Login
Trend Micro Research has developed a go-to resource for all things related to cybercriminal underground hosting and infrastructure. Today we released the second in this three-part series of reports which detail the what, how, and why of cybercriminal hosting (see the first part here).
As part of this report, we dive into the common life cycle of a compromised server from initial compromise to the different stages of monetization preferred by criminals. It’s also important to note that regardless of whether a company’s server is on-premise or cloud-based, criminals don’t care what kind of server they compromise.
To a criminal, any server that is exposed or vulnerable is fair game.
Cloud vs. On-Premise Servers
Cybercriminals don’t care where servers are located. They can leverage the storage space, computation resources, or steal data no matter what type of server they access. Whatever is most exposed will most likely be abused.
As digital transformation continues and potentially picks up to allow for continued remote working, cloud servers are more likely to be exposed. Many enterprise IT teams, unfortunately, are not arranged to provide the same protection for cloud as on-premise servers.
As a side note, we want to emphasize that this scenario applies only to cloud instances replicating the storage or processing power of an on-premise server. Containers or serverless functions won’t fall victim to this same type of compromise. Additionally, if the attacker compromises the cloud account, as opposed to a single running instance, then there is an entirely different attack life cycle as they can spin up computing resources at will. Although this is possible, however, it is not our focus here.
Attack Red Flags
Many IT and security teams might not look for earlier stages of abuse. Before getting hit by ransomware, however, there are other red flags that could alert teams to the breach.
If a server is compromised and used for cryptocurrency mining (also known as cryptomining), this can be one of the biggest red flags for a security team. The discovery of cryptomining malware running on any server should result in the company taking immediate action and initiating an incident response to lock down that server.
This indicator of compromise (IOC) is significant because while cryptomining malware is often seen as less serious compared to other malware types, it is also used as a monetization tactic that can run in the background while server access is being sold for further malicious activity. For example, access could be sold for use as a server for underground hosting. Meanwhile, the data could be exfiltrated and sold as personally identifiable information (PII) or for industrial espionage, or it could be sold for a targeted ransomware attack. It’s possible to think of the presence of cryptomining malware as the proverbial canary in a coal mine: This is the case, at least, for several access-as-a-service (AaaS) criminals who use this as part of their business model.
Attack Life Cycle
Attacks on compromised servers follow a common path:
|
|
The monetization lifecycle of a compromised server
Often, targeted ransomware is the final stage. In most cases, asset categorization reveals data that is valuable to the business but not necessarily valuable for espionage.
A deep understanding of the servers and network allows criminals behind a targeted ransomware attack to hit the company where it hurts the most. These criminals would know the dataset, where they live, whether there are backups of the data, and more. With such a detailed blueprint of the organization in their hands, cybercriminals can lock down critical systems and demand higher ransom, as we saw in our 2020 midyear security roundup report.
In addition, while a ransomware attack would be the visible urgent issue for the defender to solve in such an incident, the same attack could also indicate that something far more serious has likely already taken place: the theft of company data, which should be factored into the company’s response planning. More importantly, it should be noted that once a company finds an IOC for cryptocurrency, stopping the attacker right then and there could save them considerable time and money in the future.
Ultimately, no matter where a company’s data is stored, hybrid cloud security is critical to preventing this life cycle.
The post The Life Cycle of a Compromised (Cloud) Server appeared first on .
Migrating to the cloud is hard. The PowerPoint deck and pretty architectures are drawn up quickly but the work required to make the move will take months and possibly years.
The early stages require significant effort by teams to learn new technologies (the cloud services themselves) and new ways of the working (the shared responsibility model).
In the early days of your cloud efforts, the cloud center of expertise is a logical model to follow.
A cloud center of excellence is exactly what it sounds like. Your organization forms a new team—or an existing team grows into the role—that focuses on setting cloud standards and architectures.
They are often the “go-to” team for any cloud questions. From the simple (“What’s an Amazon S3 bucket?”), to the nuanced (“What are the advantages of Amazon Aurora over RDS?”), to the complex (“What’s the optimum index/sort keying for this DynamoDB table?”).
The cloud center of excellence is the one-stop shop for cloud in your organization. At the beginning, this organizational design choice can greatly accelerate the adoption of cloud technologies.
The problem is that accelerated adoption doesn’t necessarily correlate with accelerated understanding and learning.
In fact, as the center of excellent continues to grow its success, there is an inverse failure in organizational learning which create a general lack of cloud fluency.
Cloud fluency is an idea introduced by Forrest Brazeal at A Cloud Guru that describes the general ability of all teams within the organization to discuss cloud technologies and solutions. Forrest’s blog post shines a light on this situation and is summed up nicely in this cartoon;
Our own Mark Nunnikhoven also spoke to Forrest on episode 2 of season 2 for #LetsTalkCloud.
Even though the cloud center of excellence team sets out to teach everyone and raise the bar, the work soon piles up and the team quickly shifts away from an educational mandate to a “fix everything” one.
What was once a cloud accelerator is now a place of burnout for your top, hard-to-replace cloud talent.
If you’ve paid attention to how cybersecurity teams operate within organizations, you have probably spotted a number of very concerning similarities.
Cybersecurity teams are also considered a center of excellence and the central team within the organization for security knowledge.
Most requests for security architecture, advice, operations, and generally anything that includes the prefix “cyber”, word “risk”, or hints of “hacking” get routed to this team.
This isn’t the security team’s fault. Over the years, systems have increased in complexity, more and more incidents occur, and security teams rarely get the opportunity to look ahead. They are too busy stuck in “firefighting mode” to take as step back and re-evaluate the organizational design structure they work within.
According to Gartner, for every 750 employees in an organization, one of those is dedicated to cybersecurity. Those are impossible odds that have lead to the massive security skills gap.
Security needs to follow the example of cloud fluency. We need “security fluency” in order to import the security posture of the systems we built and to reduce the risk our organizations face.
This is the reason that security teams need to turn their efforts to educating development teams. DevSecOps is a term chock full of misconceptions and it lacks context to drive the needed changes but it is handy for raising awareness of the lack of security fluency.
Successful adoption of a DevOps philosophy is all about removing barriers to customer success. Providing teams with the tools and autonomy they require is a critical factor in their success.
Security is just one aspect of the development team’s toolkit. It’s up to the current security team to help educate them on the principles driving modern cybersecurity and how to ensure that the systems they build work as intended…and only as intended.
The post Are You Promoting Security Fluency in your Organization? appeared first on .
Intelligent transportation systems (ITS) require harmonization among manufacturers to have any chance of succeeding in the real world. No large-scale car manufacturer, multimodal shipper, or MaaS (Mobility as a Service) provider will risk investing in a single-vendor solution. Successful ITS require interoperable components, especially for managing cybersecurity issues. See https://www.trendmicro.com/vinfo/us/security/news/intelligent-transportation-systems for a set of reports on ITS cybersecurity.
The good news is we now have a standard for automotive cybersecurity, ISA/SAE 21434. This standard addresses all the major elements of connected car security including V2X, reaching from the internals of ECUs and communications busses including CAN to the broader issues of fleet management and public safety. See https://www.iso.org/standard/70918.html for the current draft version of this standard.
Intelligent transport systems rely on complex, contemporary infrastructure elements, including cloud (for data aggregation, traffic analysis, and system-wide recommendations) and 5G (for inter-component networking and real-time sensing). ITS also rely on aging industrial control systems and components, for vehicle detection, weather reporting, and traffic signaling, some dating back forty years or more. This profound heterogeneity makes the cybersecurity problem unwieldy. Automotive systems generally are the most complex public-facing applications of industrial IoT. Any information security problems with them will erode public trust in this important and ultimately critical infrastructure.
Robert Bosch GmbH began working on the first automotive bus architecture in 1986. Automobiles gained increasing electronic functions (smog controls, seat belt monitors, electric window controls, climate controls, and so on). With each new device, the manufacturers had to install additional point-to-point wiring to monitor and control them. This led to increasing complexity, the possibility for error, extended manufacturing time, more costly diagnosis and repair post-sales, and added weight. See Figure 1 for details. By replacing point-to-point wiring with a simple bus, manufacturers could introduce new features connected with one pair of wires for control. This simplified design, manufacturing, diagnosis, and improved quality and maintainability.
Figure 1: CAN Networks Significantly Reduce Wiring (from National Instruments https://www.ni.com/en-us/innovations/white-papers/06/controller-area-network–can–overview.html)
The bus was simple: all devices saw all traffic and responded to messages relevant to them. Each message has a standard format, with a header describing the message content and priority (the arbitration IDs), the body which contains the relevant data, and a cyclic redundancy check (CRC), which is a code to verify that the message contents are accurate. This CRC uses a mathematical formula to determine if any bits have flipped, and for small numbers of errors can correct the message, like a checksum. This is not as powerful as a digital signature. It has no cryptographic power. Every device on the bus can use the CRC algorithm to create a code for messages it sends and to verify the data integrity of messages it receives. Other than this, there is no data confidentiality, authentication, authorization, data integrity, or non-repudiation in CAN bus messages – or any other automotive bus messages. The devices used in cars are generally quite simple, lightweight, and inexpensive: 8-bit processors with little memory on board. Any device connected to the network is trusted. Figure 2 shows the layout of a CAN bus message.
