Firms delay breach reports


NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Fax: +44 (0)1865 843973. Tel: +44 1865 843239. Web: www.networksecuritynewsletter.com

Publisher: Greg Valero
Publishing Director: Bethan Keall
Editor: Steve Mansfield-Devine
Senior Editor: Sarah Gordon
Columnists: Ian Goslin, Karen Renaud, Dave Spence, Colin Tankard
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas

Subscription Information
An annual subscription to Network Security includes 12 issues and online access for up to 5 users. Prices: €1112 for all European countries and Iran; US$1244 for all countries except Europe and Japan; ¥147 525 for Japan (prices valid until 31 July 2017). Subscriptions run for 12 months, from the date payment is received. To subscribe send payment to the address above. Tel: +44 (0)1865 843687 / Fax: +44 (0)1865 834971, or via www.networksecuritynewsletter.com. More information: www.elsevier.com/journals/institutional/network-security/1353-4858. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster: send all USA address corrections to Network Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333. You may also contact Global Rights directly through Elsevier's home page (www.elsevier.com), selecting first 'Support & contact', then 'Copyright & permission'. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

12987 Pre-press/Printed by Mayfield Press (Oxford) Limited


Network Security

...Continued from front page

4iQ uses automated crawling of Internet-accessible sources – including social media, deep websites and the dark web – as well as analysis by subject matter experts who authenticate and verify the data. The firm's analysts saw 3.6 billion new, genuine identity records go into circulation on underground forums and dark web marketplaces in 2018, a 20% higher figure than in 2017. That brings the total number in circulation to 14.9 billion – around double the population of the Earth, suggesting a high level of duplication.

There is a busy trade on underground markets for 'combo lists', in which breached data is combined into username and password databases. "These lists with clear text passwords from thousands of breaches are being aggregated and repackaged, creating a snowball effect," says the report. "The data is used to automate brute-forcing of authentication on websites, taking advantage of the fact that people reuse passwords across many sites. A number of open source tools automate the testing of these username and password combinations for 'account takeover', a major problem that persists in cyber security today."

Worryingly, the sector most heavily affected is government. The number of identities from government sources that were compromised jumped by 291%. "For the first time, we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio," said Julio Casal, 4iQ's CTO. The report is available here: https://4iq.com/2019-identity-breachreport/.

Meanwhile, the number of records exposed in the US healthcare sector rose to 11.5 million, according to the fifth annual 'Healthcare Breach Report' by cloud services firm Bitglass. There was some good news – the actual number of breaches hit a three-year low, at 290. But the quantity of compromised records was more than double that of the previous year.

Using data from the US Department of Health and Human Services' 'Wall of Shame' database, which holds information on breaches involving protected health information (PHI), Bitglass found that the most common cause of breaches (45.9%) was hacking and incidents resulting from poor IT security. The second most common category was unauthorised access and disclosure (35.9%), which often involves insiders. Accidental loss or theft (other than by hacking) makes up most of the rest of the incidents. The report is here: http://bit.ly/2HcGBtV.
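The combo-list replay and account-takeover pattern described above, seen from the defender's side, as an added example that is not code from 4iQ, Bitglass or this newsletter. It does two things the report's warning implies a site should do: flag a source that fails logins against many distinct usernames in a short window (automated list replay rather than a user mistyping their own password), name the accounts that did log in successfully from that source, and check a submitted password against a breach corpus by SHA-1 prefix bucket so that only a five-character prefix is ever disclosed to the lookup. The log format, IP addresses, usernames and the breach corpus are all constructed for the example.

```python
"""Credential-stuffing detection and breached-password checks.

Added example; not code from 4iQ, Bitglass or Network Security.

  detect_stuffing()      flags source IPs whose failed logins span many distinct
                         usernames inside a short window (combo-list replay).
  takeover_candidates()  accounts with a successful login from a flagged IP,
                         i.e. the likely account-takeover hits inside the burst.
  is_breached_password() checks a password against a breach corpus by SHA-1
                         prefix bucket, disclosing only a 5-hex-char prefix to
                         the lookup (the k-anonymity range-query pattern).

The log format, IP addresses, usernames and breach corpus are constructed.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one IP replaying a list against six accounts in seconds
# (with one success), and one user mistyping their own password twice.
SAMPLE_LOG = """\
2019-03-02T02:00:01 FAIL user=alice ip=203.0.113.7
2019-03-02T02:00:02 FAIL user=bob ip=203.0.113.7
2019-03-02T02:00:03 FAIL user=carol ip=203.0.113.7
2019-03-02T02:00:04 OK user=dave ip=203.0.113.7
2019-03-02T02:00:05 FAIL user=erin ip=203.0.113.7
2019-03-02T02:00:06 FAIL user=frank ip=203.0.113.7
2019-03-02T02:00:07 FAIL user=grace ip=203.0.113.7
2019-03-02T09:15:00 FAIL user=alice ip=198.51.100.9
2019-03-02T09:15:30 FAIL user=alice ip=198.51.100.9
2019-03-02T09:16:00 OK user=alice ip=198.51.100.9
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "ip": m["ip"],
    }


def parse_log(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def detect_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Map flagged IP -> max number of distinct usernames it failed against
    inside any `window`. One user failing repeatedly is a typo, not stuffing;
    many different users from one source within seconds is list replay."""
    by_ip = {}
    for e in parse_log(log_text):
        if not e["ok"]:
            by_ip.setdefault(e["ip"], []).append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_distinct_users:
            flagged[ip] = best
    return flagged


def takeover_candidates(log_text, **kwargs):
    """Usernames with a successful login from an IP flagged by detect_stuffing()."""
    flagged = detect_stuffing(log_text, **kwargs)
    return {e["user"] for e in parse_log(log_text) if e["ok"] and e["ip"] in flagged}


def build_corpus(plaintexts):
    """Constructed stand-in for a breach corpus: upper-case SHA-1 hex digests,
    the form in which leaked password sets are usually distributed."""
    return {hashlib.sha1(p.encode()).hexdigest().upper() for p in plaintexts}


BREACH_CORPUS = build_corpus(["password123", "letmein", "qwerty", "Summer2018!"])


def lookup_range(prefix, corpus=BREACH_CORPUS):
    """Simulated range query: suffixes of every digest sharing the 5-char prefix.
    The checker never sends the full hash, only this bucket key."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached_password(password, corpus=BREACH_CORPUS):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in lookup_range(digest[:5], corpus)


if __name__ == "__main__":
    print("stuffing sources:", detect_stuffing(SAMPLE_LOG))
    print("likely takeovers:", takeover_candidates(SAMPLE_LOG))
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "->", "breached" if is_breached_password(pw) else "not in corpus")
```

The window and distinct-user threshold are illustrative and need tuning per site; a real deployment keeps a streaming window rather than re-scanning the log, and should also watch per-username failure rates, because a list replayed slowly from many addresses will never trip a single-source threshold. The prefix lookup is the same shape as a range query against a remote breached-password service, which is why the function only ever hands the first five hex characters to `lookup_range()`.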

Firms delay breach reports

Data from the Information Commissioner's Office (ICO) has revealed that businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year before the General Data Protection Regulation (GDPR) came into force.

The information was published following a Freedom of Information (FOI) request by threat detection firm Redscan. On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. The vast majority (91%) of reports failed to include important information such as the impact of the breach, the recovery process and dates. The FOI also revealed that hackers disproportionately targeted businesses at the weekend, while many reports would be issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage.

On average, it took companies 60 days to identify that they'd been the victim of a data breach, with one business taking as long as 1,320 days. Fewer than a quarter of businesses would be compliant with current GDPR requirements.

"Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses," said Mark Nicholls, Redscan's director of cyber security. "Most companies don't have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter."

Financial services and legal firms were far better at identifying and reporting breaches than general businesses – likely due to increased regulatory awareness and the highly sensitive nature of the data processed in these industries. On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as 'general business' took 138 days.

Nearly a quarter of organisations did not report an incident date to the ICO, suggesting they either lacked awareness of or knowingly withheld this important information.

Huawei battles security concerns

Controversy continues to swirl around Chinese telecoms firm Huawei, which has suffered bans preventing it from selling its equipment to government agencies in the US and Australia over alleged security concerns.

Now, according to the New York Times, the company is suing the US Government, claiming the ban is unconstitutional. The full story is here: https://nyti.ms/2NQsScq.

This comes at a time when the company's CFO, Meng Wanzhou, is under house arrest in Canada awaiting extradition to the US to face charges relating to breaking sanctions against Iran. The US has also called on its allies to avoid using Huawei products in major infrastructure and has even hinted that it will refuse to share intelligence with countries that don't comply.

At the same time, Huawei Device Co and its US subsidiary Huawei Device USA have pleaded not guilty to charges of conspiracy to steal trade secrets, attempted theft of trade secrets, wire fraud and obstruction of justice in a federal court in Seattle. The organisation is accused of stealing the technology behind T-Mobile USA's Tappy robotic phone testing system. The indictment is here: http://bit.ly/2tSSM6q.

In the UK, where Huawei's networking equipment is in use by a number of major telecoms companies, Huawei pays for a secure facility – the Huawei Cyber Security Evaluation Centre (HCSEC) – which is staffed by members of the UK's signals intelligence agency GCHQ and where UK firms and government agencies are given controlled access to the source code and designs for its products in order to perform security audits. Similar centres exist in Bonn, Dubai, Toronto and China. Now the firm has opened the Huawei Cyber Security Transparency Centre (HCSTC) in Brussels to give similar access to EU organisations.

Speaking at the International Institute for Strategic Studies in Singapore, Jeremy Fleming, head of GCHQ, said that China's position in the global tech sector represents "a first order strategic challenge for us all". But, he added: "We have to understand the opportunities and threats from China's technological offer. We have to understand the global nature of supply chains and service provision irrespective of the flag of the supplier. We have to take a clear view on the implications of China's technological acquisition strategy in the West, and help our Governments decide which parts of this expansion can be embraced, which need risk management, and which will always need a sovereign, or allied, solution."

Threatwatch

New Ursnif variant
Cybereason says it has identified a new variant of Ursnif (aka Gozi ISFB), one of the most prolific information-stealing trojans in the cybercrime landscape. Since its reappearance in early 2013 it has been constantly evolving. In 2015 its source code was leaked and made publicly available on GitHub, which led to further development of the code by various threat actors who improved it and added new features. More recently, Japan has been among the top countries targeted by Ursnif's operators. In 2018, Cybereason reported attacks where Ursnif (mainly the Dreambot variant) and Bebloh (also known as URLZone and Shiotob) were operating in conjunction. In these joint campaigns, Bebloh is used as a downloader that runs a series of tests to evaluate whether it is running in a hostile environment (for example, it checks to see whether it is running in a research VM). Once the coast is clear, it downloads Ursnif, which carries out its core banking and information-stealing functions. Since the beginning of 2019, researchers have observed a campaign that specifically targets Japanese users. This campaign introduced a new Ursnif variant as well as improved targeted delivery methods through Bebloh.

Termite turns bad
AT&T Cybersecurity researchers have claimed that hackers are employing the Termite tool – a legitimate piece of software normally used to maintain connections between chains of machines across a network – to gain access to computers and deploy malware. Termite is often used by penetration testers, partly because of its ability to build a long chain of desktop, mobile and IoT devices that can be connected through networks and DMZs. Now hackers, predominantly from Asia, are packaging malware within the tool. Recently, Symantec released a report detailing how hackers used Termite in an attack that stole the health data of a quarter of the Singapore population. There's more information here: http://bit.ly/2F6P53t.

Nokia routers at risk
Tenable Research has discovered serious vulnerabilities affecting Nokia (Alcatel-Lucent) GPON routers. If exploited, threat actors could recruit compromised devices to create a massive botnet. For home users with affected routers, attackers could gain access to the device to sniff traffic – including account credentials, card details, etc – or access devices connected to the router, such as IoT devices, computers and smartphones or tablets. They could even install malware. The vulnerabilities affect GPON routers typically supplied by ISPs to homes in China. However, other devices with the same firmware have yet to be tested, so may equally be at risk. Using the Shodan search tool, around 220,000 such devices were detected. Nokia has been notified and is working on patches. Affected users are reliant on their ISP to auto-update the routers. There's more information here: http://bit.ly/2F6xEjl.

BorontoK malware targets Linux-based servers
A new strain of ransomware, dubbed BorontoK, is at large. Unusually, it is targeting Linux-based servers – typically web servers – and requires victims to pay 20 bitcoins (around $75,000) in ransom. It's believed the malware is also capable of affecting Windows machines. However, while samples of the malware have been tested, there's little evidence so far of it being deployed in the wild. There's more information here: http://bit.ly/2EYPGTh.

March 2019

