This digest of cybersecurity news is curated by the Internet Security Alliance and Direct Computer Resources (DCR). DCR has been an ISA Board Member since 2008.
Your failure to apply critical cybersecurity updates is putting your company at risk from the next WannaCry or Petya
ZD Net, August 21 — Some organisations are still failing to take basic cybersecurity precautions by not applying critical patches and leaving themselves open to cyberattacks -- even when updates have been available for months. This poor approach to security and patch management is detailed in Fortinet's Threat Landscape Report for Q2 2017. It highlights network and device hygiene as one of the most neglected areas of cybersecurity today — a failing that, if rectified, could go a long way to preventing future attacks. The researchers behind the report use the global spread of WannaCry ransomware, and the subsequent Petya outbreak a month later, to demonstrate the extent to which poor patching processes are commonplace. WannaCry infected over 300,000 computers around the globe in May, using a leaked NSA exploit for a vulnerability in Windows' Server Message Block (SMB) v1 networking protocol, which allowed the malware to spread laterally across networks. Microsoft released a patch to protect systems against the exploit two months prior to the WannaCry attack, then later released an emergency patch to protect out-of-support systems against the ransomware when the outbreak occurred. But, despite the impact of WannaCry, a month later it seems that many organisations hadn't bothered to apply the correct patches, as Petya used the same exploit to spread itself across infected networks. It claimed a number of high-profile victims — many of which are still dealing with the post-infection fallout. "Something we don't talk about often enough is the opportunity everyone has to limit bad consequences by employing consistent and effective cybersecurity hygiene," said Phil Quade, chief information security officer at Fortinet. "Cybercriminals aren't breaking into systems using new zero day attacks, they are primarily exploiting already discovered vulnerabilities." ... Read More.
Carbon Black: Bug Shared Content Files with VirusTotal
BankInfo Security, August 21 — Carbon Black rolled with the punches last week after it was accused of exposing customer data via a so-called "architectural flaw" in its endpoint detection product by Denver-based DirectDefense. There was no flaw. But a company review prompted by the charge has, in fact, uncovered a now-patched bug that did expose customer data, albeit on a small scale. The finding again involves a function that many vendors have incorporated into their endpoint detection products. The function sends an unknown file to VirusTotal, a so-called multi-scanner from Google. VirusTotal runs a file through more than 60 other anti-malware scanners from various vendors. That sharing, however, usually only occurs if customers have selected the option to upload files, because sharing could result in data exposure. Carbon Black took a closer look at Cb Response to check for bugs after DirectDefense's accusation. It found Cb Response would sometimes share content files with VirusTotal in very specific circumstances. About 10 of Carbon Black's 3,000 customers are affected. Those customers have been notified, and Carbon Black has provided them with copies of the files, Michael Viscuso, Carbon Black's co-founder and CTO, writes in a blog post. All of the files had been removed from VirusTotal as of Aug. 13, he says. "Carbon Black takes our customers' security seriously. We responsibly disclose bugs according to the highest, most transparent industry standards, regardless of a bug's footprint," Viscuso writes in the blog. The bug, introduced in April, only affects MacOS. A sensor within Cb Response mistakenly classified some content files as binaries before sending them to VirusTotal. The files were only shared if customers had already enabled sharing. The situation could potentially result in the exposure of sensitive data, depending on what is in the files.
VirusTotal subscribers have access to its full cache of files, which can be downloaded for analysis. The affected versions of Cb Response are v5.2.7+ and v6.0.4+, Viscuso writes. For the bug to be triggered, customers must have the sensor configured to collect modloads and all binaries and to upload unknown ones to a multi-scanner, among other conditions. ... Read More.
WannaCry ransomware attack at LG Electronics takes systems offline
ZD Net, August 21 — Global consumer electronics manufacturer LG has confirmed it had to shut down some parts of its network after systems fell victim to WannaCry ransomware. Ransomware was found on an LG self-service kiosk in South Korea, with analysis of the code identifying it as WannaCry, the file-encrypting malware that used a leaked NSA exploit to spread around the world in May this year. WannaCry infected over 300,000 Windows systems and crippled networks, resulting in a number of major organisations — including the UK's National Health Service (NHS) and car manufacturer Honda — being forced to take systems offline. While security researcher Marcus Hutchins found a killswitch to prevent further spread of the malware, and Microsoft released an emergency patch to protect older systems against WannaCry, the ransomware has continued to infect unpatched systems. Now WannaCry has raised its head again, and infected self-service kiosk systems at LG Electronics in South Korea. ... Read More.
Ukraine Central Bank Detects Massive Attack Preparation
Data Breach Today, August 21 — Ukraine's central bank has warned state-owned and private banks across the country that a new malware campaign targeting financial services firms may be a prelude to another assault of NotPetya proportions. "The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any anti-virus software, suggest that this attack is preparation for a mass cyberattack on the corporate networks of Ukrainian businesses," the central bank warned financial institutions earlier this month, in a letter seen by Reuters. The National Bank of Ukraine — the country's central bank — did not immediately reply to a request for comment on that report. But Ukraine's central bank told Reuters that it shared the threat intelligence with the country's banks two weeks ago. It said that the attacks have been spreading via malicious Microsoft Word documents attached to emails. "On August 11… the central bank promptly informed banks about the appearance of new malicious code, its features, compromise indicators and the need to implement precautionary measures to prevent infection," the central bank told Reuters in emailed comments. The bank says the intelligence it disseminated had been gathered by Ukraine's national computer emergency response team, CERT-UA. Malware and ransomware have long been distributed via malicious files attached to spam emails, designed to trick recipients into executing the attachment or otherwise aiding the attack. If such attachments do get opened, they typically function as a "dropper," downloading additional malware from an attacker-controlled server onto the now-infected, or "zombie," endpoint. Earlier this month, CERT-UA warned that there is an elevated risk of attacks from August 20 to 25 as Ukraine celebrates its 1991 independence from the USSR. ... Read More.
The daily grind in the life of a spammer
ZD Net, August 21 — Spam is one of life's annoyances, alongside cold callers and robocalls. While you may first associate spam with emailed claims that you have a rich long-lost relative in Africa or that you've won the Spanish lottery — despite never having played — spam emails often serve a more nefarious purpose. Those who fall for emails asking for their details so that unimaginable wealth or lottery winnings can be deposited, or — often successfully — asking them to visit a link that looks like their legitimate bank and re-enter their credentials, can suffer identity theft, account hijacking and, in serious cases, funds taken out of their account without authorization. Spam and phishing campaigns are common, but how do the cyberattackers behind them operate? On Monday, researchers from IBM X-Force Kassel revealed a research project investigating the average work week of a spammer. The security team, which operates spam honeypots and monitoring, says that data gleaned from spam campaigns has allowed it to map trends and patterns worldwide. IBM X-Force found that because spam campaigns are used to generate cash fraudulently, their operators generally behave like businesses, planning their workdays around business hours. Over 83 percent of spam is sent during weekdays, with "significant" drops over weekends. After analyzing six months' worth of data, the team also discovered that the biggest days for spam campaigns are Tuesday, Wednesday, and Thursday. There is a hike in spam volumes around 5am UTC (1am EST) during weekdays, and IBM says this is because "spammers start off with Europe before they 'follow the sun' and start spamming recipients in the US." ... Read More.
Institute for Women’s Health Hacked: PHI Compromised
HIPAA Journal, August 21 — Ransomware attacks on healthcare organizations have increased, although ransomware is far from the only malware threat. Keylogging malware can be used to obtain sensitive information such as login credentials or, in the case of the San Antonio Institute for Women’s Health (IFWH), credit and debit card information as it was entered into its system. The keylogging malware was discovered on the IFWH network on July 6, 2017, prompting a forensic investigation of its systems. That investigation revealed the malware had been installed on June 5, although it took until July 11 for the malware to be removed from the majority of its systems and a further two days for IFWH to confirm that it had been completely removed from all terminal servers and workstations. During the time that the malware was present, it recorded and transmitted sensitive data as it was entered into the system. The types of data recorded by the malware between June 5 and July 11 include names, dates of birth, addresses, Social Security numbers, scheduling notes, Current Procedural Terminology (CPT) and other billing codes, and other information that was entered into its system between those dates. ... Read More.
Gartner sets fire to all the cyber things
ZD Net, August 21 — "A fire is coming," says Steve Riley, a research director at Gartner. It's a metaphorical fire, representing the rapid change in cybersecurity that's making traditional techniques like blacklists, whitelists, and malware signatures irrelevant. Security is now a spectrum of risk, Riley told the Gartner Security and Risk Management Summit in Sydney on Monday. Embrace the shades of grey, he said. Embrace all the colours of risk. Each year, Gartner's summit kicks off with an explanation of its current framework for thinking about cybersecurity. Each year it morphs a little, adding new concepts as the cybersecurity threat landscape and technology evolve and dropping items as they lose significance because everyone's already on the same page. Gartner's framework is, therefore, an indication of what organisations are not doing. And the more Gartner emphasises it, the more organisations really need to pull their fingers out. In recent years, Gartner has stressed the importance of a risk-based approach to security, and a people-centric approach. Its most recent keyword has been "adaptive", steering away from the overused "agile". Most of these ideas were in one of the first slides we were shown on Monday: "Manage Risk. Build Trust. Embrace Change by Becoming Adaptive Everywhere." There's nothing new there, but it needs to be repeated. Gartner also stressed the importance of using analytics to reduce the workload of cybersecurity staff. It cited the example of one US organisation that had used analytics to reduce the number of security events needing investigation daily from 1,500 to 30. ... Read More.
Gartner's Avivah Litan on Attribution and Elections
BankInfo Security, August 21 — As threats and threat actors multiply and evolve, digital attribution becomes ever more critical, says Gartner's Avivah Litan. She discusses how to approach attribution and also offers her take on the technologies that could help secure U.S. elections. In an interview at Information Security Media Group's recent New York City Fraud and Breach Prevention Summit, Litan discusses:
• The tools to improve digital attribution of cyberattacks;
• How to record attacks against U.S. election systems;
• Basic controls to strengthen voter registration and authentication.
Litan is a vice president and distinguished analyst at Gartner Research. Her areas of expertise include endpoint security; security analytics for cybersecurity and fraud; user and entity behavioral analytics; insider threats; fraud detection; and prevention and identity proofing. ... Read More.
Maersk Previews NotPetya Impact: Up to $300 Million
Data Breach Today, August 17 — Danish shipping giant A.P. Møller–Maersk faces a loss of up to $300 million as a result of the NotPetya global malware outbreak. After NotPetya infected systems at Maersk, the world's biggest shipping firm had to reroute ships and was unable to dock or unload cargo ships in dozens of ports. "In the last week of the quarter we were hit by a cyber attack, which mainly impacted Maersk Line, APM Terminals and Damco," Maersk CEO Søren Skou said in an interim report issued Wednesday. "Business volumes were negatively affected for a couple of weeks in July. We expect that the cyber attack will impact results negatively by $200-$300 million." The malware known as NotPetya — aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C — hit organizations beginning June 27. Cyber police in Ukraine, as well as security firms such as Cisco Talos, ESET, Microsoft and Symantec, have said the attacks were facilitated by a "cunning backdoor" added to widely used accounting software. From there, NotPetya spread to businesses with Ukraine-based offices or business partners, in part by targeting an SMB flaw that Microsoft had patched prior to the NotPetya outbreak. But NotPetya could also spread via two legitimate Windows tools — PsExec and Windows Management Instrumentation — as well as use the open source Mimikatz tool to try to steal passwords from infected systems. Firms in Ukraine, including government agencies, appear to have experienced the brunt of NotPetya infections. The Ukrainian government has yet to detail in full the costs, outages or cleanup — some of which likely continues — resulting from NotPetya. But it has blamed the attack on Russia. ... Read More.
How secure is your car? Unpatchable flaw lets attackers disable safety features
ZD Net, August 17 — Researchers have discovered a security flaw that probably affects all new vehicles. It allows an attacker to turn off safety features, such as airbags, ABS brakes, and power steering — or any of a vehicle's computerized components connected to its controller area network, or CAN bus. Because it's a design flaw in the CAN bus messaging protocol standard used in CAN controller chips, the vulnerability can't simply be patched with a recall, as happened after researchers remotely hacked a Jeep in 2015. It's also not specific to one vehicle model or its underlying electronics. Additionally, the attack on the flaw devised by the researchers sidesteps common intrusion-prevention and detection techniques, which protect CANs by blocking malicious CAN messages. Instead of trying to inject a malicious CAN bus message, or "frame", into the network, the attack targets how CAN responds to error messages. If a device generates too many error messages, the CAN disconnects that device from the bus, disabling its functionality. "Our attack focuses on how CAN handles errors," writes Trend Micro researcher Federico Maggi, one of the paper's authors. "Errors arise when a device reads values that do not correspond to the original expected value on a frame. When a device detects such an event, it writes an error message onto the CAN bus to 'recall' the errant frame and notify the other devices to entirely ignore the recalled frame." ... Read More.
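As an added illustration (not code from the ZDNet article or the Trend Micro paper), the toy model below replays bus events through the error-confinement rules the article refers to, and shows a bus monitor flagging a node whose error count is climbing toward disconnection. The counter thresholds follow the CAN specification; the node names, the event stream and the alert threshold are constructed for the demo.

```python
from dataclasses import dataclass

# Thresholds from the CAN specification's error-confinement rules.
ERROR_PASSIVE = 128   # at or above this TEC a node may only send passive error flags
BUS_OFF = 255         # above this TEC the controller takes the node off the bus

@dataclass
class Node:
    name: str
    tec: int = 0                  # transmit error counter
    state: str = "error-active"

    def on_tx_error(self):
        # A frame that other nodes errored out costs the sender 8 points.
        self.tec += 8
        self._update_state()

    def on_tx_ok(self):
        # Each successfully transmitted frame earns 1 point back (floor at 0).
        self.tec = max(0, self.tec - 1)
        self._update_state()

    def _update_state(self):
        if self.tec > BUS_OFF:
            self.state = "bus-off"
        elif self.tec >= ERROR_PASSIVE:
            self.state = "error-passive"
        else:
            self.state = "error-active"

def replay(events, alert_at=ERROR_PASSIVE):
    """Replay (node, outcome) events, outcome being 'ok' or 'error'.
    A monitoring node cannot read another controller's TEC, so it infers
    it by counting the error frames that follow each node's transmissions.
    An alert fires the first time a node's inferred TEC reaches alert_at,
    i.e. before the controller would silently drop to bus-off."""
    nodes, alerts = {}, []
    for name, outcome in events:
        node = nodes.setdefault(name, Node(name))
        before = node.tec
        if outcome == "error":
            node.on_tx_error()
        else:
            node.on_tx_ok()
        if before < alert_at <= node.tec:
            alerts.append(f"{name}: inferred TEC {node.tec}, heading for bus-off")
    return nodes, alerts

# Constructed sample traffic: one node with a couple of ordinary bit errors,
# and one whose every frame is being errored out.
SAMPLE_EVENTS = ([("engine", "ok")] * 20 + [("engine", "error")] * 2
                 + [("engine", "ok")] * 5 + [("airbag", "error")] * 33)
```

Running `replay(SAMPLE_EVENTS)` leaves the engine node error-active with a low count, while the airbag node is flagged at the error-passive threshold and ends bus-off, which is the condition the article describes as the device being disconnected.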
LambdaLocker ransomware victim? Now you can decrypt your files for free
ZD Net, August 17 — Victims of LambdaLocker ransomware can now get their files back for free using a decryption tool released as part of the No More Ransom initiative. The scheme was launched last year with the goal of bringing law enforcement and private industry together to fight file-locking malware. No More Ransom recently celebrated its one-year anniversary, and now offers over 50 decryption tools for use against more than 100 ransomware families. Now cybersecurity researchers at Avast Antivirus have added a decryption tool for LambdaLocker to the portal, allowing victims to retrieve their files without paying the 0.5 Bitcoin [$2,200] ransom that attackers demand in exchange for the cryptographic key. LambdaLocker first appeared in January and uses AES-256 encryption together with SHA-256 hashing to encrypt victims' files, making them inaccessible and adding the extension '.lambda_l0cked'. But an error in the latest build of the ransomware has allowed Avast researchers to retrieve files. "There was a bug in the cryptography implementation in the latest version of the LambdaLocker ransomware, which allowed us to decrypt the victims' files without paying the ransom," Ladislav Zezula, Malware Researcher at Avast, told ZDNet. ... Read More.