Reluctant Apple joins FIDO

It has emerged that Apple, one of the tech companies that appeared most resistant to the FIDO Alliance, has joined the biometrics and authentication standards body. Early FIDO board members include Google, Yubico and Microsoft, and the alliance was later joined by multiple chipmakers, financial institutions and other tech companies. Apple hasn’t actually announced that it joined the FIDO Alliance, but it is now listed as one of the 40 or so “board level members” on FIDO’s website.
Jake Moore, Cybersecurity Specialist at ESET:
“Strengthening the security of an account, whilst making it more convenient for the user, is a step in the right direction. As the private key is stored locally on the device, even if the website has suffered a data breach, the hackers would have no passwords to steal, minimising the risk of exposure online. People tend to struggle with the concept of cyber security so rendering it compulsory for them in a convenient way is the best way to add an extra layer of protection.”
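The property Moore describes (the website stores only a public key, so a breach of its user database yields nothing to replay) is easiest to see in code. The following is an added example, not code from the original page or from the FIDO Alliance: a hypothetical, deliberately minimal FIDO-style registration and login written in Go using only the standard library. The relying-party identifier, the digest construction and all type and function names are simplifications chosen for illustration; real WebAuthn signs authenticatorData together with a hash of clientDataJSON, which carry the same two values (challenge and site identity).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// Authenticator stands in for the user's device (phone, laptop, security key).
// The private key is generated here and never leaves this struct.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// ServerRecord is everything the website (the relying party) keeps for one user.
// There is no password and no private key in it, so a dump of these records
// gives an attacker nothing that can be replayed against the site.
type ServerRecord struct {
	User string
	Pub  *ecdsa.PublicKey
}

// Register runs once per device: the authenticator creates a P-256 key pair
// and hands only the public half to the server.
func Register(user string) (*Authenticator, ServerRecord, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, ServerRecord{}, err
	}
	return &Authenticator{priv: priv}, ServerRecord{User: user, Pub: &priv.PublicKey}, nil
}

// NewChallenge is issued by the server for each login attempt. Fresh randomness
// is what stops a captured assertion from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// assertionDigest binds the signed data to both the challenge and the site
// identity (rpID). Hypothetical simplified form: real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON), which carry the same values.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device's side of a login: it signs the challenge for the site
// the browser reports it is talking to.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(rpID, challenge))
}

// Verify is the server's side: check the signature with the stored public key
// against the challenge the server actually issued.
func Verify(rec ServerRecord, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rec.Pub, assertionDigest(rpID, challenge), sig)
}

func main() {
	auth, rec, err := Register("alice")
	if err != nil {
		log.Fatal(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		log.Fatal(err)
	}
	sig, err := auth.Sign("example.com", challenge)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("login at example.com accepted:", Verify(rec, "example.com", challenge, sig))
	// A phishing site cannot reuse the assertion: the site identity it presents does not match.
	fmt.Println("same assertion at phish.example accepted:", Verify(rec, "phish.example", challenge, sig))
	// Nor can anyone replay it against a later challenge.
	later, _ := NewChallenge()
	fmt.Println("replay against new challenge accepted:", Verify(rec, "example.com", later, sig))
	// What a breach of the server exposes: a public key only.
	fmt.Println("stored for", rec.User+": public key X =", hex.EncodeToString(rec.Pub.X.Bytes())[:16]+"...")
}
```

The two negative checks in main are the ones that matter operationally: a valid assertion is rejected both at a different site identity and against a different challenge, which is why a stolen server database or a phishing page cannot be turned into a login.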



RESEARCH: The Hole in the Bucket – Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

The Cybereason Nocturnus Research Team is following an active campaign to deliver multiple different types of malware and infect victims all over the world. Due to the unprecedented number of malware types deployed in this attack, the attackers are able to steal a wide variety of sensitive data, mine for Monero, and ultimately deploy ransomware. All of the payloads observed in this campaign originated from a code repository platform, Bitbucket, which was abused as part of the attackers’ delivery infrastructure.

Key points:

  • Abuses resource sharing platforms: The Cybereason Nocturnus team is investigating an ongoing campaign that abuses the Bitbucket infrastructure to store and distribute a large collection of different malware. The attackers aren’t satisfied with one payload; they want to use multiple to maximise their revenue.
  • Attacks from all sides: This campaign deploys seven different types of malware for a multi-pronged assault on businesses. It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and ultimately deploy ransomware.
  • Far Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.
  • Modular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.
  • Many kinds of malware: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of their activities.
  • Devastating impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organisations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.

This highlights an ongoing trend with cybercriminals, where they abuse legitimate online storage platforms like GitHub, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.
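Because the hosting platforms are legitimate and the repositories are rotated (the campaign above updates them as often as hourly), blocking by URL or repository name lags the attacker; a more durable triage signal is the combination of a code-hosting or file-sharing domain and a response that is a Windows executable. The following is an added example, not code from the original page or from Cybereason: a small Go scanner over constructed web-proxy records. The log format, the field positions, the IP addresses and the URLs are all invented for illustration; the domain list is the set of platforms named on the page.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// sampleLog is a constructed set of web-proxy records for this example, not real traffic.
// Fields: timestamp, client IP, method, URL, HTTP status, response Content-Type, bytes.
var sampleLog = []string{
	"2020-02-05T10:01:02Z 10.0.0.12 GET https://bitbucket.org/someuser/repo/downloads/update.exe 200 application/octet-stream 812345",
	"2020-02-05T10:01:05Z 10.0.0.12 GET https://bitbucket.org/someuser/repo/downloads/readme.txt 200 text/plain 1200",
	"2020-02-05T10:02:17Z 10.0.0.40 GET https://github.com/org/tool/releases/download/v1.2/tool.zip 200 application/zip 4500000",
	"2020-02-05T10:03:44Z 10.0.0.77 GET https://www.dropbox.com/s/abc123/invoice.scr?dl=1 200 application/x-msdownload 230000",
	"2020-02-05T10:04:00Z 10.0.0.12 GET https://example.com/static/app.js 200 application/javascript 30000",
}

// Hosting platforms the page names as abused for payload delivery. Suffix-matched so subdomains count.
var sharingHosts = []string{"bitbucket.org", "github.com", "githubusercontent.com", "dropbox.com", "drive.google.com"}

// Content types proxies commonly assign to Windows executables, plus extensions that
// are treated as executable regardless of the advertised type (octet-stream alone is too noisy).
var execTypes = map[string]bool{
	"application/x-msdownload":                      true,
	"application/x-dosexec":                         true,
	"application/x-msdos-program":                   true,
	"application/vnd.microsoft.portable-executable": true,
}
var execExts = map[string]bool{
	".exe": true, ".dll": true, ".scr": true, ".msi": true, ".bat": true,
	".cmd": true, ".ps1": true, ".vbs": true, ".hta": true,
}

// Hit is one log record worth an analyst's look.
type Hit struct {
	Client string
	URL    string
	Reason string
}

func isSharingHost(host string) bool {
	host = strings.ToLower(host)
	for _, d := range sharingHosts {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// looksExecutable reports why the response is treated as a Windows executable, or false.
func looksExecutable(u *url.URL, ctype string) (string, bool) {
	ctype = strings.ToLower(strings.TrimSpace(strings.Split(ctype, ";")[0]))
	ext := strings.ToLower(path.Ext(u.Path))
	switch {
	case execTypes[ctype]:
		return "content-type " + ctype, true
	case execExts[ext]:
		return "extension " + ext, true
	}
	return "", false
}

// ScanLog flags executable downloads served from code-hosting or file-sharing platforms.
func ScanLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 7 {
			continue // malformed record; a real pipeline would count and report these
		}
		client, rawURL, ctype := f[1], f[3], f[5]
		u, err := url.Parse(rawURL)
		if err != nil || !isSharingHost(u.Hostname()) {
			continue
		}
		if reason, ok := looksExecutable(u, ctype); ok {
			hits = append(hits, Hit{Client: client, URL: rawURL, Reason: reason})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(sampleLog) {
		fmt.Printf("%s fetched %s (%s)\n", h.Client, h.URL, h.Reason)
	}
}
```

Treat the output as a triage queue rather than a block rule: developers and build hosts legitimately pull release binaries from GitHub, so the hits are best enriched with whether the client is a developer machine, whether the same client then spawned the downloaded file, and how recently the hosting account was created.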



New PayPal phishing campaign tricks users to send over passport details- Comment

A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data, even going so far as to ask for social security numbers and uploaded photos of their passports. The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is an address that then redirects the browser to an attacker-owned landing page asking for a complete rundown of personal data.


Commenting on the news is Javvad Malik, security awareness advocate at KnowBe4:

We are seeing the criminals becoming more and more brazen in their attacks and methods. The key is to dupe someone into clicking on a phishing link; once that has happened, the criminal can ask for whatever they wish.

This is not uncommon, as we have seen this evolution in ransomware. Whereas previously ransomware only encrypted files, now criminals look to steal data and logins and as much information as possible.

Similarly, we could be seeing the emergence of a trend where phishing attacks will look to gather more and more information.

It is why organisations need to ensure staff receive effective and timely security awareness and training so that they can spot phishing emails and report them appropriately.




Metamorfo banking Trojan has expanded its campaign to target online users’ banking services- Comment

It has been reported that the Metamorfo banking Trojan has expanded its campaign to target online users’ banking services around the world, with the aim of stealing credit card information, finances and other personal details. Like many other hacking campaigns, Metamorfo begins with phishing emails that in this case claim to contain information about an invoice and invite the user to download a .ZIP file. By downloading and running the file, the victim allows Metamorfo to execute on a Windows machine.

Commenting on this, Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company, said “Banks and consumers are under continuous attacks by cybercriminals that will try to find any crack in defences to track and step in the middle between consumers and banks. While banks are employing various technologies to identify the true customer online, they just can’t protect them when hackers target consumers. Experts advise never to click on an attachment sent to you, but time and again cybercriminals come up with the most sophisticated method to trick the end user into clicking. From the moment a user receives the malicious email in their inbox, the clock is ticking – most users will click on links and provide their information, or open a malware infected document without thinking twice. Once they do, their credentials are immediately harvested for hackers to leverage or sell on the Dark Web. Educating end users is clearly not enough, nor is the deployment of technical countermeasures to protect end users.”



Translink report suspected IT hack to the police

As reported by the BBC, bus and train operator Translink has reported a suspected hack of its internal IT systems to the police. The firm confirmed it has reported an “incident” to the Police Service of Northern Ireland (PSNI) after experiencing difficulties with its internal IT systems. Bus and train services have not been affected, a spokesperson said.

Jake Moore, Cybersecurity Expert at ESET:

“I applaud organisations that report cyberattacks at the earliest opportunity, which in turn gives them the best chance of quicker recovery. Attacks such as ransomware are not legally required to be reported, as usually personal data isn’t compromised in this way, but holding your hands up will usually attract external expert support.

In the wake of the Travelex cyberattack, it has been proven that the reporting aspect of the situation is just as important as getting back to business as usual. Ransomware, although hugely impactful on a company, needn’t be embarrassing and we need to steer away from the stigma of damaging the brand or being further targeted. Cyberattacks are unfortunately inevitable but it’s the honesty from the start, including learning from what has happened, that will help put a company back on its feet with a stronger defence.”



Cisco Flaws Put Millions of Workplace Devices at Risk

As reported by Wired, researchers say that a crop of recently discovered flaws in Cisco enterprise products—like desk phones, web cameras, and network switches—could be exploited to penetrate deep into corporate networks. Because Cisco dominates the network equipment market, the bugs impact millions of devices.
All software has flaws, but embedded device issues are especially concerning given the potential for espionage and the inherent complexity of patching them. These particular vulnerabilities, found by the enterprise security firm Armis, can also break out of the “segmentation” IT managers use to silo different parts of a network, like a guest Wi-Fi, to cause widespread issues.
Jake Moore, Cybersecurity Expert at ESET:
“Cisco will always be targeted due to the huge numbers they operate on. However, the interesting aspect of this case is that these flaws could possibly be exploited by someone on the inside, which tends to be forgotten about in countless firms.
Usually automatic updates are the best way to protect against this type of threat, but so many of these devices do not allow auto updates and therefore become vulnerable very quickly even once a flaw is known. IT managers need to be aware of the risks and immediately update where possible before anyone is able to take advantage of this threat.”



NSPCC urges Facebook to stop encryption plans

As reported by the BBC, child-protection organisations say Facebook’s decision to strongly encrypt messages will give offenders a place to hide. The company is moving ahead with plans to implement the measure on Facebook Messenger and Instagram Direct. But more than 100 organisations, led by the NSPCC, have signed an open letter warning the plans will undermine efforts to catch abusers. They say Facebook has failed to address concerns about child safety.
Jake Moore, Cybersecurity Expert at ESET:
“Encryption is the backbone of the internet; without it, you lose all security. If you create a backdoor to encryption, you undermine the encryption entirely. There is an endless battle between law enforcement and the technology companies when it comes to encryption, but it is vital that we strike the correct balance. 
I think Facebook are right to secure their applications, which in fact protects users. Taking away encryption allows cyber criminals to view sensitive data, which creates more problems in the long run. You could also argue that if Facebook was to allow access to its messaging platforms, many users could simply move to other more privacy-focused applications.” 



Bug in Philips Smart Light Allows Hopping to Devices on the Network- Comment

It has been reported that security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IoT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x.

The good news is that the vulnerability has already been patched by Philips, and the fix was released on the 13th of January. Users who have automatic updates enabled on their bridges have already got the patch applied. Those who have not enabled automatic updates, or are unsure if they have, should check their status on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn the automatic updates on as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.”



The UK Gov law outlines will provide a necessary first-step in enhancing IoT device security

The UK Government has unveiled new regulatory proposals for the consumer Internet of Things (IoT), forcing the IoT ecosystem to take a more rigorous and conscious approach to cybersecurity. With an estimated 75 billion internet-connected devices forecast worldwide by 2025, IoT is becoming an integral part of our lives, and with it come increased security risks.

Whilst the proposed law outlines requirements for unique passwords that cannot be reset to a universal factory default, a public point of contact for vulnerability reporting, and a minimum period during which devices will receive security updates, Paul Farrington, CTO of EMEA at Veracode, believes that, because manufacturers are among the worst offenders when it comes to fixing flaws, the proposal should be extended to ensure they build software security in at the early stages.


Paul Farrington, CTO of EMEA at Veracode:

“The outcome of the consultation will provide a necessary first-step in enhancing IoT device security. The Government has attempted to balance the needs of industry with those of users. Removing default passwords, coordinating vulnerability reporting and bringing clarity to technical support coverage is progress. These measures do fall well short of what is necessary to protect users. Research shows that manufacturing is one of the worst sectors at dealing with security bugs. 83% of software apps have at least one security issue. On average, firms take 171 days to fix a security defect. Improving ways for people to report problems is really a bare minimum. What we really need is a way for IoT device manufacturers to evidence how they are building security into the process, at the earliest stages. The toy industry has had to do something similar around safety-testing for decades. The Government will need to revisit IoT security legislation again before too long.”



CEOs are deleting their social media accounts to protect against cyber attacks- Comments

Professional services firm PwC surveyed over 1,600 CEOs from around the world and found that cyber attacks have become the most feared threat for large organisations – and that many have taken actions around their personal use of technology to help protect against hackers.

A total of 80 per cent of those surveyed listed cyber threats as the biggest threat to their business, making it the thing that most CEOs are worried about, ahead of skills (79 per cent) and the speed of technological change (75 per cent).

48 per cent of CEOs surveyed said the risk of cyber attacks had caused them to alter their own personal digital behaviour, such as deleting social media accounts or virtual assistant applications, or requesting that a company delete their data.


Saryu Nayyar, CEO of Gurucul comments:

“The fact that CEOs are becoming more aware of the danger of cyberattacks is encouraging. With the staggering costs that data breaches have incurred – lost money, lost reputation, lost jobs – cybersecurity is now a big enough issue to be elevated to the c-suite and the boardroom. It can no longer be ignored or relegated to second tier status or dropped into the laps of low level employees. Defining and implementing an effective cybersecurity program starts at the very top. The CEOs who recognise this will be rewarded by staying out of the data breach headlines.”