Gaming hardware giant Razer exposed customer data via misconfigured database

Jeff Technology, Trends September 15, 2020

Global gaming hardware manufacturing company Razer leaked the personal information of around 100,000 customers by storing their data in an Elasticsearch cluster that was misconfigured to enable public access, security researcher Bob Diachenko has revealed.

 

The personal information of around 100,000 Razer customers was stored by the company in a large log chunk within an Elasticsearch cluster. The cluster had been misconfigured for public access since 18th August and was indexed by several public search engines.

 

According to Diachenko, who is well-known for unearthing publicly-exposed online databases, personal information stored in the log included full names, email addresses, phone numbers, customer internal IDs, order numbers, order details, and billing and shipping addresses.

 

“The customer records could be used by criminals to launch targeted phishing attacks wherein the scammer poses as Razer or a related company,” Diachenko said, adding that customers should be on the lookout for malicious emails or messages that might encourage them to click on links to fake login pages or download malware onto their device.

 

“We were made aware by Mr. Volodymyr [Diachenko] of a server misconfiguration that potentially exposed order details, customer, and shipping information. No other sensitive data such as credit card numbers or passwords were exposed,” Razer said after the breach was disclosed by Diachenko.

 

“The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse, and have taken all necessary steps to fix the issue as well as to conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers,” the company added.

 

Commenting on the latest instance of a company exposing customer data via a misconfigured online database, Chris DeRamus, VP of Technology, Cloud Security Practice at Rapid7, said that to avoid cloud misconfigurations, companies need to immediately shift toward a new model of security that provides continuous controls and enforces secure configurations of cloud services, instead of attempting to do so only after a breach has occurred.

 

“Organisations need a security solution that provides the automation essential to enforce policy, reduce risk, provide governance, impose compliance, and increase security across a large-scale, hybrid cloud infrastructure. Automation takes the headache out of making cloud infrastructure secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process.

 

“By leveraging security automation, companies can stay agile and innovate while maintaining the integrity of their technology stacks and applying the unique policies necessary to operate their businesses,” he added.

 

We’re Elixis Technology

In the ever-changing, technology-centric world we live in, it’s vital to have an I.T. solution source you can count on. At Elixis Technology, it is our mission to help businesses — big and small — produce the results their customers demand, with technology that actually works.


News Source: https://www.teiss.co.uk/

Data Breach Hits 46,000 US Veterans

Jeff Technology, Trends September 15, 2020

Tens of thousands of US veterans have had their personal information illegally accessed in a data breach incident announced on Monday.

 

The US Department of Veterans Affairs (VA) Office of Management revealed that 46,000 veterans had been affected by the incident.

 

“The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office,” it continued.

 

“A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.”

 

The VA Office of IT is conducting a comprehensive security review before system access is allowed again, it added.

 

“To protect these veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information,” the statement concluded.

 

“The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”

 

Thomas Richards, principal security consultant at Synopsys, argued that social engineering is a common tactic to gain unauthorized access to applications and systems.

 

“If, for business reasons, these applications must be public facing they should be secured with multi-factor authentication to prevent any compromised credentials from being used,” he added.

“Organizations should also conduct regular assessments against their staff to raise awareness around social engineering threats, thus reducing the chance of a successful attack.”

 

Back in September last year, security researchers discovered a spoofed VA recruitment site crafted to deploy spyware on visitors’ computers.

 


News Source: https://www.infosecurity-magazine.com/

39% of Employees Access Corporate Data on Personal Devices

Jeff Technology, Trends September 15, 2020

A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro.

 

Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.

 

The Head in the Clouds study, which surveyed more than 13,000 remote workers globally, found that many of the personal devices used to access company data were not as secure as their corporate equivalents. 

 

A further finding of the study was that more than half (52%) of global remote workers have IoT devices connected to their home network, with 10% using lesser-known brands. 

 

Since home networks typically offer security protection that is inferior to that which a business can afford to implement, researchers expressed concern that attackers could access home networks, then use unprotected personal devices as a stepping stone into the corporate networks they’re connected to.

 

Getting access to personal devices may not present much of a challenge to threat actors, given that over one-third (36%) of remote workers surveyed did not have basic password protection on all personal devices.

 

“The fact that so many remote workers use personal devices for accessing corporate data and services suggests that there may be a lack of awareness about the security risks associated with this,” commented cyberpsychology expert Dr. Linda K. Kaye.

 

“Tailored cybersecurity training which recognizes the diversity of different users and their levels of awareness and attitudes around risks would be beneficial to help mitigate any security threats which may derive from these issues.”

 

The research also revealed that 70% of global remote workers connect corporate laptops to the home network, opening up the possibility for malware infections to be brought from the home into the office. 