Figure 2: The Standard CAN Frame Format, from National Instruments
Today’s automobiles have more sophisticated devices on board. The types of messages and the services the offer are becoming more complex. In-vehicle infotainment (IVI) systems provide maps, music, Bluetooth connectivity for smartphones and other devices, in addition to increasingly more elaborate driving assistance and monitoring systems all add more traffic to the bus. But given the diversity of manufacturers and suppliers, impeding security measures over the automotive network. No single vendor could today achieve what Robert Bosch did nearly forty years ago. Yet the need for stronger vehicle security is growing.
The ISO/SAE 21434 standard describes a model for securing the supply chain for automotive technology, for validating the integrity of the development process, detecting vulnerabilities and cybersecurity attacks in automotive systems, and managing the deployment of fixes as needed. It is comprehensive. ISO/SAE 21434 builds on decades of work in information security. By applying that body of knowledge to the automotive case, the standard will move the industry towards a safer and more trustworthy connected car world.
But the standard’s value doesn’t stop with cars and intelligent transport systems. Domains far beyond connected cars will benefit from having a model for securing communications among elements from diverse manufacturers sharing a common bus. The CAN bus and related technologies are used onboard ships, in aircraft, in railroad management, in maritime port systems, and even in controlling prosthetic limbs. The vulnerabilities are common, the complexity of the supply chain is equivalent, and the need for a comprehensive architectural solution is as great. So this standard is a superb achievement and will go far to improve the quality, reliability, and trustworthiness of critical systems globally.
What do you think? Let me know in the comments below or @WilliamMalikTM.
The post Connected Car Standards – Thank Goodness! appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about two recently detected variants of existing Linux botnet malware types targeting exposed Docker servers. Also, read about a group of vulnerabilities dubbed Ripple20 that have the potential to critically impact millions of IoT devices across many different industries.
Read on:
The Fear of Vendor Lock-in Leads to Cloud Failures
Vendor lock-in, the fear that by investing too much with one vendor an organization reduces their options in the future, has been an often-quoted risk since the mid-1990s. Organizations continue to walk a fine line with their technology vendors. Ideally, you select a set of technologies that not only meet your current needs but that align with your future vision as well.
How Do I Select a Mobile Security Solution for My Business?
The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets. To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.
Knowing Your Shared Security Responsibility in Microsoft Azure and Avoiding Misconfigurations
Trend Micro is excited to launch new Trend Micro Cloud One – Conformity capabilities that will strengthen protection for Azure resources. As with any launch, there is a lot of new information, so we held a Q&A with one of the founders of Conformity, Mike Rahmati. In the interview, Mike shares how these new capabilities can help customers prevent or easily remediate misconfigurations on Azure.
FBI Warns K-12 Schools of Ransomware Attacks via RDP
The US Federal Bureau of Investigation (FBI) this week sent out a security alert to K-12 schools about the increase in ransomware attacks during the coronavirus pandemic, and especially about ransomware gangs that abuse RDP connections to break into school systems.
XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers
Trend Micro recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers: XORDDoS malware and Kaiji DDoS malware. Having Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS was known for targeting Linux hosts on cloud systems, while recently discovered Kaiji was first reported to affect internet of things (IoT) devices.
Frost & Sullivan Employee, Customer Data for Sale on Dark Web
A group is hawking records of more than 12,000 Frost & Sullivan employees and customers on a hacker folder. According to Cyble CEO Beenu Arora the breach was a result of a misconfigured backup directory on one of Frost & Sullivan’s public-facing servers. The KelvinSecurity Team said they put the information – which includes names, email addresses, company contacts, login names and hashed passwords – for sale in a hacking forum to sound the “alarm” after Frost & Sullivan didn’t respond to the group’s attempt to alert it to the exposed database.
Millions of IoT Devices Affected by Ripple20 Vulnerabilities
Israeli cybersecurity firm JSOF has released information on a group of vulnerabilities dubbed Ripple20. These vulnerabilities have the potential to critically impact millions of internet of things (IoT) devices across many different industries — crucial machines in the medical, oil and gas, transportation, power, and manufacturing industries can be affected by these bugs.
Nvidia Warns Windows Gamers of Serious Graphics Driver Bugs
Graphics chipmaker Nvidia has fixed two high-severity flaws in its graphics drivers. Attackers can exploit the vulnerabilities to view sensitive data, gain escalated privileges or launch denial-of-service (DoS) attacks in impacted Windows gaming devices.
Cyberattacks from the Frontlines: Incident Response Playbook for Beginners
For enterprises, staying competitive in an ever-changing market involves keeping up with the latest technological trends. However, without the parallel development of security infrastructure and robust response, new technology could be used as a conduit for cyberthreats that result in losses. Organizations should aim to prevent these breaches from happening — but having protocols for reducing a breach lifecycle is an essential and realistic approach for dealing with current threats.
OneClass Unsecured S3 Bucket Exposes PII on More than One Million Students, Instructors
An unsecured database belonging to remote learning platform OneClass has exposed information associated with more than a million students in North America who use the platform to access study guides and educational assistance. Data exposed includes full names, email addresses (some masked), schools and universities attended, phone numbers, school and university course enrollment details and OneClass account details.
During the past decade, various countries and industries have actively developed guidelines and frameworks for OT security. Recently, multiple guidelines have been integrated, and two standards as global standards are IEC62443 and the NIST CSF, SP800 series, from the viewpoint of security in smart factories. In this series, Trend Miro explains the overviews of IEC62443 and NIST CSF, in order to understand their concepts required for security in smart factories.
Many businesses have misperceptions about cloud environments, providers, and how to secure it all. In order to help separate fact from fiction when it comes to your cloud environment, Trend Micro debunks 8 myths to help you confidently take the next steps in the cloud.
Does your organization have an incident response playbook for potential breaches? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: XORDDoS and Kaiji Botnet Malware Variants Target Exposed Docker Servers and Ripple20 Vulnerabilities Could Impact Millions of IoT Devices appeared first on .
Trend Micro is excited to launch new Trend Micro Cloud One – Conformity capabilities that will strengthen protection for Azure resources.
As with any launch, there is a lot of new information, so we decided to sit down with one of the founders of Conformity, Mike Rahmati. Mike is a technologist at heart, with a proven track record of success in the development of software systems that are resilient to failure and grow and scale dynamically through cloud, open-source, agile, and lean disciplines. In the interview, we picked Mike’s brain on how these new capabilities can help customers prevent or easily remediate misconfigurations on Azure. Let’s dive in.
What are the common business problems that customers encounter when building on or moving their applications to Azure or Amazon Web Services (AWS)?
The common problem is there are a lot of tools and cloud services out there. Organizations are looking for tool consolidation and visibility into their cloud environment. Shadow IT and business units spinning up their own cloud accounts is a real challenge for IT organizations to keep on top of. Compliance, security, and governance controls are not necessarily top of mind for business units that are innovating at incredible speeds. That is why it is so powerful to have a tool that can provide visibility into your cloud environment and show where you are potentially vulnerable from a security and compliance perspective.
Common misconfigurations on AWS are an open Amazon Elastic Compute Cloud (EC2) or a misconfigured IAM policy. What is the equivalent for Microsoft?
The common misconfigurations are actually quite similar to what we’ve seen with AWS. During the product preview phase, we’ve seen customers with many of the same kinds of misconfiguration issues as we’ve seen with AWS. For example, Microsoft Azure Blobs Storage is the equivalent to Amazon S3 – that is a common source of misconfigurations. We have observed misconfiguration in two main areas: Firewall and Web Application Firewall (WAF),which is equivalent to AWS WAF. The Firewall is similar to networking configuration in AWS, which provides inbound protection for non-HTTP protocols and network related protection for all ports and protocols. It is important to note that this is based on the 100 best practices and 15 services we currently support for Azure and growing, whereas, for AWS, we have over 600 best practices in total, with over 70 controls with auto-remediation.
Can you tell me about the CIS Microsoft Azure Foundation Security Benchmark?
We are thrilled to support the CIS Microsoft Azure Foundation Security Benchmark. The CIS Microsoft Azure Foundations Benchmark includes automated checks and remediation recommendations for the following: Identity and Access Management, Security Center, Storage Accounts, Database Services, Logging and Monitoring, Networking, Virtual Machines, and App Service. There are over 100 best practices in this framework and we have rules built to check for all of those best practices to ensure cloud builders are avoiding risk in their Azure environments.
Can you tell me a little bit about the Microsoft Shared Responsibility Model?
In terms of shared responsibility model, it’s is very similar to AWS. The security OF the cloud is a Microsoft responsibility, but the security IN the cloud is the customers responsibility. Microsoft’s ecosystem is growing rapidly, and there are a lot of services that you need to know in order to configure them properly. With Conformity, customers only need to know how to properly configure the core services, according to best practices, and then we can help you take it to the next level.
Can you give an example of how the shared responsibility model is used?
Yes. Imagine you have a Microsoft Azure Blob Storage that includes sensitive data. Then, by accident, someone makes it public. The customer might not be able to afford an hour, two hours, or even days to close that security gap.
In just a few minutes, Conformity will alert you to your risk status, provide remediation recommendations, and for our AWS checks give you the ability to set up auto-remediation. Auto-remediation can be very helpful, as it can close the gap in near-real time for customers.
