Originally seen on: Zdnet by Charlie Osborne, February 7th, 2019
Be careful if you are sent an image from a suspicious source.
Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.
In Google’s Android security update for February, the tech giant’s advisory noted a critical vulnerability which exists in the Android operating system’s framework.
All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim’s device. Should the user open the file, the exploit is triggered.
Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google.
Android versions 7.0 to 9.0 are impacted.
There are no current reports of the vulnerability being exploited in the wild. However, given the ease in which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.
As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.
Google’s bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.
Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.
In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers.
Originally Seen: Cybersecurity.com on August 21, 2018 by Sean Lyngaas
The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft.
The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said.
“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”
The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites meant to steal credentials.
The two think tanks are conservative, yet count many critics of U.S. President Donald Trump and Russian President Vladimir Putin among their members. The International Republican Institute lists Sen. John McCain, R-Ariz, and former Republican presidential candidate Mitt Romney as board members. The Hudson Institute and International Republican Institute also have programs that promote democracy and good governance worldwide.
There is no evidence that the domains had been used to carry out successful cyberattacks, according to Microsoft. The company says it continues to work with both think tanks and the U.S. Senate to guard against any further attacks.
The attacks come as more and more instances of cyberattacks directed at the 2018 midterm elections come to light. Last month, Russian intelligence targeted Sen. Claire McCaskill, a critic of Moscow and a red-state Democrat who faces a tough reelection bid in Missouri. Additionally, a number of election websites have been hit with DDoS attempts during their primary elections.
“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Microsoft’s blog post read. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”
Smith also announced that Microsoft was providing cybersecurity protection for candidates, campaigns and political institutions that use Office 365 at no additional cost.
Greg Otto contributed to this story.
Scam website launched phone call, connected victims to “Lance Roger at Apple Care.”
Originally seen on ArsTechnica by: SEAN GALLAGHER –
India-based tech support scams have taken a new turn, using phishing emails targeting Apple users to push them to a fake Apple website. This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.
Scammers are following the money. As more people use mobile devices as their primary or sole way of connecting to the Internet, phishing attacks and other scams have increasingly targeted mobile users. And since so much of people’s lives are tied to mobile devices, they’re particularly attractive targets for scammers and fraudsters.
“People are just more distracted when they’re using their mobile device and trust it more,” said Jeremy Richards, a threat intelligence researcher at the mobile security service provider Lookout. As a result, he said, phishing attacks against mobile devices have a higher likelihood of succeeding.
This particular phish, targeted at email addresses associated with Apple’s iCloud service, appears to be linked to efforts to fool iPhone users into allowing attackers to enroll them into rogue mobile device management services that allow bad actors to push compromised applications to the victim’s phones as part of a fraudulent Apple “security service.”
I attempted to bluff my way through a call to the “support” number to collect intelligence on the scam. The person answering the call, who identified himself as “Lance Roger from Apple Care,” became suspicious of me and hung up before I could get too far into the script.
Running down the scam
In a review of spam messages I’ve received this weekend, I found an email with the subject line, “[username], Critical alert for your account ID 7458.” Formatted to look like an official cloud account warning (but easily, by me at least, discernable as a phish), the email warned, “Sign-in attempt was blocked for your account [email address]. Someone just used your password to try to sign in to your profile.” A “Check Activity” button below was linked to a webpage on a compromised site for a men’s salon in southern India.
Meanwhile, an animated dialog box on the screen urged the target to make the call because their phone had been “locked due to illegal activity.” Script on the site scrapes data from the “user agent” data sent by the browser to determine what type of device the page was visited from:
window.defaultText='Your |%model%| has been locked due to detected illegal activity! Immediately call Apple Support to unlock it!';
While the site is still active, it is now marked as deceptive by Google and Apple. I passed technical details of the phishing site to an Apple security team member.
The scam is obviously targeted at the same sort of audience as Windows tech support scamswe’ve reported on. But it doesn’t take too much imagination to see how schemes like this could be used to target people at a specific company, customers of a particular bank, or users of a certain cloud platform to perform much more tailored social engineering attacks.
When it comes to security, having high expectations for security vendors and large vendors with deep pockets is reasonable given that customers usually pay a premium believing the vendors will devote significant resources to secure their products. Unfortunately, as with most other security teams, companies often don’t have enough resources or organizational fortitude to ensure security is incorporated into all of the enterprise’s software development.
But even the most secure software development can enable security issues to slip through the cracks. When you add in an outsourced hardware or software development team, it’s even easier for something to go unnoticed.
