Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security News. Show all posts
User Security
cyber espionage Cyber Espionage Campaign Cyber Security Cyber Security News Economy Hacking SMS User Security

Cyberattacks On Small Businesses: The US Economy’s ‘Achilles Heel’?


Small business firms play an important role when it comes to the economy, but they are more vulnerable to cyberattacks. 

At the time when Elena Graham, co-founder of Canada-based security service CYDEF, started selling cyber security software to smaller firms and businesses, business was relatively slow. However, now the demand is increasing, driven by a sharp rise in remote work that has exposed small businesses to cyberattacks. 

Since the start of the year, business at her security firm has tripled reaching an all-time high. "It was a total head-in-the-sand situation. 'It's not going to happen to me. I'm too small.' That was the overwhelming message that I was hearing five years ago. But yes, it is happening." says Elena. 

But with the booming security services, one can deduce that small businesses are comparatively at higher risk of being attacked by threat actors, than large businesses, as noted by Barracuda Networks.  

The risks were dramatically bolstered by the global pandemic. According to a report by RiskReconm, a Mastercard company that evaluated companies’ cyber-security risk, cyberattacks on small companies surged by more than 150% between 2020-21. 

"The pandemic created a whole new set of challenges and small businesses weren't prepared," says Mary Ellen Seale, chief executive of the National Cybersecurity Society, a non-profit that helps small businesses create cyber-security plans. 

In March 2020, at the peak of the pandemic, a survey of small businesses by broadcaster CNBC concluded that only 20% planned on investing in cyber-protection. 

Working remotely, during the pandemic, meant that more personal devices like smartphones, tablets, and laptops had access to sensitive corporate information.  

Lockdown, however, put a strain on budgets, curtailing the amount of money businesses could invest in security. Cybersecurity and costly in-house experts were frequently out of reach. Consequently, the weak cyber-security infrastructure was prone to cyber-attacks. 

With just one compromised supplier, cyber criminals could access networks of organizations further up the supply chain. According to Ms. Seale, "Large businesses depend on small businesses[…]They are the lifeblood of the United States, and we need a wake-up call." Small businesses account for more than 99% of companies in the US and employ nearly half of all Americans, playing a critical role in the global economy. In regard to this, Dr. Kim says they are like the economy's "Achilles heel". 

“They may be a small company but what they sell to large businesses could be very important. If they're hacked, [their product] won't be fed into supply chains and everything will be affected," Dr. Kim further adds. 
Read more »
United States
cyber rules Cyber Security Cyber Security awareness Cyber Security News National cyber security strategy United States

TSA: New Cybersecurity Directives Issued for US Passenger and Freight Railroad Carriers

 

The Transportation Security Administration (TSA) has recently announced a new cybersecurity security directive. The directive is issued in order to improve the cybersecurity of railroad operations and regulate passengers and freight railroad carriers. 
The TSA announcement demonstrates the Biden-Harris Administration’s commitment to strengthening the cybersecurity of U.S critical infrastructure. The security directives will further improve the nation’s railroad operations’ cyber security preparedness and resilience, building on the TSA's work to fortify defenses in other modes of transportation. 

Why are the new directives important?  


The latest measures are taken by US officials following the series of ransomware attacks and hacking incidents in the past years.  

In 2016, San Francisco Municipal Transportation Agency was targeted by a ransomware attack, which caused administrators to disable ticketing machines and turnstiles for metro stations for a weekend. 

Last year, the US witnessed the disruptive potential of a cybercrime incident, where a major pipeline company had to halt its operations for days following a ransomware attack. 

The new TSA directive instructs rails companies to report hacking incidents to the Department of Homeland Security, having a strategy in place to prevent a cyberattack from affecting their business operations. 

The directive essentially focuses on creating access controls to prevent unauthorized access to critical systems.  

The operators must ensure that these systems are constantly monitored and detected by policies and procedures. Additionally, they must also make sure that the operating systems, applications, drivers, and firmware of the critical systems are patched and up to date. 

About the new directives, TSA Administrator David Pekoske said, “The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.” 

“We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”  

As per Anne Neuberger, a senior White House official, the US officials are also working on cybersecurity measures for the water and healthcare sectors. Alongside regulations for the communications sector, including emergency warning systems are also underway.
Read more »
Windows
China Cyber Security News Hackers Linux malware Sidewalk Backdoo Windows

Hackers Group in China Creates Linux Version of Sidewalk Windows

One of the state-supported hacker groups in China has reportedly developed a Linux variant of a backdoor known as SideWalk backdoor targeting Windows systems in the academic sectors. The variant of sidewalk is believed to be assigned as a part of a Cyberespionage campaign by Earth Baku, an advanced persistent threat (APT) group with connections to APT41, termed as SparklingGoblin it is working against the entities based in the Indo-Pacific region.   
 
