Only about half of enterprises are satisfied with their ability to detect cybersecurity threats, according to a survey from Forrester Consulting – with respondents painting a picture of major resource and technology gaps hamstringing their efforts to block cyberattacks. According to the just-released 2020 State of Security Operations survey of 314 enterprise security professionals, enterprise security teams around the world feel that they struggle with the growing pace, volume and sophistication of cyberattacks. A whopping 79 percent of enterprises covered in the survey have experienced a cyber-breach in the past year, and nearly 50 percent have been breached in the past six months. It turns out that businesses are under constant attack, with the average security operations team receiving more than 11,000 security alerts daily. Unfortunately, thanks to manual triage processes and disparate and legacy security tools permeating most environments, 28 percent of alerts are simply never addressed, the survey, released Thursday, found. Only 47 percent of organizations noted that they are able to address most or all of the security alerts they receive in a single day; and out of those that are addressed, almost a third are false positives. In fact, according to the report findings, only 13 percent of the surveyed organizations are using automation and machine learning to analyze and respond to threats. Nearly 20 percent of alerts are manually reviewed/triaged by an analyst. …


As states deal with re-opening and, in some cases, re-closing, the reality is that for many organizations, remote work will play a significant role in business through 2020 and beyond. So will increased cybercriminal activity, as demonstrated by a 131 percent increase in viruses and about 600 new phishing attacks a day when the pandemic started. Initially, we saw a number of phishing attacks directly related to COVID-19 (including ones purporting to be from the Centers for Disease Control and Prevention). Later, these attacks centered on stimulus packages and unemployment insurance, before evolving to subjects like vaccines and the stock market. Now, attackers are using a variety of relevant subjects – everything from “staycations” to boat rentals and food deliveries. And they aren’t just using email for these attempts – online ads and mobile apps are just a couple of the other tactics used. Even if organizations have created more flexible remote-work policies to better accommodate the needs of their employees in the short term, these businesses must ensure that their teleworker strategies can support and secure remote connectivity long-term.

Clarity from Crisis

Due to the pandemic, CISOs initially faced the incredible pressure of maintaining business continuity with almost 100 percent of the workforce shifting to working from home in just a couple of days. Many successful approaches that we have seen for this are based on a careful analysis of existing capabilities, so that…


The operators of the Maze ransomware have added a fresh trick to their bag of badness: distributing ransomware payloads via virtual machines (VMs). It’s a “radical” approach, according to researchers, meant to help the ransomware get around endpoint defenses. That’s according to researchers with Sophos Managed Threat Response (MTR), who said that the threat actors were recently seen distributing the malware in the form of a VirtualBox virtual disk image (a VDI file). The VDI file itself was delivered inside of a Windows MSI file, a format used for the installation, storage and removal of programs. In order to set up the VM on the target, “the attackers also bundled a stripped down, 11-year-old copy of the VirtualBox hypervisor inside the .MSI file, which runs the VM as a ‘headless’ device, with no user-facing interface,” researchers said in a Thursday posting. The VM would run as a trusted application, which helps the ransomware conceal itself. Also, most endpoint solutions only have visibility into physical drives, not VMs – virtual environments usually require their own separate security monitoring solution. “Since the…ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out-of-reach for security software on the physical host machine,” Sophos explained in an earlier blog post. “The data on disks and drives accessible on the physical machine are attacked by the ‘legitimate’ VboxHeadless.exe…


The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and "supply chain" attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm. Charging documents say the seven men are part of a hacking group known variously as "APT41," "Barium," "Winnti," "Wicked Panda," and "Wicked Spider." Once inside a target organization, the hackers stole source code, software code-signing certificates, customer account data and other information they could use or resell. APT41's activities span from the mid-2000s to the present day. Earlier this year, for example, the group was tied to a particularly aggressive malware campaign that exploited recent vulnerabilities in widely-used networking products, including flaws in Cisco and D-Link routers, as well as Citrix and Pulse VPN appliances. Security firm FireEye dubbed that hacking blitz "one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years." The government alleges the group monetized its illicit access by deploying ransomware and "cryptojacking" tools (using compromised systems to mine cryptocurrencies like Bitcoin). In addition, the gang targeted video game companies and their customers in a bid to steal…


The Mozi botnet, a peer-to-peer (P2P) malware known previously for taking over Netgear, D-Link and Huawei routers, has swollen in size to account for 90 percent of observed traffic flowing to and from all internet of things (IoT) devices, according to researchers. IBM X-Force noticed Mozi’s spike within its telemetry, amid a huge increase in overall IoT botnet activity. Combined IoT attack instances from October through June are 400 percent higher than the combined IoT attack instances for the previous two years. “Attackers have been leveraging these devices for some time now, most notably via the Mirai botnet,” according to IBM. “Mozi continues to be successful largely through the use of command-injection (CMDi) attacks, which often result from the misconfiguration of IoT devices. The continued growth of IoT usage and poor configuration protocols are the likely culprits behind this jump. This increase may have been fueled further by corporate networks being accessed remotely more often due to COVID-19.” Mozi first sauntered onto the scene in late 2019 targeting routers and DVRs, and has been analyzed a couple of times by various research teams. It’s essentially a Mirai variant, but also contains snippets from Gafgyt and IoT Reaper – it’s used for DDoS attacks, data exfiltration, spam campaigns and command- or payload-execution. IBM observed Mozi using CMDi for initial access to a vulnerable device via a “wget” shell command, then altering permissions to allow the threat…


