FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about a ransomware group that walked away with 2,200 Bitcoin: More than $33 million based on the current Bitcoin exchange rate. Also, read about this month’s Patch Tuesday security updates from Microsoft, including patches for 112 vulnerabilities.

 

Read on:

Microsoft Patch Tuesday Update Fixes 17 Critical Bugs

Microsoft’s November Patch Tuesday roundup of security fixes tackled an unusually large crop of remote code execution (RCE) bugs. Twelve of Microsoft’s 17 critical patches were tied to RCE bugs. In all, 112 vulnerabilities were patched by Microsoft, with 93 rated important, and two rated low in severity. In this article, ZDI’s Dustin Childs shares his thoughts on Microsoft’s removal of descriptions from CVE overviews.

An Old Joker’s New Tricks: Using Github to Hide Its Payload

Trend Micro detected a new Joker malware version on a sample on Google Play, which utilizes Github pages and repositories in an attempt to evade detection. The app promised wallpapers in HD and 4K quality and was downloaded over a thousand times before it was removed from the Play Store by Google after being reported as malicious.

NETGEAR Router, WD NAS Device Hacked on First Day of Pwn2Own Tokyo 2020

Due to the coronavirus pandemic, this year’s Pwn2Own Tokyo was turned into a virtual event coordinated by ZDI from Toronto, Canada. On the first day of the event, the NETGEAR Nighthawk R7800 router, Western Digital My Cloud Pro series PR4100 NSA device and Samsung Smart TV were targeted and $50,000 was awarded among teams STARLabs, Trapa Security and Team Flashback.

Developing Story: COVID-19 Used in Malicious Campaigns

As the number of those afflicted with COVID-19 continues to surge by thousands, malicious campaigns that use the disease as a lure likewise increase. In this report, Trend Micro researchers share samples on COVID-19 related malicious campaigns. The report also includes detections from other researchers.

IoT Security is a Mess. These Guidelines Could Help Fix That

The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organizations open to cyberattacks via vulnerabilities they’re not aware of. However, new guidelines from the European Union Agency for Cybersecurity (ENISA) aims to ensure that security forms part of the entire lifespan of IoT product development.

US Department of Energy Launches New Program for Technology Security Managers

The US Department of Energy (DOE) recently launched the Operational Technology (OT) Defender Fellowship. Another milestone from the Department in enhancing the US’s critical infrastructure. In collaboration with DOE’s Idaho National Laboratory (INL) and the Foundation for Defense of Democracies’ (FDD) Center for Cyber and Technology Innovation (CTTI), the OT Defender Fellowship hopes to expand the knowledge of primary US front-line critical infrastructure defenders.

Ransomware Gang is Raking in Tens of Millions of Dollars

A ransomware organization has raked in tens of millions of dollars, according to a new report. The organization, identified as group “One,” walked away with 2,200 Bitcoin, according to a report by Advanced Intelligence. That’s more than $33 million based on the current Bitcoin exchange rate.

CISA Braces for 5G with New Strategy, Initiatives

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released its 5G Strategy, ensuring the federal government and its many states, local, tribal, territorial, and private sector partners are secure as when the 5G technology arrives. The agency’s document hoped to expand on how the US government would secure 5G infrastructure both in the country and abroad.

Hacker-for-Hire Group Targeting South Asian Organizations

There’s a new cyber mercenary group on the block, and they’re going after targets in more than a dozen countries globally, according to a BlackBerry research report. The hack-for-hire shop, which BlackBerry is calling “CostaRicto,” has largely gone after targets in South Asia, especially in India, Bangladesh and Singapore. Some of its targeting was also located in Africa, the Americas, Australia and Europe.

Defense in Depth, Layered Security in the Cloud

In this blog, Trend Micro’s vice president of cybersecurity, Greg Young, discusses the evolution of network security into how it manifests itself today, how network security has looked up until now, how the future of network security looks and why security teams need layered protection in the cloud.

Surprised by Microsoft’s decision to remove the description section from Patch Tuesday bulletins?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs appeared first on .

This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang ‘Acquires’ KPOT Malware

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about eight new malware samples that were developed and deployed by Russian hackers in recent attacks. Also, read about how the operators of the REvil ransomware strain have “acquired” the source code of the KPOT trojan in an auction held on a hacker forum last month.

Read on:

Beware a New Google Drive Scam Landing in Inboxes

Scammers just found a new phishing lure to play with: Google Drive. A flaw in Drive is being exploited to send out seemingly legitimate emails and push notifications from Google that, if opened, could land people on malicious websites. The smartest part of the scam is that the emails and notifications it generates come directly from Google.

What Are the Best Options for Cybersecurity Protection for Small Businesses?

For Workplace IT, providing the best cybersecurity protection for their company’s hundreds of small business clients is critical. Workplace IT relies exclusively on Trend Micro to ensure that its customers have the best cybersecurity protection available. Partnering with one security vendor makes it easy for the company to focus on other issues, knowing that security is handled comprehensively and consistently.

REvil Ransomware Gang ‘Acquires’ KPOT Malware

The operators of the REvil ransomware strain have “acquired” the source code of the KPOT trojan in an auction held on a hacker forum last month. The sale took place after the KPOT malware author decided to auction off the code, desiring to move off to other projects, and was organized as a public auction on a private underground hacking forum for Russian-speaking cyber-criminals.

Encouraging the Next Generation of Cybersecurity Stars to Join the Industry

At its core, Trend Micro has a passion for education and a desire to grow the cybersecurity industry with talented, dedicated professionals. The two are closely linked: If we can introduce cyber skills into schools at an earlier age, then more young people will be encouraged to start a career in cybersecurity. That’s why Trend Micro is running a new virtual event for university students in November, during NIST NICE Cybersecurity Career Awareness Week.

Cybersecurity Threats to Corporate America are Present Now ‘More Than Ever,’ SEC Chair Says

Securities and Exchange Commission (SEC) Chairman Jay Clayton is telling corporate America it needs to be more vigilant on security. In an interview with CNBC, Clayton stressed that significant cybersecurity threats remain, despite the ongoing coronavirus pandemic and election season. In October alone, the Cybersecurity and Infrastructure Security Agency (CISA) put out 30 cyber alerts across various industries and business sizes, as well as consumers.

US Cyber Command Exposes New Russian Malware

US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks. Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).

SaltStack Discloses Critical Vulnerabilities, Urges Patching

SaltStack disclosed three new vulnerabilities, two of which are assessed to be critical, and is urging users to patch immediately. In an advisory, the organization announced it released a security update to address the vulnerabilities. While two vulnerabilities were discovered and submitted by “KPC” of Trend Micro’s Zero Day Initiative (ZDI), the advisory does not say how CVE-2020-25592 was found. Dustin Childs, ZDI communications manager, said they reported it to SaltStack privately in late August.

New Data Shows Just How Badly Home Users Overestimate IoT Security

A new survey from the National Cyber Security Alliance (NCSA) shows adult workers vastly overestimate the security of the internet devices in their homes. The survey polled 1,000 adults – 500 aged 18-34 and 500 aged 50-75 – and found that the overwhelming majority of both believed the internet of things (IoT) devices they owned were secure.

Over 23,000 Hacked Databases Shared Over Telegram and Discord

It was reported that over 50GB of data from 23,000 hacked databases have been shared by hackers across Telegram channels and two hacking forums. A total of 23,618 databases were able to be downloaded through the Mega file hosting service, amounting to a dataset of around 13 billion personal files. The link was later taken down following abuse reports but there are fears that the data has entered the public domain.

Deloitte’s ‘Test Your Hacker IQ’ Site Fails Itself After Exposing Database Username, Password in Config File

A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking. The site, found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly accessible. And within the file, in cleartext, is the username and password for the site’s mySQL database.

Toymaker Mattel Hit by Ransomware Attack

Top toymaker Mattel revealed it was a victim of a ransomware attack that successfully encrypted some data and temporarily crippled a limited number of business functions. The disclosure was part of a U.S. Securities Exchange Commission (SEC) disclosure filed in late October. Mattel reported the attack occurred on July 28, 2020 and that, for the most part, it was mitigated quickly and had a minimal impact on the company.

Spike in Emotet Activity Could Mean Big Payday for Ransomware Gangs

There’s been a massive increase in Emotet attacks and cyber criminals are taking advantage of machines compromised by the malware to launch more malware infections as well as ransomware campaigns. The October 2020 HP-Bromium Threat Insights Report reports a 1,200% increase in Emotet detections from July to September compared to the previous three months.

How do you secure your IoT devices at home?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang ‘Acquires’ KPOT Malware appeared first on .

This Week in Security News: Trend Micro Researcher Uncover Two Espionage Backdoors Associated with Operation Earth Kitsune and Trickbot and Ransomware Attackers Plan Big Hit on U.S. Hospitals

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro researchers uncovered two new espionage backdoors associated with the ‘Operation Earth Kitsune’ campaign. Also, read about how U.S. healthcare providers have been put on high alert over Trickbot malware and ransomware targeting the sector.

Read on:

Operation Earth Kitsune: A Dance of Two New Backdoors

Trend Micro recently published a research paper on Operation Earth Kitsune, a watering hole campaign aiming to steal information by compromising websites. Besides its heavy use of SLUB malware, Trend Micro researchers also uncovered two new espionage backdoors associated with the campaign: agfSpy and dneSpy, dubbed as such following the attackers’ three-letter naming scheme.

FBI Warning: Trickbot and Ransomware Attackers Plan Big Hit on U.S. Hospitals

U.S. healthcare providers, already under pressure from the COVID-19 pandemic, are on high alert over Trickbot malware and ransomware targeting the sector. Trickbot is one of the largest botnets in the world, against which Microsoft took U.S. legal action earlier this month in effort to gain control of its servers. Within a day of the seizure, Trickbot C&C servers and domains were replaced with new infrastructure.

Trend Micro HouseCall for Home Networks

While a home network provides numerous benefits, it can also expose its users to safety and privacy risks. Checking for those risks doesn’t need to be costly: Trend Micro’s Housecall for Home Networks (HCHN) solution scans the connected devices in home networks and detects those that pose security risks and is available for free.

Bug-Bounty Awards Spike 26% in 2020

According to a list of top 10 vulnerabilities by HackerOne, cross-site scripting (XSS) remained the most impactful vulnerability and reaped the highest rewards for ethical hackers in 2020 for the second year in a row, earning hackers $4.2 million in total bug-bounty awards in the last year, a 26-percent increase from what was paid out in 2019 for finding XSS flaws. Following XSS on the list: Improper access control, information disclosure, server-side request forgery (SSRF) and more.

Supply Chain Attacks in the Age of Cloud Computing: Risks, Mitigations, and the Importance of Securing Back Ends

Security is an aspect that every enterprise needs to consider as they use and migrate to cloud-based technologies. On top of the list of resources that enterprises need to secure are networks, endpoints, and applications. However, another critical asset that enterprises should give careful security consideration to is their back-end infrastructure which, if compromised, could lead to supply chain attacks.

U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’

An alert released this week by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Cyber Command Cyber National Mission Force (CNMF) provides information on Kimsuky, a threat actor focused on gathering intelligence on “foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions” on behalf of the North Korean government. The advisory says the adversary has been active since 2012, engaging in social engineering, spear-phishing, and watering hole attacks.

76% of Applications Have at Least One Security Flaw

Most applications contain at least one security flaw and fixing those flaws typically takes months, a new Veracode report reveals. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half the security flaws they find. The report also uncovered some best practices to significantly improve these fix rates.

Apps Infected with Adware Found on Google Play Store

Some 21 malicious Android apps containing intrusive adware were discovered on the Google Play Store, but most have now been removed, according to a report from Avast. These fraudulent mobile applications, disguised as Android gaming apps, had been downloaded more than 8 million times since they were made available in the store.

Patients in Finland Blackmailed After Therapy Records Were Stolen by Hackers

The confidential records of thousands of psychotherapy patients in Finland have been hacked and some are now facing the threat of blackmail. Attackers were able to steal records related to therapy sessions, as well as patients’ personal information including social security numbers and addresses, according to Vastaamo, the country’s largest private psychotherapy center.

Surprised by the Vastaamo hack and subsequent blackmail of patients?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Researcher Uncover Two Espionage Backdoors Associated with Operation Earth Kitsune and Trickbot and Ransomware Attackers Plan Big Hit on U.S. Hospitals appeared first on .

This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a watering hole campaign Trend Micro dubbed ‘Operation Earth Kitsune’ that is spying on users’ systems through compromised websites. Also, read about how APT groups are threatening DDoS attacks against victims if they don’t send them bitcoin.

Read on:

Fancy Bear Imposters Are on a Hacking Extortion Spree

Radware recently published extortion notes that were sent to a variety of companies globally. The senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The notes threaten that if the target doesn’t send bitcoin, powerful distributed denial of service (DDoS) attacks will be launched against the victim. Robert McArdle, Trend Micro’s director of our Forward-Looking Threat Research (FTR) team, comments on DDoS as an extortion method.

A Ride on Taiwan’s Self-Driving Bus

The self-driving bus is now being tested on the streets of downtown Taipei and more autonomous buses are being deployed in other places, including Germany, Japan and Canada. Since connected cars are still a relatively new technology, the dangers of these vehicles are unknown and mostly speculated. In this article, Trend Micro discusses potential security implications of these connected vehicles.

 U.S. Charges Russian Intelligence Officers in Major Cyberattacks

This week, the Justice Department unsealed charges accusing six Russian military intelligence officers of an aggressive worldwide hacking campaign that caused mass disruption and cost billions of dollars by attacking targets like a French presidential election, the electricity grid in Ukraine and the opening ceremony of the 2018 Winter Olympics.

 Operation Earth Kitsune: Tracking SLUB’s Current Operations

A watering hole campaign that Trend Micro has dubbed as Operation Earth Kitsune is spying on users’ systems through compromised websites. Using SLUB and two new malware variants, the attacks exploit vulnerabilities including those of Google Chrome and Internet Explorer.

Cybersecurity Company Finds Hacker Selling Info on 186 Million U.S. Voters

Trustwave says it found a hacker selling personally identifying information of more than 200 million Americans, including the voter registration data of 186 million. The revelation underscored how vulnerable Americans are to email targeting by criminals and foreign adversaries, even as U.S. officials announced that Iran and Russia had obtained voter registration data and email addresses with an eye toward interfering in the 2020 election.

Future Imperfect

In 2012, Trend Micro, the International Cyber Security Protection Alliance (ICSPA) and Europol’s European Cyber Crime Centre (EC3) collaborated on a white paper that imagined the technological advances of the coming 8 years, the societal and behavioral changes they may bring and the opportunities for malfeasance they could present. As we enter the 2020s, we now have the opportunity to objectively review the project against a number of success factors.

WordPress Deploys Forced Security Update for Dangerous Bug in Popular Plugin

WordPress sites running Loginizer, one of today’s most popular WordPress plugins with an install base of over one million sites, were forcibly updated this week to Loginizer version 1.6.4. This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.

Just Leave That Docker API on the Front Porch, No One Will Steal It

Recently, a new type of Linux malware named “DOKI” has been discovered exploiting publicly accessible Docker API’s hosted in all major cloud providers. The manner in which threat actors are gaining access to container environments is a previously discovered technique, but the DOKI malware is something that has not been documented until now.

Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio

Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Two of the issues are out-of-bounds read flaws, (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang, working with Trend Micro Zero Day Initiative, is credited for the discoveries.

US Treasury Department Ban on Ransomware Payments Puts Victims in Tough Position

This month, the US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers. The advisory has the potential to disrupt the ransomware monetization model, but also puts victims, their insurers and incident response providers in a tough situation.

What are your thoughts on the sanctions imposed by the government against cybercriminal groups or state-sponsored hackers?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree appeared first on .

This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals are passing the time during the COVID-19 pandemic with online poker games, where the prizes include stolen data. Also, read about how VirusTotal now supports Trend Micro ELF Hash (aka telfhash).

 

Read on:

Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles

Cybercriminals have put their own spin on passing time during the COVID-19 lockdown with online rap battles, poker tournaments, poem contests, and in-person sport tournaments. The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.

Becoming an Advocate for Gender Diversity: Five Steps that Could Shape Your Journey

Sanjay Mehta, senior vice president at Trend Micro, was recently named a new board member at Girls In Tech—a noted non-profit and Trend Micro partner working tirelessly to enhance the engagement, education, and empowerment of women in technology. In this blog, Sanjay shares five steps that you can use to become an ally for diversity in the workplace.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

In this month’s Patch Tuesday update, Microsoft pushed out fixes for 87 security vulnerabilities – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

VirusTotal Now Supports Trend Micro ELF Hash

To help IoT and Linux malware researchers investigate attacks containing Executable and Linkable Format (ELF) files, Trend Micro created telfhash, an open-source clustering algorithm that helps cluster Linux IoT malware samples. VirusTotal has always been a valuable tool for threat research and now, with telfhash, users of the VirusTotal Intelligence platform can pivot from one ELF file to others.

New Emotet Attacks Use Fake Windows Update Lures

File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button. According to the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.

Metasploit Shellcodes Attack Exposed Docker APIs

Trend Micro recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs. The attack involves the deployment of Metasploit’s shellcode as a payload, and researchers said this is the first attack they’ve seen using MSF against Docker. It also uses a small, vulnerability-free base image in order for the attack to proceed in a fast and stealthy manner.

Barnes & Noble Warns Customers It Has Been Hacked, Customer Data May Have Been Accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

Trend Micro researchers found ContentProvider path traversal vulnerabilities in three apps on the Google Play store, one of which had more than 5 million installs. The three applications include a keyboard customization app, a shopping app from a popular department store, and the app for the European Society of Cardiology (ESC). Fortunately, the keyboard and department store apps have both been patched by developers. However, as of writing this blog, the ESC app is still active.

Carnival Corp. Ransomware Attack Affects Three Cruise Lines

Hackers accessed personal information of guests, employees and crew of three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival said they’re still investigating in an update on the situation this week.

Docker Content Trust: What It Is and How It Secures Container Images

Docker Content Trust allows users to deploy images to a cluster or swarm confidently and verify that they are the images you expect them to be. In this blog from Trend Micro, learn how Docker Content Trust works, how to enable it, steps that can be taken to automate trust validation in the continuous integration and continuous deployment (CI/CD) pipeline and limitations of the system.

Twitter Hackers Posed as IT Workers to Trick Employees, NY Probe Finds

A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say. The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said.

What is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them

A distributed denial-of-service (DDoS) attack sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. DDoS attacks are one of the crudest forms of cyberattacks, but they’re also one of the most powerful and can be difficult to stop.

Cyberattack on London Council Still Having ‘Significant Impact’

Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services. Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.

 

Surprised by the new Emotet attack?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash appeared first on .

This Week in Security News: A Look Inside the Bulletproof Hosting Business and Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals secure their assets and survive in the business in a new Trend Micro report. Also, read about a how cybercriminals are tapping into Amazon’s Prime Day with phishing and malicious websites that are fraudulently using the Amazon brand.

Read on:

French Companies Under Attack from Clever BEC Scam

Trend Micro researchers observed a new modus operandi involving a clever BEC campaign that uses social engineering to target French companies. Malicious actors impersonated a French company in the metal fabrication industry that provides services to several organizations. They then registered a domain very similar to the legitimate one used by the business and used it to send emails to their targets. 

Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

Cybercriminals are tapping into Amazon’s annual Prime Day with researchers warning of a recent spike in phishing and malicious websites that are fraudulently using the Amazon brand. There has been a spike in the number of new monthly phishing and fraudulent sites created using the Amazon brand since August, the most significant since the COVID-19 pandemic forced people indoors in March.

CSO Insights: DataBank’s Mark Houpt on Looking Beyond Securing Infrastructures in the New Normal

The big move to working remotely wasn’t completely difficult for Mark Houpt, CISO at DataBank. After all, he has been doing so since before COVID-19. However, when the pandemic hit, DataBank, like many other companies across the globe, had to help most of their employees transition securely and smoothly to virtual work. Read up on the several important security considerations this experience highlighted.

240+ Android Apps Caught Showing Out-of-Context Ads

This summer, Google removed more than 240 Android applications from the Play Store for showing out-of-context ads and breaking a newly introduced Google policy against this type of intrusive advertising. Out-of-context ads are mobile ads that are shown outside an app’s normal container and appear as pop-ups or as full-screen ads.

Safe and Smart Connections: Securing IoT Networks for Remote Setups

As a result of our work-from-home (WFH) arrangements, there is an increased demand on networks as remote operations have created greater dependence on the IoT. Subsequently, now is a good time to re-examine the security of your network. Rather than only focusing on securing individual devices that can compromise a network, users should also secure the network to minimize threats across several devices.

Inside the Bulletproof Hosting Business

The use of underground infrastructure is inherent to the modus operandi of a cybercriminal. In Trend Micro’s Underground Hosting series, it differentiates how cybercrime goods are sold in marketplaces and what kinds of services are offered. In this final part of the Underground Hosting report series, Trend Micro explores the methods criminals employ to secure their assets and survive in the business.

Comcast Voice Remote Control Could be Turned into Spying Tool

The Comcast XR11 voice remote controller was recently found to be vulnerable and could be turned into a spying tool that eavesdrops on users. Discovered by researchers at Guardicore, the attack has been named WarezTheRemote and is said to be a very serious threat, considering that the remote is used for over 18 million devices across the U.S.

Transforming IoT Monitoring Data into Threat Defense

In the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared to the second half of 2019, which included attacks on IoT systems. To protect customers effectively by continuously monitoring trends in IoT attacks, Trend Micro examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types, and shares the figures relating to these botnets’ command and control (C&C) servers, IP addresses, and C&C commands.

Russia’s Fancy Bear Hackers Likely Penetrated a Federal Agency

Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest that it was Fancy Bear, a team of hackers working for Russia’s GRU also known as APT28.

Threat Research & XDR Combine to Stop Cybercrime

Like legitimate businesses across the globe seeking to improve their information security and protect their network infrastructure, cybercriminal businesses take similar precautions. Trend Micro Research released the final report in a series focused on this part of cybercriminal business: Underground hosting providers. Based on the report, it’s clear that understanding both the criminal business and the attacks themselves better prepares defenders and investigators to identify and eliminate threats.

Researchers Find Vulnerabilities in Microsoft Azure Cloud Service

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important. According to research by Paul Litvak of Intezer Labs, two security flaws in Microsoft’s Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.

Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National Cybersecurity Awareness Month, where users and organizations are encouraged to increase awareness of cybersecurity issues. To help raise awareness, Trend Micro’s Consumer Division breaks down of the security issues you should be aware of and shares tips about how you can protect yourself and your family while working, learning, or gaming at home.

The Basics of Keeping Kubernetes Cluster Secure: Worker Nodes and Related Components

In part one of this blog series, Trend Micro talked about the different ways developers can protect control plane components, including Kube API server configurations, RBAC authorization, and limitations in the communication between pods through network policies. In this second part, Trend Micro focuses on best practices that developers can implement to protect worker nodes and their components.

Are you surprised that Comcast voice activated remote controllers could be turned into a spying tool?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: A Look Inside the Bulletproof Hosting Business and Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks appeared first on .

This Week in Security News: Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how an adware family known primarily for distributing browser hijackers, Linkury, has been caught distributing malware. Also, read about a newly uncovered strain of the Glupteba trojan.

 

Read on:

Cross-Platform Modular Glupteba Malware Uses ManageX

Trend Micro recently encountered a variant of the Glupteba trojan and reported its attacks on MikroTik routers and updates on its command and control (C&C) servers. The use of ManageX, a type of modular adware that Trend Micro has recently analyzed, is notable in this newly uncovered strain as it aims to emphasize the modularity and the cross-platform features of Glupteba as seen through its code analysis.

Phishing Attack Targets Microsoft 365 Users with Netflix & Amazon Lures

Security researchers have been tracking a phishing campaign that abuses Microsoft Office 365 third-party application access to obtain specific resources from victims’ accounts. The attacker, dubbed TA2552, mostly uses Spanish-language lures and a narrow range of themes and brands. These attacks have targeted organizations with a global presence but seem to choose victims who likely speak Spanish, according to a report from Proofpoint researchers.

New Report Suggests the Bug Bounty Business is Recession-Proof

A new report from HackerOne presents data suggesting that the bug bounty business might be recession-proof, citing increases in hacker registrations, monthly vulnerability disclosures and payouts during a pandemic-induced economic downturn. Brian Gorenc, senior director of vulnerability research and director of Trend Micro’s Zero Day Initiative program, shared that he’s seen bug bounty activity increase with ZDI publishing 1,045 vulnerability advisories in all of 2019 and 1,235 already in 2020.

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more time online since the pandemic hit, and as a result we’re sharing more personal and financial information online with each other and with organizations. Unfortunately, as ever, there are bad guys around every digital corner looking for this. Personally identifiable information (PII) is the currency of internet crime, and cyber-criminals will do whatever they can to get it.

Linkury Adware Caught Distributing Full-Blown Malware

An adware family known primarily for distributing browser hijackers has been caught distributing malware, security researchers said at the Virus Bulletin 2020 security conference. Its main method of distribution is the SafeFinder widget, a browser extension ironically advertised as a way to perform safe searches on the internet. K7 researchers say that in recent cases they analyzed, the SafeFinder widget has now also begun installing legitimate malware, such as the Socelars and Kpot infostealer trojans.

Chinese APT Group Targets Media, Finance, and Electronics Sectors

Cybersecurity researchers have uncovered a new espionage campaign targeting media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S. and China. Linking the attacks to Palmerworm (aka BlackTech), likely a China-based advanced persistent threat (APT), the first wave of activity associated with this campaign began last year in August 2019.

InterPlanetary Storm Botnet Infects 13K Mac, Android Devices

A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware). Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow.

More Americans Share Social Security, Financial and Medical Information than Before the Pandemic

A new survey has shown that consumer willingness to share more sensitive data – social security numbers, financial information and medical information – is greater in 2020 than in both 2018 and 2019. According to the NYC-based scientific research foundation ARF’s (Advertising Research Foundation) third annual privacy study, contact tracing is considered a key weapon in the fight against COVID-19.

Do you feel like you are more willing to share sensitive information online since the pandemic began? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX appeared first on .

This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps

By Jon Clay (Global Threat Communications)

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

 

 

Read on:

 

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how solutions from 32 Amazon Web Services partners – including Trend Micro – are now available for AWS customers to use with their deployments of AWS Outposts. Also, read about a data breach at U.S. office-supply retailer Staples.

 

Read on:

Boosting Impact for Profit: Evolving Ransomware Techniques for Targeted Attacks

As described in Trend Micro’s 2020 Midyear Roundup, the numbers pertaining to ransomware no longer tell the full story. While the number of infections, company disclosures, and ransomware families has gone down, the estimated amount of money exchanged for the retrieval of encrypted data has steadily gone up. By going after institutions and companies with the urgent need to retrieve their data and get their systems running again, cybercriminals are able to demand exorbitant amounts of ransom.

AWS Outposts Ready Launches with 32 Validated Partners

Solutions from 32 Amazon Web Services partners, including Trend Micro, are available now for AWS customers to use with their deployments of AWS Outposts, the on-premises version of the industry’s leading public cloud.

Analysis of a Convoluted Attack Chain Involving Ngrok

The Trend Micro Managed XDR team recently handled an incident involving one of Trend Micro’s customers. The incident revealed how a malicious actor incorporated certain techniques into an attack, making it more difficult for blue teams and security researchers alike to analyze the chain of events in a clean and easily understandable manner. In this blog, Trend Micro further analyzes the attack.

39% of Employees Access Corporate Data on Personal Devices

A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro. Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.

A Blind Spot in ICS Security: The Protocol Gateway Part 2: Vulnerability Allowing Stealth Attacks on Industrial Control Systems

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways and shares the security countermeasures that security administrators in smart factories must take. In the second part of this series, Trend Micro presents an overview of the verification methods, results of this research, and describes “flaws in the protocol conversion function,” one of the security risks revealed through Trend Micro’s experiments.

Staples Hit by Data Breach: What to Do Now

U.S. office-supply retailer Staples says its recent data breach affected fewer than 2,500 customers. Australian security researcher Troy Hunt, who runs the HaveIBeenPwned website, used his Twitter account to post a copy of an email message sent to an unknown number of Staples online customers.

“Zerologon” and the Value of Virtual Patching

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472, also known as Zerologon. This CVE can allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

Billions of Devices Vulnerable to New ‘BLESA’ Bluetooth Security Flaw

Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed this summer. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible.

California Elementary Kids Kicked Off Online Learning by Ransomware

As students head back to the classroom, the wave of ransomware attacks against schools is continuing. The latest is a strike against a California school district that closed down remote learning for 6,000 elementary school students, according to city officials. The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools.

Mobile Messengers Expose Billions of Users to Privacy Attacks

When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. A new research study shows that currently deployed contact discovery services severely threaten the privacy of billions of users.

Should employees be able to access company data via their personal devices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach appeared first on .

This Week in Security News: First Half of 2020 Led to Nearly 800 Disclosed Vulnerabilities and Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s midyear roundup report which found that published vulnerabilities in the first half of 2020 grew to 786, compared to 583 during the same time period last year. Also, read about vulnerabilities in Cisco’s Jabber app that could allow an attacker to execute arbitrary code.

