that is very impactful. We are spending less and less time creating data sets and visualizations and more time creating capabilities that will actually enable the entirety of the organization.


British Airways data breach may be the work of Magecart

The British Airways data breach may have been the handiwork of the threat actor group known as Magecart.

Security researchers at the threat intelligence company RiskIQ Inc., reported that they suspect Magecart was behind the late August British Airways data breach, based on their analysis of the evidence. The Magecart group focuses on online credit card skimming attacks and is believed to be behind the Ticketmaster data breach discovered in June 2018.

British Airways reported it had suffered a breach on Sept. 6 that affected around 380,000 customers. The company said personal and payment information were used in payment transactions made on the website and the mobile app between Aug. 21 and Sept. 5.

In a blog post published a week later, RiskIQ researcher Yonathan Klijnsma said that because the British Airways data breach announcement stated that the breach had affected the website and mobile app but made no mention of breaches of databases or servers, he noticed similarities between this incident and the Ticketmaster breach.

The Ticketmaster breach was caused by a web-based credit card skimming scheme that targeted e-commerce sites worldwide. The RiskIQ team said that the Ticketmaster breach was the work of the hacking group Magecart, and was likely not an isolated incident, but part of a broader campaign run by the group.

The similarities between the Ticketmaster breach and the reports of the British Airways data breach led Klijnsma and the RiskIQ team to look at Magecart’s activity.

“Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart,” Klijnsma wrote. “The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident.”

Klijnsma said they were able to expand the timeline of the Ticketmaster activity and discover more websites affected by online credit card skimming.

“Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits,” Klijnsma explained. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code.”

He noted that in the instance of the British Airways data breach, the research team had no notifications of Magecart’s activity because the hacking group customized their skimmer. However, they examined British Airways’ web and mobile apps specifically and noticed the similarities — and the differences.


“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma wrote. “This particular skimmer is very much attuned to how British Airway’s (sic) payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Klijnsma also said it was likely Magecart had access to the British Airways website and mobile app before the attack reportedly started.

“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” he wrote.

Magecart, RiskIQ noted, has been active since 2015 and has been growing progressively more threatening as it customizes its skimming schemes for particular brands and companies.
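The attack described above worked by modifying a script the payment page already served, so the site kept looking normal while the skimmer ran in customers' browsers. One defensive control that fits this case is an out-of-band integrity baseline for every script a checkout page references. The following is an added example, not code from RiskIQ, British Airways or the article: it records Subresource Integrity style digests for the trusted scripts, then audits a later copy of the page and its fetched scripts, flagging any script whose content changed and any script reference that was never baselined. The HTML, script URLs and script bodies are constructed for the example.

```python
"""Audit the scripts a payment page serves against a trusted baseline.

Added example (not from RiskIQ, British Airways or the article). Script
contents and URLs are constructed; the hashing matches the SRI format
browsers use ('sha384-<base64 digest>').
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.IGNORECASE)


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style digest string, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def referenced_scripts(html: str) -> List[str]:
    """List every external script URL the page references, in page order."""
    return SCRIPT_SRC_RE.findall(html)


def audit_page(
    html: str,
    fetched: Dict[str, Optional[bytes]],
    baseline: Dict[str, str],
) -> List[Tuple[str, str]]:
    """Compare the page's script references and contents with the baseline.

    Returns (script_url, finding) pairs; an empty list means nothing changed.
    Three conditions are reported: a script reference that was never
    baselined, a baselined script that could not be retrieved, and a
    baselined script whose current digest differs from the recorded one.
    """
    findings: List[Tuple[str, str]] = []
    for src in referenced_scripts(html):
        if src not in baseline:
            findings.append((src, "unbaselined script reference"))
            continue
        body = fetched.get(src)
        if body is None:
            findings.append((src, "script could not be retrieved"))
        elif sri_digest(body) != baseline[src]:
            findings.append((src, "content digest differs from baseline"))
    return findings


# Constructed baseline: what the checkout page served when it was last reviewed.
TRUSTED_CHECKOUT_JS = b"function submitPayment(f) { return validate(f); }\n"
TRUSTED_VENDOR_JS = b"/* vendor bundle */\n"
BASELINE = {
    "/js/checkout.js": sri_digest(TRUSTED_CHECKOUT_JS),
    "/js/vendor.js": sri_digest(TRUSTED_VENDOR_JS),
}

# Constructed "current" state: checkout.js has extra appended content and the
# page now references a script that was never part of the baseline.
CURRENT_HTML = (
    '<html><head>'
    '<script src="/js/checkout.js"></script>'
    '<script src="/js/vendor.js"></script>'
    '<script src="/js/extra.js"></script>'
    '</head></html>'
)
CURRENT_FETCHED = {
    "/js/checkout.js": TRUSTED_CHECKOUT_JS + b"// unexpected appended block\n",
    "/js/vendor.js": TRUSTED_VENDOR_JS,
}


def demo() -> List[Tuple[str, str]]:
    """Run the audit on the constructed current state."""
    return audit_page(CURRENT_HTML, CURRENT_FETCHED, BASELINE)


if __name__ == "__main__":
    for url, why in demo():
        print(f"ALERT {url}: {why}")
```

The check runs from a monitoring host rather than the web server itself, which matters here: an `integrity=` attribute in the page's own HTML is only as trustworthy as the server that emits it, so a first-party resource modified on that server needs a baseline held somewhere the web tier cannot rewrite.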

In other news

  • President Donald Trump signed an executive order this week that imposes sanctions on anyone who attempts to interfere with U.S. elections. After Russian interference in the 2016 U.S. presidential election, there are fears that there will be further interference in the upcoming 2018 midterm election. In response to those fears, Trump signed an executive order that sanctions would be placed on foreign companies, organizations or individuals who have interfered with U.S. elections. The order says that government agencies must report any suspicious, malicious activity to the director of national intelligence, who will then investigate the report and determine its validity. If the director of national intelligence finds that the suspect group or individual has interfered, there will be a 45-day review and assessment period during which the Department of Justice and Homeland Security will decide whether sanctions are warranted. If they are, the foreign group or individual could have their U.S. assets frozen or be banned from the country.
  • A vulnerability in Apple’s Safari web browser enables attackers to launch phishing attacks. Security researcher Rafay Baloch discovered the vulnerability and was also able to replicate it in the Microsoft Edge browser. Baloch published the proof of concept for both browser vulnerabilities early this week, and while Microsoft had addressed the issue in its August Patch Tuesday release — citing an issue with properly parsing HTTP content as the cause — Apple has yet to issue any patches for it. The vulnerability in Safari iOS 11.3.1 could thus still be used to spoof address bars and trick users into thinking they are visiting a legitimate site that is actually malicious.
  • The hacker known as “Guccifer” will be extradited to the U.S. to serve a 52-month prison sentence. A Romanian court ruled that the hacker, who is known for exposing the misuse of Hillary Clinton’s private email server before the 2016 U.S. presidential election and whose real name is Marcel Lehel Lazar, will be extradited to America to serve his 52-month sentence after finishing his seven-year sentence in Romania — his home country. Lazar pleaded guilty in May 2016 to charges of unauthorized access to a protected computer and aggravated identity theft. Lazar is believed to have hacked into the accounts of around 100 people between 2012 and 2014, including former Secretary of State Colin Powell, CBS Sports’ Jim Nantz and Sidney Blumenthal, a former political aide to Bill Clinton and adviser to Hillary Clinton.

North Korea hacking threat still looms despite summit

Times may be changing for diplomatic relations between North Korea and the U.S., but the threat of North Korean hacking still looms.

This week’s summit between President Donald Trump and North Korean leader Kim Jong Un could lead to improved relations between the two countries and a possible denuclearization plan for North Korea. However, it’s unclear what impact, if any, the summit may have on nation-state cyberattacks coming from the country. According to various reports from the summit, the talks between Kim and Trump did not include any provisions concerning cyberattacks, and several cybersecurity companies have said there is evidence that North Korean hacking attacks may be ramping up this year.

Several notable cyberattacks have been attributed to the North Korean government in recent years, including the 2014 breach of Sony Pictures and last summer’s global WannaCry ransomware attacks. In addition, the FBI and the Department of Homeland Security recently issued a security advisory tying two well-known malware campaigns, Joanap and Brambul, to the North Korea hacking group Hidden Cobra, also known as Lazarus Group.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, a threat intelligence provider based in Somerville, Mass., told SearchSecurity that while Kim’s regime wants to increase the country’s role in the international community, there’s no indication the government has curbed its hacking efforts.

In fact, she said there are signs that the opposite may be occurring.

“What we can say from looking at the data is that there are two stories: the data story, which shows us that North Korea increasingly cares about being monitored and watched, and that they are taking measures to hide their activity online; and the diplomacy story, where it’s telling the rest of the world that it’s ready to denuclearize and be more transparent,” Moriuchi said. “And the two stories just don’t match up.”

Recorded Future published research in April that showed a massive increase in anonymization of North Korean internet activity. “We conducted the research back in July, and we saw, for example, that less than 1% of all web browsing activity was anonymized — they didn’t even use HTTPS most of the time, let alone [virtual private networks (VPNs)],” she said, either because they didn’t care about hiding activity or because they didn’t know they could anonymize traffic. “But six months later, it was a completely different story — there was about a 12,000% increase in anonymization services and technology.”

Recorded Future issued another report last week detailing an increasingly large presence of U.S. technology in North Korean networks and usage by North Korean leadership, despite economic sanctions that prevent such trade. Moriuchi said North Korea has “professionalized sanctions evasion” over the last three-plus decades and found various ways to exploit weaknesses in U.S. export controls.

“We think this is a problem for two reasons. First, there are gaping holes in the U.S. export control regime, and they’re being exploited by this rogue nation,” she said. “Second, the U.S. government doesn’t want U.S. technology being used in cyberattacks from North Korea to harm businesses and government agencies.”

If Kim agrees to a denuclearization plan, there may be less incentive for the government to drop its hacking operations. Ross Rustici, senior director of intelligence services at Boston-based threat detection vendor Cybereason, believes North Korea’s hacking operations are a crucial bargaining chip for Kim and also present a unique threat to the Trump administration.

“North Korea currently lacks many options to force the U.S. into working inside a START [Strategic Arms Reduction Treaty] framework. Almost all of its military and foreign policy capabilities are defensive at this point,” Rustici wrote in a research post last month, prior to the summit. “The one exception is its cyberprogram. And, unfortunately, this is one domain where North Korea can impact the Trump brand in a way that it could not against any other President.”

Several vendors have reported increased sophistication and capabilities from suspected North Korean hacking groups this year. For example, Dragos Inc., a security firm based in Hanover, Md., that specializes in industrial control systems (ICS), published a threat report on a group it calls Covellite, which the company said uses malware and infrastructure similar to Hidden Cobra.

Dragos noted that Covellite, which had targeted U.S. organizations in the past, had recently abandoned North American companies and focused its attacks on European and Asian companies. Dragos also said that while Covellite lacks ICS-specific capabilities at this time, the group’s “rapidly improving capabilities, and history of aggressive targeting” made it a primary threat to the ICS industry.  

In addition to Hidden Cobra, FireEye earlier this year reported that another North Korean hacking group known as APT37 had demonstrated increased capabilities, including the use of an Adobe Flash zero-day vulnerability in attacks on South Korean targets. “Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware,” FireEye wrote, adding it has “high confidence” that the group is working on behalf of the North Korean government.

Threat hunting technology is on the rise, so are threats

More companies are adopting threat hunting functions, according to a recent survey from Crowd Research Partners, but detection of advanced threats remains elusive.

Threat hunting typically involves human security analysts identifying impending incidents or attacks that automated threat detection systems may have missed. The frequency of threats and the potential damage and impact of security incidents continue to outpace the capabilities of security operations centers (SOC), Crowd Research Partners’ “2018 Threat Hunting Report” found.

Fifty-eight percent of IT security professionals said cyberthreats against their organizations had doubled during the past 12 months; only 8% indicated threats decreased. SOCs, on average, missed 39% of threats, and 58% of organizations said most attacks were discovered within one to seven days. The average dwell time for attackers was 30 days.

The top challenges facing SOCs, according to those surveyed, included the following:

  • detection of advanced cyberthreats — hidden, unknown and emerging threats (55%);
  • lack of skilled personnel (43%);
  • lack of confidence in threat detection technologies (36%);
  • too much time wasted on false alerts (35%);
  • slow response time to find or detect advanced threats (31%);
  • outdated SIEM and SOC infrastructure (29%); and
  • lack of proper reporting tools (28%).

In order to offset some of these challenges, the report found that approximately one-third of the organizations surveyed had outsourced threat hunting to a managed security service provider.

Crowd Research Partners conducted an online survey of more than 461 security and IT professionals in the Information Security Community group on LinkedIn. The survey features respondents from industries such as technology (17%); financial services, banking and insurance (14%); telecommunications (6%); and healthcare (5%). Government cybersecurity professionals represented 20% of those surveyed.

Mix of analysts and tools

According to the survey, 40% of respondents reported that security analysts at their organizations used threat hunting platforms, up 5 percentage points from a similar survey in 2017. Benefits ranged from improved detection of advanced threats to less time spent coordinating events. The top indicators of compromise most frequently investigated by security analysts included behavior anomalies (67%), IP addresses (58%), domain names (46%), denied or flagged connections (46%) and file names (32%).

Security operations centers had more analysts hunting in 2018, at 17%, compared with 14% in 2017. More than half, however, have five or fewer analysts in their SOCs dedicated to threat hunting, the report found.

While security operations centers at some organizations are maturing, along with a greater awareness of threat hunting, 33% of those surveyed indicated limited SOC capabilities when it came to emerging threats; 28% said their SOC was advanced; 24% reported it was compliant, but behind the curve; and only 15% said their SOC was cutting-edge. 

Companies used a variety of tools for threat hunting. The top technologies included the following:

  • next-generation firewalls, intrusion prevention systems and antivirus software (55%);
  • SIEM (50%);
  • antiphishing or other messaging security software (49%);
  • threat intelligence platforms (39%);
  • enrichment and investigation tools (34%); and
  • vulnerability management (32%).

The majority of threat hunting was performed in-house (56%). Some companies used a hybrid of in-house and service provider (22%); others outsourced threat hunting (11%). Meanwhile, 11% of survey respondents reported that their organizations did “no proactive threat hunting.”

Security analysts at 60% of the organizations said they do not currently use threat hunting platforms or techniques. However, six out of 10 organizations indicated plans to build a threat hunting program in the next three years, according to the “2018 Threat Hunting Report,” which is produced in partnership with multiple vendors.

Barriers to adoption ranged from lack of budget (45%) to untrained personnel (7%). The tools desired most often for threat hunting included threat intelligence (69%), user and entity behavior analytics (57%), automatic detection (56%), and machine learning and automated analytics (56%).

According to proponents of threat hunting programs, such as David Bianco, who served as a technology adviser for Sqrrl Data Inc., before the startup company was acquired by Amazon Web Services earlier this year, one of the benefits is security teams can take what they find and use it to improve automated detection.
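The report lists the indicator types analysts hunt on (behaviour anomalies, IP addresses, domain names, denied connections) and closes on the point that hunt findings should feed back into automated detection. The following is an added example, not code from the Crowd Research Partners report, Sqrrl or any vendor named above: two hunt steps run over a constructed proxy log (a domain used by only one host in the fleet, and repeated denied connections to one destination), and the combined finding is then codified as a detection function that can be run unattended on every new batch of log lines. Hosts, domains, IPs and timestamps are constructed for the example.

```python
"""From a manual hunt to a repeatable detection over proxy logs.

Added example, not from the report or any vendor it names. The log lines,
host names, domains and IP addresses are constructed for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class ProxyEvent(NamedTuple):
    ts: str
    host: str
    dst_ip: str
    domain: str
    action: str  # "allowed" or "denied"


# Constructed proxy log: timestamp, client host, destination IP, domain, action.
SAMPLE_LOG = """\
2018-05-01T09:00:01 ws-01 93.184.216.34 example.com allowed
2018-05-01T09:00:05 ws-02 93.184.216.34 example.com allowed
2018-05-01T09:01:10 ws-03 93.184.216.34 example.com allowed
2018-05-01T09:02:00 ws-01 198.51.100.7 updates.example.net allowed
2018-05-01T09:02:30 ws-02 198.51.100.7 updates.example.net allowed
2018-05-01T09:03:00 ws-07 203.0.113.9 odd-name.example.org allowed
2018-05-01T09:03:05 ws-07 203.0.113.9 odd-name.example.org denied
2018-05-01T09:03:09 ws-07 203.0.113.9 odd-name.example.org denied
2018-05-01T09:04:00 ws-03 198.51.100.7 updates.example.net allowed
"""


def parse_log(text: str) -> List[ProxyEvent]:
    """Parse whitespace-separated proxy log lines, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ip, domain, action = line.split()
        events.append(ProxyEvent(ts, host, ip, domain, action))
    return events


def hunt_rare_domains(events: List[ProxyEvent], max_hosts: int = 1) -> Dict[str, List[str]]:
    """Hunt step 1: domains contacted by at most `max_hosts` distinct hosts.

    A domain only one machine in the fleet talks to is the kind of behaviour
    anomaly an analyst pivots on; it is not proof of anything by itself.
    """
    hosts_per_domain = defaultdict(set)
    for e in events:
        hosts_per_domain[e.domain].add(e.host)
    return {d: sorted(h) for d, h in hosts_per_domain.items() if len(h) <= max_hosts}


def hunt_repeat_denials(events: List[ProxyEvent], threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """Hunt step 2: (host, destination IP) pairs with repeated denied connections."""
    counts = Counter((e.host, e.dst_ip) for e in events if e.action == "denied")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def detect(events: List[ProxyEvent], fleet_min_hosts: int = 2, denial_threshold: int = 2) -> List[Tuple[str, str]]:
    """The hunt, codified: alert when one host both uses a domain no other host
    uses and has repeated denials to that domain's destination IP.

    Returns distinct (host, domain) pairs in first-seen order.
    """
    rare = hunt_rare_domains(events, max_hosts=fleet_min_hosts - 1)
    denials = hunt_repeat_denials(events, threshold=denial_threshold)
    alerts: List[Tuple[str, str]] = []
    for e in events:
        if e.domain in rare and (e.host, e.dst_ip) in denials:
            alert = (e.host, e.domain)
            if alert not in alerts:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rare domains:", hunt_rare_domains(evs))
    print("repeat denials:", hunt_repeat_denials(evs))
    for host, domain in detect(evs):
        print(f"ALERT {host} -> {domain}")
```

The two hunt functions stay separate from `detect` on purpose: an analyst runs them interactively with different thresholds while hunting, and once a combination proves useful it becomes the detection that runs on every batch, which is the feedback loop Bianco describes.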

Microsoft announces new intelligent security innovations to help businesses manage threats from cloud to edge

Amid evolving digital threats, an innovative IoT security solution, integrated threat intelligence and advanced protection in Microsoft 365 help simplify cybersecurity for businesses

SAN FRANCISCO — April 16, 2018. At a news conference on Monday, Microsoft Corp. announced several new intelligent security tools and technologies to help enterprises more easily secure their data and networks against today’s biggest threats as well as address emerging threats aimed at IoT and edge devices. These new solutions build on Microsoft’s longstanding approach to delivering innovation that customers and partners can build upon to strengthen the broader ecosystem against cyberattacks from the cloud to the edge.

“As last year’s devastating cyberattacks demonstrated, security threats are evolving and becoming even more serious,” said Brad Smith, president of Microsoft. “The tech sector’s innovations need to accelerate to outpace security threats. Today’s steps bring important security advances not just to the cloud, but to the billions of new devices that are working on the edge of the world’s computer networks.”

Securing a new generation of connected devices: announcing Azure Sphere

Microsoft is harnessing the power of the intelligent cloud to address emerging threats against a new class of connected devices, those relying on a chip the size of a thumbnail called a microcontroller unit (MCU). MCU-powered devices are already the most populous area of computing with roughly 9 billion new devices every year. They are found in everything from toys and household appliances to industrial equipment — and attackers are starting to target them. To bring security to this next generation of connected devices, Microsoft is introducing Azure Sphere, the industry’s first holistic platform for creating highly secured, connected MCU devices on the intelligent edge. It features an entirely new class of MCUs with more than five times the power of legacy MCUs, an OS custom built for IoT security, and a turnkey cloud security service that guards every Azure Sphere device. With Azure Sphere, Microsoft extends the boundaries of the intelligent edge, to power and secure an entirely new category of devices.

“As our homes become more connected, we place significant value on the security of connected devices, so we can focus on continuing to deliver an exceptional customer experience,” said Brian Jones, director of Product Strategy and Marketing at Sub-Zero Group Inc. “Microsoft’s approach with Azure Sphere is unique in that it addresses security holistically at every layer.”

Microsoft 365 Intelligent Security Solutions: Simplifying Security

As security threats become more complex, companies are increasingly finding that the intelligence and threat protection tools they need to remain a step ahead of attackers are in the cloud. Today, Microsoft introduced several new intelligent security features for its Microsoft 365 commercial cloud offering designed to help IT and security professionals simplify how they manage security across their enterprises:

Advanced tools that make it easier to prevent threats before they happen

  • To help teams stay prepared and ahead of threats, Microsoft today released Microsoft Secure Score and Attack Simulator. Secure Score makes it easier for organizations to determine which controls to enable to help protect users, data and devices by quickly assessing readiness and providing an overall security benchmark score. It will also let organizations compare their results to those with similar profiles using built-in machine learning. Attack Simulator, a part of Office 365 Threat Intelligence, lets security teams run simulated attacks — including mock ransomware and phishing campaigns — to event-test their employees’ responses and tune configurations accordingly.

Automated threat detection and remediation to free up security operations teams

  • With the latest Windows 10 update, now in preview, Windows Defender Advanced Threat Protection (ATP) works across other parts of Microsoft 365 to include threat protection and remediation spanning Office 365, Windows and Azure. Also available today in preview, and with the upcoming Windows 10 update, are new automated investigation and remediation capabilities in Windows Defender ATP, leveraging artificial intelligence and machine learning to quickly detect and respond to threats on endpoints, within seconds, at scale.
  • Conditional Access provides real-time risk assessments to help ensure that access to sensitive data is appropriately controlled, without getting in the way of users’ productivity. Microsoft 365 is now adding the device risk level set by Windows Defender ATP to Conditional Access in preview to help ensure that compromised devices can’t access sensitive business data.

Stronger partnerships to give customers more integrated solutions

  • The intelligence data used to quickly detect and respond to threats improves as more relevant signals are added. Machine learning tools are only as good as the data they receive. Microsoft’s security products are informed by the trillions of diverse signals feeding into the Microsoft Intelligent Security Graph. Today, Microsoft announced a preview of a new security API for connecting Microsoft Intelligent Security Graph-enabled products as well as intelligence from solutions built by customers and technology partners to greatly enhance the fidelity of intelligence.

Most security tools report an attack from a single limited perspective, offering insight into one piece of a potentially larger threat. By connecting individual tools to the Intelligent Security Graph, security teams get new perspectives and more meaningful patterns of data to speed up threat investigation and remediation. The new API is in early testing with a select group of cybersecurity industry leaders that are collaborating with Microsoft to shape its development. The group, which includes Anomali, Palo Alto Networks and PwC, joined Microsoft today to share their own early exploration of the API and how it may improve each company’s ability to protect their mutual customers.

  • Microsoft also is announcing a new Microsoft Intelligent Security Association for security technology partners so they can benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products. Members of the association will be able to create more integrated solutions for customers that provide greater protection and detect attacks more quickly. Palo Alto Networks and Anomali join PwC and other existing partners as founding members of the new association.

Microsoft is partnering with customers through their digital transformation by making it easier for them to help keep assets secure from the cloud to the edge.

More information on Microsoft’s security announcements can be found at the Microsoft Security News site.

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.
