Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions. Browser extensions are add-ons that users can install to enhance their web surfing experience – they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.

While extensions are useful, they can also introduce danger. In addition to intentionally malicious browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who look to exploit vulnerabilities in their code.

Google Bans Paid Extensions

In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component – those that are paid for, those that offer in-browser transactions and those that offer subscription services. It’s a temporary measure, according to the internet giant – but one that doesn’t yet have a timeline for resolution.

“Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,” it said in a notice, issued Friday. “Due to the scale of this abuse, we have temporarily disabled publishing paid items….

A mid-January spam campaign by the criminals behind the popular Necurs botnet shows a dramatic drop in skill and savvy by its perpetrators. In a shift from sending sophisticated messages with lethal payloads, Necurs botnets are now peddling get-rich-quick spam in what researchers are calling “amateur” campaigns.

The lowering of the Necurs bar, according to IBM X-Force researchers, is tied to the fact that cybergangs are attempting to up their game and adopt new and more sophisticated attacks that are harder to defend against, and are spending less time cooking up deadly Necurs-based spam attacks.

Necurs, a prolific and globally dispersed spam and malware distribution botnet, has long been a formidable threat since it was first spotted in 2012. The botnet’s popularity stems from its ability to sneak past spam filters, resulting in high infection rates for its cybercrime clientele and the spreading of malware such as GameOver Zeus, Dridex, Loki and TrickBot.

However, researchers say that a desire for more targeted attacks and a stronger foothold in networks has forced adversaries over the past year to turn away from Necurs in favor of alternative malware. Most notably, cybercrime groups are now eyeing Emotet as a preferred means of attack over Necurs. Emotet started out as a banking trojan but eventually evolved into a botnet used to distribute malware in enterprise attacks.

“Things are changing and with major banking Trojan botnets moving away from Necurs and to distribution through inter-gang…

Aleksei Burkov, an ultra-connected Russian hacker once described as "an asset of supreme importance" to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

[Photo caption: Aleksei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.]

Burkov, 29, admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being the founder and administrator of DirectConnection — a closely guarded underground community that attracted some of the world's most-wanted Russian hackers. He pleaded guilty last week in a Virginia court to access device fraud and conspiracy to commit computer intrusion, identity theft, wire fraud and money laundering.

As KrebsOnSecurity noted in a November 2019 profile of Burkov's hacker nickname 'k0pa,' "a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much."

Membership in the DirectConnection fraud forum was heavily restricted. New members had to be native Russian speakers, provide a $5,000 deposit, and be vouched for by three existing crime forum members. Also, members needed to have a…

New York State may soon ban municipalities from paying ransomware demands in the event of a cyberattack. State Senators Phil Boyle, George M. Borrello and Sue Serino introduced Senate Bill S7246 earlier this month, in response to the rising tide of cyberattacks targeting government agencies and municipal entities across the country.

Some of these – such as Riviera Beach and Lake City in Florida – have paid the ransom, after remediation was deemed to be more expensive than shelling out to the hackers. Others, such as New Bedford, Mass., and the city of Atlanta, have ridden out the infection without paying up. In the latter case, the city ended up spending $2.6 million to recover, with expenditures for incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise. Cybersecurity experts have noted, though, that the decision to pay or not to pay is a complex one, dictated by individual circumstances, budget and risk to data.

The bill, S.B. S7246, proposes a blanket policy in New York State that’s aimed at removing the incentive for ransomware operators to keep targeting its agencies, towns and cities. To accommodate the expected remediation costs, the bill proposes the creation of a “Cyber Security Enhancement Fund.” This would be earmarked for municipalities with populations of less than a million residents to upgrade their security postures.

“A small investment in local government cybersecurity now, can help stop cybercriminals from…

The U.K. government has unveiled a proposed law aimed at securing internet of things (IoT) devices, which have historically been riddled with basic security issues. The drafted law, announced on Monday, comprises three main mandates for IoT manufacturers. First, all consumer IoT device passwords must be unique (and not resettable to universal factory settings). Second, IoT device manufacturers must provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner.” Third, manufacturers must explicitly state, at the point of sale, the minimum length of time for which devices will receive security updates.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Matt Warman, U.K. Minister for Digital and Broadband, said in a statement. “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the U.K. announced it was accepting proposals for IoT security regulation. The U.K. government said that it aims to “deliver the legislation as soon as possible.”