What are next steps for our readers?
I’d say that whether your cloud exploration is just taking shape, you’re midway through a migration, or you’re already running complex workloads in the cloud, we can help. You can gain full visibility of your infrastructure with continuous cloud security and compliance posture management. We can do the heavy lifting so you can focus on innovating and growing. Also, you can ask anyone from our team to set you up with a complimentary cloud health check. Our cloud engineers are happy to provide an AWS and/or Azure assessment to see if you are building a secure, compliant, and reliable cloud infrastructure. You can find out your risk level in just 10-minutes.
Get started today with a 60-day free trial >
Check out our knowledge base of Azure best practice rules>
Do you see value in building a security culture that is shifted left?
Yes, we have done this for our customers using AWS and it has been very successful. The more we talk about shifting security left the better, and I think that’s where we help customers build a security culture. Every cloud customer is struggling with implementing earlier on in the development cycle and they need tools. Conformity is a tool for customers which is DevOps or DevSecOps friendly and helps them build a security culture that is shifted left.
We help customers shift security left by integrating the Conformity API into their CI/CD pipeline. The product also has preventative controls, which our API and template scanners provide. The idea is we help customers shift security left to identify those misconfigurations early on, even before they’re actually deployed into their environments.
We also help them scan their infrastructure-as-code templates before being deployed into the cloud. Customers need a tool to bake into their CI/CD pipeline. Shifting left doesn’t simply mean having a reporting tool, but rather a tool that allows them to shift security left. That’s where our product, Conformity, can help.
The post Knowing your shared security responsibility in Microsoft Azure and avoiding misconfigurations appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Microsoft’s largest-ever Patch Tuesday update including 129 CVEs. Also, read about a new Android Spyware dubbed ActionSpy.
Read on:
Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update
Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products.
#LetsTalkSecurity: Become the Hunter
This week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the sixth episode of #LetsTalkSecurity featuring guest Jake Williams, founder of Rendition Infosec. Check out this week’s episode and follow the link to find more information about upcoming episodes and guests.
Not Just Good Security Products, But a Good Partner
This week, Trend Micro announced it has been placed in the Champions quadrant of the Canalys Global Cybersecurity Leadership Matrix, in recognition of major investments and improvements in the channel over the past year. The report particularly highlights Trend Micro’s partner portal improvements that include significant investments in deal registration, sales kits, promotions and training.
12 Biggest Cloud Threats and Vulnerabilities In 2020
Data breaches, cybercrime and targeted attacks in the cloud have driven demand for cloud security products and services in recent years. From misconfigured storage buckets and excess privileges to Infrastructure as Code (IoC) templates and automated attacks, here’s a look at 12 of the biggest cloud threats technical experts are worried about this year. Data breaches, cybercrime and targeted attacks in the cloud have driven demand for cloud security products and services in recent years.
Trend Micro Guardian: Protecting Your Kids On-the-Go
Some smart devices are not limited for use on the home network, for example, your child’s mobile phone or tablet. Keeping your kids safe with on-the-go devices means extending your security policies beyond the home. Trend Micro Home Network Security makes it easy with its free app, Trend Micro Guardian. Guardian integrates with HNS’s parental control rules via Mobile Device Management technology to extend the rules you’ve applied on your home network to your children’s Wi-Fi/mobile connections outside the home.
Microsoft Discovers Cryptomining Gang Hijacking ML-Focused Kubernetes Clusters
Microsoft published a report detailing a never-before-seen series of attacks against Kubeflow, a toolkit for running machine learning (ML) operations on top of Kubernetes clusters. The attacks have been going on since April, and Microsoft says its end-goal has been to install a cryptocurrency miner on Kubernetes clusters running Kubeflow instances exposed to the internet.
New Tekya Ad Fraud Found on Google Play
In late March, researchers from CheckPoint found the Tekya malware family being used to carry out ad fraud on Google Play. These apps have since been removed from the store, but Trend Micro recently found a variant of this family that had made its way onto Google Play via five malicious apps, although these have also been removed.
Fake COVID-19 Contact-Tracing Apps Infect Android Phones
Security researchers have identified 12 malicious Android applications, disguised to appear as official government COVID-19 contact-tracing apps, distributing malware onto devices. The Anomali Threat Research team found multiple applications containing a range of malware families, primarily banking Trojan Anubis and SpyNote, an Android Trojan with the goal of collecting and monitoring data on infected devices.
Tracking, Detecting, and Thwarting PowerShell-based Malware and Attacks
While traditional malware and attacks rely on crafted executables to function, fileless malware reside in memory to evade traditional scanners and detection methods. PowerShell, a legitimate management tool used by system administrators, provides an ideal cover for threat actors as they craft payloads heavily dependent on its deep Windows integration. Trend Micro has published multiple reports on this phenomenon, which has been further validated by telemetry data.
Updated Analysis on Nefilim Ransomware’s Behavior
Shortly after the discovery of Nefilim in March 2019, Trend Micro released its analysis of the ransomware and its behavior. Through recent investigations of cases observed in several companies, Trend Micro has amassed more information on how this ransomware operates. Some notable updates added the use of other tools such as Mimikatz, AdFind, CobaltStrike, and MegaSync, and the description of events that occur within the attack phases weeks or even months before the ransomware is deployed.
New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
While tracking Earth Empura, also known as POISON CARP/Evil Eye, Trend Micro identified an undocumented Android spyware it has dubbed ActionSpy. During the first quarter of 2020, Trend Micro observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope to include Taiwan.
Babylon Health Admits ‘Software Error’ Led to Patient Data Breach
Babylon Health, a UK AI chatbot and telehealth startup which has been valued in excess of $2BN, has suffered an embarrassing data breach after a user of the app found he was able to access other patients’ video consultations. The company confirmed the breach yesterday, telling the BBC that a “software error” related to a feature that lets users switch from audio to video-based consultations part way through a call had caused a “small number” of UK users to be able to see others sessions.
In part three of this five-part blog series, Trend Micro looks at the security risks of promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This blog describes the usage of Industrial IoT (IIoT) devices and overlooked security risks in software supply chains.
Surprised by the new Android spyware ActionSpy that was revealed via phishing attacks from Earth Empusa? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update and New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how the operators of the Shade (Troldesh) ransomware have shut down and released more than 750,000 decryption keys. Also, learn about an attack using Zoom installers to spread a WebMonitor RAT malware.
Read on:
The Industry 4.0 Lab Never Ignores Brownfields – What POLIMI and Trend Micro Aim to Prove
It takes time for new technologies to penetrate the market and even the most innovative technology must be used safely and with confidence. Industry 4.0 technology is no exception. Engineers and researchers, including those at Politecnico di Milano (POLIMI) and Trend Micro, are currently investigating how to map ICT technology principles onto OT environments, including factory environments.
Shade (Troldesh) Ransomware Shuts Down and Releases Decryption Keys
The operators of the Shade (Troldesh) ransomware have shut down and, as a sign of goodwill, have released more than 750,000 decryption keys that past victims can now use to recover their files. Security researchers from Kaspersky Lab have confirmed the validity of the leaked keys and are now working on creating a free decryption tool.
Trend Micro’s Top Ten MITRE Evaluation Considerations
The MITRE ATT&CK framework, and the evaluations, have gone a long way in helping advance the security industry, and the individual security products serving the market. The insight garnered from these evaluations is incredibly useful but can be hard to understand. In this blog, read Trend Micro’s top 10 key takeaways for its evaluation results.
New Android Malware Steals Banking Passwords, Private Data and Keystrokes
A new type of mobile banking malware has been discovered abusing Android’s accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Dubbed “EventBot” by Cybereason researchers, the malware can target over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets.
Principles of a Cloud Migration – Security, The W5H – Episode WHAT?
Last week in Trend Micro’s cloud migration blog series, we explained the “WHO” of securing a cloud migration, detailing each of the roles involved with implementing a successful security practice during the migration. This week, Trend Micro touches on the “WHAT” of security: the key principles required before your first workload moves.
Critical WordPress e-Learning Plugin Bugs Open Door to Cheating
Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more.
WebMonitor RAT Bundled with Zoom Installer
The COVID-19 pandemic has highlighted the usefulness of communication apps for work-from-home setups. However, as expected, cybercriminals look to exploit popular trends and user behavior. Trend Micro has witnessed threats against several messaging apps, including Zoom. In April, Trend Micro spotted an attack using Zoom installers to spread a cryptocurrency miner. Trend Micro recently encountered a similar attack that drops a different malware: RevCode WebMonitor RAT.
Group Behind TrickBot Spreads Fileless BazarBackdoor
A new campaign is spreading a new malware named “BazarBackdoor,” a fileless backdoor created by the same threat actors behind TrickBot, according to BleepingComputer. The conclusion is drawn due to similarities in code, crypters, and infrastructure between the two malware variants. The social engineering attacks used to spread the backdoor use topics such as customer complaints, COVID-19-themed payroll reports, and employee termination lists for the emails they send out.