So while vendors might talk a good talk when it comes to security, monitoring them to ensure they uphold their end of your agreement is absolutely necessary.
One case where a vulnerability apparently escaped notice was uncovered when researchers at Modzero AG, an information security company based in Winterthur, Switzerland, found that a bug had been introduced into HP laptops by a third-party driver installed by default.
The vulnerability was discovered in the Conexant HD Audio Driver package, where the driver monitors for certain keystrokes used to mute or unmute audio. The keylogging functionality, complete with the ability to write all keystrokes to a log file, was probably introduced to help the developers debug the driver.
We can hope that the HP keylogger vulnerability was left in inadvertently when the drivers were released to customers. Modzero found metadata indicating the HP keylogger capability was present in HP computers since December 2015, if not earlier.
It’s difficult to know whether static or dynamic code analysis tools could have detected this vulnerability. However, given the resources available to HP in 2015, including a line of business related to application and code security, as well as the expectations of their customers, it might be reasonable to assume HP could have incorporated these tools into their software development practices. However, the transfer of all of HP’s information security businesses to a new entity, Hewlett Packard Enterprise, began in November 2015, and was completed in September 2017, when Micro Focus merged with HPE.
It’s possible that Modzero found the HP keylogger vulnerability while evaluating a potential new endpoint for an enterprise customer. They could have been monitoring for open files, or looking for which processes had the files open to determine what the process was doing. They could have been profiling the individual processes running by default on the system to see which binaries to investigate for vulnerabilities. They could even have been monitoring to see if any processes were monitoring keystrokes.
Enterprises can take these steps on their own or rely on third parties to monitor their vendors. Many enterprises will install their own image on an endpoint before deploying it on their network — the known good images used for developing specific images for target hardware could have their unique aspects analyzed with a dynamic or runtime application security tool to determine if any common vulnerabilities are present.
Originally seen on: Bleepingcomputer.com
‧ Binary options and synonymous products
‧ Cryptocurrencies and related content (including but not limited to initial coin offerings, cryptocurrency exchanges, cryptocurrency wallets, and cryptocurrency trading advice)
The ban will enter into effect across all of Google’s advertising network, including ads shown in search results, on third-party websites, and YouTube.
Some ads will be allowed, but not many
But the ban is not total. Google said that certain entities will be able to advertise a limited set of the banned services, including “cryptocurrencies and related content.”
These advertisers will need to apply for certification with Google. The downside is that the “Google certification process” will only be available for advertisers located in “certain countries.”
Google did not provide a list of countries, but said the advertisers will have to be licensed by relevant financial services and “comply with relevant legal requirements, including those related to complex speculative financial products.”
Prices for almost all cryptocurrencies fell across the board today after Google’s announcement, and most coins continued to lose value.
Scams and phishing sites to blame
While Google did not provide a backdrop to the reasons it banned cryptocurrency ads, they are likely to be the same to the ones cited by Facebook —misleading ads being abused to drive traffic to financial scams and phishing sites.
There’s been a surge in malware and phishing campaigns targeting cryptocurrency owners ever since Bitcoin price surged in December 2016 [1, 2]. Just last month, Cisco Talos and Ukrainian police disrupted a cybercriminal operation that made over $50 million by using Google ads to to drive traffic to phishing sites.
A report published by “Big Four” accounting firm Ernst & Young in December 2017 reveals that 10% of all ICO (Initial Coin Offering) funds were lost to hackers and scams, and cryptocurrency phishing sites made around $1.5 million per month. The company says that cryptocurrency hacks and scams are a big business, and estimates that crooks made over $2 billion by targeting cryptocoin fans in the past years.
Furthermore, a Bitcoin.com survey revealed that nearly half of 2017’s cryptocurrencies had already failed.
The recent trend of using the overhyped cryptocurrency market and ICOs for financial scams is also the reason why the US Securities and Exchange Commission (SEC) has started investigating and charging people involved in these practices.
This constant abuse of the cryptocurrency theme was the main reason why Facebook banned such ads on its platform, and is, most likely, the reason why Google is getting ready to implement a similar ban in June.
Last Seen: March 2018 on Tech Target
An increase in fileless malware, including PowerShell malware, was reported in McAfee Labs’ December 2017 Threat Report. Discover how enterprises can defend again fileless attacks.
It can be easy to dispute or question industry reports from top security vendors because the data is often collected from those vendors’ customers, and it is frequently used to show how the vendors’ products can better protect enterprises.
