Alertsec Express

Complex Malware Installed by Simple Phishing Attacks

August 9th, 2017

A new JScript back door called Bateleur distributed by the FIN7 (a.k.a Carbanak) hacker group through phishing emails targeting U.S.-based restaurant chains has been identified by Proofpoint researchers.

The modus operands is simple. The receiver gets the email containing document which contains macro. The message of the email is “here is the check as discussed.”

The executed macro creates a scheduled task to run Bateleur which then sleeps for three seconds and then again executes Bateleur and then sleeps for 10 seconds. Finally, it deletes the scheduled task.

“The combined effect of these commands is to run Bateleur on the infected system in a roundabout manner in an attempt to evade detection,” the researchers note.

The JScript macro contains anti-sandbox and anti-analysis functionality.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection,” the researchers state. “The Bateleur JScript back door and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines.”

Simon Taylor, vice president of products at Glasswall, mentioned that though the software is complex, a method of installing it is very straight forward through phishing email.

“Phishing is a tried and true method for attackers — largely because it is predictably and repeatedly successful,” he said.

“Historically, the security industry has attempted to change employee behaviour,” Taylor added. “But while education helps, cyber criminals are continuously adjusting their techniques and the authenticity of their messages in order to stay several steps ahead of their victims.”

“Humans are and always will be the weakest link in an organization, and going forward, defense and detection strategies must change to address these inevitable challenges,” Taylor said.

Cyber Resilience

____________________________________________________________________________________________

Alertsec is based on the 256-bit AES encryption algorithm and has the highest security certifications.

Qualys CEO mentions that WannaCry a “Godsend” for his Business

August 5th, 2017

Security vendor Qualys CEO Philippe Courtot mentioned that the WannaCry ransomware and the planned General Data Protection Regulations (GDPR) are “godsends” that will help the company to grow further. He said this during company’s second quarter fiscal 2017 earnings call.

Qualys revenue saw 14% increase compared to previous year. This year revenue is $55.3 million.  Company is now estimating growth of 17 to 18%.

“Recent attacks like WannaCry and Petya have made it clear that the days of scanning the network perimeter and a few critical servers are over,” Courtot said during his company’s earnings call. “Enterprises now require scalability, accuracy and speed in order to identify assets that are vulnerable and ensure they are rapidly and properly remediated, which is something traditional enterprise IT and IT security solutions cannot deliver effectively and at which Qualys excels.”

Qualys’ cloud platform consists of a host of expanding capabilities that help enterprises with vulnerability and security management tasks. It has also announced new SSL/TLS certificate and cloud visibility technologies which will further augment the cloud security platform.

Upcoming GDPR regulation is also the main contributing factor for the company growth. It will come into effect in May 2018 across the European Union (EU). GDPR makes it compulsory to take all possible efforts for the companies to ensure the security and the privacy of customer data.

“We see that GDPR is in fact a godsend for Qualys and we see the effect of that because specifically, it is now accelerating the digital transformation of many of the large European companies,” Courtot said.

The recent breaches due to WannaCry has boosted Qualys business prospect.

“WannaCry has been also a godsend for Qualys,” Courtot said. “People finally realize that instead of having to buy solutions that supposedly protect them, that in fact they better try to identify all of their assets and also identify the vulnerabilities on those assets because this is what WannaCry and then NotPetya absolutely demonstrated.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

IoT Security Bill

August 2nd, 2017

This week the Internet of Things Cybersecurity Improvement Act of 2017 was introduced by a bipartisan group of U.S. senators. The rules sets minimum conditions and requirements for the security of Internet-connected devices purchased by the U.S. government. It also provides legal protections to security researchers.

Features:

(1) Devices which are connected to the internet should be patchable

(2) Industry standard protocols should be implemented

(3) Hard-coded passwords that can’t be changed should be leveraged

(4) Security vulnerabilities should not be present

It also asked the Office of Management and Budget to create alternative security conditions for devices with limited data processing and software functionality.

As per the bill, the definition of an Internet-connected device “is capable of connecting to and is in regular connection with the Internet,” and “has computer processing capabilities that can collect, send, or receive data.”

“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Sen. Mark Warner said in a statement.