 

Read on:

1H 2020 Cyber Security Defined by Covid-19 Pandemic

When thinking about 2020 security predictions, no one thought that there was a global pandemic brewing that would give cybercriminals an almost daily news cycle to take advantage of in their attacks against people and organizations around the world. While Covid-19 dominated the threat landscape in the first half of 2020, it wasn’t the only threat that defined it. Learn more about the 2020 threat landscape in Trend Micro’s recent blog.

Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities—which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. The flaws, which were uncovered by cybersecurity firm Watchcom during a pentest, affect all currently supported versions of the Jabber client (12.1-12.9) and has since been fixed by the company.

The Life Cycle of a Compromised (Cloud) Server

Trend Micro Research has developed a go-to resource for all things related to cybercriminal underground hosting and infrastructure. This week, Trend Micro released the second report in a three-part series which details the what, how, and why of cybercriminal hosting. Trend Micro dives into the common life cycle of a compromised server from initial compromise to the different stages of monetization preferred by criminals.

Instagram ‘Help Center’ Phishing Scam Pilfers Credentials

Turkish-speaking cybercriminals are sending Instagram users seemingly legitimate messages from the social media company, with the aim of stealing their Instagram and email credentials. Trend Micro researchers said that the campaign has been targeting hundreds of celebrities, startup business owners, and other entities with sizeable followings on Instagram.

What is a VPN and How Does it Increase Your Online Security and Privacy?

The number of VPN users has grown considerably over the past few years. According to a report from Go-Globe, 25% of netizens worldwide have used a VPN at least once in the last 30 days. Recently, VPN usage has surged in many countries and its popularity may see VPN usage surpass the estimated profit of USD$27.10 billion by the end of 2020. In this blog, Trend Micro takes a deeper look at all of the benefits a VPN can provide.

First Half of 2020 Led to Nearly 800 Disclosed Vulnerabilities: Report

Published vulnerabilities in January through June of 2020 grew to 786, compared to 583 during the same time period last year, according to Trend Micro’s midyear cybersecurity report. Bad actors most often targeted enterprise software, including Apache Struts and Drupal frameworks, between 2017 and the first half of this year. In this article, Trend Micro’s director of global threat communications, Jon Clay, shares his thoughts on the first half of 2020.

A Blind Spot in ICS Security: The Protocol Gateway Part 1: Importance of the Protocol Gateway

Trend Micro released a white paper summarizing potential protocol gateway security risks in early August. This blog series follows up on that paper, analyzing the impacts of the serious vulnerabilities detected in the protocol gateways essential when shifting to smart factories and outlining the security countermeasures that security administrators in factories must take. In the first blog of this series, part one describes the importance of the protocol gateway in ICS environments.

Evilnum Group Targets FinTech Firms with New Python-Based RAT

Evilnum, a group known for targeting financial technology companies, has added new malware and infection tricks to its arsenal, researchers warn. The group is suspected of offering APT-style hacker-for-hire services to other entities, a growing and worrying trend that’s changing the threat landscape.

Are Employees the Weakest Link in Your Security Strategy?

Email is the number one threat vector. Data from Trend Micro Smart Protection Network shows that for the first five months of 2020, 92% of all the cyberthreats leveraging Covid-19 were spam or phishing email messages. Email scams can have a big impact, both on the organization and the individual. This was highlighted in a recent report from BBC News where a finance professional from Glasgow, Scotland was targeted by a business email compromise (BEC) scam.

55% of Cybersquatted Domains are Malicious or Potentially Fraudulent

In a single month, cyber-squatters registered almost 14,000 domain names, more than half of which went on to host malicious or likely fraudulent content, Palo Alto Networks states in a report released this week. The company, which collected information on newly registered domains in December 2019, found 13,857 domains classified by its software as cybersquatting based on lexical analysis.

What are your thoughts on Evilnum’s APT-style hacker-for-hire services? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: First Half of 2020 Led to Nearly 800 Disclosed Vulnerabilities and Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely appeared first on .

This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about this month’s Patch Tuesday update from Microsoft. Also, learn about Trend Micro’s Worry-Free XDR: a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses.

Read on:

Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot

Malicious actors continue to target environments running Docker containers. Trend Micro recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat actors created a malicious Alpine Linux container to also host a malicious cryptocurrency miner and a DDoS bot.

Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday

Microsoft released patches for 129 CVEs (common vulnerabilities and exposures) as part of its monthly Patch Tuesday rollout. Dustin Childs from Trend Micro’s Zero Day Initiative shared that this marks seven consecutive months of more than 110 bugs fixed and brings the yearly total close to 1,000.

Purple Fox EK Relies on Cloudflare for Stability

A year ago, Trend Micro talked about Purple Fox malware being delivered by the Rig exploit kit. Malwarebytes later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit. Trend Micro recently found a spike in the Purple Fox exploit kit with improved delivering tactics in our telemetry. Some of the improvements include use of full HTTPS infrastructure based on Cloudflare as frontend, fully encrypted landing page, and disguised redirection.

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed “Raccoon Attack,” the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

War of Linux Cryptocurrency Miners: A Battle for Resources

The Linux ecosystem is regarded as more secure and reliable than other operating systems, which possibly explains why Google, NASA, and the US Department of Defense (DoD) utilize it for their online infrastructures and systems. Unfortunately, the adoption of Linux systems is also an attractive target for cybercriminals. In this blog, learn about the ruthless battle for computing power among the different cryptocurrency-mining malware that target Linux systems. 

Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Trend Micro announced Worry-Free XDR is a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses. This unmatched channel offering is available now as a standalone or managed solution tailored for SMBs.

Securing Enterprise Security: How to Manage the New Generation of Access Control Devices

Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. Considering that these access control devices are the first line of defense for employees and assets on enterprise premises, Trend Micro set out to test the security of the devices and to find out whether they are susceptible to cyber as well as physical attacks.

Zeppelin Ransomware Returns with New Trojan on Board

The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months. A wave of attacks were spotted in August by Juniper Threatlab researchers, making use of a new trojan downloader. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.

Published New Ebook: Strategic Investment to Secure Smart Factories

Security is undergoing a digital transformation in the manufacturing industry. As the fusion of the cyber world and the physical world progresses, various security issues are mounting. Manufacturing executives must view security as a management issue, not as a system issue. Trend Micro has published an ebook that focuses on security issues in the convergence of IT and OT.

Ransomware Accounted for 41% of All Cyber Insurance Claims in H1 2020

Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America. The high number of claims comes to confirm previous reports from multiple cybersecurity firms that ransomware is one of today’s most prevalent and destructive threats.

What do you think about the Zeppelin ransomware attacks and the rise in ransomware overall? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response appeared first on .

This Week in Security News: First Half of 2020 Led to Nearly 800 Disclosed Vulnerabilities and Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s midyear roundup report which found that published vulnerabilities in the first half of 2020 grew to 786, compared to 583 during the same time period last year. Also, read about vulnerabilities in Cisco’s Jabber app that could allow an attacker to execute arbitrary code.

Read on:

1H 2020 Cyber Security Defined by Covid-19 Pandemic

When thinking about 2020 security predictions, no one thought that there was a global pandemic brewing that would give cybercriminals an almost daily news cycle to take advantage of in their attacks against people and organizations around the world. While Covid-19 dominated the threat landscape in the first half of 2020, it wasn’t the only threat that defined it. Learn more about the 2020 threat landscape in Trend Micro’s recent blog.

Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities—which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. The flaws, which were uncovered by cybersecurity firm Watchcom during a pentest, affect all currently supported versions of the Jabber client (12.1-12.9) and has since been fixed by the company.

The Life Cycle of a Compromised (Cloud) Server

Trend Micro Research has developed a go-to resource for all things related to cybercriminal underground hosting and infrastructure. This week, Trend Micro released the second report in a three-part series which details the what, how, and why of cybercriminal hosting. Trend Micro dives into the common life cycle of a compromised server from initial compromise to the different stages of monetization preferred by criminals.

Instagram ‘Help Center’ Phishing Scam Pilfers Credentials

Turkish-speaking cybercriminals are sending Instagram users seemingly legitimate messages from the social media company, with the aim of stealing their Instagram and email credentials. Trend Micro researchers said that the campaign has been targeting hundreds of celebrities, startup business owners, and other entities with sizeable followings on Instagram.

What is a VPN and How Does it Increase Your Online Security and Privacy?

The number of VPN users has grown considerably over the past few years. According to a report from Go-Globe, 25% of netizens worldwide have used a VPN at least once in the last 30 days. Recently, VPN usage has surged in many countries and its popularity may see VPN usage surpass the estimated profit of USD$27.10 billion by the end of 2020. In this blog, Trend Micro takes a deeper look at all of the benefits a VPN can provide.

First Half of 2020 Led to Nearly 800 Disclosed Vulnerabilities: Report

Published vulnerabilities in January through June of 2020 grew to 786, compared to 583 during the same time period last year, according to Trend Micro’s midyear cybersecurity report. Bad actors most often targeted enterprise software, including Apache Struts and Drupal frameworks, between 2017 and the first half of this year. In this article, Trend Micro’s director of global threat communications, Jon Clay, shares his thoughts on the first half of 2020.

A Blind Spot in ICS Security: The Protocol Gateway Part 1: Importance of the Protocol Gateway

Trend Micro released a white paper summarizing potential protocol gateway security risks in early August. This blog series follows up on that paper, analyzing the impacts of the serious vulnerabilities detected in the protocol gateways essential when shifting to smart factories and outlining the security countermeasures that security administrators in factories must take. In the first blog of this series, part one describes the importance of the protocol gateway in ICS environments.

Evilnum Group Targets FinTech Firms with New Python-Based RAT

Evilnum, a group known for targeting financial technology companies, has added new malware and infection tricks to its arsenal, researchers warn. The group is suspected of offering APT-style hacker-for-hire services to other entities, a growing and worrying trend that’s changing the threat landscape.

Are Employees the Weakest Link in Your Security Strategy?

Email is the number one threat vector. Data from Trend Micro Smart Protection Network shows that for the first five months of 2020, 92% of all the cyberthreats leveraging Covid-19 were spam or phishing email messages. Email scams can have a big impact, both on the organization and the individual. This was highlighted in a recent report from BBC News where a finance professional from Glasgow, Scotland was targeted by a business email compromise (BEC) scam.

55% of Cybersquatted Domains are Malicious or Potentially Fraudulent

In a single month, cyber-squatters registered almost 14,000 domain names, more than half of which went on to host malicious or likely fraudulent content, Palo Alto Networks states in a report released this week. The company, which collected information on newly registered domains in December 2019, found 13,857 domains classified by its software as cybersquatting based on lexical analysis.

What are your thoughts on Evilnum’s APT-style hacker-for-hire services? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: First Half of 2020 Led to Nearly 800 Disclosed Vulnerabilities and Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely appeared first on .

This Week in Security News: Trend Micro and Snyk Partner to Fight Open Source Security Flaws and Ransomware Has Gone Corporate

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro and Snyk’s new co-developed solution to help manage the risk of open source vulnerabilities. Also, read about a new ransomware strain that emulates the practices of a legitimate enterprise.

Read on:

Trend Micro, Snyk Fight Open Source Security Flaws

This week, Trend Micro announced plans for a new, co-developed solution with Snyk, which expands on the company’s ongoing strategic partnership to enhance DevOps security. The joint solution will help security teams manage the risk of open source vulnerabilities from the moment open source code is introduced without interrupting the software delivery process. Trend Micro’s COO Kevin Simzer shares more details on the solution in this article.

Securing the Pandemic-Disrupted Workplace: Trend Micro 2020 Midyear Cybersecurity Report

Trend Micro’s 2020 Midyear Security Roundup examines pressing security issues during the first half of this year, including Covid-19-related threats and targeted ransomware attacks, and offers recommendations to help enterprises secure their systems from cybercriminals in the new normal terrain.

Ransomware Has Gone Corporate—and Gotten More Cruel

DarkSide is the latest strain of ransomware built to shake down big-game targets for millions—with attacks that seem legitimate by including guaranteed turnaround times, real-time chat support and brand awareness. As ransomware becomes big business, its purveyors have embraced the tropes of legitimate enterprises, down to corporate responsibility pledges. Ed Cabrera, chief cybersecurity officer at Trend Micro, comments on the serious risks of ransomware in this article.

Probing Attempts on Home Routers Increase in 1H 2020

The current reality of having many connected devices in the home has given rise to incidents of potential home network intrusions. In the first half of 2020, Trend Micro detected more than 10.6 billion suspicious connection attempts on routers’ unavailable TCP ports. TCP port 23, in particular, had the most detections of suspicious connection attempts, with more than 5.3 billion.

Hackers Exploit Autodesk Flaw in Recent Cyberespionage Attack

Threat actors exploited a vulnerability in the popular 3D computer graphics Autodesk software to launch a recent cyber-espionage attack against an international architectural and video production company. Researchers said that further analysis of the attack points to a sophisticated, APT-style group that had prior knowledge of the company’s security systems and used software applications, carefully planning their attack to infiltrate the company and exfiltrate data undetected.

CVE-2020-1380: Analysis of Recently Fixed IE Zero-Day

Microsoft recently patched a zero-day vulnerability that targeted Internet Explorer (IE) 11. It’s a use-after-free (UAF) bug in IE’s JavaScript engine, jscript9.dll. Previously, Trend Micro observed that zero-day attacks against IE usually exploit vbscript.dll and jscript.dll to run shellcode. This time, the target changed to jscript9.dll and used the modern JavaScript engine’s Just-In-Time (JIT) engine to trigger the bug, so Trend Micro decided to dive into the jscrtip9.dll JIT engine to figure out the root cause of CVE-2020-1380.

CSO Insights: Ricoh USA’s David Levine on Employing a Cloud- and Cybersecurity-First Strategy

In this blog, David Levine, vice president of corporate and information security and CSO for Ricoh USA, Inc., shares how his organization accommodates mobility by reinforcing a security-first mindset, employing a cloud-first strategy, managing risk, and enabling employees in the ‘new normal’.

Is the Electric Grid Closer to a Devastating Cyberattack that Could Mean Lights Out?

Could the electric grid be taken down with a $50 device secreted in the bottom of a coffee cup as researchers have claimed? Maybe, but the more likely threat comes from bad actors with improved capabilities who’ve ramped up their attacks on critical infrastructure and utilities. Seventy percent of industrial controls system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely, according to a report from Claroty.

The Basics of Keeping Your Kubernetes Cluster Secure: Part 1

With Kubernetes’ popularity and increasingly high adoption rates, its security should always be prioritized. In this blog, Trend Micro provides vital tips and recommendations on keeping the master node, the API server, etcd, RBAC, and network policies secure.

After a Decade, Qbot Trojan Malware Gains New, Dangerous Tricks

The Qbot Trojan has been plaguing computer users and businesses for over a decade and the cybercriminals behind it are still coming up with new tricks that keep it one of the most prevalent and successful malware threats. The latest technique observed by security researchers involves the malware inserting itself into the legitimate email threads of their victims to spread.

Surprised by the DarkSide ransomware’s professionalism? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro and Snyk Partner to Fight Open Source Security Flaws and Ransomware Has Gone Corporate appeared first on .

Are employees the weakest link in your security strategy? Train them!

By Joyce Huang

Email is the number one threat vector. There’s no exception, even with a global pandemic, on the contrary: COVID-19 has been used as an appealing hook by cyber criminals. Data from Trend Micro Smart Protection Network shows that for the first five months of 2020, 92 per cent of all the cyber threats leveraging COVID-19 were spam or phishing email messages.

Email scams can have a big impact, both on the organization and the individual. This was highlighted in a recent report from BBC News where a finance professional from Glasgow, Scotland was targeted by a business email compromise scam. The hackers disguised themselves as the employee’s CEO, and managed to convince her to transfer £200k to their bank account. When the organization realized what happened, they were able to retrieve half of the loss. However, the employee was fired and then pursued in the courts for the remaining sum. Her lawyers argued successfully that she had not received any training to identify these scams and the case was subsequently dismissed. This took a big personal toll on the employee who not only lost her job, but worried about losing her home as well. Her employer suffered financially and their reputation also took a hit. There were no winners in this case, but it really emphasized the importance of security awareness; companies need to arm their employees with the knowledge to protect the business, and ultimately themselves.

A great email security solution can block the majority of threats, but no product can catch 100 per cent of email scams. This means that humans are our last line of defense. Trend Micro Phish Insight service helps you to increase your employees’ awareness of phishing emails and other cyber threats. Best of all, it is completely free, allowing you to increase your cybersecurity while using this budget for other critical initiatives.

Let’s take a look at a customer use case:

A Phish Insight customer in the U.S. launched two phishing simulation campaigns for 1,500 employees in the first half of 2020.  The two campaigns were four months apart and targeted the same employees.
The first campaign was a fake email from CDC with a link that claimed to check new COVID-19 cases. It asked for the user’s log-in information after the link was clicked.

 

 

The second campaign is an email pretending to be from the organization’s IT department. It requested users to verify their account due to an Office 365 inbox storage limitation.

 

 

Both emails are very realistic looking with important and engaging topics that users care about.

So, what do the results look like?

Among the employees getting the emails, the result for the two campaigns shows a positive behavior change in recognizing a phishing email.

  • Percentage of employees that clicked the embedded URL in email reduced significantly (11 per cent vs. 7 per cent)
  • Percentage of employees that reported the phishing email to IT has increased significantly (11 per cent vs. 24 per cent)

However, when introducing a more challenging phishing attack (the 2nd campaign), the percentage of employees who posted their credentials to the phishing site has significantly increased (0.3 per cent vs. 3.4 per cent). While the company’s overall phishing awareness increased (reduced clicks), those who fell victim had a higher chance of giving out their credentials.

The result also shows that back office teams have a higher percentage of phished employees and the importance of on-going training. In addition to continuing phishing awareness training to all employees, the IT department will focus more on back office teams.

Using Phish Insight, the company successfully increased employees’ awareness while being able to target more at risk user groups and identify those that need more help.

Want to train your organization?

To start a phishing simulation for your users, you need $0 budget and only five minutes. With a really simple user experience, you can get up and running with your first simulation today.

Try Phish Insight with no obligation: phishinsight.trendmicro.com

The post Are employees the weakest link in your security strategy? Train them! appeared first on .

This Week in Security News: Trend Micro’s Zero Day Initiative Celebrates 15 Years and 24 Million Customers Affected after Experian Data Breach

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read how the Zero Day Initiative (ZDI) has awarded more than $25 million in bounty rewards to security researchers over the past decade and a half as it celebrates its 15th birthday. Also, learn about a new data breach from Experian affecting 24 million customers in South Africa.

Read on:

Bug Bounty Platform ZDI Awarded $25M to Researchers Over the Past 15 Years

Bug bounty platform pioneer Zero-Day Initiative (ZDI) awarded more than $25 million in bounty rewards to security researchers over the past decade and a half. In an anniversary post celebrating its 15-year-old birthday, ZDI said the bounty rewards represent payments to more than 10,000 security researchers for more than 7,500 successful bug submissions.

24 Million Customers Affected after Experian Data Breach

Leading consumer credit reporting agency Experian is in news again for a data breach. This week, a fraudster contacted the agency posing as a representative of a ‘legitimate client’ and obtained personal details of its South African customers. The company notes that it is an ‘isolated incident in South Africa involving a fraudulent data inquiry.’

Connected Security Solutions Helps City of Tyler’s CIO to Reduce Costs While Enabling Delivery of Enhanced Community & Public Safety Services

Benny Yazdanpanahi, CIO for the City of Tyler, knows that a highly secure IT environment is essential to the city’s continued success. To accomplish their security goals with limited resources and staff, Tyler’s leaders have been collaborating with Trend Micro for several years. Read this blog to learn more about how Trend Micro has strengthened the city’s security posture and empowers the IT team to focus on serving the community.

Over 94% of Cyber Attacks Involve Email: VP of Trend Micro’s Cyber Security

Greg Young, vice president of cybersecurity at Trend Micro, joins BNN Bloomberg to discuss his take on the Canada Revenue Agency (CRA) attack and Trend Micro’s new report on security risks for remote working since the pandemic lockdown. Watch the video to learn more.

The Cybersecurity Blind Spots of Connected Cars

With more people relying on connected car technologies for safety, accessibility, and infotainment—and with connected cars producing up to 30 terabytes of data each day—it’s important to keep connected cars protected against a range of ever-evolving risks and threats. Trend Micro’s recent research paper offers an examination of the cybersecurity blind spots of connected cars to help developers and manufacturers create secure and smart vehicles.

How Unsecure gRPC Implementations Can Compromise APIs, Applications

In this blog, Trend Micro discusses the security pitfalls that developers might face when shifting to gRPC and implementing gRPC in their projects. Because secure gRPC APIs play a pivotal role in overall application security, Trend Micro provides recommendations on how to protect gRPC implementations from threats and mitigate against risks.

Human Error Threatens Cloud Security

Virtually all security professionals believe that human error could put the security of cloud data at risk, according to new research published this week. A survey commissioned by Tripwire and carried out last month by Dimensional Research found that 93% of security professionals were concerned that human error could result in the accidental exposure of their cloud data.

Influential Facebook Brand Pages Stolen via Credential Phishing

Trend Micro has observed an increase in the number of compromised Facebook pages of influential personalities since June. Through an analysis of the surge, we found fake Facebook accounts posting notification messages on pages allegedly hacked with an attached link. The fake accounts also steal the owner or admins’ credentials to sell the page, change the details and name, and/or disguise the page to make another phishing account. 

Malicious Docker Hub Container Images Used for Cryptocurrency Mining

Increased adoption of containers has given rise to a range of potential threats to DevOps pipelines. Many of the attacks Trend Micro observed involved the abuse of container images to carry out malicious functionalities. For Docker-related threats, Trend Micro recently encountered an attack where the threat actor uploaded two malicious images to Docker Hub for cryptocurrency mining.

How Hackers Bled 118 Bitcoins Out of Covid Researchers in U.S.

Hackers locked down several servers used by the epidemiology and biostatistics department at the University of California at San Francisco and wanted a $3 million ransom to give them the keys. Transcripts reveal University of California at San Francisco’s weeklong negotiation to free its ransomware-locked servers. The haggling worked, sort of.

Threat Recap: Darkside, Crysis, Negasteal, Coinminer

In the past few weeks, Trend Micro has spotted notable developments for different types of threats. For ransomware, a new family named Darkside surfaced, while operators behind Crysis/Dharma released a hacking toolkit. For messaging threats, a targeted email campaign was used to propagate Negasteal/Agent Tesla. For fileless threats, a coinminer was seen bundled with legitimate applications.

Diving into End-to-End Deep Learning for Cybersecurity

New methods for detecting threats using AI challenges the need for human input and involves end-to-end deep learning solutions, which are being touted as the next big thing in malware detection. In the pipeline of such solutions, expert handcrafted input is replaced with ones provided by automated processes. The absence of expert handcrafted input gives rise to the question of whether human input is still relevant in the process of developing an efficient AI-powered cybersecurity solution.

Black Hat Trip Report – Trend Micro

At Black Hat USA 2020, Trend Micro presented two important talks on vulnerabilities in Industrial IoT (IIoT). The first discussed weaknesses in proprietary languages used by industrial robots, and the second talked about vulnerabilities in protocol gateways. Any organization using robots, and any organization running a multi-vendor OT environment, should be aware of these attack surfaces. In this blog, find a summary of the key points from each talk.

Have you seen an uptick in hacked Facebook pages recently? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro’s Zero Day Initiative Celebrates 15 Years and 24 Million Customers Affected after Experian Data Breach appeared first on .

This Week in Security News: Microsoft Patches 120 Vulnerabilities, Including Two Zero-Days and Trend Micro Brings DevOps Agility and Automation to Security Operations Through Integration with AWS Solutions

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about one of Microsoft’s largest Patch Tuesday updates ever, including fixes for 120 vulnerabilities and two zero-days. Also, learn about Trend Micro’s new integrations with Amazon Web Services (AWS).

 

Read on:

 

Microsoft Patches 120 Vulnerabilities, Two Zero-Days

This week Microsoft released fixes for 120 vulnerabilities, including two zero-days, in 13 products and services as part of its monthly Patch Tuesday rollout. The August release marks its third-largest Patch Tuesday update, bringing the total number of security fixes for 2020 to 862. “If they maintain this pace, it’s quite possible for them to ship more than 1,300 patches this year,” says Dustin Childs of Trend Micro’s Zero-Day Initiative (ZDI).

 

XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Trend Micro has discovered an unusual infection related to Xcode developer projects. Upon further investigation, it was discovered that a developer’s Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, another is used to abuse the development version of Safari.

 

Top Tips for Home Cybersecurity and Privacy in a Coronavirus-Impacted World: Part 1

We’re all now living in a post-COVID-19 world characterized by uncertainty, mass home working and remote learning. To help you adapt to these new conditions while protecting what matters most, Trend Micro has developed a two-part blog series on ‘the new normal’. Part one identifies the scope and specific cyber-threats of the new normal. 

 

Trend Micro Brings DevOps Agility and Automation to Security Operations Through Integration with AWS Solutions

Trend Micro enhances agility and automation in cloud security through integrations with Amazon Web Services (AWS). Through this collaboration, Trend Micro Cloud One offers the broadest platform support and API integration to protect AWS infrastructure whether building with Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda, AWS Fargate, containers, Amazon Simple Storage Service (Amazon S3), or Amazon Virtual Private Cloud (Amazon VPC) networking.

 

Shedding Light on Security Considerations in Serverless Cloud Architectures

The big shift to serverless computing is imminent. According to a 2019 survey, 21% of enterprises have already adopted serverless technology, while 39% are considering it. Trend Micro’s new research on serverless computing aims to shed light on the security considerations in serverless environments and help adopters in keeping their serverless deployments as secure as possible.

 

In One Click: Amazon Alexa Could be Exploited for Theft of Voice History, PII, Skill Tampering

Amazon’s Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service’s subdomains. The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot — with over 200 million shipments worldwide — was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings.

 

New Attack Lets Hackers Decrypt VoLTE Encryption to Spy on Phone Calls

A team of academic researchers presented a new attack called ‘ReVoLTE,’ that could let remote attackers break the encryption used by VoLTE voice calls and spy on targeted phone calls. The attack doesn’t exploit any flaw in the Voice over LTE (VoLTE) protocol; instead, it leverages weak implementation of the LTE mobile network by most telecommunication providers in practice, allowing an attacker to eavesdrop on the encrypted phone calls made by targeted victims.

 

An Advanced Group Specializing in Corporate Espionage is on a Hacking Spree

A Russian-speaking hacking group specializing in corporate espionage has carried out 26 campaigns since 2018 in attempts to steal vast amounts of data from the private sector, according to new findings. The hacking group, dubbed RedCurl, stole confidential corporate documents including contracts, financial documents, employee records and legal records, according to research published this week by the security firm Group-IB.

 

Walgreens Discloses Data Breach Impacting Personal Health Information of More Than 72,000 Customers

The second-largest pharmacy chain in the U.S. recently disclosed a data breach that may have compromised the personal health information (PHI) of more than 72,000 individuals across the United States. According to Walgreens spokesman Jim Cohn, prescription information of customers was stolen during May protests, when around 180 of the company’s 9,277 locations were looted.

 

Top Tips for Home Cybersecurity and Privacy in a Coronavirus-Impacted World: Part 2

The past few months have seen radical changes to our work and home life under the Coronavirus threat, upending norms and confining millions of American families within just four walls. In this context, it’s not surprising that more of us are spending an increasing portion of our lives online. In the final blog of this two-part series, Trend Micro discusses what you can do to protect your family, your data, and access to your corporate accounts.

 

What are your thoughts on Trend Micro’s tips to make your home cybersecurity and privacy stronger in the COVID-19-impacted world? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft Patches 120 Vulnerabilities, Including Two Zero-Days and Trend Micro Brings DevOps Agility and Automation to Security Operations Through Integration with AWS Solutions appeared first on .

This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Based on research that Trend Micro released during Black Hat USA this past week, read about how some industrial robots have flaws that could make them vulnerable to advanced hackers, as well as the risks related to protocol gateways and how to secure these devices.

 

Read on:

Unveiling the Hidden Risks of Industrial Automation Programming

The legacy programming environments of widely used industrial machines could harbor virtually undetectable vulnerabilities and malware. Trend Micro’s recent security analysis of these environments, presented at Black Hat USA 2020 this week, reveals critical flaws and their repercussions for smart factories.

Top 6 Cybersecurity Trends to Watch for at Black Hat USA 2020

At this year’s Black Hat USA 2020 conference, some of the top trends expected to surface include ransomware, election security and how to protect a remote workforce. Trend Micro’s vice president of cybersecurity, Greg Young, said, “Cybercrime increased rather than slowed down due to the pandemic, as we saw 1 billion more threats blocked in the first half of 2020 compared to 2019.”

Lost in Translation: When Industrial Protocol Translation Goes Wrong

Also presented this week at Black Hat USA, this recent research from Trend Micro examines the risks related to protocol gateways, the possible impact of an attack or wrong translation, and ways to secure these devices.

‘Alarming’ Rate of Cyberattacks Aimed at Major Corporations, Governments and Critical Infrastructure Amid COVID-19: Report

As COVID-19 cases around the U.S. continue to rise, the International Criminal Police Organization (INTERPOL) says that governments are seeing an “alarming” rate of cyberattacks aimed at major corporations, governments and critical infrastructure.

Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

A series of ongoing business email compromise (BEC) campaigns that uses spear-phishing schemes on Office 365 accounts has been seen targeting business executives of more than 1,000 companies globally since March. The campaigns target senior positions in the United States and Canada, and the fraudsters, dubbed “Water Nue” by Trend Micro, primarily target accounts of financial executives to obtain credentials for further financial fraud.

Robots Running the Industrial World Are Open to Cyber Attacks

Industrial robots are now being used to assemble everything from airplanes to smartphones, using human-like arms to mechanically repeat the same processes over and over, thousands of times a day with nanometric precision. But according to a new report from Trend Micro, some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely.

Patch Fail Led to Password Leak of 900 VPN Enterprise Servers

Applying a security update to a CVE released more than a year ago could have prevented a hacker from publishing plaintext usernames and passwords as well as IP addresses for more than 900 Pulse Secure VPN enterprise servers. This vulnerability, CVE 2019-11510, was one of the several recently exploited vulnerabilities by Russia’s Cozy Bear, APT29, in an attempt to steal COVID-19 vaccine research.

U.S. Offers Reward of $10M for Info Leading to Discovery of Election Meddling

The U.S. government is concerned about foreign interference in the 2020 election, so much so that it will offer a reward of up to $10 million for anyone providing information that could lead to tracking down potential cybercriminals aiming to sabotage the November vote.

TeamViewer Flaw Could be Exploited to Crack Users’ Password

A high-risk vulnerability in TeamViewer for Windows could be exploited by remote attackers to crack users’ password and, consequently, lead to further system exploitation. CVE-2020-13699 is a security weakness arising from an unquoted search path or element – more specifically, it’s due to the application not properly quoting its custom URI handlers – and could be exploited when the system with a vulnerable version of TeamViewer installed visits a maliciously crafted website.

Black Hat: How Your Pacemaker Could Become an Insider Threat to National Security

Implanted medical devices are an overlooked security challenge that is only going to increase over time. The emerging problem of vulnerabilities and avenues for attack in IMDs was first highlighted by the 2017 case of St. Jude (now under the Abbott umbrella), in which the US Food and Drug Administration (FDA) issued a voluntary recall of 465,000 pacemakers due to vulnerabilities that could be remotely exploited to tamper with the life-saving equipment.

What was your favorite session from Black Hat USA this week? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong appeared first on .

This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion. Also, learn about how the Vermont Department of Taxes may have been exposing taxpayer data for more than three years.

Read on:

Ransomware is Still a Blight on Business

Ransomware has been with us for years, but only really became mainstream after the global WannaCry and NotPetya incidents of 2017. Now mainly targeting organizations in lieu of consumers, and with increasingly sophisticated tools and tactics, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That’s why we need industry partnerships like No More Ransom.

Garmin Outage Caused by Confirmed WastedLocker Ransomware Attack

Wearable device maker Garmin shut down some of its connected services and call centers last week following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack. Garmin’s product line includes GPS navigation and wearable technology for the automotive, marine, aviation, marine, fitness, and outdoor markets.

Trend Micro Launches Cloud Solution for Microsoft Azure

Trend Micro announced the availability of its Trend Micro Cloud One – Conformity offering to Azure customers, helping global organizations tackle misconfigurations, compliance challenges and cyber-risks in the cloud. The company also achieved the CIS Microsoft Azure Foundation Security Benchmark, certifying that the Conformity product has built-in rules to check for more than 100 best practices in the CIS framework.

Ensiko: A Webshell with Ransomware Capabilities

Ensiko is a PHP web shell with ransomware capabilities that targets platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell.

‘Boothole’ Threatens Billions of Linux, Windows Devices

A newly discovered serious vulnerability – dubbed “BootHole” – with a CVSS rating of 8.2 could unleash attacks that could gain total control of billions of Linux and Windows devices. Security firm Eclypsium researchers released details this week about how the flaw can take over nearly any device’s boot process.

Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902

Following the initial disclosure of two F5 BIG-IP vulnerabilities in early July, Trend Micro continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.

Hackers Stole GitHub and GitLab OAuth Tokens from Git Analytics Firm Waydev

Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. Earlier this month, the company disclosed a security breach, saying that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.

Application Security 101

As the world currently grapples with the disruption brought about by the coronavirus pandemic, the need for digital transformation has become not only more apparent but also more urgent.  Applications now play an integral role, with many businesses and users relying on a wide range of applications for work, education, entertainment, retail, and other uses.

Vermont Taxpayers Warned of Data Leak Over the Past Three Years

The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department’s website warned taxpayers who filed a Property Transfer Tax return through the department’s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.

Guidelines Related to Security in Smart Factories Part 6: MITRE ATT&CK

This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Thus far, part one through part five have explained IEC62443, the NIST CSF, part of the P800 series, and CIS Controls. In part six, Trend Micro explains MITRE ATT&CK, although not a guideline, it is a knowledge base in which offensive and defensive technologies in cyber-attacks are clearly organized.

If You Own One of These 45 Netgear Devices, Replace It: Firm Won’t Patch Vulnerable Gear Despite Live Proof-of-Concept Code

Netgear has decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vulnerability was revealed publicly in June by Trend Micro’s Zero Day Initiative (ZDI).

Online Dating Websites Lure Japanese Customers to Scams

In May, Trend Micro observed a sudden increase in traffic for online dating websites primarily targeting Japanese customers. After analyzing and tracking these numbers, we found that these dating scam campaigns attract potential victims by using different website domains that have similar screen page layouts. By the end of the transactions, the fraudsters steal money from victims without the subscribers receiving any of the advertised results.

ESG Findings on Trend Micro Cloud-Powered XDR Drives Monumental Business Value

Trend Micro’s cloud-powered XDR and Managed XDR offerings optimize threat detection and response across all critical vectors. In a recent survey commissioned by Trend Micro and conducted by ESG, organizations surveyed experience faster detection and less alert fatigue as a result of intelligently using data from all their security controls (including those covering endpoints, email, servers, cloud workloads and networks).

How does your organization manage threat detection and response? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years appeared first on .

This Week in Security News: Trend Micro Research Uncovers the Business Infrastructure of Cybercrime and Apple Launches Security Device Research Program

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read new insights from Trend Micro that look at the market for underground hosting services and where cybercriminals rent the infrastructure for their business. Also, learn about Apple’s new iPhone Research Device Program that will provide certain hackers with special devices to conduct security research.

Read on:

Trend Micro Research Uncovers the Business Infrastructure of Cybercrime

This week Trend Micro released new insights analyzing the market for underground hosting services and detailing how and where cybercriminals rent the infrastructure that hosts their business. This first report of a planned three-part series details the market for buying and selling these services, which are the backbone of every other aspect of the cybercriminal business model, whether that includes sending spam, communicating with a command and control server, or offering a help desk for ransomware.

Have You Considered your Organization’s Technical Debt?

In the tech world where one seemingly tiny vulnerability can bring down your whole system, managing technical debt is critical. Fixing issues before they become emergent situations is necessary in order to succeed. By spending a little time each day to tidy up a few things, you can make your system more stable and provide a better experience for both your customers and your fellow developers.

New ‘Shadow Attack’ Can Replace Content in Digitally Signed PDF Files

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany.

Cleaner One Pro Speeds Up Your Mac: Part 2

In the first part of this blog series, Trend Micro introduced its Cleaner One Pro, a one-stop shop to help you speed up your Mac, highlighting the quick optimizer, the main console, and the cleaning tools. In part two, Trend Micro resumes the discussion of how to make your Mac run faster with more Cleaner One Pro features: system and application management, privacy protection and other options.

Multi-Platform Malware Framework Linked to North Korean Hackers

Security researchers at Kaspersky have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years. Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.

Updates on ThiefQuest, the Quickly-Evolving macOS Malware

In early July, Trend Micro noticed a new malware dubbed ThiefQuest, a threat that targets macOS devices, encrypts files, and installs keyloggers in affected systems. However, new reports on the malware state the assumption that the malware’s ransomware activity is not its main attack method; rather, it is a pre-emptive move to disguise its other capabilities such as file exfiltration, Command and Control (C&C) communication, and keylogging.

Apple’s Long-Awaited Security Device Research Program Makes its Debut

In order to make it easier for security researchers to find vulnerabilities in iPhones, Apple is launching an iPhone Research Device Program that will provide certain hackers with special devices to conduct security research. Beyond enhancing security for iOS users and making it easier to unearth flaws in iPhones, the program also aims to improve the efficiency of ongoing security research on iOS.

Guidelines Related to Security in Smart Factories Part 5: CIS Controls

The purpose of this blog series is to explain typical examples of general-purpose guidelines for ICS and OT security and understand the concepts required for security in smart factories. As a subset of NIST SP800-53 which was introduced in part four, part five explains the CIS Controls that correspond to practical guides.

US Charges Two Chinese Spies for a Global Hacking Campaign that Targeted COVID-19 Research

U.S. prosecutors have charged two Chinese nationals, said to be working for China’s state intelligence bureau, for their alleged involvement in a massive global hacking operation that targeted hundreds of companies and governments for more than a decade. The 11-count indictment, unsealed Tuesday, alleges Li Xiaoyu, 34, and Dong Jiazhi, 33, stole terabytes of data from high-technology companies around the world—including the United States.

Twitter Hacked in Bitcoin Scam

Are Apple, Elon Musk, Barrack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme? No. The question was whether individual accounts were compromised or if something deeper was going on. Underlying this whole situation is a more challenging issue: The level of access that support has to any given system.

What are your thoughts on Apple’s new iPhone Research Device program? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Research Uncovers the Business Infrastructure of Cybercrime and Apple Launches Security Device Research Program appeared first on .

This Week in Security News: Trend Micro Research Discovers Cybercriminal Turf War on Routers and a Massive Twitter Breach Compromises Some of the World’s Most Prominent Accounts

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro’s report on the botnet battle for IoT territory and how attacker groups are trying to gain control of vulnerable routers and other devices. Also, learn about a Twitter breach that happened earlier this week, involving some of the most well-known and wealthiest people and brands globally.

Read on:

‘DDoS-For-Hire’ is Fueling a New Wave of Attacks

Earlier this week, Trend Micro released a report about escalating global turf wars between attacker groups vying to seize control of vulnerable routers and other devices, titled “Worm War: The Botnet Battle for IoT Territory.” Robert McArdle, director of Trend Micro’s forward-looking threat research (FTR) and David Sancho, senior threat researcher, spoke with WIRED about findings from the report and how the aim of attacker groups is to power botnets that can direct a firehose of malign traffic or requests for DDoS attacks.

Extraordinary Twitter Hack Compromises Some of the World’s Most Prominent Accounts

Earlier this week, hackers hijacked the Twitter accounts of some of the world’s most prominent and wealthiest people and brands including Barack Obama, Joe Biden, Kanye West, Jeff Bezos, Bill Gates, Elon Musk and tech giant Apple. These hacked accounts sent out messages promising bitcoin payments as part of a scam.

Tax Scams – Everything You Need to Know to Keep Your Money and Data Safe

Cybercriminals are always on the hunt for two things: people’s identity data from their accounts and their money. Both can be exposed during the tax-filing season, and cybercriminals have adapted multiple tools and techniques to obtain this information. In this blog, take a look at some of the main threats during tax-filing season and what you can do to stay safe.

Russia is Trying to Hack and Steal Coronavirus Vaccine Data, U.S., Canadian and UK Officials Claim

Officials said that hackers linked to Russian intelligence services are trying to steal information about coronavirus vaccine research in the U.S., Canada and the U.K.  They said that a group known as APT29 — also known as “Cozy Bear” and believed to be associated with Russian intelligence — was likely to blame for the attack, which used spear phishing and custom malware to target vaccine researchers.

Trend Micro and Girls in Tech to Provide Cybersecurity Training to Girls Around the World

Trend Micro recently announced that it is expanding its partnership with non-profit Girls in Tech with a new initiative aimed at closing the gender diversity and talent gap in the technology industry. Together, the organizations will provide cybersecurity training to girls around the world to help develop a large talent pool of women eager to get their start in the industry.

Microsoft Tackles 123 Fixes for July Patch Tuesday

A critical DNS bug and a publicly known elevation-of-privilege flaw top this month’s Patch Tuesday list of 123 fixes. This article includes data from the Trend Micro Zero Day Initiative (ZDI) July Patch Tuesday blog post, which says that this Patch Tuesday “makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month.”

Guidelines Related to Security in Smart Factories (Part 4) NIST SP800 Series

This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Based on the NIST CSF that was introduced in Part 3, from the SP800 series which are guidelines with high specificity, Part 4 explains SP800-53, SP800-82, and SP800-171, which are considered to be particularly relevant to general manufacturing industries.

TikTok’s Huge Data Harvesting Prompts U.S. Security Concerns

Security researchers say TikTok’s information collection practices are consistent with Facebook Inc., Google and other U.S. tech companies looking to tailor ads and services to their users. The bigger issue lies in what TikTok does with the intel it gathers. Some groups like the Democratic and Republican national committees and Wells Fargo & Co. have discouraged or banned people from using the app.

Infrastructure as Code: Security Risks and How to Avoid Them

Infrastructure as Code (IaC) is a key DevOps practice that bolsters agile software development. In this report, Trend Micro identifies security risk areas in IaC implementations and the best practices in securing them.

Lost in Translation: Serious Flaws Found in ICS Protocol Gateways

Marco Balduzzi, senior research scientist with Trend Micro, will disclose details of multiple vulnerabilities he and his team discovered in a sampling study of five popular ICS gateway products at Black Hat USA’s virtual event next month. Their findings focus not on the gateways’ software nor the industrial protocols as in previous research, but rather on a lesser-studied function: the protocol translation process that the devices conduct.

Fixing Cloud Migration: What Goes Wrong and Why?

As part of our #LetsTalkCloud series, Trend Micro is sharing some of its deep, in-house expertise on cloud migration through conversations with company experts and folks from the industry. To kick off the series, this blog covers some of the security challenges that solution architects and security engineers face with customers when discussing cloud migrations. Spoiler: these challenges may not be what you expect.

Has your organization experienced security challenges related to cloud migration? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Research Discovers Cybercriminal Turf War on Routers and a Massive Twitter Breach Compromises Some of the World’s Most Prominent Accounts appeared first on .

Twitter Hacked in Bitcoin Scam

By Mark Nunnikhoven (Vice President, Cloud Research)
Computer monitor with a bitcoin displayed on the screen being lifted out of the display by a fishing line indicated a scam or phishing attack

It started with one weird tweet. Then another. Quickly, some of the most prominent accounts on Twitter were all sending out the same message;

I am giving back to the community.

All Bitcoin sent to the address below will be sent back double! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.

[- BITCOIN WALLET ADDRESS -]

Are Apple, Elon Musk, Barrack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme?

No. Of course, not. The question was whether or not individual accounts were compromised or if something deeper was going on.

User Account Protection

These high profile accounts are prime targets for cybercriminals. They have a broad reach, and even a brief compromise of one of these accounts would significantly increase a hacker’s reputation in the underground.

That is why these accounts leverage the protections made available by Twitter in order to keep their accounts safe.

This means;

While it’s believed that one or two of these accounts failed to take these measures, it’s highly unlikely that dozens and dozens of them did. So what happened?

Rumours Swirl

As with any public attack, the Twitter-verse (ironically) was abuzz with speculation. That speculation ramped up when Twitter took the reasonable step of preventing any verified account from tweeting for about three hours.

This step helped prevent any additional scam tweets from being published and further raised the profile of this attack.

While some might shy away from raising the profile of an attack, this was a reasonable trade-off to prevent further damage to affected accounts and to help prevent the attack from taking more ground.

This move also provided a hint as to what was going on. If individual accounts were being attacked, it’s unlikely that this type of movement would’ve done much to prevent the attacker from gaining access. However, if the attacker was accessing a backend system, this mitigation would be effective.

Had Twitter itself been hacked?

Occam’s Razor

When imagining attack scenarios, a direct breach of the main service is a scenario that is often examined in-depth, which is also why it is one of the most planned for scenarios.

Twitter — like any company — has challenges with its systems, but they center primarily around content moderation…their backend security is top-notch.

An example of this an incident in 2018. Twitter engineers made a mistake that meant anyone’s password could have been exposed in their internal logs. Just in case, Twitter urged everyone to reset their password.

While possible, it’s unlikely that Twitter’s backend systems were directly breached. There is a much simpler potential explanation: insider access.

Internal Screenshot

Quickly after the attack, some in the security community noticed a screenshot of an internal support tool from Twitter surfacing in underground discussion forums. This rare inside view showed what appeared to be what a Twitter support team member would see.

This type of access is dangerous. Very dangerous.

Joseph Cox’s article detailing the hack has a key quote,

“We used a rep that literally done all the work for us.”

Anonymous Source

What remains unclear is whether this is a case of social engineering (tricking a privileged insider into taking action) or a malicious insider (someone internally motivated to attack the system).

The difference is important for other defenders out there.

The investigation is ongoing, and Twitter continues to provide updates via @TwitterSupport;

Our investigation is still ongoing but here’s what we know so far:

— Twitter Support (@TwitterSupport) July 16, 2020

Social Engineering

Donnie Sullivan from CNN has a fantastic interview with the legendary Rachel Tobac showing how simple social engineering can be and the dangerous impact it can have;

What is “social engineering,” you ask? @RachelTobac showed me. pic.twitter.com/TAw7FB1QPQ

— Donie O'Sullivan (@donie) July 16, 2020

If this attack was conducted through social engineering, the security team at Twitter would need to implement additional processes and controls to ensure that it doesn’t happen again.

Such a situation is what your team also needs to look at. While password resets, account closures, data transfers, and other critical processes are at particular risk of social engineering, financial transactions are atop the cybercriminal’s target list.

BEC—business email compromise—attacks accounted for USD 1.7 billion in losses in 2019 alone.

Adding additional side-channel confirmations, additional steps for verifications, firm and clear approvals and other process steps can help organizations mitigate these types of social engineering attacks.

Malicious Insider

If the attack turns out to be from a malicious insider. Defenders need to take a different approach.

Malicious insiders are both a security problem and human resource one.

From the security perspective, two key principles help mitigate the potential of these attacks;

Making sure that individuals only have the technical access needed to complete their assigned tasks, and only that access is key to limiting this potential attack. Combined with the smart separation of duties (one person to request a change, another to approval it), this significantly reduces the possibility of these attacks causing harm.

The other—and not often spoken of—side of these attacks is the reason behind the malicious intent. Some people are just malicious, and when presented with an opportunity, they will take it.

Other times, it’s an employee that feels neglected, passed over, or is disgruntled in some other way. A strong internal community, regular communication, and a strong HR program can help address these issues before they escalate to the point where aiding a cybercriminal becomes an enticing choice.

Support Risks

Underlying this whole situation is a more challenging issue; the level of access that support has to any given system.

It’s easy to think of a Twitter account as “yours.” It’s not. It’s part of a system run by a company that needs to monitor the health of the system, respond to support issues, and aid law enforcement when legally required.

All of these requirements necessitate a level of access that most don’t think about.

How often are you sharing sensitive information via direct message? Those messages are most likely accessible by support.

What’s to prevent them from accessing any given account or message at any time? We don’t know.

Hopefully, Twitter—and others—have clear guardrails (technical and policy-based) in place to prevent abuse of support access, and they regularly audit them.

It’s a hard balance to strike. User trust is at stake but also the viability of running a service.

Clear, transparent policies and controls are the keys to success here.

Abuse can be internal or external. Support teams typically have privileged access but are also among the lowest paid in the organization. Support—outside of the SRE community—is usually seen as entry-level.

These teams have highly sensitive access, and when things go south, can do a lot of harm. Again, the principles of least privilege, separation of duties, and a strong set of policies can help.

What’s Next?

In the coming days, more details of the attack will surface. In the meantime, the community is still struggling to reconcile the level of access gained and how it was used.

Getting access to some of the world’s most prominent accounts and then conducting a bitcoin scam? Based on the bitcoin transactions, it appears the cybercriminals made off with a little over USD 100,000. Not insignificant, but surely there were other opportunities?

Occam’s razor can help here again. Bitcoin scams and coin miners are the most direct method fo cybercriminals to capitalized on their efforts. Given the high profile nature of the attack, the time before the discovery was always going to be sure. This may have been the “safest” bet for the criminal(s) to profit from this hack.

In the end, it’s a lesson for users of social networks and other services; even if you take all of the reasonable security precautions, you are relying on the service itself to help protect you. That might not always hold true.

It’s a harsh reminder that the very tooling you put in place to run your service may be its biggest risk for service providers and defenders…a risk that’s often overlooked and underestimated.

In the end, Marques Brownlee sums it up succinctly;

Don't send Bitcoin to strangers.

— Marques Brownlee (@MKBHD) July 15, 2020

 

What do you think of this entire episode? Let’s talk about it—un-ironically—on Twitter, where I’m @marknca.

The post Twitter Hacked in Bitcoin Scam appeared first on .

Ask Me Anything – Celebrating The Fifth Anniversary Of My Monthly Threat Webinar

By Jon Clay (Global Threat Communications)

In July 2015, I did my first threat webinar. I had planned to do it on a monthly basis, and never imagined I would still be doing it five years later, but here I am, still creating monthly webinars. I still do. I started the webinar series to help people understand the different threats targeting our customers and I have always tried to focus on three areas:

  • Share information on what threats our customers deal with regularly
  • Talk about an actual threat and explain how it works
  • Discuss technologies versus solutions

This last point, discussing technologies versus solutions, has been one of the key items I try to follow as much as possible – after all, the goal of my webinars is to be educational, not a sales pitch.

Coming from a technical background, BS in Electrical Engineering from Michigan State University (Go Spartans!!), I enjoy learning about the new technologies being used to detect the latest threats and to ensure you know what to look for when selecting a vendor and/or a security solution. Over the years, I’ve discussed everything from APTs, coinminers, exploits, messaging threats, ransomware, underground activity and lots in between. It is pretty easy to find topics to discuss, as there is so much going on in our industry, and with the malicious actors regularly shifting their tactics, techniques and procedures, I can keep the content fairly fresh.

I really enjoy having guest speakers on my webinars to mix things up a bit for the viewers as well, as I know my limitations – there are just too many threats out there to keep up with all of them. The main reason I love doing the threat webinars is that I enjoy sharing information and teaching others about our industry and the threats affecting them.  If you want to check out any of my previous five years of webinars you can watch them here.

For my fifth year anniversary I wanted to try something different and I would like to do an open Q&A session. As I’ve never done this before, it will certainly be an interesting experience for me, but hopefully for you as well. I hope I can answer a majority of your questions, but I know some of you are way too smart for me, so please bear with me.

Our registration page for this webinar allows you to submit any pre-session questions that I’ll answer throughout the webinar. You can ask me anything that is on your mind and if I cannot get to your question, I’ll do my best to answer you afterwards in an email.

I hope to continue to do these webinars for the foreseeable future and I would like to end my post by thanking each and every one of you who has participated in my webinars over the years. It has been a pleasure, and I look forward to answering your questions.

Take care, stay healthy, and keep on smiling!

Jon

The post Ask Me Anything – Celebrating The Fifth Anniversary Of My Monthly Threat Webinar appeared first on .

This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. Also, learn about a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173.

Read on:

Cloud Security is Simple, Absolutely Simple.

“Cloud security is simple, absolutely simple. Stop over complicating it.” This is the advice that Mark Nunnikhoven, vice president of cloud research at Trend Micro, shared to kick off his presentation at the CyberRisk Alliance Cloud Security Summit this year. Check out a recording of his talk in this blog recap to learn more.

Order Out of Chaos: Tackling Phishing Attacks

Responding to phishing attacks requires a combination of commodity tools, cutting-edge machine learning techniques and human-powered defense. That’s how to create order out of chaos and beat the phishers at their own game, according to Trend Micro’s Greg Young. Learn more in his recent article on phishing in Security Boulevard.

Beyond the Endpoint: Why Organizations are Choosing XDR for Holistic Detection and Response

The endpoint has long been a major focal point for attackers targeting enterprise IT environments. Yet increasingly, security teams are needing to protect data across the organization – whether it’s in the cloud, on IoT devices, in email, or on-premises servers – attackers may jump from one environment to the next in multi-stage attacks and even hide between the layers. XDR solutions offer a convincing alternative to EDR and point solutions.

15 Billion Credentials Currently Up for Grabs on Hacker Forums

Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. A report released from the Digital Shadows Photon Research Team found that 100,000 separate data breaches over a 2-year period have yielded a 300% increase in stolen credentials, leaving a wealth of account details on dark-web hacker forums up for grabs.

ISO/SAE 21434: It’s Time to Put the Brakes on Connected Car Cyber-Threats

Connected cars are set to grow 270% by 2022 to reach an estimated 125 million in just a few years. However, the high-performance mobile computers in connected cars can also leave them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues. This is where the ISO/SAE 21434 standard comes in and creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk.

New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173

Trend Micro discovered a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which were not observed as exploited by past Mirai variants. This discovery is a new addition to the Mirai variants that appeared in the past few months which include SORA, UNSTABLE, and Mukashi.

Microsoft Files Lawsuit to Seize Fake Domains Used in COVID-19-Themed BEC Attacks

Microsoft has filed a lawsuit in an effort to seize control of several domains used to launch COVID-19-themed cyberattacks against the company’s customers in 62 countries. The company started tracking the malicious activity in December 2019 after identifying it as a phishing scheme attempting to compromise Microsoft customer accounts and access emails, contacts, sensitive files, and other information.

Cleaner One Pro Speeds Up Your Mac: Part 1

Trend Micro Cleaner One Pro is an easy-to-use, all-in-one disk cleaning and optimization utility that can help you boost your Mac’s performance. In this two-part blog series, Trend Micro outlines how you can use Cleaner One Pro to make your Mac run faster, walking you through its features. In Part 1, Trend Micro focuses on Quick Optimizer, the Main Console, and the Cleaning Tools.

Joker Malware Apps Once Again Bypass Google’s Security to Spread via Play Store

Cybersecurity researchers unveiled another instance of Android malware hidden under the guise of legitimate applications to stealthily subscribe unsuspecting users for premium services without their knowledge. The Joker malware has found another trick to bypass Google’s Play Store protections: obfuscate the malicious DEX executable inside the application as Base64 encoded strings, which are then decoded and loaded on the compromised device.

Malicious Chrome Extensions, Domains Used to Steal User Data

Google Chrome extensions and Communigal Communication Ltd. (Galcomm) domains were used in a campaign that aims to track user activity and data, according to Awake Security. In the past three months, the researchers found 111 malicious or fake Chrome extensions using Galcomm domains as their command and control infrastructure. There have been at least 32 million downloads of these malicious extensions.

Patch Now: F5 Vulnerability with CVSS 10 Severity Score

F5 Networks, a provider of networking devices and services, urges users to patch their BIG-IP networking systems as soon as possible after disclosing two vulnerabilities: CVE-2020-5902, a critical remote code execution (RCE) vulnerability found in BIG-IP device’s Traffic Management User Interface (TMUI), and CVE-2020-5903, a less critical vulnerability that involves cross-site scripting (XSS). F5 has now released patches for both in the vulnerabilities’ respective security advisories.

Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted

Over the past couple of months, ransomware has remained a formidable threat as new families, techniques, and targets continue emerging at every turn. Trend Micro recently witnessed the rise of a new ransomware family called Avaddon. In this blog, Trend Micro examines techniques utilized by some ransomware variants and the industries affected by these attacks.

70% of Organizations Experienced a Public Cloud Security Incident in the Last Year

70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos. Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.

Russian Group Cosmic Lynx Launches Over 200 BEC Campaigns

A Russian group dubbed as Cosmic Lynx initiated more than 200 Business Email Compromise (BEC) campaigns targeting hundreds of multinational companies, according to security firm Agari. Cosmic Lynx was revealed to have been launching campaigns in over 40 countries including the United States, Canada, and Australia since 2019. The average amount requested from the targets is at US $1.27 million.

Guidelines Related to Security in Smart Factories Part 3: NIST Cyber Security Framework

This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Part three dives into the NIST Cyber Security Framework (CSF), which is issued by US National Institute of Standards and Technology (NIST).

Has your organization experienced a public cloud security incident over the last year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal appeared first on .

ISO/SAE 21434: It’s time to put the brakes on connected car cyber-threats

By William "Bill" Malik (CISA VP Infrastructure Strategies)

Connected cars are on the move. Globally their number is set to grow 270% between 2018 and 2022 to reach an estimated 125 million in a couple of years. Increasingly, these vehicles are more akin to high-performance mobile computers with wheels than traditional cars, with features including internet access, app-based remote monitoring and management, advanced driver-assistance, and autonomous driving capabilities. But this also leaves them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues.

This is where a new standard comes in. ISO/SAE 21434 creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk. A new report from Trend Micro details what industry stakeholders need to, along with our recommendations as cybersecurity experts.

Packed with power

Modern automobiles do far more than transport their occupants from A to B. They are filled with computing power, sensors, infotainment systems and connectivity to help improve the car experience, traffic safety, vehicle maintenance and much more. This all creates complexity, which in turn leads to the emergence of cybersecurity gaps.

For example, there are now more than 100 engine control units (ECUs) in many modern vehicles, packed with software to control everything from the engine and suspension to the brakes. By hijacking the execution of any ECU an attacker could move laterally to any target in the vehicle, potentially allowing them to remotely cause life-threatening accidents.

As our report explains, there are three fundamental issues that make securing connected cars challenging:

Vulnerabilities are difficult to patch due to the highly tiered mature of car supply chains, firmware interoperability and long update times. If updates fail, as they can, a vehicle may be left inoperable.