Critical Adobe Illustrator, Bridge and Magento Flaws Patched
Adobe is warning of critical flaws in Adobe Bridge, Adobe Illustrator and the Magento e-commerce platform. If exploited, the most severe vulnerabilities could enable remote code execution on affected systems. Francis Provencher, Mat Powell, and an anonymous reporter were credited for discovering the flaws, all working with Trend Micro’s Zero Day Initiative.
Guidance on Kubernetes Threat Modeling
Kubernetes is one of the most used container orchestration systems in cloud environments. As such, like any widely used application, it is an attractive target for cybercriminals and other threat actors. In this blog, Trend Micro shares three general areas that cloud administrators need to secure their deployments against, as they can introduce threats or risks to their Kubernetes-driven containerization strategies.
Loki Info Stealer Propagates Through LZH Files
Trend Micro previously encountered a spam sample that propagates the info stealer Loki through Windows Cabinet (CAB) files. Recently, Trend Micro also acquired another sample that delivers the same malware, but through LZH compressed archive files. Trend Micro detects the attachment and the dropper as TrojanSpy.Win32.LOKI.TIOIBYTU.
Security 101: How Fileless Attacks Work and Persist in Systems
As security measures improve, modern adversaries continue to craft sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which don’t require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.
COVID-19 Lockdown Fuels Increase in RDP Attacks
The number of attacks abusing the remote desktop protocol (RDP) to compromise corporate environments has increased significantly over the past couple of months, according to Kaspersky. With employees worldwide forced to work from home due to the COVID-19 pandemic, the volume of corporate traffic has increased significantly, just as the use of third-party services has increased to keep teams connected and efficient.
What measures are you taking to secure your migration to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Shade Ransomware Shuts Down, Releases Decryption Keys and WebMonitor RAT Bundled with Zoom Installer appeared first on .
Over the past three decades, we’ve had time at Trend Micro to observe the industry trends that have the biggest impact on our customers. And one of the big things we’ve seen is that threats move largely in tandem with changes to IT infrastructure. This matters today because most organizations are transforming the way they run and manage their infrastructure—a daunting task on its own.
But with digital transformation also comes an expanded corporate attack surface, driving security leaders to demand enhanced visibility, detection & response across the entire enterprise — this is not just about the endpoint.
Transforming business
Over the past five years, there has been a major shift in the way IT infrastructure is delivered, and with that shift, increasing complexity. A big part of this change has been the use of the cloud, reflected in Gartner’s prediction that the market will grow to over $266 billion in 2020. Organizations everywhere are leveraging the cloud and DevOps to rapidly deliver new and differentiated applications and services for their customers, partners and employees. And the use of containers and microservices across a multi-cloud and hybrid environment is increasingly common.
In addition to leveraging public cloud services like IaaS, organizations are also rapidly adopting SaaS applications like Office 365, and expanding their use of mobile and collaborative applications to support remote working. Some are even arguing that working patterns may never be the same again, following the changes forced on many employers by the Covid-19 pandemic.
Combine these changes with networks that continue to extend to include branch offices and add new areas to protect like operational technology including industrial systems, and we can certainly see that the challenges facing the modern enterprise look nothing like they did a few years ago.
Under fire, under pressure
All of these infrastructure changes make for a broader attack surface that the bad guys can take advantage of, and they’re doing so with an increasingly wide range of tools and techniques. In the cloud there is a new class of vulnerabilities introduced through a greater use of open source, containers, orchestration platforms, supply chain applications and more. For all organizations, the majority of threats still prey upon the user, arriving via email (over 90% of the 52.3 billion we blocked in 2019), and they’re no longer just basic phishing attempts. There’s been an uptick in fileless events designed to bypass traditional security filters (we blocked 1.4 million last year). And Business Email Compromise (BEC) and ransomware continue to evolve, the latter causing major outages across local government, healthcare and other vulnerable sectors.
Organizations are often left flat-footed because they don’t have the in-house skills to secure a rapidly evolving IT environment. Mistakes get made, and configuration errors can allow the hackers to sneak in.
Against this backdrop, CISOs need visibility, detection and response capabilities across the extended enterprise. But in too many cases, teams are struggling because they have:
|
|
Beyond the endpoint
While endpoint detection and response (EDR) has become a popular response to some of these problems over recent years, the reality is that cyber-attacks are rarely straightforward and limited to the endpoint (as noted in the email statistic above). Security teams actually need visibility, detection, and response across the entire IT environment, so they can better contextualize and deal with threats.
This is what Trend Micro XDR offers. It provides visibility across not just endpoints but also email, servers, cloud workloads and networks, applying AI and expert security analytics to correlate and identify potential threats. The result is fewer, higher fidelity alerts for stretched IT security teams to deal with. Recognizing the skills shortage reality, we also offer a managed XDR service that augments in-house SOC activities with the power of Trend Micro security experts.
Detection and response is too important to be limited to the endpoint. Today’s CISOs need visibility, detection, and response everywhere.
The post Why CISOs Are Demanding Detection and Response Everywhere appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about why Zoom has released an update for its Linux, Mac, and Windows apps that removes the meeting ID from the app’s title bar. Also, read about Trend Micro’s latest research on cloud-specific security, with examples of threats and risks that organizations could face when migrating to the cloud or using cloud services.
Read on:
Trend Micro Study Shows Cloud Misconfiguration as Major Threat
This week, Trend Micro released new research findings concerning cloud security, a major area of concern for enterprises of all sizes. The research confirms the role of both human errors and complex deployments in creating cloud-based cyber threats; above all, Trend Micro notes the dangers of cloud misconfiguration to cloud environments.
NCSA Small Business Webinar Series
The National Cyber Security Alliance is hosting a series of webinars for small business owners, and Trend Micro is proud to support this effort with guest speakers sharing threat intelligence and security expertise. The topics will help small companies deal with the challenges of COVID-19, including sessions on telework, digital spring cleaning, e-commerce security, how to avoid COVID-19 scams and more.
Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials
An ongoing phishing campaign is reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to “update,” only to steal their credentials for Cisco’s Webex web conferencing platform instead. The campaign is looking to leverage the wave of remote workers who have come to rely on online conferencing tools like Webex and other platforms.
Principles of a Cloud Migration – From Step One to Done
Cloud migrations are happening every day and analysts predict over 75% of mid-size to large enterprises will migrate a workload to the cloud by 2021 – but how can you make sure your workload is successful? In this multi-part blog series, Trend Micro explores best practices, forward thinking, and use cases around creating a successful cloud migration from multiple perspectives.
Zoomed In: A Look into a Coinminer Bundled with Zoom Installer
Trend Micro recently found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up downloading a malicious file. The compromised files are assumed to come from fraudulent websites. Trend Micro has been working with Zoom to ensure that they are able to communicate this to their users appropriately.
Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration
Trend Micro’s Managed XDR (MxDR) and Incident Response (IR) teams recently investigated an incident involving a company that was hit by the Nefilim ransomware, which was initially discovered in March 2020. What makes Nefilim especially devious is that the threat actors behind the attack threaten to release the victim’s stolen data on an online leak site.
Zoom Removes Meeting IDs from App Title Bar to Improve Privacy
Video conferencing service Zoom has released an update for its Linux, Mac, and Windows apps that removes the meeting ID from the app’s title bar. The update comes after the company’s users have often leaked their meeting IDs, and even meeting passwords, when sharing screenshots of their meetings on social media.
Analysis: Suspicious “Very Hidden” Formula on Excel 4.0 Macro Sheet
A malicious Microsoft Excel 4.0 Macro sheet with a suspicious formula that is set as “Very Hidden” was submitted by a customer and further analyzed by Trend Micro researchers. The sheet is not readily accessible via the Microsoft Excel User Interface (UI) due to a feature documented in the Microsoft website that allows users to hide sheets. The compromised files were commonly used as an attachment in spam.
Actively Exploited MS Exchange Flaw Present on 80% of Exposed Servers
Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don’t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premise Exchange servers (out of 433,464 total) out there.
Misconfigured Docker Daemon API Ports Attacked for Kinsing Malware Campaign
A campaign that targets misconfigured Docker Daemon API ports through Kinsing malware was reported by security researchers from Aqua Security. The campaign exploited the ports to run an Ubuntu container. According to the researchers, Kinsing malware’s strings revealed that it is a Golang-based Linux agent.
Threat Actors Deliver Courier-Themed Spam Campaign with Attached ACE Files
Trend Micro researchers detected a new courier service-themed malicious spam campaign that uses ACE files as attachments. The samples were gathered from Trend Micro’s honeypot. The email poses as a shipment arrival notification with a fake receipt attached. It then convinces receivers to download the attachment by asking them to check if the address on the receipt is correct.blo
Exploring Common Threats to Cloud Security
Trend Micro’s recent cloud research provides examples of threats and risks organizations could face when migrating to the cloud or using cloud services. No matter the cloud service or platform, the common theme is that misconfiguration continues to be one of the major pitfalls of cloud security, affecting both companies who subscribe to cloud services and users of software that are hosted on the cloud.
PowerPoint ‘Weakness’ Opens Door to Malicious Mouse-Over Attack
A researcher is sounding the alarm over what he believes could be a novel attack vector which allows a hacker to manipulate a PowerPoint file to download and begin the installation of malware, simply by hovering over a hypertext link. The technique does require a victim to accept one pop-up dialogue box to run or install a program. For those reasons, Microsoft does not consider this a vulnerability.