“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices,” Warner added. “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

Arxan Technologies VP EMEA Mark Noctor hopes that other government will also follow “While there has been useful work in the area from bodies such as ENISA in Europe, it appears that an act of law is the best way to get vendors to ensure security,” he said.

“While the focus on basic measures such as password management is a good starting point, we’d also like to see future legislation build on this to require more advanced security measures, such as using code hardening to protect a connected device’s software from being broken into and reverse engineered for malicious purposes,” Doctor said.

Security research is also provided legal protections.

“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act,” Sen. Ron Wyden said in a statement.

“This bill is a bipartisan, common-sense step in the right direction.”

“This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company,” Wyden added. “Enacting this bill would also help stop botnets that take advantage of Internet-connected devices that are currently ludicrously easy prey for criminals.”

____________________________________________________________________________________________

No server, IT knowledge or training is needed as everything is included in an Alertsec subscription.

Cyber Insurance and Cloud Cyber Attacks

July 31st, 2017

According to the insurer Lloyd’s, a large cyber attack could cause $53 billion in economic losses which is almost same estimation as per 2012’s Superstorm Sandy. The report mentions the two possibilities. One where a disruptive attack which can lead to losses of $53 billion. Other includes an attack on computer operating systems which could lead to losses of $28.7 billion.

As per Lloyd’s estimation, the range of losses can vary between $15.6 billion to $121.4 billion. Average loss range is from $620 million for a large loss to $8.1 billion for an extreme loss.

“Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economy, trigger multiple claims and dramatically increase insurers’ claims costs,” Lloyd’s CEO Inga Beale mentioned

“Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality,” Beale added. “We have provided these scenarios to help insurers gain a better understanding of their cyber risk exposures so they can improve their portfolio exposure management and risk pricing, set appropriate limits and expand into this fast-growing, innovative insurance class with confidence.”

As per the RiskIQ study, cybercrime led to global economy $454 billion loss last year. it also mentioned that $858,153 is lost to cybercriminals every minute. Companies spent $142,694 per minute to protect.

“Today, an organization’s digital assets are subject to malware, malvertising, and phishing efforts on a scale never before seen, while rogue apps, domain and brand infringement, and social impersonation cause business disruption and material loss,” RiskIQ manager of content strategy Mike Browning wrote in a blog post examing the findings.

The report also mentioned that 818 pieces of unique malware are injected in the system per minute.

“As companies innovate Web, social, and mobile means to engage with their customers, partners and employees, threat actors will prey on business exposures and brands to capture users’ trust, access credentials, and sensitive data,” RiskIQ chief marketing officer Scott Gordon said in a statement. “This requires organizations to extend their security programs to monitor and mitigate threats outside the firewall.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Breach at Italy’s Biggest Bank

July 29th, 2017

The leading bank in Italy, UniCredit mentioned that approximately 400,000 of its customers’ data were affected after third party provider was hacked. The name of the third party is withheld. It is one of the major attack on Italy’s financial institution as per the Reuters.

The bank mentioned that data was stolen in two different breaches.

“UniCredit has launched an audit and has informed all the relevant authorities,” the bank said in a statement. “In the morning, UniCredit will also file a claim with the Milan Prosecutor’s office. The bank has also taken immediate remedial action to close this breach.”

Paul Norris, senior systems engineer for EMEA at Tripwire mentioned that these two breaches occurred in a year.

“Basic security hygiene needs to be adopted by all enterprises, not just financial institutions, and this includes secure configurations and vulnerability management, as well as performing specific threat assessment and countermeasures, which will reduce the overall risk of future attacks,” Norris said.

Evident.io CEO Tim Prendergast mentioned that customers expect that their information should be secured. “Enterprises, therefore, must demand that their partners operate according to the same security rules and protocols they abide by when it comes to customer data,” he said.

“It should be a requirement that all partners use continuous security monitoring of their cloud environments, and adhere to rigorous security protocols if they want to work with a vendor,” Prendergast added.

Matt Walmsley, EMEA director at Vectra Networks, mentioned that the breach reminds companies to take extra care to handle sensitive data.

“In an effort to save costs, businesses often outsource functions to third-party providers and external contractors,” he said. “However, businesses have a duty of care to protect personal information regardless of whether they manage it in-house or out-of-house.”