Security experts like Ken Munro, partner at Pen Test Partners, applauded the proposed law: “There is clearly broad support for the proposed regulation of consumer smart devices,…

Ransomware costs more than doubled in the fourth quarter of 2019, with the average ransom payment skyrocketing to $84,116, a 104 percent surge from $41,198 in the third quarter. Researchers said that the leap in ransomware costs is due in large part to some attackers pushing variants such as Ryuk and Sodinokibi harder into the lucrative enterprise space, where criminals can attempt to extort companies with deep pockets for seven-figure ransom payouts.

“In Q4, ransomware actors also began exfiltrating data from victims and threatening its release if the ransom was not paid. In addition to remediation and containment costs, this new complication brings forth the potential costs of 3rd party claims as a result of the data breach,” said researchers with Coveware in an analysis published this week, which aggregated anonymized ransomware cases handled by Coveware’s incident response team.

Costs from ransomware attacks can vary; they include the cost of a ransom payment, if one is made, and the cost of remediation efforts for a network and its associated hardware devices. Costs beyond the attack itself also include lost revenue from downtime and even brand damage if business interruption is severe enough.

Downtime Increases

In addition to ransom payments skyrocketing, the average downtime that a ransomware attack causes for a company also increased, from 12.1 days in the third quarter of 2019 to 16.2 days in the fourth quarter. This uptick was also linked to a higher prevalence of…

Cisco Systems has fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings – no authentication necessary.

A remote attacker would not need to be authenticated to exploit the flaw, according to Cisco. All an attacker would need is the meeting ID and a Webex mobile application for either iOS or Android. After the attackers input the meeting ID into their mobile Webex application, the browser then requests to launch the device’s Webex mobile application, allowing them to enter the meeting – sans a password.

“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications,” said Cisco in a Friday advisory. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”

One caveat to the attack is that unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee – meaning their presence could be detected by others in the meeting. However, if left undetected, an attacker would be able to eavesdrop on potentially secretive or critical business meeting details.

Affected are Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites for versions earlier than 39.11.5 (for the former) and 40.1.3 (for the latter). Cisco fixed this vulnerability in versions 39.11.5 and later and 40.1.3 and later for Cisco…

A newly introduced bill is proposing sweeping privacy reforms to a controversial government surveillance program, which has previously been used by the National Security Agency (NSA) to vacuum up the call records of millions of Americans. The “Safeguarding Americans’ Private Records Act” was introduced Thursday by Sen. Ron Wyden (D-WA) and Sen. Steve Daines (R-MT).

In particular, the bill sharply curtails Section 215 of the Patriot Act, which gives the government broad power to ask businesses for their records relating to someone who might be involved in terrorism. The bill closes loopholes in vague language used by Section 215 to justify mass surveillance sans warrant. For instance, while Section 215 originally stated that the government could collect telephone data if it was deemed “relevant” to international terrorism, the bill cracks down on that broad language by limiting the types of criminal cases that are “relevant.” It also specifies how long collected data can be retained and includes measures for more transparency around government data collection.

“The bill ends the authority for the NSA’s massive phone record program… It prohibits the warrantless collection of cell site location and GPS information as well as browsing history and internet search history, and ensures that the government cannot conduct collection for intelligence purposes that would violate the Fourth Amendment in the criminal context,” said Wyden in his introduction to…

If you're running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company's domain name and doing whatever they wish with it. Even so, most major Web site owners aren't taking full advantage of the security tools available to protect their domains from being hijacked. Here's the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK's CEO Peter Cholnoky had already protected their domain with a "registrar lock," a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to…

A honeypot set up to observe the current security landscape in smart manufacturing systems observed numerous threats—including cryptomining malware and ransomware—in just a few months, highlighting the new threats that industrial control systems (ICS) face with increased exposure to the internet.

While ICS networks were traditionally proprietary, closed systems, the advent of the Internet of Things (IoT) has created manufacturing systems that expose devices and network ports to the internet. This also makes these systems vulnerable to more threats from bad actors – which could have dire implications when it comes to manufacturing plants or critical infrastructure.

To further study these threats, researchers with Trend Micro simulated a fake smart factory system last year in what they called “our most realistic honeypot to date,” according to their report. “We created an environment that could lure cybercriminals into carrying out attacks and at the same time give us an all but unimpeded look at their actions,” they said.

Developing the Honeypot

To make the system seem real to hackers, the researchers mimicked an entire factory, including programmable logic controllers, a human-machine interface (HMI) and other components. They even went so far as to create a fake company with a website (see image) — a rapid prototyping consultancy firm complete with employees, working contact channels and a client base comprised of large anonymous…