Cloud Transformation Is the Biggest Opportunity to Fix Security
Lower costs, improved efficiencies and faster time to market are some of the primary benefits of transitioning to the cloud. However, it’s not done overnight. It can take years to move complete data centers and operational applications to the cloud and the benefits won’t be fully realized until most functional data have been transitioned.
Who is World Wired Labs and Why Are They Selling an Android Trojan?
A company advertising a remote access tool frequently used by criminals and nation-state hackers may be serving as a front for a Chinese hacking group, according to research published by BlackBerry Cylance. In a report on remote access trojans (RAT), researchers detail an Android malware variant, which they call PWNDROID4, that can be used to monitor targets’ phone calls, record audio, send and receive text messages, and track victims’ GPS location.
Is your organization looking to migrate to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Exploring Common Threats to Cloud Security and Zoom Removes Meeting IDs from App Title Bar to Improve Privacy appeared first on .
This overview builds on the recent report from Trend Micro Research on cloud-specific security gaps, which can be found here.
Don’t be cloud-weary. Hear us out.
Recently, a major tipping point was reached in the IT world when more than half of new IT spending was on cloud over non- cloud. So rather than being the exception, cloud-based operations have become the rule.
However, too many security solutions and vendors still treat the cloud like an exception – or at least not as a primary use case. The approach remains “and cloud” rather than “cloud and.”
Attackers have made this transition. Criminals know that business security is generally behind the curve with its approach to the cloud and take advantage of the lack of security experience surrounding new cloud environments. This leads to ransomware, cryptocurrency mining and data exfiltration attacks targeting cloud environments, to name a few.
Why Cloud?
There are many reasons why companies transition to the cloud. Lower costs, improved efficiencies and faster time to market are some of the primary benefits touted by cloud providers.
These benefits come with common misconceptions. While efficiency and time to market can be greatly improved by transitioning to the cloud, this is not done overnight. It can take years to move complete data centers and operational applications to the cloud. The benefits won’t be fully realized till the majority of functional data has been transitioned.
Misconfiguration at the User Level is the Biggest Security Risk in the Cloud
Cloud providers have built in security measures that leave many system administrators, IT directors and CTOs feeling content with the security of their data. We’ve heard it many times – “My cloud provider takes care of security, why would I need to do anything additional?”
This way of thinking ignores the shared responsibility model for security in the cloud. While cloud providers secure the platform as a whole, companies are responsible for the security of their data hosted in those platforms.
Misunderstanding the shared responsibility model leads to the No. 1 security risk associated with the cloud: Misconfiguration.
You may be thinking, “But what about ransomware and cryptomining and exploits?” Other attack types are primarily possible when one of the 3 misconfigurations below are present.
You can forget about all the worst-case, overly complex attacks: Misconfigurations are the greatest risk and should be the No. 1 concern. These misconfigurations are in 3 categories:
|
|
How Big is The Misconfiguration Problem?
Trend Micro Cloud One – Conformity identifies an average of 230 million misconfigurations per day.
To further understand the state of cloud misconfigurations, Trend Micro Research recently investigated cloud-specific cyber attacks. The report found a large number of websites partially hosted in world-writable cloud-based storage systems. Despite these environments being secure by default, settings can be manually changed to allow more access than actually needed.
These misconfigurations are typically put in place without knowing the potential consequences. But once in place, it is simple to scan the internet to find this type of misconfiguration, and criminals are exploiting them for profit.
Why Do Misconfigurations Happen?
The risk of misconfigurations may seem obvious in theory, but in practice, overloaded IT teams are often simply trying to streamline workflows to make internal processes easier. So, settings are changed to give read and/or write access to anyone in the organization with the necessary credentials. What is not realized is that this level of exposure can be found and exploited by criminals.
We expect this trend will increase in 2020, as more cloud-based services and applications gain popularity with companies using a DevOps workflow. Teams are likely to misconfigure more cloud-based applications, unintentionally exposing corporate data to the internet – and to criminals.
Our prediction is that through 2025, more than 75% of successful attacks on cloud environments will be caused by missing or misconfigured security by cloud customers rather than cloud providers.
How to Protect Against Misconfiguration
Nearly all data breaches involving cloud services have been caused by misconfigurations. This is easily preventable with some basic cyber hygiene and regular monitoring of your configurations.
Your data and applications in the cloud are only as secure as you make them. There are enough tools available today to make your cloud environment – and the majority of your IT spend – at least as secure as your non-cloud legacy systems.
You can secure your cloud data and applications today, especially knowing that attackers are already cloud-aware and delivering vulnerabilities as a service. Here are a few best practices for securing your cloud environment:
|
|
To read the complete Trend Micro Research report, please visit: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/exploring-common-threats-to-cloud-security.
For additional information on Trend Micro’s approach to cloud security, click here: https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html.
The post Cloud Transformation Is The Biggest Opportunity To Fix Security appeared first on .
Few national emergencies have the ability to strike panic into the populace quite like a virus pandemic. It’s fortunately something most of us have never had to experience, until now. At the time of writing, the number of global confirmed cases of Coronavirus infection, or COVID-19, has reached nearly 174,000 worldwide. Although the official US total currently remains a fraction of that (around 4,000), problems with testing mean many cases are likely to be going unreported here.
This is a difficult time for many Americans, as it is for citizens all over the world. But unfortunately it’s extraordinary global events like this that cyber-criminals look for in order to make their schemes more successful. True to form, they’re using mass awareness of the outbreak and a popular desire for more information on the virus, to trick users into giving away personal information and log-ins, or to unwittingly install malware on their devices.
As organizations enforce remote working to reduce the impact of the virus, many of you will be logging-on from home or your mobile computing devices, which may have fewer built-in protections from such threats. This makes it more important than ever to know how the bad guys are trying to cash in on COVID-19 and what you can do to stay safe.
Here’s a quick guide to the key online threats and security tips:
Phishing for trouble
Decades before COVID-19 burst onto the scene, a different kind of pandemic was spreading across the globe. Phishing messages have been one of the most popular tools in the hackers’ arsenal for years. In fact, Trend Micro blocked nearly 48 billion email-borne threats in 2019, 91% of the total we detected. Phishing is designed to trick the user into handing over their log-ins or personal and financial details, or persuading them to unwittingly download malware. Cyber-criminals typically achieve this by spoofing an email to make it appear as if sent from a legitimate and trustworthy source.
Once a user has been hooked, they are enticed into clicking on a malicious link or opening a malware-laden attachment. This could be anything from a banking trojan designed to steal online banking log-ins, to a piece of ransomware which will lock the user out of their PC until they pay a fee. It could even be cryptojacking malware which sits on the infected machine, quietly mining for Bitcoin while running up large energy bills and slowing down your PC.
The bad news is that phishing messages — whether sent by email, social media, text or messaging app — are getting harder to spot. Many now feature perfect English, and official logos and sender domains. They also often use current newsworthy events to trick the user into clicking. And they don’t get more high-profile than the COVID-19 pandemic.
Depending on how well protected your computing devices are, you may be more likely to receive one of these scam messages than be exposed to the virus itself. So, it pays to know what’s out there.
Watch out for these scams
The phishing landscape is evolving all the time. But here is a selection of some of the most common scams doing the rounds at the moment:
‘Official’ updates
Many of these emails purport to come from official organizations such as the US Center for Disease Control and Prevention (CDC), or the World Health Organization (WHO). They claim to contain key updates on the spread of the virus and must-read recommendations on how to avoid infection. Booby-trapped links and attachments carry malware and/or could redirect users to phishing sites.
Coronavirus map
Sometimes legitimate tools can be hijacked to spread malware. Researchers have spotted a version of the interactive Coronavirus dashboard created by Johns Hopkins University which was altered to contain information-stealing malware known as AZORult. If emails arrive with links to such sites, users should exercise extreme caution.
Corporate updates
Many big brands are proactively contacting their customer base to reassure them of the steps they are taking to keep staff and customers safe from the virus. But here too, the hackers are jumping in with spoof messages of their own purporting to come from the companies you may do business with. FedEx is one such global brand that has been spoofed in this way.
Donations
Another trick is to send phishing emails calling for donations to help fund research into the virus. One, claiming to come from the “Department of Health” has a subject line, “URGENT: Coronavirus, Can we count on your support today?” A key tactic in phishing emails is to create a sense of urgency like this to rush the reader into making hasty decisions.
Click here for a cure
One scam email claims to come from a medical professional and contains details about a vaccine for COVID-19 which has been “hushed up” by global governments. Of course, clicking through to find the non-existent ‘cure’ will bring the recipient nothing but trouble.
Tax refunds
In the UK, users have received emails spoofed to appear as if sent from the government, and promising a tax refund to help citizens cope with the financial shock of the pandemic. As governments in the US and elsewhere start to take more interventionist measures to prop up their economies, we can expect more of these types of phishing email.
How to stay safe
The good news is that there’s plenty you can do to protect you and your family from phishing emails like these. A blend of the following technical and human fixes will go a long way to minimizing the threat:
|
|
How Trend Micro can help
Fortunately, Trend Micro Security can also help. Among its anti-phishing features are the following:
Antispam for Outlook: includes checks on email sender reputation, employs web threat protection to block malicious URLs in messages, and scans for threats in files attached to email messages.