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data Breach at Swedish Citizens’ Data Points

July 27th, 2017

Unscreened third-party IT workers were provided full access to the information of vehicles including police and military by the Swedish Transport Agency. Management of the operations were outsourced to IBM administrators without security checks in 2015.

According to the reports, as the data is handled in time pressure for this activity, there was no option to transfer bypassing standard security protocols.

Affected information included vehicle registration data for every Swedish citizen, data on all government and military vehicles, weight capacity of all roads and bridges — and the names, photos, and home addresses of air force pilots, police suspects, elite military operatives, and people under witness protection.

As per the Swedish Pirate Party founder Rick Falkvinge the breach is the “worst known governmental leak ever,” noting, “Sweden’s Transport Agency moved all of its data to ‘the cloud,’ apparently unaware that there is no cloud, only somebody else’s computer.”

“Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) lately, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked,” Falkvinge wrote.

The entire register was sent to marketers which also included people in the witness protection program.

When that happened, Falkvinge wrote, “the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these:e records themselves. This took place in open clear text email.”

RiskVision CEO Joe Fantuzzi mentioned the risk of third party vendors.

While understanding your own risk environment is an important step in improving your risk posture, Fantuzzi said, it’s far from the only step.

“Organizations that fail to assess third party vulnerabilities will be left with gaping blind spots that will leave them susceptible to breaches and cyber attacks down the road,” Fantuzzi said.

“Ultimately, organizations need to truly consider third party environments as an extension of their own, and treat them as such from a security and risk perspective.”

____________________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leader’s quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

New additions to Qualys

July 25th, 2017

As per the new announcement, Qualys is upgrading its Software-as-a-Service cloud platform. It now provides customers with new cloud security and SSL/TLS certificate security abilities.

“CloudView a is an entirely new module built on the Qualys Cloud Platform,” Hari Srinivasan, Director of Product Management, Qualys, told eSecurityPlanet.

“CloudView is a new app framework in the Qualys Cloud Platform for a comprehensive and continuous protection of cloud infrastructure.”

Srinivasan mentioned that Cloudview has multiple apps which includes Cloud Inventory and Cloud Security Assessment, Cloud Inventory (CI) and Cloud Security Assessment (CSA).

CI and CSA provides a continuous security of public cloud infrastructure.

“These two apps allow teams to gain critical insights into these cloud resources and their security posture across them,” Srinivasan said.

The company provides insight into SSL/TLS certificate status and deployment.

“SSL Labs does not however store this data for later use,” Asif Karel, Director of Product Management at Qualys, told eSecurityPlanet. “CertView is a commercial offering intended for enterprise customers who will not only benefit from similar assessments of their public as well as internal servers and services, they will also be able to create and maintain an inventory of the certificates deployed in all of their environments and critical infrastructure.”

Karel also mentioned that the customers will be able to find the flaws in the certificate and related dangers

“The grading calculation highlights the support, or lack of support, for mechanisms such as HSTS that prevent protocol downgrade attacks as well as other TLS related vulnerabilities,” Karel said.

HTTP Strict Transport Security (HSTS) is a configuration on a webserver that only allows pages to be served over SSL/TLS as HTTPS.

The market is changed due to the arrival of free Let’s Encrypt. But it has a drawback which karel mentioned.

“Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA (Certificate Authority), without realizing that these are just domain validated certificates with no assurance about the identity of the organization that owns the site, Karel said.

____________________________________________________________________________________________

The Alertsec service protects everything stored on the computer such as Word, PowerPoint, Excel, Outlook, Gmail, Photos, Credit Card data files etc.

Series A round for Security Startup

July 23rd, 2017

The San Francisco-based cyber security startup Insight Engines recently raised $15.8 million in a Series A round of financing for its threat intelligence gathering tool Splunk also known as called Cyber Security Investigator.

August Capital led the funding round which was backed by Real Ventures, Data Collective, Splunk and its co-founder, Erik Swan. Simon Crosby, co-founder and CTO of Bromium, is also part of an investor group.

Company makes big data easy to explore and work with natural-language processing technologies. Cyber Security Investigator can detect and understand cyber threats by asking questions.

“In today’s day and age, advisories are always changing their patterns of attack, making static alerts ineffective defense,” Grant Wernick, co-founder and CEO of Insight Engines, told e-security Planet. “CSI [Cyber Security Investigator] levels the playing field, allowing the good guys to be dynamic in ways they never imagined possible.”

