#cybersecurity | hacker | the Gathering online player info

Source: National Cyber Security – Produced By Gregory Evans

A misconfigured legacy database administered by game publisher Wizards of the Coast reportedly exposed the information of hundreds of thousands of online gamers who played Magic: The Gathering Arena or Magic: The Gathering Online.

According to various media reports, Renton, Wash.-based WoTC recently sent impacted users an email stating that on Nov. 14 “we learned that an internal database file from a decommissioned version of the WotC login had inadvertently been made accessible outside the company.” The reports note that the file had been residing in an openly accessible Amazon Web Services storage bucket.

Exposed information reportedly included players’ names, email addresses and hashed and salted passwords, as well as the date and time their accounts were created. WoTC does not have reason to believe the information has been used maliciously. Nevertheless, players are encouraged to reset their passwords as a precautionary measure.

TechCrunch reported that a review of the database file revealed 452,634 players’ information and 470 email addresses associated with WoTC employees.

MTG Arena and Magic Online are both digital versions of the popular original MTG trading card game.

SC Media has not heard back from Wizards of the Coast for additional comment.

#cybersecurity | hacker | Attackers pose as German, Italian & US gov’t agencies to spread malware

Since October, a threat actor has been impersonating governmental agencies in phishing emails designed to infect American, German and Italian organizations with various forms of malware, including the Cobalt Strike backdoor, Maze ransomware and the IcedID banking trojan.

Business and IT services, manufacturing companies, and healthcare organizations make up a large share of the targets in this operation, said a blog post today from Proofpoint, which calls the group TA2101. In many cases, the emails are sent from addresses that are made to look authentic at first glance, only they end in the .icu top-level domain.

The Proofpoint Threat Insight Team observed TA2101 campaigns targeting Germany on Oct. 16 and 23, and then again on Nov. 6, during which time the actor pretended to be the Bundeszentralamt für Steuern, aka the German Federal Ministry of Finance. The adversary sent hundreds of emails with lures designed to entice recipients into opening Word documents containing malicious macros. These macros executed a PowerShell script that delivered Cobalt Strike, a legitimate attack simulation tool that in the wrong hands can be used as actual malware.

The October emails, aimed largely at IT services companies, falsely claimed that recipients were due to receive a tax refund, and instructed them to open the Word doc to fill out a refund request form.

The Nov. 6 emails similarly targeted business and IT services companies. In this instance, however, the attached documents were disguised as an RSA SecurID key, but actually contained macros that delivered Maze ransomware. One day later, TA2101 sent out even more emails, except instead of impersonating the Federal Ministry of Finance, the attackers pretended to be the ISP 1&1 Internet AG.

Phishing activity targeting Italian organizations, especially manufacturing companies, took place on Oct. 29. For this scam, TA2101 emailed dozens of prospective victims a notification of law enforcement activities that purportedly came from Agenzia Entrate, the Italian Ministry of Taxation, and threatened recipients with financial penalties. Again, opening the attached Word doc would trigger the embedded macros to install Maze.

The most recent campaign referenced in the blog post took place on Nov. 12 and zeroed in on American organizations. These emails, which used a uspsdelivery-service.com domain instead of .icu, seemed to come from the U.S. Postal Service and again appeared to include a Word document with an RSA SecurID key. Opening the document in this case caused the macros to deliver the IcedID banking trojan.

“Proofpoint researchers have observed a consistent set of TTPs… that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns,” wrote Proofpoint researcher and blog post author Bryan Campbell. “The SOA email address, gladkoff1991@yandex.ru, is also linked to campaigns that attempted to spread Buran ransomware in September.”

“Additionally, Proofpoint researchers have observed that the canonical URLs used by this actor are formatted in a repeatable fashion with word_/.tmp in the string with slight variations made over time,” the blog post continued. “Proofpoint researchers suspect that the word_/.tmp usage might be linked to previous campaigns that were spotted earlier by the infosec community in 2019.”
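The indicators Proofpoint lists above (.icu sender domains, the uspsdelivery-service.com lure domain, and the word_/.tmp URL pattern) can be turned into a mail-gateway triage check. The following is an added example written for this page, not Proofpoint's or any vendor's code; the message records and the bzst-refund.icu domain it runs over are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicators Proofpoint attributed to TA2101 in the article: sender domains under the
# .icu TLD, the uspsdelivery-service.com lure domain, and payload URLs containing
# "word_/.tmp". The names are the agencies and ISP the campaigns imitated.
ICU_TLD = ".icu"
KNOWN_LURE_DOMAINS = {"uspsdelivery-service.com"}
LURE_URL_PATTERN = re.compile(r"word_/\.tmp", re.IGNORECASE)
IMPERSONATED_NAMES = ("bundeszentralamt", "agenzia entrate", "1&1", "usps", "postal service")
# A display name alone is a weak signal; only these indicators escalate on their own.
STRONG_INDICATORS = {"sender_icu_tld", "sender_known_lure_domain", "word_tmp_url_pattern"}


@dataclass
class Message:
    msg_id: str
    from_display: str
    from_addr: str
    urls: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lowercase domain part of a sender address."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def match_indicators(msg: Message) -> list:
    """List the TA2101-style indicators present in one message."""
    hits = []
    domain = sender_domain(msg.from_addr)
    if domain.endswith(ICU_TLD):
        hits.append("sender_icu_tld")
    if domain in KNOWN_LURE_DOMAINS:
        hits.append("sender_known_lure_domain")
    if any(name in msg.from_display.lower() for name in IMPERSONATED_NAMES):
        hits.append("impersonated_display_name")
    if any(LURE_URL_PATTERN.search(url) for url in msg.urls):
        hits.append("word_tmp_url_pattern")
    return hits


def is_suspicious(hits: list) -> bool:
    """Escalate only when at least one strong indicator is present."""
    return bool(STRONG_INDICATORS & set(hits))


def triage(messages: list) -> list:
    """Return the ids of messages to hold for analyst review."""
    return [m.msg_id for m in messages if is_suspicious(match_indicators(m))]


# Constructed sample mail metadata (not real captures): two lures in the style the
# article describes and one ordinary message.
SAMPLE_MESSAGES = [
    Message("m1", "Bundeszentralamt für Steuern", "steuer@bzst-refund.icu",
            ["http://bzst-refund.icu/word_/.tmp/refund_form.doc"]),
    Message("m2", "USPS Delivery", "notice@uspsdelivery-service.com"),
    Message("m3", "Alice Example", "alice@example.org", ["https://example.org/report.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.msg_id, match_indicators(m), is_suspicious(match_indicators(m)))
```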

#cybersecurity | hacker | PureLocker ransomware built for targeted attacks, linked to MaaS dealer

A newly discovered ransomware called PureLocker is targeting the production servers of enterprises, while exhibiting some behavior that’s very unusual for most malicious encryptors.

Among its quirky features: it’s written in the PureBasic programming language, which helps it avoid conventional anti-malware detection engines; it’s very picky about who it infects, only executing if the victim machine passes a series of checks; and it appears to be used as a later stage of a larger multi-stage attack.

Researchers from Intezer and IBM X-Force IRIS analyzed the ransomware and detailed their findings in a joint blog post this week. “PureLocker is a rather unorthodox ransomware,” said Intezer security researcher Michael Kajiloti. “Instead of trying to infect as many victims as possible, it was designed to conceal its intentions and functionalities unless executed in the intended manner. This approach has worked well for the attackers who have managed to successfully use it for targeted attacks, while remaining undetected for several months.”

Much of PureLocker’s code is unique, but a certain portion, including its dropper program and its built-in evasion and anti-analysis functionalities, is borrowed from a backdoor malware called more_eggs, which is sold on cybercrime forums by a prominent malware-as-a-service provider. “These findings strongly suggest that the MaaS provider of ‘more_eggs’ has added a new malware kit to its offerings, by modifying the ‘more_eggs’ loader’s payload from a JScript backdoor to a ransomware,” the blog post concluded.

The more_eggs backdoor has been used in the past by financially motivated cybercriminal groups including the Cobalt Gang and FIN6. However, it has not been determined if one of these groups or another threat actor is responsible for distributing PureLocker.

The researchers only looked at samples that target Windows, but there are also PureLocker variants that can infect Linux-based machines as well. One Windows sample was disguised as a C++ cryptography library called Crypto++, Kajiloti reported. From Oct. 13-30, the sample went almost completely undetected in VirusTotal scan results — a feat the researchers attributed to the use of PureBasic as a programming language.

“AV vendors have trouble generating reliable detection signatures for PureBasic binaries,” the blog post said. “In addition, PureBasic code is portable between Windows, Linux, and OS-X, making targeting different platforms easier.”

Shortly after installation, the malware goes through a thorough series of checks. It makes sure it’s not being analyzed or debugged, that it’s being executed by the command-line utility “regsvr32.exe,” that its file extension is .dll or .ocx, that the current year on the machine is 2019, and that it has administrator rights. If it does not pass all these checks, the malware exits and does not perform its attack.

If it does pass the checks, PureLocker primarily encrypts data files with AES and RSA algorithms and adds a .CR1 extension to them. It then secure-deletes the original files to thwart recovery efforts. The ransom note threatens the victim that the private key will be erased in seven days, and leaves an email address to contact regarding payment.
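The execution conditions described above (loaded by regsvr32.exe as a .dll or .ocx, running with administrator rights) give a defender a concrete process-creation pattern to hunt for. The following is an added example for this page, not code from Intezer or IBM; the Sysmon-style event records and the file paths in them are constructed, and the cryptopp.dll name only echoes the disguise the article mentions.

```python
import re
from dataclasses import dataclass

# Per the article, PureLocker only runs when regsvr32.exe loads it as a .dll or .ocx
# and the process holds administrator rights, so regsvr32 registering a module from a
# user-writable location at high integrity is the event a defender wants surfaced.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MODULE_EXTENSIONS = (".dll", ".ocx")
ELEVATED_LEVELS = {"high", "system"}
# Windows command lines: quoted tokens may contain spaces, others are whitespace-separated.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcessEvent:
    event_id: str
    image: str
    command_line: str
    integrity_level: str


def split_command_line(cmd: str) -> list:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def module_argument(cmd: str):
    """Return the first .dll/.ocx path passed to the process, or None."""
    for token in split_command_line(cmd)[1:]:
        if token.lower().endswith(MODULE_EXTENSIONS):
            return token
    return None


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def evaluate(event: ProcessEvent) -> dict:
    """Classify one process-creation event; the reasons explain the verdict."""
    verdict = {"event_id": event.event_id, "alert": False, "reasons": []}
    if event.image.rsplit("\\", 1)[-1].lower() != "regsvr32.exe":
        return verdict
    module = module_argument(event.command_line)
    if module is None:
        return verdict
    if not in_system_dir(module):
        verdict["reasons"].append("module outside system directories: " + module)
        verdict["alert"] = True  # non-system module registration is the core signal
    if event.integrity_level.lower() in ELEVATED_LEVELS:
        verdict["reasons"].append("elevated integrity level: " + event.integrity_level)
    return verdict


def alerts(events: list) -> list:
    return [evaluate(e)["event_id"] for e in events if evaluate(e)["alert"]]


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("e1", "C:\\Windows\\System32\\regsvr32.exe",
                 'regsvr32.exe /s "C:\\Users\\bob\\AppData\\Local\\Temp\\cryptopp.dll"', "High"),
    ProcessEvent("e2", "C:\\Windows\\System32\\regsvr32.exe",
                 "regsvr32.exe /s C:\\Windows\\System32\\jscript.dll", "High"),
    ProcessEvent("e3", "C:\\Windows\\System32\\rundll32.exe",
                 "rundll32.exe C:\\Users\\bob\\Downloads\\x.dll,Start", "Medium"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(evaluate(e))
```

Registration of a module from an unusual path is not proof of PureLocker; the elevated-integrity reason is recorded so an analyst can prioritise events that also match the admin-rights check.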

#cybersecurity | hacker | Why network segmentation is ready for an overhaul

The past five years have seen the overhaul of some of cybersecurity’s biggest technology categories. Palo Alto Networks and the next-generation firewall market upended the network security market, companies like Splunk turned SIEM on its head, and next-generation endpoint technology from companies like Crowdstrike and Cylance changed the game for endpoint security.

As these transformations take hold in the market, the question becomes: what comes next? Which technology will be the next one to be revolutionized?

The next category most likely to be disrupted is network segmentation, which allows companies to split their main network into smaller sub-networks to mitigate risks. From a cybersecurity perspective, this means you can have networks with sensitive finance data or customer credit card information on a totally separate network from potential entry points for attack, like an employee’s laptop or your smart building technology.

While network segmentation isn’t new, it hasn’t been as widely adopted across the enterprise. Some of this can be credited to shortcomings of existing technologies for today’s companies, such as difficulty to implement in environments outside of the data center or blind spots like unmanaged devices.

But there are a few signs already that the technology is ready for a revamp. Hackers continue to penetrate company networks, and the ease with which they can move laterally across the network means they are able to cause greater havoc to an organization. Companies are also facing new, more complex compliance requirements and greater risk overall as the attack surface grows due to a rising volume and diversity of devices, including IoT and operational technology (OT) devices. Network segmentation is one way that companies can better handle some of these challenges, or at least limit their risk.

As part of any coming transformation, our industry needs to shift its thinking about what we want from the next generation of network segmentation tools and consider some of the qualifications for these technologies.

First, we should make sure we are getting the full context of all devices and applications we might want to segment across the full extended enterprise, from campus to data center to cloud and OT environments. Without knowing that context as a baseline, you won’t know what or how to segment. The more granular that context, the more helpful it can be. For instance, it is helpful to know if a camera is a surveillance camera or a teleconferencing camera because you might want different types of policies for each type.

Today, CISOs are challenged when they only get that context in pieces. They may know device types or applications for the data center, which is generally easier because devices are more straightforward, but not across the entire enterprise. But they will need this data as the foundation if they want to apply network segmentation effectively and more broadly.

Second, the future of network segmentation needs traffic context. Very few organizations have the luxury of building their network entirely from scratch. Instead, they’re more likely to be layering network segmentation on top of existing networks. To do that effectively, you need to know what is talking to what. You also need to know what counts as legitimate traffic, as in what should be talking to what. If you don’t have visibility into that, you can’t have full confidence that you can enforce network segmentation rules without breaking

organizations will be able to use all that context information to create and enforce policies. This is the step that will take us to the next generation of network segmentation. It will set boundaries across the network, segmenting it so devices and applications can only access the data they need and so the blast radius of an attack is contained inside a limited area.

The important thing to note about this final step is that it will likely always be an iterative process. The enforcement of the policies should be dynamic and automated, taking the device and traffic context and using that to stay up-to-date with today’s rapidly changing networks. Older policies may need to be updated to take into account a changing environment. It should also be orchestrated across multiple technologies to account for varying infrastructure, like campus switches, firewalls, SDN infrastructure, and public cloud infrastructure. All of these nuanced changes are possible if you have deep context into the environment. Ideally, we could also simulate these changes ahead of time, so security personnel could test out policies as they create them to see how they might impact the network before they are put into action. You don’t want to break something in the process!

Today’s CISO doesn’t have an easy job. They are grappling with how to get a handle on a growing number of cybersecurity threats, as well as reduce overall risk and meet compliance mandates. The network segmentation technologies of tomorrow might help address those pain points and reduce the scope of an attack. Data breaches are unfortunately a matter of when, not if, for all companies. With that in mind, it is more important than ever to focus on finding new ways to innovate and limit the risk and scope of damage an attack might pose.

#cybersecurity | hacker | With election on horizon, U.K.’s Labour Party contends with DDoS attacks

The U.K. Labour Party’s digital platforms have been the target of distributed denial of service attack activity since yesterday, impeding access to the political body’s main website. The initial wave of DDoS attacks took place on Nov. 11. Multiple news reports today quoted a Labour Party […]

#cybersecurity | hacker | ‘DIRT CLEAN’ -a technology rationalization approach for security controls

Security is a boardroom topic and not a hard sell these days. Not saying the job of the CISO has become easier, but certainly getting funding is less of a herculean task than it used to be 10 years ago. Every day we get updates about breaches […]

#cybersecurity | hacker | Former Twitter employees charged with using access to spy for Saudi Arabia

A pair of former Twitter employees – one an engineer and the other a media partnership manager – were busted for accessing users’ accounts and personal data on behalf of Saudi Arabia to ferret out opponents of the kingdom.

Engineer Ali Alzabarah and manager Ahmad Abouammo were charged with operating within the U.S. as agents of a foreign power, the Justice Department said Wednesday. In charges filed in a San Francisco court, the FBI noted the two defied Twitter policies and used their “access to proprietary and confidential Twitter information,” including the email addresses, phone numbers, birthdates and IP addresses of Twitter users, on behalf of the Saudi government. Abouammo is linked to Saudi Crown Prince Mohammad bin Salman (MbS), who U.S. intelligence officials say ordered the murder of journalist Jamal Khashoggi.

“The criminal complaint unsealed today alleges that Saudi agents mined Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users,” U.S. Attorney David L. Anderson said in a statement. “U.S. law protects U.S. companies from such an unlawful foreign intrusion. We will not allow U.S. companies or U.S. technology to become tools of foreign repression in violation of U.S. law.”

The Justice Department charges lay out a scheme in which Abouammo spied on three Twitter accounts while Alzabarah accessed 6,000 accounts to suss out Saudi dissidents and activists in the U.S. who opposed Saudi Arabia’s policies in exchange for monetary compensation.

A third man, Ahmed Almutairi, who worked for a social media firm associated with the Saudi government, served as an intermediary and is being sought by authorities. Alzabarah and Almutairi are both Saudi citizens while Abouammo is a citizen of the U.S.

recognize the lengths bad actors will go to try and undermine our service,” Twitter said in a statement. “Our company limits access to sensitive account information to a limited group of trained and vetted employees.”

The charges were first reported by the Washington Post.

#cybersecurity | hacker | Ransomware attack delays government services in Nunavut, Canada

A ransomware attack last weekend struck the network of the Canadian territory Nunavut, severely impeding a bevy of government services that rely on access to systems and electronic files.

The attack took place on Saturday afternoon, encrypting files on government servers and workstations and crippling email and other internet-based communications. The only service to be unaffected is the Qulliq Energy Corporation, Nunavut’s only power utility.

With an estimated population that’s approaching 40,000, Nunavut is Canada’s northernmost territory, which split off from the Northwest Territories in 1999. Many of its inhabitants are Inuit.

“I want to assure Nunavummiut that we are working non-stop to resolve this issue,” said Nunavut Premier Joe Savikataaq in a government press release. “Essential services will not be impacted and the GN will continue to operate while we work through this issue. There will likely be some delays as we get back online, and I thank everyone for their patience and understanding.”

In an attempt to mitigate the incident, the territory is prioritizing the restoration of data to key services related to health, family services, education, justice and finance, the press release continues. Government officials expect that most files will ultimately be restored, thanks to their use of back-up files. While services continue to operate, some are running contingency procedures and conducting business manually, resulting in significant delays.

An FAQ page published on Nunavut’s official government website offered updates on the statuses of its departments.

For instance, Department of Health workers are currently relying on a paper-based system, while the territory’s MediTech health care software system remains inoperative. Health care facilities continue to operate, and patients scheduled for visits can keep their appointments, though they are asked to bring their health care cards and medications. Telehealth services, however, are down and must be rescheduled.

Additionally, the Finance Department may be delayed in sending government employees and vendors their scheduled paychecks. Medical or duty travel payments and reimbursements are also impacted. Distribution of driver’s licenses and ID cards — a responsibility of the Department of Economic Development and Transportation (EDT) — is also impacted.

Networked phone services in the capital of Iqaluit are functional, but using direct dial only.

“Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm,” states the ransom note, which was obtained by the Canadian Broadcasting Corporation (CBC). The note instructs the victim to install the Tor browser and visit a link to a payment site. The attackers warn that the link expires in 21 days, at which point the decryption key will be deleted.

Brett Callow, spokesperson at cybersecurity company Emsisoft, told SC Media in emailed comments that the ransom note matches that of a ransomware called DoppelPaymer, which is often distributed via the Dridex banking trojan. Victims are often infected with Dridex when they open a phishing email attachment, he added.

In the Nov. 4 press release, Nunavut officials said they responded to the attack by “isolating the network, notifying cybersecurity experts and working with our internet software providers.”

“It is difficult to estimate recovery timelines at this early stage,” the release continues.

“Ransomware attacks can have a much larger impact than temporarily denying access to systems in exchange for payment. The demanded ransom amounts often pale in comparison to the collateral damage and downtime costs they cause,” said Justin Des Lauriers, technical project manager at Exabeam, in emailed comments. His colleague, Barry Shteiman, VP of research and innovation, added that “for cybersecurity teams to detect ransomware early enough in the ransomware lifecycle to stop it, they need to understand the business models used by ransomware network operators, the kill chain of a ransomware attack and how to detect and disrupt ransomware in corporate environments. Armed with this information, analysts should be able to react faster in the event their organization is hit with a ransomware infection.”

#cybersecurity | hacker | Every Desjardins customer impacted by June data incident

The Canadian financial services company Desjardins now believes all 4.2 million of its members were affected by a data incident that took place earlier this year.

The company on October 31 was informed by the Sûreté du Québec that the data incident announced on June 20 actually impacted all 4.2 million individual caisse members who do their banking with Desjardins in Quebec and Ontario. The data leaked included first and last name, date of birth, social insurance number, address, phone number, email address and details about their banking habits and Desjardins products.

Initially, it was believed that only 2.9 million of the credit union’s customers were affected by what was an insider attack. This incident was not a cyberattack. Desjardins computer systems were in no way breached during this incident, which was the result of illegal acts committed by the above-mentioned former employee, the company said in June. The employee in question has been fired and arrested by the Laval police, CBC News reported.

#cybersecurity | hacker | Application isolation and virtualization provide a false sense of cybersecurity – It’s time for a better solution

A recently discovered critical vulnerability presents yet another case study for the shortcomings of the isolation/virtual machine model for cybersecurity. The vulnerability, CVE-2019-14378, has a severity of 8.8, and was first published in the National Vulnerability Database on July 29th, 2019. The vulnerability affects QEMU, the […]