Protocols used for connectivity between ECUs were not designed with security in mind, allowing attackers to conduct lateral movement.

Aftermarket products and services represent a third area of risk exposure. Akin to unsecured IoT devices in the smart home, they can be abused by attackers to pivot to more sensitive parts of the vehicle.

These vulnerabilities have been highlighted in research dating back years, but as connected cars grow in number, real-world attacks are now starting to emerge. Attack scenarios target everything from user applications to network protocols, to the CAN bus, on-board software and more. In short, there’s much for the bad guys to gain and plenty for carmakers to lose.

Here to help

This is where the new standard comes in. ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is a typically long and detailed document designed to improve automotive cybersecurity and risk mitigation across the entire supply chain — from vehicle design and engineering through to decommissioning.

As a long-time collaborator with the automotive industry, Trend Micro welcomes the new standard as a way to enhance security-by-design in an area coming under the increasing scrutiny of attackers. In fact, eight out of the world’s top 10 automotive companies have adopted Trend Micro solutions for their enterprise IT.

In order to follow ISO/SAE 21434 and protect connected cars, organizations need comprehensive visibility and control of the entire connected car ecosystem, including: vehicle, network and backend systems. They should then consider developing a Vehicle Security Operations Center (VSOC) to manage notifications coming in from all three areas and to create a bird’s eye view of the entire ecosystem.

Consider the following capabilities in each of these key areas:

Vehicle: Detect in-vehicle vulnerabilities and possible exploitation, including those in critical devices that connected the in-vehicle network to outside networks, for instance, in-vehicle infotainment systems (IVI) and telematic control units (TCUs).

Network: Apply network security policy, monitoring traffic to detect and prevent threats including connections between vehicle and backend cloud and data centers.

Backend: Secure data centers, cloud and containers from known and unknown threats and bugs without compromising performance.

Vehicle SOC: Take quick and effective action by correlating threats detected from the endpoint, network, and backend with individual notifications from each, enabling a bird’s eye view of comprehensive elements.

In uncertain times for the industry, it pays to get ahead of the game, and any prospective changes in local laws that the new ISO/SAE standard may encourage. For carmakers looking to differentiate in a tough market, and do the right thing by protecting their customers, Trend Micro is here to help.

To find out more, read the full report here.

The post ISO/SAE 21434: It’s time to put the brakes on connected car cyber-threats appeared first on .

This Week in Security News: Payment Card Skimmer Attacks Hit 8 Cities and Survey Finds 72% of Remote Workers Have Gained Cybersecurity Awareness During Lockdown

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about eight U.S. cities that recently had payment card data stolen via point-of-sale skimming malware on their Click2Gov online payment platforms. Also, learn about the cybersecurity behaviors of more than 13,000 remote workers across 27 countries in a new survey from Trend Micro.

Read on:

Connected Car Standards – Thank Goodness!

Intelligent transportation systems (ITS) require harmonization among manufacturers to have any chance of succeeding in the real world. Successful ITS’ require interoperable components, especially for managing cybersecurity issues. The good news is we now have a standard for automotive cybersecurity (ISA/SAE 21434) that addresses all the major elements of connected car security. In this blog from Trend Micro, learn more about this standard for automotive cybersecurity.

The Next Cybersecurity Headache: Employees Know the Rules but Just Don’t Care

Cybersecurity has shot to the top of many IT leaders’ priorities over the past few months as remote working became the de facto way of doing business. Yet despite more awareness of the security risks of working from home, employees are still showing a lax attitude when putting it into practice. Trend Micro recently surveyed more than 13,000 remote workers across 27 countries and found that 72% of respondents claimed to have gained better cybersecurity awareness during the pandemic.

Risk Decisions in an Imperfect World

Risk decisions are the foundation of information security – but sadly also one of the most often misunderstood parts. This is bad enough on its own but can sink any effort at education as an organization moves towards a DevOps philosophy. In this blog, check out a video on how to properly evaluate risk from Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Payment Card Skimmer Attacks Hit 8 Cities

Eight U.S. cities recently had payment card data stolen via point-of-sale skimming malware on their Click2Gov online payment platforms, according to Trend Micro. Five of those cities had already been victims of similar Magecart-style attacks in recent years. This new round of attacks targeted payment card information, along with the card owner’s name and address.

Perspectives Summary – What You Said

On Thursday, June 25, Trend Micro hosted its first-ever virtual Perspectives event. As the session progressed, Trend Micro polled attendees, composed of more than 5,000 global registrants, on two key cloud security questions. In this blog, Trend Micro analyzes and shares the responses.

Microsoft Issues Two Emergency Security Updates Impacting Windows 10 and Windows Server

This week, Microsoft issued emergency security updates for two vulnerabilities that could allow attackers to run remote code execution against victims. One of the flaws, CVE-2020-1425, would allow attackers to gather information from victims about further compromising their targets. Abdul-Aziz Hariri, a vulnerability analysis manager for Trend Micro’s Zero Day Initiative, is credited for finding and reporting the vulnerabilities.

Principles of a Cloud Migration

Development and application teams can be the initial entry point of a cloud migration as they start looking at faster ways to accelerate value delivery. In this video, Trend Micro’s Jason Dablow describes some techniques on how development staff can incorporate the Well Architected Framework and other compliance scanning against their Infrastructure as Code prior to it being launched into a cloud environment.

V Shred Data Leak Exposes PII, Sensitive Photos of Fitness Customers and Trainers

Las Vegas-based fitness brand V Shred, that offers fitness plans for women and men, exposed the personally identifiable information (PII) of more than 99,000 customers and trainers – and has yet to fully resolve the leaking database responsible. On Thursday, vpnMentor’s research team made the data leak public.

CSO Insights: Liggett Consulting’s Mark Liggett on Connectivity and Visibility in Securing Remote Work

When remote work becomes not just an option but the only choice for many, it raises vital questions about the technical side regarding how to make the transition feasible and how to keep it secure. In this blog, Mark Liggett, CEO of Liggett Consulting and longtime IT and cybersecurity key player, sits down with Trend Micro to share his thoughts on the importance of connectivity and visibility in securing WFH setups.

FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

Android mobile device users are being targeted in a new SMS phishing campaign that is spreading the FakeSpy infostealer. The malware, disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from victims’ devices. The campaign was first discovered targeting South Korean and Japanese speakers, but it has now expanded to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States.

Guidelines Related to Security in Smart Factories Part 2: System Design and Security Level of IEC62443

This blog series from Trend Micro describes typical examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. In part two, learn about the concepts of system design and security levels in IEC62443.

Forward-Looking Security Analysis of Smart Factories Part 5: Recommended Security Strategies and Countermeasures

In this five-part blog series, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. Wrapping up this series is a blog examining recommended security strategies and countermeasures to secure smart factories and to keep operations running.

How well do you think your organization’s employees are following security and IT procedures during quarantine? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Payment Card Skimmer Attacks Hit 8 Cities and Survey Finds 72% of Remote Workers Have Gained Cybersecurity Awareness During Lockdown appeared first on .

Survey: Employee Security Training is Essential to Remote Working Success

By Trend Micro

Organisations have been forced to adapt rapidly over the past few months as government lockdowns kept most workers to their homes. For many, the changes they’ve made may even become permanent as more distributed working becomes the norm. This has major implications for cybersecurity. Employees are often described as the weakest link in the corporate security chain, so do they become an even greater liability when working from home?

Unfortunately, a major new study from Trend Micro finds that, although many have become more cyber-aware during lockdown, bad habits persist. CISOs looking to ramp up user awareness training may get a better return on investment if they try to personalize strategies according to specific user personas.

What we found

We polled 13,200 remote workers across 27 countries to compile the Head in the Clouds study. It reveals that 72% feel more conscious of their organisation’s cybersecurity policies since lockdown began, 85% claim they take IT instructions seriously, and 81% agree that cybersecurity is partly their responsibility. Nearly two-thirds (64%) even admit that using non-work apps on a corporate device is a risk.

Yet in spite of these lockdown learnings, many employees are more preoccupied by productivity. Over half (56%) admit using a non-work app on a corporate device, and 66% have uploaded corporate data to it; 39% of respondents “often” or “always” access corporate data from a personal device; and 29% feel they can get away with using a non-work app, as IT-backed solutions are “nonsense.”

This is a recipe for shadow IT and escalating levels of cyber-risk. It also illustrates that current approaches to user awareness training are falling short. In fact, many employees seem to be aware of what best practice looks like, they just choose not to follow it.

Four security personas

This is where the second part of the research comes in. Trend Micro commissioned Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University, to profile four employee personas based on their cybersecurity behaviors: fearful, conscientious, ignorant and daredevil.

In this way: Fearful employees may benefit from training simulation tools like Trend Micro’s Phish Insight, with real-time feedback from security controls and mentoring.

Conscientious staff require very little training but can be used as exemplars of good behavior, and to team up with “buddies” from the other groups.

Ignorant users need gamification techniques and simulation exercises to keep them engaged in training, and may also require additional interventions to truly understand the consequences of risky behavior.

Daredevil employees are perhaps the most challenging because their wrongdoing is the result not of ignorance but a perceived superiority to others. Organisations may need to use award schemes to promote compliance, and, in extreme circumstances, step up data loss prevention and security controls to mitigate their risky behavior.

By understanding that no two employees are the same, security leaders can tailor their approach in a more nuanced way. Splitting staff into four camps should ensure a more personalized approach than the one-size-fits-all training sessions most organisations run today.

Ultimately, remote working only works if there is a high degree of trust between managers and their teams. Once the pandemic recedes and staff are technically allowed back in the office, that trust will have to be re-earned if they are to continue benefiting from a Work From Home environment.

The post Survey: Employee Security Training is Essential to Remote Working Success appeared first on .

Perspectives Summary – What You Said

By William "Bill" Malik (CISA VP Infrastructure Strategies)

 

On Thursday, June 25, Trend Micro hosted our Perspectives 2-hour virtual event. As the session progressed, we asked our attendees, composed of +5000 global registrants, two key questions. This blog analyzes those answers.

 

First, what is your current strategy for securing the cloud?

Rely completely on native cloud platform security capabilities (AWS, Azure, Google…) 33%

Add on single-purpose security capabilities (workload protection, container security…) 13%

Add on security platform with multiple security capabilities for reduced complexity 54%

 

This result affirms IDC analyst Frank Dickson’s observation that most cloud customers will benefit from a suite offering a range of security capabilities covering multiple cloud environments. For the 15% to 20% of organizations that rely on one cloud provider, purchasing a security solution from that vendor may provide sufficient coverage. The quest for point products (which may be best-of-breed, as well) introduces additional complexity across multiple cloud platforms, which can obscure problems, confuse cybersecurity analysts and business users, increase costs, and reduce efficiency.  The comprehensive suite strategy compliments most organizations’ hybrid, multi-cloud approach.

Second, and this is multiple choice, how are you enabling secure digital transformation in the cloud today?

 

This shows that cloud users are open to many available solutions for improving cloud security. The adoption pattern follows traditional on-premise security deployment models. The most commonly cited solution, Network Security/Cloud IPS, recognizes that communication with anything in the cloud requires a trustworthy network. This is a very familiar technique, dating back in the on-premise environment to the introduction of firewalls in the early 1990s from vendors like CheckPoint and supported by academic research as found in Cheswick and Bellovin’s Firewalls and Internet Security (Addison Wesley, 1994).

 

The frequency of data exposure due to misconfigured cloud instances surely drives Cloud Security Posture Management, certainly aided by the ease of deployment of tools like Cloud One conformity.

 

The newness of containers in the production environment most likely explains the relatively lower deployment of container security today.

 

The good news is that organizations do not have to deploy and manage a multitude of point products addressing one problem on one environment. The suite approach simplifies today’s reality and positions the organization for tomorrow’s challenges.

 

Looking ahead, future growth in industrial IoT and increasing deployments of 5G-based public and non-public networks will drive further innovations, increasing the breadth of the suite approach to securing hybrid, multi-cloud environments.

 

What do you think? Let me know @WilliamMalikTM.

 

The post Perspectives Summary – What You Said appeared first on .

This Week in Security News: Intel Says ‘Tiger Lake’ Will Drown Control-Flow Malware and New Phishing Campaign Targeting Office 365 Exploits Brand Names

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how the next generation of Intel mobile processors will include malware protection built into the chip. Also, read about a new phishing campaign that uses brand names to bypass security filters and trick victims into giving up Microsoft Office 365 credentials to gain access to corporate networks.

Read on:

Intel Says ‘Tiger Lake’ Will Drown Control-Flow Malware

Announced this week, the next generation of Intel mobile processors will include malware protection built into the chip. The protection, provided by Intel’s Control-Flow Enforcement Technology (CET), will first be available in the company’s “Tiger Lake” mobile processors. In this article, Greg Young, vice president of cybersecurity at Trend Micro, shares his thoughts.

Forward-Looking Security Analysis of Smart Factories Part 4: MES Database Compromises

In this five-part blog series, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios and recommended defense strategies. Part four describes how the Manufacturing Engineering System (MES) plays an important role in the manufacturing process and how cyberattacks on the MES can affect production activities.

Elite CIA Unit that Developed Hacking Tools Failed to Secure its Own Systems, Allowing Massive Leak, an Internal Report Found

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report. The breach — allegedly committed by a CIA employee — was discovered a year after it happened, when the information was published by WikiLeaks in March 2017.

Unpatched Vulnerability Identified in 79 NETGEAR Router Models

A whopping 79 NETGEAR router models are vulnerable to a severe security flaw that can let hackers take over devices remotely. According to researchers, the vulnerability impacts 758 different firmware versions that have been used on 79 NETGEAR routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.

Massive IBM Cloud Outage Caused by BGP Hijacking

IBM has provided new information about the large-scale outage that occurred this week, affecting many IBM Cloud customers. The outage, which knocked a whole host of sites offline, was the result of BGP hijacking, said the firm.

Hackers Posing as LinkedIn Recruiters to Scam Military, Aerospace Firms

A new, highly sophisticated espionage campaign targeting military and aerospace organizations across Europe and the Middle East has been discovered by cybersecurity firm ESET. The campaigners attempt to lure company employees to extract money and/or sensitive documents. Dubbed Operation In(ter)caption; the campaign was active from September to December 2019, and espionage is declared the primary objective behind this campaign.

Phishing Campaign Targeting Office 365, Exploits Brand Names

Researchers have discovered a sophisticated new phishing campaign that uses recognized brand names to bypass security filters and to trick victims into giving up Microsoft Office 365 credentials to gain access to corporate networks. A report from Check Point Software first observed the attacks—the majority of which targeted European companies, with others seen in Asia and the Middle East.

Foodora Data Breach Impacts Customers in 14 Countries

Online food delivery service Delivery Hero has confirmed a data breach affecting its Foodora brand. The cybersecurity incident has exposed the account details of 727,000 customers in 14 different countries. Information exposed in the incident included names, addresses, phone numbers, and hashed passwords. While no financial data was leaked, customers’ geolocation data, accurate to within a couple of inches, was breached.

Cisco Adds New Security Features to Webex, Patches Serious Vulnerabilities

At its Cisco Live 2020 event, the networking giant informed customers that it has extended its data loss prevention (DLP) retention, Legal Hold and eDiscovery features to Webex Meetings. The company has also published several security advisories this week for Webex vulnerabilities, including three that have been classified as high severity and one rated medium severity.

Vulnerable Platform Used in Power Plants Enables Attackers to Run Malicious Code on User Browsers

Otorio’s incident response team identified a high-score vulnerability in OSIsoft’s PI System. They immediately notified OSIsoft Software of the vulnerability, which OSIsoft filed with ICS-CERT (ICSA-20-163-01). Installed in some of the world’s largest critical infrastructure facilities, OSIsoft Software’s PI System is a data management platform that accesses a broad range of core OT network assets in the sites it serves.

What other sophisticated phishing campaigns have you seen during the pandemic? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Intel Says ‘Tiger Lake’ Will Drown Control-Flow Malware and New Phishing Campaign Targeting Office 365 Exploits Brand Names appeared first on .

This Week in Security News: Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update and New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Microsoft’s largest-ever Patch Tuesday update including 129 CVEs. Also, read about a new Android Spyware dubbed ActionSpy.

Read on:

Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update

Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products.

#LetsTalkSecurity: Become the Hunter 

This week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the sixth episode of #LetsTalkSecurity featuring guest Jake Williams, founder of Rendition Infosec. Check out this week’s episode and follow the link to find more information about upcoming episodes and guests.

Not Just Good Security Products, But a Good Partner

This week, Trend Micro announced it has been placed in the Champions quadrant of the Canalys Global Cybersecurity Leadership Matrix, in recognition of major investments and improvements in the channel over the past year. The report particularly highlights Trend Micro’s partner portal improvements that include significant investments in deal registration, sales kits, promotions and training.

12 Biggest Cloud Threats and Vulnerabilities In 2020

Data breaches, cybercrime and targeted attacks in the cloud have driven demand for cloud security products and services in recent years. From misconfigured storage buckets and excess privileges to Infrastructure as Code (IoC) templates and automated attacks, here’s a look at 12 of the biggest cloud threats technical experts are worried about this year. Data breaches, cybercrime and targeted attacks in the cloud have driven demand for cloud security products and services in recent years.

Trend Micro Guardian: Protecting Your Kids On-the-Go

Some smart devices are not limited for use on the home network, for example, your child’s mobile phone or tablet. Keeping your kids safe with on-the-go devices means extending your security policies beyond the home. Trend Micro Home Network Security makes it easy with its free app, Trend Micro Guardian. Guardian integrates with HNS’s parental control rules via Mobile Device Management technology to extend the rules you’ve applied on your home network to your children’s Wi-Fi/mobile connections outside the home.

Microsoft Discovers Cryptomining Gang Hijacking ML-Focused Kubernetes Clusters

Microsoft published a report detailing a never-before-seen series of attacks against Kubeflow, a toolkit for running machine learning (ML) operations on top of Kubernetes clusters. The attacks have been going on since April, and Microsoft says its end-goal has been to install a cryptocurrency miner on Kubernetes clusters running Kubeflow instances exposed to the internet.

New Tekya Ad Fraud Found on Google Play

In late March, researchers from CheckPoint found the Tekya malware family being used to carry out ad fraud on Google Play. These apps have since been removed from the store, but Trend Micro recently found a variant of this family that had made its way onto Google Play via five malicious apps, although these have also been removed.

Fake COVID-19 Contact-Tracing Apps Infect Android Phones

Security researchers have identified 12 malicious Android applications, disguised to appear as official government COVID-19 contact-tracing apps, distributing malware onto devices. The Anomali Threat Research team found multiple applications containing a range of malware families, primarily banking Trojan Anubis and SpyNote, an Android Trojan with the goal of collecting and monitoring data on infected devices.

Tracking, Detecting, and Thwarting PowerShell-based Malware and Attacks

While traditional malware and attacks rely on crafted executables to function, fileless malware reside in memory to evade traditional scanners and detection methods. PowerShell, a legitimate management tool used by system administrators, provides an ideal cover for threat actors as they craft payloads heavily dependent on its deep Windows integration. Trend Micro has published multiple reports on this phenomenon, which has been further validated by telemetry data.

Updated Analysis on Nefilim Ransomware’s Behavior

Shortly after the discovery of Nefilim in March 2019, Trend Micro released its analysis of the ransomware and its behavior. Through recent investigations of cases observed in several companies, Trend Micro has amassed more information on how this ransomware operates. Some notable updates added the use of other tools such as Mimikatz, AdFind, CobaltStrike, and MegaSync, and the description of events that occur within the attack phases weeks or even months before the ransomware is deployed.

New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa

While tracking Earth Empura, also known as POISON CARP/Evil Eye, Trend Micro identified an undocumented Android spyware it has dubbed ActionSpy. During the first quarter of 2020, Trend Micro observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope to include Taiwan.

Babylon Health Admits ‘Software Error’ Led to Patient Data Breach

Babylon Health, a UK AI chatbot and telehealth startup which has been valued in excess of $2BN, has suffered an embarrassing data breach after a user of the app found he was able to access other patients’ video consultations. The company confirmed the breach yesterday, telling the BBC that a “software error” related to a feature that lets users switch from audio to video-based consultations part way through a call had caused a “small number” of UK users to be able to see others sessions.

Forward-Looking Security Analysis of Smart Factories Part 3: Trojanized Libraries for Industrial IoT Devices

In part three of this five-part blog series, Trend Micro looks at the security risks of promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This blog describes the usage of Industrial IoT (IIoT) devices and overlooked security risks in software supply chains.

Surprised by the new Android spyware ActionSpy that was revealed via phishing attacks from Earth Empusa? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update and New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa appeared first on .

This Week in Security News: Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode and TrickBot Adds Enterprise-grade Module to Malware Arsenal

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a new module for the infamous trojan known as TrickBot that has been deployed. Also, read about Google’s $5 billion class-action lawsuit over claims that it has been collecting people’s browsing information when using the incognito browsing mode.

 

Read on:

No Entry: How Attackers Can Sneak Past Facial Recognition Devices

Now more than ever, businesses are looking into contactless entry solutions, turning to edge devices that use facial recognition or small devices like radio-frequency identification cards. These devices serve as the first line of defense for keeping intruders out of offices, which can be subject to many different types of attacks. In this blog, Trend Micro analyzes the different ways an intruder can trick or hack into facial recognition access control devices.

Cloud Security and Data Protection: What Enterprises Need to Know

Data security is rarely the first consideration when choosing a public cloud service provider. That is changing, though, because of the rise of tougher rules, regulations, and standards aimed at protecting consumer privacy. In this article, Mark Nunnikhoven, vice president of cloud research at Trend Micro, shares his thoughts on what enterprises need to know about cloud security and data protection.

Lemon Duck Cryptominer Spreads Through Covid-19 Themed Emails

In a recent campaign, Trend Micro came across a PowerShell script (mailer script) that distributes the Lemon Duck cryptominer through a new propagation method: Covid-19-themed emails with weaponized attachments. These emails are delivered to all Microsoft Outlook contacts of the user of a compromised machine, as similarly observed by SANS Internet Storm Center.

TrickBot Adds BazarBackdoor to Malware Arsenal

A new module for the infamous trojan known as TrickBot has been deployed: A stealthy backdoor that researchers call “BazarBackdoor.” The binary was first spotted being delivered as part of a phishing campaign that began in March, according to Panda Security. The campaign used the legitimate marketing platform Sendgrid to reach targets in a mass-mailing fashion.

Factory Security Problems from an IT Perspective (Part 3): Practical Approach for Stable Operation

This article is the last in a three-part series discussing the challenges IT departments face when they are tasked with overseeing cybersecurity in factories and implementing measures to overcome those challenges. For strong factory security, Trend Micro recommends three measures: network separation, layer-optimized measures, and integrated management of these elements. In this third article, Trend Micro explains this concrete approach to security.

Zoom Patches Two Serious Vulnerabilities Found by Cisco Researchers

Members of Cisco’s Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user’s system and possibly achieve arbitrary code execution. The vulnerabilities, tracked as CVE-2020-6109 and CVE-2020-6110, are both rated high severity.

#LetsTalkSecurity: Ghost in the Machine 

This Week, Rik Ferguson, vice president of security research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Joe Slowik, USN Vet, Adversary Hunter, and Digital Sanitation Engineer with a focus on ICS. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode

Google faces a $5 billion class-action lawsuit over claims that it has been collecting people’s browsing information without their knowledge when using the incognito browsing mode that is meant to keep their online activities private. The lawsuit, filed in the federal court in San Jose, California, alleges that Google compiles user data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads.

Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique

Trend Micro recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (detected as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phone.

Email Scammer Pleads Guilty to Defrauding Texas Firms Out of More Than $500,000

A 64-year-old man has admitted his role in an email-based fraud scheme that relied on spoofed email addresses to con two companies out of more than $500,000. Kenety Kim, or Myung Kim, pleaded guilty Tuesday in a Texas court to conspiracy to commit money laundering as part his role in a business email compromise scheme.

Surprised by Google’s lawsuit over tracking users in incognito mode? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode and TrickBot Adds Enterprise-grade Module to Malware Arsenal appeared first on .

Message from Eva Chen – as a human being, not a CEO: We need to speak out and act against racism

By Eva Chen

 

I would like to express my outrage over the brutal killings of George Floyd, Breonna Taylor, and Ahmaud Arbery – not as the CEO of an international company, but as a human being and a citizen of the world. It makes me very sad, but also intensely frustrated and angry to realize how little is being done around the world to overcome the blatant inequality and racism that persists. The disturbing, high-profile incidents in the past weeks expose in a cruel way how we live in a world where fear, uncertainty and discrimination continue to impact the lives of black people every single day.

 

As a global society, we should do better; we must be better.

 

At Trend Micro, we are committed to providing a safe, empathetic and respectful environment where we reject any form of racism and discrimination, with zero tolerance. We not only welcome diversity in our Trend Micro family, we encourage it, whether it is diversity of race, ethnicity, nationality, gender, gender identification, sexual orientation, physical ability, age, religion, veteran status, socio-economic status, and political philosophy. We believe it is our different backgrounds and experiences that make us who we are and make us as strong as we are. But we continue to listen and learn how to create equality for all.

 

I feel very strongly that we all need to do something and become a force for change. We have an obligation towards our communities and our children to leave this world in a better place. I am fortunate as a CEO to be able to use my voice to speak out against any kind of discrimination, against racism in any form. I ask that we all seek to expand our perspectives and heighten our awareness of others. We must open our eyes to the current and ugly truth and challenge any subconscious tendencies to avoid this painful reality of inequality!

 

Today I am inspired to lift up the voice of a young Trend Micro employee who posted on our internal web site:

 

“Progress is a process. Unity is part of the process.
Unity drives awareness…
Awareness drives education…
Education drives action…
Action drives change…
Let’s make a change!”

 

These are very difficult times for us as individuals, communities, and as nations. I ask you to join me in doing our part to fight racism – we can’t afford any more lives to be lost, any more children growing up deprived of their opportunities. First and foremost, we need to listen to our black communities and educate ourselves. And we must acknowledge that this is an ongoing issue – and continue to fight inequality every day, even when the protests don’t make headlines anymore. We can all make a difference. Speak out against injustice, listen to the stories of inequality, act, vote and make a change.

 

Together, we can make this world a better place!

Eva Chen

The post Message from Eva Chen – as a human being, not a CEO: We need to speak out and act against racism appeared first on .

This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia’s most advanced cyber-espionage units.

Read on:

How the Cybercriminal Underground Has Changed in 5 Years

Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shadowserver, an Internet Guardian, Finds a Lifeline

In March, internet security group Shadowserver learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. 

#LetsTalkSecurity: No Trust for the Wicked 

This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Principles of a Cloud Migration – Security W5H – The HOW

Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time – security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud.

What’s Trending on the Underground Market?

Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals. Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities.

Is Cloud Computing Any Safer from Malicious Hackers?

Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out.

Smart Yet Flawed: IoT Device Vulnerabilities Explained

The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the “things” in the internet of things (IoT) benefits homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. For now, it is better to be cautious and understand that “smart” can also mean vulnerable to threats.

Cyberattacks Against Hospitals Must Stop, Says Red Cross

Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic – and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others.

Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code

Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management. Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers.

Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652

Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners.

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time

A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking — the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely.

Qakbot Resurges, Spreads through VBS Files

Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro’s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April.

CSO Insights: SBV’s Ian Keller on the Challenges and Opportunities of Working Remotely

The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward.

NSA Warns of New Sandworm Attacks on Email Servers

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia’s most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Forward-Looking Security Analysis of Smart Factories <Part 2> Security Risks of Industrial Application Stores

In the second part of this five series column, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially applicable for architects, engineers, and developers who are involved in smart factory technology.

Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology

This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective.

21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac

If you brought a Mac home from the office, it’s likely already set up to meet your company’s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac.

Surprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers appeared first on .

This Week in Security News: New Bluetooth Vulnerability Exposes Billions of Devices to Hackers and Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a new security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device. Also, learn about two malware files that pose as Zoom installers but when decoded, contain malware code.

Read on:

Forward-Looking Security Analysis of Smart Factories <Part 1> Overlooked Attack Vectors

Trend Micro recently released a paper showing the results of proof-of-concept research on new security risks associated with smart factories. In this series of five columns, Trend Micro will explore the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This first column introduces the concept of “smart manufacturing,” and explains the research methods and attack vectors that are unique to smart factories.

Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

Trend Micro found two malware files that pose as Zoom installers but when decoded, contain malware code. These malicious fake installers do not come from Zoom’s official installation distribution channels. One of the samples installs a backdoor that allows threat actors to run malicious routines remotely, while the other sample involves the installation of the Devil Shadow botnet in devices.

Adobe Releases Critical Out-of-Band Security Update

This week, Adobe released four security updates, one of them being an out-of-band security update for Adobe Character Animator that fixes a critical remote code execution vulnerability. All these vulnerabilities were discovered by Mat Powell of Trend Micro’s Zero Day Initiative and were not found in the wild.

QNodeService: Node.js Trojan Spread via Covid-19 Lure

Trend Micro recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.

ShinyHunters Is a Hacking Group on a Data Breach Spree

In the first two weeks of May, a hacking group called ShinyHunters went on a rampage, hawking what it claims is close to 200 million stolen records from at least 13 companies. Such binges aren’t unprecedented in the dark web stolen data economy, but they’re a crucial driver of identity theft and fraud.