Fraud Buster: uses leading-edge AI technology to detect fake emails in Gmail and Outlook webmail that don’t contain malicious URLs or attachments, but still pose a risk to the user.
To find out more about how Trend Micro can help keep your family safe from online threats and phishing, go to our Trend Micro Security homepage, or watch our video series: How to Prevent Phishing, Part 1 and Part 2.
The post How to Stay Safe as Online Coronavirus Scams Spread appeared first on .
Tax season has always been a pretty nerve-wracking time for hard-working Americans. But over the years, technology advances have arrived to gradually make the process a bit easier. The bad news is that they can also introduce new cyber risks and even more stress.
There are two things that cybercriminals are always on the hunt for: people’s identity data from their accounts, and their money. And during the tax-filing season both can be unwittingly exposed. Over the years, cybercriminals have adapted multiple tools and techniques to part taxpayers with their personal information and funds.
Let’s take look at some of the main threats out there and what you can do to stay safe.
What do they want?
Cybercrime is a highly efficient money-making business. Some reports suggest this underground economy generates as much as $1.5 trillion each year. (See Into the Web of Profit, April 2018, McGuire, Bromium.) And tax-related scams are an increasingly popular way for the bad guys to drive-up profits. The Internal Revenue Service (IRS) claims that “thousands of people have lost millions of dollars and their personal information” to such attacks.
The bottom line is that they’re after one of two things: to trick you into wiring funds to them, and/or to get hold of your personally identifiable information (PII), including bank account and Social Security Numbers (SSNs). This personal data can subsequently be used to defraud you or the IRS, or may be deployed in follow-on identity fraud schemes to capture illicit funds from you.
There are various ways cyber-criminals can achieve these goals. The most common is by using social engineering tactics to trick taxpayers into sending money or personal information. But they might also use malware, either delivered to you personally or targeted at your tax preparer. This means you not only have to look after your own cybersecurity but also demand that the third-party businesses you work with store and transmit your sensitive information securely.
Look out for these scams
Here’s a round-up of the most popular tactics used by tax scammers today:
Impersonation: The fraudster gets in touch pretending to be an IRS representative. This could be via email, phone, social media or even SMS. They usually claim you owe the IRS money in unpaid taxes or fines and demand a wire transfer, or funds from a prepaid debit card. Sometimes they may ask for personal and financial details—for example, by claiming you’re entitled to a large tax refund and they just need you to supply your bank account info.
These interactions are usually pushy. The scammer knows the best way of making you pay up is by creating a sense of urgency and, sometimes, shaming the individual into believing they’ve been withholding tax payments. Phishing emails may look highly convincing, right down to the logo and sender domain, while phone callers will use fake names and badge numbers. Sometimes the scammers use personal data they may have stolen previously or bought on the Dark Web to make their communications seem more convincing.
In some impersonation scams, the fraudsters may even pretend to work for charities and ask for personal details to help disaster victims with tax refund claims.
Spoofing, phishing, and malware: In some cases, a text, email or social media message spoofed to appear as if sent from the IRS or your tax preparer actually contains malware. The scammers use the same tactics as above but trick the recipient into clicking on a malicious link or opening an attachment laden with malware. The covert download that follows could result in: theft of your personal information; your computer being completely hijacked by hackers via remote control software; or a ransomware download that locks your computer until you pay a fee.
Fake tax returns: Another trick the scammers employ is to use stolen SSNs and other personal information to file tax returns on your behalf. They can then try to claim a large payment in tax refunds from the IRS. The PII they use to file in your name may have been taken from a third-party source without your knowledge, and the first you might hear of it is when you go to file a legitimate tax return. It can take months to resolve the problem.
Attacks targeting tax preparers: Over half of Americans use third-party tax preparation companies to help them with their returns. However, this offers another opportunity for scammers to get hold of your sensitive information. In one recently discovered campaign, malware deployed on tax preparers’ websites was designed to download to the visitor’s computer as soon as they loaded the page. The IRS warns that businesses large and small are potentially at risk, as scammers are keen to get hold of tax information which enables them to file highly convincing fake returns in your name.
What to do
The good news is that by taking a few simple steps you can insulate yourself from the worst of these scams. Remember: the IRS does not contact taxpayers by email, text messages or social media to request personal/financial information— so if you receive communications that do, they are definitely a scam. It’s also important to remember that scams happen all year round, not just in the run-up to the tax filing deadline. That means, unfortunately, that you need to be on your guard all the time.
Here are a few other recommendations:
|
|
It also pays to demand that your tax preparer take their own precautions to keep your data secure. They should not be sending sensitive data or documents unencrypted in emails and must take steps on their own to combat phishing emails that target employees, since these can cascade to you during your tax preparation process. Whether hosted in the cloud or running on-premises, the servers that hold your data should also have adequate protection—and you have a right (and a duty to yourself) to ask ahead of time what they’re doing to protect it.
According to the IRS tax preparers should put the following internal controls in place:
|
|
How Trend Micro can help
Trend Micro offers a range of security tools to help taxpayers keep their personal and financial information safe from fraudsters.
Our flagship consumer solution Trend Micro Security (TMS) provides the following protections:
|
|
To find out more, go to our Trend Micro Security website.
The post Tax Scams – Everything you need to know to keep your money and data safe appeared first on .
Variety is welcome in most walks of life, but not when it comes to the threat landscape. Yet that is unfortunately the reality facing modern cybersecurity professionals. As Trend Micro’s 2019 roundup report reveals, hackers have an unprecedented array of tools, techniques and procedures at their disposal today. With 52 billion unique threats detected by our filters alone, this is in danger of becoming an overwhelming challenge for many IT security departments.
In response, many CISOs are rightly re-examining how they approach threat defense. Rather than create potential security gaps and risk budget shortfalls through best-of-breed investments, they’re understanding that it may be better to consolidate on one provider that can do it all.
The state of play
Our report provides an alarming snapshot into a threat landscape characterized by volatility and chaos. Financially motivated cybercriminals collaborate and compete with each other on a daily basis to elicit profits from their victims. And there are plenty of those, thanks to increased investments in cloud and digital platforms that have broadened the corporate attack surface.
Three trends in the report stand out:
Ransomware is on the rise: Although the number of new families fell, the number of detected ransomware components jumped by 10% to top 61 million during the year. Attacks have been causing chaos across the US, particularly among under-funded public sector authorities and schools. The recent outage at Redcar council could be ominous for UK local authorities. As if service downtime wasn’t enough, several groups have also begun stealing sensitive data before they encrypt, and releasing it if victims don’t pay up — which will require organisations to evolve their threat defense strategies.
Phishing is evolving: As always, email-borne attacks accounted for the vast majority (91%) of threats we blocked last year, and increased 15% in volume from 2018. What does this mean? That phishing remains the number one vector for attacks on organisations. Although we noted an overall decline in total attempts to visit phishing sites, there were some spikes. Fraudsters appear to be targeting Office 365 in an attempt to bypass security filters: the number of unique phishing URLs that spoofed the Microsoft cloud platform soared by 100% from the previous year. BEC attacks, which the FBI has claimed cost more than any other cybercrime type last year, grew 5%.
The supply chain is exposed: At the same time, the digital supply chain has rapidly expanded in recent years, exposing more organisations to risk. This was particularly notable in the e-commerce space last year, as Magecart gangs managed to compromise an estimated two million sites. Many of these attacks focused on attacking supply chain partners, which provide JavaScript libraries to the victim sites. We also observed an increase in attacks focused on compromising DevOps tools and deployments, such as misconfigured versions of Docker Engine – Community and unsecured Docker hosts.
What happens now?
This is just the tip of the iceberg. We also detected a 189% brute force IoT logins, an increase in mobile malware, and much more. To regain the initiative in the face of such a wide-ranging set of threats, CISOs may find more value in taking a connected threat defence approach. This would consolidate protection onto a single provider across gateways, networks, servers and endpoints, with underlying threat intelligence optimizing defense at each layer.
Here’s a quick checklist of elements to consider:
|
|
To find out more, read Trend Micro’s 2019 roundup report here: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/the-sprawling-reach-of-complex-threats.
The post Hackers Expand Their Repertoire as Trend Micro Blocks 52 Billion Threats in 2019 appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro’s collaboration with INTERPOL’s Global Complex for Innovation helped reduce cryptojacking by 78% in Southeast Asia. Also, read about three malicious apps in the Google Play Store that may be linked to the SideWinder threat group.
Read on:
First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
Trend Micro found three malicious apps in the Google Play Store that work together to compromise a device and collect user information. The three malicious apps — disguised as photography and file manager tools — are likely to be connected to SideWinder, a known threat group that has reportedly targeted military entities’ Windows machines.
Operation Goldfish Alpha Reduces Cryptojacking Across Southeast Asia by 78%
Interpol announced the results of Operation Goldfish Alpha, a six-month effort to secure hacked routers across the Southeast Asia region. The international law enforcement agency said its efforts resulted in a drop of cryptojacking operations across Southeast Asia by 78%, compared to levels recorded in June 2019. Private sector partners included the Cyber Defense Institute and Trend Micro.
