Cyber Security

Common pitfalls in attributing cyberattacks

Articles, Blog, Cyber Security, cybersecurity

Attack attribution is always difficult as criminal groups often share code and techniques, and nation-state actors excel at deception. Here, security researchers share their techniques and common pitfalls.

Attributing cyberattacks to a particular threat actor is challenging, particularly an intricate attack that stems from a nation-state actor, because attackers are good at hiding or erasing their tracks or deflecting the blame to others.

The best method for arriving at a solid attribution is to examine the infrastructure and techniques used in the attack, but even then, researchers can often get it wrong, as Paul Rascagneres and Vitor Ventura of Cisco Talos illustrated in a talk at the VB2020 conference on September 30.

Researchers typically rely on three sources of intelligence, Rascagneres said: open-source intelligence (OSINT), which is publicly available information on the internet, technical intelligence (TECHINT) that relies on malware analysis, and proprietary data available only to the organizations involved in the incident.

Nation-state intelligence agencies serve as another source of intelligence because they have more information and additional resources than the private sector, but intel agencies are often secretive about their methods. “In public sectors, they don’t give everything,” Rascagneres said. “They don’t explain how they get all the detail. How does it make the link?”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Kaitlyn Baker on Unsplash


Late-game election security: What to watch and watch out for

Articles, Blog, Cyber Security, cybersecurity, Defense Department, elections, Trickbot

Despite disruption of the Trickbot botnet network, last-minute leaks of stolen documents and post-election undermining of trust in the election system remain big concerns.

As we head into the final inning of what has been a dramatic US presidential election season, it’s clear the country has so far been spared the kind of high-stakes hacking and disinformation campaigns that marred the 2016 election. Still, US intel and cyber defense organizations are on the lookout for last-minute ransomware attacks and have been joined by their private sector counterparts while social media companies appear to be clamping down on disinformation efforts.

The most striking evidence that the US may be better prepared than it was in 2016 is the extraordinary action taken by US Cyber Command (CyberCom) to meddle with the Russian-language Trickbot botnet, used to deliver malware, including ransomware, and frequently exploited by Russian military intelligence for plausible deniability. Following a scoop by journalist Brian Krebs that an unknown actor was meddling with Trickbot, news leaked over the weekend that CyberCom was the meddler.

CyberCom’s goal was to thwart any possible ransomware attacks on selected or strategically important jurisdictions. The military cyber arm might have also been pushed into action by a Trickbot-enabled ransomware attack on top healthcare provider Universal Health Services (UHS), which was forced to shutter digital operations when 400 of its computer systems were locked up by Ryuk ransomware.

[This article appeared in CSO Online. To read the rest of the article please visit here.]


How SilentFade group steals millions from Facebook ad spend accounts

Articles, Blog, Cyber Security, cybersecurity, Facebook

SilentFade steals credentials and ad spend account information and sells the information to other bad actors. The group returned with improved malware after Facebook’s initial mitigation efforts.

Facebook is a magnet for scammers, thieves and other bad actors looking to swindle and manipulate the social media giant’s vast pool of users. One group discovered by Facebook’s in-house researchers took such a sophisticated approach to bilking Facebook users that it walked away with $4 million in an elaborate ad fraud scheme that went undetected by its victims.

Sachit Karve, speaking both for himself and fellow Facebook security researcher Jennifer Urgilez, offered more details about this scheme at the VB 2020 conference last week. Facebook insiders call the group behind it SilentFade and discovered that it came from a Chinese malware ecosystem that used different types of malware in its cybercrime sprees.

Facebook discovered the malware family near the end of 2018 but traced its origins back to 2016. SilentFade has a keen focus on social media targets. “SilentFade is interesting to us as it explicitly targets users of social networks and more recently services with social components like Amazon,” Karve said.

The name SilentFade comes from “Silently running Facebook ads with exploits.” “The malware is capable of running ads on Facebook, without the user’s knowledge, by exploiting a bug on the platform,” Karve said at the conference.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Brett Jordan on Unsplash


New FBI strategy seeks to disrupt threat actors, help defenders through better coordination

Articles, Blog, Coronavirus, Cyber Security, cybersecurity, DHS, FBI

The FBI sharpens its focus on collaboration among US and foreign government agencies and the private sector. It will act as a central hub to deal with cybersecurity threats.

Last week, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint announcement about the potential threat that foreign-backed online journals pose in spreading misinformation ahead of the crucial 2020 US presidential election. This alert, intended to raise public awareness based on government intelligence, reflects a new strategic direction by the FBI to work with partners across the federal landscape to better protect the American public and its allies from cyber threats.

“It’s a complex threat environment where our greatest concerns involve foreign actors using global infrastructure to compromise US networks,” Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division, said during a conference at Auburn University’s McCrary Institute organized to debut the Bureau’s new strategy.

Ugoretz said that among the many factors the FBI must now juggle in dealing with cyber threats are:

  • The increased attack surface stemming from widespread work-at-home arrangements due to the COVID-19 crisis
  • Attackers’ growing willingness to exploit the increased vulnerabilities the wider attack surface makes possible
  • The increase in availability of tools that threat actors use to launch attacks
  • Growth in the number of both criminal and nation-state threat actors

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Jack Young on Unsplash


CIOs say security must adapt to permanent work-from-home

Articles, Blog, Coronavirus, Cyber Security, cybersecurity, DHS, Insider Threat

Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.

The entire US economy and government were forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organizations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.

COVID has resulted in a lot of forward-looking changes, Jim Weaver, CIO of Washington State, said on the second day of the annual Cybersecurity Summit hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “COVID has been our chief innovation officer. Now as a state we’re pivoting to change our service methodologies while in the middle of a pandemic and economic downturn.” Washington recorded the first confirmed US COVID case in January.

“Governor Inslee has been a big proponent for remote work for a lot of reasons and so we did have a culture and mindset in place already enabled to support it,” Weaver said. Washington had to jump from an average of 3,000 to 4,000 remote concurrent connections to 65,000 to 70,000 almost overnight. “That went pretty flawlessly, I’m pleased to say.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Charles Deluvio on Unsplash


Ransomware attacks growing in number, severity: Why experts believe it will get worse

Articles, Blog, Cyber Security, cybersecurity, DHS, ransomware

Law enforcement and federal experts discuss recent ransomware trends and challenges of fighting the attacks.

Ransomware has become the most chronic and common threat to digital networks. At a time when 41% of all cybersecurity insurance claims flow from ransomware attacks, it’s no surprise that ransomware is top of mind for leading security experts, government officials and law enforcement leaders.

“I think ransomware is going to get worse and I hate to say it, but it’s almost the perfect crime,” Mark Weatherford, chief strategy officer and board member of the non-profit National Cyber Security Center, told attendees at the third annual Hack the Capitol event. “It’s easy to pull off and it’s almost impossible to get caught.”

While major ransomware events grab all the headlines, Weatherford worries about the smaller victims of ransomware attackers. “Small- and medium-sized businesses simply don’t have the resources or the technical acumen to understand the threat environment that they live in,” he said.

Sometimes it can seem like a ransomware attack is inevitable. “A lot of my friends in companies that I talk to on a regular basis literally are waiting for that shoe to drop when they are the victim of a big ransomware event,” Weatherford said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Michael Geiger on Unsplash

TLS attacks and anti-censorship hacks

Articles, Blog, Censorship, China, Cyber Security, cybersecurity, TLS

Despite safeguards in TLS 1.3, China is still censoring HTTPS communications, according to a new report. There are workarounds to this. Plus, how TLS can be used as an attack vector.

The Transport Layer Security (TLS) protocol emerged as a focal point of attention for the information security world during August as the Chinese government updated its censorship tool, the Great Firewall of China, to block HTTPS traffic that uses the latest TLS version together with the ESNI extension. The topic got even more attention when security researchers offered workarounds to TLS-enabled censorship and demonstrated potential TLS-based attacks at DEF CON: Safe Mode.

TLS is a widely adopted protocol that enables privacy and data security for internet communications, mostly by encrypting communications between web applications and servers. TLS 1.3, the most recent version, was published in 2018. TLS is the foundation of the more familiar HTTPS technology and hides the content of communications from uninvited third parties, even though it does not necessarily hide who is communicating: the endpoints’ IP addresses, and in most deployments the requested hostname, remain visible on the wire.

Encrypted server name indication (ESNI), a draft extension built on TLS 1.3, encrypts the server hostname that the standard Server Name Indication (SNI) field otherwise sends in the clear in the ClientHello, which makes it difficult for third parties, such as nation-states, to censor HTTPS communications by hostname. In early August, three organizations — iYouPort, the University of Maryland and the Great Firewall Report — issued a joint report about the apparent blocking of TLS connections carrying the ESNI extension in China.
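The following is an added example, not code from the CSO article or from the cited report, showing why the plaintext SNI is what a censor keys on and what changes when ESNI is used. It constructs two minimal ClientHello records inline (one with a normal SNI for a constructed hostname, one carrying the ESNI extension instead), parses them the way a passive middlebox would, and applies a simplified policy: match the visible SNI against a deny list, or block any ClientHello that carries ESNI at all, which is the behaviour the report describes. The extension type 0xffce is the value used by the draft-ietf-tls-esni specification; the ESNI payload bytes here are arbitrary filler, not a valid encrypted name.

```python
"""Parse a TLS ClientHello to show what a passive observer (or censor) can see.

Constructed example. Record, handshake and extension framing follow RFC 8446;
the ESNI extension type 0xffce follows draft-ietf-tls-esni. Hostnames, the
random field and the ESNI payload are made up for this demonstration.
"""
import struct

EXT_SERVER_NAME = 0x0000   # server_name (RFC 6066), carries the hostname in the clear
EXT_ESNI = 0xFFCE          # encrypted_server_name (draft-ietf-tls-esni)


def sni_extension(hostname: str) -> bytes:
    """Build a server_name extension: ServerNameList of one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def esni_extension() -> bytes:
    """Build an ESNI extension with placeholder bytes (not a real encrypted SNI)."""
    filler = b"\xaa" * 16
    return struct.pack("!HH", EXT_ESNI, len(filler)) + filler


def build_client_hello(extensions: bytes) -> bytes:
    """Wrap extensions in a minimal TLS record carrying a ClientHello handshake."""
    body = (
        b"\x03\x03"              # legacy_version TLS 1.2 (TLS 1.3 negotiates via supported_versions)
        + b"\x00" * 32           # random (constructed, all zero)
        + b"\x00"                # legacy_session_id: empty
        + b"\x00\x02\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # legacy_compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> dict:
    """Return what is visible without keys: plaintext SNI (if any) and whether ESNI is present."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                                  # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    seen = {"sni": None, "esni": False, "extensions": []}
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        seen["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            # ServerNameList: list length(2), name_type(1), name length(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_ESNI:
            seen["esni"] = True
    return seen


def censor_decision(record: bytes, blocked_hosts: set) -> str:
    """Simplified middlebox policy: block known hostnames, or block anything it cannot read."""
    seen = inspect_client_hello(record)
    if seen["esni"]:
        return "block (ESNI present, hostname unknown)"
    if seen["sni"] in blocked_hosts:
        return f"block (SNI {seen['sni']})"
    return "allow"


if __name__ == "__main__":
    plain = build_client_hello(sni_extension("blocked.example"))
    hidden = build_client_hello(esni_extension())
    print(inspect_client_hello(plain), censor_decision(plain, {"blocked.example"}))
    print(inspect_client_hello(hidden), censor_decision(hidden, {"blocked.example"}))
```

Running it shows the trade-off the report documents: with plain SNI the censor sees the hostname and can block selectively; with ESNI it sees nothing usable and, rather than allowing the connection, blocks every ClientHello that carries the extension.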

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Hybrid cloud complexity, rush to adopt pose security risks, expert says

Articles, Blog, Cloud security, Cyber Security, cybersecurity

Organizations rushing to adopt hosted cloud infrastructure alongside on-premises systems might not fully understand or address potential security threats.

As enterprises race to adopt cloud technology, they also encounter a combination of new possible threats from the rapid and frequently unorganized deployment of different cloud-based technologies. Particular concerns surround the adoption of so-called hybrid cloud technologies, Sean Metcalf, founder of cloud security advisory company Trimarc told the attendees of DEF CON Safe Mode last week.

The hybrid cloud is a blend of on-premises infrastructure combined with cloud-hosted infrastructure (infrastructure-as-a-service, or IaaS) and services (software-as-a-service, or SaaS). The IaaS providers are usually giants such as Amazon’s AWS, Microsoft’s Azure or Google Cloud Platform. Extending on-premises data centers into the cloud basically means the cloud is effectively operating as a virtualization host like VMware or Microsoft Hyper-V, Metcalf said.

Because of this effective virtualization, any attacks that are associated with those cloud data center elements are similar to how you would attack VMware and Hyper-V “but with the additional overhead of ‘well, it’s hosted by Microsoft or it’s hosted by Amazon, or it’s hosted by Google,’” Metcalf tells CSO.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

CISO Q&A: How AvidXchange manages COVID-related threats and risk

Articles, Blog, Coronavirus, Cyber Security, cybersecurity

Like many CISOs, Christina Quaine’s team is supporting the payment processor’s work-at-home employees and managing internal pandemic-specific risks. It also helps its mid-market customers meet new security challenges.

CSO caught up with Christina Quaine, the CISO of AvidXchange, a North Carolina-based payments processor that focuses on mid-market companies. We talked to her about how this mid-sized company, with 1,400 or so employees, has dealt with the changes wrought by the COVID pandemic. Given the company’s role in financial transactions, we were particularly keen to hear how the rise in coronavirus fraud was affecting her job. Below is a transcript of our conversation, edited for length and clarity.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

18 (new) ways attackers can compromise email

Articles, Blog, Cyber Security, cybersecurity, Email, Phishing

Researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders, making it even easier for criminals to fool users.

All organizations wrestle with chronic phishing attacks that are the primary vectors through which malicious actors breach systems and spread malware.

Most phishing attackers deliver their payloads by crafting spoofed emails that look like they come from legitimate, authoritative senders. Those look-alike emails instead originate from domains registered solely for malicious purposes. It’s virtually impossible for most email recipients to tell real and spoofed sender addresses apart, making phishing an intractable and seemingly never-ending problem for users and organizations alike.

Now computer science researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders. Vern Paxson, Professor of Computer Science at UC Berkeley and Co-Founder and Chief Scientist at Corelight, Jianjun Chen, Post-Doc researcher at the International Computer Science Institute, and Jian Jiang, Senior Director of Engineering at F5 (Shape Security), presented the results of their research at Black Hat last week in a talk entitled “You Have No Idea Who Sent That Email: 18 Attacks on Email Sender Authentication.”
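The eighteen attacks themselves are not described on this page, so the following added example (not code from the talk or the article) shows only the baseline the attacks target: the DMARC identifier-alignment check (RFC 7489) that ties the domain SPF or DKIM actually authenticated to the domain a user sees in the From header. It also handles one ambiguity the standard anticipates, a message whose From field carries more than one address or appears twice, which a receiver should reject rather than evaluate. The messages, domains and the two-label approximation of the organizational domain are constructed assumptions for this example.

```python
"""DMARC-style alignment between the authenticated domain and the visible From.

Constructed example. authenticated_domain stands for the domain that an SPF
or DKIM pass returned; the SPF/DKIM evaluation itself is out of scope here.
org_domain() approximates the organizational domain as the last two labels,
which is an assumption (real receivers consult the public suffix list).
"""
from email import message_from_string
from email.utils import getaddresses


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two DNS labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domains(raw_message: str) -> list:
    """Every domain found in From header(s).

    RFC 5322 allows one From field that may list several mailboxes; duplicate
    From fields are malformed but parsers disagree on which one wins. Returning
    all of them lets the caller refuse anything that is not exactly one address.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("From") or []
    addrs = [addr for _, addr in getaddresses(headers) if "@" in addr]
    return [addr.rsplit("@", 1)[1].lower() for addr in addrs]


def dmarc_aligned(authenticated_domain: str, from_domain: str, strict: bool) -> bool:
    """RFC 7489 identifier alignment: strict requires an exact match, relaxed the same org domain."""
    if strict:
        return authenticated_domain.lower() == from_domain.lower()
    return org_domain(authenticated_domain) == org_domain(from_domain)


def evaluate(raw_message: str, authenticated_domain: str, strict: bool = False) -> str:
    """Verdict for a message given the domain SPF or DKIM authenticated."""
    domains = from_domains(raw_message)
    if len(domains) != 1:
        # RFC 7489 section 6.6.1: multiple From fields or addresses should be
        # rejected or treated as failing, never used to pick a convenient domain.
        return "reject: ambiguous From"
    if dmarc_aligned(authenticated_domain, domains[0], strict):
        return "pass"
    return f"fail: From {domains[0]} not aligned with {authenticated_domain}"


# Constructed sample messages (headers only matter here).
LEGIT = "From: Alice <alice@mail.example.com>\nSubject: hi\n\nbody\n"
SPOOF = "From: CEO <ceo@example.com>\nSubject: urgent\n\nbody\n"
MULTI = "From: CEO <ceo@example.com>, <boss@attacker.example>\nSubject: urgent\n\nbody\n"
DUPE = "From: ceo@example.com\nFrom: boss@attacker.example\nSubject: urgent\n\nbody\n"

if __name__ == "__main__":
    print(evaluate(LEGIT, "mail.example.com", strict=True))   # pass
    print(evaluate(LEGIT, "example.com"))                      # pass (relaxed)
    print(evaluate(SPOOF, "attacker.example"))                 # fail: attacker authenticated its own domain
    print(evaluate(MULTI, "attacker.example"))                 # reject: ambiguous From
    print(evaluate(DUPE, "attacker.example"))                  # reject: ambiguous From
```

The spoof case is the important one: the attacker’s mail passes SPF and DKIM for attacker.example, and only the alignment step catches that the displayed From domain is someone else’s. Any divergence between how the authenticating component and the displaying component parse the From header is a way to get a "pass" verdict for a From the user reads differently, which is the general shape of the problem the talk’s title refers to.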

[This article appeared in CSO Online. To read the rest of the article please visit here.]