Netwalker Fileless Ransomware Injected via Reflective Loading

Trend Micro has observed Netwalker ransomware attacks involving malware that is not compiled but written in PowerShell and executed directly in memory and without storing the actual ransomware binary into the disk. This makes this ransomware variant a fileless threat, enabling it to maintain persistence and evade detection by abusing tools that are already in the system to initiate attacks.

Beware of Phishing Emails Urging for a LogMeIn Security Update

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. The phishing email has been made to look like it’s coming from LogMeIn. Not only does the company logo feature prominently in the email body, but the sender’s identity has been spoofed and the phishing link looks, at first glance, like it might be legitimate.

Phishing Site Uses Netflix as Lure, Employs Geolocation

A phishing site was found using a spoofed Netflix page to harvest account information, credit card credentials, and other personally identifiable information (PII), according to a Twitter post by PartnerRe Information Security Analyst Andrea Palmieri. Trend Micro looked into the malicious site, hxxp://secure-up-log.com/netflix/, to learn more about the operation and found that the sites have geolocation features.

New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion modern devices to hackers. The attacks, dubbed Bluetooth Impersonation Attacks or BIAS, concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.

#LetsTalkSecurity: Fighting Back  

This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the third episode of #LetsTalkSecurity featuring guest Katelyn Bowden, CEO & founder of The BADASS Army. In this week’s episode, Rik and Katelyn discuss fighting back and more. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Fraudulent Unemployment, COVID-19 Relief Claims Earn BEC Gang Millions

An infamous business email compromise (BEC) gang has submitted hundreds of fraudulent claims with state-level U.S. unemployment websites and coronavirus relief funds. Behind the attacks is Scattered Canary, a highly organized Nigerian cybergang that employs dozens of threat actors to target U.S. enterprise organizations and government institutions. Researchers who tracked the fraudulent activity said the gang may have made millions from the fraudulent activity.

Factory Security Problems from an IT Perspective (Part 1): Gap Between the Objectives of IT and OT

The manufacturing industry is undergoing drastic changes and entering a new transition period. Today, it may be difficult to find companies that don’t include Digital Transformation (DX) or the Internet of Things (IoT) in their strategies. Manufacturing companies need to include cybersecurity in both the information technology (IT) domain and the operational technology (OT) one as well. This three-part blog series discusses the challenges that IT departments face when assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges.

What did you think about this week’s #LetsTalkSecuirty episode? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: New Bluetooth Vulnerability Exposes Billions of Devices to Hackers and Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers appeared first on .

This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how researchers at Trend Micro used an app store to demonstrate hacks on a manufacturing facility. Also, learn about this month’s patch activity from Microsoft.

Read on:

How Two Researchers Used an App Store to Demonstrate Hacks on a Factory

When malicious code spread through the networks of Rheinmetall Automotive, it disrupted plants on two continents, temporarily costing up to $4 million each week. While awareness of these type of threats has grown, there’s still a risk that too many organizations view such attacks as isolated incidents, rather than the work of a determined attacker. Federico Maggi, a senior researcher at Trend Micro, set out to dispel that mindset.

#LetsTalkSecurity: Hacker Adventures  

This Week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the second episode of #LetsTalkSecurity featuring Jayson E. Street, Vice President at SphereNY. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday

For the third consecutive month Microsoft issued a hefty list of Patch Tuesday security updates covering 111 CVEs with 16 making the critical list. This is the third month Microsoft has had more than 100 vulnerabilities listed in its monthly security rollup, but unlike the last few months, May’s list does not contain any vulnerabilities currently being exploited in the wild.

Principles of a Cloud Migration – Security W5H – The WHERE

Where do we add security in the cloud? Start by removing the thinking that security controls are tied to specific implementations. You don’t need an intrusion prevention wall that’s a hardware appliance much like you don’t need an agent installed to do anti-malware. This blog puts the focus on your configuration, permissions, and other best practices.

Securing Smart Manufacturing

Trend Micro recently published a report that surveys the Industry 4.0 attack surface, finding that within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. In the current report on rogue robots, Trend Micro collaborated with the Politecnico di Milano to analyze the range of specific attacks today’s robots face, and the potential consequences those attacks may have.

Package Delivery Giant Pitney Bowes Confirms Second Ransomware Attack in 7 Months

Package and mail delivery giant Pitney Bowes suffered its second ransomware attack in seven months. The incident came to light after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company’s network. The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company’s computer network.

Tropic Trooper’s Back: USBferry Attack Targets Air-Gapped Environments

Trend Micro recently found that Tropic Trooper’s latest activities center around targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack. Trend Micro also observed targets among military/navy agencies, government institutions, military hospitals, and a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.

Texas Courts Won’t Pay Up in Ransomware Attack

A ransomware attack has hit the IT office that supports Texas appellate courts and judicial agencies, leading to their websites and computer servers being shut down. The office said that it will not pay the ransom requested by the cybercriminals. Specifically affected is the Office of Court Administration, which is the IT provider for the appellate courts and state judicial agencies within the Texas Judicial Branch.

New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability

Trend Micro found an application sample in April called TinkaOTP that seemed like a normal one-time password authentication tool. However, further investigation showed the application bearing a striking resemblance to Dacls remote access trojan (RAT), a Windows and Linux backdoor that 360 Netlab discovered in December 2019.

Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability

Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting (DOM XSS) vulnerability that could have been exploited to hijack accounts. The researcher says he discovered the vulnerability in the window.postMessage() method, which is meant to safely enable cross-origin communication between Window objects.

Cloud Security: Key Concepts, Threats, and Solutions

Enterprises may be migrating requirements to the cloud, starting fully in the cloud (going “cloud native”), or mastering their cloud-based security strategy. Regardless of what stage of the cloud journey a company is in, cloud administrators should be able to conduct security operations like performing vulnerability management, identifying important network events, carrying out incident response, and gathering and acting on threat intelligence — all while keeping many moving parts in compliance with relevant industry standards.

From Bugs to Zoombombing: How to Stay Safe in Online Meetings

Forced to now work, study, and socialize at home, the online digital world has become essential to our communications — and video conferencing apps have become our “face-to-face” window on the world. The problem is that as users flock to these services, the bad guys are also waiting to disrupt or eavesdrop on chats, spread malware, and steal data. In this blog, Trend Micro explores some of the key threats out there and how users can stay safe while video conferencing.

Surprised by Texas courts’ decision not to pay the ransom in its latest ransomware attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday appeared first on .

This Week in Security News: 7 Tips for Security Pros Patching in a Pandemic and Coinminer, DDoS Bot Attack Docker Daemon Ports

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. Also, learn about tips for IT and security pros struggling to patch properly throughout the pandemic.

 

Read on:

#Let’sTalkSecurity: Bounty Smarter Not Harder

This Week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the first episode of #Let’sTalkSecurity featuring Katie Moussouris, Founder and CEO of Luta Security. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Teaming Up with INTERPOL to Combat COVID-19 Threats

Partnerships matter in times of a crisis. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia, and law enforcement to collaborate. Trend Micro is delighted to be working with long-time partner, INTERPOL, over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from an influx of COVID-19 threats.

7 Tips for Security Pros Patching in a Pandemic

Patch management has historically been a challenge for IT and security teams, which are under pressure to create strong programs and deploy fixes as they are released. Now, their challenges are intensified as a global shift to remote work forces companies to rethink patching strategies. In this article, experts in vulnerability and patch management share their advice for IT and security pros struggling to patch properly throughout the pandemic.

Principles of a Cloud Migration – Security W5H – The When

Security is as important to your cloud migration as the actual workload you are moving to the cloud. It is essential to plan and integrate security at every single layer of both architecture and implementation. If you are doing a disaster recovery migration, you need to make sure that security is ready for the infrastructure, your shiny new cloud space, as well as the operations supporting it.

Samsung Patches 0-click Vulnerability Impacting All Smartphones Sold Since 2014

This week Samsung released a security update to fix a critical vulnerability impacting all smartphones sold since 2014. The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.

Security 101: How Fileless Attacks Work and Persist in Systems

As security measures get better at identifying and blocking malware and other threats, modern adversaries are constantly crafting sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which do not require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform

Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company’s massive user base.

Phishing, Other Threats Target Email and Video App Users

Trend Micro has seen several threats abusing tools utilized in work from home (WFH) setups. Cybercriminals are using credential phishing sites to trick users into entering their credentials into fake login pages of email and collaboration platforms and videoconferencing apps.

Firefox 76 Delivers New Password Security Features and Security Fixes

Just in time for this year’s World Password Day, Mozilla has released new Firefox Lockwise features. Starting with Firefox 76, users will be able to check whether any of the passwords they use are vulnerable (e.g., identical to a password that has been breached) and be alerted when their login and password is involved in a breach.

Excel Files with Hidden Sheets Target Users in Italy

A spam campaign using emails that have Excel file (.xls) attachments has been seen circulating and targeting users in Italy, Germany and other countries. The attachment appears blank when opened, but it has a sheet set to “hidden” that attempts to connect to a URL and download a file. Setting sheets to hidden is a documented feature. Some of the subjects of the spam emails written in Italian involve topics like free services, correcting information, invoice details, order completion and service assistance.

Coinminer, DDoS Bot Attack Docker Daemon Ports

Researchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, Trend Micro found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and DDoS bot.

Naikon APT Hid Five-Year Espionage Attack Under Radar

After five years under the radar, the Naikon APT group has been unmasked in a long-term espionage campaign against several governments in the Asia-Pacific region. The Chinese APT group was first uncovered by Kaspersky researchers in 2015. A recently discovered widespread campaign reveals the group has spent the past five years quietly developing their skills and introducing the “Aria-body” RAT into their arsenal of weapons.

What do you think about Firefox’s new Lockwise password security features? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: 7 Tips for Security Pros Patching in a Pandemic and Coinminer, DDoS Bot Attack Docker Daemon Ports appeared first on .

Teaming up with INTERPOL to combat COVID-19 threats

By Trend Micro

If the past couple of months have taught us anything, it’s that partnerships matter in times of crisis. We’re better, stronger and more resilient when we work together. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia and law enforcement to offer its expertise.

We are again delighted to be working with long-time partner INTERPOL over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from a deluge of COVID-19 threats.

The new normal

All over the world, organizations have been forced to rapidly adjust to the new normal: social distancing, government lockdowns and mass remote working. While most have responded superbly to the challenge, there’s no denying that IT security teams and remote access infrastructure are being stretched to the limit. There are understandable concerns that home workers may be more distracted, and therefore likely to click on phishing links, and that their PCs and devices may not be as well protected as corporate equivalents.

At the same time, the bad guys have also reacted quickly to take advantage of the pandemic. Phishing campaigns using COVID as a lure have surged, spoofing health authorities, government departments and corporate senders. BEC attacks try to leverage the fact that home workers may not have colleagues around to check wire transfer requests. And remote infrastructure like RDP endpoints and VPNs are being targeted by ransomware attackers — even healthcare organizations that are simultaneously trying to treat critical patients infected with the virus.

Getting the basics right

That’s why Trend Micro has been pushing out regular updates — not only on the latest scams and threats we’re picking up around the globe, but also with advice on how to secure the newly distributed workforce. Things like improved password security, 2FA for work accounts, automatic software updates, regular back-ups, remote user training, and restricted use of VPNs can all help. We’re also offering six months free use of our flagship Trend Micro Maximum Security product to home workers.

Yet there’s always more to do. Getting the message across as far and wide as possible is where organizations like INTERPOL come in. That’s why we’re delighted to be teaming up with the global policing organization to run a new public awareness campaign throughout May. It builds on highly successful previous recent campaigns we’ve collaborated on, to tackle BEC and crypto-jacking.

This time, we’ll be resharing some key resources on social media to alert users to the range of threats out there, and what businesses and home workers can do to stay safe. And we’ll help to develop infographics and other new messages on how to combat ransomware, online scams, phishing and other threats.

We’re all doing what we can during these difficult days. But if some good can come from a truly terrible event like this, then it’s that we show our strength in the face of adversity. And by following best practices, we can make life much tougher for the cybercriminals looking to profit from tragedy.

The post Teaming up with INTERPOL to combat COVID-19 threats appeared first on .

This Week in Security News: Shade Ransomware Shuts Down, Releases Decryption Keys and WebMonitor RAT Bundled with Zoom Installer

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how the operators of the Shade (Troldesh) ransomware have shut down and released more than 750,000 decryption keys. Also, learn about an attack using Zoom installers to spread a WebMonitor RAT malware.

Read on:

The Industry 4.0 Lab Never Ignores Brownfields – What POLIMI and Trend Micro Aim to Prove

It takes time for new technologies to penetrate the market and even the most innovative technology must be used safely and with confidence. Industry 4.0 technology is no exception. Engineers and researchers, including those at Politecnico di Milano (POLIMI) and Trend Micro, are currently investigating how to map ICT technology principles onto OT environments, including factory environments.

Shade (Troldesh) Ransomware Shuts Down and Releases Decryption Keys

The operators of the Shade (Troldesh) ransomware have shut down and, as a sign of goodwill, have released more than 750,000 decryption keys that past victims can now use to recover their files. Security researchers from Kaspersky Lab have confirmed the validity of the leaked keys and are now working on creating a free decryption tool.

Trend Micro’s Top Ten MITRE Evaluation Considerations

The MITRE ATT&CK framework, and the evaluations, have gone a long way in helping advance the security industry, and the individual security products serving the market. The insight garnered from these evaluations is incredibly useful but can be hard to understand. In this blog, read Trend Micro’s top 10 key takeaways for its evaluation results.  

New Android Malware Steals Banking Passwords, Private Data and Keystrokes

A new type of mobile banking malware has been discovered abusing Android’s accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Dubbed “EventBot” by Cybereason researchers, the malware can target over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets. 

Principles of a Cloud Migration – Security, The W5H – Episode WHAT?

Last week in Trend Micro’s cloud migration blog series, we explained the “WHO” of securing a cloud migration, detailing each of the roles involved with implementing a successful security practice during the migration. This week, Trend Micro touches on the “WHAT” of security: the key principles required before your first workload moves.  

Critical WordPress e-Learning Plugin Bugs Open Door to Cheating

Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more. 

WebMonitor RAT Bundled with Zoom Installer

The COVID-19 pandemic has highlighted the usefulness of communication apps for work-from-home setups. However, as expected, cybercriminals look to exploit popular trends and user behavior. Trend Micro has witnessed threats against several messaging apps, including Zoom. In April, Trend Micro spotted an attack using Zoom installers to spread a cryptocurrency miner. Trend Micro recently encountered a similar attack that drops a different malware: RevCode WebMonitor RAT. 

Group Behind TrickBot Spreads Fileless BazarBackdoor

A new campaign is spreading a new malware named “BazarBackdoor,” a fileless backdoor created by the same threat actors behind TrickBot, according to BleepingComputer. The conclusion is drawn due to similarities in code, crypters, and infrastructure between the two malware variants. The social engineering attacks used to spread the backdoor use topics such as customer complaints, COVID-19-themed payroll reports, and employee termination lists for the emails they send out. 

Critical Adobe Illustrator, Bridge and Magento Flaws Patched

Adobe is warning of critical flaws in Adobe Bridge, Adobe Illustrator and the Magento e-commerce platform. If exploited, the most severe vulnerabilities could enable remote code execution on affected systems. Francis Provencher, Mat Powell, and an anonymous reporter were credited for discovering the flaws, all working with Trend Micro’s Zero Day Initiative.

Guidance on Kubernetes Threat Modeling

Kubernetes is one of the most used container orchestration systems in cloud environments. As such, like any widely used application, it is an attractive target for cybercriminals and other threat actors. In this blog, Trend Micro shares three general areas that cloud administrators need to secure their deployments against, as they can introduce threats or risks to their Kubernetes-driven containerization strategies.

Loki Info Stealer Propagates Through LZH Files

Trend Micro previously encountered a spam sample that propagates the info stealer Loki through Windows Cabinet (CAB) files. Recently, Trend Micro also acquired another sample that delivers the same malware, but through LZH compressed archive files. Trend Micro detects the attachment and the dropper as TrojanSpy.Win32.LOKI.TIOIBYTU.

Security 101: How Fileless Attacks Work and Persist in Systems

As security measures improve, modern adversaries continue to craft sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which don’t require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.

COVID-19 Lockdown Fuels Increase in RDP Attacks

The number of attacks abusing the remote desktop protocol (RDP) to compromise corporate environments has increased significantly over the past couple of months, according to Kaspersky. With employees worldwide forced to work from home due to the COVID-19 pandemic, the volume of corporate traffic has increased significantly, just as the use of third-party services has increased to keep teams connected and efficient.

What measures are you taking to secure your migration to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Shade Ransomware Shuts Down, Releases Decryption Keys and WebMonitor RAT Bundled with Zoom Installer appeared first on .

This Week in Security News: Security Researcher Discloses Four IBM Zero-Days After Company Refused to Patch and Trend Micro Integrates with Amazon AppFlow

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a security researcher who has published details about four zero-day vulnerabilities impacting an IBM security product after the company refused to patch the bugs. Also, learn about Amazon’s new AppFlow and how Trend Micro Cloud One integrates with it.

Read on:

Trend Micro’s COVID-19 Resource Page

To help protect you during the COVID-19 pandemic, Trend Micro has put together a resource page to help address the new security challenges you may be facing. This page includes the latest news and information on COVID-19 scams, security tools and programs to help keep you informed and safe while you work remotely.

Security Researcher Discloses Four IBM Zero-Days After Company Refused to Patch

A security researcher has published details about four zero-day vulnerabilities impacting an IBM security product after the company refused to patch bugs following a private bug disclosure attempt. The bugs impact the IBM Data Risk Manager (IDRM), an enterprise security tool that aggregates feeds from vulnerability scanning tools and other risk management tools to let admins investigate security issues.

“We Need COBOL Programmers!” No, You Probably Don’t

New Jersey recently made the news following a plea for COBOL programmers to help modernize legacy systems running unemployment claims that had apparently failed following a recent spike in activity. In a recent blog from Bill Malik, VP of Infrastructure Strategies at Trend Micro, Bill explains why needing more COBOL programmers is likely not the answer.

 All the Things COVID-19 Will Change Forever, According to 30 Top Experts

We’re four weeks into the massive time-out forced on us by coronavirus and many of us have spent much of that time trying to get used to the radical lifestyle change the virus has brought. But we’re also beginning to think about the end of the crisis, and what the world will look like afterward. In this article, read Trend Micro CEO Eva Chen’s thoughts on how businesses will operate in the post-COVID world.

Gamaredon APT Group Use COVID-19 Lure in Campaigns

Gamaredon is an APT group that has been active since 2013 and is generally known for targeting Ukrainian government institutions. Trend Micro recently came across an email with a malware attachment that used the Gamaredon group’s tactics. Some of the emails used the coronavirus pandemic as a topic to lure victims into opening emails and attachments, and campaigns targeted victims in European countries, among others.

Grouping Linux IoT Malware Samples with Trend Micro ELF Hash

This year, 31 billion IoT devices are expected to be installed globally. Consequently, cybercriminals have been developing IoT malware, such as backdoors and botnets, for malicious purposes, including digital extortion. In response, Trend Micro created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters malware targeting IoT devices running on Linux, using Executable and Linkable Format (ELF) files.

SBA Reveals Potential Data Breach Impacting 8,000 Emergency Business Loan Applicants

The US Small Business Administration (SBA) has revealed a suspected data breach impacting the portal used by business owners to apply for emergency loans. On Tuesday, the US agency said the incident may affect close to 8,000 applicants to the Economic Injury Disaster Loan program (EIDL), which offers up to $10,000 to small business owners currently struggling due to the coronavirus pandemic.

Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining

Recently, Trend Micro wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this blog, Trend Micro expands on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-mining bots and infect other vulnerable instances via their “wormlike” spreading capability.

Trend Micro Integrates with Amazon AppFlow

The acceleration of in-house development enabled by public cloud and Software-as-a-Service (SaaS) platform adoption in the last few years has given us new levels of visibility and access to data. Putting all the data together to generate insights and action, however, can present a challenge. Amazon is changing that with the release of AppFlow. Trend Micro Cloud One is a launch partner with this new service, enabling simple data retrieval from your Cloud One dashboard to be fed into AWS services as needed.

iOS Exploit Lets Attackers Access Default iPhone Mail App

This week it was reported that alleged Chinese state-sponsored hackers have been exploiting a critical vulnerability in iOS to spy to Uyghurs Muslim minority in China. In a new report published by security firm Zecops, it has been noted that a bug in iOS has been exploited by hackers since at least January 2018.

Nemty Ransomware Ceases Public Operations, Focuses on Private Schemes

Threat actors behind Nemty ransomware are to close their ransomware-as-a-service operation as they zero in on private schemes. This was confirmed in a Russian hacker forum post that security researcher Vitali Kremez shared with Bleeping Computer. In the post, “jsworm,” the ransomware’s operator, declared that “we leave in private” (translated from Russian) and that current victims only have one week to acquire decryptors for the last time.

Maze Ransomware Attacks US IT Firm

According to a report from Bleeping Computer, IT managed services firm Cognizant suffered a ransomware attack purportedly conducted by threat actors behind Maze ransomware. The company has emailed their clients about the attack, including a preliminary list of indicators of compromise (IoC) identified through its investigation. The list of IoCs include IP addresses and file hashes, which have been linked to previous Maze attacks.

Containers Are Not VMs, and Other Misconceptions

The adoption rate of containers has been steadily growing as organizations begin to see the benefits container technology provides. This adoption represents a new computing paradigm for many of the engineers responsible for running the IT infrastructure of these organizations – but new concepts often come with misconceptions. In this article, Trend Micro’s Rob Maynard shares some of the biggest misconceptions about container technology.

Australian Health Insurance-Themed Spam Spreads Ursnif

Trend Micro researchers encountered a spam campaign referencing the Australian health insurance brand Medicare. The attachment, which Trend Micro detects as Trojan.X97M.URSNIF.THDAEBO, downloads the malicious file (detected as TrojanSpy.Win32.URSNIF.THDAEBO). The campaign aims to spread the spyware Ursnif, also known as Gozi.

Loki Delivered as CAB File Attachment

Trend Micro has found a spam sample that delivers the info stealer Loki through an attached Windows Cabinet (CAB) file in its honeypot. The email that bears the malicious file poses as a quotation request to trick the user into executing the binary file inside the CAB file.

Know the Symptoms: Protect Your Devices While Working from Home

Would you know if one of your devices was compromised? In this article, Trend Micro shares how cybercriminals are leveraging the COVID-19 pandemic to capitalize on vulnerable hardware and unsecured systems. Trend Micro also shares common symptoms of compromise across mobile devices, desktops, laptops and IoT devices.

What do you think will be the biggest change to business in the post-COVID world? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Security Researcher Discloses Four IBM Zero-Days After Company Refused to Patch and Trend Micro Integrates with Amazon AppFlow appeared first on .

“We Need COBOL Programmers!” No, You Probably Don’t

By William "Bill" Malik (CISA VP Infrastructure Strategies)

Editor’s note: While this topic isn’t entirely security-specific, Trend Micro leader William Malik, has career expertise on the trending topic and shared his perspective.

——

There was a provocative report recently that the Governor of New Jersey told reporters that the state of New Jersey needed COBOL programmers. The reason was that the number of unemployment claims had spiked, and the legacy system running unemployment claims had failed. That 40-year-old system was written in COBOL, so the conclusion was that the old language had finally given out. Hiring COBOL programmers would let the State update and modernize the application to handle the increase in load.

This might be the problem, but it probably is not. Here’s why.

  1. Software doesn’t wear out, and it doesn’t rust. Any code that’s been running for 40 years is probably rock solid.
  2. Computers have a fixed amount of specific resources: processing power, memory, network capacity, disk storage. If any of these is used up, the computer cannot do any more work.
  3. When a computer application gets more load than it can handle, things back up. Here’s a link to a process that works fine until excessive load leads to a system failure. https://www.youtube.com/watch?v=NkQ58I53mjk Trigger warning – this may be unsettling to people working on assembly lines, or on diets.
  4. Adding more resources must fit the machine architecture proportionately.
  5. Incidentally, throwing a bunch of people at an IT problem usually makes things worse.

From these points, we learn the following lessons.

Software Doesn’t Wear Out

Logic is indelible. A computer program is deterministic. It will do exactly what you tell it to do, even if what you tell it to do isn’t precisely what you meant it to do. Code never misbehaves – but your instructions may be incorrect. That’s why debugging is such a hard problem.

Incidentally, that’s also why good developers usually make lousy testers. The developer focuses her mind on one thing – getting a bunch of silicon to behave. The tester looks for faults, examines edge conditions, limit conditions, and odd configurations of inputs and infrastructure to see how things break. The two mindsets are antithetical.

Once a piece of software has been in production long enough, the mainline paths are usually defect free. In fact, the rest of the code may be a hot mess, but that stuff doesn’t get executed so those defects are latent and do not impact normal processing. Ed Adams published a report in 1984 titled “Optimizing Preventative Service for Software Products” (https://ieeexplore.ieee.org/document/5390362, originally published in the IBM Journal of Research and Development, v 28, n 1). He concluded that once a product has been in production for a sufficient time, it was safer to leave it alone. Installing preventative maintenance was likely to disrupt the system. Most IT organizations know this, having learned the hard way. “If it ain’t broke, don’t fix it” is the mantra for this wisdom.

As a corollary, new software has a certain defect rate. Fixes to that software typically have a defect rate ten times greater. So if a typical fix is large enough, you put in a new bug for every bug you take out.

Computers Are Constrained

All computers have constraints. The relative amount of resources mean some computers are better for some workloads than others. For mainframes, the typical constraint is processing power. That’s why mainframes are tuned to run at 100% utilization, or higher. (How do you get past 100% utilization? Technically, of course, you can’t. But what the measurements are showing you is how much work is ready to run, waiting for available processing power. The scale actually can go to 127%, if there’s enough work ready.)

Different types of computers have different constraints. Mainframes run near 100% utilization – the CPU is the most expensive and constrained resource. PCs on the other hand never get busy. No human can type fast enough to drive utilization above a few percent. The constrained resource on PCs is typically disk storage. That’s why different types of computers do better at different types of work. PCs are great for user interface stuff. Mainframes are perfect for chewing through a million database records. By chance we developed mainframes first; that’s not an indictment of either type, Both are useful.

Computers Can Run Out of Resources

Any IT infrastructure has a design point for load. That is, when you put together a computer you structure it to meet the likely level of demand on the system. If you over-provision it, you waste resources that will never be used. If you under-provision it, you will not meet your service level agreements. So when you begin, you must know what the customers – your users – expect in terms of response time, number of concurrent transactions, database size, growth rates, network transaction load, transaction mix, computational complexity of transaction types, and so on. If you don’t specify what your targets are for these parameters, you probably won’t get the sizing right. You will likely buy too much of one resource or not enough of another.

Note that cloud computing can help – it allows you to dynamically add additional capacity to handle peak load. However, cloud isn’t a panacea. Some workloads don’t flex that much, so you spend extra money for flexibility for a capability that you can provide more economically and efficiently if it were in-house.

Add Capacity in Balance

When I was in high school our physics teacher explained that temperature wasn’t the same as heat. He said “Heat is the result of a physical or chemical reaction. Temperature is simply the change in heat over the mass involved.” One of the kids asked (snarkily) “Then why don’t drag racers have bicycle tires on the back?” The teacher was caught off guard. The answer is that the amount of heat put into the tire is the same regardless of its size, but the temperature was related to the size of the area where the tire touched the road. A bicycle tire has only about two square inches on the pavement, a fat drag tire has 100 square inches or more. So putting the same amount of horsepower spinning the tire will cause the bicycle tire’s temperature to rise about 50 times more than the gumball’s will.

When you add capacity to a computing system, you need to balance related capacity elements or you’ll be wasting money. Doubling the processor’s power (MHz or MIPS) without proportionately increasing the memory or network capacity simply moves the constraint from one place to another. What used to be a system with a flat-out busy CPU now becomes a system that’s waiting for work with a queue at the memory, the disk drive, or the network card.

Adding Staff Makes Things Worse

Increasing any resource creates potential problems of its own, especially of the system’s underlying architecture is ignored. Fore the software development process (regardless of form) one such resource is staff. The book “The Mythical Man-Month” by Fred Brooks (https://www.barnesandnoble.com/w/the-mythical-man-month-frederick-p-brooks-jr/1126893908) discusses how things go wrong.

The core problem is adding more people require strong communications and clear goals. Too many IT projects lack both. I once was part of an organization that consulted on a complex application rewrite – forty consultants, hundreds of developers, and very little guidance. The situation degenerated rapidly when the interim project manager decided we shouldn’t waste time on documentation. A problem would surface, the PM would kick off as task force, hold a meeting, and send everybody on their way. After the meeting, people would ask what specific decisions had been reached, but since there were no minutes, nobody could be sure. That would cause the PM to schedule another meeting, and so on. Two lessons I learned concerns meetings:

  1. If you do not have agenda, you do not have a meeting.
  2. If you do not distribute minutes, you did not have a meeting.

When you add staff, you must account for the extra overhead managing the activities of each person, and establish processes to monitor changes that every participant must follow. Scrum is an excellent way of flattening potentially harmful changes. By talking face to face regularly, the team knows everything that’s going on. Omit those meetings or rely on second-hand reports and the project is already off the rails. All that remains is to see how far things go wrong before someone notices.

