Hackers Compromise Microsoft Support Agent to Access Outlook Email Accounts

By: Swati Khandelwal

If you have an account with Microsoft Outlook email service, there is a possibility that your account information has been compromised by an unknown hacker or group of hackers, Microsoft confirmed The Hacker News.

Earlier this year, hackers managed to breach Microsoft’s customer support portal and access information related to some email accounts registered with the company’s Outlook service.

Yesterday, a user on Reddit publicly posted a screenshot of an email which he received from Microsoft warning that unknown attackers were able to access some information of his OutLook account between 1 January 2019 and 28 March 2019.

 Another user on Reddit also confirmed that he/she too received the same email from Microsoft.

According to the incident notification email, as shown below, attackers were able to compromise credentials for one of Microsoft’s customer support agents and used it to unauthorisedly access some information related to the affected accounts, but not the content of the emails or attachments.

microsoft outlook email hacked

The information that a Microsoft’s customer support agent can view is limited to account email addresses, folder names, subject lines of emails, and the name of other email addresses you communicate with.

US Government Warns of New North Korean Malware

By: Phil Muncaster

Officials at the US Department of Homeland Security (DHS) have issued another warning about North Korean malware, this time a new variant dubbed “Hoplight.”

The backdoor trojan malware is linked to the notorious Hidden Cobra group, also known as the Lazarus Group.

“This artifact is a malicious PE32 executable. When executed the malware will collect system information about the victim machine including OS version, volume information, and system time, as well as enumerate the system drives and partitions,” the alert warned.

“The malware is capable of the following functions: Read, Write, and Move Files; Enumerate System Drives; Create and Terminate Processes; Inject into Running Processes; Create, Start and Stop Services; Modify Registry Settings; Connect to a Remote Host; Upload and Download Files.”

The malware uses a public SSL certificate for secure communications from South Korean web giant Naver, and employs proxies to obfuscate its activity.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” the report claimed.

This is the latest in a long line of alerts warning of new North Korean malware, now in the double-digits.

It urges IT teams to follow best practices in cybersecurity including keeping systems and AV tools up-to-date and patched, disabling file and printer sharing, enforcing strong passwords, restricting user permissions, scanning for suspicious email attachments and more.

More: https://www.infosecurity-magazine.com/news/us-government-warns-north-korean-1-1/

Global Threat Statistics for the week of March 22, 2019

By: Julia Sowells

PayPal Phishing Casts a Wide Net

One of the most successful phishing methods is to co-opt a well-respected brand. PayPal topped the list by a wide margin in a recent analysis of over 100 million endpoints by Comodo Threat Intelligence Lab. PayPal was impersonated in 39% of all such attacks, with Microsoft a distant second at 20%.

Sharing this information is important so that your users know to be more vigilant if they get an email or alert, supposedly from PayPal, Microsoft, or the others in this chart. Some of these phishing websites look quite authentic and may fool even security-minded users. This type of information is a great addition to your security awareness program.

Top Brands co-opted for phishing websites

The scale at which these attacks are being deployed is evident in the number of web pages using this type of attack. This analysis discovered 61,767 web pages impersonating these brands for the purpose of phishing. Just over half were taken down by the time this article was written. That still leaves almost 30,000 malicious web pages to lure your users.

6 characteristics that make brands good targets for phishing impersonation

1. Registered user accounts

Brands that have hundreds of thousands of registered user accounts are an inviting target for cybercriminals. Consider, for example, PayPal with 267 million registered user accounts. If an attacker can send phishing emails to 1% of them, that’s 2.67 million chances that a user will click on a link that brings that user to their malicious website. If just 1% of those users click that link, they get 26,700 accounts that they have compromised.

2. Trusted brand

When dealing with a trusted brand, people tend to let their guard down. If a phishing website impersonates a trusted brand well enough, that lower level of user vigilance increases the chances of a successful attack.

3. Access to money

In most cases, this is the ultimate goal. There are other motivations such as hacktivism or cyber warfare.

More: https://hackercombat.com/global-threat-statistics-for-the-week-of-march/

FIN6 Shifts From Payment Card Theft to Ransomware

By: Scott Ferguson

FIN6, a cybercrime group that has focused on attacking point-of-sale devices to steal credit card numbers, now also is waging ransomware attacks that target businesses with either LockerGoga or Ryuk, according to a new analysis from security firm FireEye.