However, these reports can often help enterprises improve their information security programs. Antimalware companies often use this data-driven tactic to dig into specific examples of threats so enterprises can determine if they are adequately protected from those threats.
In this tip, we’ll discuss PowerShell malware, the specific example of the Emotet Trojan and enterprise defenses for these threats.
PowerShell malware and the Emotet Trojan
McAfee reported a surge in fileless attacks in 2017’s Q3 in which malicious code in macros used PowerShell to execute malware. One notable piece of fileless malware was the Emotet Trojan.
Before getting into the details of the threat, it’s important to note than when a vendor report states that the highest number of incidents for a specific malware type was observed, that doesn’t necessarily mean that the number is all that meaningful. The amount of malware detected only matters to an antimalware company in terms of how many resources they need to analyze the malware, report on it and ensure that their customers are adequately protected.
When a report references fileless attacks, it also doesn’t necessarily mean that no files were used in the attack. Fileless usually means that no files were left behind on a system for persistence, but files were used in the attack.
The fileless aspect could also mean that PowerShell, cmd or WMIC were used as part of the attack to execute code on the endpoint. This could include downloading a file or writing data to the registry to create a persistence mechanism on the endpoint.
Emotet is a type of banking Trojan that is distributed by botnets; it spams recipients to socially engineer them into opening a malicious attachment — usually a Word document that has a malicious macro. When the macro runs, it calls a PowerShell, cmd or WMIC command to download malware onto the endpoint for persistence.
While files are used in several different parts of the attack, the fileless aspect occurs when PowerShell or cmd is used to download the next step in the attack. Unlike using a downloader to download a piece of malware to the endpoint, the fileless approach can help to avoid potential detection.
Enterprise defenses against PowerShell malware
Since responding to malware threats is absolutely critical, ensuring your enterprise is prepared is important. We’ve discussed fileless malware at length, but malware is constantly evolving and, thus, security tools must do the same.
Some tools have incorporated functionality to address fileless attacks, while other new endpoint security tools have emerged to address these threats and current attacks. However, attacks continue to use known vulnerabilities or insecure functionality, as well as legitimate tools and functions like PowerShell, to take over endpoints.
Your next step should be to check how your existing security tool vendors address Emotet because many different endpoint security vendors have different methods and advice on how to protect your enterprise. One common method among these tools is blocking executables or changes to the system via signatures, behavioral monitoring, or a combination of both detecting and monitoring common methods for persistence, such as preventing the Run registry keys from being modified.
Some of the tools specifically block Microsoft Word from calling out to PowerShell, which can block a malicious PowerShell command from executing on the system.
Examining infected systems on your network to determine how they were infected can identify which security controls need to be updated to properly protect your endpoints.
While the world is changing faster than anyone may realize or want to admit, some of the basics have stayed the same. Ensuring that you are regularly updating your information security program to identify which security controls are properly working is necessary to manage information security risk and protect your enterprise from the Emotet Trojan.
Originally seen: December 2017 on Tech Target
Cloud environments are no less susceptible to ransomware than other environments. However, they have properties that can make response and preparedness different. For example, they might employ different notification and communications channels, they might involve different personnel, and there may be a different control set in use. It can behoove organizations to think through ransomware in the cloud the same way they prepare for ransomware for internal systems and applications.
Ransomware in the cloud
Using an infrastructure as a service (IaaS) platform gives the cloud customer more visibility into the underlying OS than other cloud models, but this, in turn, means that issues, like patching — particularly in the case of legacy or special purpose systems — are just as complex as in other environments, and therefore may take longer than one might like.
The issue is that an IaaS environment might be susceptible to ransomware. What is different with IaaS, though, is how the organization discovers the ransomware, how it responds and how it protects against the threat. As a practical matter, different personnel are often responsible for direct oversight of IaaS workloads compared to other technology.
For example, cloud is conducive to shadow IT. It can be hard for enterprise security teams to identify and manage shadow cloud applications used by employees and lines of business across an organization. Will a development team, business team or other non-IT organization plan for — and be ready to remediate — ransomware in the cloud to the same extent as the technology organization?
Even if shadow IT isn’t a factor for an organization, initial notification of a ransomware event might come through a different channel than expected. For example, notifications could come from a relationship manager for larger deployments; a defined escalation channel with the service provider, which might be a business team; or through a provider-maintained service portal.
Also, keep in mind that both the resolution and implementation of specific countermeasures might need to be done through different channels. As an example, if a key activity in response to a rapidly proliferating ransomware, like WannaCry, is to proactively patch, the manner in which you affect this might vary for the cloud — an enterprise might need to schedule a maintenance window with its provider, for instance.