In Conclusion …

If you have a computer system that suddenly gets a huge spike in load, do these things first:

  1. Review the performance reports. Look at changes in average queue length, response time, transaction flight time, and any relevant service level agreements or objectives.
  2. Identify likely bottlenecks
  3. Model the impact of additional resources
  4. Apply additional resource proportionately
  5. Continue to monitor performance

If you are unable to resolve the capacity constraints with these steps, examine the programs for internal limitations:

  1. Review program documentation, specifications, service level objectives, workload models and predictions, data flow diagrams, and design documents to understand architectural and design limits
  2. Determine what resource consumption assumptions were built per transaction type, and expected transaction workload mix
  3. Verify current transaction workload mix and resource consumption per transaction type
  4. Design program extension alternatives to accommodate increased concurrent users, transactions, resource demands per transaction class
  5. Model alternative design choices, including complexity, size, and verification (QA cost)
  6. Initiate refactoring based on this analysis

Note that if you do not have (or cannot find) the relevant documentation, you will need to examine the source code. At this point, you may need to bring in a small set of experts in the programming language to recreate the relevant documentation. Handy hint: before you start working on the source code, regenerate the load modules and compare them with the production stuff to identify any patches or variance between what’s in the library and what’s actually in production.

Bringing in a bunch of people before going through this analysis will cause confusion and waste resources. While to an uninformed public it may appear that something is being done, the likelihood is that what is actually being done will have to be expensively undone before the actual core problem can be resolved. Tread lightly. Plan ahead. State your assumptions, then verify them. Have a good plan and you’ll work it out. Remember, it’s just ones and zeros.

What do you think? Let me know in the comments below, or @WilliamMalikTM.

The post “We Need COBOL Programmers!” No, You Probably Don’t appeared first on .

Letter from the CEO: A time of kindness and compassion

By Trend Micro

Dear Customers,

Together, we are facing a truly unprecedented situation and we have all had to adapt to the new reality. The global coronavirus pandemic is affecting our families, our communities, our organizations – indeed, it affects our perspective and way of life. As you certainly have too, at Trend Micro we have been busy over the past few weeks ensuring our employees are safe while also delivering uninterrupted service and protection for our customers. We have made it a priority to help organizations around the globe strengthen their security and ensure business continuity while so many of their employees work remotely.

As a global company with headquarters in Japan, we have been exposed to COVID-19 from the very early days when it first erupted in Asia. We have seen the massive impact this novel coronavirus has had on all of us: from social distancing, to families being separated, illness and even death. Our thoughts and prayers go out to everyone who has been impacted by the virus, directly or indirectly.

The safety of our employees is our first priority and for the last few weeks the vast majority of our employees are all working from home – all 7,000 across 60 countries. It is heartwarming to see the different activities teams have launched to stay connected while being apart: virtual happy hours or morning coffee meetings, online sports classes to stay fit together, movie watching nights and even remote karaoke. I sometimes feel that we are more connected now than ever before.

In the midst of these difficult times, we have also seen the amazing power of positivity and kindness around the world. I am very touched and proud of how our employees, our Trenders, are stepping up even more than usual to engage in acts of generosity and community support. A few examples include:

  • Employee-initiated neighborhood help services such as shopping for the elderly
  • Tools developed to help our medical heroes, for example a 3D printed clip that allows medical staff to wear face masks more comfortably
  • New content for students and parents who are now working from home, developed by our Internet Safety for Kids & Families team
  • Over 60,000 masks donated to our communities
  • Give & Match activities supporting underserved neighborhoods in India and the Philippines, with the company matching each employee donation.

We have also seen Trenders donating some of their accrued paid vacation days to colleagues who might need additional time off to take care of family. There have been thousands of such acts of kindness – likely many more that I’m not even aware of. Knowing the passion of our employees, I know that there are new activities being organized and happening at this exact moment.

In this same spirit, it is very important to me – as well as the entire executive team – that we do the right thing for our employees and our customers during these difficult times, rather than focusing solely on what’s best for our bottom line. We intend to retain all of our employees, and are working to ensure that our teams that work on commission will continue to have a steady income, no matter how business goes. We know that not every company is as fortunate as we are, and many family members of our employees are out of jobs, so our executives have also committed to reducing their salaries if necessary, to ensure that every employee will receive company bonuses for the first half of 2020. If we protect our Trend Micro family, our Trend Micro family can protect and care for their communities.

I understand these times are difficult and while we are celebrating acts of kindness and positivity, many of our friends and families are struggling with health issues and other concerns. Our hearts go out to all those who are affected, to our healthcare workers and all essential employees who help keep our lives going. We thank you from the bottom of our hearts.

Please stay safe – and stay at home!

Kind regards,

Eva Chen

 

The post Letter from the CEO: A time of kindness and compassion appeared first on .

This Week in Security News: Exploring Common Threats to Cloud Security and Zoom Removes Meeting IDs from App Title Bar to Improve Privacy

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about why Zoom has released an update for its Linux, Mac, and Windows apps that removes the meeting ID from the app’s title bar. Also, read about Trend Micro’s latest research on cloud-specific security, with examples of threats and risks that organizations could face when migrating to the cloud or using cloud services.

Read on:

Trend Micro Study Shows Cloud Misconfiguration as Major Threat

This week, Trend Micro released new research findings concerning cloud security, a major area of concern for enterprises of all sizes. The research confirms the role of both human errors and complex deployments in creating cloud-based cyber threats; above all, Trend Micro notes the dangers of cloud misconfiguration to cloud environments.  

NCSA Small Business Webinar Series

The National Cyber Security Alliance is hosting a series of webinars for small business owners, and Trend Micro is proud to support this effort with guest speakers sharing threat intelligence and security expertise. The topics will help small companies deal with the challenges of COVID-19, including sessions on telework, digital spring cleaning, e-commerce security, how to avoid COVID-19 scams and more.

Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials

An ongoing phishing campaign is reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to “update,” only to steal their credentials for Cisco’s Webex web conferencing platform instead. The campaign is looking to leverage the wave of remote workers who have come to rely on online conferencing tools like Webex and other platforms.

Principles of a Cloud Migration – From Step One to Done

Cloud migrations are happening every day and analysts predict over 75% of mid-size to large enterprises will migrate a workload to the cloud by 2021 – but how can you make sure your workload is successful? In this multi-part blog series, Trend Micro explores best practices, forward thinking, and use cases around creating a successful cloud migration from multiple perspectives.  

Zoomed In: A Look into a Coinminer Bundled with Zoom Installer

Trend Micro recently found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up downloading a malicious file. The compromised files are assumed to come from fraudulent websites. Trend Micro has been working with Zoom to ensure that they are able to communicate this to their users appropriately.

Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration

Trend Micro’s Managed XDR (MxDR) and Incident Response (IR) teams recently investigated an incident involving a company that was hit by the Nefilim ransomware, which was initially discovered in March 2020. What makes Nefilim especially devious is that the threat actors behind the attack threaten to release the victim’s stolen data on an online leak site.

Zoom Removes Meeting IDs from App Title Bar to Improve Privacy

Video conferencing service Zoom has released an update for its LinuxMac, and Windows apps that removes the meeting ID from the app’s title bar. The update comes after the company’s users have often leaked their meeting IDs, and even meeting passwords, when sharing screenshots of their meetings on social media.

Analysis: Suspicious “Very Hidden” Formula on Excel 4.0 Macro Sheet

A malicious Microsoft Excel 4.0 Macro sheet with a suspicious formula that is set as “Very Hidden” was submitted by a customer and further analyzed by Trend Micro researchers. The sheet is not readily accessible via the Microsoft Excel User Interface (UI) due to a feature documented in the Microsoft website that allows users to hide sheets. The compromised files were commonly used as an attachment in spam.

Actively Exploited MS Exchange Flaw Present on 80% of Exposed Servers

Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don’t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premise Exchange servers (out of 433,464 total) out there.

Misconfigured Docker Daemon API Ports Attacked for Kinsing Malware Campaign

A campaign that targets misconfigured Docker Daemon API ports through Kinsing malware was reported by security researchers from Aqua Security. The campaign exploited the ports to run an Ubuntu container. According to the researchers, Kinsing malware’s strings revealed that it is a Golang-based Linux agent.

Threat Actors Deliver Courier-Themed Spam Campaign with Attached ACE Files

Trend Micro researchers detected a new courier service-themed malicious spam campaign that uses ACE files as attachments. The samples were gathered from Trend Micro’s honeypot. The email poses as a shipment arrival notification with a fake receipt attached. It then convinces receivers to download the attachment by asking them to check if the address on the receipt is correct.blo

Exploring Common Threats to Cloud Security

Trend Micro’s recent cloud research provides examples of threats and risks organizations could face when migrating to the cloud or using cloud services. No matter the cloud service or platform, the common theme is that misconfiguration continues to be one of the major pitfalls of cloud security, affecting both companies who subscribe to cloud services and users of software that are hosted on the cloud.

PowerPoint ‘Weakness’ Opens Door to Malicious Mouse-Over Attack

A researcher is sounding the alarm over what he believes could be a novel attack vector which allows a hacker to manipulate a PowerPoint file to download and begin the installation of malware, simply by hovering over a hypertext link. The technique does require a victim to accept one pop-up dialogue box to run or install a program. For those reasons, Microsoft does not consider this a vulnerability.

Cloud Transformation Is the Biggest Opportunity to Fix Security

Lower costs, improved efficiencies and faster time to market are some of the primary benefits of transitioning to the cloud. However, it’s not done overnight. It can take years to move complete data centers and operational applications to the cloud and the benefits won’t be fully realized until most functional data have been transitioned.

Who is World Wired Labs and Why Are They Selling an Android Trojan?

A company advertising a remote access tool frequently used by criminals and nation-state hackers may be serving as a front for a Chinese hacking group, according to research published by BlackBerry Cylance. In a report on remote access trojans (RAT), researchers detail an Android malware variant, which they call PWNDROID4, that can be used to monitor targets’ phone calls, record audio, send and receive text messages, and track victims’ GPS location.

Is your organization looking to migrate to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Exploring Common Threats to Cloud Security and Zoom Removes Meeting IDs from App Title Bar to Improve Privacy appeared first on .

This Week in Security News: More Than 8,000 Unsecured Redis Instances Found in the Cloud and Wiper Malware Called “Coronavirus” Spreads Among Windows Victims

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about 8,000 Redis instances running unsecured in different parts of the world, even deployed in public clouds. Also, read about a new Windows malware, called “Coronavirus,” that makes disks unusable by overwriting the master boot record (MBR).

Read on:

COVID-19: How Do I Work from Home Securely?

In light of the current COVID-19 crisis, shelter-in-place orders have forced many companies to support remote work. However, hackers are primed and ready to take advantage of home workers, whose machines and devices may not be as secure as those in the office. In this blog, learn about some of the major threats to home workers and their organizations, and what can be done to keep hackers at bay.

Vulnerability Researchers Focus on Zoom App’s Security

Researchers have turned up security and privacy flaws in Zoom, which has had success during the pandemic. In late March, one red-team member found that Zoom would display universal naming convention (UNC) paths as links, which, if clicked, would send a username and password hash to an attacker-controlled system. In this article, Brian Gorenc of Trend Micro’s ZDI program shares insight into Zoom vulnerabilities.

More Than 8,000 Unsecured Redis Instances Found in the Cloud

Trend Micro discovered 8,000 Redis instances running unsecured across the globe, even deployed in public clouds. The instances have been found without Transport Layer Security (TLS) encryption and are not password protected. When left unsecured and allowed to be internet-facing or integrated into IoT devices, cybercriminals can find and abuse Redis servers to launch attacks such as SQL injections, cross-site scripting, malicious file uploads, and even remote code execution, among others.

Vulnerable VPN Appliances at Healthcare Organizations Open Doors for Ransomware Gangs

The increased enterprise VPN use due to the COVID-19 pandemic and the work-from-home shift has not gone unnoticed by ransomware gangs, Microsoft warns. Microsoft has pinpointed several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure and decided to notify them directly about it and offer advice on how to keep safe.

Cloud-First but Not Cloud-Only: Why Organizations Need to Simplify Cybersecurity

The global public cloud services market is on track to grow 17% this year, topping $266 billion. However, while many organizations may describe themselves as “cloud-first”, they’re certainly not “cloud-only.” Hybrid cloud is the name of the game today: a blend of multiple cloud providers and multiple datacenters. While driving agility, differentiation and growth, this new reality also creates cyber risk.

Magecart Hackers Inject iFrame Skimmers in 19 Sites to Steal Payment Data

Cybersecurity researchers have uncovered an ongoing new Magecart skimmer campaign that has successfully compromised at least 19 different e-commerce websites to steal payment card details. According to a recent report, RiskIQ researchers spotted a new digital skimmer, dubbed “MakeFrame,” that injects HTML iframes into webpages to phish payment data.

The AWS Service to Focus On – Amazon EC2

Trend Micro recently analyzed the most affected AWS Services, finding that EC2-related issues topped the list with 32% of all issues and S3 contributed to 12% of all issues. While cloud providers offer a secure infrastructure and best practices, many customers are unaware of their role in the shared responsibility model. In this blog, learn how to secure data and configure environments with AWS best practices.

Wiper Malware Called “Coronavirus” Spreads Among Windows Victims

A new Windows malware has emerged that makes disks unusable by overwriting the master boot record (MBR). It takes its cue from the COVID-19 pandemic, calling itself simply “Coronavirus.” Overwriting the MBR is the same trick that the infamous NotPetya wiper malware used in 2017 in a campaign that caused widespread, global financial damage.

Raccoon Stealer’s Abuse of Google Cloud Services and Multiple Delivery Techniques

Raccoon Malware as a Service (MaaS) can steal login credentials, credit card information, cryptocurrency wallets and browser information. It can arrive on a system through delivery techniques such as exploit kits, phishing and bundled with other malware. In this blog, Trend Micro investigates campaigns that used exploit kits Fallout and Rig, and observes its use of Google Drive as part of its evasion tactics.

Developing Story: COVID-19 Used in Malicious Campaigns

The COVID-19 pandemic is being used in a variety of malicious campaigns including email spam, BEC, malware, ransomware and malicious domains.  As the number of those afflicted continue to surge by thousands, campaigns that use the disease as a lure also increase. Trend Micro researchers are periodically sourcing for samples on COVID-19-related malicious campaigns.

Threat Actors Abuse Evernote, Other Shared Platforms for Credential Phishing

Trend Micro researchers found campaigns that abuse the note-taking platform Evernote to host credential-phishing pages. The campaigns also exploit other shared platforms for editing images, making infographics and charts, and creating brand templates. Evernote’s notebook sharing functionality that uses public links is what threat actors exploited to spread malicious PDF files via phishing emails. 

Malicious Domains and Files Related to Zoom Increase, ‘Zoom Bombing’ on the Rise

As the use of video conferencing platforms has increased with many people working from home due to the COVID-19 outbreak, cases of “Zoom Bombing” and malicious domains and files related to Zoom have also been on the rise. Registrations of domains that reference the name of Zoom has significantly increased, and other communication apps such as Google Classroom have been targeted as well.

Russian Investigators Bust Credit Card Fraud Ring

Russian federal investigators have arrested at least 25 people accused of operating a credit card fraud ring, according to a statement released by the Russian Federal Security Service (FSB). Those charged allegedly included a card fraud kingpin and two dozen associates linked to more than 90 websites that sold stolen credit card data and operated internationally.

Microsoft Corrects Misstatement Of 775 Percent Surge in Demand for Cloud Services Amid Coronavirus Outbreak

A recent Microsoft blog reported the tech giant had seen a “775 percent increase of our cloud services in regions that have enforced social distancing or shelter in place orders.” That line was wrong: the almost 8x increase only pertained to monthly users of the Microsoft’s Teams collaboration platform, and only in a one-month period in Italy, a region of the world particularly impacted by the virus.

Using Zoom? Here’s How to Keep Your Business and Employees Safe

The COVID-19 crisis has sparked a new wave of phishing, BEC, extortion, ransomware and data breach attempts, and although it’s not the only platform being targeted, Zoom has been the subject of some of the highest-profile incidents so far. Fortunately, there are things organizations can do to protect their business and their employees. In this blog, learn about best practices you can use to help secure your Zoom conferences.

Have you or your organization been a victim of “Zoom Bombing”? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: More Than 8,000 Unsecured Redis Instances Found in the Cloud and Wiper Malware Called “Coronavirus” Spreads Among Windows Victims appeared first on .

Using Zoom? Here’s how to keep your business and employees safe

By Bharat Mistry

Cyber-criminals are always looking for new opportunities to make money and steal data. Globally trending events are a tried-and-tested way of doing just this, and they don’t come much bigger than the current Covid-19 pandemic. It’s sparking a wave of phishing, BEC, extortion, ransomware and data breach attempts. And as increasing numbers of global workers are sent home, new opportunities are opening up to compromise video conferencing apps.

Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

Under the microscope

The video conferencing app is in many ways a victim of its own success. Security concerns have been raised about it in the past, after researchers revealed zero-day flaw in the Mac Zoom client which could have allowed hackers to spy on users via their webcams. Later the same year, separate research revealed an API-targeted enumeration attack affecting the platform. Neither of these are thought to have been exploited in the wild.

However, things have changed today: with much of the world using the platform to hold business meetings and personal video calls, scrutiny of its security posture has never been greater.

From bugs to bombing

There are several risks to be aware of. The first is of several new vulnerabilities discovered in the platform: one of which could allow hackers to steal Windows passwords, and another two which could enable attackers to remotely install malware on affected Macs and eavesdrop on meetings.

Most news coverage, however, is focused on “Zoombombing” — when uninvited users crash meetings. This often happens when large-scale semi-public events are held, and meeting IDs are shared on social media. If there’s no password for the meeting and attendees aren’t screened, then Zoombombers may turn up. Once in the ‘meeting’, crashers often post offensive comments, stream adult content or do other things to disrupt the event.

The same underlying techniques could be used by hackers to eavesdrop on or disrupt business meetings. It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs).

With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

The final threat is from phishing attacks. Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

What you can do

The good news is that there are several things you can do to mitigate the security risks associated with Zoom.

The most basic are:

  • Ensure Zoom is always on the latest software version
  • Build awareness of Zoom phishing scams into user training programs. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
  • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor

Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers.

The most important revolve around the Zoom Personal Meeting ID (a 9-11 digit number every user has). If a hacker gets hold of this, and the meeting is not password protected, they could access it. A leaked email or simple brute-force/guessing techniques could enable a hacker to compromise the ID and associated URL. For reoccurring meetings, the threat persists.

Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs are switched off, meaning Zoom will create a random, one-off ID for each meeting.

These setting should be kept as is. But organisations can do more, including:

  • Ensure you also generate a meeting ID automatically for recurring meetings
  • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
  • Don’t share any meeting IDs online
  • Disable “file transfers” to mitigate risk of malware
  • Make sure that only authenticated users can join meetings
  • Lock the meeting once it’s started to prevent anyone new joining
  • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
  • Play a sound when someone enters or leaves the room
  • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary

The post Using Zoom? Here’s how to keep your business and employees safe appeared first on .

This Week in Security News: Hong Kong Users Targeted with Mobile Malware via Local News Links and Hackers Hijack Routers to Spread Malware Via Coronavirus Apps

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Apple iOS smartphone users in Hong Kong targeted in a new campaign exploiting online news readers to distribute malware. Also, read about how hackers are hijacking routers and changing Domain Name System (DNS) settings in order to redirect victims to attacker-controlled sites promoting fake coronavirus information apps.

Read on:

Apple iOS Users Served Mobile Malware in Poisoned News Campaign

Apple iOS smartphone users in Hong Kong are being targeted in a new campaign exploiting online news readers to serve malware. This week, Trend Micro researchers said the scheme, dubbed Operation Poisoned News, uses links posted on a variety of forums popular with Hong Kong residents that claim to lead to news stories. 

The Wawa Breach: 30 Million Reasons to Try Dark Web Monitoring

Data breaches are the new normal. Last year in the US there were a reported 1,473 of these incidents, exposing nearly 165 million customer records. The latest data breach from convenience store and gas station chain Wawa could be one of the largest ever, affecting 30 million card records from customers.

Infosec Industry Shows Compassionate Side Amid #COVID19 Pandemic

As the coronavirus pandemic continues, large numbers of organizations have been forced to implement work from home measures for staff. While working from home, employees are more susceptible to cybersecurity threats, especially with a rise in tailored COVID-19 cyber-scams. In this article, read about how Trend Micro and other information security companies have taken steps to offer free resources and support to organizations and employees at this difficult time.

Nefilim Ransomware Threatens to Expose Stolen Data

A new ransomware named Nefilim has been discovered threatening to release its victims’ data to the public if they fail to pay the ransom. It is most likely distributed through exposed Remote Desktop Protocol (RDP), as shared by SentinelLabs’ Vitali Krimez and ID Ransomware’s Michael Gillespie.

Remember Cryptojacking from Way, Way Back (2019)? Site Infections are Down 99% – Thanks to Death of Coinhive

Cryptojacking, the theft of computing power to mine digital currency, has been around at least since 2013 – and has shrunk in use dramatically with the death of Monero-mining service Coinhive. Since Coinhive’s closure last year, cryptojacking has been almost eliminated, according to a group of researchers from the University of Cincinnati in America, and Lakehead University in Canada.

Microsoft Alerts Users About Critical Font-Related Remote Code Execution Vulnerability in Windows

Microsoft released a security advisory on a zero-day remote code execution (RCE) vulnerability affecting Windows operating systems. The vulnerability is found in an unpatched library and comprises two RCE flaws found in Adobe Type Manager Library (atmfd.dll), a built-in library for the Adobe Type Manager font management tool in Windows. 

Credit Card Skimmer Found on Tupperware Website

Cybercriminals hacked Tupperware.com and planted malicious code designed to steal payment card information, Malwarebytes warned this week. The credit card skimmer was planted on the main website and some of its localized versions. The website has nearly one million visitors every month, indicating that hackers may have obtained a significant number of payment card records.

Mirai Updates: New Variant Mukashi Targets NAS Devices, New Vulnerability Exploited in GPON Routers, UPX-Packed FBot

Researchers observed a number of new developments related to the internet of things (IoT) malware Mirai, which actively searches for vulnerabilities in IoT devices. A new Mirai variant named Mukashi was found attacking network-attached storage (NAS) devices, a new vulnerability in GPON routers was exploited by Mirai, and a UPX-packed Fbot variant was detected by a Trend Micro honeypot.

Hackers Hijack Routers to Spread Malware Via Coronavirus Apps

Cybercriminals are hijacking routers and changing Domain Name System (DNS) settings, in order to redirect victims to attacker-controlled sites promoting fake coronavirus information apps. If victims download these apps, they are infected with information stealing Oski malware. This latest attack shows that hackers are becoming more creative in how they leverage the coronavirus pandemic.

Working from Home? Here’s What You Need for a Secure Setup

In response to the ongoing coronavirus outbreak, many companies have rolled out work-from-home arrangements. As a result, there has been an influx of employees signing in remotely to corporate networks and using cloud-based applications, potentially opening doors to security risks. In this blog, Trend Micro shares how security teams and home office users can mitigate the risks that come with remote-working setups.

Russian Hackers Using Stolen Corporate Email Accounts to Mask their Phishing Attempts

In the last year, Russian military intelligence hackers have used previously hacked email accounts to send a wide array of phishing attempts. Feike Hacquebord, senior threat researcher at Trend Micro, explains new research regarding the group known as Fancy Bear, APT28, or Pawn Storm, and how they used hacked emails of high-profile personnel at defense firms in the Middle East to carry out an attack.

Review, Refocus, and Recalibrate: The 2019 Mobile Threat Landscape

Trend Micro analyzed 2019’s most notable mobile threats to assess the landscape and help users and enterprises reevaluate their measures and practices to defend against future threats. While there was a decrease in certain threats compared to 2018, in 2019 cybercriminals looked at the malicious mobile routines that worked in the past and adjusted these to make them more sophisticated, persistent, and profitable online and offline.

Have you seen any COVID-19 related cyber-scams? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Hong Kong Users Targeted with Mobile Malware via Local News Links and Hackers Hijack Routers to Spread Malware Via Coronavirus Apps appeared first on .

This Week in Security News: How to Stay Safe as Online Coronavirus Scams Spread and Magecart Cyberattack Targets NutriBullet Website

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about tips you can use to secure your home office. Also, read about how Magecart Group 8 targeted the website of the blender manufacturer, NutriBullet, in an attempt to steal the payment-card data of its online customers.

 

Read on:

A Message from Our COO Regarding Trend Micro’s Customer Commitment During the Global Coronavirus Pandemic (COVID-19)

As COVID-19 continues to impact individuals, families, communities and businesses around the world, Trend Micro has taken action to ensure that the COVID-19 crisis does not impact the customer experience of its products or services. In this blog from Trend Micro’s chief operating officer, Kevin Simzer, learn about the steps that Trend Micro is taking to not only ensure employee safety, but to continue to deliver exceptional customer service.

RDP-Capable TrickBot Targets Telecoms Sectors in U.S. and Hong Kong

A recently discovered TrickBot variant targeting organizations in telecoms, education and financial services in the United States and Hong Kong includes a module for remote desktop protocol (RDP) brute-forcing, Bitdefender reports. The malware has mostly been distributed through spam emails but was also linked to infections with other malware.

How to Stay Safe as Online Coronavirus Scams Spread

Unfortunately, it’s extraordinary global events like COVID-19 that cyber-criminals look for in order to make their schemes more successful. As organizations enforce remote working to reduce the impact of the virus, many will be logging-on from home or mobile computing devices, which may have fewer built-in protections from such threats. This makes it more important than ever to know how the bad guys are trying to cash in on COVID-19 and what you can do to stay safe.

DDoS Attack Targets German Food Delivery Service

Cybercriminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Liefrando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic. Liefrando delivers food from more than 15,000 restaurants in Germany, where people under COVID-19 restrictions depend on the service. The attack has now stopped, according to a report from BleepingComputer. 

Suddenly Teleworking, Securely

Telework is not a new idea and a good percentage of the workforce already does so. But the companies who have a distributed workforce had time to plan for it, and to plan for it securely. This event can’t be treated like a quick rollout of an application: there are business, infrastructure, and customer security impacts. In this blog from Trend Micro’s vice president of cybersecurity, Greg Young, learn how to set yourself up for secure remote work success.

COVID-19: With Everyone Working from Home, VPN Security Has Now Become Paramount

With most employees working from home amid today’s COVID-19 (coronavirus) outbreak, enterprise VPN servers have now become paramount to a company’s backbone, and their security and availability must be the focus going forward for IT teams.

New Ursnif Campaign Targets Users in Japan

Trend Micro researchers recently detected a new Ursnif campaign targeting users in Japan. The malware is distributed through infected Microsoft Word documents coming from spam emails. Ursnif, also known as Gozi, is an information stealer that collects login credentials from browsers and email applications. It has capabilities for monitoring network traffic, screen capturing, and keylogging.

Trend Micro’s David Sancho on Criminals’ Favorite IoT Targets

In this video, Trend Micro Senior Researcher David Sancho speaks with CyberScoop Editor-in-Chief Greg Otto about his 2020 RSA Conference presentation, which looked at where criminals are infecting Internet of Things targets.

New Variant of Paradise Ransomware Spreads Through IQY Files

Internet Query Files (IQY) were used to deliver a new variant of Paradise ransomware, as reported by Last Line. The said file type has not been associated with this ransomware family before. In the past, IQY files were typically used in other malware campaigns, such as the Necurs botnet that distributes IQY files to deliver FlawedAmmy RAT.

Magecart Cyberattack Targets NutriBullet Website

Magecart Group 8 targeted the website of the blender manufacturer, NutriBullet, in an attempt to steal the payment-card data of its online customers. Yonathan Klijnsma, threat researcher with RiskIQ, said in a post that a JavaScript web skimmer code was first inserted on the website of the blender retailer on Feb. 20, specifically targeting the website’s checkout page.

The IIoT Threat Landscape: Securing Connected Industries

The Industrial Internet of Things (IIoT) provides bridges of connectedness that enable seamless IT and OT convergence. However, threat actors can cross these bridges to compromise systems. As the use of IoT extends beyond the home and goes into the vast industrial landscape, the scale of threats likewise grows for smart factories, smart cities, connected cars, and other smart environments.

What are you doing to secure your home office devices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How to Stay Safe as Online Coronavirus Scams Spread and Magecart Cyberattack Targets NutriBullet Website appeared first on .

A message from our COO regarding Trend Micro’s Customer commitment during the global Coronavirus Pandemic (COVID-19)

By Trend Micro

The recent outbreak of COVID-19 has affected peoples’ lives across the globe and has quickly swept through and impacted individuals, families, communities, and businesses around the world. At Trend Micro, our number one priority is to ensure that our employees and their families are as safe as possible, and our thoughts are with those who have been affected by the virus.

Our team has spent a great deal of time reviewing options to ensure both the continued protection of our customers and partners, as well as the physical safety of our employees. We realize this situation remains very dynamic, as information continues to change day-to-day, and as such we will continue to provide updates as we learn more, but in the meantime we remain committed to providing the superior service and support that our customers, partners and suppliers have come to expect of our company throughout this situation.

We know the critical role that Trend Micro plays in your organization to keep your company and employees protected. We have taken several measures to ensure that the COVID-19 crisis does not impact your experience with Trend Micro products or services.