Since 2016, FIN6 has been stealing credit card data to sell on the darknet to other groups looking to commit fraud. By targeting the hospitality and retail industries, the group is believed to have collected about 20 million payment cards worth $400 million, FireEye reports.

Security researchers at several firms, including IBM, have concluded that FIN6 has ties to Russia.

Now, FIN6 – or at least some members associated with cybercriminal gang – have begun to switch tactics, deploying ransomware throughout the networks that they are attacking, FireEye researchers note in a blog.

Newer Ransomware Strains

One strain of ransomware that FIN6 is using, according to FireEye, is Ryuk, which was used against the Chicago-based Tribune Publishing company in late 2018. The other is Lockergoga, the ransomware used against the Norwegian firm Norsk Hydro in March, causing at least $40,000 in financial damage. It’s also suspected in other attacks in Europe and the U.S., according to security researchers.

The reason for using these newer strains of ransomware might be that the FIN6 group is attempting to evade security protections that have been put in place to guard against more well-known, widely deployed malware, FireEye tells Information Security Media Group.

“Given that this ransomware is being manually deployed post-compromise and needs only the barest functionality (encrypt files, drop ransom note, evade anti-malware protections), the benefit of using a malware that is largely unknown and for which anti-malware detections are poor likely outweighs the benefit of [using other] well-known ransomware that may be better detected or integrate unnecessary functionality,” FireEye says in a statement provided to ISMG. “FIN6 may believe that Ryuk and LockerGoga have lower prevalence and therefore might be less likely to be detected.”

The report also notes: “FireEye has observed what appears to be a gradual decline in the volume of FIN6-attributable point-of-sale intrusions preceding this shift, but we can definitely not rule out the possibility that this activity is ongoing in parallel. FIN6 typically monetizes intrusions. Targeting payment card data limits the scope of potential targets and requires additional time and resources.”

More: https://www.bankinfosecurity.com/report-fin6-shifts-from-payment-card-theft-to-ransomware-a-12358

Fake Malware Tricks Radiologists Diagnosing Cancer

By: Kacy Zurkus

With the use of deep learning, researchers Yisroel Mirsky, Tom Mahler, Ilan Shelef and Yuval Elovici at Cyber Security Labs at Ben-Gurion University demonstrated in a video proof of concept (PoC) that an attacker could fool three expert radiologists by falsifying CT scans, inserting or removing lung cancer, the Washington Post reported.

“In 2018, clinics and hospitals were hit with numerous cyber attacks leading to significant data breaches and interruptions in medical services,” the researchers wrote. “Attackers can alter 3D medical scans to remove existing, or inject non-existing medical conditions. An attacker may do this to remove a political candidate/leader, sabotage/falsify research, perform murder/terrorism, or hold data ransom for money.”

Using a test dummy to highlight the vulnerabilities in picture archiving and communication systems (PACS), researchers demonstrated that 98% of the times they injected or removed solid pulmonary nodules, they were able to fool radiologists and state-of-the-art artificial intelligence (AI).

“I was quite shocked,” Nancy Boniel, a radiologist in Canada who participated in the study, told the Washington Post. “I felt like the carpet was pulled out from under me, and I was left without the tools necessary to move forward.”

According to the PoC, researchers built a man-in-the-middle device to use the method of attack that penetration testers demonstrated in a hospital. The researchers gained access to the radiologist’s workstation and the CT scanner room after the cleaning staff opened the door for them. In a matter of 30 seconds, they installed a device running a fake malware designed to inject or remove images.

Once installed, the attackers returned to the waiting room, where they had remote wireless access and were able to intercept and manipulate CT scans, which were not encrypted.

More: https://www.infosecurity-magazine.com/news/fake-malware-tricks-radiologists-1/

ENTREVISTA: ALEXANDRE VASCONCELOS / COO – Diretor de Operações da SIKUR

By: Sina

Pane nas redes sociais, invasões, venda de dados, privacidade existe?

Convidamos um especialista em segurança em tecnologia para falar sobre o tema que cada vez mais fica em evidencia e rodeado de escândalos.