Celebrating Decades of Success with Microsoft at the Security 20/20 Awards
Trend Micro, having worked closely with Microsoft for decades, is honored to be nominated for the Microsoft Security 20/20 Partner awards in the Customer Impact and Industry Changemaker categories. Check out this blog for more information on the inaugural awards and Trend Micro’s recognitions.
Security Predictions for 2020 According to Trend Micro
Threat actors are shifting and adapting in their choice of attack vectors and tactics — prompting the need for businesses and users to stay ahead of the curve. Trend Micro has identified four key themes that will define 2020: a future that is set to be Complex, Exposed, Misconfigured and Defensible. Check out Digital Journal’s Q&A with Greg Young, vice president of cybersecurity at Trend Micro, to learn more about security expectations for this year.
The Everyday Cyber Threat Landscape: Trends from 2019 to 2020
In addition to security predictions for the new year, Trend Micro has listed some of the biggest threats from 2019 as well as some trends to keep an eye on as we begin 2020 in this blog. Many of the most dangerous attacks will look a lot like the ones Trend Micro warned about in 2019.
5 Key Security Lessons from the Cloud Hopper Mega Hack
In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the computing cloud. The men, who remain at large, are thought to be part of a Chinese hacking collective known as APT10.
The Summit of Cybersecurity Sits Among the Clouds
Shifts in threats in the security landscape have led Trend Micro to develop Trend Micro Apex One, a newly redesigned endpoint protection solution. Trend Micro Apex One brings enhanced fileless attack detection and advanced behavioral analysis and combines Trend Micro’s powerful endpoint threat detection capabilities with endpoint detection and response (EDR) investigative capabilities.
New Iranian Data Wiper Malware Hits Bapco, Bahrain’s National Oil Company
Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company. The incident took place on December 29th and didn’t have the long-lasting effect hackers might have wanted, as only a portion of Bapco’s computer fleet was impacted and the company continued to operate after the malware’s detonation.
Ransomware Recap: Clop, DeathRansom, and Maze Ransomware
As the new year rolls in, new developments in different ransomware strains have emerged. For example, Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications; DeathRansom can now encrypt files; and Maze ransomware has been targeting U.S. companies for stealing and encrypting data, alerted by the Federal Bureau of Investigation (FBI).
4 Ring Employees Fired for Spying on Customers
Smart doorbell company Ring said that it has fired four employees over the past four years for inappropriately accessing customer video footage. The disclosure comes in a recent letter to senators from Amazon-owned Ring as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year.
Web Skimming Attack on Blue Bear Affects School Admin Software Users
A web skimming attack was recently used to target Blue Bear, a school administration software that handles school accounting, student fees, and online stores for educational institutions. Names, credit card or debit card numbers, expiration dates and security codes, and Blue Bear account usernames and passwords may have been collected.
Patched Microsoft Access ‘MDB Leaker’ (CVE-2019-1463) Exposes Sensitive Data in Database Files
Researchers uncovered an information disclosure vulnerability (CVE-2019-1463) affecting Microsoft Access, which occurs when the software fails to properly handle objects in memory. The vulnerability, dubbed “MDB Leaker” by Mimecast Research Labs, resembles a patched information disclosure bug in Microsoft Office (CVE-2019-0560) found in January 2019.
A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used to host the command for downloading the main shell script. The miner, a multi-component threat, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials.
What are your thoughts on the rise of cryptomining malware and cryptojacking tactics? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the threat campaign Waterbear and how it uses API hooking to evade security product detection. Also, read about December Patch Tuesday updates from Microsoft and Adobe.
Read on:
Waterbear is Back, Uses API Hooking to Evade Security Product Detection
Previously, Waterbear has been used for lateral movement, decrypting and triggering payloads with its loader component. In most cases, the payloads are backdoors that can receive and load additional modules. However, recently Trend Micro discovered a piece of Waterbear payload with a brand new purpose: hiding its network behaviors from a specific security product by API hooking techniques.
Microsoft December 2019 Patch Tuesday Plugs Windows Zero-Day
Microsoft has released today the December 2019 Patch Tuesday security updates. This month’s updates include fixes for 36 vulnerabilities, including a zero-day in the Windows operating system that has been exploited in the wild.
(Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
Recently, Trend Micro found a cryptomining threat using process hollowing and a dropper component that requires a specific set of command line arguments to trigger its malicious behavior, leaving no trace for malicious activity detection or analysis to reference the file as malicious.
2020 Predictions: Black Hats Begin to Target Facial Recognition Technology
Research interest in defeating facial recognition technology is booming. Adversaries are likely taking notice, but don’t expect widespread adoption overnight. Jon Clay, director of threat communication at Trend Micro, points out that techniques ranging from deep fakes to adversarial machine learning are likely still in an early stage.
US, UK Governments Unite to Indict Hacker Behind Dreaded Dridex Malware
Maksim Yakubets, who allegedly runs Russia-based Evil Corp, the cybercriminal organization that developed and distributed banking malware Dridex, has been indicted in the United States by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
Trend Micro, McAfee and Bitdefender Top Cloud Workload Security List
Trend Micro, McAfee and Bitdefender were named among the leaders in a new report from Forrester Research on cloud workload security that covered 13 vendors.
BEC Scam Successfully Steals US $1 Million Using Look-Alike Domains
A Chinese venture capital firm lost US $1 million to scammers who successfully came between a deal the firm had with an Israeli startup. The business email compromise (BEC) campaign used by the attackers consisted of 32 emails and look-alike domains to trick both parties of their authenticity.
Retail Cyberattacks Set to Soar 20% in 2019 Holiday Season
As cybercriminals grow more sophisticated and holiday shoppers continue to flock online, researchers warn internet-based retailers could face a 20 percent uptick in cyberattacks this holiday season compared to last year.
Bug in Ryuk Ransomware’s Decryptor Can Lead to Loss of Data in Certain Files
Ryuk’s decryptor tool could cause data loss instead of reinstating file access to users. According to a blog post from Emsisoft, a bug with how the tool decrypts files could lead to incomplete recoveries, contrary to what the decryptor is meant to achieve.
Hacker Hacks Hacking Platform, Gets Paid $20,000 By the Hacked Hackers
HackerOne operates as a conduit between ethical hackers looking for vulnerabilities, and organizations like General Motors, Goldman Sachs, Google, Microsoft, Twitter, and the U.S. Pentagon, want to patch those security holes before malicious threat actors can exploit them. One of the hackers registered with the platform hacked HackerOne instead and was paid $20,000 (£15,250) by HackerOne as a result.
Trickbot’s Updated Password-Grabbing Module Targets More Apps, Services
Researchers from Security Intelligence have reported on a sudden increase of Trickbot’s activities in Japan, and Trend Micro researchers have found updates to the password-grabbing (pwgrab) module and possible changes to the Emotet variant that drops Trickbot.
Ransomware Recap: Snatch and Zeppelin Ransomware
Two ransomware families with noteworthy features – Snatch and Zeppelin –were spotted this week. Snatch ransomware is capable of forcing Windows machines to reboot into Safe Mode. Zeppelin ransomware, on the other hand, was responsible for infecting healthcare and IT organizations across Europe and the U.S.
Brian Krebs is the CISO MAG Cybersecurity Person of the Year
For the first time, CISO Mag named a Cybersecurity Person of the Year, who is defined as someone who been committed to bringing awareness into the realm of cybersecurity. In addition to recognizing Brian Krebs of KrebsOnSecurity.com, two other individuals were recognized: Trend Micro’s Rik Ferguson, VP of security research, and web security expert Troy Hunt.
Do you think retail cyberattacks will soar higher than 20 percent this holiday season? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: December Patch Tuesday Updates and Retail Cyberattacks Set to Soar 20 Percent During 2019 Holiday Season appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about stalkerware and why it’s on the rise. Also, read about Trend Micro’s selection as a launch partner for the new Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing service, announced during AWS re:Invent 2019.
Read on:
You’re in Safe Hands with Trend Micro Home Network Security
Your home should be a haven that protects you. In the cyber age, however, your router, computers, TVs, game consoles and smart devices are continuously connected to the internet and run the risk of being hacked—usually when you least expect it. This blog is the first of a three-part series outlining how to implement Home Network Security to protect your home.
Amazon Web Services Recognizes Trend Micro as Launch Partner for New Service
With Amazon VPC Ingress Routing, Trend Micro customers will gain benefits which include more flexibility and control traffic routing with transparent deployment and no need to re-architect. Deploying in-line allows customers to be proactive in their network security, which in turn can prevent and disrupt attacks before they can be successful.
What Worries CISOs Most In 2019
Trend Micro’s VP of infrastructure strategies, Bill Malik, recently sat down with a dozen senior IT security leaders to discuss challenges they are currently facing in light of considerable changes in their business environments. These include the high pace of acquisitions balancing executive and team focuses, bring-your-own-device (BYOD) policies and ransomware infections.
Ransomware Attack Hits Major U.S. Data Center Provider
CyrusOne, one of the biggest data center providers in the U.S., has suffered a ransomware attack and is currently working with law enforcement and forensics firms to investigate the attack. CyrusOne is also helping customers restore lost data from backups.
