Security News

On Monday, March 12, Google urged webmasters to replace Symantec digital certificates that Chrome will soon distrust; Tenable launched its Lumin cyber-exposure benchmarking platform; worldwide server market revenue rose 25 percent in the fourth quarter of 2017; and Druva and Wipro joined forces to offer data management as a service for mobile devices.

Starting with the April 17 release of Google’s Chrome 66 browser, Chrome will flag as unsafe all SSL/TLS certificates that Symantec issued prior to June 1, 2016, including those issued under Symantec-owned brands such as VeriSign, Thawte and Equifax. Users attempting to navigate to these sites will receive a prominent error message warning them that their connection is not secure or private, along with a button offering to take them “Back to safety.”

Google has already released an early version of Chrome 66, the so-called First Canary build, and will release the first beta of Chrome 66 on March 15. After that date, beta users who visit sites still serving the affected certificates will start seeing these failures.

Starting with Chrome 70, websites using SSL/TLS certificates that Symantec’s legacy infrastructure issued on or after June 1, 2016, will be affected in the same way, so that no certificate from that infrastructure remains trusted. Google will release the First Canary of Chrome 70 on July 20.
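As an added example (not code from the eWEEK article or from Google), the following Go program classifies a certificate against the two-phase distrust schedule above. The brand-name list and the name-based issuer match are simplifications made for illustration: Chrome itself identified the legacy roots by the hashes of their public keys, and certificates issued under the same brand names from December 1, 2017 onward came from DigiCert’s infrastructure and are not affected, so a real audit should check the chain against the actual legacy root keys or simply load the site in a Chrome 66 or 70 beta. The certificates the program checks are generated in the program itself; they are not real Symantec certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// chrome66Cutoff is the issuance date that splits the two distrust phases:
// legacy certificates with NotBefore earlier than this fail in Chrome 66,
// the remaining legacy certificates fail in Chrome 70.
var chrome66Cutoff = time.Date(2016, time.June, 1, 0, 0, 0, 0, time.UTC)

// legacyBrands are issuer organization names treated as Symantec's legacy
// PKI. Matching on names is an assumption for illustration only; Chrome
// matched the legacy roots by the hash of their public keys.
var legacyBrands = []string{"symantec", "verisign", "thawte", "equifax"}

// IsLegacySymantecIssuer reports whether any issuer organization name
// contains one of the legacy brand names (case-insensitive).
func IsLegacySymantecIssuer(cert *x509.Certificate) bool {
	for _, org := range cert.Issuer.Organization {
		lower := strings.ToLower(org)
		for _, brand := range legacyBrands {
			if strings.Contains(lower, brand) {
				return true
			}
		}
	}
	return false
}

// DistrustingChromeVersion returns the first Chrome release that rejects the
// certificate under the schedule above: 66 for legacy certificates issued
// before 1 June 2016, 70 for other legacy certificates, 0 if unaffected.
func DistrustingChromeVersion(cert *x509.Certificate) int {
	if !IsLegacySymantecIssuer(cert) {
		return 0
	}
	if cert.NotBefore.Before(chrome66Cutoff) {
		return 66
	}
	return 70
}

// newSelfSigned builds a throwaway self-signed certificate whose issuer
// organization and NotBefore we control, so the checker runs offline on
// constructed data rather than on a real Symantec-issued certificate.
func newSelfSigned(org string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "www.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Classify is the convenience entry point: issuer organization plus issuance
// date in, distrusting Chrome version out (0 means unaffected).
func Classify(org string, notBefore time.Time) (int, error) {
	cert, err := newSelfSigned(org, notBefore)
	if err != nil {
		return 0, err
	}
	return DistrustingChromeVersion(cert), nil
}

func main() {
	cases := []struct {
		org  string
		when time.Time
	}{
		{"VeriSign, Inc.", time.Date(2015, time.March, 1, 0, 0, 0, 0, time.UTC)},
		{"Symantec Corporation", time.Date(2017, time.January, 15, 0, 0, 0, 0, time.UTC)},
		{"Let's Encrypt", time.Date(2018, time.February, 1, 0, 0, 0, 0, time.UTC)},
	}
	for _, c := range cases {
		v, err := Classify(c.org, c.when)
		if err != nil {
			panic(err)
		}
		if v == 0 {
			fmt.Printf("%-22s issued %s: unaffected\n", c.org, c.when.Format("2006-01-02"))
		} else {
			fmt.Printf("%-22s issued %s: distrusted from Chrome %d\n", c.org, c.when.Format("2006-01-02"), v)
		}
	}
}
```

Run it with `go run main.go`; the three constructed cases come out as Chrome 66, Chrome 70 and unaffected respectively. To check a live site, replace the generated certificate with the leaf returned by `tls.Dial` and pass it straight to `DistrustingChromeVersion`.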

Cyber-security vendor Tenable on March 8 announced Lumin, a cyber-exposure benchmarking service that helps organizations better understand their overall risk profile.

Lumin is part of the tenable.io software-as-a-service platform launched in January 2017, which provides security scanning and vulnerability management capabilities.

Renaud Deraison, CTO and co-founder of Tenable, said that Lumin imports data from multiple third-party sources outside of Tenable, including Qualys and ServiceNow, and merges all the scan results with threat data to see which vulnerabilities are actually being exploited. Lumin ranks detected vulnerabilities so that the most impactful issues can be prioritized and remediated first.

According to Gartner, large IT suppliers operating hyperscale data centers are buying more and more servers. Worldwide server revenue increased by 25.7 percent in the fourth quarter of 2017, while shipments grew 8.8 percent year over year.

Overall in 2017, worldwide server shipments grew 3.1 percent and server revenue increased 10.4 percent compared to 2016. Dell EMC ended the year in the No. 1 spot in server revenue with 19.4 percent market share, followed closely by Hewlett Packard Enterprise with 19.3 percent. Dell EMC grew 39.9 percent in the fourth quarter, while HPE grew 5.5 percent.

Dell EMC also maintained the No. 1 position in server shipments in the fourth quarter of 2017 with 18.2 percent market share. Despite a decline of 12.8 percent in server shipments in the fourth quarter, HPE was still second with 13.8 percent of the market.

As of March 7, global consultancy and software developer Wipro and edge-device data management provider Druva are partnering to provide data management as a service for Wipro’s LiVE Workspace suite of enterprise administrative tools. Along with Druva’s longtime service for Windows devices, this deal brings the service to Apple devices.

LiVE Workspace provides enterprises with what it calls an “anywhere, anytime, any device” digital workplace. This enables companies to offer their employees a choice when deciding which tools empower them to be more productive.

Through this service, companies can more effectively enhance data protection and management while at the same time providing a better IT experience to employees.

 

The information contained in this website is for general information purposes only. The information is provided by eWEEK and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Whether your company is a mid-sized family-owned enterprise or a Fortune 500 entity, likely most of your board directors don’t have backgrounds in cybersecurity.

Most top corporate leaders, including many CIOs, don’t either.

Given that reality, how can a company proactively mitigate cybersecurity risks?

I recently sat down with David Ross, a principal with Baker Tilly specializing in cybersecurity, to talk about some of the steps and strategies companies can employ. Here are some of the thoughts he shared.

1) Educate your board
Boards need to understand the potential risks and how to establish proactive policies that will provide guidance and structure should a breach happen. Cyberattacks are a very real risk, and every board member must understand his or her fiduciary duty to provide oversight regarding risks.

Even if a board has a cybersecurity expert as a director, engaging with an outside consultant can be advantageous. The world of cybersecurity is changing all the time, making multiple perspectives vitally important to understanding and anticipating new threats.

2) Assess company needs and structure
The board, along with the CEO, chief risk officer, general counsel or chief information officer, should decide how to address and staff cybersecurity inside the company. The first decision to be made is if internal resources are needed or if the company should use an outside consulting firm.

Outside resources are a great solution if the company is small or has low risk. In situations like these, it doesn’t make sense to have an expert on staff 365 days per year.

Hiring an on-staff expert usually depends on two intertwined factors: the company’s revenue (the more revenue, the more risk) and how much technology and data are integrated into the company. Ross identified a benchmark for hiring as being approximately $1.5 billion in revenue. However, the revenue threshold might be significantly lower for a technology and data-driven company.

Also, some companies in highly-regulated industries, such as financial services and health care, are required by law to hire a chief information security officer.

3) Understand benefits of engaging a cybersecurity consultant
A consultant can conduct an ethical hack to review the organization for potential risks, allowing the board to confront exactly what must be done.

Engaging a consulting firm doesn’t have to be a major commitment for an organization. For example, a consulting firm can be retained to attend two board meetings per year for advisement and reporting purposes, but an agreement also can spell out the chargeable rates in advance if additional consulting is needed, such as cyber-review and due diligence of a potential acquisition. While the agreement will not bind the board to using the consulting firm if something happens, it does define the costs.

Working through the agreement with the consulting firm and engaging them to do some preliminary board education and risk testing helps the consulting firm learn about the company and what is important to them. This kind of retained consulting service will cost between $30,000 and $120,000 depending on the size of the company and the complexity of its data. When compared to the cost of an outside retained attorney, the value becomes clear and the investment makes sense.

When interviewing consulting firms, you’ll want to assess the firm’s ability to train your staff, solve security issues through in-house software development, and the service team’s range and depth of experience. It’s important these items align with your company’s needs.

4) Determine if in-house cybersecurity expertise is needed
If it’s decided having an expert on staff will be beneficial, a company must consider what kind of expert to hire. There are operational experts who, among other duties, guard data by handling password assignments, software obsolescence and transfer of data when an employee leaves. There also are strategic experts who address the strategic side of technology and work to proactively mitigate risks.

Most companies mistakenly combine these two roles. To find candidates with the right background and skill sets, an appropriate job description is key. Especially when hiring for the position for the first time, it can be advantageous to partner with an executive search firm or cybersecurity consulting firm to help craft an appropriate job description.

5) Determine reporting structure
In order to establish effective internal controls, it’s often best to have the cybersecurity leader report to the CEO, risk officer or general counsel. Similar to how the internal audit leader does not report to the CFO, it’s often best to have the cybersecurity leader report to someone other than the chief information officer in order to safeguard data and assets.

6) Set a hiring strategy
With essentially 0 percent unemployment in the information technology sector, security skill sets are scarce. This makes it critical to rethink recruitment and retention methods for this type of a role.

Accelerating hiring times by using an executive search firm, training from within, filling skills gaps with consulting experts, and offering attractive compensation can help you hire — and keep — the best and brightest for your organization.

The cybersecurity landscape is continually evolving, creating a competitive hiring market for professionals with strong cybersecurity backgrounds and skills. This perpetual change — and threat of cyberattacks — can make companies and boards of directors unsure how to proceed with implementing a cybersecurity strategy.

However, companies without cybersecurity leadership will need to decide what level of expertise and support is necessary to protect their assets, customers and employees, or face the possibility of a potentially catastrophic cyberattack.

 

The information contained in this website is for general information purposes only. The information is provided by nationalcybersecurity and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

 

 

According to new data by TrendMicro, attackers utilising the Emotet banking Trojan predominantly used internet providers located in the U.S.A. to host their Command & Control infrastructure.

In a recent blog post, TrendMicro states that the United States hosts the largest share of Emotet C2 infrastructure, 45%, much of it on Comcast’s network, followed by Mexico and Canada. The top three ASNs used to host the C2 servers are 7922 (Comcast Cable), 8151 (Telmex) and 22773 (Cox Communications). This infrastructure was determined by actively tracking Emotet across nearly 15 thousand artifacts collected between June and September 2018.

Top Countries hosting Emotet C&C servers

 

Emotet uses RSA certificates to protect its communication, and analysis of Emotet malware samples showed that a single sample contains on average 39 different C2 addresses. Each C2 uses one of six RSA certificates, and by tracking the samples and the certificate each C2 used, TrendMicro was able to split the six certificates into two groups of three.

These two groups indicate two separate C2 infrastructures operating in parallel. TrendMicro states that this makes it “more difficult to track Emotet and minimize the possibility of failure“. Correlating known campaigns against the two infrastructure groups shows a clear distinction between them and indicates differing agendas, possibly under the control of different operators.
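The split into two certificate groups can be reproduced from sample telemetry with a co-occurrence check: if one binary carries C2 addresses tied to two different RSA keys, those keys belong to the same infrastructure, and the groups are the connected components of that relation. The Go program below is an added example, not Trend Micro’s code or data. It runs union-find over a constructed set of four samples and also computes each ASN’s share of distinct C2 addresses, the figure behind the country ranking above. The addresses, ASN assignments and key IDs are made up (the ASNs are the three named in the post; the addresses come from documentation ranges), and the ASN lookup for each address is assumed to have been done beforehand.

```go
package main

import (
	"fmt"
	"sort"
)

// C2 is one command-and-control endpoint carved out of an Emotet sample,
// tagged with the RSA key the sample pairs with that endpoint and the ASN
// the address maps to (the ASN lookup is assumed to have been done already).
type C2 struct {
	Addr  string
	ASN   int
	KeyID string
}

// Sample is the C2 list extracted from one Emotet binary.
type Sample struct {
	Hash string
	C2s  []C2
}

// sampleData is constructed test data, not Trend Micro's telemetry. Keys
// rsa-1..rsa-3 only ever co-occur with each other, as do rsa-4..rsa-6.
var sampleData = []Sample{
	{Hash: "sample-A", C2s: []C2{{"198.51.100.10:8080", 7922, "rsa-1"}, {"198.51.100.11:443", 7922, "rsa-2"}}},
	{Hash: "sample-B", C2s: []C2{{"203.0.113.5:7080", 8151, "rsa-2"}, {"203.0.113.6:8080", 22773, "rsa-3"}}},
	{Hash: "sample-C", C2s: []C2{{"192.0.2.20:443", 7922, "rsa-4"}, {"192.0.2.21:8080", 8151, "rsa-5"}}},
	{Hash: "sample-D", C2s: []C2{{"192.0.2.22:80", 7922, "rsa-5"}, {"192.0.2.23:443", 7922, "rsa-6"}}},
}

// GroupKeys clusters RSA key IDs into separate infrastructures: two keys land
// in the same group when at least one sample carries C2s for both. This is
// connected components over the co-occurrence graph, done with union-find.
func GroupKeys(samples []Sample) [][]string {
	parent := map[string]string{}
	var find func(string) string
	find = func(k string) string {
		if parent[k] != k {
			parent[k] = find(parent[k]) // path compression
		}
		return parent[k]
	}
	for _, s := range samples {
		if len(s.C2s) == 0 {
			continue
		}
		for _, c := range s.C2s {
			if _, seen := parent[c.KeyID]; !seen {
				parent[c.KeyID] = c.KeyID
			}
		}
		// Every key in a sample is linked to the sample's first key.
		for _, c := range s.C2s[1:] {
			parent[find(c.KeyID)] = find(s.C2s[0].KeyID)
		}
	}
	byRoot := map[string][]string{}
	for k := range parent {
		r := find(k)
		byRoot[r] = append(byRoot[r], k)
	}
	groups := make([][]string, 0, len(byRoot))
	for _, g := range byRoot {
		sort.Strings(g)
		groups = append(groups, g)
	}
	sort.Slice(groups, func(i, j int) bool { return groups[i][0] < groups[j][0] })
	return groups
}

// ASNShare returns, per ASN, the percentage of distinct C2 addresses hosted
// there. Addresses repeated across samples are counted once.
func ASNShare(samples []Sample) map[int]float64 {
	asnOf := map[string]int{}
	for _, s := range samples {
		for _, c := range s.C2s {
			asnOf[c.Addr] = c.ASN
		}
	}
	counts := map[int]int{}
	for _, asn := range asnOf {
		counts[asn]++
	}
	share := map[int]float64{}
	for asn, n := range counts {
		share[asn] = 100 * float64(n) / float64(len(asnOf))
	}
	return share
}

func main() {
	for i, g := range GroupKeys(sampleData) {
		fmt.Printf("infrastructure %d: %v\n", i+1, g)
	}
	for asn, pct := range ASNShare(sampleData) {
		fmt.Printf("AS%d hosts %.1f%% of C2 addresses\n", asn, pct)
	}
}
```

On the constructed data the program reports two infrastructures, {rsa-1, rsa-2, rsa-3} and {rsa-4, rsa-5, rsa-6}, with AS7922 hosting 62.5% of the distinct C2 addresses. Real telemetry would be fed in the same shape, one `Sample` per binary; the grouping does not depend on the number of keys, so it also works if a later Emotet build rotates to more than six.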

The research also reviews compilation timestamps to hypothesize that the author may operate in UTC+10, which would place them in eastern Russia or eastern Australia. However, TrendMicro admits this is speculation, since at least three separate machines with varying time zone settings are used for packaging. Threat actors are also known to change their locale and time zone settings to confuse reverse engineers.

While much of the world is impacted by Emotet, Europe and the United States have been hit hardest. It is notable that the infrastructure used by Emotet sits in the same regions as its victims, which further indicates that these regions are well connected and offer cheap hosting as well as easily compromised nodes.

 

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Earlier this year, Microsoft acquired popular code repository hosting service GitHub for $7.5 billion, and now IBM has just announced the biggest open-source business deal ever.

IBM today confirmed that it would be acquiring open source Linux firm Red Hat for $190 per share in cash, working out to a total value of approximately $34 billion.

Red Hat, known for its Red Hat Enterprise Linux (RHEL) operating system, is a leading software company that offers open-source software products to the enterprise community. Even Oracle uses Red Hat’s source code for its Oracle Linux product.

Red Hat’s revenue last year was $2.4 billion, and this year the company has earned $2.9 billion. But if Red Hat products are open source and updates are free, you might be wondering how the company makes money.

Red Hat was one of the first companies to find a successful way to make money from free open-source software: it sells subscriptions for supported, certified builds of that software and offers consulting services, including assessments, implementations, platform migrations, solution integration, and application development.

IBM Acquires Red Hat to Target Cloud Computing Giants

Like other big tech companies, IBM has also been a major supporter of Linux and contributor to the kernel and other open source projects, but the company has been left behind Amazon, Alphabet (Google) and Microsoft when it comes to cloud computing.

The acquisition will help IBM expand its reach as an enterprise cloud computing provider.

“The acquisition of Red Hat is a game-changer. It changes everything about the cloud market,” Ginni Rometty, IBM Chairman, President, and Chief Executive Officer said in a statement.

“IBM will become the world’s #1 hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses.”

IBM: Red Hat Will Remain Independent Unit

It is worth noting that Red Hat will continue to be led by Red Hat CEO Jim Whitehurst and Red Hat’s current management team, as before. IBM intends to maintain Red Hat’s headquarters, facilities, brands, and practices.

“Importantly, Red Hat is still Red Hat. When the transaction closes, as I noted above, we will be a distinct unit within IBM, and I will report directly to IBM CEO Ginni Rometty. Our unwavering commitment to open source innovation remains unchanged,” said James M. Whitehurst, CEO at Red Hat.

“The independence IBM has committed to will allow Red Hat to continue building the broad ecosystem that enables customer choice and has been integral to open source’s success in the enterprise.”

According to IBM, the deal between IBM and Red Hat has already been approved by both of the companies’ boards of directors, but it is still subject to Red Hat shareholder and regulatory approvals.

If all goes as planned, the acquisition deal is expected to close in the second half of 2019.

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

The Necurs botnet, a large and well-known spam originator, has become synonymous with cybercrime. Its spam-sending capabilities, through a botnet of a few million infected devices, are frequently dedicated to vast campaigns that deliver banking malware, cryptojacking malware, ransomware and a variety of email scams sent to millions of recipients in each run.

IBM X-Force monitors Necurs activity and recently discovered yet another face of this malspam volcano. This time, Necurs is spewing geotargeted emails designed to threaten and extort payment from those who may have been watching adult movies or possibly having an extramarital affair.

Of course, this spam campaign is yet another wide net cast by Necurs, and the attackers have no idea whether the person they reached actually does any of these activities, but the odds appear to pay off anyway. Like other phishing and social engineering scams, it is often a numbers game.

Over 30,000 IPs Spewing an Extortion Scam

In Necurs spam campaigns that started around mid-September, X-Force detected millions of emails sent to recipients in different countries, essentially from the same set of malicious IPs and with similar content.

The emails came from over 30,000 different IP addresses, 70 percent of which were dynamic IPs. The attackers demanded that victims pay in bitcoin to one of more than 500 unique wallets. The campaign came in typical spikes of activity, more marked midweek and then over the weekend.

All of Necurs’ cybercrime campaigns are linked with well-known cybercrime gangs, such as the operators of the Dridex malware, TrickBot, Locky and Monero miners, to name a few. But in this case, the scammers don’t have much more than a creative email they send around, and then they wait for the cash to come in. All they’re using here is social engineering.

Email content examined by X-Force researchers revealed a number of repeating formats in which the sender falsely claimed to have malware-based control of the recipient’s email accounts and computer. The attackers went on to allege that they had infected adult sites with tracking malware and filmed the victim through his or her webcam while watching content on a supposedly compromised site.

To keep the matter secret, the senders demanded that money be sent to them in bitcoin, asking for an amount between $250 to $550. If they were not paid, the attackers threatened to distribute the supposed video recording to the victim’s contact list, family, co-workers and friends.

In another version of the scam, the attackers claim they have knowledge about an extramarital affair the recipient is engaged in and threaten to send supposed proof of the affair to the victim’s spouse, family, friends and co-workers.

In all cases, the sender has no control of the recipient’s device or webcam, and the entire ploy is a sham. But to make the recipient believe otherwise, the spammers added a twist: the “From” header field carries the same address as the “To” header field, which appears to confirm that the blackmailer has access to the victim’s accounts or computer. The envelope sender and recipient (“SMTP-From” and “SMTP-To”) are set to that same address as well. None of this requires access to the victim’s account: SMTP does not authenticate the From header, so any sender can put the recipient’s own address there unless the recipient’s domain publishes and enforces SPF, DKIM and DMARC.

How Necurs Tailors Its Spam to Recipients’ Local Language

This time, unlike previous campaigns, Necurs is spreading spam in different languages. To deliver the message in the correct language, emails are sent according to the top-level domain (TLD) of the recipient’s email address. So if the domain is .co.uk, for example, the email will be sent in English, and if the domain is .fr, it will be sent in French.

While the campaign included versions of this scam in seven different languages, the overwhelming majority of emails were sent in German and ended up in X-Force spam honeypots when recipient email addresses had a .de or .ch TLD.
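The self-addressed header trick described above and the TLD-based language selection can be turned into a simple mail-triage check. The Go program below is an added example, not X-Force’s code: it parses a constructed message, compares the From and To addresses, compares both with the SMTP envelope addresses (which the receiving MTA knows but which are not part of the message headers, so they are passed in separately), derives the expected language from the recipient’s TLD using the mapping the article gives (anything unmapped falls back to English, an assumption), and pulls bitcoin wallets out of the body with a syntactic regex that does not validate the address checksum. The sample address, subject and wallet are made up.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// SampleRaw is a constructed message in the shape the article describes:
// the same address in From and To and a bitcoin demand in the body. The
// recipient and the wallet are made up; the wallet is syntactically
// plausible only and would not pass a checksum check.
const SampleRaw = `From: victim@example.de
To: victim@example.de
Subject: Ihr Konto wurde gehackt
Content-Type: text/plain; charset=utf-8

Ich habe Ihr Geraet infiziert und Sie ueber die Webcam gefilmt.
Senden Sie 0.5 BTC an 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab innerhalb von 48 Stunden.
`

// btcRe matches the legacy base58 bitcoin address format (P2PKH/P2SH): a
// leading 1 or 3 followed by 25..34 base58 characters (no 0, O, I or l).
// It is a syntactic filter only; it does not verify the checksum.
var btcRe = regexp.MustCompile(`\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b`)

// tldLanguage maps the recipient's TLD to the language the campaign used,
// following the mapping given in the article. The longer .co.uk suffix is
// listed first so it is matched before a bare country code would be.
var tldLanguage = []struct{ suffix, lang string }{
	{".co.uk", "English"}, {".fr", "French"}, {".de", "German"}, {".ch", "German"},
}

// Verdict collects the indicators the article describes for one message.
type Verdict struct {
	SelfAddressed   bool     // header From == header To
	EnvelopeMatches bool     // MAIL FROM and RCPT TO both equal header From
	Language        string   // language expected from the recipient's TLD
	BTCAddresses    []string // wallets extracted from the body
}

// Suspicious is the detection rule: a self-addressed mail carrying a wallet.
func (v Verdict) Suspicious() bool {
	return v.SelfAddressed && len(v.BTCAddresses) > 0
}

// languageForTLD picks the campaign language from the address's domain;
// English is the fallback for unmapped TLDs (an assumption, not from the article).
func languageForTLD(addr string) string {
	domain := strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
	for _, m := range tldLanguage {
		if strings.HasSuffix(domain, m.suffix) {
			return m.lang
		}
	}
	return "English"
}

// Analyze parses a raw RFC 5322 message plus the SMTP envelope addresses
// and returns the indicators described in the article.
func Analyze(raw, envFrom, envTo string) (Verdict, error) {
	var v Verdict
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return v, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return v, err
	}
	to, err := mail.ParseAddress(msg.Header.Get("To"))
	if err != nil {
		return v, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return v, err
	}
	v.SelfAddressed = strings.EqualFold(from.Address, to.Address)
	v.EnvelopeMatches = strings.EqualFold(envFrom, from.Address) && strings.EqualFold(envTo, from.Address)
	v.Language = languageForTLD(to.Address)
	v.BTCAddresses = btcRe.FindAllString(string(body), -1)
	return v, nil
}

func main() {
	v, err := Analyze(SampleRaw, "victim@example.de", "victim@example.de")
	if err != nil {
		panic(err)
	}
	fmt.Printf("self-addressed=%v envelope-matches=%v language=%s wallets=%v suspicious=%v\n",
		v.SelfAddressed, v.EnvelopeMatches, v.Language, v.BTCAddresses, v.Suspicious())
}
```

In a real mail pipeline the strongest signal to add alongside this is the authentication result: a message whose From is the recipient’s own domain but which fails that domain’s SPF, DKIM or DMARC checks was not sent from the recipient’s account, whatever the headers claim. The extracted wallets are also what lets a defender do the balance lookups described later in the article.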

Languages touched by this campaign so far include:

  • Arabic;
  • English;
  • French;
  • German;
  • Italian;
  • Japanese; and
  • Korean.

The researchers were somewhat surprised to see Arabic, Japanese and Korean on the list, since those languages are harder to machine-translate and are rarely targeted by international crooks.

The French email was written by someone who is likely a French speaker, and not translated online like the English version, for example. It could be indicative of some of those involved originating in Europe and possibly collaborating with counterparts in other parts of the world.

Victims Pay Up in Bits

It is unusual to be able to judge the success of a spam campaign from the outside. Security researchers rarely have access to metrics of how many people opened a malicious email, how many went to the phishing site or how many ended up paying the criminals. In this case, however, there is a way to get a general idea because the attackers used bitcoin wallet addresses.

In all, X-Force saw 500 bitcoin addresses used in this campaign; however, most emails indicated the same few wallets while others were rarely used. It was therefore possible to look up the miscreants’ financial profits via services such as BitRef that enable researchers to check bitcoin wallet balances. While we did not check every wallet, we did want to see if the attackers were getting any money.

We spot-checked the top 20 bitcoin addresses used in the campaign. As an example, one of the addresses that appeared in over 3 million email messages sent to German recipients amassed 0.52 BTC, which was equal to about $3,300 as of September 20, 2018. That wallet never got any more money and stopped receiving coins on September 19.

The amount of bitcoin contained in only the 20 main wallets totals about $50,000. Some wallets are still actively receiving coins. Most wallets show some withdrawals of the coins, bringing them to zero, which means the attackers have been removing the coins to another wallet or cashing them out.

Phishing Is Phishing — Don’t Take the Bait

October is National Cyber Security Awareness Month (NCSAM) in the U.S., making it a great opportunity to remind employees, family and friends to polish up on some information security basics, especially those related to email.

Put simply, you should always avoid opening unsolicited email. This can minimize the opportunity to fall for a social engineering scam. These communications are carefully crafted to lure people to take action, especially if they trigger an emotional reaction such as fear, urgency or, in this case, embarrassment.

You should also enable email filtering on your accounts to prevent most spam from getting through. Keep your devices clear of malware, run an up-to-date antivirus program and, if ever in doubt, have them examined by a professional.

If possible, use a separate device for online banking and other activities that involve the transfer of sensitive information. In general, adult content websites are known for high traffic and therefore are often a target for cybercriminals, which helped lend this scam some added credibility.

Visit the X-Force Exchange to learn more about this campaign. For tips to keep yourself safe from online scams and malware, check out the FBI’s Internet Crime Complaint Center (IC3) and StaySafeOnline.

 

The information contained in this website is for general information purposes only. The information is gathered from Security Intelligence while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.