Sidewalk Linux Backdoor was detected in the past by security researchers back in 2020.  Sidewalk Backdoor, initially tracked as Stageclient was observed at the cybersecurity company ESET in May 2020, targeting the servers in a university in a university in Hong Kong. The group targeted in the same university in February 2021.   
 
“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage students schedules and course registrations” ESET stated in reports shared with The Hacker News. 
 
In an analysis carried out by ESET, it was observed that StageClient and Spectre botnet (a subset of a security vulnerability) are both in fact Linux variants of SideWalk. ESET also observed the SideWalk variants for Linux and Windows, in which they detected that both the variants hold a great many similarities in their infrastructures and in the way both the malwares function deducing it is in fact a Linux variant of SideWalk as well. 
 
One of the similarities of the two malwares being connected to Sidewalk was they both used the same encryption key to transport data from the infected device to the C&C servers. Secondly, it was observed that both the variants used the Cha Cha20 encryption algorithm to "use a counter with an initial value of 0x0B”, something that is particular to SideWalk. Lastly, it was observed that for both the Window and Linux, the malware uses the exact five threats given below, which are programmed for specific tasks:
 
[StageClient::ThreadNetworkReverse] – fetching proxy configurations for alternate connections to the command and control (C2) server.

[StageClient::ThreadHeartDetect] – close connection to C2 server when commands are not received in the specified time.

[StageClient::ThreadPollingDriven] – send heartbeat commands to the C2 server if there is no info to deliver.

[StageClient::ThreadBizMsgSend] – check for data to be sent in message queues for all other threads and process it.

[StageClient::ThreadBizMsgHandler] – check for pending messages from the C2 server 
 
Although SparklingGoblin actively targets the regions of East and Southeast Asia, it has now been going global. hitting organizations outside the given regions. 
Read more »
WiFi
Cyber Security News IoT Vulnerabilities and Exploits WiFi

Experts Discovered 226 Security Flaws in Nine Wi-fi Routers

 

Security experts and editors at CHIP (a German IT) have found 226 potential security faults in nine wi-fi routers from authentic manufacturers like AVM, Netgear, Asus, D-Link, TP-Link, Linksys, Edimax, and Synology. TP-Link Archer AX6000 router was the most affected by the flaws, according to cybersecurity experts, besides this, they also found 32 flaws, along with Synology RT-2600ac with 30 defects, and Netgear Nighthawk AX12 having 29 bugs. Experts also discovered around ten vulnerabilities in Netgear Nighthawk AX12, Edimax BR-6473AX, Asus ROG Rapture GT-AX11000, Linksys Velop MR9600, AVM FritzBox 7590 AX, and AVM FritzBox 7530 AX. 

The experts analyzed these network systems with the help of IoT Inspector's security platform, which searched around 1000 CVEs and security vulnerabilities. IoT CEO Jan Wendenburg said "changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network. The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget.” 

The most commonly found issues, according to cybersecurity researchers are out-of-date Linux kernel in the firmware, multimedia, and VPN features, existing hard-coded credentials, use of unsafe communication protocols, and weak security passwords. According to the security affairs advisory, "some of the security issues were detected more than once. Very frequently, an outdated operating system, i.e. Linux kernel, is in use. Since the integration of a new kernel into the firmware is costly, no manufacturer was up to date here. 

The device software used is also commonly found to be outdated, as it all too often relies on standard tools like BusyBox.” Experts observed that not all these faults can be compromised, false positives were also found. Experts discussed their findings with the manufacturers too, most of these vulnerabilities have been patched. Users are suggested to modify factory settings, make sure that devices install auto-updates, and stop functions that are not important.
Read more »
User Security
Cyber Security Cyber Security News Facebook Meta Privacy User Security

Meta's New Security Program Protects Activities, Journalists, and Human Rights Defenders


Social media website Meta (earlier known as Facebook), earlier this week announced a broadening of its Facebook protect security program to add human rights activists, journalists, social activists, and government officials exposed to malicious actors throughout the social media platforms. These defenders and activists are vital for public debate in critical communities, said Nathan Gleicher, security policy head at Meta. These people safeguard human rights across the world, promote democratic elections, hold government and political parties accountable. However, this makes them a primary target for threat actors.