Alexandre Vasconcelos é executivo de Tecnologia com mais de 20 anos de experiência em engenharia, produto e vendas na indústria de TIC, desde pequenos Integradores e Revendas a Multinacionais. Bacharel em Ciência da Computação e com MBA de Governança de TI. Atualmente gerencia as Operações da *Sikur, conduzindo seus recursos e otimizando as habilidades das pessoas, conduz o trabalho da equipe de P&D em projetos existentes e de inovação, alinhando o posicionamento estratégico da empresa com as necessidades de mercado e suas tendências. Confira a entrevista:

REDE SINA – Em março houve uma pane nas redes sociais, facebook, whats, instagram pararam. Há quem diga que foi para que fotos do massacre em Suzano não fossem circuladas. O que pensam a respeito? Quais as possíveis causas da pane?

ALEXANDRE VASCONCELOS – Nos dias de hoje a infraestrutura de rede em nuvem dos vários provedores disponíveis pelo planeta é bem madura e capaz de atender aos mais diferentes níveis de carga de acesso, inclusive com redundância geográfica. Eventos recentes, como esta pane parcial nas redes sociais, certamente foi causada por erro humano. Alguns sites noticiaram erro de configuração de um servidor que acabou causando um pequeno transtorno nestes serviços.

REDE SINA- Em março de 2018, foi noticiado que a empresa Cambridge Analytica teria comprado acesso a informações pessoais de mais de 50 milhões de usuários do Facebook e usado esses dados para criar um sistema que permitiu predizer e influenciar as escolhas dos eleitores nas urnas, segundo a investigação dos jornais The Guardian e The New York Times. Em setembro de 2018, o Facebook sofreu um ataque em sua rede de computadores que afetou 50 milhões de pessoas. A rede social deslogou 90 milhões de usuários, forçando-os a fazer login de novo. O que pensam a respeito destes casos?

A.V – Casos como estes tem motivado países (ou até mesmo blocos inteiros, como a União Europeia) a criarem legislações específicas para proteção de dados dos usuários, com penalidades altíssimas. Na União Europeia já está em vigor a GDPR (General Data Protection Regulation), nos USA o Estado da Califórnia elaborou a CCPA (California Consumer Privacy Act) e o Brasil não ficou atrás e publicou a LGPD (Lei Geral de Proteção de Dados). Estas leis/regulamentos tendem a incentivar outras nações a seguirem na mesma direção, no sentido de valorizar a privacidade e propriedade dos dados de seus usuários, criando mecanismos para impedir que compra e venda de informações por parte de terceiros mal intencionados.

REDE SINA – O sobre o comércio “legal” e ilegal da venda de dados?

A.V – Estamos sempre em conformidade com legislação vigente, se algo é ilegal deve ser devidamente tratado pelas autoridades competentes. No que diz respeito ao comércio “legal” de informações é fundamental ter clareza do que se compra e do que se vende e que ambas as partes atentem ao que é ou não permitido nas regiões em que atuam.

REDE SINA – Aplicativos como whats app dizem usar um sistema criptografado. É seguro, pode ser invadido? Eles podem vender dados assim mesmo?

A.V – Em linhas gerais, aplicativos como o WhatsApp oferecem um sistema de criptografia bem robusto e bem difíceis de serem quebrados. No entanto, é importante mencionar que nem sempre sistemas gratuitos oferecem a robustez de um sistema corporativo desenhado e preparado para atender demandas específicas e com suporte adequado. Com sistemas gratuitos é importante prestar atenção aos termos de uso, pois geralmente incluem cláusulas que possibilitam o compartilhamento de informações com terceiros ou dentro do mesmo grupo de empresas que detém os direitos sob o App, o que acaba abrindo brechas para perda de privacidade.

REDE SINA – Nas eleições do ano passado do Brasil, houve muita polêmica a respeito do uso dos whats app e redes sociais. Disparos em massa pra milhares de pessoas. Fake news. Perfis fakes. É possível prevenir situações como essa?

A.V – Em sistemas abertos como o WhatsApp esse tipo de controle é bem difícil de ser feito, a não ser que o próprio sistema imponha limitação para o envio de informações em massa. As “Fake News” e perfis falsos também são bem difíceis de serem minimizados, uma vez que os infratores não são devidamente penalizados. O fato de que literalmente todas as pessoas com acesso a Internet têm a possibilidade de criar e compartilhar notícias, apesar da legislação prever proteção de situações como calúnia e difamação, já dificulta o controle; o mesmo acontece com perfis falsos, apesar de existirem meios para se investigar e identificar quem gerou o perfil e notícias falsas. Na medida em que leis específicas para este tipo de situação delituosa sejam implementadas – e efetivamente cumpridas – este tipo de situação tende a diminuir.

