Majority of malvertising attacks are hosted on news and entertainment websites

With news and entertainment websites some of the most popular among internet users, it’s not hard to believe that they are also among the most popular for malvertising, according to a new report by Bromium Labs “Endpoint Exploitation Trends 1H 2015”.

The report highlights the current threat trends within the World Wide Web and has found that the most common attacks target the most popular environments.

“Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware – recently ransomware – preying on the most popular websites and commonly used software”

Key findings from “Endpoint Exploitation Trends 1H 2015” include:

News and Entertainment Websites Hotbed for Malvertising — More than 58 percent of malvertisements (online advertisements with hidden malware) were delivered through news websites (32 percent) and entertainment websites (26 percent); notable websites unknowingly hosting malvertising included,,, and

Attackers Targeting Flash — During the first six months of 2015, Flash experienced eight exploits, an increase of 60 percent since 2014, when there were five exploits. Most active exploit kits are now serving Flash exploits, potentially impacting a large number of Internet users, given the ubiquity of Adobe Flash.

Continuous Growth of Ransomware — In the first six months of 2015, nine new ransomware families emerged: CoinVault, TeslaCrypt, Cryptofortress, PClock, AlphaCrypt, El-Polocker, CoinVault 2.0, Locker and TOX; this is an 80 percent increase from 2014 and represents a significant growth in ransomware since 2013, when there were only two ransomware families: Cryptolocker and Cryptowall. Ransomware continues to grow, as cybercriminals realize it is a lucrative form of attack.

Malware Evasion Avoids Detection — Bromium Labs analyzed malware evasion technology and found it is rapidly evolving to bypass even the latest detection techniques deployed by organizations, including antivirus, host intrusion prevention systems (HIPS), honeypots, behavioral analysis, network filters and network intrusion detection systems (NIDS).

A PDF of the full report is available here:



UK and Singapore agree to increase cooperation in cyber security

Earlier this week, Prime Minister David Cameron announced that UK and Singapore have agreed to increase cooperation in cyber security:

Reacting to the announcement, Ian Shaw, managing director of MWR InfoSecurity said, “We fully support this announcement and, in fact, we are already active in the region, offering a range of cyber security services to Singaporean businesses and government agencies.”

“We think further cooperation, particularly the funding for research and development, is a tremendous step forward as the security of new technologies is vital for Singapore to meet its ambition to become a Smart Nation. In fact, over the last twelve months, we have been sharing our innovative research in Cyber Defence, Smart Energy and Smart City security.

“One of our Singapore based researchers, Yong Chuan Koh, recently offered insights to Microsoft Office sandboxing – the first in this space. His findings covered the Protected-View sandbox internals including its architecture, its initialisation sequence and the system resource restrictions.”

Speaking before presenting at ReCon Canada recently, MWR Singapore researcher Yong Chuan Koh said, “Criminals will always be looking for ways to fine-tune their code to slip past defences and, as the defenders, it’s our job to make sure they’re unsuccessful. A key part of this, I believe, is research.”

Matt Alderman, VP of Strategy at Tenable Network Security also commented on the announcement stating;

“Singapore’s commitment to security is evident with the creation of the Cyber Security Agency earlier this year. This agreement with the UK could have a very positive effect in cultivating new talent not only for the implementation of better security capabilities, but better response during security breaches. Singapore and the Asia Pacific region continue to feel the pressures of a shortage of information security professionals. By 2020, this shortage is predicted to be 1.5M. Cyber security talent development is a critical initiative and it’s great to see cooperation across regions.”




Every Threat is an Inside Threat

By TK Keanini, CTO, Lancope

While the cybersecurity industry is quick to put a label on things – Advanced Persistent Threat, Big Data Analytics and the ever-descriptive Internet of Things for example – many fail to grasp the similarities between the myriad of attacks that have taken place in recent years.

The reality is that most cyberattacks function like an inside threat. Attackers put a lot of focus on compromising the credentials and access privileges of legitimate organization insiders, and this is evident in the research surrounding data breaches.

The 2015 Verizon Data Breach Investigations Report revealed an increase in stolen credentials in point-of-sale intrusions:

“These are also not mere opportunistic attacks. Many incidents involved direct social engineering of store employees (often via a simple phone call) in order to trick them into providing the password needed for remote access to the POS.”

According to the cybersecurity consulting company Mandiant, 100 percent of breaches it has investigated involved stolen credentials.

Last year’s data breach at Target originated from credentials stolen from an HVAC subcontractor, and attackers who gained information about 56 million credit and debit cards from Home Depot last April did so with stolen credentials from a third-party vendor.

What is behind this shift in tactics?

Over the past few decades, organizations have been pumping billions of dollars into strengthening their perimeters and managing vulnerabilities. Meanwhile the rise of remote access and personal devices such as smartphones and tablets have broadened the threat surface and brought more sensitive data in contact with the internet.

Instead of focusing on breaching the perimeter, attackers have just shifted to compromising the human layer, which is more reachable now than ever before. In many organizations, employees have generous access privileges and the ability to log into the network remotely, which means attackers have more opportunities to utilize compromised credentials. Additionally, personal information about employees is also more accessible via social media sites like Facebook or LinkedIn, which gives attackers better insight into how to fool them.

Here’s a hypothetical scenario. An attacker has managed to track down an employee named Mark on social media. Mark likes to talk about his job and his favorite online poker site. The attacker sends Mark an email posing as a representative from the poker site with an attached brochure on new services, complete with malware. Mark opens the attachment without a second thought, and in a few days the malware sends keystroke information including his VPN login credentials back to the attacker.

Now Mark has effectively become an inside threat. Unfortunately, no matter how strong our castle walls are, users who appear legitimate are able to walk right through the front gate.

How do you catch an inside threat?

Since it is nearly impossible to stop a potential attacker at the gate, early detection is key. Fortunately for the defender, an attack isn’t over with the initial breach. The perpetrator still has to execute a number of steps before their goal is complete, and we can stop them at any point in this process.

The first thing an organization needs to catch a threat inside their network is visibility. If firewalls are armed guards at the gate, visibility is the security camera monitoring inside the building. Internal network traffic, access logs, policy violations and more need to be watched continuously for suspicious activity. Know what a regular day looks like on your network. Know how much traffic to expect, who is expected to access sensitive information and what applications are used in the day-to-day business operation. Anything that falls outside of those bounds should be investigated. Remember that compromised credentials will look legitimate until you isolate anomalous activity such as moving abnormally large amounts of data, repeated logins during non-business hours or remote access from unusual and faraway locations.

You want to be able to identify the following activities:

· Unauthorized access
· Violation of organization policies
· Internal reconnaissance
· Data hoarding
· Data loss

Data analytics can make a huge difference here. If an organization is large, it can be impossible to monitor network activity manually. Anything important is quickly drowned out by the plethora of other information. Using network telemetry, a good security analytics tool can help the relevant information rise to the top.
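The per-user baseline check described above, written out as an added example (it is not code from the article or from Lancope): each VPN session is compared with the same user's other sessions and flagged for the three indicators the text names, an off-hours login, a login from a location the user has never used, and a transfer far above that user's usual volume. The log records, field layout and business-hours window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample VPN log: (user, login time, source country, bytes sent out).
VPN_LOG = [
    ("mark", "2015-06-01T09:12:00", "US", 120_000_000),
    ("mark", "2015-06-02T08:55:00", "US", 95_000_000),
    ("mark", "2015-06-03T09:30:00", "US", 110_000_000),
    ("mark", "2015-06-04T10:05:00", "US", 130_000_000),
    ("mark", "2015-06-05T02:40:00", "RO", 4_800_000_000),
    ("dana", "2015-06-01T13:00:00", "US", 30_000_000),
    ("dana", "2015-06-02T12:45:00", "US", 28_000_000),
    ("dana", "2015-06-03T23:10:00", "US", 31_000_000),
]

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00 to 19:59 is a normal working day


def parse(record):
    user, ts, country, out_bytes = record
    return {"user": user, "time": datetime.fromisoformat(ts),
            "country": country, "bytes": out_bytes}


def score_event(event, peers):
    """Compare one session with the same user's other sessions (the baseline)."""
    reasons = []
    if event["time"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours login")
    if peers and event["country"] not in {p["country"] for p in peers}:
        reasons.append("login from unusual location")
    sizes = [p["bytes"] for p in peers]
    if sizes:
        avg, sd = mean(sizes), pstdev(sizes)
        # Require both a 3-sigma outlier AND at least double the usual volume,
        # so a near-constant baseline (sd close to 0) does not produce noise.
        if event["bytes"] > avg + 3 * sd and event["bytes"] > 2 * avg:
            reasons.append("abnormally large data transfer")
    return reasons


def find_anomalies(log):
    """Return the sessions that deviate from their own user's baseline."""
    events = [parse(r) for r in log]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for e in events:
        peers = [p for p in by_user[e["user"]] if p is not e]   # leave-one-out
        reasons = score_event(e, peers)
        if reasons:
            findings.append({"user": e["user"], "time": e["time"].isoformat(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(VPN_LOG):
        print(f["user"], f["time"], ", ".join(f["reasons"]))
```

On the sample log, only Mark's early-morning session from a new country with a 4.8 GB transfer and Dana's late-evening login surface; every other session stays inside its user's baseline.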

Secondly, keep an audit trail of network transactions for as long as is feasible. Once you detect the attacker on your network, the audit trail can be used to identify how the threat operated and what assets were compromised. It may also help the authorities pursue criminal charges against the attacker.

Lastly, don’t forget that these attackers thrive on compromising the human layer. You should train employees on best practices for using the internet and how to recognize social engineering tactics like phishing. Use network segmentation to limit the amount of sensitive data each user has access to, and monitor traffic from third-party contractors for possible compromised credentials.

As corporations expand in both number of employees and connected devices, it has become easier for cybercriminals to operate inside the network while appearing to be legitimate users. While this trend comes with a different set of challenges from other security concerns, organizations can protect themselves with the right tools and mindset. Early detection of these intruders can keep a security event from becoming the next big breach plastered across the evening news.



OpenSSH Vulnerability Leaves Popular Operating Systems and Devices at Risk

Francis Turner – VP Product Research and Security ThreatSTOP

A new vulnerability has been found in OpenSSH which is used by almost all Linux/BSD distributions, as well as many network infrastructure and security devices to allow “Secure Shell” or SSH connectivity for remote management. OpenSSH is not only utilized in open source systems, but is also commonly used in popular operating systems (OSs) such as Mac OS X, and Linux distributions including Ubuntu and Red Hat, as well as devices manufactured by IBM, HP, Sun, Cisco, Novell, Nokia, Juniper, Dell and many others.

SSH is typically used to log onto another computer over a network; execute commands on a remote computer or network device, such as a router or firewall; or securely transfer files from one computer to another over an encrypted channel or tunnel across the internet. SSH and the related SCP and SFTP services can use either a username and password for authentication, or a pre-shared key file to log in to a remote host. Typically the SSH service is set up to allow both types of access initially, and for internal connectivity across a local area network (LAN), both are commonly acceptable.

However, it has long been a recommended security policy for devices that are Internet accessible to disable the less secure username/password login capability once the required security keys have been created and configured, as third parties could gain access by simply brute-force guessing the password. Unfortunately, following this recommendation is not always possible; for example, shared systems such as multi-host servers that provide common services to multiple users and domains may be unable to require that all users have a key, as some Microsoft Windows SSH/SFTP tools do not support the use of keys.

The newly found vulnerability applies to any SSH device running the vulnerable versions of OpenSSH that allows user/password logins as opposed to shared keys. An initial review of the vulnerability indicates that it appears to be common across nearly every device that has not yet had password logins specifically disabled, because the OpenSSH code is very widely used and this bug appears to have been present for more than seven years.

The vulnerability allows an attacker to attempt many thousands of passwords for a user, instead of the default three to six attempts, before being blocked. What this means is that any vulnerable server or network device which allows user/password logins from the Internet can be remotely accessed if it has a known standard username (e.g. root or admin) and any even slightly popular password. Many networking devices are readily identified as such, and have “admin” as a standard username.
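The recommendation above, disabling username/password logins on Internet-facing hosts, is only effective if the setting actually takes. The following added example (not code from the article or from ThreatSTOP) audits an sshd_config for password-login settings and applies two rules of sshd's parser that routinely trip admins: the first value seen for a keyword wins, later duplicates are ignored, and anything after the first Match line is conditional rather than global. Both config fragments are constructed, and the defaults table is an assumption that should be checked against sshd_config(5) for the installed version.

```python
import re

# Constructed sshd_config fragments (not from the article). The first one
# looks hardened at the bottom but is not: sshd keeps the FIRST value it
# reads for a keyword, so the later "PasswordAuthentication no" is ignored.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# appended later by an admin, silently ignored by sshd:
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Assumed defaults for OpenSSH releases of that period; check sshd_config(5)
# for the version actually installed before relying on them.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
}


def parse_global_section(text):
    """Effective global settings, applying sshd's first-value-wins rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; key and value split on whitespace or '='.
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(\S.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after the first Match is conditional, not global
        settings.setdefault(key, value)  # later duplicates are ignored
    return settings


def audit(text):
    """Report the password-login settings the article recommends disabling."""
    eff = {**DEFAULTS, **parse_global_section(text)}
    findings = []
    if eff["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication is enabled")
    if eff["challengeresponseauthentication"].lower() == "yes":
        findings.append("ChallengeResponseAuthentication is enabled")
    if eff["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin allows password logins for root")
    if eff["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings
```

Note that MaxAuthTries is deliberately not treated as a mitigation here: the article's point is that the bug lets an attacker exceed that limit, so only removing password logins from exposed hosts closes the exposure.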

Organizations that have deployed a proactive security intelligence service are protected from the scanners that will be performing this attack. Any attempts by the attackers who are scanning organizations’ networks looking for vulnerable systems will be immediately reported to the vendor. Once reported, the IP address used to scan will be added to their database of known bad actors. All activity from that IP address—inbound and outbound communications—will be blocked going forward. This enables the vendor to protect an organization’s sensitive data by blocking any attempts at data exfiltration via the IP address and any domains or URLs that use the server or host with that IP address.

Security teams can also look up IPs that they suspect are being used for scanning at:



UCLA Health System cyber attack affecting 4.5 million patients

It has emerged this evening that UCLA Health System has been the victim of a criminal cyber attack affecting 4.5 million patients. The attackers accessed a computer network that contains personal and medical records.

Clinton Karr, senior security strategist, Bromium

“Healthcare information security is in critical condition. We have seen report after report of millions upon millions of records breached this year. According to the Department of Health and Human Services, more than 120 million people have been compromised in more than 1,110 separate breaches since 2009 – a third of the US population. These data breaches are symptomatic of a failure of healthcare organizations to invest in preventative measures, such as threat isolation.”

Gavin Reid, VP of threat intelligence, Lancope

“This is another in a long series of recently discovered compromises to medical institutions: Carefirst, Anthem, Bluecross and now the UCLA HS. At this point we probably have more breached medical databases than ones that haven’t been compromised. The problem is that no one wants to spend additional money – and at hospitals you better be spending that money on new medical equipment or something that saves lives. The hospitals have budgetary needs that impact directly on patient care and, let’s face it, real life-and-death situations (better staff, better equipment). The move from paper records in filing cabinets locked away in rooms to online accessible record keeping has been fueled by cost savings and by the increase in medical hardware/software that can take feeds of this data and update automatically. Hospitals have mass adopted online record keeping but haven’t seen themselves as a target like a bank. The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection and response.

1) Why is this growing?

Three reasons

Large-scale attacks on hospital patient records databases, along with areas that are doing medical research, can be an extremely valuable source of data for pharmaceutical and other medical research. Some medical offices have unique patient records & histories spanning years that could never be recreated and have a huge research value. Secondly, the patient records themselves often have very complete PII (Personal Identifying Information) sets that are easily used in more common data theft scenarios. The last and increasingly common one is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

2) What can be done to stop it?

The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection.

3) What can a consumer do to protect him/herself?

Limit who has your personal data when possible – share only with trusted providers that have a need to know. Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”



Offset Agreements: A Practical Guide

Toby Duthie, Partner, Forensic Risk Alliance & Lukas Bartusevicius, Business Development Analyst, Forensic Risk Alliance.

Offset agreements have played a major role in global defense procurement over the past few decades. Global defense budgets are growing rapidly, leading to fierce competition among suppliers and ever-greater scrutiny of government spending. In order to offset the cost of defense procurement and to source the most cost-effective deals available, buyer countries often require defense vendors to make additional investments in the country, often worth 50 to 100% of the value of the main contract. Agreed offset packages are very complex and secretive, and often have little to do with the vendor’s operations; taken together, this presents major risks to the vendor.

The unique nature of offset packages makes them difficult to compare – valuation of the offset performance is therefore tricky. Offset obligation value is expressed as a percentage of the main contract’s value, which is then processed by a government formula. This is usually a function of the expectations of the performance of the vendor in the prescribed offset package, which is then used to establish performance requirements. Upon successful completion of such arbitrarily prescribed tasks, vendors earn offset credits; once the required amount of offset credits is acquired, the offset is deemed complete.

Due to often complex and evolving requirements in unknown markets, as well as potentially biased expectations and arbitrary measurement, offset discharge becomes a difficult issue to manage. The issue is exacerbated by the fact that offset obligations often are a secondary consideration to the main contract, which may lead to so-called offset-gaps. To deal with management issues and to protect the main contract, vendors often commit significant resources to offset ventures but not always before the main contract has been awarded. However, lack of oversight and compliance measures bring about high third-party risk.

Since 2007, many governments have been cracking down on international corruption. It is estimated that $2.6 trillion is lost annually due to fraud, bribery and other corrupt practices. Government procurement is the most corrupted practice on the international level – according to the OECD, between 1999 and 2014, 57% of all bribes were paid to secure government procurement contracts. International anti-corruption regulations are very flexible when it comes to jurisdiction. The main legal tools – the U.S.’s Foreign Corrupt Practices Act, the UK’s Bribery Act and the obligations of the OECD’s Anti-Bribery Convention – cover the same corruption offences: bribery of a foreign official, commercial bribery, record-keeping and internal control violations, and failure of a commercial organization to prevent bribery. Each of these offences carries severe penalties, which is a significant factor as very often the guilty parties are not aware of the violations they are committing. Defense vendors therefore run a high risk of sanctions and fines, and prison sentences for individuals.

The offset industry is booming – which has both positive and negative effects. The highest risk for vendors is non-compliance, which can lead to both sanctions in multiple jurisdictions and the loss of the main contract. As offset deals are unique and non-comparable, a strategic business development approach is commonly applied, and internal compliance departments based in home countries are often left outside of the loop. Companies should follow the emerging best practice of strengthening their oversight of offset ventures during deal structuring (by thorough due diligence of the stakeholders involved, ensuring all transactions comply with all international regulations, and carrying out analysis of offset valuation); and during discharge (by auditing performance documentation, which is often in a foreign language and prepared in accordance with unknown accounting standards, monitoring credit claim procedures, and ensuring all internal controls, books and obligations are met). Furthermore, vendors should invest heavily in measures that pre-empt and prevent corruption, bribery, money laundering and fraud. Finally, and most importantly, it is vital to remember that in offsets, one size does not fit all – a flexible, tailored approach is of crucial importance.

Forensic Risk Alliance


Forensic Risk Alliance is an international firm of forensic investigators and accountants, data protection experts and eDiscovery specialists with offices in the US, UK, France and Switzerland. It helps businesses to resolve complex and high-risk financial, legal and regulatory challenges. Its people provide independent, conflict-free advice and litigation support services, often in the local language. FRA collects and analyzes data for use in legal disputes and investigations (often cross-border) in a number of areas, including litigation, fraud, bribery and corruption investigations. FRA is one of only ten companies in the world approved to carry out validation audits for the EITI (Extractive Industries Transparency Initiative), which evaluate how well a country’s government conforms to the EITI’s standards of transparency in reporting revenue received from the extraction of natural resources.