Monday, April 25, 2016

Issue 61 - Week of April 18th

1. Singapore penalizes firms for data breaches: Several organizations in Singapore have been fined or issued warnings for breaching the country's Personal Data Protection Act (PDPA), including local IT retail chain Challenger Technologies and Chinese handset maker Xiaomi. The Act does not apply to the public sector or government. K Box Entertainment suffered a breach in 2014 but has to date failed to put in place adequate data protection policies and security safeguards; it was fined S$50,000. The Institution of Engineers, Singapore and Fei Fah Medical Manufacturing were fined S$10,000 and S$5,000 respectively for failing to implement sufficient security measures to safeguard the data of their members and customers.

2. Creepy new ransomware uses image from popular horror film: Another ransomware has entered circulation, known as BitcoinBlackmailer.exe or JIGSAW. This malicious program encrypts your files while adding, with no irony, the '.FUN' file extension. It also threatens to start deleting files if the ransom is not paid within an allotted time, complete with a countdown timer. To add to the victim's distress, the ransomware displays the face of the character Billy the Puppet from the horror movie series Saw (see image below). Forcepoint Security Labs was able to reverse engineer it and retrieve the encryption key. This malware can be detected and blocked by web security solutions like Forcepoint, using its ACE technology.

3. Samsam server-side ransomware targets schools, hospitals: A new ransomware program called Samsam uses vulnerabilities in the JBoss application server to infect networks, with attackers focusing on health care organizations and schools. Samsam and another recent ransomware program, Maktub, do not require a connection to a command-and-control server to encrypt data on a targeted system.

4. Security expert builds ransomware blocker for Mac: An expert has built a utility that scans for untrusted processes that are encrypting personal files and stops them dead. The utility is called "RansomWhere?". False positives are kept to a minimum because RansomWhere? explicitly trusts binaries signed by Apple. It also trusts applications that are already present on the system when it is installed. This is a double-edged feature: on one hand it helps reduce false positives, but on the other, if ransomware is already present on the system before RansomWhere? is installed, it may not be detected.

5. Python-based malware infects European companies: IT security researchers have discovered an unusual family of malicious code written entirely in the Python programming language, which makes it easy to port to different operating systems. The malware uses a modular design that allows it to carry out a selection of different attacks, including executing files, logging keystrokes, mining bitcoins, executing arbitrary Python code and communicating with a remote server. It has targeted a number of European organizations, particularly in Poland, where the targets include a national research institution, a shipping company, a large retailer and an IT organization, as well as a construction company in Denmark and an optical equipment provider in France.

6. Manufacturers suffer increase in cyber-attacks: The manufacturing sector is now one of the most frequently hacked industries, second only to healthcare; financial services has dropped to third place. Many manufacturing companies are behind the curve in security because they have not been held to compliance standards the way financial services has. Manufacturers also appear to be vulnerable to older attacks such as Heartbleed, Shellshock and SQL injection. Industrial control systems also pose a challenge to manufacturers, as most of them run decade-old operating systems. Recommended defensive strategies are an annual IT risk assessment, annual penetration tests and ongoing vulnerability scanning.

7. Apple v/s FBI: In the New York drug dealer iPhone case, the Justice Dept. found a way into the locked phone and hence dropped its demand for Apple's help. In this case no hacks were needed: according to the prosecutor, someone provided the passcode to unlock the device. In the other case, the FBI director hinted that the agency spent more than $1.3M to hack into the terrorist's iPhone.

8. Hackers can spy on your calls and track your location using just your phone number: The famous '60 Minutes' television show shocked some viewers Sunday evening when a team of German hackers demonstrated how they spied on an iPhone used by a U.S. Congressman, then recorded his phone calls and tracked his movements through Los Angeles. The hackers leverage a security flaw in the SS7 (Signalling System Seven) protocol that allows them to track phone locations and listen in on calls and text messages. The weakness affects all phones, whether iOS, Android or anything else, and is a major security issue. The network operators are unwilling or unable to patch the hole, and there is little that smartphone users can do.

9. Long arm of the law catches up: Two international hackers have been sentenced to 24 years and 6 months in prison for their roles in developing and distributing the SpyEye banking Trojan, a powerful botnet similar to the infamous ZeuS malware. Both hackers were charged with stealing hundreds of millions of dollars from banking institutions worldwide. In a different case, a former Reuters journalist who was convicted last year of helping the Anonymous hacker group has been sentenced to 24 months in prison on computer hacking charges. He was found guilty of giving login credentials to Anonymous, which the group used to deface the Los Angeles Times.

10. Don't fool around with politicians, esp. Lalu: An Indian engineering student who was arrested last week for hacking into Lalu Prasad's Facebook page and posting objectionable content has been expelled from his college. He is a third-year student at a local engineering college in Bihar. The cyber cell arrested the student and seized two mobile phones and a SIM card which he allegedly used.

Billy the Puppet from the horror movie series Saw:

Sunday, April 17, 2016

Issue 60 - Week of April 11th

1. FDIC suffers data breach: The Federal Deposit Insurance Corporation (FDIC), which provides deposit insurance to depositors in US banks, suffered a major data breach exposing the records of 44,000 customers. A former employee who had legitimate access to the data downloaded it to a personal device and left the corporation with it. An FDIC spokeswoman confirmed that the former employee has signed an affidavit stating that no breached information was used in any form. This growing threat from insiders is a big worry for all CIOs whose companies handle sensitive data.

2. Hybrid GozNym malware targets customers of 24 financial institutions: A group of cybercriminals has combined two powerful malware programs (the Gozi ISFB malware and the Nymaim malware) to create a new online banking Trojan, GozNym, that has already stolen millions of dollars from customers of 24 U.S. and Canadian banks. Nymaim is a dropper that uses a DLL from Gozi, which is capable of injecting malicious code into web browsing sessions. Together they are used to steal credentials and perform online banking fraud.

3. Cybercriminals now target tier-2 systems: With tier-1 systems like retail banking becoming more secure, the cybercriminals targeting Australia are shifting their focus to other targets where money is held and security is poor, such as payroll, invoicing and superannuation systems. The criminals log in to these systems using stolen credentials, check the date of the next pay run and log out. They log back in just before the pay run, change employees' bank details to their own or to accounts they control, and let the payroll run proceed.
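A defender's view of the pattern just described, as an added example that is not from the original post or any payroll product: constructed audit events are scanned for bank-detail changes made shortly before the next pay run from an IP address the user has not logged in from before, and for one destination account being attached to several employees. The log format, the user names, the baseline IP list and the 48-hour window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from any real payroll product).
# One event per line: timestamp | user | action | key=value details
SAMPLE_LOG = """\
2016-04-01T09:12:00 | alice | login | ip=10.0.0.5
2016-04-01T09:13:10 | alice | view_payrun_schedule | next_run=2016-04-15T06:00:00
2016-04-01T09:14:00 | alice | logout |
2016-04-14T10:00:00 | hr_bob | login | ip=10.0.0.7
2016-04-14T10:05:00 | hr_bob | change_bank_account | employee=emp-03 acct=ACCT-1234
2016-04-14T23:40:00 | alice | login | ip=203.0.113.9
2016-04-14T23:41:00 | alice | change_bank_account | employee=emp-17 acct=ACCT-9999
2016-04-14T23:41:30 | alice | change_bank_account | employee=emp-23 acct=ACCT-9999
2016-04-14T23:42:00 | alice | logout |
"""

# Assumed baseline: IP addresses each payroll user was seen from before this log window.
BASELINE_IPS = {"alice": {"10.0.0.5"}, "hr_bob": {"10.0.0.7"}}

PRE_RUN_WINDOW_HOURS = 48  # assumed: changes this close to the pay run get extra scrutiny


def parse_log(text):
    """Turn the pipe-separated lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, details = [p.strip() for p in line.split("|", 3)]
        kv = dict(item.split("=", 1) for item in details.split() if "=" in item)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, **kv})
    return sorted(events, key=lambda e: e["ts"])


def detect_payroll_redirection(text, baseline_ips=BASELINE_IPS,
                               window_hours=PRE_RUN_WINDOW_HOURS):
    """Return (user, employee, reasons) for bank-detail changes matching the pattern:
    a change shortly before the pay run from a never-before-seen IP, or one
    destination account being attached to more than one employee."""
    known_ips = defaultdict(set, {u: set(ips) for u, ips in baseline_ips.items()})
    session_ip = {}                     # user -> (ip, was_new_for_user)
    next_run = None                     # pay-run date most recently shown to a user
    acct_owners = defaultdict(set)      # destination account -> employees paid into it
    alerts = []
    for e in parse_log(text):
        if e["action"] == "login":
            ip = e["ip"]
            session_ip[e["user"]] = (ip, ip not in known_ips[e["user"]])
            known_ips[e["user"]].add(ip)
        elif e["action"] == "view_payrun_schedule":
            next_run = datetime.fromisoformat(e["next_run"])
        elif e["action"] == "change_bank_account":
            ip, new_ip = session_ip.get(e["user"], ("unknown", True))
            acct_owners[e["acct"]].add(e["employee"])
            reasons = []
            if next_run is not None:
                hours_left = (next_run - e["ts"]).total_seconds() / 3600
                if 0 <= hours_left <= window_hours and new_ip:
                    reasons.append(f"changed {hours_left:.1f}h before pay run from new IP {ip}")
            if len(acct_owners[e["acct"]]) > 1:
                reasons.append(f"account {e['acct']} now shared by "
                               f"{sorted(acct_owners[e['acct']])}")
            if reasons:
                alerts.append((e["user"], e["employee"], reasons))
    return alerts


if __name__ == "__main__":
    for user, employee, reasons in detect_payroll_redirection(SAMPLE_LOG):
        print(f"ALERT {user} -> {employee}: {'; '.join(reasons)}")
```

On the sample trail hr_bob's daytime change from a known address is left alone, while both of alice's late-night changes from the unfamiliar address are flagged, the second one additionally because two employees now share one destination account.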

4. Are you using an Apple iPad? If yes, upgrade to iOS 9.3.1 immediately: iOS versions previous to this are vulnerable to the 1/1/1970 bug attack. If the iPad is on an untrusted Wi-Fi network with a spoofed NTP server that sets the date to 1/1/1970, the iPad's software becomes unstable, causing overheating and permanently damaging the device. Fortunately this cannot happen to the iPhone, as the phone depends on the GSM network for its date and time.

5. Are you using QuickTime for Windows? If yes, uninstall it now: Two reasons why you should: (i) Apple has abandoned QuickTime for Windows and will not deliver security updates; (ii) there are two known critical vulnerabilities that could allow an attacker to take control of a system running QuickTime.

6. Apple v/s FBI: After getting a third party to hack the shooter's iPhone, sources have confirmed that nothing useful was found on it. In the drug dealer iPhone case, Apple resists the FBI's call to unlock the iPhone. Apple told a federal court last week that it should not be asked to help the FBI unlock the iPhone used by the drug dealer, and that the case would lead to "an avalanche" of similar demands if prosecutors prevailed.

7. FBI Director puts tape over his webcam: The director admitted that he has put a piece of tape over his personal laptop's webcam. On one hand he says 'absolute privacy hampers law enforcement', but on the other he is doing exactly that with his personal webcam. However, tape on a webcam cannot stop hackers or government spying agencies from recording your voice. The FBI has in the past used malware to hack into cameras to spy on targets.

8. Petya ransomware cracked: In issue 58 we spoke about this new ransomware that encrypts the whole hard drive. A researcher has discovered a weakness in the nasty malware's design. To crack it, victims need to run a tool that extracts specific data from the infected hard drive and upload that data to the researcher's password generator tool, which generates the decryption key for free. This is a great solution to decrypt the infected files, but most likely the Petya authors have already heard about this tool and are modifying their code to disable the solution, so there is no guarantee the tool will continue to work indefinitely. Regular backups and a good web security solution are the best bets against ransomware.

9. Cox investigates as employee data appears for sale on the dark web: Names, email addresses, phone numbers and other information relating to some 40,000 Cox Communications employees are currently advertised on a marketplace specializing in stolen data and computer exploits. Cox is aware of the matter, has engaged a third-party forensic team to conduct a comprehensive investigation and is actively working with law enforcement.

10. Online banking and plastic card fraud in India increases: The incidence of ATM, credit card, debit card and net banking-related fraud has gone up by more than 35 percent between 2012-13 and 2015-16 in India, according to the Reserve Bank of India. 11,997 cases were booked in the first nine months of 2015-16. In Mumbai alone, credit card fraud rose 151% and makes up 55% of cyber-crimes this year.

Sunday, April 10, 2016

Issue 59 - Week of April 4th

1. 'Panama Papers' law firm was hacked: In the latest twist in the historic "Panama Papers" data leak and scandal, the founding partner of the law firm whose files were dumped, exposing illicit offshore holdings of global political leaders, celebrities and others, says his firm was hacked by an outsider. The law firm, Mossack Fonseca, has two main websites: one runs on WordPress and the customer portal runs Drupal. Both sites were running outdated versions of the software, and in both cases significant security holes existed that would have allowed hackers access.

2. Heartbleed remains a risk 2 years after it was reported: On April 7, 2014, Heartbleed was publicly disclosed by the OpenSSL project, affecting millions of users and devices around the world. It was used by hackers to attack several corporates, government agencies such as the Canada Revenue Agency (CRA), and some of the largest banks in the US. Two years after it was first reported, the vulnerability remains a risk and is likely still being exploited by attackers taking advantage of unpatched servers. Most of the organizations that are still at risk are so because they don't know what their third-party vendors have implemented in the products they run on their networks.

3. Trump hotel chain suffers fresh data breach: Republican candidate Donald Trump's hotel chain, The Trump Hotel Collection, has become the victim of a credit card system data breach for the second time in only a year. Experts have spotted a "pattern of fraud" relating to customer credit cards, which implies the Trump Hotel Collection may once again be harboring malware on point-of-sale (PoS) systems within some hotels, or potentially all of them. In January, Hyatt Hotels admitted that 250 hotels in 54 countries were affected by a cyber-attack that targeted customer financial information.

4. FBI says it can unlock the 5c but not the 5s or later phones: The Apple v/s FBI case did not drag on, as a third party helped the FBI unlock the iPhone 5c. The director confirmed that they now have a tool that works on a narrow slice of phones. However, the agency could not unlock an iPhone 5s running iOS 7 that was used by a drug dealer in New York, and has sought Apple's help. This new case represents the latest battleground in the legal dispute between US officials and Apple over encryption.

5. Philippines and Turkey suffer hacks: The database of the Philippine Commission on Elections (COMELEC) has been breached and the personal information of 55 million voters potentially exposed, in what could rank as the worst ever government data breach anywhere. Meanwhile in Turkey, personal details of nearly 50 million Turkish citizens, including those of the country's President, have been compromised and posted online in a massive security breach.

6. Phishing email that knows your address: We are moving into a "post-privacy" society, where it is not uncommon for an attacker to have access to information that we previously considered personal. Using this, hackers carefully craft user-specific emails that contain links and personal information to trick victims into installing a new kind of ransomware. BBC News reported that some of its staffers have received such emails. Ransomware is increasingly becoming a problem for private companies, hospitals and citizens.

7. Dridex becomes more dangerous: Experts have observed that in addition to stealing banking credentials, the malware is increasingly also being used to steal credit card information. The first few versions of Dridex were focused on English-speaking countries like Australia, the UK and the U.S., while the current versions target companies from all over the world. Dridex seems to be back after being taken down by authorities last October.

8. Adobe patches zero-day flaw used by exploit kit: Adobe has patched 24 vulnerabilities, including a zero-day issue being exploited by the Magnitude Exploit Kit and flaws reported at the Pwn2Own contest. Some of the vulnerabilities were being used by the Magnitude Exploit Kit to deliver ransomware identified as Cerber and Locky through "drive-by downloads", which do not require user action to initiate. Unlike attachment-based malware, simply visiting a website, whether by browsing to it or by clicking a URL in an email, exposes the browser's Adobe Flash Player to the exploit.

9. Over 135 million modems vulnerable to denial-of-service flaw: A vulnerability found in a modem used in millions of households can allow an attacker with access to the network to remotely reset the device, which wipes out the internet provider's settings and causes a denial of service until the modem owner contacts their internet provider. The problem lies in how the modem handles authentication and cross-site requests. A firmware upgrade that requires credentials before rebooting or resetting will fix this issue.

10. State Bank of Mysore customers lose money after accounts hacked: SBM has initiated an internal probe and lodged a complaint following the hacking of its banking system last week, which resulted in many customers losing large sums through multiple online transactions of ₹49. The bank has refunded the lost money to its customers. It is reported that some of them lost upwards of ₹50,000. Experts familiar with the matter have blamed the bank for its unpatched systems and poor security posture, which was not enough to defend against zero-day attacks or modern malware.
The series of text messages that customers of State Bank of Mysore received:

Sunday, April 3, 2016

Issue 58 - Week of Mar 27th

1. Mattel nearly loses $3M to a classic phishing scam: A finance executive with the maker of children's toys, Mattel, fell victim to a phishing scam and wired a cool $3 million to Chinese hackers. The phishing email was unremarkable and came directly from their new CEO, or so the executive thought. She was wrong. She wired the money and, within a few hours, realized the scam during a discussion with the CEO. Luckily the transfer took place on a bank holiday; with cooperation from Chinese authorities, Mattel was able to reclaim the wired cash before the hackers could claim it on the next working day. Other recent phishing attacks have targeted W-2 data.

2. MedStar hospital forced to turn patients away after virus attack: Last week the hospital was hit by ransomware; it responded quickly by taking the infected IT systems offline to avoid further corrupting its network infrastructure. The Baltimore Sun reported that a ransom of $18,500 was sought. MedStar declined to comment. The FBI is currently investigating the incident. Recently, a cancer hospital reported a breach, a hospital in Germany was held to ransom by cyber-attackers but did not pay up, and an LA hospital that went through a similar attack paid $17k.

3. Magento becomes fresh target for KimcilWare ransomware: Magento is an e-commerce platform used by over 200,000 companies worldwide. A strain of ransomware called KimcilWare is being used in campaigns against Magento websites. The malware is installed via a script which encrypts all data and can be spotted through the .kimcilware extension added to all locked files. A new index.html file displays a ransom note, alongside a readme file, demanding a ransom of $140 to unlock the e-commerce store. There is no cure for the infection, and infected users should consider reverting to backups to wipe it clean.

4. New ransomware encrypts the whole hard drive: While most ransomware focuses on infecting systems in order to lock files, a new breed called Petya goes further by completely removing access to hard drives and operating systems. Phishing emails are being sent to targeted firms (mostly HR departments) containing Dropbox links to applications which install Petya on systems. Once installed, Petya forces a reboot and loads its malicious code, which runs a 'scan' under the guise of the system tool check disk (CHKDSK). As this fake scan proceeds, Petya is encrypting the Master File Table on the drive. The ransom price is 0.9 BTC ($370). Regular backups and good web security solutions are a must to combat ransomware.

5. Apple v/s FBI: Last week the FBI announced that a third party had helped it unlock the iPhone, and the Department of Justice dropped the case. Apple got some kudos from consumers for standing its ground against the government. Apple is expected to tighten security even more with its next iPhone software, likely to be announced in June and available in September.

6. Bangladesh heist update: Last week a Chinese casino junket operator returned $4.63 million of the $81 million that hackers stole from the Bangladesh central bank's account at the US Federal Reserve Bank and laundered in Manila's casinos. Earlier, a $20 million transfer was rejected by a receiving bank in Sri Lanka because the beneficiary's name was misspelled.

7. Prepare to be hacked if you don't use a password for VNC: By choosing to use no authentication to secure a VNC connection, users are sending out a 'please hack me' invitation. A hacker created a script that cycles through internet IP addresses and tries to connect to unsecured servers through a web-based VNC viewer. If the script finds an available connection without any authentication, it connects and grabs a screenshot; otherwise it kills the session and moves to a different IP address. The hacker now has about 23GB of screenshots, some of which have been posted to VNC Roulette. Some of the images are mundane, such as people browsing Facebook, doing their online banking, reading email or shopping, while others feature SCADA systems and sensitive data.

8. Security flaw in Apple lets malicious apps in: Despite new security features in iOS 9, businesses still need to be alert to employees being duped into installing malicious configuration profiles on their iPhones. Apple offers enterprise certificates to allow businesses to distribute apps outside the App Store, and any app installed by the MDM is trusted. The MDM is a third party to Apple and is vulnerable to a man-in-the-middle attack. Researchers have shown how an attacker can hijack and imitate MDM commands that iOS trusts, including the ability to install enterprise apps over the air.

9. 6 charged for hacking lottery terminals to produce more winning tickets: Police have arrested and charged six people with crimes linked to hacking Connecticut state lottery terminals in order to produce more winning tickets than usual. Prosecutors say all six suspects are either owners or employees of retail stores that produced a much higher number of winning tickets than the state average. The hack appears to have exploited software weaknesses in the lottery terminals that not only caused ticket requests to be delayed but also allowed operators to know ahead of time whether a given request would produce a winning ticket.

10. Tech companies play April Fools' Day pranks: On April 1st every year the Internet finds its funny bone and fills with viral pranks from tech companies; this year Google, Samsung and Kayak all had their pranks. One of Google's pranks, "Introducing the self-driving bicycle in the Netherlands", was well received. Google said the self-driving bicycle would enable safe navigation through the city for Amsterdam residents and furthers Google's ambition to improve urban mobility with technology.