Computer Weekly on the average time an attacker remains undetected in EMEA-based networks increasing to just about six months:
The time taken by firms to detect breaches increased by 40% from 2016 to 175 days on average in 2017, according to the latest M-Trends report by security firm FireEye.
This dwell time for the Europe, Middle East and Africa (EMEA) region is also 74 days longer than the global average of 101 days, which is up from 99 days in 2016, according to the report, which is based on information gathered during investigations by FireEye’s security analysts in 2017.
The report attributes the increase in dwell time to the rise in the number and variety of attacks from multiple threat actors, a decrease in organisations using incident response to address destructive malware, an increase in notifications by law enforcement, and an increase in the discovery of existing compromises relating to industrial control systems (ICS).
Interesting to read that EMEA dwell time is two and a half months longer than the global average. While I understand the overall dwell time increase, what is unique about EMEA making the area appear less effective at detection than the rest of the world?
WIRED has a nice exposé on Fin7, a highly sophisticated actor responsible for major breaches of The Hudson’s Bay Company, Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, and Chipotle:
While lots of criminal hacking gangs are simply out to make money, researchers regard Fin7 as a particularly professional and disciplined organization. The group—which often appears to be Russian-speaking, but hasn’t been tied to a home country—generally works on a normal business schedule, with nights and weekends off. It has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly. In the Saks breach, Fin7 used “point of sale” malware—software secretly installed in the cash register transaction systems customers interact with—to lift the financial data, a signature move.
“They’re connected to almost every major point of sale breach,” says Dmitry Chorine, cofounder and CTO of Gemini Advisory, a threat intelligence firm that works with financial institutions and that first reported the Saks/Lord & Taylor breach. “From what we’ve learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”
While the natural inclination would be to tie a criminal operation like this to Russia, especially with hints that the group are purportedly Russian speakers, that may simply be an extension of their sophistication. The actors may be so advanced they are capable of accurately copying Russian hacking groups, to take the heat off their own true identities. This will certainly buy them some time, but at some point they will likely make a small mistake that exposes exactly who the real criminals hiding behind the screens are.
So far Fin7 has largely succeeded at staying just out of reach, but it works at such a massive scale on so many heists at once that there are bound to be missteps. Just last week, Spanish police working with Europol, the FBI, and a group of other international agencies arrested what they called the “mastermind” behind Carbanak’s financial institution hacking, particularly a spree of ATM jackpotting and other money laundering. “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” Steven Wilson, the head of Europol’s European Cybercrime Centre, said of the operation last week.
Though an impressive step, researchers are skeptical that the arrest will really destabilize or neuter such a robust criminal syndicate. “Someone who was using part of the tools was arrested in Spain. He may be at a higher level of the food chain, but it definitely doesn’t necessarily mean the whole group has been dismantled,” says Gemini Advisory’s Chorine. “Even if you observe the chatter on criminal forums, there’s no clear indication of who was arrested.”
So as has been the case for years now, Fin7 will likely live to steal another credit card number. Or, more likely, millions of them.
Fin7 does appear to be a massive operation, with this one takedown likely not affecting their entire strategy. They will likely rebuild this capability rather quickly, and be right back to their criminal ways.
Organizations likely to be targeted by this group should not only invest in traditional cyber defense technologies, but need to consider threat intelligence as well. The days of merely installing a firewall, intrusion prevention system, web gateway, file sandboxing, and endpoint security are over. Technological solutions require a strategic layer, constant vigilance, and a more thorough understanding of the threat actors and their capabilities. This is why threat intelligence is far more important today than it ever has been.
Japan Today reports on a staggering number of personal information leaks as a result of cyber attacks targeting Japanese companies:
There were 3.08 million cases of personal information definitely or probably being leaked through cyberattacks on companies or other entities in Japan in 2017, a Kyodo News tally shows.
These figures are based on data security breaches at 82 entities last year — 76 companies, four administrative entities and two universities, according to the tally of confirmed or suspected data breaches.
The corresponding number of cases totaled 2.07 million in 2015, before surging to 12.6 million in 2016 due to a massive data leak at travel agency JTB Corp.
However, the amount of damages stemming from stolen credit card information hit an all-time high last year, as credit card information was involved in 530,000 cases, or roughly one-sixth of the total.
The total amount of damages roughly doubled from a year earlier to 17.6 billion yen ($166 million) in 2017, according to the Japan Consumer Credit Association.
Yet these figures probably understate the extent of the problem, according to some experts.
There are likely a host of companies unwilling to report data breaches for fear of legal liability or public embarrassment. Take these numbers with a huge spoonful of salt, because the real figure is almost guaranteed to be a much larger number.
Japan has been making strong strides to increase cyber security capability throughout the years. However, there is a lack of emphasis on computer science in grade, middle, and high schools. A concerted, strategic focus on educating young folks on cyber security, an extremely important topic, is essentially non-existent. Until the Japanese educational system catches up with the societal shift towards more data-driven enterprises, Japan will unfortunately remain a cyber security laggard.
Wired discusses the recent Atlanta ransomware attack and how actors leveraging SamSam are selective about their targets, often choosing organizations they believe will end up paying the ransom:
Attackers deploying SamSam are also known to choose their targets carefully—often institutions like local governments, hospitals and health records firms, universities, and industrial control services that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime. They set the ransoms—$50,000 in the case of Atlanta—at price points that are both potentially manageable for victim organizations and worthwhile for attackers.
And unlike some ransomware infections that take a passive, scattershot approach, SamSam assaults can involve active oversight. Attackers adapt to a victim’s response and attempt to endure through remediation efforts. That has been the case in Atlanta, where attackers proactively took down their payment portal after local media publicly exposed the address, resulting in a flood of inquiries, with law enforcement like the FBI close behind.
From an attacker’s point of view, it is just smart business to set the ransom price at a point within reach for the victim. The actors are banking on the victims believing it is far more expedient and less expensive to pay the ransom rather than endure a lengthy outage.
Although it appears easier to pay a ransom to rapidly resume operations, the overall economics of a ransomware attack are not that simple. Even if a victim pays a ransom, they will need to essentially rebuild their entire network from the ground up to ensure they completely eradicate any trace of the attackers. Merely paying a ransom does not guarantee the actors did not leave a backdoor somewhere within the network.
Performing a cost-benefit analysis is important in these situations, weighing the lost revenue due to the ransomware attack, the lost productivity, and the cost to pay the ransom against the cost to remediate the infection. This is no easy task, with no black-and-white answer. The chosen route ultimately depends on the business and the types of daily operations it undertakes. Ransomware attacks are not one-size-fits-all.
In the specific case of Atlanta, it sounds like mission critical data was encrypted in the ransomware attack. That the city cannot recover this data through local or cloud-based backups demonstrates a situation faced all too often: lack of proper foresight and planning. Had the city safely stored mission critical data off site in addition to its local storage, then forgoing payment and merely rebuilding would be an easy choice. But it seems the situation is much more complicated.
The City also suffered a cyberattack in April 2017, which exploited the EternalBlue Windows network file sharing vulnerability to infect the system with the backdoor known as DoublePulsar—used for loading malware onto a network. EternalBlue and DoublePulsar infiltrate systems using the same types of publicly accessible exposures that SamSam looks for, an indication, Williams says, that Atlanta didn’t have its government networks locked down.
“The DoublePulsar results definitely point to poor cybersecurity hygiene on the part of the City and suggest this is an ongoing problem, not a one time thing.”
Though Atlanta won’t comment on the details of the current ransomware attack, a City Auditor’s Office report from January 2018 shows that the City recently failed a security compliance assessment.
This is the issue: Atlanta lacks the necessary security professionals to keep its IT assets safe from modern attacks. This is a good lesson to be learned for other similar city governments. Get your act together and ensure security is a priority and baked into IT operations; otherwise, expect successful attacks to continue to hinder operations.
Reuters reports on an Under Armour data breach affecting upwards of 150 million MyFitnessPal user accounts:
The stolen data includes account user names, email addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver license numbers and payment card data were not compromised, it said.
It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.
Larger hacks include 3 billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by California-based FriendFinder Networks Inc in 2016, according to breach notification website LeakedSource.com.
Under Armour said it is working with data security firms and law enforcement, but did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act.
I have yet to locate a single article discussing how the breach occurred or any potential vulnerability exploited by the attackers to gain access to MyFitnessPal data.
If you use MyFitnessPal, I strongly suggest you immediately log in and change your password, especially if you reused a password you are using elsewhere [like the vast majority of internet users].
The Daily Beast has an exclusive report discussing how Guccifer 2.0, the self-proclaimed lone DNC hacker, appears to have slipped up in tradecraft and inadvertently revealed himself to be a Russian intelligence officer:
Guccifer famously pretended to be a “lone hacker” who perpetrated the digital DNC break-in. From the outset, few believed it. Motherboard conducted a devastating interview with Guccifer that exploded the account’s claims of being a native Romanian speaker. Based on forensic clues in some of Guccifer’s leaks, and other evidence, a consensus quickly formed among security experts that Guccifer was completely notional.
Proving that link definitively was harder. Ehmke led an investigation at ThreatConnect that tried to track down Guccifer from the metadata in his emails. But the trail always ended at the same data center in France. Ehmke eventually uncovered that Guccifer was connecting through an anonymizing service called Elite VPN, a virtual private networking service that had an exit point in France but was headquartered in Russia.
But on one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation. Twitter and WordPress were Guccifer 2.0’s favored outlets. Neither company would comment for this story, and Guccifer did not respond to a direct message on Twitter.
Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.
There are a few angles from which to look at this. Primarily, if this is true, it is a major slip-up in GRU cyber tradecraft. Failure to activate a VPN is a huge issue, and not something seasoned actors would normally do.
However, Putin seems unconcerned about being accused of taking part in the DNC hacks, and any potential connections to the Trump campaign. He just won a new term in a sham election, and likely looks at this find as not a big deal.
So what? What will the United States do that could potentially harm Russia? It is not like the Trump Administration has taken a strong stance on Russia.
Finally, the security world had all but decided Guccifer 2.0 was Russian intelligence. This merely adds one additional data point to a lot of data pointing towards the GRU. So really it is not a major find in the grand scheme.
NBC News is reporting the Equifax hack is worse than originally thought, with an additional 2.4 million customer records affected:
The company said it was able to confirm the identities of U.S. consumers whose driver’s license information was taken by referencing other information in proprietary company records that the attackers did not steal.
“Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them,” the company said.
The new information is the latest blow to the industry giant, which lost three top executives — including its longtime CEO Rick Smith — in the fallout of the mega-breach that exposed private information belonging to 143 million people.
Equifax is a company whose entire existence relies upon collecting personally identifiable information. Therefore it should be blatantly obvious to even the most inexperienced layman that properly securing and defending this data is of the utmost importance. To have identified an additional 2.4m people months after the original disclosure demonstrates their complete and utter disregard for the people.
This company needs to be slapped with fines and investigated for their exceedingly poor security posture, if they had any to begin with.
NHK WORLD reports that Porsche Japan had a network breach leading to customer data being leaked:
The Japanese arm of German automaker Porsche says more than 28,000 email addresses have been leaked via a hack.
Porsche Japan says information at risk includes 23,151 email addresses belonging to customers who asked for product brochures via the internet between 2000 and 2009.
Its officials suspect their customers’ names, postal addresses, phone numbers and income information may also have been compromised.
They have also admitted to a leak of email addresses of customers who participated in a 2015 sales campaign.
Not good at all. I am curious what attack vector was used to breach the network and subsequently exfiltrate the data. Additionally, I wonder what their security operations center and situational awareness capabilities are.
TechRepublic is reporting on a Securities and Exchange Commission update to a 2011 cyber security statement, stating US publicly traded companies will be required to disclose in a timely manner when they have been breached or there are material cyber security risks:
First, and most importantly, is that the SEC is essentially extending its interpretation of older disclosure rules to cover cybersecurity. If you are familiar at all with SEC disclosure guidelines under the Securities Act of 1933 and the Securities Exchange Act of 1934, these new guidelines won’t appear very different—the SEC even wants disclosures filed on the same forms.
As the original 2011 statement said, “although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents.”
What this new interpretive statement does is reinforce and expand the 2011 original, along with adding an important section designed to crack down on insiders trading stock based on undisclosed knowledge of a cyber attack—something important to consider in the wake of stock dumping accusations surrounding the Equifax breach (of which executives were later cleared in an internal investigation).
What the SEC has to say on that particular front is clear: “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”
In other words, disclose incidents immediately to prevent even the appearance of impropriety.
It should be obvious to anyone that disclosure should be mandatory. However, most companies will act in the best interest of the officers running the company, and therefore will oftentimes attempt to hide breaches from the public. This is harmful in so many ways that it is almost unbelievable that in 2018 there are no actual legally binding requirements.
ZDNet is reporting Tesla failed to properly secure their Amazon Web Services servers, thus leading to a breach where the attackers were using them to mine cryptocurrency:
Researchers from the RedLock Cloud Security Intelligence (CSI) team discovered that cryptocurrency mining scripts, used for cryptojacking — the unauthorized use of computing power to mine cryptocurrency — were operating on Tesla’s unsecured Kubernetes instances, which allowed the attackers to steal the Tesla AWS compute resources to line their own pockets.
Tesla’s AWS system also contained sensitive data including vehicle telemetry, which was exposed due to the unsecured credentials theft.
“In Tesla’s case, the cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment,” RedLock says. “Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets.”
The unknown hackers also employed a number of techniques to avoid detection. Rather than using typical public mining pools in their scheme, for example, the threat actors instead installed mining pool software and instructed the mining script to connect to an unlisted endpoint.
Tesla essentially lives within connected services, and to make such an amateur mistake is surprising for the company. The attackers could have done a lot more damage, but were ultimately more interested in trying to make money than vandalism.
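The detail worth dwelling on in the RedLock excerpt above is that the miners were pointed at an unlisted endpoint rather than a public pool, so any detection keyed on known pool addresses would have stayed silent. The following is an added example, not code from the article, RedLock or Tesla: a small Python detector that works from the other direction, treating every outbound connection from a pod that is not on an explicit egress allowlist as a finding, with mining-pool ports only as an extra tag. The log format, the pod names, the addresses, the allowlist and the port list are all constructed for the example.

```python
"""Added example (not from the article or from RedLock/Tesla): allowlist-based
egress detection over constructed Kubernetes pod connection logs.

The point taken from the passage: the miner connected to an *unlisted* pool
endpoint, so a blocklist of known pools would not fire.  Flagging every
outbound connection that is not explicitly allowed catches it regardless.
"""
import ipaddress
from collections import OrderedDict

# Constructed sample log, one connection per line:
# "<timestamp> <namespace>/<pod> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2018-02-20T10:01:02Z default/web-7f9c 52.219.0.10 443 tcp
2018-02-20T10:01:05Z default/web-7f9c 10.0.3.15 5432 tcp
2018-02-20T10:02:11Z kube-system/kubernetes-dashboard-5d8 203.0.113.77 3333 tcp
2018-02-20T10:02:12Z default/batch-2a1 198.51.100.9 443 tcp
2018-02-20T10:03:00Z default/batch-2a1 198.51.100.9 443 tcp
"""

# Assumed cluster policy (constructed): RFC 1918 ranges are east-west traffic,
# and the only external destination pods should ever reach is this placeholder
# object-storage endpoint on 443.  A real deployment derives this list from
# its NetworkPolicy or service-mesh egress configuration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
EGRESS_ALLOWLIST = {("52.219.0.10", 443)}

# Ports commonly used by Stratum mining pools (an assumption, not from the page).
# Used only to tag a finding, never as the sole trigger, since the attackers in
# the passage chose an endpoint that no port or address list would have known.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse_line(line):
    """Split one constructed log line into fields; None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, pod, dst_ip, dst_port, proto = parts
    try:
        return {"ts": ts, "pod": pod, "dst_ip": ipaddress.ip_address(dst_ip),
                "dst_port": int(dst_port), "proto": proto}
    except ValueError:
        return None


def is_internal(ip):
    """True when the destination stays inside the cluster's private ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def detect_unlisted_egress(log_text, allowlist=EGRESS_ALLOWLIST):
    """Return one finding per distinct (pod, dst_ip, dst_port) that leaves the
    cluster for a destination not on the allowlist, in first-seen order."""
    findings = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal(rec["dst_ip"]):
            continue  # malformed line or east-west traffic: out of scope here
        key = (rec["pod"], str(rec["dst_ip"]), rec["dst_port"])
        if (key[1], key[2]) in allowlist:
            continue
        if key in findings:
            findings[key]["count"] += 1  # repeated connection, same finding
            continue
        reasons = ["not_allowlisted"]
        if rec["dst_port"] in MINING_PORTS:
            reasons.append("mining_port")
        findings[key] = {"pod": key[0], "dst": key[1], "port": key[2],
                         "first_seen": rec["ts"], "count": 1, "reasons": reasons}
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_unlisted_egress(SAMPLE_LOG):
        print(f"{f['pod']} -> {f['dst']}:{f['port']} x{f['count']} {f['reasons']}")
```

On the constructed sample the detector reports two findings: the dashboard pod reaching 203.0.113.77 on a mining-pool port, and a batch pod making repeated connections to an address that is simply not on the allowlist. The second finding is the important design choice: it fires with no knowledge of pools at all, which is what an unlisted endpoint demands of a defender.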
WIRED has an in-depth article on the recently revealed North Korean hacker group known as APT37 aka ScarCruft aka Group123:
In its analysis of APT37, FireEye provides a rare breakdown of the hacker group’s entire known toolset, from initial infection to final payload. Earlier this month, security firms tracked the group using a zero-day vulnerability in Adobe Flash to spread malware via websites, an unusual use of a still-secret and unpatched software flaw. But in the past, the group has also exploited non-zero-day Flash vulnerabilities that victims have been slow to patch, lingering flaws in the popular Korean Hangul word processor to infect computers via malicious attachments, and even BitTorrent, indiscriminately uploading malware-infected software to piracy sites to trick unwitting users into downloading and installing it.
Once it finds an initial foothold on a victim’s machine, APT37 has a diverse grab bag of spy tools at its disposal. It has installed malware that FireEye calls DogCall, ShutterSpeed, and PoorAim, all of which have the capability of stealing screenshots of a victim’s computer, logging keystrokes, or digging through their files. Another malware sample, ZumKong, is designed to steal credentials out of browser memory. A tool called CoralDeck compresses files and extracts them to the attacker’s remote server. And a piece of spyware FireEye calls SoundWave takes over a victim’s PC microphone to silently record and store eavesdropped audio logs.
Perhaps most disturbing, Hultquist notes, is that APT37 has in some cases also dropped a tool that FireEye calls RUHappy, which has the potential to destroy systems. That wiper malware deletes a portion of the computer’s master boot record and restarts the computer so that it’s left fully paralyzed, displaying only the words “Are You Happy?” on the screen. FireEye notes that it’s never actually seen that malware triggered on a victim’s network—only installed and left as a threat. But Cisco’s Talos researchers noted in their own detailed report on APT37 last month that a 2014 attack on a Korean power plant had indeed left that three-word message on wiped machines, though they weren’t able to otherwise tie that attack to APT37.
It is fascinating how the different groups of hackers within nation-state-backed organizations use different tactics, techniques, and procedures, thus making it relatively easy for foreign intelligence agencies to track their operations so well. While there is no definitive proof APT37 is who FireEye says they are, there is a good chance this is the real deal. Attribution used to be difficult, but has come a long way in recent years.
This is one group to watch, especially since they have already targeted Japan. This means there is a possibility they may leverage Tokyo 2020 as a jumping point into Japanese networks.
The Washington Post reports US National Security Advisor H.R. McMaster, someone hand-picked by President Trump after he fired Michael Flynn, has publicly acknowledged evidence of Russian interference in the 2016 presidential election is “incontrovertible”, which then prompted an interesting tweet from POTUS:
The comments, a day after the Justice Department indicted 13 Russians on charges of interference in the election that catapulted Donald Trump to the White House, follow months of efforts by the president to cast doubt on assertions of Moscow’s interference.
In a late-night tweet Saturday, President Trump hit out at McMaster, saying he “forgot” to mention that the Russians had not impacted the results of the election and that there had been no collusion with his campaign. Both are frequent Trump talking points that have not been substantiated by intelligence agency conclusions or investigators.
“General McMaster forgot to say that the results of the 2016 election were not impacted or changed by the Russians and that the only Collusion was between Russia and Crooked H, the DNC and the Dems. Remember the Dirty Dossier, Uranium, Speeches, Emails and the Podesta Company!”
McMaster’s comments came as he used a high-profile address at a global security conference to try to rally Western allies against common enemies, offering an olive branch to U.S. partners that have often felt battered and neglected in the age of Trump.
On the one hand it is good to see someone in the Trump administration acknowledge Russian interference in the 2016 presidential election. On the other, I find Trump’s inability to fully comprehend the situation incredibly frustrating. It is curious he is so quick to blame everyone but Russia for what happened.
Reuters reports on the UK publicly attributing and blaming Russia for last year’s NotPetya attack, which crippled multiple UK government agencies and businesses:
The so-called NotPetya attack in June started in Ukraine where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices.
Britain’s foreign ministry said the attack originated from the Russian military.
“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” the ministry said in a statement.
“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt,” it said.
“Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”
The UK is showing the current US administration how to play hardball politics against Russia. Since the US is not publicly condemning Russia for their bad behavior, our allies will have to fill in that gap until the administration changes its tune.
ZDNET reports about new Lazarus attack activity designed to steal bitcoins from global banking organizations:
Now Lazarus has resurfaced once again, with a phishing campaign which aims to plant malware on the systems of global financial organisations and bitcoin users for both short-term and long-term gain.
Dubbed ‘HaoBao’, the campaign has been uncovered by MacAfee [sic] Labs. It’s different to other phishing operations by the Lazarus group and uses novel code to infect machines.
The latest Lazarus campaign was first spotted in mid-January, when researchers discovered a malicious document being distributed via a Dropbox link, which claimed to be a job advert for a business development executive located in Hong Kong for a large multi-national bank.
The author is listed as ‘Windows User’ and the document was created in Korean, with additional similar documents appearing in the days which followed.
Attackers pose as a job recruiter, and send the target a spear-phishing email with a fake job advert, which when opened encourages the user to ‘enable content’ to see a document they’re told was created with an earlier version of Word.
The entire campaign does not appear to be all that sophisticated despite the techniques not having been previously witnessed. North Korea seems to be laser focused on stealing money rather than disruption or destruction. Now is an interesting time to focus on stealing bitcoin considering its recent major devaluation, but if Lazarus is in it for the long-term then it may prove lucrative.
“We know the cause of the problem but that kind of issues occurs frequently during the Games. We decided with the IOC we are not going to reveal the source (of the attack),” he told reporters.
Russia, which has been banned from the Games for doping, said days before the opening ceremony that any allegations linking Russian hackers to attacks on the infrastructure connected to the Pyeongchang Olympic Games were unfounded.
“We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea,” Russia’s foreign ministry said.
“Of course, no evidence will be presented to the world.”
It makes sense not to publicly announce attribution for this attack until after the games have been completed. There is nothing to gain from discussing it in the open at this juncture. Once the games are finished, a lessons-learned and complete after-action report on the cyber attacks will be a treasure trove of information extremely useful to Japan for Tokyo 2020.