Stalkerware is government-style surveillance software used by individuals to spy on others, which is usually someone you know. With smartphone usage continuing to rise, a whole mini industry has appeared over the past couple of years selling monitoring software, or more treacherously, trojan spyware and code that can hide itself so that you don’t even know it’s on your device.
The California DMV Is Making $50M a Year Selling Drivers’ Personal Information
The California Department of Motor Vehicles is generating revenue of $50,000,000 a year through selling drivers’ personal information, according to a DMV document obtained by Motherboard. This information includes names, physical addresses, and car registration information.
Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
Trend Micro has followed cyberespionage group TICK (a.k.a. “BRONZE BUTLER” or “REDBALDKNIGHT”) since 2008 but noticed an unusual increase in malware development and deployments towards November 2018 as part of a campaign dubbed “Operation ENDTRADE.”
Iran Targets Mideast Oil with ZeroCleare Wiper Malware
A freshly discovered wiper malware dubbed “ZeroCleare” has been deployed to target the energy and industrial sectors in the Middle East. According to IBM’s X-Force Incident Response and Intelligence Services (IRIS), ZeroCleare was involved in a recently spotted APT attack on an oil and gas company, in which it compromised a Windows machine via a vulnerable driver.
Trend Micro has found a new spyware family disguised as chat apps on a phishing website. Trend believes that the apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign.
Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
In November 2019, Trend Micro analyzed an exploit kit named Capesand that exploited Adobe Flash and Microsoft Internet Explorer flaws. During an analysis of the indicators of compromise (IoCs) in the deployed samples that were infecting the victim’s machines, we noticed that these samples were making use of obfuscation tools that made them virtually undetectable.
Trend Micro More Than Doubles Commitment to Underrepresented Persons in Cybersecurity
This week at AWS re:Invent, Trend Micro announced plans to further strengthen its commitment to underrepresented persons by more than doubling its annual time and financial investments to alleviate the skills and diversity gaps in cybersecurity.
Mobile Security: 80% of Android Apps Now Encrypt Network Traffic by Default
Three years ago, Google started its push to tighten network traffic protection from Android devices to web services. The company has provided an update stating that 80% of Android apps have adopted the HTTPS standard by default. HTTPS encrypts network traffic, preventing third parties from intercepting data from apps.
Magecart Sets Sights on Smith & Wesson, Other High-Profile Stores
After incidents in the past few months that saw the threat actor go after customers of online shops and hotel chains, threat actors from the infamous card-skimming group once again took action, this time on Black Friday on a new set of targets: high-profile stores, including firearms vendor Smith & Wesson (S&W).
Out on a Highway Run: Threats and Risks on ITS and Smart Vehicles
The research firm Counterpoint predicted that by 2022, the number of vehicles with embedded connectivity will grow by 270%. The expected increase in technology adoption, however, does not come without risks — from petty showcases of hacks to possibly bigger threats to safety and financial losses.
StrandHogg Android Vulnerability Allows Malware to Hijack Legitimate Apps
Researchers discovered a vulnerability in Android devices that allows malware to hijack legitimate apps. Using this vulnerability (StrandHogg), cybercriminals could trick users into granting permissions to their malicious apps and provide openings for phishing pages.
Ginp Trojan Targets Android Banking App Users, Steals Login Credentials and Credit Card Details
Counterfeit apps were found carrying a new version of the Android banking trojan Ginp (detected by Trend Micro as AndroidOS_Ginp.HRXB) to steal user login credentials and credit card details. ThreatFabric’s analysis of recent Ginp samples showed that it reused some code from Anubis, an Android malware family notorious for its use in cyberespionage activities before being re-tooled as a banking trojan.
What AWS re:Invent announcement did you find the most interesting? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Trend Micro Selected as Launch Partner for AWS Ingress Routing Service and Stalkerware on the Rise appeared first on .
We recently held a valuable conversation (and a great dinner) with about a dozen senior IT security leaders in Atlanta, Georgia. I was fortunate to attend and discuss what plagues them most.
Here are some of their concerns.
Many face considerable change in their business environments – one third of the companies called out the high pace of acquisitions as a source of risk.
Acquisitions draw down information security resources disproportionately. First, IT security must participate in the due diligence phase, prior to the actual acquisition. Under significant time pressure, and strictly bound by the terms of the governing NDA, the InfoSec team must verify the integrity of the target environment’s IT infrastructure. It must render a judgment on the trustworthiness of the underlying procedures, the competence of the support team, the appropriateness of funding and staffing, the effectiveness of policy and awareness training, the fitness of the security technology judged against the changing mission of the target firm, and the accessibility of crucial information. In regulated industries, the acquirer has to review past certifications, audit findings and recommendations, and earlier security events, including how they were handled, and how the organization effectively integrated lessons learned into its updated way of doing business. Some of the attendees reported an acquisition every six weeks over the past two years or more. This pace requires efficient process maturity and open communication among the team members, and ample trust.
Some CIOs reported the challenge of balancing the executive team’s need to know with the managerial desire to optimize team focus on critical initiatives. In the Boardroom and among the C-suite, IT remains a hot topic and IT security is a known vulnerability. This leads some organizations toward micromanaging the IT security team. As we all know, this inappropriate focus has two costs: first, it distracts the Board and the C-suite from their primary missions. Second, it distracts the people doing the job from their task. One effective tactic some adopted is the weekly – or even daily – newsletter. This document provides the status for ongoing projects, notes about top performers, assessment of newly discovered vulnerabilities, and pointers towards effective risk mitigation the leadership team can bring to their respective operational areas. When a Board member has a question for the team, the CISO can intercept it and post a response through the newsletter.
Many CISOs discussed their challenges with BYOD policies. Some mentioned concerns with GDPR impeding their ability to wipe corporate applications and information from employee-owned devices. It’s unclear how to balance that business requirement with privacy concerns for smart phones. With laptops, one approach is to limit corporate access through a locked-down virtual desktop image accessed through a secure VPN. An evil-minded employee could take a picture of the screen, but that attack works on a corporate laptop just as well.
BEC remains a concern, along with phishing attacks leading to possible ransomware infections. One approach is to ignore emails from new domains – those that are less than two months old. This would exclude email from nearly all attackers; anyone legitimately trying to reach an employee will try again in time.
The meeting was quite open and convivial. It was an honor to participate in the discussion, and I look forward to similar meetings in the future. My thanks to the participants!
What do you think? Let me know in the comments below, or message me @WilliamMalikTM!
The post What Worries CISOs Most In 2019 appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about recent skimming and phishing scams as we head into the holidays and how you can protect yourself and your organization. Also, read about how the p4 hacking team from Poland won Trend Micro’s Capture the Flag (CTF) competition in Tokyo.
Read on:
Skimming Scams and Redirection Schemes Phish Consumers Credentials Days Before Black Friday
Ahead of Black Friday, cybercriminals are busy rolling out schemes to trick consumers into sharing their card credentials. In one skimming operation, threat actors faked a retailer’s third-party payment service platform (PSP), resulting in a hybrid skimmer-phishing page. Another campaign used redirection malware on WordPress websites so that users would land on their malicious phishing page.
Polish Hacking Team Triumphs in Trend Micro CTF Competition
Machine learning, reverse engineering, and unearthing mobile and IoT vulnerabilities were among the disciplines tested during Trend Micro’s latest international capture the flag (CTF) competition. The fifth Raimund Genes Cup final pitted 13 teams of young hackers against one another. The winning team, p4 from Poland, claimed a ¥1 million prize (US $9,000) and 15,000 Zero Day Initiative points per player at the Tokyo event.
Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps
CVE-2019-11932, a vulnerability in WhatsApp for Android, was patched with version 2.19.244 of WhatsApp, but the underlying problem lies in the library called libpl_droidsonroids_gif.so, which is part of the android-gif-drawable package. While this flaw has also been patched, many applications still use the older version and remain at risk.
Don’t Overlook the Security of Your Supply Chain
In its 2020 Predictions report, Trend Micro states that organizations will face a growing risk from their cloud and the supply chain. The reliance on open source and third-party software and the introduction of modern workplace practices all present immense risks.
Trickbot Appears to Target OpenSSH and OpenVPN Data in Upgraded Password-Grabbing Module
Trickbot, which was a simple banking trojan when it arrived in 2016, has since mutated into a constantly evolving malware family that includes information theft, vulnerability exploitation, and rapid propagation among its capabilities. In Trend Micro’s recent blog, learn more about how to combat Trickbot and other similarly sophisticated threats.
Stranger Hacks into Baby Monitor, Tells Child, ‘I Love You’
A stranger hacked a Seattle couple’s baby monitor and used it to peer around their home remotely and tell the pair’s 3-year-old, “I love you,” the child’s mother said. It’s not the first time the monitor brand in question, Fredi, made by Shenzhen Jinbaixun Technology Co., Ltd., according to its website, has come under fire for being comparatively easy to access.
Microsoft Says New Dexphot Malware Infected More Than 80,000 Computers
Microsoft security engineers detailed today a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency and generate revenue for the attackers. Named Dexphot, this malware reached its peak in mid-June this year when its botnet reached almost 80,000 infected computers.
How are you protecting yourself from skimming and phishing scams during this holiday season? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Skimming and Phishing Scams Ahead of Black Friday and Polish Hacking Team Wins Capture the Flag Competition appeared first on .
FreshRSS 