A malware attack against accounting software giant Wolters Kluwer is causing a ‘quiet panic’ at accounting firms

By: Kate Fazzini

A malware attack on Wolters Kluwer, a popular tax and accounting software platform, has left many in the accounting world unable to work this week and sparked concerns about the security of the tax return and financial information stored on the company’s cloud servers.

Wolters Kluwer provides software and services to all of the top 100 accounting firms in the U.S., 90% of top global banks and 93% of Fortune 500 companies, according to its website. Many of its tax and accounting services, as well as vital storage services, have been down since early Monday morning, leaving customers unable to work or to access client tax returns and personal information during a busy filing period (taxes for non-profit organizations are due May 15). The approximately $4.8 billion company is headquartered in the Netherlands.

While the company did not comment on how many of its customers were impacted by the downtime, CNBC spoke to accountants and cybersecurity specialists across the U.S., from the biggest firms down to independent operations, who described significant and ongoing problems accessing their customers’ data. One accountant at a large, Midwest-based accounting firm said that the accounting world was in a “quiet panic” over the attack. This person requested anonymity to protect his clients.

“We have a really close relationship with our customers, and we understand that this situation impacted their day-to-day work,” Elizabeth Queen, vice president of risk management for Wolters Kluwer, told CNBC. “We’re working around the clock to restore service, and we want to provide them the assurance that we can restore service safely. We’ve made very good progress so far.” Queen said the company has contacted authorities and third-party forensic teams to investigate the incident.

Queen reiterated a written statement issued yesterday by the company, which said “We have seen no evidence that customer data was taken or that there was a breach of confidentiality of that data. Also, there is no reason to believe that our customers have been infected through our platforms and applications. Our investigation is ongoing.”

Difficult communication and inaccessible data

The attack started around 8am Eastern Time on Monday. Queen said she could not yet release information on the specific type of attack against the company. But the incident is reminiscent of the NotPetya ransomware attacks of 2017, which spread quickly throughout firms, knocking out services including voice and email, and rendering huge databases of documents inaccessible.


More: https://www.cnbc.com/2019/05/08/wolters-kluwer-accountingom-may-6-cyberattack/

‘LightNeuron’ backdoor receives secret commands via Microsoft Exchange email servers; Russian link suspected

By: Bradley Barth

Researchers have uncovered what they say is the very first malware to achieve persistence in Microsoft Exchange email servers, which allows attackers to secretly execute commands via malicious emails featuring attachments with hidden code.

Dubbed LightNeuron, the furtive backdoor has been targeting Exchange servers since at least 2014, according to a blog post from ESET, whose researchers have provisionally linked the threat to the Russian cyber espionage group Turla. ESET discovered the backdoor on three victims: an unidentified Brazilian organization, a Ministry of Foreign Affairs in Eastern Europe and a regional diplomatic organization in the Middle East.

In addition to the confirmed Windows-based version, ESET believes there may be a Linux variant in use as well, based on artifacts turned up during its investigation.

The key to LightNeuron’s persistence technique is its ability to leverage “transport agents,” which according to Microsoft are tools that let users install custom software on Exchange servers and then process email messages that pass through the transport pipeline. These Transport Agents are granted the same level of trust as spam filters and other security products, ESET explains, which makes a successful infection all the more dangerous and hard to detect.

Using XML-based rules, a LightNeuron Transport Agent can interfere with a victim’s emails in a variety of ways — blocking them; composing and sending new ones; modifying their content, subjects and recipients; replacing attachments and more.

But the attackers can do much more than alter emails. They can also send commands via the compromised Exchange server, enabling them to write and launch executables and processes, delete or exfiltrate sensitive files and essentially control local machines through the malware’s command-and-control infrastructure.

To achieve this, the attackers simply send an email with a specially crafted PDF document or JPG image to any email address belonging to the infected organization. The commands inside these attached documents are hidden using steganography techniques.

“Once an email is recognized as a command email, the command is executed and the email is blocked directly on the Exchange server. Thus, it is very stealthy and the original recipient will not be able to view it,” states the blog post, authored by ESET researcher Matthieu Faou. Faou also penned an accompanying white paper that further details the threat.
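As a defender-side check prompted by the transport-agent mechanism described above, the following is an added example for the Exchange Management Shell; it is not code from the article or from ESET. It lists the registered transport agents with `Get-TransportAgent`, compares each name against a baseline you record from a known-clean server of the same Exchange version (the two names in the list are placeholders to replace with your own), and reports the factory class, on-disk assembly path and SHA-256 hash of anything outside the baseline so it can be verified. It assumes the agent objects expose the `TransportAgentFactory` and `AssemblyPath` properties, as they do when an agent is piped to `Format-List`.

```powershell
# Added example: audit registered Exchange transport agents against a baseline.
# Run in the Exchange Management Shell on each transport server.

# Baseline: agent names recorded from a known-clean server of the same
# Exchange version. Placeholder entries; replace with your own list.
$Baseline = @(
    'Transport Rule Agent',
    'Malware Agent'
)

# Any agent whose name is not in the baseline is worth a closer look.
$Unexpected = Get-TransportAgent |
    Where-Object { $Baseline -notcontains [string]$_.Identity }

foreach ($Agent in $Unexpected) {
    # Fetching the agent by identity gives the full object, including the
    # factory class and the assembly path (assumed property names, see lead-in).
    $Detail = Get-TransportAgent -Identity ([string]$Agent.Identity)

    $Hash = $null
    if ($Detail.AssemblyPath -and (Test-Path $Detail.AssemblyPath)) {
        # Hash the DLL so it can be compared with vendor-published values.
        $Hash = (Get-FileHash -Path $Detail.AssemblyPath -Algorithm SHA256).Hash
    }

    [PSCustomObject]@{
        Identity     = [string]$Detail.Identity
        Enabled      = $Detail.Enabled
        Priority     = $Detail.Priority
        Factory      = $Detail.TransportAgentFactory
        AssemblyPath = $Detail.AssemblyPath
        SHA256       = $Hash
    }
}
```

An unexpected agent is not by itself proof of compromise: legitimate anti-spam, DLP and archiving products also register transport agents. Record the path and hash, confirm them with the vendor, and compare them against any indicators published for this threat before disabling anything.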

More: https://www.scmagazine.com/home/security-news/lightneuron-backdoor

Binance Hacked — Hackers Stole Over $40 Million Worth Of Bitcoin

By: Mohit Kumar

Binance, one of the largest cryptocurrency exchanges in the world, confirmed today that the company lost nearly $41 million in Bitcoin in what appears to be its largest hack to date.

In a statement, Binance’s CEO Changpeng Zhao said the company discovered a “large scale security breach” earlier on May 7, as a result of which hackers were able to steal roughly 7,000 bitcoins, worth about $40.6 million at the time of writing.

News of the hack comes just hours after Zhao tweeted that Binance has “to perform some unscheduled server maintenance that will impact deposits and withdrawals for a couple of hours.”

According to the company, malicious attackers used a variety of attack techniques, including phishing and computer viruses, to carry out the intrusion and were able to breach a single BTC hot wallet (a cryptocurrency wallet that’s connected to the Internet), which contained about 2% of the company’s total BTC holdings, and withdraw stolen Bitcoins in a single transaction.

What’s more disturbing is that the company admitted the hackers managed to get their hands on user critical information, such as API keys, two-factor authentication codes, and potentially other information, which is required to log in to a Binance account.

Zhao also warned that “hackers may still control certain user accounts and may use those to influence prices.”

Fortunately, the Binance cold storage—the offline wallets where the majority of funds are kept—remains secure. Also, Internet-connected individual user wallets were not directly affected.

More: https://thehackernews.com/2019/05/binance-cryptocurrency-hacked.html?m=1

Chinese Hackers Used NSA Hacking Tools Before Shadow Brokers Leaked Them

By: Swati Khandelwal

In a shocking revelation, it turns out that a hacking group believed to be sponsored by Chinese intelligence had been using some of the zero-day exploits linked to the NSA’s Equation Group almost a year before the mysterious Shadow Brokers group leaked them.

According to a new report published by cybersecurity firm Symantec, a Chinese-linked group, which it calls Buckeye, was using the NSA-linked hacking tools as far back as March 2016, while the Shadow Brokers dumped some of the tools on the Internet in April 2017.

Active since at least 2009, Buckeye—also known as APT3, Gothic Panda, UPS Team, and TG-0110—is responsible for a large number of espionage attacks, mainly against defence and critical organizations in the United States.

Although Symantec did not explicitly name China in its report, researchers have previously attributed [1,2], with a high degree of confidence, the Buckeye hacking group to an information security company called Boyusec, which works on behalf of the Chinese Ministry of State Security.

Symantec’s latest discovery provides the first evidence that Chinese state-sponsored hackers managed to acquire some of the hacking tools, including EternalRomance, EternalSynergy and DoublePulsar, a year before they were dumped by the Shadow Brokers, a mysterious group that’s still unidentified.

According to the researchers, the Buckeye group used its custom exploit tool, dubbed Bemstour, to deliver a variant of DoublePulsar backdoor implant to stealthily collect information and run malicious code on the targeted computers.

The Bemstour tool was designed to exploit two then-zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) in Windows to achieve remote kernel code execution on targeted computers.

More: https://thehackernews.com/2019/05/buckeye-nsa-hacking-tools.html

TinyPOS: Handcrafted Malware in Assembly Code

By: Kacy Zurkus

Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint.

Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the malware TinyPOS.

Of the samples analyzed, 95% were loaders used to distribute malware to systems. In addition, researchers found that system compromises can go months without detection due to the small code size (2.7 KB). Though researchers suggested that protecting against these attacks is not difficult, the issue for many organizations is that they are running old, outdated POS software and hardware, where a compromise can do a lot of damage.

The samples were grouped into four categories: loaders, mappers, scrapers and cleaners, wrote Robert Neumann, senior security researcher at Forcepoint. “The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.”

That attackers target POS systems is nothing new, particularly because they collect large amounts of personal data. Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, said that because of their vulnerabilities POS systems have long been a prime target for cyber-criminals.

More: https://www.infosecurity-magazine.com/news/tinypos-handcrafted-malware-in-1/

Vodafone Found Hidden Backdoors in Huawei Equipment

By: Daniele Lepido

While the carrier says the issues found in 2011 and 2012 were resolved at the time, the revelation may further damage the reputation of a Chinese powerhouse.

For months, Huawei Technologies Co. has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and has threatened to enable Chinese spying through the telecom networks it’s built across the West.

Now Vodafone Group Plc has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess.

Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show. Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said. The people asked not to be identified because the matter was confidential.

More: https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment

The future of POS – weaknesses – part 1

By: Alexandre Vasconcelos

Fraud involving POS (Point of Sale) machines has become increasingly common and frequent; regardless of how one interacts with the machine, fraudsters develop sophisticated techniques to obtain illicit gains.

The retail market, from the small merchant to the big chains, is one of the main targets of the moment. According to a 2017 study conducted by the Ponemon Institute, small businesses are a major target for hackers; on average, $1.2 billion was spent by these organizations because of problems in their operations caused by security failures, and 61% of them suffered some kind of cyber attack in the last 12 months.

Alongside this, payment methods have been undergoing significant transformations. The introduction of *Pay (Apple, Google and Samsung) into the Brazilian market (2) brought new ways of carrying out credit and debit transactions via NFC (Near Field Communication) and MST (Magnetic Secure Transmission, proprietary to Samsung) by holding a smartphone near the POS machine. However, these are only the starting point for even more intensive uses of this kind of technology, which could still be widely exploited in the financial market, for example.

The adoption of technologies that make payment methods easier and bring them to the masses is a movement with no way back, since it is a natural advance, just as has happened in countless other areas that also developed and progressed. However, there is a weak link in this chain that has received little attention so far: the POS. The technology behind these little machines is relatively simple; their hardware is low-capacity and cheap, which makes their mass adoption much easier. There are clear and very well-designed security rules and regulations so that these machines and their proprietary systems offer good levels of security, protecting the data of the customers who insert their cards into them and enter their PINs. But how secure are these machines, really?

More: http://tiinside.com.br/tiinside/seguranca/artigos-seguranca/23/04/2019/o-futuro-do-pos

Five trends for the telecommunications sector in Latin America

By: Hector Silva

Technology and the ways we interact with it are constantly changing. With 2019 already under way, I highlight here five predictions for the technology and telecommunications sectors in Latin America and what we can expect.

Faster and more efficient network operations thanks to intelligent automation

Networks are becoming smarter thanks to more proactive network advances. Although many operators in Latin America continue to rely on old processes and work reactively, new technological progress is creating networks and systems capable of predicting failures and making changes without the need for human intervention, even before the problem happens. This is a fundamental step toward a true Adaptive Network™, which increases efficiency, reduces costs and helps operators achieve the expected results even in the face of constant changes in demand.

Intelligent automation also generates savings in the processes of launching products on the market, which is in itself a major differentiator against the competition. Instead of depending on individuals to find errors in the system, automated workflows responsible for identifying system errors have already helped Ciena save 67% in operating costs, increase revenue acceleration by 15% and achieve return on investment 5.4 times faster.

First steps toward 5G and slicing the pie

Verizon will be one of the first mobile network operators in the world to offer commercial 5G this year. The latest generation of mobile network will focus on a wide variety of new technologies, among them SDN, NFV, intelligent automation and analytics. One of the main features of 5G will be “slicing” the physical network to guarantee end-to-end network performance for critical services, such as smart cities and virtual and augmented reality. Although commercial 5G services in Latin America are years away, the long journey to 5G can begin now with the deployment of the necessary technologies.

Emergency response communication services may receive a “slice of the pie” of 5G to guarantee that those networks never fail. This will be an essential tool for smart cities, as it will give priority to essential services. 5G is believed to be the biggest innovation in the telecommunications sector of the next decade, and the more operators move today, the easier the transition will be in the future.

Growing need to protect physical data

Latin America has never suffered as many cyber attacks as in 2018. Executives in the sector are starting to realize the size of the risk posed by these attacks and other kinds of malware, and are strengthening their security policies to protect sensitive data. Chile’s main financial institutions were victims of major cyber attacks and lost millions of dollars in the process. Other countries such as Colombia, Ecuador, Mexico and Venezuela are increasingly frequent targets of malware attacks: according to an ESET study, 45% of companies in those countries have already been affected.

Discussions around network security and data security should gain even more momentum in 2019, especially regarding the need to develop new network protections. Organizations need to use comprehensive security methods to guarantee the confidentiality, integrity and availability of the data on their networks. To avoid so many cyber threats, it will be necessary to strengthen anti-phishing policies and introduce encryption and other security measures, such as two-factor authentication. Although useful for achieving greater efficiency and optimization, Artificial Intelligence (AI) is also being used by cyber criminals to steal information. At the same time, using the technology at the right points in the network can detect mutations of old malware code and help mitigate attacks. End-to-end encryption will become ever more important for protecting privacy and information security, and will be used for all data transferred over fiber-optic networks.

More: http://tiinside.com.br/tiinside/services/20/04/2019/cinco-tendencias

Car2go vehicle theft in Chicago probed by police

By: David Muller

The Chicago Police Department said late Wednesday it was notified by Car2go that some of the company’s vehicles may have been rented by deceptive or fraudulent means through a mobile app.

Daimler North America subsidiary Car2go is dealing with an apparent raft of vehicle thefts in Chicago and suspended the app-based service while a police investigation is underway.

“Due to the information provided by the company, numerous vehicles have been recovered and persons of interest are being questioned,” the department said in the statement, adding 100 vehicles remain unaccounted for.

The department said 50 Mercedes-Benz vehicles remain in the Chicago area and that “over a dozen persons of interest are being questioned.”

Police said the vehicle recoveries appeared to be isolated to the city’s West Side.

A Daimler spokesman said in an email the company is working with Chicago law enforcement “to neutralize a fraud issue.”

“No personal or confidential member information has been compromised,” Daimler spokesman Michael Silverman said. “Out of an abundance of caution and safety for our members and Chicago fleet support teams we are temporarily pausing our Chicago service. We will provide an update as soon as possible, and we of course apologize to our Chicago members for the inconvenience.”

Silverman, asked whether any vehicles had been stolen, as initially reported by one news outlet, declined to comment on “an active police investigation.”

The Car2go app allows users on-demand access to a network of eco-friendly Mercedes-Benz and Smart vehicles. The company launched in the U.S. in 2009 with a fleet of Smart ForTwo vehicles. It added Mercedes-Benz CLA and GLA vehicles to its fleet in 2017.

In January, the company said it had 3.6 million members worldwide in 2018, a rise of 21 percent from the previous year. At the time, Chicago was its newest location and had more than 10,000 members sign on since the Windy City launch in July.

Car2go’s global fleet in January totaled nearly 14,000 vehicles in 25 locations in North America, Europe and Asia.

More: https://www.chicagobusiness.com/transportation/car2go-vehicle-theft-chicago-probed-police

Hackers Compromise Microsoft Support Agent to Access Outlook Email Accounts

By: Swati Khandelwal

If you have an account with Microsoft’s Outlook email service, there is a possibility that your account information has been compromised by an unknown hacker or group of hackers, Microsoft confirmed to The Hacker News.

Earlier this year, hackers managed to breach Microsoft’s customer support portal and access information related to some email accounts registered with the company’s Outlook service.

Yesterday, a user on Reddit publicly posted a screenshot of an email he received from Microsoft warning that unknown attackers were able to access some information from his Outlook account between 1 January 2019 and 28 March 2019.

Another user on Reddit also confirmed that he/she too received the same email from Microsoft.

According to the incident notification email, as shown below, attackers were able to compromise the credentials of one of Microsoft’s customer support agents and used them to access, without authorization, some information related to the affected accounts, but not the content of the emails or attachments.

The information that a Microsoft customer support agent can view is limited to account email addresses, folder names, subject lines of emails, and the names of the other email addresses you communicate with.