 

“IoT has empowered simple devices with computing and connectivity, but not necessarily adequate security capabilities,” said Bharat Mistry, principal security strategist at Trend Micro. 

 

“This threat is amplified as an age of mass remote work blurs the lines between private and company devices, putting both personal and business data in the firing line.”


News Source: https://www.infosecurity-magazine.com/

Warner Music Group Discloses Data Breach

Jeff Technology, Trends September 8, 2020

Warner Music Group has issued a data breach notification following a prolonged skimming attack on an undisclosed number of its e-commerce websites.

 

The cyber-attack was discovered by the multinational entertainment and record label conglomerate on August 5, 2020. 

 

E-commerce websites that are hosted and supported by an external service provider in the US but operated by Warner were found to have been compromised by an unauthorized third party.

 

By installing data-skimming malware on the sites, the threat actor was able to access information being entered by customers.

 

Personal data compromised in the attack included names, email addresses, telephone numbers, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVC and CVV codes. 

 

The as yet unidentified cyber-criminal accessed Warner customers’ personal information entered into the affected websites during transactions made between April 25, 2020, and August 5, 2020. Payments made through PayPal were reportedly not affected by this incident.

 

A data breach notice sent by Warner to the affected customers stated that “any personal information” customers had entered into the affected websites “after placing an item in your shopping cart was potentially acquired by the unauthorized third party.”

 

Warner said that it was prompt to inform relevant credit card providers and law enforcement of the breach. The company has not yet disclosed how many customers were affected by the incident.

 

Affected customers have been offered 12 months of identity monitoring services free of charge by Warner. 

 

The cyber-attack comes three years after Warner fell victim to a phishing scam that resulted in the leak of 3.12 TB of internal data relating to Vevo, the company’s premium music video provider.

 

“Digital skimming and Magecart attacks continue to be a lucrative source of revenue for hackers as they continue to seek large targets for maximum payouts. For example, data stolen from an attack on another e-commerce platform in 2019 was valued at $133M on the dark web,” commented security evangelist at PerimeterX, Ameet Naik. 

 

“Third-party platforms, scripts, and services are ideal targets for attackers because the techniques can be reused to steal data from multiple e-commerce sites.”


News Source: https://www.infosecurity-magazine.com/

Webmaster Portal Leaks 63 Million Records

Jeff Technology, Trends September 8, 2020

The world’s largest webmaster forum has been found wanting in terms of its cybersecurity posture after researchers discovered an unprotected database leaking data on nearly 900,000 users.

Digital Point provides a platform for members to chat and buy and sell websites, domains and digital services.

Back in July, researchers at WebsitePlanet teamed up with Jeremiah Fowler to discover an Elasticsearch database belonging to Digital Point that was left online without password protection, exposing nearly 63 million records.

These included emails, names, internal user ID numbers, internal records and user posts related to 863,412 users of the site.

Fowler warned that an attacker without administrative credentials could have edited, downloaded or even deleted this data.

The latter threat is particularly real given the recent spate of “Meow” bot attacks on exposed databases. An attacker could also look to steal the data before deleting it and holding it to ransom.

Another particular threat from exposure of this kind of data is domain hijacking, Fowler warned.

“Having the contact information, email and other details could allow a cyber-criminal to use acquired personal information about the actual domain owner to impersonate them,” he explained.

“Domain hijacking is exactly what it sounds like and criminals could try to change the registration information and ownership details. This type of theft would allow the domain hijacker to gain full control of the website name and can use the domain for their own purposes or try to sell it to a third party.”

Fowler described the dataset as a “treasure chest of information” for would-be domain hijackers.

“Many of the email accounts were admin@ or similar. Having a domain stolen can destroy a business or an organization and there is no guarantee that you will get it returned,” he continued.

“Anyone who has ever lost a domain name will tell you that dealing with lawyers, court costs and losing the trust of your clients would be devastating.”


News Source: https://www.infosecurity-magazine.com/

WordPress Sites Attacked in Their Millions

Jeff Technology, Trends September 8, 2020

Millions of WordPress sites are being probed in automated attacks looking to exploit a recently discovered plugin vulnerability, according to security researchers.

Wordfence, which itself produces a plugin for the platform, revealed news of the zero-day bug at the start of September. It affects File Manager which, as the name suggests, is a plugin that helps users to manage files on their WordPress sites.

The plugin is installed on around 700,000 WordPress sites, and although Wordfence estimates that only around 37%, or 262,000, are still running a vulnerable version, this hasn’t stopped attackers from trying their luck against a much larger number of users.

“Attacks against this vulnerability have risen dramatically over the last few days. Wordfence has recorded attacks against over one million sites today, September 4, 2020. Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited,” explained Wordfence’s Ram Gall.

“Although Wordfence protects well over three million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record.”

