Industry Reactions to the Verizon 2017 Data Breach Investigations Report

Article from Heise Security (April 28, 2017)

Nearly 2,000 breaches were analyzed in this year’s Verizon 2017 Data Breach Investigations Report, and more than 300 were espionage-related. Verizon’s report highlights that businesses must rethink their protection strategies to guard against cyber-attacks. The fact that 88% of the breaches identified in the report fall into patterns first identified in 2014 illustrates the need for businesses to identify their critical data and assets and properly secure them against attack.

The continued success of tried and tested methods deployed by hackers indicates that senior leaders lack the knowledge to approach the issue and instead rely on quick fixes. The truth is, the patchwork of security solutions deployed in many organizations is too often ineffective at securing the data at the heart of business today. This also reflects on the security industry more broadly.

Client organizations should be educated on the structure of their data assets and how to manage their security holistically. The correct technology and processes, coupled with effective alerting, alarming and active hunting for threats, will set organizations on the right path to avoiding disasters. It is high time a structured approach to cybersecurity were deployed across the industry to reduce the damage caused by hackers. Most importantly for business leaders, as well as promising better protection, this more focused and integrated approach always results in better economics overall.

  • Pete Banham, Cyber Resilience Expert at Mimecast: Impersonation fraud and ransomware attacks via email are now the easiest ways for criminals to steal money and valuable data. Impersonation attacks rarely include a malicious link or attachment, bypassing many traditional security detections. Ransomware is a well-organized threat, with many organizations choosing to pay off hackers quietly to make the threat go away instead of combating the problem. The best defense against these types of attack is a layered approach to security, including sandboxing of email attachments, stamping of external email with warnings and ongoing employee awareness campaigns.
  • Fraser Kyne, EMEA CTO at Bromium: What most interested me in this year’s DBIR was that phishing attacks are actually becoming even more prevalent. One in 14 users is being duped into clicking on a bad link or attachment; but even worse, a quarter of those people go on to do it again! There is a phrase that I think is very apt here – “You can’t patch stupidity”. Essentially, what the DBIR shows us is that you can have the best education, the best processes and the most on-point detection capabilities available, but you will still take a hit… the fact is that however cyber-savvy they are, end-users will always be the weakest link in security. Organizations therefore need to shift the onus away from controlling user behavior if they are to get a handle on the situation. The best way of mitigating phishing attacks is to have a safety net in place, allowing end-users to click with freedom, without having to worry too much about stumbling upon a bad link or malicious attachment. Micro-virtualization is key to this, ensuring that each user task is contained within its own fully isolated and unique virtual environment. As a result, any malicious files are trapped within that virtual machine, posing no risk to the rest of the system. If a user finds themselves opening a malicious email or document, they can simply close down that window, and the threat disappears.
  • Ilia Kolochenko, CEO at High-Tech Bridge: As in the previous report from 2016, insecure web applications dominate the top attack vectors in almost all the industries. Cybercrime is a [criminal] business, and thus follows the basic rules of business: spend less, get more. Attackers are always looking for the weakest link in your IT infrastructure, before leveraging expensive 0-days and complicated APT attacks. Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications. Emerging risk comes from third-party applications, which are exploited by hackers to compromise your trusted third-party and get access to your data afterwards… Application security becomes a major problem for organizations and should be addressed as a high priority.
  • Darren Anstee, CTO at Arbor Networks: Verizon’s Data Breach Investigations Report is an industry gold standard for examining the threat landscape. The fact that it reveals the risk of DDoS attacks has never been higher for industries such as finance, retail and others that are reliant on Internet services and manage large quantities of high-value data really emphasizes the serious situation facing businesses today. Organizations in these sectors must invest appropriately to protect themselves and their customers. They can do this by taking the fight to cyber-criminals with improved intelligence sharing and better co-operation with law enforcement. Businesses should also implement layered security, using on-premise solutions to deal with targeted attacks and then the cloud to deal with large volumetric attacks. Organizations also need to strengthen their visibility and threat detection capabilities across internal networks so that they have broad and deep visibility of network traffic, threats and user behavior.

New Dok Mac Malware Gets Complete Access to Victim’s Traffic, Even If Encrypted

Article from Softpedia (April 28, 2017)

A new Mac malware was discovered in the wild. It affects all OS X versions and is virtually undetectable on VirusTotal. What makes matters worse is that the malware is signed with a valid developer certificate authenticated by Apple. Once the infection is complete, the attackers gain complete access to all victim communications, including those encrypted with SSL. The security researchers found that the malware mostly targets European users, and the phishing technique used is quite elaborate.

For instance, one German user was sent a message regarding a supposed inconsistency in their tax returns. The malware is contained in a .zip archive named signed just a week ago by a Seven Muller. Once executed, the malware copies itself to the /Users/Shared/ folder and begins to execute itself from the new location. A pop-up appears claiming the package is damaged and cannot actually execute. In reality, if there is a LoginItem named “AppStore,” the malware deletes it and adds itself as such instead. “The malicious application will then create a window on top of all other windows. This new window contains a message, claiming a security issue has been identified in the operating system, that an update is available, and that to proceed with the update, the user has to enter a password as shown in the picture below. The malware checks the system localization, and supports messages in both German and English,” Check Point writes. The victim cannot access any windows or use the computer until they enter the password and the malware finishes installation.

Once that happens, the malware has admin privileges, which it uses to install brew, a package manager for Macs. It then installs Tor and socat. “The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server,” the researchers note. A new root certificate is then installed on the infected device, which allows the cybercriminal to intercept the victim’s traffic and impersonate any website without the victim’s knowledge.
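The three persistence and interception mechanisms described above (a PAC auto-proxy pointing at a server the victim does not control, a login item named “AppStore”, a payload under /Users/Shared/, and an added root certificate) are all host-visible and can be audited. The script below is an added example written for this digest; it is not Check Point’s code or any tool named in the article. It assumes the output formats of `networksetup -getautoproxyurl`, the `osascript` login-item query and `security find-certificate -p` as commented, the allowlist host `proxy.corp.example` is a placeholder, and all sample inputs are constructed. The parsing and decision functions run anywhere; the live collection only runs on a Mac.

```python
"""Audit a macOS host for the Dok indicators described in the article:
PAC auto-proxy from an untrusted host, a login item named "AppStore",
executables in /Users/Shared, and System-keychain certificates outside a baseline.
Added example, not the article's or Check Point's code."""
import base64
import hashlib
import os
import re
import shutil
import ssl
import subprocess
from pathlib import Path
from urllib.parse import urlparse

# Hypothetical allowlist: hosts your organisation legitimately serves PAC files from.
TRUSTED_PAC_HOSTS = {"proxy.corp.example"}


def parse_autoproxy(text: str) -> dict:
    """Parse `networksetup -getautoproxyurl <service>` output, assumed to look like
    'URL: http://host/file.pac' / 'Enabled: Yes' (or 'URL: (null)' / 'Enabled: No')."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return {"url": fields.get("url", ""), "enabled": fields.get("enabled", "").lower() == "yes"}


def pac_is_suspicious(cfg: dict, trusted_hosts=TRUSTED_PAC_HOSTS) -> bool:
    """An enabled PAC whose host is not on the allowlist means a server you do not
    control decides where every outgoing connection goes (the Dok proxy trick)."""
    if not cfg["enabled"] or not cfg["url"]:
        return False
    host = urlparse(cfg["url"]).hostname or ""
    return host not in trusted_hosts


def parse_login_items(text: str) -> list:
    """Parse the comma-separated names printed by
    osascript -e 'tell application "System Events" to get the name of every login item'."""
    return [item.strip() for item in text.split(",") if item.strip()]


def pem_fingerprints(pem_blob: str) -> list:
    """SHA-256 fingerprints of every certificate in a PEM dump such as
    `security find-certificate -a -p /Library/Keychains/System.keychain` produces."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_blob, re.S)
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest() for b in blocks]


def audit(autoproxy_text, login_items_text, pem_blob, baseline_fingerprints, shared_executables) -> list:
    """Combine the four checks into a list of human-readable findings."""
    findings = []
    cfg = parse_autoproxy(autoproxy_text)
    if pac_is_suspicious(cfg):
        findings.append(f"auto-proxy PAC served from untrusted host: {cfg['url']}")
    if "AppStore" in parse_login_items(login_items_text):
        findings.append('login item named "AppStore" (Dok replaces this item with itself)')
    unknown = [fp for fp in pem_fingerprints(pem_blob) if fp not in baseline_fingerprints]
    if unknown:
        findings.append(f"{len(unknown)} System keychain certificate(s) not in baseline")
    if shared_executables:
        findings.append("executables in /Users/Shared: " + ", ".join(shared_executables))
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_PROXY = "URL: http://203.0.113.5/proxy.pac\nEnabled: Yes\n"
SAMPLE_ITEMS = "AppStore, Dropbox\n"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed-placeholder-der").decode()
              + "-----END CERTIFICATE-----\n")


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    if shutil.which("networksetup") is None:
        print("not macOS: running the checks on the constructed samples instead")
        for f in audit(SAMPLE_PROXY, SAMPLE_ITEMS, SAMPLE_PEM, set(), ["cleanup.sh"]):
            print("FINDING:", f)
    else:
        proxy = _run(["networksetup", "-getautoproxyurl", "Wi-Fi"])
        items = _run(["osascript", "-e",
                      'tell application "System Events" to get the name of every login item'])
        pems = _run(["security", "find-certificate", "-a", "-p", "/Library/Keychains/System.keychain"])
        shared = [p.name for p in Path("/Users/Shared").iterdir()
                  if p.is_file() and os.access(p, os.X_OK)]
        # Baseline: record pem_fingerprints(pems) on a known-clean machine and pass it here.
        for f in audit(proxy, items, pems, set(), shared):
            print("FINDING:", f)
```

The certificate check is only as good as its baseline: snapshot the System keychain fingerprints on a clean build and alert on any addition, since a new root is exactly what turns the PAC proxy from a traffic detour into full SSL interception.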

Google and Facebook Are the Two Companies That Got Scammed Out of $100M

Article from Softpedia (April 28, 2017)

Remember a month ago when reports indicated that two tech companies were tricked into paying north of $100 million by a Lithuanian man?

Well, it seems those companies are none other than Google and Facebook. “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by criminals,” said the US Attorney at the time. Evaldas Rimasauskas, the scammer indicted by the US, pretended to be a popular Asian computer hardware company by registering his own company in Latvia back in 2014 under the same name. He then forged emails from employees of the Asian firm and started sending invoices to the two US tech companies, which had this company as a hardware supplier. Without scrutinizing the emails they received, the companies started paying. The money was sent to his bank accounts in Latvia and Cyprus, adding up to more than $100 million, and was then spread over multiple accounts in Latvia, Slovakia, and Hong Kong. The scheme also involved phishing employees of Google and Facebook and getting his hands on files that helped him forge contracts and letters with the names and signatures of executives from the company he was impersonating.

Fortune now reports that the two companies targeted by the scheme are Google and Facebook, while the company the Latvian hacker was impersonating is Quanta Computer, a Taiwanese parts supplier that also works with Apple and Amazon. Facebook and Google eventually admitted to being the unnamed companies in last month’s reports. Facebook said it had managed to recover the bulk of the funds and has been cooperating with law enforcement in the investigation. Similarly, Google got its money back. The investigation is nowhere near over, however, as Rimasauskas continues to deny any involvement in the scheme while fighting his extradition to the United States.