REDE SINA- Como pensar uma eleição justa com a tecnologia que há hoje?

A.V – A tecnologia nada mais é do que uma ferramenta para facilitar e otimizar o processo eleitoral, com possibilidades de também conferir maior segurança. Por meio do uso adequado da tecnologia a democracia pode ser exercida em sua plenitude, proporcionando liberdade para que todos façam suas escolhas de maneira independente.

REDE SINA – Nossos aparelhos nos escutam? Por que? Para que? É possível evitar? Como?

A.V – Sempre existe a possibilidade dos aparelhos escutarem seus usuários, seja por meio de aplicativos espiões (instalados voluntariamente ou não pelo usuário), bem como por parte da operadora de telefonia a qual nos conectamos. Por isso é fundamental utilizar Aplicativos e dispositivos – como o SIKURPlatform e SIKURPhone – que garante a integridade das informações, não importando por onde passem ou sejam armazenadas.

REDE SINA – Existe privacidade na internet? É possível ter segurança em e-mail, redes sociais? como? Qual o diferencial da Sikur para demais empresas de segurança? Vocês oferecem um app e um aparelho totalmente criptografado. Já houveram tentativas de invasão? Como aperfeiçoam o sistema? Quais são os projetos da Sikur no Brasil?

A.V – É possível ter privacidade na Internet, seguindo uma série de boas práticas que profissionais de segurança frequentemente recomendam, como o uso de senhas fortes, não repetir senhas entre serviços diferentes e usar um segundo fator de autenticação, quando disponível. Além disso, o uso de produtos que ofereçam suporte especializado e garantia de privacidade sempre serão as melhores escolhas.

No que tange às redes sociais, cada uma delas possui mecanismos que ajudam a melhorar a privacidade, mas o que realmente faz diferença e ser seletivo com o tipo de informação que se publica nestes espaços, muitas pessoas disponibilizam informações confidenciais e revelam suas rotinas e dia a dia, desta forma não há privacidade que resista a qualquer tecnologia.

O diferencial da Sikur está na oferta de uma plataforma completa de comunicação segura, pronta para atender governos e corporações em seus mais diversos níveis. A plataforma, que é totalmente integrada entre dispositivos Android, iOS, Windows e o SIKURPhone, um telefone com um sistema operacional seguro, capaz de proteger as informações do usuário nos mais diversos níveis, com várias camadas de segurança.

Em sendo uma empresa que oferece produtos de segurança da informação sofremos ataques constantes, mas seguimos também desenvolvendo e utilizando as melhores práticas de mercado e implementando mecanismos para nos proteger de situações como estas.

Para o Brasil temos um mercado bem amplo a ser conquistado, nossa estratégia é fazer isso por meio dos nossos Integradores. Com eles estamos presentes em vários Estados brasileiros e buscando e conquistando novos contratos em entidades governamentais e no setor privado.

More: http://redesina.com.br/entrevista-alexandrevasconcelos-coo-diretor-de-operacoes-da-sikur/

Planet Hollywood Owner Suffers Major POS Data Breach

By: Phil Muncaster

Earl Enterprises, the parent company of Planet Hollywood and other US restaurant chains, has admitted suffering a 10-month breach of customer payment card data.

The firm said in a notice on Friday that hackers installed POS malware at a number of restaurants including those operating under the brand names Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria.

“The malicious software was designed to capture payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder name,” it explained.

“Although the dates of potentially affected transactions vary by location, guests that used their payment cards at potentially affected locations between May 23, 2018 and March 18, 2019 may have been affected by this incident. Online orders paid for online through third-party applications or platforms were not affected by this incident.”

There was no indication from the hospitality firm how many customers had been affected, but reports suggest it could be over two million.

Security researcher Brian Krebs has claimed that the breach is linked to the appearance of 2.15 million stolen cards on the dark web back in February.

More: https://www.infosecurity-magazine.com/news/planet-hollywood-owner-major-pos-1/

Remote Execution Vulnerability in CISCO IP Phone 7800 Series and 8800 Series

By: Information Security Newspaper

A vulnerability in the web based management interface of the Session Initiation Protocol (SIP) Software on the Cisco IP Phone 7800 Series and the Cisco IP Phone 8800 Series could allow a non-authenticated remote attacker to generate a denial of service (DoS) condition or execute arbitrary code, mentioned experts from the best ethical hacking Institute, in conjunction with specialists from the International Institute of Cyber Security.