Listed below are several actions that the team has taken to date to not only ensure that our employees are safe, but to continue to deliver business “as usual” during this time:

Safety of Employees
Our number one priority is the health and safety of our employees around the globe. To that measure, we have:

  • Abided by local government guidelines: All of our global offices are adhering to guidelines and best practices from the Center for Disease Control (CDC), other global health organizations and local government guidelines.
  • Ability to work from remote locations: Many teams at Trend Micro have worked remotely from all corners of the globe for over a decade. This practice has enabled us to provide you with world-class products and service even in a time of social distancing. With the COVID-19 situation, we have shifted our workforce to virtual/remote wherever it is feasible, and we are maintaining critical onsite operations as needed.  At this time, we have not experienced any major impact to our business operations as a result of this temporary shift, and we will continue to closely monitor and adjust as appropriate to ensure we are continuing to deliver world class security protection and service for our customers and partners.
  • Travel restrictions: We have suspended all international travel, with only essential domestic travel permitted where still allowed (and if the employee is comfortable doing so).  As new restrictions are being placed daily, we will continue to closely monitor this situation and react appropriately.
  • Ongoing Vigilance: A cross-functional team within Trend Micro is closely monitoring all aspects of the crisis and will take prudent, agile, and swift action necessary to ensure the safety of our employees.  We are committed to doing our part to minimize the spread of COVID-19 while ensuring service continuity for you.

 

Continuity of Service
We are committed to ensuring that we continue to support the security needs of your organization, including but not limited to:

  • Product Infrastructure: All Trend products are built upon a highly reliable commercial cloud infrastructure and delivered through a variety of content delivery networks. This includes our ISO 27001-certified SaaS offerings.
  • Support Infrastructure: Our major global support centers have already shifted to remote/virtual operations and are working to ensure the customer experience is as seamless as possible.
  • Flexibility: As with any best-in-class SaaS organization, we are able to perform all systems monitoring and product development remotely.
  • Supply Chain: We are working very closely with our global suppliers and technical content providers/partners to ensure that availability and normal operations of our technology and services are not adversely impacted due to measures that they will have to put into place for combating this issue as well.
  • Resilience: Our R&D, Support and other technology teams are globally dispersed and able to provide you with around the clock access. Though geographically spread out, we are one global, highly coordinated team, dedicated to supporting your business needs. We have been operating in this model for decades, and we consider this to be one of Trend Micro’s inherent strengths for continuing to have a strong operational model in times of crisis such as this.

As an optimistic organization, we believe that because of this unfortunate situation, new ways to work together and incredible innovation will occur and will make us all stronger in the future.

As always, if you have any questions or concerns, please reach out to your local account representative or Trend Micro authorized support contact.   We will continue to watch this situation closely, react accordingly and communicate any substantial changes with our customers and partners.

On behalf of everyone at Trend Micro, thank you for trusting us with your business. We wish health and safety to you and your families, employees, and customers.

 

Sincerely,

Kevin Simzer

Chief Operating Officer

Trend Micro Incorporated

 

The post A message from our COO regarding Trend Micro’s Customer commitment during the global Coronavirus Pandemic (COVID-19) appeared first on .

This Week in Security News: Operation Overtrap Targets Japanese Online Banking Users and Everything You Need to Know About Tax Scams

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the number of ways Operation Overtrap can infect or trap victims with its payload. Also, read about how to protect your personal identity data and money during tax-filing season.

Read on:

AWS Launches Bottlerocket, a Linux-based OS for Container Hosting

AWS has launched Bottlerocket, its own open-source operating system for running containers on both virtual machines and bare metal hosts. The new OS is a stripped-down Linux distribution that’s akin to projects like CoreOS’s now-defunct Container Linux and Google’s container-optimized OS. The project is launching in cooperation with several partners including Alcide, Armory, CrowdStrike, Datadog, New Relic, Sysdig, Tigera, Trend Micro and Waveworks.

Tax Scams – Everything You Need to Know to Keep Your Money and Data Safe

There are two things that cybercriminals are always on the hunt for: personal identity data and money. During the tax-filing season, both can be unwittingly exposed. Over the years, cybercriminals have adapted multiple tools and techniques to part taxpayers with their personal information and funds. This blog looks at the main threats out there and what you can do to stay safe.

March 2020 Patch Tuesday: Microsoft Fixes 115 Vulnerabilities, Adobe None

This week for March 2020 Patch Tuesday, Microsoft dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The good news is that none of them are under active attack. Adobe seems to have skipped this Patch Tuesday and there’s no indication whether the customary security updates are just delayed or if there won’t be any in the coming days.

Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan

Trend Micro recently discovered a new campaign dubbed “Operation Overtrap” for the number of ways it can infect or trap victims with its payload. The campaign targets online users of various Japanese banks by stealing their banking credentials using a three-pronged attack. Based on Trend Micro’s telemetry, Operation Overtrap has been active since April 2019.

Hackers Are Working Harder to Make Phishing and Malware Look Legitimate

Even though the overall volume of malware dropped in 2019, phishing and business email compromise (BEC) went up sharply, according to Trend Micro’s 2019 Cloud App Security Roundup. The company blocked nearly 400,000 attempted BEC attacks in 2018, which is 271% more than the previous year and 35% more credential phishing attempts than in 2018.

Busting Ghostcat: An Analysis of the Apache Tomcat Vulnerability (CVE-2020-1938 and CNVD-2020-10487)

Discussions surrounding the Ghostcat vulnerability (CVE-2020-1938 and CNVD-2020-10487) found in Apache Tomcat puts it in the spotlight as researchers investigated its security impact– specifically, its potential use for remote code execution (RCE). Learn more about the Ghostcat vulnerability in this blog analysis.

10 Key Female Cybersecurity Leaders to Know in 2020

In celebration of Women’s History Month, the editors of Solutions Review shared the accomplishments of ten key female cybersecurity leaders in 2020. Trend Micro’s CEO Eva Chen made the list based on her numerous accomplishments in the cybersecurity industry.

Coronavirus Used in Spam, Malware, and Malicious Domains

The coronavirus disease (COVID-19) is being used as bait in email spam attacks on targets across the globe. As the number of cases continues to grow, campaigns using the virus as a lure will likewise increase. This has been observed by multiple entities, and researchers from Trend Micro have also seen a significant spike in the detection of the subject in email spam attacks.

Cookiethief Android Malware Uses Proxies to Hijack Your Facebook Account

A combination of new modifications to Android malware code has given rise to Trojans able to steal browser and app cookies from compromised devices. Researchers from Kaspersky said the new malware families, dubbed Cookiethief, use a combination of exploits to acquire root rights to an Android device and then to steal Facebook cookie data. 

Nemty Ransomware Spreads via Love Letter Emails

Threat actors have been found distributing Nemty ransomware through a spam campaign using emails that pose as messages from lovers, according to a report by Malwarebytes and X-Force Iris researchers. Researchers from Trend Micro have also encountered the emails.

WordPress GDPR Plugin Vulnerable to Cross-Site Scripting Attacks

GDPR Cookie Consent, a WordPress plugin, inadvertently exposed websites to cross-site scripting (XSS) attacks through a vulnerability that affects versions 1.8.2 and below of the plugin. As disclosed in a report by NinTechNet, the vulnerability allowed privilege escalation. The plugin had over 700,000 active installations at the time of the exploit.

Analysis: Abuse of .NET Features for Compiling Malicious Programs

While the .NET framework is originally intended to help software engineers, cybercriminals have found a way to abuse its features to compile and execute malware on the fly. Recently, Trend Micro discovered several kinds of malware, such as LokiBot, utilizing this technique. 

OpenSMTPD Vulnerability (CVE-2020-8794) Can Lead to Root Privilege Escalation and Remote Code Execution

A root privilege escalation and remote execution vulnerability (designated as CVE-2020-8794) has been discovered in the free and open-source Unix Daemon, OpenSMTPD. The flaw originates from an out-of-bounds read, which attackers can take advantage of to execute arbitrary code on vulnerable systems.

Are you concerned about the security risks involved with filing your taxes online? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Operation Overtrap Targets Japanese Online Banking Users and Everything You Need to Know About Tax Scams appeared first on .

This Week in Security News: 10,000 Users Affected by Leak from Misconfigured AWS Cloud Storage and Massive U.S. Property and Demographic Database Exposes 200 Million Records

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how the data of train commuters in the U.K. who were using the free Wi-Fi in Network Rail-managed stations was unintentionally leaked due to an unsecured Amazon Web Services (AWS) cloud storage. Also, read about how more than 200 million records containing property-related information on U.S. residents were exposed.

Read on:

Security Risks in Online Coding Platforms

As DevOps and cloud computing has gained popularity, developers are coding online more and more, but this traction has also raised the questions of whether online integrated development environments (IDEs) are secure. In this blog, learn about two popular cloud-based IDEs: AWS Cloud9 and Visual Studio Online.

Legal Services Giant Epiq Global Offline After Ransomware Attack

The company, which provides legal counsel and administration that counts banks, credit giants, and governments as customers, confirmed the attack hit on February 29. A source said the ransomware hit the organization’s entire fleet of computers across its 80 global offices.

Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks

Trend Micro has conducted an analysis into the behavior of the Geost trojan by reverse engineering a sample of the malware. The trojan employed several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that made it more difficult to reverse engineer. Read this blog for further analysis of Geost.

Trend Micro Cooperates with Japan International Cooperation Agency to Secure the Connected World

Trend Micro this week announced new initiatives designed to enhance collaboration with global law enforcement and developing nations through cybersecurity outreach, support and training. The first agreement is with the Japan International Cooperation Agency (JICA), a government agency responsible for providing overseas development aid and nurturing social economic growth in developing nations.

Data of U.K. Train Commuters Leak from Misconfigured AWS Cloud Storage

The data of train commuters in the U.K. who were using the free Wi-Fi in Network Rail-managed stations was unintentionally leaked due to an unsecured Amazon Web Services (AWS) cloud storage. Approximately 10,000 users were affected, and data thought to be exposed in the leak includes commuters’ travel habits, contact information such as email addresses, and dates of birth.

Critical Netgear Bug Impacts Flagship Nighthawk Router

Netgear is warning users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. The warnings, posted Tuesday, also include two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.

FBI Working to ‘Burn Down’ Cyber Criminals’ Infrastructure

To thwart increasingly dangerous cyber criminals, law enforcement agents are working to “burn down their infrastructure” and take out the tools that allow them to carry out their devastating attacks, FBI Director Christopher Wray said this week. Unsophisticated cyber criminals now have the power to paralyze entire hospitals, businesses and police departments, Wray also said.

A Massive U.S. Property and Demographic Database Exposes 200 Million Records

More than 200 million records containing a wide range of property-related information on U.S. residents were left exposed on a database that was accessible on the web without requiring any password or authentication. The exposed data included personal and demographic information such as name, address, email address, age, gender, ethnicity, employment, credit rating, investment preferences, income, net worth and property-specific information.

How Human Security Investments Created a Global Culture of Accountability at ADP

Human security is what matters during a cybersecurity crisis, where skills and muscle memory can make the difference in make-or-break moments. Leaders and culture are the most important predictors of cyberattack outcomes, so it’s time to stop under-investing in human security.

Ransomware Attacks Prompt Tough Question for Local Officials: To Pay or Not to Pay?

There were at least 113 successful ransomware attacks on state and local governments last year, according to global cybersecurity company Emsisoft, and in each case, officials had to figure out how to respond. Read this article to find out how officials make the tough call.

Wondering how more than 200 million records were exposed without requiring any password or authentication? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

 

 

 

The post This Week in Security News: 10,000 Users Affected by Leak from Misconfigured AWS Cloud Storage and Massive U.S. Property and Demographic Database Exposes 200 Million Records appeared first on .

This Week in Security News: Trend Micro Detects a 10 Percent Rise in Ransomware in 2019 and New Wi-Fi Encryption Vulnerability Affects Over a Billion Devices

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how Trend Micro detected a 10 percent rise in ransomware attacks in 2019. Also, learn about a new Wi-Fi encryption vulnerability affecting over a billion devices.

Read on:

Trend Micro Detects a 10 Percent Rise in Ransomware

In its 2019 Annual Security Roundup, Trend Micro detected a decrease in the number of new ransomware families despite the overall attack increase. Additionally, it found that ransomware groups formed alliances in 2019 for more effective attacks. The healthcare industry remains the most targeted by ransomware; meanwhile, government and education sectors were also highly targeted.

In Safe Hands with Trend Micro Home Network Security – Part 3: Testing Its Functions

Are you sure your home network is secure? In the third post of its four-part series, Trend Micro breaks down home network security to help you test the following features: threat blocking, access control and parental controls.

Six Suspected Drug Dealers Went Free After Police Lost Evidence in Ransomware Attack

US prosecutors were forced to drop 11 narcotics cases against six suspected drug dealers after crucial case files were lost in a ransomware infection at a Florida police department. Evidence from the 11 cases could not be recovered following the attack that hit the Stuart police department in April 2019.

Hackers Expand Their Repertoire as Trend Micro Blocks 52 Billion Threats in 2019

Trend Micro’s 2019 roundup report reveals just how many tools, techniques and procedures hackers have at their disposal today. With 52 billion unique threats detected in 2019 by Trend Micro’s filters alone, threats are becoming an overwhelming challenge for many IT security departments.

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

Cybersecurity researchers uncovered a new high-severity hardware vulnerability residing in Wi-Fi chips manufactured by Broadcom and Cypress—reportedly powering over a billion devices. Dubbed ‘Kr00k’ and tracked as CVE-2019-15126, the flaw could let nearby remote attackers intercept and decrypt some wireless network packets transmitted over-the-air by a vulnerable device.

Cybercrime Group Uses G Suite, Physical Checks in BEC Scam

An African cybercrime group named Exaggerated Lion uses G Suite and physical checks as new tools for Business Email Compromise (BEC) attacks, reported in a research paper by Agari. Like other BEC scams, the targets belong to company departments that handle finance.

Cisco Patches Flaws in FXOS, UCS Manager and NX-OS Software

On Wednesday, Cisco released patches for 11 vulnerabilities in its products, including multiple flaws that impact Cisco UCS Manager, FXOS, and NX-OS software. The most important of the bugs is a high severity flaw in FXOS and NX-OS that could allow an unauthenticated, adjacent attacker to execute arbitrary code as root. The weakness can also be exploited for denial of service (DoS).

PowerGhost Spreads Beyond Windows Devices, Haunts Linux Machines

Trend Micro researchers encountered a PowerGhost variant that infects Linux machines via EternalBlue, MSSQL and Secure Shell (SSH) brute force attacks. The malware, previously known to target only Windows systems, is a fileless cryptocurrency-mining malware that attacks corporate servers and workstations, capable of embedding and spreading itself undetected across endpoints and servers.

Android Malware Can Steal Google Authenticator 2FA Codes

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.

Ransomware Hits U.S. Electric Utility

The Reading Municipal Light Department (RMLD) has been infected with ransomware, revealed in a statement by the electric utility company. RMLD did not disclose the details on how their system was infected or the demands of the group behind the malware and there was no indication of plans to pay ransom to the threat actors.

Are you surprised that the number of new ransomware families detected in 2019 decreased while number of attacks increased? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Detects a 10 Percent Rise in Ransomware in 2019 and New Wi-Fi Encryption Vulnerability Affects Over a Billion Devices appeared first on .

This Week in Security News: LokiBot Impersonates Popular Game Launcher and DRBControl Espionage Operation Hits Gambling, Betting Companies

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a variant of LokiBot that has been discovered impersonating a popular game launcher, known for Fortnite, to trick users into executing it on their machines. Also, read about how an advanced threat actor has been targeting gambling and betting companies with malware linked to two Chinese hacker groups.

Read on: 

LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File

LokiBot, which can harvest sensitive data such as passwords and cryptocurrency information, has been discovered impersonating game launcher Epic Games—the company behind games such as Fortnite–to trick users into executing it on their machines. Further analysis revealed that a sample of this variant employs a quirky, installation routine that involves dropping a compiled C# code file.

DRBControl Espionage Operation Hits Gambling, Betting Companies

An advanced threat actor has been targeting gambling and betting companies with malware that links to two Chinese hacker groups. The mission — named “DRBControl” by security researchers — appears to be cyberespionage and includes stealing databases and source code from the targets. Researchers at Trend Micro painted a larger picture of DRBControl’s activities after analyzing a backdoor used by the group against a company in the Philippines.

Uncovering Risks in Ordinary Places: A Look at the IoT Threat Landscape

As the IoT continues to become more integrated into enterprises and homes, the threat landscape also expands. In this blog, Trend Micro looks at the most significant threats and vulnerabilities in IoT devices on the edge of the network, within the network itself, and on the cloud; as well as gains insights from the cybercriminal underground.

Newly Discovered Vulnerability Can Let Hackers Impersonate LTE Mobile Device Users, Researchers Say

German researchers have found a new vulnerability on 4G/LTE mobile devices that could allow hackers to impersonate the phone’s owner. In this article, Mark Nunnikhoven, vice president of cloud research for cybersecurity firm Trend Micro, discusses the threat level of this vulnerability and its risks, which include  running up a person’s bill by making international calls or using premium services offered by the victim’s provider, like a TV streaming service.

Fake Dating Apps Found as Top Source of Malware in Africa

According to research from Kaspersky, 7,734 attacks from 1,486 threats were detected, affecting 2,548 mobile users from the continent. The countries with the most recorded attacks were South Africa with 58%, as Kenya (10%) and Nigeria (4%) trail behind.

US Govt Warns Critical Industries After Ransomware Hits Gas Pipeline Facility

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to all industries operating critical infrastructures about a new ransomware in response to a cyberattack targeting an unnamed natural gas compression company’s internal network, encrypting critical data and knocking servers out of operation for almost two days. 

Plugin Leaves Nearly 100,000 WordPress Sites Vulnerable to Compromise

According to a report by WebARX, a vulnerability in a plugin for WordPress themes allows remote attack execution, gives full administrator rights, and can possibly even wipe out the entire website database. The vulnerability was discovered in ThemeGrill Demo Importer, a plugin that offers demo options for themes, widgets, and other content that can help customize websites.

MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer

A hacking forum this week published personal details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer. Those guests included celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.

Stolen Credit Card Data Concealed through Fake Club Membership Cards

Stolen credit card data has been disguised through counterfeit club membership cards, as revealed by the U.S. Secret Service and reported by Brian Krebs. The cards, purportedly for exclusive use at name-brand retailers, had barcodes that contained the credit card information as well expiration dates and card verification values (CVVs). 

Adobe Releases Out-of-Band Patch for Critical Code Execution Vulnerabilities

Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks. Users of Adobe Media Encoder and After Effects should update their software builds immediately. The tech giant thanked researcher Francis Provencher, alongside Matt Powell from Trend Micro’s Zero Day Initiative for reporting the vulnerabilities.  

Surprised by the scale of the giant MGM Grand breach? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: LokiBot Impersonates Popular Game Launcher and DRBControl Espionage Operation Hits Gambling, Betting Companies appeared first on .

This Week in Security News: February 2020 Patch Tuesday Update and Misconfigured AWS S3 Bucket Leaks 36,000 Inmate Records

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the more than 140 February Patch Tuesday updates from Microsoft and Adobe. Also, read about how an unsecured and unencrypted Amazon Simple Storage Service (S3) bucket was found leaking 36,077 inmate records in several U.S. states.

Read on:

February 2020 Patch Tuesday: Microsoft Fixes 99 Vulnerabilities, Adobe 42

This week, patches from Microsoft and Adobe for February were announced. Microsoft released fixes for 99 vulnerabilities – 12 critical, one of which is being exploited in the wild – and Adobe released fixes for 42, most of which are critical, and none actively exploited.

How to Manage Your Privacy On and Off Facebook

Where on Facebook is your privacy most at risk and what can you do to mange these risks? Although Facebook has taken steps to offer users tools to manage their data, such as their recent broad launch of their Off-Facebook Activity tool, they are not always easy to find. This blog from Trend Micro serves as a guide on how to protect your privacy on Facebook.

Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims

Emotet, the notorious trojan behind several botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already-infected devices to identify new victims that are connected to nearby Wi-Fi networks. According to researchers at Binary Defense, the newly discovered Emotet sample leverages a “Wi-Fi spreader” module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems

Trend Micro discovered that the hacking group Outlaw has been busy developing their toolkit for illicit income sources. While they had been quiet since Trend Micro’s analysis in June, there was an increase in the group’s activities in December, with updates on the kits’ capabilities reminiscent of their previous attacks.

Irving Security Company Spun Out of Trend Micro Lands $26M in Funding

Cysiv announced this week the close of a $26 million Series A financing led by ForgePoint Capital, a top tier venture capital firm that invests in transformative cybersecurity companies. Trend Forward Capital has been actively backing Cysiv and is also participating in this financing. Proceeds will be used to scale business operations and fuel further platform enhancements.

Trickbot, Emotet Use Text About Trump to Evade Detection

Threat actors have been using text from news articles about U.S. President Donald Trump to make malware undetectable. Trickbot samples employing this technique were recently found, while Trend Micro researchers detected Emotet samples using the same method.

Puerto Rico Gov Hit By $2.6M Phishing Scam

According to reports, an email-based phishing scam hit Puerto Rico’s Industrial Development Company, which is a government-owned corporation aimed at driving economic development to the island along with local and foreign investors. The scam email alleged a change to a banking account tied to remittance payments, which is a transfer of money (often by a foreign worker) to an individual in their home country.

Malicious Spam Campaign Targets South Korean Users

The spam campaign, detected by Trend Micro researchers, utilizes attachments compressed through ALZip, an archive and compression tool widely used in South Korea. When decompressed, the attachment is revealed to contain two executable (.EXE) files that carry the information stealer TrojanSpy.

Google Removes 500+ Malicious Chrome Extensions from the Web Store

Google has removed more than 500 malicious Chrome extensions from its official Web Store following a two-month long investigation conducted by security researcher Jamila Kaya and Cisco’s Duo Security team. The removed extensions operated by injecting malicious ads (malvertising) inside users’ browsing sessions.

Dynamic Challenges to Threat Detection and Endpoint Security — and How to Overcome Them

As a result of great technological advancements, our environments are steadily changing. Now more than ever, individuals and organizations rely on technology to make life more dynamic. This reliance on technology and the consequent expanding attack surface are what cybercriminals bank on as they create threats that are meant to trick users and organizations. In this blog, learn how to step up your threat detection and endpoint security.

YouTube, Twitter Hunt Down Deepfakes

YouTube and Twitter have taken measures to clamp down on synthetic and manipulated media, including deepfakes. Deepfakes are media (images, audio, video, etc.) synthetically generated through artificial intelligence and machine learning (AI/ML), which have been exploited in adult videos and propaganda using the faces and voices of unwitting celebrities, politicians, and other well-known figures.

Misconfigured AWS S3 Bucket Leaks 36,000 Inmate Records

An unsecured and unencrypted Amazon Simple Storage Service (S3) bucket was found leaking 36,077 records belonging to inmates of correctional facilities in several U.S. states. The leak, which was discovered by vpnMentor, exposed personally identifiable information (PII), prescription records and details of inmates’ daily activities.

An In-Depth Technical Analysis of CurveBall (CVE-2020-0601)

CVE-2020-0601 is a vulnerability that was discovered by the National Security Agency (NSA) and affects how cryptographic certificates are verified by one of the core cryptography libraries in Windows that make up part of the CryptoAPI system. Dubbed CurveBall or “Chain of Fools,” an attacker exploiting this vulnerability could create their own cryptographic certificates that appear to originate from a legitimate certificate that is trusted by Windows by default.

In your opinion, what was the most noteworthy patch from this month’s update? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: February 2020 Patch Tuesday Update and Misconfigured AWS S3 Bucket Leaks 36,000 Inmate Records appeared first on .

This Week in Security News: ZDI Bug Hunters Rake in $1.5M in 2019 and Metamorfo Trojan Malware Campaign Targets Online Banking Users

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro Zero Day Initiative’s $1.5 million in awards and other noteworthy milestones in 2019. Also, learn about a crafty malware that makes you retype your passwords so it can steal them for credit card information and other personal data.

Read on:

Four Reasons Your Cloud Security is Keeping You Up at Night

Organizations are migrating to the cloud for speed, agility, scalability, and cost-efficiency – but they have realized that it demands equally powerful security management. As the cloud continues to attract more businesses, security teams are spending sleepless nights securing the infrastructure. We can reduce the number of security issues affecting cloud infrastructure; however, we must first conquer the possible reasons for security vulnerabilities.

Trend Micro and Baker Hughes Collaborate to Help Deliver Protection for Critical Infrastructure

Trend Micro announced this week that it will collaborate with Baker Hughes’ Nexus Controls operational technology (OT) security experts through a strategic framework agreement, signed in late 2019. Together the companies aim to provide comprehensive, industry leading guidance and support for enterprises running critical OT environments.

Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud

Trend Micro recently discovered several malicious optimizer, booster and utility apps (detected as AndroidOS_BadBooster.HRX) on Google Play. The apps can access remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices.

Zero Day Initiative Bug Hunters Rake in $1.5M in 2019

Zero Day Initiative, a division of Trend Micro, awarded more than $1.5 million in cash and prizes to bug-hunters throughout 2019, resulting in 1,035 security vulnerability advisories for the year. Most of those advisories (88 percent) were published in conjunction with a patch from the vendor.

ICS in VUCA: Insights from the World‘s Biggest ICS Security Event – S4

Many sessions at this year’s S4 discussed strengthening leadership. The environment surrounding the ICS community is filled with volatility, uncertainty, complexity and ambiguity (VUCA), and it requires strong leadership to drive changes. In this blog, read about the key takeaways coming out of the world’s leading ICS security event, S4.

This Crafty Malware Makes You Retype Your Passwords So It Can Steal Them

A trojan malware campaign is targeting online banking users around the world with the aim of stealing credit card information, finances and other personal details. Detailed by researchers at Fortinet, the Metamorfo banking trojan has targeted users of over 20 online banks in countries around the world including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico.

SORA and UNSTABLE: 2 Mirai Variants Target Video Surveillance Storage Systems

Trend Micro researchers encountered two variants of the notorious internet of things (IoT) malware, Mirai, employing a new propagation method. The two variants, namely SORA (detected as IoT.Linux.MIRAI.DLEU) and UNSTABLE (detected as IoT.Linux.MIRAI.DLEV), gain entry through Rasilient PixelStor5000 video surveillance storage systems by exploiting CVE-2020-6756.

Vulnerability in WhatsApp Desktop Exposed User Files

Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone. The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who found he could bypass WhatsApp’s CSP to execute code on a target system using maliciously crafted messages.

Ryuk Ransomware Infects US Government Contractor

The internal system of U.S. government contractor Electronic Warfare Associates (EWA) was infected with Ryuk ransomware last week, ZDNet reported. EWA is a contractor that supplies electronic equipment and services to the Department of Defense (DOD), the Department of Homeland Security (DHS), and the Department of Justice (DOJ).

New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers

Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest targets for cybercriminals leveraging a “self-spreading” variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant.

New Extortion Campaign Threatens Victims of the 2015 Ashley Madison Breach

A new extortion campaign is targeting victims of the Ashley Madison data breach that happened five years ago, Vade Secure reports. Avid Life Media — the company behind the site — was hacked in 2015 by a group known as Impact Team. The actors behind this new campaign tell victims that they will publicize proof of their profile as well as other “embarrassing” activities and demand bitcoins as payment. 

Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan

Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. IBM X-Force reported that the coronavirus spam emails were disguised as official notifications sent by a disability welfare provider and public health centers. The email content warns recipients about the rapid spread of the virus and instructs them to download an attached notice that allegedly contains preventive measures.

Researchers Use Smart Light Bulbs to Infiltrate Networks

Researchers successfully infiltrated networks through a vulnerability in Philips Hue light bulbs. The CVE-2020-6007 vulnerability, which involves the Zigbee communication protocol, can be abused to remotely install malicious firmware in smart light bulbs and spread malware to other internet-of-things (IoT) devices.

What was your biggest takeaway from the S4 ICS security conference this year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: ZDI Bug Hunters Rake in $1.5M in 2019 and Metamorfo Trojan Malware Campaign Targets Online Banking Users appeared first on .

This Week in Security News: Over 2,000 WordPress Accounts Compromised and Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, over two thousand WordPress sites were compromised using a malicious script that redirects visitors to scam websites. Also, read about how Facebook has agreed to pay $550 million to Illinois users to settle a class action lawsuit filed over the use of its face-tagging technology.

Read on:

Security Analysis of Devices that Support SCPI and VISA Protocols

The Standard Commands for Programmable Instruments (SCPI) protocol, now 30 years old, was initially designed for sensors communicating over serial lines to make adoption via different languages and hardware interfaces easier. Today, these devices are being exposed to the internet as more networks get connected, but they have never been designed for it and network administrators might not be aware that this is happening.

The Rich Are Different, but their Smartphones Aren’t

After Jeff Bezos’ phone was hacked, it raised the question of how high-profile people protect their cybersecurity. In this article, Mark Nunnikhoven, vice president of cloud research at Trend Micro, explains that the rich and famous can’t buy phones that are more secure than the average.

Malicious Script Plagues Over 2,000 WordPress Accounts, Redirects Visitors to Scam Sites

Besides leading visitors to scam websites, the malicious script can also gain unauthorized admin access to affected WordPress sites, allowing attackers to inject malware and apply modifications. Sucuri reported that the attackers gained access to the affected sites by exploiting plugins such as the vulnerable versions of the “CP Contact Form with PayPal” and the “Simple Fields” plugins.