The vulnerability itself could allow a remote, unauthenticated user to execute commands and upload malicious files on a target site. Gall therefore urged users to patch the issue promptly by installing the latest version of the plugin, v6.9.

“If you are not actively using the plugin, uninstall it completely,” he added. “Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used.”


News Source: https://www.infosecurity-magazine.com/

Android Users Bugged by Fake Popups

Jeff Technology, Trends September 1, 2020

Google Android users were pestered last week by a series of fake notifications popping up on their devices.

 

According to Paul Ducklin of Naked Security by Sophos, the string of phony popups first became an annoyance for users of the Google Hangouts app before bothering users of Microsoft Teams.

 

“Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy looking messages,” wrote Ducklin in a blog post published on August 28.

 

“To be clear, it wasn’t Microsoft testing notifications in the Teams app for Android. The bogus alerts caught the software giant off guard, too.”

 

From their content, the notifications don’t appear to be malicious or criminal in intent. No dubious links or calls to action were included, with messages simply stating the header “FCM Messages” followed by the text “Test Notification!!!!” 

 

Pondering the identity of the sender and their motive, Ducklin commented: “The messages did indeed look like some sort of test—but by whom, and for what purpose?

 

“The four exclamation points suggested someone of a hackerish persuasion—perhaps some sort of overcooked ‘proof of concept’ (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop.”

 

Ducklin suggests that the spate of fake notifications may be connected to a recent discovery made by a cybersecurity researcher and bug bounty hunter calling themself “Abbs.” On August 17, Abbs claimed to have earned $30K for identifying a coding vulnerability in numerous Android apps that could enable someone to hijack the Firebase Cloud Messaging (FCM) service.

 

Describing the weakness, Abbs exclaimed: “A malicious attacker could control the content of push notifications to any application that runs the FCM SDK and has its FCM server key exposed, and at the same time send these notifications to every single user of the vulnerable application!

 

“These notifications could contain anything the attacker wants including graphic/disturbing images (via the ‘image’: ‘url-to-image’ attribute) accompanied with any demeaning or politically inclined message in the notification!”

 

The author of the notifications, which were promptly halted by Google and Microsoft, has yet to be identified.


News Source: https://www.infosecurity-magazine.com/

Fake Login Page Detections Top 50,000 in 2020

Jeff Technology, Trends September 1, 2020

Over 50,000 fake login pages were detected in the first half of 2020, some of them polymorphic and able to represent different brands.

 

According to research from Ironscales, fake login pages are commonly used to support hacks and spear-phishing campaigns, and its researchers found more than 200 of the world’s most prominent brands were spoofed with fake login pages.

 

It also found nearly 5% (2500) of the 50,000+ fake login pages were polymorphic, with one fake login able to represent more than 300 different login pages.

 

Ironscales’ Brendan Roddas explained that polymorphism occurs when an attacker implements “slight but significant and often random change to an email’s artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed.”

 

This allows attackers to quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats, ultimately allowing different versions of the same attack to land undetected in employee inboxes. In this research, Microsoft and Facebook led the list with 314 and 160 permutations, respectively.

 

The research also determined the brand with the largest number of fake login pages to be PayPal with 11,000, followed by Microsoft with 9500 and Facebook with 7000.

 

Ironscales said the most common recipients of fake login page emails work in the financial services, healthcare and technology industries as well as at government agencies.

 

Commenting, Chris Hauk, consumer privacy champion at Pixel Privacy, said: “We see fake login pages being used for one very good reason: they work. As long as users fall for this trick, the bad actors of the world will continue to use them.

 

“Perhaps the best way to fight these fake login pages is to better educate users as to the hazards of such pages and how to best identify when a fake login page is being visited. I also suggest using utilities that can identify such pages, such as Ironscales URL and link scanner.” 

 

Niamh Muldoon, senior director of trust and security at OneLogin, highlighted the main reasons why fake logins work: firstly there is still a huge lack of cybersecurity education, training and awareness amongst the internet end user community globally. “This gap in end user knowledge has grown significantly over the last six months with the pandemic,” she said. “While we have asked the public to upend their lives and transfer it online to help them maintain social distancing and keep them physically safe, many do not have the knowledge to keep themselves cyber-safe.”

 

Secondly, there is a lack of governance associated with website creation, domain registration and associated management. She said: “This includes verifying the integrity of sites and/or domains in a proactive fashion. While there are clear procedures and processes to have websites and domains taken down where they contain malware and/or are not legitimate, these processes are extremely time consuming, resulting in end users being exposed in the time between the fake pages appearing and the domains and IPs being blacklisted or taken down.”