The vulnerability exists because the software poorly validates the input provided by the user during the authentication process. According to reports, a hacker could exploit this flaw by connecting to an affected device using HTTP and delivering malicious user keys.

If successful, the attacker could activate a reload on the affected device, thereby generating a denial-of-service condition, or could execute arbitrary code using the user privileges of the application, said the experts from the best ethical hacking Institute. The company has already released software updates to fix this vulnerability. Other risk mitigation methods are not known at the time of writing.

According to the experts from the best ethical hacking Institute, the vulnerability affects Cisco IP Phone 7800 Series and 8800 Series products, as these devices run the SIP software from earlier versions.

More:https://www.securitynewspaper.com/2019/03/22/remote-execution-vulnerability-in-cisco-ip-phone-7800-series-and-8800-series/

Israeli Fintech Firms Targeted by Cardinal RAT Malware

By: Kevin Jones

According to a blog post from threat research department Unit 42 of cyber security company Palo Alto Networks published on March 19, an upgraded cardinal RAT malware targets Israeli fintech companies that work with forex and crypto trading.

Since April 2017, Cardinal RAT has been identified when examining attacks against two Israel-based fintech companies engaged in developing forex and crypto trading software. Per the report, Unit 42 first encountered an older version of the malware in question, the software is a Remote Access Trojan (RAT), allows the attacker to remotely take control of the system.

This updated malware hinders its analysis and evades detection. The researchers explain the complicated techniques employed by the malware, though the payload does not vary significantly compared to the original in terms of modus operandi or capabilities.

The malware acts as a reverse proxy and collects victim data, executes commands, updates the settings, and even uninstalls itself. It then recovers passwords, logs keypresses, downloads and executes files, captures screenshots, updates itself and cleans cookies from the browsers. Unit 42 noted the malware attacks employing who is engaged in forex and crypto trading, and based in Israel.

A possible connection between Cardinal RAT and a JavaScript-based malware called EVILNUM was discovered. The research team feels that it is used in attacks on similar organizations. When looking at files submitted by the same customer Unit 42 reportedly identified EVILNUM. It proves somewhat like that this malware is used in attacks against fintech organizations.

More: https://hackercombat.com/israeli-fintech-firms-targeted-by-cardinal-rat-malware/

Keep it simple, keep it safe—the importance of lean software for secure vehicles

By: Automotive World

Each additional line of code creates new potential for cyber attackers to find a way in to the system. Freddie Holmes finds out how a diet could be in store for automotive software as the industry cracks down on complexity

Many premium vehicles on sale today now contain more software than a commercial aircraft, in some cases exceeding 100 million lines of code. The number of electronic control units (ECUs) in modern cars has soared, bringing swathes of new functionalities to consumers. Worryingly, it has also created opportunities for hackers to tamper with critical driving functions, with potentially dire consequences.

In an effort to reverse the trend, the industry has embarked on a strategy to reduce the number of ECUs within new vehicles and cut back on unnecessary coding. It has seen automakers and suppliers alike place cyber security as a top priority moving forward. Indeed, while California-based Green Hills Software (GHS) has its roots in the aerospace and defence sectors, automotive has quickly become the company’s largest market segment.

Software overload

Software currently dominates the rhetoric within automotive as the introduction of connected and automated features ramps up. ECUs have been added at will to support these technologies, but it has raised concern within the cyber security community. “Some people would say the trend was out of control,” said Joe Fabbre, Director of Platform Solutions at GHS. “In recent years, manufacturers would add another ECU every time a new function was introduced to a vehicle.”

A similar trend can be seen with connectivity. In the cockpit, digital dashes are fast becoming the norm in upmarket models—consider Audi’s Virtual Cockpit and the Peugeot i-Cockpit, for example. “There has been a rush to get systems internet-connected in order to provide additional services. At the same time, self-driving computers have also arrived,” said Fabbre. With a mix of safety-critical and entertainment-focussed software now running alongside each other, vehicles have become increasingly vulnerable. “Not enough thought has been put into the security architecture of the overall system. Luckily, we have not seen any malicious hacks in the wild, but researchers have proven that it is possible to perform remote attacks on these connected computers that now reside in cars.”

More: https://www.automotiveworld.com/articles/keep-it-simple-keep-it-safe-the-importance-of-lean-software-for-secure-vehicles/