Week of October 27, 2017


Week of October 27, 2017

NSA Contractor Leaked US Hacking Tools By Mistake*:

  • An incredible sequence of security mistakes led to a US National Security Agency contractor leaking his own confidential hacking tools to Russian cybersecurity firm Kaspersky Lab, according to the Moscow-based firm.
  • The claim comes as part of an internal investigation into allegations that the company helped Russian spies discover and steal the NSA files.
  • Kaspersky Lab does not dispute that it discovered hacking tools on the computer of a user of one of its consumer antivirus products.
  • According to Kaspersky’s report, the contractor was using the company’s home antivirus software, and the antivirus software detected some NSA hacking tools – flagging them as malware.
  • The antivirus made use of a second security feature that the contractor had enabled, uploading the file to Kaspersky Lab for analysis.
  • The company’s founder and chief executive said the issue was elevated directly to him, nothing was shared with anyone, and the decision was made to delete the archive from all the company’s systems.
  • Kaspersky Lab’s narrative matches with the initial allegations in a number of ways, but leaves some puzzling discrepancies like the timeline of alleged events.
  • The bigger unknown is whether and how Kaspersky’s acknowledged discovery and acquisition of NSA hacking tools resulted in Russian intelligence agencies discovering the NSA contractor, and targeting him for further attacks.
  • Mr Kaspersky denies the allegation, saying, “No credible evidence has been presented to substantiate the claim of the company’s involvement in the alleged incident.”
  • Kaspersky Lab recently announced a new initiative to try and win back some of the trust lost as a result of the allegations.
  • The “global transparency initiative” sees it opening up the source code to its software to a panel of independent experts, as well as submitting to a full audit of its internal security practices.

*Source: The Guardian, October 26, 2017


Hackers Can Gain Access to Maritime Ship Data Through a Built-In Backdoor*:

  • Researchers have uncovered severe vulnerabilities in software used by thousands of maritime ships worldwide.
  • The AmosConnect communication shipboard platform is available to provide narrowband satellite communications, email, fax, interoffice communication, and more for those at sea.
  • Researchers unveiled a new analysis of AmosConnect 8.0, which uncovered two critical security issues that could give attackers unfettered access to systems and information.
  • International shipping firms and services often deal with confidential customer data and they may also hold valuable deliveries and so can be a target for threat actors.
  • The blind SQL injection bug allowed attackers to gain access to credentials stored in internal databases; the server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit.
  • The AmosConnect server features a built-in backdoor equipped with system privileges, which would give attackers full system and administration privileges and the ability to remotely execute code on the server.
  • Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws.
  • This leaves crew member and company data extremely vulnerable and could present risks to the safety of the entire vessel.
  • AmosConnect 8.0 version has now been discontinued, and so the company recommends that customers revert back to AmosConnect 7.0 or switch to an email solution.
  • When these kinds of business are so integral to the economy at large, security cannot be an afterthought.

*Source: ZD net, October 26, 2017


The Biggest Risk Is The Hackers": Cybersecurity Expert Weighs In On Amazon Key*:

  • Amazon presents the new Amazon Key program as a simple, convenient way to have your packages dropped off inside your home.
  • Here’s how it works:
    • You buy a special smart door lock for $249, along with an in-home wireless camera aimed at the door.
    • When the delivery driver arrives, Amazon gets a notification and remotely activates the camera and unlocks the door.
    • The driver opens your door and puts your package inside, then steps out and asks Amazon to relock the door.
  • A convenient concept in theory, but the biggest risk is that hackers could get a hold of the database of door codes.
  • On the flip side, 11 million packages are stolen every year, and it would be much easier to steal a package off of somebody’s front porch than spend a year trying to hack Amazon’s system to steal something out of someone’s house.
  • The service is available to Amazon Prime members only. The company says if anything goes wrong, they offer a satisfaction guarantee.
  • If you have a home security system, you’ll have to turn it off on the day of the delivery because Amazon says its employees won’t be able to do that.

*Source: CBS News, October 25, 2017


Russia’s Election Hackers Use D.C. Cyber Warfare Conference as Bait*:

  • The Russian military hackers behind last year’s election meddling are using an upcoming cyber warfare conference in Washington D.C. as a lure to infect a new crop of victims with malware.
  • Effectively turning a high-level gathering packed with NATO and U.S. military cyber defenders into an opportunity for more attacks.
  • The new campaign by the hackers known as Fancy Bear and APT28 began in early October, when the hackers began spamming out a flier for next month’s International Conference on Cyber Conflict, or CyCon U.S.
  • The Russian hackers’ flier for the event is a Microsoft Word document named “Conference_on_Cyber_Conflict.doc”.
  • It contains logos of the conference and text from the conference website, but buried inside is a malicious macro that downloads and installs malware called Seduploader.
  • Seduploader is a Fancy Bear reconnaissance program that lets the hackers take screenshots and gather basic system information to decide if the victim is worth spying on long-term.
  • The campaign suggests Fancy Bear is specifically interested in spying on efforts to thwart its hacking of Western targets.
  • The attack on the kinds of individuals attending the conference could yield extremely sensitive information and this is most likely what the actors were hoping for in this instance.
  • CyCon US is hosted by the U.S. Army Cyber Institute at the United States Military Academy, and the NATO Cooperative Cyber Defense Center of Excellence based in Estonia.
  • The new attack follows the same tradecraft Fancy Bear used in May when it circulated a poisoned Word document criticizing the U.S. bombing of air bases in Syria.
  • The report notes a spike in traffic to the malware’s control server on October 7, which suggests that some targets fell for the new attack.

*Source: The Daily Beast, October 23, 2017


US Energy, Nuke and Aviation Sectors Under Sustained Attack*:

  • The United States' Department of Homeland Security has issued an alert that warns of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”
  • The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.
  • The attackers are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.
  • The attacks were conducted with depressingly-familiar tactics: the attackers would first figure out high-value targets in the organizations they sought to crack, then spear-phished them with emails containing benign attachments that prompted users to click on a link that led to malware or fake login pages that harvested credentials.
  • Once the attackers had credentials, they loaded malware that started to sniff for and exfiltrate data, sometimes by creating new users on targeted domains.
  • The alert notes that the phishing payloads were legitimate attachments that did not contain malware, but exploited user gullibility or risky features of tools like initiating downloads using Server Message Block.
  • The Department's recommended actions therefore reference existing and long-standing security advice and include things like deploying email and web filters, checking for obvious signs of intrusion, and checking to see if new users have unexpectedly been created.
  • The alert doesn’t say what damage the attacks may have wrought, nor does it attempt to reveal the origins of the attacks.

*Source: The Register, October 22, 2017


When Protecting Medical Devices From Hacks, Is The Cure Worse Than The Disease?*:

  • Medical technology has become increasingly connected in recent years, and even devices such as pacemakers are now connected to the internet.
  • This allows doctors to monitor problems such as irregular heartbeats or failing battery life.
  • Internet connectivity brings with it new risks for pacemakers and other medical devices.
  • Abbott Laboratories has rolled out an update intended to protect pacemakers from being hacked, but some medical professionals are concerned that the risks outweigh the rewards.
  • Abbott warned that its newest update has the potential to cause malfunctions within the pacemakers, and since the release the Food and Drug Administration received at least 12 reports of pacemakers malfunctioning during the update process.
  • In some cases, the devices failed to update properly and even when the devices did update correctly, there were reports that some of the pacemakers went into backup mode during the updates.
  • None of the reports contained any mention of serious harm being caused to the patients.
  • While there have been multiple reports of malfunctions during the updating process, the FDA has received no reports of any of the hacks which the updates were meant to prevent.
  • The low risk of hacking combined with the higher risk of malfunction has led some doctors to simply refuse the updates.
  • Abbott Laboratories pacemakers are currently in use by about 465,000 patients in the United States, and they aren’t the only medical devices at risk of being hacked.

*Source: Digital Trends, October 21, 2017


Unpaid $7 Waffle House Bill Leads to ID Theft Ring*:

  • Police in Louisiana have uncovered a sophisticated, Los Angeles-based identity theft ring, thanks to two men who skipped out on their $7 Waffle House bill.
  • Waffle House employees called police, saying two men had stiffed the restaurant and driven away in a U-Haul van.
  • The investigators were still taking statements at the restaurant when patrol officers spotted a U-Haul van parked at a nearby hotel.
  • A passenger ran into nearby woods as officers approached; he was later found and both the driver and passenger were arrested.
  • A search of the van turned up fake identification and credit cards, credit card skimming devices, and a Waffle House receipt for $7.41.
  • The investigation revealed a highly sophisticated identity theft scheme operating out of Los Angeles.
  • Both men had flown into New Orleans from different states, rented the van, and installed credit card skimming devices at multiple gas stations in the area.
  • Both were arrested on charges of identity theft, bank fraud, monetary instrument abuse and theft by fraud.

*Source: AP news, October 19, 2017


13 Skimmers Found on ATMs Across Chicago*:

  • Skimming devices have been found on more than a dozen ATMs across Chicago in September and October, most on the city’s North Side.
  • The warning comes a day after police reported three devices at Walgreens stores downtown.
  • Skimmers, which steal card users’ personal data, were confirmed at several stores.
  • In some of these cases, the offenders also used cameras and recorded PINs.
  • Please click on the bellow link to view the locations and dates where the skimmers were found.

*Source: Chicago Tribune, October 23, 2017


Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

scroll top