 

However, she said “trust and security platform leaders in this field are making the threat landscape harder to traverse for malicious attackers, through clever security consciousness messaging on legitimate login pages.” She recommended partnering with a trusted identity partner that provides multi-factor authentication to reduce the risk of account compromise via these fake login pages/sites. “Ultimately, a global task force and international collaboration is needed to implement regulations associated with domain and website registration and management, to stop these sites appearing in the first place,” she added.

 

Hugo van der Toorn, manager offensive security at Outpost24, said this is not about attacks targeted against your company, but the names, trademarks and overall recognition of the brands which are used to achieve certain goals. “As organizations, we need to facilitate the swift reporting and follow-up on phishing attempts that infringe our brands and threaten our customers and ultimately our reputations. After receiving a positively identified phishing attempt, we need to be able to issue a notice and takedown and, within hours, shut down this one phishing campaign,” he said.

 

“It’s not about stopping all phishing and training employees until no one clicks. It is all about responding swiftly and adequately on behalf of the people that do recognize and report these phishing attempts.”


News Source: https://www.infosecurity-magazine.com/

Local Government Organizations Most Frequently Targeted by Ransomware

Jeff Technology, Trends September 1, 2020

Local government bodies are more likely to be targeted by ransomware attacks than any other type of organization, according to a new study by Barracuda Networks, which looked at 71 global ransomware incidents over the last 12 months.

It found that 44% of global ransomware attacks that have taken place so far in 2020 have been aimed at municipalities, which is virtually the same proportion as in 2019 (45%). Barracuda highlighted the attack on Redcar and Cleveland council’s computer system in the UK, which is believed to have cost the local authority over £10m.

Of the municipalities subjected to ransomware attacks in 2020, 15% have confirmed they have made payments, compared to no ransoms being paid last year.

The analysis also found there has been a significant rise in ransomware attacks against education and healthcare institutions this year compared with 2019 (15% versus 6% and 23% versus 21%, respectively). This suggests cyber-criminals are attempting to take advantage of the disruption caused by COVID-19 in these sectors, such as an increase in digital learning methods at schools and universities and healthcare systems under greater pressure.

There has also been a rise in ransomware attacks against logistics companies, with six notable incidents observed since July 2019.

Overall, a ransom was paid in 14% of cases, with an average payment of $1652,66.

Fleming Shi, CTO of Barracuda Networks, commented: “The quantity of ransomware attacks facing all types of organizations has been growing rapidly in recent years, having been spurred on by complicated geopolitical circumstances, more recently the coronavirus pandemic, and the fact that ransom payments from corporations and municipalities are becoming more common.

“Combatting this issue requires blocking the threat from the source, using advanced inbound and outbound security techniques that go beyond the traditional gateway. This includes using machine learning-enabled software to close the technical and human error gaps often found in an organization.

“Other techniques such as subscribing to IP blacklists, using advanced firewalls and malware detection, implementing user awareness training and utilizing data backup solutions, are all very effective and strongly advised.”


News Source: https://www.infosecurity-magazine.com/

Cybersecurity Community Concerned About Misinformation

Jeff Technology, Trends September 1, 2020

Cybersecurity professionals want stricter measures to tackle the rising amount of online misinformation and fake domains, according to new research by the Neustar International Security Council (NISC).

A new report by NISC found that almost half (48%) of cybersecurity professionals regard these problems as a threat to their enterprise, while the other half (49%) rank the threat they pose as very significant.

To combat the threat, 91% of cybersecurity professionals called for stricter measures to be implemented on the internet if the issues are not resolved. 

Not content to wait for regulatory assistance, many professionals in the cybersecurity community are taking action against these threats themselves. Nearly half of organizations (46%) reported that they have plans in place to ensure greater emphasis on their ability to react to the rise of misinformation and fake domains. 

An additional 35% said that dealing with these threats will be a focus area for them in the next six months, while 13% would consider taking action if misinformation and fake domains continue to be an issue.

The research was based on a July 2020 survey of 306 professionals from across six EMEA and US markets in senior positions within their organizations who are able to give informed opinions on cybersecurity’s most pressing issues.

“Misinformation is by no means new—from the beginning of time it has been used as a key tactic by people trying to achieve major goals with limited means,” said Rodney Joffe, chairman of NISC, senior vice president and fellow at Neustar. 

“The current global pandemic, however, has led to a sharp uptick in misinformation and the registration of fake domains, with cyber-criminals using tactics such as phishing, scams and ransomware to spread misleading news, falsified evidence and incorrect advice. While the motives of malicious actors may differ, the erosion of trust caused by misinformation poses a range of ethical, social and technological challenges to organizations.”

NISC researchers also highlighted a steep 12-point increase on the International Cyber Benchmarks Index year-on-year from July 2019 to July 2020. The Index, which is calculated based on the changing level of threat and impact of cyber-attacks, has maintained an upward trend since May 2017.


News Source: https://www.infosecurity-magazine.com/