Aside from IaaS, other cloud models can be impacted, as well. Even SaaS isn’t immune — consider storage such as Dropbox, Google Drive, etc. Typically, these services work by syncing local files to the cloud; for a small organization, this might constitute its primary storage, backup or data sharing mechanism. What happens when the local files are encrypted, deleted, overwritten with garbage or otherwise compromised by ransomware? Those changes will be synced to the cloud.
Mitigation strategies for cloud ransomware
What can organizations do to prepare for ransomware in a cloud environment? There are a few things that can make response significantly easier. Probably the most effective thing organizations can do — for both cloud environments and for any other environment — is to specifically exercise response and escalation procedures.
For example, a tabletop exercise can be very helpful in this regard. A tabletop exercise defuses the primary question: will you pay the ransom? Invariably, someone will suggest paying it regardless of law enforcement and others arguing against it — discussing this specifically ahead of time helps clarify pros and cons when adrenaline levels aren’t off the charts.
Secondly, working through alert and response scenarios ahead of time means you get answers to key questions: how will you be notified of an event? Who will be notified, and what notification pathways correspond to specific cloud relationships? Also, what is required to take responsive action in each of those channels?
It’s also a useful idea to undertake a systematic risk assessment specifically for ransomware. You might, for example, look at backup and response processes to ensure that, should data be specifically targeted by ransomware that seeks to render it inaccessible, the organization has thought through protection and recovery strategies at the technical level.
For an IaaS relationship, think through and test backup and response services that service providers might offer, technical controls that they offer and the countermeasures the organization already employs. This level of risk analysis is probably already done for the enterprise as a whole, but you should take measures to specifically extend that to cloud relationships. This can be somewhat time-consuming for organizations that have numerous service provider relationships in place, but this effort can be folded into a broader activity that has value beyond just ransomware — for example, malware mitigation more generally, data gathering about cloud relationships, threat modeling, cloud governance or other activities that involve the systematic analysis of cloud relationships.
The arguably harder situation in the event of ransomware in the cloud is the intersection of SaaS and smaller organizations — specifically, the possibility of corruption of cloud storage through synchronization of ransomware-impacted files to a remote storage repository. Specific measures to prevent this are available, such as keeping a manually synced or time-initiated mirror of data at another repository, assuming that the volume in question isn’t such that this is prohibitively expensive.
Alternatively, backup solutions that keep prior iterations of data can provide a means of recovery even if the primary storage location is compromised. Regardless of what method an organization employs, though, the most important thing is to think through it in advance and view protection measures critically.
Chime in and let us know what you are doing to stay proactive.
A hacking group that calls itself Fancy Bears posted email messages allegedly from officials at the International Olympic Committee (IOC), the U.S. Olympic Committee (USOC) and other associated groups, like the World Anti-Doping Agency (WADA). There’s no confirmation yet that the email messages are authentic, but Fancy Bears focuses on anti-doping efforts that got Russia banned from this year’s Olympic Games.
“The national anti-doping agencies of the USA, Great Britain, Canada, Australia, New Zealand and other countries joined WADA and the USOC under the guidance of iNADO [Institute of National Anti-Doping Organisations],” Fancy Bears said on its website. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”
Fancy Bears is believed to be the same hacking group known as Fancy Bear that claimed responsibility for the 2016 hack on the U.S. Democratic National Committee, which interfered in the 2016 presidential election. Fancy Bear hackers have been linked to Russia’s military intelligence unit, the GRU, by American intelligence officials.
The batch of email messages Fancy Bears posted is from 2016 through 2017 and mainly focuses on discrediting Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.
The IOC declined to comment on the “alleged leaked documents” and whether or not they are legitimate.
It’s not clear how Fancy Bears allegedly breached the IOC email. However, in 2016, the same group targeted WADA with a phishing scheme and released documents that focused on previous anti-doping efforts following the 2016 Summer Olympics. In that case, the hacking group released the medical records for U.S. Olympic athletes Simone Biles, Serena and Venus Williams and Elena Delle Donne. The medical records showed that these athletes were taking prohibited medications, though they all obtained permission to use them and, thus, were not violating the rules. This release happened in the midst of McLaren’s investigation into the widespread misconduct by Russian athletes.
In one email released in this week’s dump, IOC lawyer Howard Stupp complained that the findings from McLaren’s investigation were “intended to lead to the complete expulsion of the Russian team” from the 2016 Summer Games in Rio de Janeiro and now from the 2018 Pyeongchang Games.