Apple has updated its iOS and iPadOS operating systems, addressing a wide range of flaws in its iPhone, iPad and iPod devices. The most severe of these could allow an adversary to exploit a privilege-escalation vulnerability against any of the devices and ultimately gain arbitrary code execution. The bugs were made public Wednesday as part of the release of Apple’s iOS 14 and iPadOS 14 security changelogs. In total, Apple addressed 11 bugs in products and components, including AppleAVD, Apple Keyboard, WebKit and Siri. A list of CVEs can be found below. Apple does not rate its security bugs, but a cursory review of the CVE descriptions indicates a wide range of concerning vulnerabilities that were patched. The Siri bug, for instance, allows a person with physical access to an iPhone to view notification contents from the lock screen. Another bug was tied to maliciously crafted 3D Pixar files, called Universal Scene Description (USD), which could allow an adversary to execute arbitrary code on specific iOS device models.

High-Severity Privilege-Escalation Bug: CVE-2020-9992

According to researchers at IBM’s X-Force, one of the most significant bugs patched by Apple is a privilege-escalation vulnerability impacting Apple iOS and iPadOS (up to 13.7). Tracked as CVE-2020-9992, the vulnerability could be exploited if a target were tricked into opening a specially crafted file. “An attacker could exploit this vulnerability to execute arbitrary code on a paired device during a debug…


Google is taking the step of prohibiting “stalkerware” in Google Play, along with apps that could be used in political-influence campaigns. Effective October 1, apps that would allow someone to surreptitiously track the location or online activity of another person will be removed from the internet giant’s official online store. According to Google, stalkerware is defined as “code that transmits personal information off the device without adequate notice or consent and doesn’t display a persistent notification that this is happening.” This includes apps that can be used to monitor texts, phone calls or browsing history, and GPS trackers specifically marketed to spy on or track someone without their consent. Abusers can use such apps for harassment, surveillance and stalking, and they can even lead to domestic violence, critics say. Google also specified that any consent-based tracking-related apps distributed on the Play Store (telemetry apps used by enterprises to keep tabs on employee activity) must comply with certain parameters. For instance, they can’t market themselves as spying or secret-surveillance solutions (such as apps that go with surveillance cameras, stealth audio recorders, dash cams, nanny cams and the like). Apps also can’t hide or cloak tracking behavior or attempt to mislead users about such functionality, and they have to present users with a “persistent notification and unique icon that clearly identifies the app,” according to a Wednesday…


Five alleged members of the APT41 threat group have been indicted by a federal grand jury, in two separate actions that were unsealed this week. APT41 (a.k.a. Barium, Winnti, Wicked Panda or Wicked Spider) is known for nation-state-backed cyber-espionage activity as well as financial cybercrime. The Department of Justice alleges that the group “facilitated the theft of source code, software code-signing certificates, customer-account data and valuable business information,” which in turn “facilitated other criminal schemes, including ransomware and cryptojacking.” The five suspected perpetrators, all of whom are residents and nationals of the People’s Republic of China (PRC), are charged with hacking more than 100 victim companies in the United States and abroad, including software-development companies, computer-hardware manufacturers, telecom providers, social-media companies, video-game companies, nonprofit organizations, universities, think tanks and foreign governments, as well as pro-democracy politicians and activists in Hong Kong. According to John Hultquist, senior director of analysis at Mandiant Threat Intelligence, APT41 has been the most prolific Chinese threat actor tracked by the firm in the last year. “This is a unique actor, who carries out global cyber-espionage while simultaneously pursuing a criminal venture,” he said via email. “Their activity traces back to 2012, when individual members of APT41 conducted primarily financially motivated operations…


As students head back to the classroom, the spate of ransomware attacks against schools is continuing. The latest is a strike against a California school district that shut down remote learning for 6,000 elementary school students, according to city officials. The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools, Newhall Superintendent Jeff Pelzel told the Los Angeles Times. He said the cybercriminals struck overnight Sunday into Monday morning, and that he noticed something awry after getting consistent error messages when trying to access Outlook and email. Shortly after, it became apparent that the district had been victimized by malware. Interestingly, there has been no extortion demand yet, Pelzel told the outlet. But meanwhile, Newhall’s servers have been shut down while a forensic investigation plays out, and the kids are back to using pencil and paper to work on take-home assignments. In an Instagram post shared on Sep 14, 2020, the Newhall School District (@newhallsd) wrote: “Please see letter from Mr. Pelzel, which was emailed to parents today, 9/14/2020.” The news comes as officials issue warnings on increased ransomware attacks in the education sector, largely tied to remote learning and the increased use of technology for instruction – which widens the attack surface. The…


U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges. The Justice Department unsealed indictments against Russian nationals Danil Potekhin and Dmitrii Karasavidi, alleging the duo was responsible for a sophisticated phishing and money laundering campaign that resulted in the theft of $16.8 million in cryptocurrencies and fiat money from victims. Separately, the U.S. Treasury Department announced economic sanctions against Potekhin and Karasavidi, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them. According to the indictments, the two men set up fake websites that spoofed login pages for the currency exchanges Binance, Gemini and Poloniex. Armed with stolen login credentials, the men allegedly stole more than $10 million from 142 Binance victims, $5.24 million from 158 Poloniex users, and $1.17 million from 42 Gemini customers. Prosecutors say the men then laundered the stolen funds through an array of intermediary cryptocurrency accounts — including compromised and fictitiously created accounts — on the targeted cryptocurrency exchange platforms. In addition, the two are alleged to have artificially inflated the value of their ill-gotten…