Avast Winds Down Jumpshot, Cites User Data Sale Privacy Concerns

Avast is winding down its subsidiary Jumpshot following an explosive investigation into the sale of user data to third parties that may pose a risk to consumer privacy. The antivirus vendor said the unit will no longer have access to user information harvested from users of Avast products and services will eventually be fully terminated.

Unsecured AWS S3 Bucket Found Leaking Data of Over 30K Cannabis Dispensary Customers

An unsecured Amazon S3 bucket owned by cannabis retailer THSuite was found leaking the data of more than 30,000 individuals. Discovered by a vpnMentor research team during a large-scale web mapping project, the unsecured bucket exposed 85,000 files that included records with sensitive personally identifiable information (PII).

Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition

Facebook has agreed to pay $550 million to Illinois users to settle a class action lawsuit filed over the use of its face-tagging technology to collect facial-recognition data on its social media platform. The suit stems from a class-action proceeding from Facebook users in Illinois over a feature called Tag Suggestions, which identifies Facebook users in photos based on biometric identification technology.

Google, Mozilla Crack Down on Malicious Extensions and Add-ons

The Google security team has temporarily disallowed the publishing or updating of paid extensions that use the Chrome Web Store payments due to an influx of fraudulent transactions performed via the extensions. Mozilla banned 197 suspicious Firefox add-ons that executed malicious code, ran codes from a remote server, stole user data, collected user search terms and obfuscated source code.

Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers

Cybersecurity researchers at Check Point disclosed details of two recently patched vulnerabilities in Microsoft Azure services that are potentially dangerous and, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure.

3 Indonesian Hackers Arrested for Global Magecart Attacks, Other Members Still at Large

The International Criminal Police Organization (Interpol), together with the Indonesian National Police, recently publicized the arrest of three Indonesian men suspected of being behind intercontinental Magecart attacks. Known targets of this attack include online shops, hotel chains, advertising companies and even schools.

Inside the World’s Highest-Stakes Industrial Hacking Contest

Pwn2Own Miami, held at the S4 industrial control system security conference, has focused its participants’ skills for the first time exclusively on industrial control software (ICS). Every target is an application that touches physical machinery. The compromises could have catastrophic effects, from blackouts to life-threatening industrial accidents. In this article, read more about the inaugural Pwn2Own Miami competition.

Over 30 Million Stolen Credit Card Records Being Sold on the Dark Web

Cybercriminals were found selling more than 30 million credit card records on the dark web, purportedly from a data breach suffered by a U.S.-based gas station and convenience store chain last year. The breach was caused by a PoS malware attack and affected 860 convenience stores, of which 600 were also gas stations.

What are your thoughts on the class action lawsuit over Facebook’s facial recognition technology? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Over 2,000 WordPress Accounts Compromised and Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition appeared first on .

This Week in Security News: Trend Micro Creates Factory Honeypot to Trap Malicious Attackers and Microsoft Leaves 250M Customer Service Records Open to the Web

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, dive into a research study that explores the risks associated with common cybersecurity vulnerabilities in a factory setting. Also, read about how misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records.

Read on:

Don’t Let the Vulnera-Bullies Win. Use Our Free Tool to See If You Are Patched Against Vulnerability CVE-2020-0601

Last week, Microsoft announced vulnerability CVE-2020-0601 and has already released a patch to protect against any exploits stemming from the vulnerability. Understanding how difficult it can be to patch systems in a timely manner, Trend Micro created a valuable tool that will test endpoints to determine if they have been patched against this latest threat or if they are still vulnerable.

Ransomware, Snooping and Attempted Shutdowns: See What Hackers Did to These Systems Left Unprotected Online

Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware and cryptocurrency miners. All of these incidents were spotted by researchers at Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.

Defend Yourself Now and In the Future Against Mobile Malware

Recently, 42 apps were removed from the Google Play Store after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. Trend Micro blocked more than 86 million mobile threats in 2018, and that number is expected to continue to increase. To learn how to protect your mobile device from hackers, read this blog from Trend Micro.

Trend Micro Joins LOT Network to Fight ‘Patent Trolls’

Trend Micro announced this week that it has joined non-profit community LOT Network in a bid to combat the growing threat posed to its business and its customers by patent assertion entities (PAEs). The community now has more than 500 members, including some of the world’s biggest tech companies such as Amazon, Facebook, Google, Microsoft and Cisco.

Blocking A CurveBall: PoCs Out for Critical Microsoft-NSA Bug CVE-2020-0601

Security researchers have released proof-of-concept (PoC) codes for exploiting CVE-2020-0601, a bug that the National Security Agency (NSA) reported. The vulnerability affects Windows operating systems’ CryptoAPI’s validation of Elliptic Curve Cryptography (ECC) certificates and Public Key Infrastructure (PKI) trust. Enterprises and users are advised to patch their systems immediately to prevent attacks that exploit this security flaw.

Microsoft Leaves 250M Customer Service Records Open to the Web

Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account information dates back as far as 2005 and as recent as December 2019 and exposes Microsoft customers to phishing and tech scams. Microsoft said it is in the process of notifying affected customers.

Microsoft Releases Advisory on Zero-Day Vulnerability CVE-2020-0674, Workaround Provided

On January 17, Microsoft published an advisory (ADV200001) warning users about CVE-2020-0674, a remote code execution (RCE) vulnerability involving Microsoft’s Internet Explorer (IE) web browser. A patch has not yet been released as of the time of writing — however, Microsoft has acknowledged that it is aware of limited targeted attacks exploiting the flaw.

Google to Apple: Safari’s Privacy Feature Actually Opens iPhone Users to Tracking

Researchers from Google’s Information Security Engineering team have detailed several security issues in the design of Apple’s Safari anti-tracking system, Intelligent Tracking Prevention (ITP). ITP is designed to restrict cookies and is Apple’s answer to online marketers that track users across websites. However, Google researchers argue in a new paper that ITP leaks Safari users’ web browsing habits.

Hacker Publishes Credentials for Over 515,000 Servers, Routers, and IoT Devices

A hacker has published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking website. ZDNet reported that the list consists of IP addresses and the usernames and passwords used by each for unlocking Telnet services, the port that allows these devices to be controlled through the internet.

Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment

The first Pwn2Own hacking competition that exclusively focuses on industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products. The contest hosts at Trend Micro’s Zero Day initiative (ZDI) have allocated more than $250,000 in cash and prizes for the contest, which is testing eight targets across five categories.

Sextortion Scheme Claims Use of Home Cameras, Demands Bitcoin or Gift Card Payment

A new sextortion scheme has been found preying on victims’ fears through social engineering and follows in the footsteps of recent sextortion schemes demanding payment in bitcoin. Security researchers at Mimecast observed the scheme during the first week of the year. The scheme reportedly sent a total of 1,687 emails on Jan. 2 and 3, mostly to U.S. email account holders.

NetWire RAT Hidden in IMG Files Deployed in BEC Campaign

A recent business email compromise (BEC) campaign, purportedly coming from a small number of scammers in Germany, targets organizations by sending them emails with IMG file attachments hiding a NetWire remote access trojan (RAT). The campaign was discovered by IBM X-Force security researchers and involves sending an employee of the targeted organization an email masquerading as a corporate request.

What are your thoughts on the results of Trend Micro’s factory honeypot study? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Creates Factory Honeypot to Trap Malicious Attackers and Microsoft Leaves 250M Customer Service Records Open to the Web appeared first on .

This Week in Security News: The First Patch Tuesday Update of 2020 and Pwn2Own Vancouver Announced

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a major crypto-spoofing bug impacting Windows 10 that has been fixed as part of Microsoft’s January Patch Tuesday update. Also, read about the launch of Pwn2Own Vancouver, where it will pay to hack a Tesla Model 3.

Read on:

Can You Hack a Tesla Model 3? $500,000 Says That You Can’t

Trend Micro’s Zero Day Initiative (ZDI) has officially announced that its Pwn2Own Vancouver competition will be hosted at CanSecWest March 18-20. This time, the stakes have been upped in the automotive category: the hacker who can evade the multiple layers of security found in a Tesla Model 3 to pull off a complete vehicle compromise will win a $500,000 prize and a new Tesla Model 3.

Texas School District Loses $2.3 Million to Phishing Scam, BEC

Manor Independent School District (MISD) in Texas is investigating an email phishing attack after a series of seemingly normal school-vendor transactions resulted in the loss of an estimated $2.3 million. According to the statement posted on Twitter, the district is cooperating with the Manor Police Department and the Federal Bureau of Investigation (FBI).

Equifax Settles Class-Action Breach Lawsuit for $380.5M

A Georgia court granted final approval for an Equifax settlement in a class-action lawsuit, after the credit-reporting agency was hit by its massive 2017 data breach. This week, the Atlanta federal judge reportedly ruled that Equifax will pay $380.5 million to settle lawsuits regarding the breach.

Sodinokibi Ransomware Increases Year-End Activity, Targets Airport and Other Businesses

The Sodinokibi ransomware, detected as Ransom.Win32.SODINOKIBI,was involved in several high-profile attacks in 2019. The ransomware ended the year by launching a new round of attacks aimed at multiple organizations, including the Albany International Airport and the foreign exchange company Travelex.

ICS Security in the Spotlight Due to Tensions with Iran

Given the heightened tensions between the U.S. and Iran, organizations with connected industrial infrastructure should be on guard. In the wake of the assassination, several cybersecurity experts and U.S. government officials have warned of the ICS security risk that Iran-affiliated adversaries pose. Others point to the likelihood of smaller cyberattacks designed to distract rather than prompt retaliation.

Dymalloy, Electrum, and Xenotime Hacking Groups Set Their Targets on US Energy Sector

At least three hacking groups have been identified aiming to interfere with power grids across the United States. The oil, gas, water and energy industries have proved to become a valuable target for threat actors looking to compromise ICS environments, and according to a report on the state of industrial control systems (ICSs), attempts in attacking the utilities industry are on the rise.

Microsoft Patches Major Crypto Spoofing Bug

A major crypto-spoofing bug impacting Windows 10 users has been fixed as part of Microsoft’s January Patch Tuesday security bulletin. The vulnerability could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.

Mobile Banking Trojan FakeToken Resurfaces, Sends Offensive Messages Overseas from Victims’ Accounts

Researchers recently discovered an updated version of the mobile banking trojan FakeToken after detecting 5,000 smartphones sending offensive text messages overseas. Once the malware infects an unprotected Android device, FakeToken is able to send and intercept text messages such as 2FA codes or tokens, as well as scan through the victim’s contacts to possibly send phishing messages.

Report: Chinese Hacking Group APT40 Hides Behind Network of Front Companies

An online group of cybersecurity analysts calling themselves “Intrusion Truth” doxed their fourth Chinese state-sponsored hacking operation. After previously exposing details about Beijing’s hand in APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province), Intrusion Truth has now begun publishing details about China’s cyber apparatus in the state of Hainan, an island in the South China Sea.

What are your thoughts on the major crypto-spoofing bug that was found by the NSA? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: The First Patch Tuesday Update of 2020 and Pwn2Own Vancouver Announced appeared first on .

This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group

By Jon Clay (Global Threat Communications)
week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro’s collaboration with INTERPOL’s Global Complex for Innovation helped reduce cryptojacking by 78% in Southeast Asia. Also, read about three malicious apps in the Google Play Store that may be linked to the SideWinder threat group.

Read on:

First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group

Trend Micro found three malicious apps in the Google Play Store that work together to compromise a device and collect user information. The three malicious apps — disguised as photography and file manager tools — are likely to be connected to SideWinder, a known threat group that has reportedly targeted military entities’ Windows machines.

Operation Goldfish Alpha Reduces Cryptojacking Across Southeast Asia by 78%

Interpol announced the results of Operation Goldfish Alpha, a six-month effort to secure hacked routers across the Southeast Asia region. The international law enforcement agency said its efforts resulted in a drop of cryptojacking operations across Southeast Asia by 78%, compared to levels recorded in June 2019. Private sector partners included the Cyber Defense Institute and Trend Micro.

Celebrating Decades of Success with Microsoft at the Security 20/20 Awards

Trend Micro, having worked closely with Microsoft for decades, is honored to be nominated for the Microsoft Security 20/20 Partner awards in the Customer Impact and Industry Changemaker categories. Check out this blog for more information on the inaugural awards and Trend Micro’s recognitions.

Security Predictions for 2020 According to Trend Micro

Threat actors are shifting and adapting in their choice of attack vectors and tactics — prompting the need for businesses and users to stay ahead of the curve. Trend Micro has identified four key themes that will define 2020: a future that is set to be Complex, Exposed, Misconfigured and Defensible. Check out Digital Journal’s Q&A with Greg Young, vice president of cybersecurity at Trend Micro, to learn more about security expectations for this year.

The Everyday Cyber Threat Landscape: Trends from 2019 to 2020

In addition to security predictions for the new year, Trend Micro has listed some of the biggest threats from 2019 as well as some trends to keep an eye on as we begin 2020 in this blog. Many of the most dangerous attacks will look a lot like the ones Trend Micro warned about in 2019.

5 Key Security Lessons from the Cloud Hopper Mega Hack

In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the computing cloud. The men, who remain at large, are thought to be part of a Chinese hacking collective known as APT10.

The Summit of Cybersecurity Sits Among the Clouds

Shifts in threats in the security landscape have led Trend Micro to develop Trend Micro Apex One™, a newly redesigned endpoint protection solution. Trend Micro Apex One™ brings enhanced fileless attack detection and advanced behavioral analysis and combines Trend Micro’s powerful endpoint threat detection capabilities with endpoint detection and response (EDR) investigative capabilities.

New Iranian Data Wiper Malware Hits Bapco, Bahrain’s National Oil Company

Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company. The incident took place on December 29th and didn’t have the long-lasting effect hackers might have wanted, as only a portion of Bapco’s computer fleet was impacted and the company continued to operate after the malware’s detonation. 

Ransomware Recap: Clop, DeathRansom, and Maze Ransomware

As the new year rolls in, new developments in different ransomware strains have emerged. For example, Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications; DeathRansom can now encrypt files; and Maze ransomware has been targeting U.S. companies for stealing and encrypting data, alerted by the Federal Bureau of Investigation (FBI).

4 Ring Employees Fired for Spying on Customers

Smart doorbell company Ring said that it has fired four employees over the past four years for inappropriately accessing customer video footage. The disclosure comes in a recent letter to senators from Amazon-owned Ring as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year.

Web Skimming Attack on Blue Bear Affects School Admin Software Users

A web skimming attack was recently used to target Blue Bear, a school administration software that handles school accounting, student fees, and online stores for educational institutions. Names, credit card or debit card numbers, expiration dates and security codes, and Blue Bear account usernames and passwords may have been collected.

Patched Microsoft Access ‘MDB Leaker’ (CVE-2019-1463) Exposes Sensitive Data in Database Files

Researchers uncovered an information disclosure vulnerability (CVE-2019-1463) affecting Microsoft Access, which occurs when the software fails to properly handle objects in memory. The vulnerability, dubbed “MDB Leaker” by Mimecast Research Labs, resembles a patched information disclosure bug in Microsoft Office (CVE-2019-0560) found in January 2019.

Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers

A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used to host the command for downloading the main shell script. The miner, a multi-component threat, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials.

What are your thoughts on the rise of cryptomining malware and cryptojacking tactics? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group appeared first on .

This Week in Security News: Latest Cyber Risk Index Shows Elevated Risk of Cyber Attack and IoT Company Wyze Exposes Information of 2.4M Customers

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s Cyber Risk Index (CRI) and its results showing increased cyber risk. Also, read about a data breach from IoT company Wyze that exposed information of 2.4 million customers.

Read on:

The 5 New Year’s Tech Resolutions You Should Make for 2020

Now is the perfect time to reflect on the past and think of all the ways you can make this coming year your best one yet. With technology playing such a central role in our lives, technology resolutions should remain top of mind heading into the new year. In this blog, Trend Micro shares five tech resolutions that will help make your 2020 better and safer.

Security Study: Businesses Remain at Elevated Risk of Cyber Attack

Elevated risk of cyber attack is due to increased concerns over disruption or damages to critical infrastructure, according to the Trend Micro’s latest Cyber Risk Index (CRI) study. The company commissioned Ponemon Institute to survey more than 1,000 organizations in the U.S. to assess business risk based on their current security postures and perceived likelihood of attack.

Parental Controls – Trend Micro Home Network Security Has Got You Covered

In the second blog of a three-part series on security protection for your home and family, Trend Micro discusses the risks associated with children beginning to use the internet for the first time and how parental controls can help protect them.

Cambridge Analytica Scandal: Facebook Hit with $1.6 Million Fine

The Cambridge Analytica scandal continues to haunt Facebook. The company has been receiving fines for its blatant neglect and disregard towards users’ privacy. The latest to join the bandwagon after the US, Italy, and the UK is the Brazilian government.

Why Running a Privileged Container in Docker is a Bad Idea

Privileged containers in Docker are containers that have all the root capabilities of a host machine, allowing the ability to access resources which are not accessible in ordinary containers. In this blog post, Trend Micro explores how running a privileged, yet unsecure, container may allow cybercriminals to gain a backdoor in an organization’s system.

IoT Company Wyze Leaks Emails, Device Data of 2.4M

An exposed Elasticsearch database, owned by Internet of Things (IoT) company Wyze, was discovered leaking connected device information and emails of millions of customers. Exposed on Dec. 4 until it was secured on Dec. 26, the database contained customer emails along with camera nicknames, WiFi SSIDs (Service Set Identifiers; or the names of Wi-Fi networks), Wyze device information, and body metrics.

Looking into Attacks and Techniques Used Against WordPress Sites

WordPress is estimated to be used by 35% of all websites today, making it an ideal target for threat actors. In this blog, Trend Micro explores different kinds of attacks against WordPress – by way of payload examples observed in the wild – and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites.

FPGA Cards Can Be Abused for Faster and More Reliable Rowhammer Attacks

In a new research paper published on the last day of 2019, a team of American and German academics showed that field-programmable gate array (FPGA) cards can be abused to launch better and faster Rowhammer attacks. The new research expands on previous work into an attack vector known as Rowhammer, first detailed in 2014

Emotet Attack Causes Shutdown of Frankfurt’s IT Network

The city of Frankfurt, Germany, became the latest victim of Emotet after an infection forced it to close its IT network. There were also incidents that occurred in the German cities of Gießen, Bad Homburgas and Freiburg.

BeyondProd Lays Out Security Principles for Cloud-Native Applications

BeyondCorp was first to shift security away from the perimeter and onto individual users and devices. Now, it is BeyondProd that protects cloud-native applications that rely on microservices and communicate primarily over APIs, because firewalls are no longer sufficient. Greg Young, vice president of cybersecurity at Trend Micro, discusses BeyondProd’s value in this article.

How MITRE ATT&CK Assists in Threat Investigation

In 2013, the MITRE Corporation, a federally funded not-for-profit company that counts cybersecurity among its key focus area, came up with MITRE ATT&CK™, a curated knowledge base that tracks adversary behavior and tactics. In this analysis, Trend Micro investigates an incident involving the MyKings botnet to show how the MITRE ATT&CK framework helps with threat investigation.

TikTok Banned by U.S. Army Over China Security Concerns

With backlash swelling around TikTok’s relationship with China, the United States Army this week announced that U.S. soldiers can no longer have the social media app on government-owned phones. The United States Army had previously used TikTok as a recruiting tool for reaching younger users,

Mobile Money: How to Secure Banking Applications

Mobile banking applications that help users check account balances, transfer money, or pay bills are quickly becoming standard products provided by established financial institutions. However, as these applications gain ground in the banking landscape, cybercriminals are not far behind.

What security controls do you have in place to protect your home and family from risks associated with children who are new internet users? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Latest Cyber Risk Index Shows Elevated Risk of Cyber Attack and IoT Company Wyze Exposes Information of 2.4M Customers appeared first on .

This Week in Security News: Microsoft vs. Amazon in the Cloud and Escalated Risk in the Oil and Gas Industry

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about cybersecurity risk facing the oil and gas industry and its supply chain. Also, read about what Trend Micro’s CEO, Eva Chen, has to say about Microsoft and Amazon’s battle for cloud leadership.

Read on:

How to Get the Most Out of Industry Analyst Reports

In this video blog, Trend Micro’s Vice President of Cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analysts and help customers understand how to use the information.

Top Gun 51 Profile: Trend Micro’s Jeff Van Natter Sees Distributors as Key to Reaching New Partners

In an interview with Channel Futures, Trend Micro’s Jeff Van Natter explains why he believes distributors will continue to play an important role for Trend as it looks to expand its partner ecosystem.

How to Speed Up a Slow PC Running Windows OS

The first step to improving your Windows PC performance is to determine what’s causing it to run slow. In this blog, learn about eight tips on how to fix a slow PC running Windows and how to boost your PC’s performance.

We Asked 13 Software Execs Whether Microsoft Can Topple Amazon in the Cloud, and They Say There’s a Chance but It’ll Be a Hard Battle

Business Insider talked to 13 executives at companies that partner with Microsoft and Amazon on cloud platforms for their take on the rivalry between the two, and whether Microsoft can win. In this article, read about what Trend Micro CEO Eva Chen has to say about the rivalry.

DDoS Attacks and IoT Exploits: New Activity from Momentum Botnet

Trend Micro recently found notable malware activity affecting devices running Linux. Further analysis of the malware samples revealed that these actions were connected to a botnet called Momentum, which has been used to compromise devices and perform distributed denial-of-service (DDoS) attacks.

Oil and Gas Industry Risks Escalate, Cybersecurity Should Be Prioritized

The oil and gas industry and its supply chain face increased cybersecurity risks from advanced threat groups and others as they continue to build out digitally connected infrastructure, Trend Micro research reveals.

Christmas-Themed Shopping, Game and Chat Apps Found Malicious, Lure Users with Deals

Security researchers caution Android users when downloading apps for shopping, games, and Santa video chats as they found hundreds of malicious apps likely leveraging the season to defraud unwitting victims via command-and-control (C&C) attacks, adware or “excessive or dangerous combinations of permissions,” such as camera, microphone, contacts and text messages.

New Orleans Mayor Declares State of Emergency in Wake of City Cyberattack

New Orleans Mayor LaToya Cantrell declared a state of emergency last Friday after the city was hit by a cyberattack where phishing attempts were detected. Cantrell said the attack is similar to the July 2019 attack on the state level where several school systems in Louisiana were attacked by malware.

Credential Harvesting Campaign Targets Government Procurement Sites Worldwide

Cybersecurity company Anomali uncovered a campaign that used 62 domains and around 122 phishing sites in its operations and targeted government procurement services in 12 countries, including the United States, Canada, Japan, and Poland.

Schneider Electric Patches Vulnerabilities in its EcoStruxure SCADA Software and Modicon PLCs

Schneider Electric released several advisories on vulnerabilities they have recently fixed in their EcoStruxure and Modicon products. Modicon M580, M340, Quantum and Premium programmable logic controllers (PLCs) were affected by three denial of service (DoS) vulnerabilities.

FBot aka Satori is Back with New Peculiar Obfuscation, Brute-force Techniques

Trend Micro recently observed that the Mirai-variant FBot, also known as Satori, has resurfaced. Analysis revealed that this malware uses a peculiar combination of XOR encryption and a simple substitution cipher, which has not been previously used by other IoT malware variants. Additionally, the credentials are not located within the executable binary — instead, they are received from a command-and-control (C&C) server.

15 Cyber Threat Predictions for 2020

As 2020 nears, this article outlines the cyber threats that Trend Micro’s research team predicts will target organizations in the coming year, and why.

Negasteal/Agent Tesla Now Gets Delivered via Removable Drives, Steals Credentials from Becky! Internet Mail

Trend Micro recently spotted a Negasteal/Agent Tesla variant that uses a new delivery vector: removable drives. The malware also now steals credentials from the applications FTPGetter and Becky! Internet Mail.

Into the Battlefield: A Security Guide to IoT Botnets

The internet of things (IoT) has revolutionized familiar spaces by making them smarter. Homes, offices and cities are just some of the places where IoT devices have given better visibility, security and control. However, these conveniences have come at a cost: traditional cyberthreats also found a new arena for attacks and gave rise to realities like IoT botnets.

 

What’s your take on whether or not Microsoft can topple Amazon in the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft vs. Amazon in the Cloud and Escalated Risk in the Oil and Gas Industry appeared first on .

How To Get The Most Out Of Industry Analyst Reports

By Trend Micro

Whether you’re trying to inform purchasing decisions or just want to better understand the cybersecurity market and its players, industry analyst reports can be very helpful. Following our recent accolades by Forrester and IDC in their respective cloud security reports, we want to help customers understand how to use this information.

Our VP of cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analyst reports.

The post How To Get The Most Out Of Industry Analyst Reports appeared first on .

This Week in Security News: December Patch Tuesday Updates and Retail Cyberattacks Set to Soar 20 Percent During 2019 Holiday Season

By Jon Clay (Global Threat Communications)

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the threat campaign Waterbear and how it uses API hooking to evade security product detection. Also, read about December Patch Tuesday updates from Microsoft and Adobe.

Read on:

Waterbear is Back, Uses API Hooking to Evade Security Product Detection

Previously, Waterbear has been used for lateral movement, decrypting and triggering payloads with its loader component. In most cases, the payloads are backdoors that can receive and load additional modules. However, recently Trend Micro discovered a piece of Waterbear payload with a brand new purpose: hiding its network behaviors from a specific security product by API hooking techniques.

Microsoft December 2019 Patch Tuesday Plugs Windows Zero-Day

Microsoft has released today the December 2019 Patch Tuesday security updates. This month’s updates include fixes for 36 vulnerabilities, including a zero-day in the Windows operating system that has been exploited in the wild.

(Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing

Recently, Trend Micro found a cryptomining threat using process hollowing and a dropper component that requires a specific set of command line arguments to trigger its malicious behavior, leaving no trace for malicious activity detection or analysis to reference the file as malicious.

2020 Predictions: Black Hats Begin to Target Facial Recognition Technology

Research interest in defeating facial recognition technology is booming. Adversaries are likely taking notice, but don’t expect widespread adoption overnight. Jon Clay, director of threat communication at Trend Micro, points out that techniques ranging from deep fakes to adversarial machine learning are likely still in an early stage.

US, UK Governments Unite to Indict Hacker Behind Dreaded Dridex Malware

Maksim Yakubets, who allegedly runs Russia-based Evil Corp, the cybercriminal organization that developed and distributed banking malware Dridex, has been indicted in the United States by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).

Trend Micro, McAfee and Bitdefender Top Cloud Workload Security List

Trend Micro, McAfee and Bitdefender were named among the leaders in a new report from Forrester Research on cloud workload security that covered 13 vendors.

BEC Scam Successfully Steals US $1 Million Using Look-Alike Domains

A Chinese venture capital firm lost US $1 million to scammers who successfully came between a deal the firm had with an Israeli startup. The business email compromise (BEC) campaign used by the attackers consisted of 32 emails and look-alike domains to trick both parties of their authenticity.

Retail Cyberattacks Set to Soar 20% in 2019 Holiday Season

As cybercriminals grow more sophisticated and holiday shoppers continue to flock online, researchers warn internet-based retailers could face a 20 percent uptick in cyberattacks this holiday season compared to last year.

Bug in Ryuk Ransomware’s Decryptor Can Lead to Loss of Data in Certain Files

Ryuk’s decryptor tool could cause data loss instead of reinstating file access to users. According to a blog post from Emsisoft, a bug with how the tool decrypts files could lead to incomplete recoveries, contrary to what the decryptor is meant to achieve.

Hacker Hacks Hacking Platform, Gets Paid $20,000 By the Hacked Hackers

HackerOne operates as a conduit between ethical hackers looking for vulnerabilities, and organizations like General Motors, Goldman Sachs, Google, Microsoft, Twitter, and the U.S. Pentagon, want to patch those security holes before malicious threat actors can exploit them. One of the hackers registered with the platform hacked HackerOne instead and was paid $20,000 (£15,250) by HackerOne as a result.

 Trickbot’s Updated Password-Grabbing Module Targets More Apps, Services

Researchers from Security Intelligence have reported on a sudden increase of Trickbot’s activities in Japan, and Trend Micro researchers have found updates to the password-grabbing (pwgrab) module and possible changes to the Emotet variant that drops Trickbot.

Ransomware Recap: Snatch and Zeppelin Ransomware

Two ransomware families with noteworthy features – Snatch and Zeppelin –were spotted this week. Snatch ransomware is capable of forcing Windows machines to reboot into Safe Mode. Zeppelin ransomware, on the other hand, was responsible for infecting healthcare and IT organizations across Europe and the U.S.

Brian Krebs is the CISO MAG Cybersecurity Person of the Year

For the first time, CISO Mag named a Cybersecurity Person of the Year, who is defined as someone who been committed to bringing awareness into the realm of cybersecurity. In addition to recognizing Brian Krebs of KrebsOnSecurity.com, two other individuals were recognized: Trend Micro’s Rik Ferguson, VP of security research, and web security expert Troy Hunt.

Do you think retail cyberattacks will soar higher than 20 percent this holiday season? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: December Patch Tuesday Updates and Retail Cyberattacks Set to Soar 20 Percent During 2019 Holiday Season appeared first on .

❌