What do you think about this alleged Olympics hack?
ITG remains committed to their clients day in and day out. Whenever you need someone, you know who to call. Mike and the ITG team care so much about the clients that they want to spread the word. Although it may be strange if Mike stood on a rooftop yelling about all the ways they can help someone, we figured the clients could tell you best. We recently interviewed Linda from NYACP, New York Chapter American College of Physicians, to get her take on ITG and to find out more about what she does!
NYACP is a not-for-profit professional service organization providing education, advocacy and quality improvement/practice management for 12,000 internal medicine physicians in New York state. Linda loves that her work focuses on improving healthcare and helping members achieve success in the ever-changing practice environment.
In a world of such uncertainty and change, wouldn’t you want to feel that passion? Every business will suffer from technological issues, updates and threats to operations by viruses and other intrusions. Lucky for Linda, her limited IT experience was in hiring the right consultant. She has better peace of mind within the company since working with ITG. She has been able to learn more about technology as her business grew and came to better understand the impact of technology and interoperability. This allows her to feel more comfortable with her entire IT infrastructure allowing her to focus more on management and operations.
She was first introduced to ITG by word of mouth from colleagues. After interviewing others and assessing the best choice, Linda chose ITG because of their experience and local reach. She has not been disappointed, and its been years working together! When asked what the process is like to work with ITG she said: “They are a sound, reliable partner, they respond to our needs expeditiously and completely.” She considers the ability to ask questions and get “helpful, meaningful information in easy to understand language (and Diagrams!!!)” to be the best value for a busy executive.
Did you Know……….
- Her favorite part of working with ITG is “the staff, the reliability of their recommendations and their service”!
- There are laws and regulations in place that require companies to take measures to prevent data breaches and other attacks.
You too can have the peace of mind in your day to day life by partnering with a company that cares about your business, answers questions and immediately responds to concerns. Reach out to ITG today and speak with the team about how they can help!
Article By: Rob Shapland of First Base Technologies LLP
The Cloud Security Alliance recently released its 2017 report on “The Treacherous 12,” a detailed list of the most significant cloud security threats. The list was compiled by surveying industry experts and combining the results with risk analysis to determine the threats that are most prevalent to organizations storing data in the cloud.
An interesting observation is how similar cloud security threats are to the risks of storing data anywhere else. The data in the cloud is still stored in a data center, and it can still be accessed by hackers via many of the same methods they have always used, such as email phishing, weak passwords and a lack of multifactor authentication.
There seems to be a general opinion among many organizations that storing your data in the cloud — specifically in infrastructure as a service — outsources the security completely, with an almost out of sight, out of mind attitude. However, as cloud service providers will point out, there is a shared responsibility model that means although the cloud provider may be in charge of the underlying infrastructure, your organization is responsible for the security of the applications and data that reside on that hardware.
The top cloud security threats
The key cloud security threats worth highlighting from “The Treacherous 12” report are the insider threat, the risk of data loss and insufficient due diligence. They demonstrate the casual attitude many organizations have about the use and management of cloud services.
There are many cases where organizations use cloud services as a way of bypassing what is seen as an overly restrictive IT department, whereas, in reality, the IT team is trying to protect the data. By bypassing the IT team and signing up for cloud services without their consent, the business can think it’s becoming more agile in its approach, but, in reality, it is circumventing restrictions that were designed to reduce the risk of a data breach.
There are many different SaaS providers offering tools and services to organizations with slick marketing and promises of positive ROI. However, the due diligence that is done on these services is lacking, which may be surprising.
For example, if your organization outsources its HR data to a small SaaS company, performing security due diligence on it should be a key prerequisite. That company may spend only a fraction of what your organization spends on security, and it may be a very attractive target for hackers because of the data it stores. Your organization’s data may be far more likely to be stolen through that third party.
You also may be reliant on that organization’s backups to prevent data loss; storing critical data on another company’s network leaves your organization at even greater risk. There is also the added risk of insider attacks; the employees of the SaaS company have not been through your vetting procedures, and its processes for monitoring staff may not be as robust as yours.
Overall, the Cloud Security Alliance’s report successfully highlights the key cloud security threats and just how similar those risks are to storing data anywhere else. It provides a timely reminder to ensure that enterprises treat the data they store in the cloud with the same care and attention that it would if it were storing it on premises.
Are you convinced yet? Our MSS services are a proactive and detective service to reduce security risks. Call us today to find out how we can help prevent the inevitable 518-479-3881.