
Not All Hacks Are Created Equal

Hacks, breaches and security intrusions are in the headlines on a day-to-day basis, but these hacks aren’t all created equal. According to new analysis from HackerOne, the kind of intrusion differs by industry and breach type.

The Hacker-Powered Security Report 2018 compiled comprehensive analysis on the hacker-powered security environment, including a deep dive into different types of hacks across a wide variety of industries. The report also looked at the prevalence of each attack and found that cross-site scripting (XSS) vulnerabilities were the most common across every industry.

The report data was derived from the hacker community and from HackerOne’s platform data from May 2017 to April 2018. The company analyzed 78,275 of the security vulnerability reports it received in 2017. It’s worth noting that ethical hackers reported those vulnerabilities to over 1,000 organizations through HackerOne.

The total number of critical vulnerabilities reported increased by 26% over 2017. There were 38 times more insecure storage vulnerabilities reported in 2017 than in 2016. Many of these insecure storage vulnerabilities resulted in major breaches.

For healthcare and technology industries, of the top 15 vulnerability types reported, nearly 8,000 were related to information disclosure. The results of the analysis suggested that organizations are “vastly underprepared for effective discovery, communication, remediation and disclosure of vulnerabilities as 93% of the Forbes Global 2000 list do not have a policy to receive, respond and resolve critical bug reports submitted by the outside world. It means we are less safe as a society.”

In contrast, the analysis suggests that hackers and enterprises have much reason to be optimistic. The potential to earn a living as a hacker has grown substantially, with hackers in over 100 countries taking home $31m. Top earners brought home 2.7 times the median salary of a software engineer in their home country, with some reportedly earning up to 16 times more.

Other key findings that bode well for hackers is that governments are paving the way for widespread adoption of bug bounty programs and many enterprises are adopting vulnerability disclosure policies (VDPs).

“Latin America had the largest uptake of VDPs and bug bounty programs, with an increase of 143% year over year. North America and the Asia Pacific region each increased 37%, and Europe, the Middle East, and Africa saw a combined 26% increase in the past year,” the report wrote.

Cyber threats are on the rise in Singapore, mirroring global trends

In 2017, the global cyber landscape continued to evolve. Cyber threats continued to grow in frequency and impact. Notably, there was a shift from profit-motivated attacks towards those aimed at causing massive disruptions, such as the WannaCry ransomware campaign.

As a highly-connected country, Singapore’s cyber landscape mirrored these global trends, according to the Cyber Security Agency of Singapore’s (CSA) “Singapore Cyber Landscape 2017” publication, which highlights facts and figures on cyber threats that Singapore faced in 2017, as well as the need to build up cyber resilience.

Common cyber threats such as phishing, website defacements, and malware infections also showed no signs of abating in 2017.

  • Website Defacements. 2,040 website defacements were observed in 2017. Many defacements were part of global mass defacement campaigns. The defaced websites belonged mostly to Small and Medium Enterprises (SMEs) from a range of sectors such as manufacturing, retail, and Information and Communications Technology (ICT).
  • Phishing. 23,420 phishing URLs[2] with a Singapore-link were found in 2017. Phishing emails are one of the simplest and most effective methods that hackers use to steal sensitive personal data (e.g. passwords, contact information, credit card details), by tricking users into opening dubious links or attachments. The websites of technology companies such as Apple and Microsoft were commonly spoofed, making up about 40 per cent of the observed phishing
  • Malware Infections.   
    • Compromised Systems. In 2017, CSA observed about 750 unique Command & Control (C&C) servers in Singapore, and a daily average of about 2,700 botnet drones with Singapore IP addresses. Of the more than 400 malware variants detected in 2017, five were observed to have caused the majority of the infections. Conficker, Mirai, Cutwail, Sality, and WannaCry accounted for more than half of the systems infected daily. The majority of these malware are not new, suggesting that many victims are not scanning for viruses and cleaning up their systems.
    • Ransomware. Singapore was relatively unscathed by major ransomware campaigns such as WannaCry. 25 cases of ransomware were reported to SingCERT in 2017. Besides WannaCry, victims were infected by ransomware such as Cerber, Dharma, and Sage, and faced ransom demands ranging between S$2,000 and S$4,000.

Cybercrime on the Rise

The Singapore Police Force (SPF) reported that cybercrime continued to rise in 2017, with 5,430 cybercrime cases reported. Between 2016 and 2017, cybercrime cases grew from 15.6 per cent to 16.6 per cent of total crimes, even as overall crime fell.

Online cheating accounted for the majority of cybercrime cases, with other cases involving compromised social media and SingPass accounts, impersonation scams, ransomware and unauthorised access. These are offences under the Computer Misuse and Cybersecurity Act. Singapore’s first conviction of a Dark Web-related crime took place in November 2017.

Cyber Threats Singapore Faces

Threats to Critical Information Infrastructure (CII) Sectors. CII sectors deliver essential services and a compromise of their systems can have a debilitating impact on Singapore’s society and economy. CII sectors such as Banking & Finance and Government remain prime targets for cyber-attacks, because of the sensitive information held by organisations in these sectors. In September 2017, the website of a Singapore insurance company was breached, compromising the personal data of 5,400 customers, including their e-mail addresses, mobile numbers and dates of birth. Government agencies also faced a range of cyber threats, including system intrusions and spoofed websites. To better protect Government systems and citizens’ data, Government agencies separated Internet surfing from Government networks in 2017.

Threats to Businesses. Businesses are common targets of cyber-attacks. SMEs are especially vulnerable, as they often lack the resources or know-how to adopt appropriate cybersecurity practices. Almost 40 per cent of the 146 cases reported to SingCERT in 2017 involved businesses, particularly SMEs, and most of the cases involved phishing attacks and ransomware. Businesses are encouraged to invest in cybersecurity solutions to protect themselves from cyber-attacks.

Threats to Individuals. The three most common cyber threats reported to SingCERT by individuals were phishing, ransomware and tech support scams. A public awareness survey of 2,035 respondents conducted by CSA in 2017 showed that most respondents recognised that everyone had a role to play in cybersecurity, and were concerned about cybersecurity risks. However, there were still gaps in habits when it came to password management and updating of software. To encourage adoption of good cybersecurity practices, the publication highlights four cyber tips to help readers go safe online.

Building up Singapore's Cyber Resilience

A cyber-attack is inevitable. When it happens, it is important that Singapore is able to respond and recover expediently. CSA works closely with partners from the public and private sectors to build up Singapore’s cyber resilience. Efforts include the introduction of the new Cybersecurity Act to strengthen the protection of CII sectors, conducting regular cybersecurity exercises to raise CII sector readiness in responding and dealing with cyber incidents, as well as initiatives to develop a professional cybersecurity workforce.

CSA also reaches out to businesses and individuals to raise cybersecurity awareness and adoption through campaigns and platforms such as GoSafeOnline, the SingCERT website and social media channels. Other efforts include the push for cybersecurity research and development to accelerate the growth of the industry to support Smart Nation initiatives. CSA also collaborates with international partners to build cyber capacity and drive the adoption of voluntary cyber norms for a “rules-based” international order in cyberspace.

David Koh, Commissioner of Cybersecurity and Chief Executive of CSA, said, “Given Singapore’s connectivity, what happens globally is often immediately felt here. As we continue our Smart Nation push, we have to raise our cyber hygiene and defences, especially against cyber-attackers who are getting better resourced and skilled. We need to play our part by being vigilant and adopting good cybersecurity practices to keep Singapore’s cyberspace safe and trustworthy for all.”

THE WORST CYBERSECURITY BREACHES OF 2018 SO FAR

LOOKING BACK AT the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

Russian Grid Hacking

In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

US Universities

In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Rampant Data Exposures

Data breaches have continued apace in 2018, but their quiet cousin, data exposure, has been prominent this year as well. A data exposure, as the name suggests, is when data is stored and defended improperly such that it is exposed on the open internet and could be easily accessed by anyone who comes across it. This often occurs when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access. This was the case with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The trove didn’t include Social Security numbers or credit card numbers, but it did comprise 2 terabytes of very personal information about hundreds of millions of US adults—not something you want hanging out for anyone to find. The problem was discovered by security researcher Vinny Troia and reported by WIRED in June. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.

Cloud leaks pop up regularly, but data exposures can also occur when software bugs inadvertently store data in a different format or location than intended. For example, Twitter disclosed at the beginning of May that it had been unintentionally storing some user passwords unprotected in plaintext in an internal log. The company fixed the problem as soon as it found it, but wouldn’t say how long the passwords were hanging out there.

After the revelation of a data exposure, organizations often offer the classic reassurance that there is no evidence that the data was accessed improperly. And while companies can genuinely come to this conclusion based on reviewing access logs and other indicators, the most sinister thing about data exposures is that there’s no way to know for sure what exactly went down while no one was watching.

Under Armour

Hackers breached Under Armour’s MyFitnessPal app in late February, compromising usernames, email addresses, and passwords from the app’s roughly 150 million users. The company discovered the intrusion on March 25 and disclosed it in under a week—some welcome hustle from a large company. And it seems Under Armour had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials. The company had even protected the passwords it was storing by hashing them, or converting them into unintelligible strings of characters. Pretty great, right? There was one crucial issue, though: Despite doing so many things well, Under Armour admitted that it had only hashed some of the passwords using the robust function called bcrypt; the rest were protected by a weaker hashing scheme called SHA-1, which has known flaws. This means that attackers likely cracked some portion of the stolen passwords without much trouble to sell or use in other online scams. The situation, while not an all-time-worst data breach, was a frustrating reminder of the unreliable state of security on corporate networks.

One to Watch: VPNFilter

At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks. VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neuter the botnet, but researchers are still identifying the full scope and range of this attack.

Looking For Secure VPN Services? Get a Lifetime Subscription

PRIVACY – a bit of an Internet buzzword nowadays, because the business model of the Internet has now shifted towards data collection.

Today, most users surf the web unaware of the fact that websites and online services collect their personal information, including search histories, location, and buying habits, and make millions by sharing that data with advertisers and marketers.

If this is not enough, then there are governments across the world conducting mass surveillance, and hackers and cyber criminals who can easily steal sensitive data from the ill-equipped networks, websites, and PCs.

So, what’s the solution and how can you protect your privacy, defend against government surveillance and prevent malware attacks?

No matter which Internet connection you are using to go online, one of the most efficient solutions to maximize your privacy is to use a secure VPN service.

In this article, we have introduced two popular VPN services, TigerVPN and VPNSecure, which help you in many ways. But before talking about them, let’s dig deeper into what a VPN is, why it matters, and why you should use one.

What is a VPN & Why You Should Use It?

A VPN, or Virtual Private Network, is nothing but an encrypted tunnel between you and the Internet.

Once you connect to your VPN service, all of your Internet browsing activity goes through the VPN’s servers, which blocks third parties, including the government and your ISP, from snooping on your connection.

  • Secure and Encrypted Web Browsing: VPNs enhance online security by keeping your data secured and encrypted.
  • Online Anonymity: VPNs help you browse the Internet in complete anonymity so that no one can track the origin of your Internet connection back to you.
  • Prevent Data & Identity Theft: VPNs encrypt all data transferred between your computer and the Internet, allowing you to keep your sensitive information safe from prying eyes and significantly reducing the risk of security breaches and cyber attacks.
  • Unblock Websites & Bypass Internet Restrictions: A VPN essentially hides your IP address, so your visits to restricted sites do not register with the third party, including your government or ISP, trying to block you, preserving your online freedom of speech.
  • Hide Your Browsing History From ISP: VPNs stop your ISP from logging your web visits, as the spying ISP will not be able to see what you are visiting on the Internet.
  • Multiple Devices Supported: Many VPN services support multiple devices and work on all operating systems, such as Windows, Mac, Linux, Android, and iOS. With multiple device support, you can set up your PC, work computer and smartphone to access one VPN at the same time.


Ex-NSO Employee Caught Selling Stolen Phone Hacking Tool For $50 Million

A former employee of NSO Group, one of the world’s most powerful hacking companies, has been arrested and charged with stealing phone hacking tools from the company and secretly trying to sell them for $50 million on the Darknet.

Israeli hacking firm NSO Group is mostly known for selling high-tech malware capable of remotely cracking into Apple’s iPhones and Google’s Android devices to intelligence apparatuses, militaries, and law enforcement around the world.

However, the phone hacking company has recently become the victim of an insider breach attack carried out by a 38-year-old former NSO employee, who stole the source code for the company’s most powerful spyware called Pegasus and tried to sell it for $50 million on the dark web in various cryptocurrencies, including Monero and Zcash, Israeli media reported.

That’s much higher than NSO Group’s actual price tag for Pegasus, which reportedly sells for under $1 million per deployment.

If you remember, Pegasus is the same spyware that was used to target human rights activist Ahmed Mansoor in the United Arab Emirates in mid-2016.

Pegasus can hack mobile phones remotely, allowing an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user’s location, microphone, and camera—all without the victim’s knowledge.

According to an indictment filed by Israel’s attorney general, which does not name the employee, the accused worked in NSO’s quality assurance department, and upon realizing that he was going to lose his job, he copied top-secret code from NSO’s networks to an external hard drive after disabling McAfee security software on his PC.

Following his dismissal on April 29, the accused contacted an unidentified individual on the darknet, representing himself as a member of a hacking crew who had successfully broken into NSO computers and attempted to sell the hard drive containing the spyware code for $50 million.

Ironically, the buyer himself in turn informed the company about their leaked hacking tools and the sale on the dark web.

NSO Group said the company quickly identified the breach and unnamed suspect and contacted the authorities, adding that no material had been shared with any third-party and that no customer data or information was compromised.

The suspect was arrested on June 5, and the stolen property was secured. He was then charged with an attempt to sell security tools without an appropriate license, employee theft, and attempt to harm property in a manner that could hurt state security.

With 500 employees and a valuation of $900 million, NSO Group has been working on a deal worth $1 billion with US-based software company Verint Systems, which is willing to merge its security division with NSO, as was revealed in May this year.

Juniper Networks simplifies path to a secure and automated multicloud

Juniper Networks has expanded its campus portfolio, including extending EVPN-VXLAN fabric to the campus, enabling a common architecture for campus and data center fabrics by unifying disparate architectures.

Through this unification, Juniper Networks is providing the building blocks for an enterprise-wide fabric, a key component in building a simple, secure and automated multicloud.

Juniper also announced enhancements to its branch portfolio with new capabilities in its Contrail SD-WAN solution, utilizing NFX Series, SRX Series and vSRX Series WAN Edge devices combined with Contrail Service Orchestration.

Most enterprises have separate campus and data center networks, leveraging entirely different architectures to provide connectivity across the two domains. This leads to divergent operations, which inhibits enterprises’ attempts to unify their infrastructure under a common operational umbrella. With Juniper’s new EVPN-VXLAN campus architecture, enterprises can build campus networks using the same protocols that are popular in the most stable and efficient data centers that exist today.

To facilitate the way customers can deploy their entire campus, Juniper has also expanded its campus portfolio via a resell agreement with a global Wi-Fi leader, Aerohive Networks, and today announced the expansion of their strategic partnership to provide a cloud-managed, wired, wireless and WAN solution.

Juniper Sky Enterprise integrates with Aerohive’s Cloud Services APIs and Aerohive’s HiveManager Network Management System to provide a single pane of glass for monitoring the entire wired and wireless campus network. The solution offers customers choice of deployment models – including public cloud, private cloud or on-premises.

Understanding that the branch is also an integral part of the customer’s journey to multicloud, Juniper is enhancing its Contrail SD-WAN capabilities with support for fine-grained Application Quality of Experience (AppQoE) and industry-first active-active clustering for Juniper’s NFX and SRX Series branch devices.

Juniper is also expanding its 5-step multicloud migration framework to include evolution paths for campus and branch networks. The 5-step multicloud migration provides enterprises with a set of best practices, natural technology insertions and recommended products and services to more easily complete the journey to a secure and automated multicloud.

“Since implementing Juniper Networks’ switching products, James Cook University now has the foundation for secure and automated multicloud, giving the university flexibility to accelerate our use of private and public cloud resources,” said Swain Kirk, Head of ICT Infrastructure Services at James Cook University.

“Our network now has a consistent design for the core, data center and campus networks using Juniper’s QFX and EX Series switches, which deliver significant operational simplicity. Our IT team can consistently apply policies and operations across multiple campuses, clouds and other locations. Previously, if one switch went offline, it could take down seven floors or three buildings. But now with a highly resilient, redundant network design, we can lose a piece of equipment in the chain without impacting the user experience.”

Researchers Uncover New Attacks Against LTE Network Protocol

If your mobile carrier offers LTE, also known as the 4G network, you need to beware as your network communication can be hijacked remotely.

A team of researchers has discovered some critical weaknesses in the ubiquitous LTE mobile device standard that could allow sophisticated hackers to spy on users’ cellular networks, modify the contents of their communications, and even re-route them to malicious or phishing websites.

LTE, or Long Term Evolution, is the latest mobile telephony standard used by billions of people designed to bring many security improvements over the predecessor standard known as Global System for Mobile (GSM) communications.

However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept users’ communications, spy on phone calls and text messages, send fake emergency alerts, spoof the location of a device and knock devices entirely offline.

4G LTE Network Vulnerabilities

Now, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi have developed three novel attacks against LTE technology that allowed them to map users’ identity, fingerprint the websites they visit and redirect them to malicious websites by tampering with DNS lookups.

All three attacks, explained by researchers on a dedicated website, abuse the data link layer, also known as Layer Two, of the ubiquitous LTE network.

The data link layer lies on top of the physical channel, which maintains the wireless communication between the users and the network. It is responsible for organizing how multiple users access resources on the network, helping to correct transmission errors, and protecting data through encryption.

Two of the three attacks, identity mapping and website fingerprinting, are passive: the attacker only listens to the data passing over the airwaves between the target’s phone and the base station.

However, the third, DNS spoofing attack, dubbed “aLTEr” by the team, is an active attack, which allows an attacker to perform man-in-the-middle attacks to intercept communications and redirect the victim to a malicious website using DNS spoofing attacks.

What is aLTEr Attack?

Since the data link layer of the LTE network is encrypted with AES-CTR but not integrity-protected, an attacker can modify the bits even within an encrypted data packet, which later decrypts to a related plaintext.

“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” the researchers said in their paper.

In an aLTEr attack, the attacker pretends to be a real cell tower to the victim while at the same time pretending to be the victim to the real network, and then intercepts the communications between the victim and the real network.

As a proof-of-concept demonstration, the team showed how an active attacker could redirect DNS (domain name system) requests and then perform a DNS spoofing attack, causing the victim mobile device to use a malicious DNS server that eventually redirects the victim to a malicious site masquerading as Hotmail.

The researchers performed the aLTEr attack against a commercial network and a commercial phone within their lab environment. To prevent unintended interference with the real network, the team used a shielding box to stabilize the radio layer.

Also, they set up two servers, their DNS server, and an HTTP server, to simulate how an attacker can redirect network connections. You can see the video demonstration to watch the aLTEr attack in action.

The attack is dangerous, but it is difficult to perform in real-world scenarios. It also requires equipment (USRP), about $4,000 worth, to operate—something similar to IMSI catchers, Stingray, or DRTbox—and usually works within a 1-mile radius of the attacker.

Forthcoming 5G networks may also be vulnerable to these attacks, as the team said that although 5G supports authenticated encryption, the feature is not mandatory, which likely means most carriers do not intend to implement it, potentially making 5G vulnerable as well.

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the researchers said.

“However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”

What’s Worse? LTE Network Flaws Can’t be Patched Straightaway

Since the attacks work by abusing an inherent design flaw of the LTE network, they cannot be patched, as doing so would require overhauling the entire LTE protocol.

As part of its responsible disclosure, the team of four researchers—David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper—notified both the GSM Association and the 3GPP (3rd Generation Partnership Project), along with other telephone companies, before going public with their findings.

In response to the attacks, the 3GPP group, which develops standards for the telecommunications industry, said that an update to the 5G specification might be complicated because carriers like Verizon and AT&T have already started implementing the 5G protocol.

How Can You Protect Against LTE Network Attacks?

The simplest way to protect yourself from such LTE network attacks is to always check that the site in your address bar is being served over HTTPS.

The team suggests two exemplary countermeasures for all carriers:

1.) Update the specification: All carriers should band together to fix this issue by updating the specification to use an encryption protocol with authentication like AES-GCM or ChaCha20-Poly1305.

However, the researchers believe this is likely not feasible in practice, as the implementation of all devices must be changed to do this, which will lead to a high financial and organizational effort, and most carriers will not bother to do that.

2.) Correct HTTPS configuration: Another solution would be for all websites to adopt the HTTP Strict Transport Security (HSTS) policy, which would act as an additional layer of protection, helping prevent the redirection of users to a malicious website.
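To make the malleability described in the aLTEr quote above and the authenticated-encryption fix in countermeasure 1 concrete, here is an added Go example (not code from the researchers’ paper or from any carrier). It encrypts a constructed user-plane payload with AES-CTR, applies a bit-flip that changes one field without the key, and then shows that the same flip against AES-GCM is rejected before any plaintext is released. The key, IV, nonce and payload are all constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo material; a real LTE session derives keys per bearer.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256 (constructed)
	demoCtrIV = []byte("ctr-iv-16-bytes!")                 // 16-byte CTR counter block (constructed)
	demoNonce = []byte("gcm-nonce-12")                     // 12-byte GCM nonce (constructed)
)

// ctrXOR encrypts or decrypts with AES-CTR; both directions are the same
// operation because CTR only XORs a keystream onto the data.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// flipCTR rewrites a CTR ciphertext so that the bytes at offset, originally
// orig, decrypt to want. No key or keystream is needed, only a guess of orig:
// this is the malleability the paper describes.
func flipCTR(ct []byte, offset int, orig, want []byte) ([]byte, error) {
	if len(orig) != len(want) || offset < 0 || offset+len(orig) > len(ct) {
		return nil, errors.New("orig/want must be equal length and inside ciphertext")
	}
	out := append([]byte(nil), ct...)
	for i := range orig {
		out[offset+i] ^= orig[i] ^ want[i] // (k ^ orig) ^ orig ^ want == k ^ want
	}
	return out, nil
}

// gcmSeal encrypts with AES-GCM, appending a 16-byte authentication tag.
func gcmSeal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen verifies the tag before releasing any plaintext; a single flipped
// bit anywhere in the ciphertext or tag makes it return an error.
func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Demo runs both sides: what a CTR receiver decrypts after tampering, and
// whether a GCM receiver rejected the identical tampering.
func Demo() (ctrResult string, gcmRejected bool, err error) {
	plaintext := []byte("resolver=192.0.2.53 query=example.org") // constructed payload
	orig := []byte("192.0.2.53")
	want := []byte("192.0.2.99") // same length as orig; documentation range
	off := bytes.Index(plaintext, orig)

	ct, err := ctrXOR(demoKey, demoCtrIV, plaintext) // unauthenticated CTR
	if err != nil {
		return "", false, err
	}
	forged, err := flipCTR(ct, off, orig, want)
	if err != nil {
		return "", false, err
	}
	pt, err := ctrXOR(demoKey, demoCtrIV, forged)
	if err != nil {
		return "", false, err
	}
	ctrResult = string(pt) // the flip lands unnoticed

	sealed, err := gcmSeal(demoKey, demoNonce, plaintext) // authenticated GCM
	if err != nil {
		return "", false, err
	}
	forgedSealed, err := flipCTR(sealed, off, orig, want) // GCM's body is CTR-shaped, so the flip applies
	if err != nil {
		return "", false, err
	}
	_, openErr := gcmOpen(demoKey, demoNonce, forgedSealed)
	gcmRejected = openErr != nil
	return ctrResult, gcmRejected, nil
}

func main() {
	ctrResult, gcmRejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR receiver saw: %q\n", ctrResult)
	fmt.Printf("GCM receiver rejected tampering: %v\n", gcmRejected)
}
```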

New Malware Family Uses Custom UDP Protocol for C&C Communications

Security researchers have uncovered a new, highly targeted cyber espionage campaign, believed to be associated with the hacking group behind the KHRAT backdoor Trojan, that has been targeting organizations in South East Asia.

According to researchers from Palo Alto, the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia.

However, in previous years, threat actors behind KHRAT Trojan were allegedly linked to a Chinese cyber espionage group, known as DragonOK.

While monitoring the C&C infrastructure associated with the KHRAT Trojan, researchers identified multiple variants of these two malware families. PLAINTEE appears to be the latest weapon in the group’s arsenal and uses a custom UDP protocol to communicate with its remote command-and-control server.

To deliver both PLAINTEE and DDKONG, attackers use spear-phishing messages with different infection vectors, including malicious macros inside a Microsoft Excel file, an HTA loader, and a DLL loader, each accompanied by decoy files.

“These decoys contain details from public news articles focused primarily on political news and events,” researchers explain. “Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least one case, Facebook.”

Moreover, PLAINTEE downloads and installs additional plugins from its C&C server using the same custom UDP protocol, which transmits data in encoded form.

“These families made use of custom network communication to load and execute various plugins hosted by the attackers,” researchers say. “Notably the PLAINTEE malware’s use of a custom UDP protocol is rare and worth considering when building heuristics detections for unknown malware.”
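The researchers' remark that a custom UDP protocol is a useful heuristic can be turned into a concrete detection: look for a host that repeatedly talks UDP to the same external address on a port that carries no expected service, at near-regular intervals, with the remote side answering. The script below is an added example, not code from Palo Alto Networks and not derived from PLAINTEE's actual traffic; the flow records are constructed in a Zeek conn.log-like layout, and the list of expected UDP ports and the thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# UDP ports routinely expected on an enterprise network (assumption; tune per site).
# Repeated UDP to any other port on an external host deserves a closer look.
KNOWN_UDP_PORTS = {53, 67, 68, 123, 137, 138, 161, 162, 443, 500, 1900, 4500, 5353}

# Constructed flow records (not real telemetry). Fields, Zeek conn.log-style:
# ts  src_ip  dst_ip  dst_port  proto  orig_bytes  resp_bytes
SAMPLE_FLOWS = """\
1529000000 10.0.0.7 203.0.113.9 53 udp 61 140
1529000000 10.0.0.7 198.51.100.5 443 tcp 1200 8800
1529000010 10.0.0.7 192.0.2.44 4242 udp 96 48
1529000070 10.0.0.7 192.0.2.44 4242 udp 96 48
1529000130 10.0.0.7 192.0.2.44 4242 udp 96 48
1529000190 10.0.0.7 192.0.2.44 4242 udp 96 0
1529000250 10.0.0.7 192.0.2.44 4242 udp 96 48
1529000012 10.0.0.8 203.0.113.9 123 udp 48 48
1529000019 10.0.0.8 198.51.100.77 60000 udp 1400 1400
1529000020 10.0.0.8 198.51.100.77 60001 udp 1400 1400
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, ob, rb = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto.lower(), "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return flows


def find_udp_beacons(flows, min_flows=4, max_jitter=0.25):
    """Group UDP flows to uncommon ports by (src, dst, dport) and flag groups that
    recur with near-regular spacing. Returns a list of finding dicts.

    jitter is the coefficient of variation of the inter-flow gaps: 0 means a
    perfectly periodic check-in, which hand-driven traffic rarely produces.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] != "udp" or f["dport"] in KNOWN_UDP_PORTS:
            continue
        groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = []
    for (src, dst, dport), fs in groups.items():
        if len(fs) < min_flows:
            continue  # a single large UDP session (a call, a game) is not a beacon
        times = sorted(f["ts"] for f in fs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        answered = sum(1 for f in fs if f["resp_bytes"] > 0)
        findings.append({"src": src, "dst": dst, "dport": dport, "flows": len(fs),
                         "interval_s": round(avg, 1), "jitter": round(jitter, 3),
                         "answered": answered})
    return findings


if __name__ == "__main__":
    for finding in find_udp_beacons(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed sample, only the host checking in every 60 seconds on UDP/4242 is reported; the DNS and NTP lookups are excluded by port, and the pair of one-off high-port flows never reaches the minimum flow count. In production the same grouping would run over a sliding window of real flow logs, and the port allowlist would be built from what the network actually serves rather than assumed.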

DDKONG, on the other hand, has been in use by the hacking group since February 2017 and has no custom communication protocol like PLAINTEE’s, though it is unclear whether this malware is used by a single threat actor or by several.

According to the researchers, the final payloads of both malware families indicate that their purpose is to conduct cyber espionage against political targets rather than to steal money from them.

Since the RANCOR group primarily targets non-tech-savvy users, it is always advisable to be suspicious of any unsolicited document sent via email and never to click on links inside such documents without first verifying the source.

Most importantly, use behavior-based antivirus software that can detect and block such malware before it infects your device, and keep it and your other applications up to date.

Think unconventionally to mitigate cybersecurity risks

Taking a conventional approach to security is typically about “keeping the bad stuff out” of your network, whether it be spam, viruses, malware, DDoS attacks, or any number of other common threats. But in today’s constantly evolving threat landscape, conventional is not enough.

Proactively assessing your security posture and focusing on mitigating risk on a constant basis is crucial. Not only will this reduce the probability of an attack actually happening, but it will also enable the ability to remediate and recover your business quickly in the event of exposure.

So, how should organisations take this approach?

1. Mitigate the risk posed by targeted email attacks

Spear phishing and business email compromise (BEC) attacks are highly targeted and researched attacks where criminals typically attempt to defraud individuals and lead them to transfer money or share credentials. Criminals engage in casual conversation with victims through email in an attempt to gain their trust before actually doing anything malicious. In many cases, criminals gather background information on victims through social media, which helps make their efforts more convincing.

The success criminals are experiencing makes targeted threats one of the highest-risk vectors for organisations. Based on the Global State of Information Security Survey 2018 by PwC, 31% of respondents in Singapore said that BEC had compromised their businesses. This is among the top five cybersecurity incidents that have impacted businesses. The FBI also estimates that more than US$5 billion has been lost to BEC in recent years. The real challenge for security is that traditional solutions, such as email security gateways and anti-virus solutions, fail to detect these attempts because the messages don’t contain malicious links or attachments. To mitigate the risk of targeted email attacks, an entirely new approach needs to be taken, leveraging less traditional methods.

Artificial intelligence (AI) is increasingly being used to provide messaging intelligence that determines, with a high degree of accuracy, whether an email is part of a spear phishing attack. Domain fraud protection using DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication is also being used to monitor data on domains and gain actionable insight into legitimate and fraudulent usage of a domain. Another approach is fraud simulation training for high-risk individuals, which periodically and automatically trains and tests security awareness with simulated attacks.
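DMARC delivers the insight described above only when the published record is valid and actually asks receivers to report and, eventually, to enforce; a record left at p=none after the monitoring phase still lets spoofed mail through. The checker below is an added example, not code from PwC or from any DMARC vendor; it applies the tag-value rules of RFC 7489 to a DMARC TXT record and lists what keeps the record from protecting the domain. The sample records and the example.com addresses are constructed for illustration.

```python
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a tag -> value map (RFC 7489 tag-value syntax).

    Tag names are lower-cased; values keep their case (mailto: URIs may matter).
    Raises ValueError for an element without '='.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings that stop the record from blocking or reporting spoofed mail.

    An empty list means the policy is enforcing (quarantine/reject on all mail)
    and aggregate reports are being collected.
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as e:
        return [str(e)]

    # RFC 7489: the v tag must come first, or receivers discard the record.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return ["record must begin with v=DMARC1; receivers ignore it otherwise"]

    findings: List[str] = []
    p = tags.get("p", "").lower()
    if p == "":
        # RFC 7489 section 6.6.3: no valid p, but a rua present -> treated as p=none;
        # no rua either -> the record is treated as invalid.
        if "rua" in tags:
            return ["p= missing: receivers fall back to p=none, so nothing is blocked"]
        return ["p= missing and no rua=: receivers treat the record as invalid"]
    if p == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif p not in ("quarantine", "reject"):
        findings.append(f"unknown policy value p={p}")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct} is not an integer between 0 and 100")
    elif int(pct) < 100 and p != "none":
        findings.append(f"pct={pct}: only that share of failing mail gets the policy applied")

    sp = tags.get("sp", "").lower()
    if sp == "none" and p in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the organisational domain is enforced")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is sending as your domain")
    return findings


if __name__ == "__main__":
    # Constructed sample records; example.com is a reserved documentation domain.
    for sample in ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; pct=10",
                   "p=reject; v=DMARC1"]:
        print(sample, "->", assess_dmarc(sample) or "OK")
```

The function takes the record text rather than performing the DNS lookup itself, so it can run offline over an inventory of domains; in practice the input would be the TXT record fetched from _dmarc.<domain>. Note that a passing record says nothing about whether SPF and DKIM are correctly aligned for every legitimate sender, which is what the aggregate reports at the rua= address are for.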

2. Mitigate the risk posed by careless or untrained users

Human error is the Achilles’ heel of cybersecurity systems. In the same Global State of Information Security® Survey 2018, 38% of Singapore companies cited employees as the likely source of cyber incidents, as they are on the front lines of ever-increasing email-based threats like phishing, ransomware, and malware. As hackers become more sophisticated and prevalent, users need to be aware of the threats and able to easily recognise malicious emails. Email security is not just the responsibility of IT – it’s the responsibility of every employee in your organisation.

Part of mitigating the risk is providing regular security training that tests employees and raises their awareness of the various targeted attacks. Simulated targeted-attack training is the most effective form of training. Focus on training high-risk individuals, not just senior executives. Turn your users from part of the attack surface into part of the solution.

3. Mitigate the risk posed by rapid application development

Identifying and remediating application vulnerabilities while maintaining development agility is sometimes challenging. This is particularly true when adopting cloud platforms like AWS and Azure that enable rapid application deployments.

Unfortunately, your applications can act as a significant vector for today’s advanced threats. A single unpatched vulnerability can let an attacker penetrate your network, steal or compromise your (and your customers’) data, and profoundly disrupt your operations. Vulnerabilities in your websites and other public-facing applications can lead to costly data breaches and infiltration. Proactively check for vulnerabilities regularly in your sites and applications.

4. Mitigate the risk of data loss

Sometimes you can do everything right in your approach to security and still have something ugly happen — like have your data lost or held for ransom. That’s why there’s one important step you should take to mitigate the risk of data loss. Protect it. Implement a data protection strategy that not only includes a backup plan, but one that allows for easy recovery as well.

If criminals encrypt your files with ransomware, you’ll be able to eliminate the malware, then delete the encrypted files and restore them from a recent clean backup. The whole process can take as little as one hour, allowing you to get right back to business, and leaving the criminals empty-handed.

By taking these proactive steps to mitigate the security risks in your organisation, you’ll greatly reduce the probability of an attack and have the ability to remediate and quickly recover in the event of exposure. Being truly secure requires a lot more than just focusing on keeping the bad stuff out. Instead, learn how to mitigate the potential risks before they ever come your way.

Yahoo Hacker linked to Russian Intelligence Gets 5 Years in U.S. Prison

A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.

Karim Baratov (a.k.a. Karim Taloverov, a.k.a. Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.

Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to “hack webmail accounts of individuals of interest to the FSB,” Russia’s spy agency.

In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.

According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.

The Justice Department announced charges against all four in March last year, which resulted in Baratov’s arrest in Toronto at his Ancaster home and his subsequent extradition to the United States.

However, Belan—who is already on the FBI’s Most Wanted Hackers list—and both FSB officers currently reside in Russia, so they are unlikely to face consequences for their involvement.

Baratov ran an illegal no-questions-asked hacking service from 2010 until his arrest in March 2017, in which he charged customers around $100 to obtain another person’s webmail password by tricking the victim into entering their credentials on a fake password-reset page.

According to the court documents, Baratov managed to crack more than 11,000 email accounts in both Russia as well as the United States before the Toronto Police Department caught him.

As part of his plea, Baratov admitted to hacking thousands of individuals’ webmail accounts over seven years and sending those accounts’ passwords to Russian spy Dokuchaev in exchange for money.

The targeted attack allowed the four to gain direct access to Yahoo’s internal networks, and once in, co-defendant hacker Belan started poking around the network.

According to the FBI, Belan discovered two key assets:

  • Yahoo’s User Database (UDB) – a database containing personal information about all Yahoo users.
  • The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.

Belan then used the file transfer protocol (FTP) to download Yahoo’s UDB, which included password recovery emails and cryptographic values unique to each Yahoo account, eventually enabling Belan and Baratov to access specific accounts of interest to the Russian spies.