This technology can help fill the IT companies with the workforce gap.

“CSI helps bridge the hiring chasm between the need for talented individuals and the work force available,” said Wernick. “CSI is a force multiplier for the most advanced security teams who can now achieve more effective results in a fraction of the time. With CSI we have been able to transform physical security staff to augment cyber security operations, which has resulted in both significant cost savings and fresh perspectives for the enterprise.”

It also reduces time to zero in on cyber security issues.

“CSI empowers analysts to escape search fatigue by helping them analyze more of their data and spend less time searching,” he said. They can “spend more time focused on mitigating real threats and significantly less time focused on crafting esoteric queries. Using CSI, analysts no longer need to be big data specialists and can focus back on defending against an ever-increasing threat landscape.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers. 

Corelight Rises Series A Funding

July 21st, 2017

A San Francisco-based technology startup Corelight had raised $9.2 million in a Series A round of funding led by Accel Partners. Other participants include Osage University Partners and Dr Steve McCanne, co-founder of Riverbed Technology.

Corelight Sensor is the company product which uses Bro, an open-source network analysis framework to check even the most advanced or stealthy network attacks. Dr Vern Paxson, a professor of computer science at UC Berkeley, who co-founded the company and serves as its chief scientist.

Corelight mentioned that it uses specialized hardware to provide four times the data processing output. It also features high-performance network interface card to quickly generate results.

“Since all data, no matter what the threat vector, travel over networks, the Corelight Sensor is a powerful tool to understand threats” Alan Saldich, CMO of Corelight, told e-security Planet. Those threats include malware infections port scanning, denial of service attacks, unauthorized access, misconfigurations, abuse, exfiltration of data, insider threats, advanced persistent threats, phishing or other email-based attacks, he said.

“While Bro-Corelight is not always the tool that detects incidents–in many cases, it is end users who detect unusual emails or behaviour, or report ransomware–it is the fastest way to resolve them and get clarity about exactly what happened and why to get to the root cause,” continued Saldich.

Corelight Sensor provides output in easy to understand manner.

“Understanding those alerts is a laborious and time-consuming job because there are many systems involved, each with different data, logs, user interfaces, formats and they are not necessarily correlated or organized in a way that is useful to [incident responders],” said Saldich.

“That means that advanced persistent threats can linger undetected or unresolved for hours, days or weeks because dealing with them is so challenging.”

Corelight present the security threat data in a format so that security personals take the action.

“Corelight helps companies resolve cyber security incidents much faster than they can today. We do that by providing clarity and detailed information about all network traffic, summarized and structured specifically for cybersecurity pros and incident responders,” added Saldich.

____________________________________________________________________________________________

Alertsec encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Kaspersky Lab Defends Allegations

July 18th, 2017

Kaspersky Lab is accused of deep connections with Russia-based hacking efforts. The U.S. government has removed the firm from its vendor list which can be used for federal government. The step was taken after U.S. officials, including Adm. Mike Rogers, director of the National Security Agency and Cyber Command leader, testified before a Senate committee mentioning potential risks from Kaspersky Lab software.

Kaspersky Lab has denied the accusations.

“Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government,” the company stated. “The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.”

Allegations were also made against Kaspersky Lab that it took active participation in raids with Russian law enforcement officials and ‘hacked back’ against organizations.

“Hacking back is illegal, and Kaspersky Lab has never been involved in such activities,” the company stated. “Instead we are actively participating in joint shut-down of botnets led by law enforcements of several countries where the company provides technical knowledge.”


Kaspersky Lab mentioned that it only provides technical expertise throughout the investigation to help catch cybercriminals.

“Concerning raids and physically catching cybercriminals, Kaspersky Lab might ride along to examine any digital evidence found, but that is the extent of our participation, as we do not track hackers’ locations,” the company stated.

“I want to reassure you, our valued partner – there is no evidence because no such inappropriate ties exist,” he wrote in reference to the Russian government allegations. “While Kaspersky Lab regularly works with governments and law enforcement agencies around the world to fight cybercrime, the company has never helped nor will help, any government in the world with its cyberespionage efforts.”

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by Check Point and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.