A Chinese state-sponsored hacking group has been targeting Malaysian government officials, computer experts with the Malaysian government said on Wednesday.
The purpose of the attacks has been to infect computers of government officials with malware and then steal confidential documents from government networks, Malaysia’s Computer Emergency Response Team (MyCERT) said in a security advisory.
The attacks against government officials consist of highly-targeted spear-phishing emails.
MyCERT says the attackers have been pretending to be a journalist, an individual from a trade publication, and representatives for a military organization and non-governmental organization (NGO).
The emails contained links to documents stored on Google Drive. The documents, when opened, asked recipients to enable macros.
The malicious macros used two Office exploits (CVE-2014-6352 and CVE-2017-0199) to execute malicious code on the victim’s system to download and install malware.
“The group’s operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data,” MyCERT said.
MyCERT officials didn’t say if government officials were compromised in these attacks.
Indirectly pointing the finger at China
However, while MyCERT didn’t accuse the Chinese government directly, their advisory included links to research from the cyber-security community.
The write-ups [1, 2, 3, 4] describe the hacking tools and modus operandi of a cyber-espionage group known as APT40, known for hacking activity aligned with the interests of the Chinese government.
In an exposé published last month, an online group of cyber-security analysts calling themselves Intrusion Truth have claimed that APT40 are contractors hired and operating under the supervision of the Hainan department of the Chinese Ministry of State Security.
According to FireEye, besides Malaysia, the group has also targeted Cambodia, Belgium, Germany, Hong Kong, Philippines, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom.
The group has been primarily focused on “engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies.”
The APT40 group is also tracked by other security firms, but under other names, such as TEMP.Periscope, TEMP.Jumper, Leviathan, BRONZE MOHAWK, GADOLINIUM. The group has been active since 2014, according to multiple reports.
The post #hacking | Malaysia warns of Chinese hacking campaign targeting government projects appeared first on National Cyber Security.
View full post on National Cyber Security
Five years after a huge data breach at extramarital affair website Ashley Madison gave criminals access to the credentials of roughly 32 million users, some victims are being hit once again, this time with a highly personalized extortion attempt.
The extortion message includes detailed personal and financial information on the victim and demands a Bitcoin payment (the equivalent of $1,000 on up) to ensure that incriminating details won’t be shared with friends, family, and employers. The message includes two factors that are becoming more popular in criminal attacks: Details of the ransom payment are in an encrypted .PDF file attached to the email, and the .PDF includes a QR code at the top as a way to access payment information.
Both of these newer details are attempts to evade email filters that increasingly target criminal attack content. According to researchers at Vade Secure, which published a blog post on the new attack, the form of the attack is similar to other messages in a wave of “sextortion” attacks that have been ongoing since July 2018.
For more, read here.
The post Ashley Madison Breach Returns with Extortion Campaign appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans
Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2019-15625 PUBLISHED: 2020-01-18 A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim’s memory processes to extract sensitive information.
CVE-2019-19696 PUBLISHED: 2020-01-18 A RootCA vulnerability found in Trend […]
View full post on AmIHackerProof.com
A whopping 186.4 million Americans shopped in stores and online between Black Friday and Cyber Monday this year, according to the National Retail Federation. On average, these shoppers spent $361.90 per person over the five-day Thanksgiving weekend.
*** This is a Security Bloggers Network syndicated blog from Morphisec Moving Target Defense Blog authored by Arnold Osipov. Read the original post at: https://blog.morphisec.com/trickbot-returns-in-a-new-ecommerce-shopping-campaign
The post #cybersecurity | #hackerspace | Trickbot Returns in a New eCommerce Shopping Campaign appeared first on National Cyber Security.
Phishing attacks and campaigns have always been a hot topic in online security. With many posts tagged as “phishing” on our blog — the first one being over nine years old now — we’ve seen our fair share of phishing attempts.
In this post, we’ll cover the signs of a phishing attack so you can recognize them and avoid falling for them.
What is a Phishing Attack?
A phishing attack happens when a malicious actor pretends to be someone else to gain privileged access or information. This can be in the form of a website, phone number, email, or even in person. If you’re not familiar with the concept of phishing, we have a post covering what is phishing.
Signs of a Phishing Attack
Phishing attacks come in all shapes and forms, and the methods attackers use are always evolving. Even so, there are many common characteristics that are easy to recognize once you know what to look for.
Genuine-Looking but Odd Requests
Many phishing campaigns will use a recognizable company or branding that the victim is familiar with. This can be a financial institution, coworker, or website you know.
To do this, they will try spoofing their email address or phone number, or use an address from a public email provider that contains genuine-looking keywords.
Both of these emails use public email providers, which let anyone create an address with any name for free.
These emails use a similar domain name to the actual company, such as securi.info instead of sucuri.net. This is why it’s important to always double-check the domain to ensure it’s genuine.
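As an added example (not code from the Sucuri post), here is a small sender check that applies the two patterns described above: a registrable domain that is within a couple of edits of a trusted brand (securi.info vs. sucuri.net), a domain that merely contains the brand label, and a brand keyword used in the mailbox name of a public email provider. The trusted-domain list and the sample addresses are constructed for the demo.

```python
# Public webmail providers where anyone can register a mailbox with any name.
# Constructed list for the example; extend it to match your own environment.
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _second_level_label(domain: str) -> str:
    """'sucuri' for 'sucuri.net'; naive split, no public-suffix handling."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address: str, trusted_domains, max_distance: int = 2) -> str:
    """Return 'trusted', 'unknown', or a reason string naming the imitated domain.

    Keep max_distance small: short brand labels (three or four letters) will
    otherwise collide with many legitimate domains and produce false positives.
    """
    local, _, domain = address.rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in trusted_domains:
        return "trusted"
    label = _second_level_label(domain)
    for trusted in trusted_domains:
        brand = _second_level_label(trusted)
        # sucuri-support.com, sucuri.net.example.org, ...
        if brand in domain:
            return f"lookalike:{trusted}"
        # securi.info is one substitution away from sucuri.net
        if levenshtein(label, brand) <= max_distance:
            return f"lookalike:{trusted}"
        # sucuri.support@gmail.com: brand keyword in a free mailbox name
        if domain in PUBLIC_PROVIDERS and brand in local:
            return f"brand-in-public-mailbox:{trusted}"
    return "unknown"


if __name__ == "__main__":
    trusted = {"sucuri.net"}
    for addr in ("billing@sucuri.net", "support@securi.info",
                 "sucuri.support@gmail.com", "info@example.org"):
        print(f"{addr:28} -> {classify_sender(addr, trusted)}")
```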
Fast Action Required
To make victims skip over details they would usually notice, a phishing attempt adds a sense of urgency to the message. Because the request seems severe or urgent, you are more likely to immediately follow the links or open the attachment the attacker wants you to.
- This offer expires in 1 hour!
- [Urgent] Malware on your website
- Your account is compromised
- Suspicious charges on your account
This sign varies greatly depending on the attacker’s goal and how much they know about the victim, but the contact method will likely seem different from your usual communication.
When an attacker pretends to be your boss or coworker, they will most likely use a different writing style than your usual message:
- More or less typos
- More or less formal
- Missing or different signature
These are all signs that you should double-check with your contact to see if they sent the message, preferably with a communication channel you know is safe.
No Signs at All
The most important thing to keep in mind when thinking about phishing is that all attempts are different — and many targeted attacks are very advanced. Attackers can hack or spoof your boss’s email and then use accurate details to mislead you into thinking they are who they claim to be. If they ask you to visit a link or open an attachment, your best bet is to double-check via a different communication channel to make sure the request is genuine.
Phishing Campaign Examples
Here are some examples of phishing campaigns we have seen lately:
Google Drive Phishing Campaign
Notice how odd it is to be able to use any email provider to login to Google Drive:
Bank Phishing Campaign in Brazil
Notice how the phishing campaign asks for credit card information in the last image.
Now that you’re familiar with the concept of phishing campaigns, you can recognize the attacks and avoid falling for them! If you want to stay up to date on the latest website attack trends, subscribe to receive email updates.
The post #cybersecurity | #hackerspace | How to Recognize a Phishing Campaign appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans
Estimated reading time: 5 minutes
The use of phishing emails in cyber-attacks is not new, and it is still one of the classic strategies for compromising a victim’s machine. Cyber criminals lure victims into opening email attachments (mostly DOC and XLS files) by faking them to look like […]
View full post on AmIHackerProof.com
Researchers have spotted a new phishing campaign targeting credentials and financial data of people using the Stripe payments platform. Emails are disguised as alerts from Stripe support.
Stripe enables e-commerce, facilitates payments, and helps run businesses with its software-as-a-service platform. Online companies use Stripe to receive payments, manage workflows, and update payment card data, among other things. Its millions of global customers include major brands, among them Amazon, Google, Salesforce, Microsoft, Shopify, Spotify, Nasdaq, and National Geographic.
Now attackers are trying to gain access to credentials for Stripe’s platform and the billions of dollars it handles each year. This access could enable the adversaries to steal payment card data and defraud customers, report researchers with the Cofense Phishing Defense Center today.
Emails in the campaign pretend to be notifications from “Stripe Support,” telling the account admin the “details associated with account are invalid.” The admin must take immediate action or the account will be placed on hold, the attacker warns. The idea is to cause fear or panic among businesses that heavily rely on their online transactions and payments to keep running.
These emails include a “Review your details” button with an embedded hyperlink. A common security practice is to hover the mouse over a hyperlink to see its destination. The attackers behind the campaign blocked this by adding a title to the HTML’s <a> tag. Instead of displaying the URL when a mouse hovers over it, the button simply shows “Review your details” in text.
“When rendered in the email client, instead of seeing the underlying link of that button, you just see the title that pops up,” says Cofense CTO Aaron Higbee. “In this case, the user wouldn’t have been able to see where the misleading domain went.” It’s a common evasion technique.
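The hover-masking trick described above can be checked for mechanically. The following is an added example, not code from Cofense or the article: it parses an HTML email body, collects every anchor, and flags links whose destination domain differs from the domain the sender claims, links that carry a title attribute (the tooltip shown in place of the URL), and links whose visible text is itself a URL pointing somewhere else. The email body and the example.net destination are constructed; the naive registrable-domain logic ignores the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: a button-style link whose title attribute
# replaces the hover preview, plus one legitimate link for contrast.
SAMPLE_EMAIL_HTML = """
<p>Dear Costumer,</p>
<p>The details associated with account are invalid.</p>
<a href="https://stripe-support-verify.example.net/login"
   title="Review your details">Review your details</a>
<a href="https://stripe.com/docs">Stripe docs</a>
<a href="https://login.example.net/">https://stripe.com/login</a>
"""


class AnchorCollector(HTMLParser):
    """Collects href, title and visible text of every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": None, "title": None, "text": ""}
            for name, value in attrs:
                if name in ("href", "title"):
                    self._current[name] = value

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def registrable_domain(url: str) -> str:
    """Last two host labels ('example.net'); a simplification without PSL data."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_anchors(html: str, claimed_domain: str):
    """Return [(href, [reasons])] for every link that deserves a closer look."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for a in parser.anchors:
        if not a["href"]:
            continue
        reasons = []
        dest = registrable_domain(a["href"])
        if dest != claimed_domain.lower():
            reasons.append(f"destination {dest} is not {claimed_domain}")
        if a["title"]:
            reasons.append("title attribute replaces the hover preview")
        text = a["text"].strip()
        if text.startswith(("http://", "https://")) and registrable_domain(text) != dest:
            reasons.append("visible URL text does not match destination")
        if reasons:
            findings.append((a["href"], reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_anchors(SAMPLE_EMAIL_HTML, "stripe.com"):
        print(href, "->", "; ".join(reasons))
```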
When clicked, this button redirects targets to a phishing page disguised to imitate Stripe’s customer login page. This part of the attack includes three separate pages: One collects the admin’s email address and password, the second requests the bank account number and phone number, and the third redirects the admin back to the initial Stripe login page with a “Wrong Password” error so they don’t suspect anything.
Another interesting factor in this attack was the credential compromised, Higbee says. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company’s MailChimp account. This is the platform they ultimately used to launch the phishing campaign, he explains. As a result, the phishing emails appear to originate from the email address of a compromised organization.
“This is saying to me the attackers are looking for ways to make sure their phishing emails are successfully delivered,” Higbee continues. Most people have MailChimp whitelisted, and many companies use it for things like password resets.
While the attackers were savvy with HTML, their writing skills could use some work. Misspelled words (“Dear Costumer”) and obvious grammatical mistakes could tip off any user to suspicious activity, Higbee says. Employees who suspect foul play should approach emails with caution.
What’s more, these emails didn’t originate from a “stripe.com” email address, he continues. Even though the display name said Stripe Support, recipients of these emails should also check for a Stripe domain name in the sender’s email address. Higbee also warns people to be wary of emails seemingly intended to provoke fear or urgency, which many attackers prey on.
He suspects this type of attack will continue, especially against users of the payment platform.
“If there is a way for an attacker to automatically discern whether a company uses Stripe, I’d guess this type of attack would be on the rise,” Higbee says. “There’s money at the end of that.”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
Source: National Cyber Security News
Former Tennessee Gov. Phil Bredesen’s Senate campaign told the FBI in a letter Thursday that it fears it was hacked.
While the word “cybersecurity” may evoke thoughts of highly sophisticated attacks that require fancy computing equipment and skilled hackers, the reality is that most attacks — especially in a corporate environment — involve simpler strategies that depend upon one thing: exploiting human behavior.
Most companies are hard at work building technology to better protect themselves and their users or customers. But technology can only get us so far. People are the most important factor in any company’s cybersecurity strategy, and investing in security engagement goes a long way in helping companies reduce the probability of a breach.
Facebook runs security engagement programs year-round, but the most important tool in our arsenal is Hacktober, an annual, monthlong tradition each October designed to build and maintain a security-conscious culture. It’s our version of National Cyber Security Awareness Month, a campaign to get people involved in cyber security and play their part in making the internet safer and more secure for everyone.
Hacktober has a number of different elements, from phishing tests and marketing campaigns to contests, workshops, and expert talks. Participation is not mandatory, but we find that about one-third of employees participate in at least one activity over the course of the month. Everything is designed to remind our employees how to protect themselves, our company, and the millions of people who use Facebook every day.
Security awareness can be engaging rather than scary — or worse, boring. If we create an interactive and fun environment around security, people will learn important security lessons and retain them throughout the year.
At Facebook, we take a “hacker” approach to security awareness because that ethos is a core part of our culture, which means it resonates with our employees. One of the best examples of this is our Capture the Flag (CTF) competitions.
CTFs are computer-based competitions that allow people to practice securing machines and defending against mock cyber security attacks. We know many of our employees enjoy solving complex problems in a competitive environment, and CTFs give us a way to create that type of fun, competitive atmosphere around security education. This year we deployed two versions: a jeopardy-style CTF where challenges could be solved by doing research and an attack-defense CTF that relied on real-world attacks and exploits. The CTFs were hosted on our open-sourced platform, and the challenges were designed by a cross-functional team of security engineers each with a specialized skill set (mobile application security, Windows security, and so on) to ensure a well-rounded CTF experience.
In the spirit of keeping things fun and engaging, we also offered a series of lighter events that reflected our hacker culture, like hands-on lock picking classes. And to generate buzz around all of our activities and keep our employees engaged, we offered Hacktober-branded “swag” — T-shirts, hats, stickers, and magnets — designed in the “Hack-o-lantern” branding we’ve established over the last seven years.
All employees should feel comfortable talking about security. Everyone should be able to raise concerns without hesitation, even if their role in keeping our company safe may not be so obvious.
We believe all employees must participate in keeping Facebook a safe, secure place on the internet. Over the course of Hacktober, we run a series of “hacks,” such as phishing emails and rogue authentication pushes, that help us assess how our employees respond to these simulated attacks. We also hold informal fireside chats with speakers like Condoleezza Rice, the former U.S. secretary of state and renowned expert on geopolitical risk. Her joint talk with Facebook CSO Alex Stamos gave people an opportunity to hear about the evolution of nation state–sponsored cyberattacks.
To mitigate the risk of human error, companies need to broaden their definition of security. Hacktober isn’t just about “cyber” security. It’s also about the physical security and safety of our employees. We partner with our physical security colleagues to provide training classes for employees, such as a travel safety course geared toward female employees, and use Facebook to share training videos on the threat of tailgating.
Employees should know the people who work on our security teams. And they should understand their role in protecting people on Facebook.
Facebook has grown over the years, which means the process of identifying and communicating with members of the security team can be challenging. We tried to simplify this by creating a security help form on our intranet as well as offering tours of our Global Security Operations Center. We also promote our security work through a massive marketing campaign: We built a dedicated microsite for people to visit and learn about different activities, and promoted it with Hacktober posters, resource cards, and coffee sleeves. We also created an internal Hacktober Facebook group where employees could post questions, provide feedback, collaborate on CTF challenges, or just post their thoughts on current security topics or concerns.
Hacktober is also a great learning opportunity for the security team. The microsite served as a data source for us to find out what people are most interested in, but we’re constantly tracking metrics that help us improve our programs — and we try to apply some of the lessons in real time. For example, we suspended this year’s phishing campaign in the middle of the month when our data showed a significant drop in people clicking on phishing links and an increase in the number of people reporting the phishing scams to the security team. In essence, we had achieved our goal of changing employee behavior and decided it would be better to allocate resources elsewhere.
Campaigns like Hacktober can be one of the most effective ways to assess social engineering risk and understand what types of human behavior your company or organization is most vulnerable to. Is it phishing? Weak passwords? Physical security? And what tools or tactics can your team deploy to address these threats?
We designed Hacktober to fit the culture and security needs of Facebook, but other companies can apply many of these principles as well. Just remember that any successful campaign must have support from senior leadership, align with the company culture, and take some of the fear out of the security conversation. Security education isn’t about shaming people for poor habits. It’s about rewarding positive behavior and fostering a security-conscious culture among your most critical resource: people.
Here’s how your company can create its own Hacktober:
- Prioritize organization and branding. Facebook decorates its walls with posters with a distinctive “Hack-o-lantern” design and uses internal groups to share posts about Hacktober. Creating a unique identity for your awareness effort helps people identify it and find ways to get involved.
- Partner with third-party organizations. The National Cyber Security Alliance is a great partner for security awareness work and offers ideas and content.
- Recognize and reward engagement. Hacktober memorabilia like T-shirts and stickers are wildly popular at Facebook. Facebook employees who report suspicious activity or uncover one of our hacks are rewarded with one of these coveted prizes, which help drive awareness and incentivize others to get involved.
- Run real-world security tests. Simple tests can go a long way toward reminding people to remain vigilant. We recommend things people would encounter in an average work day: sending spear-phishing emails (malicious emails that appear to come from a trusted source) or dropping USB drives around the office with fake malware, which teaches employees to think twice before plugging an unknown device into their computer.
- Bring people together. Offer educational sessions with your security team, host interactive workshops, and run competitions and contests. You can even use the Facebook open-source CTF platform to run your own CTFs.
- Keep it fun. Security doesn’t have to be scary. Facebook has invited families to its HQ for a safety-themed movie and pumpkin-carving night. These and other hands-on activities help educate people in a fun, casual environment.
The post How #Facebook’s Annual #Hacktober Campaign Promotes #Cybersecurity to #Employees appeared first on National Cyber Security Ventures.
A Chinese hacking operation is back with new malware attack techniques and has switched its focus to conducting espionage on western corporations, having previously targeted organisations and individuals in Taiwan, Tibet, and the Philippines.
Dubbed KeyBoy, the advanced persistent threat actor has been operating out of China since at least 2013 and in that time has mainly focused its campaigns on targets in the South East Asia region.
The last publicly known activity by KeyBoy saw it target the Tibetan Parliament between August and October 2016, according to researchers, but after that the group appeared to cease activity — or at least managed to get off the radar.
But now the group has reemerged and is targeting western organisations with malware that allows the attackers to secretly perform malicious activities on infected computers. These include taking screenshots, key-logging, browsing and downloading files, gathering extended system information about the machine, and shutting down the infected machine.
KeyBoy’s latest activity has been uncovered by security analysts at PwC, who’ve analysed the new payload and found it includes new infection techniques replacing legitimate Windows binaries with a copy of the malware.
Like similar espionage campaigns by other hacking operations, the campaign begins with emails containing a malicious document – in the case analysed by PwC, the lure was a Microsoft Word document named ‘ Q4 Work Plan.docx’.
But rather than delivering macros or an exploit, the lure uses the Dynamic Data Exchange (DDE) protocol to fetch and download a remote payload. Microsoft has previously described DDE as a feature, not a flaw.
In this case, Word tells the user there’s been an error and the document needs updating – if this instruction is run, a remote fake DLL payload is run, which in turn serves up a dropper for the malware.
Once the process has been run and the malware is installed, the initial DLL is deleted, leaving no trace of the malicious fake. As the malware also disables Windows File Protection and related popups, it therefore isn’t immediately obvious to system administrators that a legitimate DLL was replaced.
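Because the KeyBoy lure relies on a DDE field rather than a macro, macro-only scanning misses it. The following is an added example, not code from PwC or the article: it builds a minimal .docx in memory (constructed, with placeholder field arguments), then reassembles Word field codes that may be split across several instrText runs and reports whether any of them is a DDE or DDEAUTO field. It does not look inside embedded OLE objects or other container formats.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml and related parts.
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def build_sample_docx(field_code: str) -> bytes:
    """Construct a minimal .docx whose body holds one complex field.

    The field code is deliberately split across two instrText runs, the way
    real lures do it to defeat naive string matching on a single run.
    """
    chunks = (field_code[:4], field_code[4:])
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{c}</w:instrText></w:r>' for c in chunks
    )
    document = (
        f'<w:document xmlns:w="{W_NS[1:-1]}"><w:body><w:p>'
        f'<w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
        f'<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # minimal stub
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def field_codes(docx_bytes: bytes):
    """Return every field code found in word/*.xml, whitespace-normalised."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = [n for n in z.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            root = ET.fromstring(z.read(name))
            # Complex fields: instrText runs between fldChar begin/end, joined per paragraph.
            for para in root.iter(W_NS + "p"):
                text = "".join(t.text or "" for t in para.iter(W_NS + "instrText"))
                if text.strip():
                    codes.append(" ".join(text.split()))
            # Simple fields carry the code in the w:instr attribute.
            for fld in root.iter(W_NS + "fldSimple"):
                instr = fld.get(W_NS + "instr", "")
                if instr.strip():
                    codes.append(" ".join(instr.split()))
    return codes


def has_dde_field(docx_bytes: bytes) -> bool:
    """True when any field code is a DDE/DDEAUTO field."""
    return any(DDE_RE.search(code) for code in field_codes(docx_bytes))


if __name__ == "__main__":
    # Placeholder arguments only; the point is the field type, not a payload.
    lure = build_sample_docx("DDEAUTO placeholder-application placeholder-topic")
    benign = build_sample_docx("PAGE \\* MERGEFORMAT")
    print("lure  :", has_dde_field(lure))    # True
    print("benign:", has_dde_field(benign))  # False
```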
Once inside the target system, the attackers are free to conduct espionage campaigns as they please – although PwC researchers have listed possible indicators of compromise which organisations can use to discover whether there are traces of KeyBoy in their network.
Similar techniques and attack capabilities have been observed in past KeyBoy campaigns, leading researchers to conclude that this campaign is by the same group.
Researchers have yet to uncover which specific organisations or sectors KeyBoy is targeting with its latest campaign, but say that the group has now turned its attention to conducting corporate espionage on organisations in the west.
Aside from knowing that they’re based in China, it hasn’t yet been possible to unmask the KeyBoy hacker group or identify their ultimate motives. While it has some of the hallmarks of a state-backed operation, previous research into the group says any type of criminal gang could operate this style of campaign.
The post Chinese #hacking group #returns with new #tactics for #espionage #campaign appeared first on National Cyber Security Ventures.