Facebook Protect, as of now, is being released around the world in phases, it allows users that apply for a change to have robust safety protections such as 2FA two-factor authentication, and looking out for possible hacking threats. According to Meta, around 1.5 million user profiles have enabled the Facebook Protect as of now, out of which, 9,50,000 profiles turned on the 2FA feature after the feature was on the roll since September 2021. 

The program is similar to Google's APP (Advanced Protection Program), aimed at protecting users with sensitive information and high visibility, putting them at a greater risk of online attacks. It stops suspicious account access attempts and incorporates strict checks before downloading softwares and files on Gmail and Chrome. Users eligible for Facebook Protect will be informed via a Facebook prompt, with an option to enable the advanced security features along with identifying potential problems like weak passwords, that can be easily hacked by actors for gaining access to FB accounts. 

The announcement came a week after Apple announced to notify targeted users of threat notifications by state-sponsored hackers. These notifications would be sent via email and iMessage notifications to the phone numbers and addresses linked with Apples users' IDs. Meta said "over the next several months, we’re going to carefully expand this requirement globally. We’re encouraged by our early findings and will continue to improve Facebook Protect over time."
Read more »
US
Cyber Attacks Cyber Security News Cybersecurity Cybersecurity Incident Iran Israel US

Iran Accuses USA and Israel for Carrying Out Fuel Cyberattacks

 

An Iranian General alleged that Israel and US might have planned a cyberattack that caused disruption of fuel in service stations in Iran. The attack which happened on Tuesday is similar to two recent incidents where, as per the general, the attackers might be Iran's rivals: USA and Israel. Two incidents were analyzed, the Shahid Rajaei port incident and the railway accident, and found that these two incidents were similar. Earlier this year, as per Iran's transportation ministry, a cyberattack disrupted its website and computer systems, reports Fars news agency. 

"In a country where petrol flows freely at what are some of the lowest prices in the world, motorists need digital cards issued by the authorities. The cards entitle holders to a monthly amount of petrol at a subsidized rate and, once the quota has been used up, to buy more expensive at the market rate," reports The Security Week. In 2020, Washington Post reported an incident where Israel orchestrated an attack on Iranian port Shahid Rajaei (in Hormuz Strait), a strategic path to global oil shipments. 

The recent cyber disruption resulted in traffic jams in major pockets in Tehran, having long lines at petrol pumps disrupting traffic flow. Following the incident, the oil ministry shut down the service stations in order for easy manual distribution of petrol, said the authorities. On Wednesday, President Ebrahim Raisi alleged that the actors were trying to sway the people of Iran against Islamic Republic leadership. As per the reports, an estimated 3200 out of 4300 of the country's service stations have been re-linked with the central distribution system, said the National Oil Products Distribution Company. 

Besides this, there are other stations who also give fuel to motorists, but not at subsidized rates, which makes it twice in the rates, around 5-6 US cents/litre. The Security Week reports, "Since 2010, when Iran's nuclear program was hit by the Stuxnet computer virus, Iran and its arch-foes Israel and the United States have regularly accused each other of cyberattacks. The conservative Fars news agency on Tuesday linked the breakdown to opponents ahead of the second anniversary of deadly protests sparked by a hike in petrol prices."
Read more »
TrickBot trojan
Cyber Security News Hacking News malware Russian Hackers TrickBot TrickBot trojan

Alleged TrickBot Gang Member Arrested While Leaving South Korea




A Russian native – on accusations of being associated with the TrickBot cybercrime gang – was recently arrested by the authorities at Seoul International airport, while trying to leave South Korea. 

Reportedly, the Russian resident – identified as Mr. A by media –  was leaving for his home in Russia after waiting for over a year in the South Asian country. As per local media reports (Seoul's KBS) the alleged individual was prevented from leaving South Korea due to COVID-19 travel restrictions – international travel had been canceled by Seoul officials as the global pandemic broke out. Subsequently, Mr. A's passport expired, and he was stranded in South Korea as he waited to renew his passport. 

The Russian man who allegedly worked as a web browser developed for the malware spreading TrickBot gang in 2016 during his stay in Russia, denied 'being aware' of working for a cybercrime group. “When developing the software, the user manual did not identify malware,” said the individual at Seoul High Court. 

As per a Korean newspaper, on September 01, an interrogation was held at the 20th Criminal Division of the Seoul High Court – for the extradition request case against the alleged developer of the malware. While fighting the US extradition attempt, the lawyer of the accused argued that the US will prosecute the man unjustly. "If you send it to the United States, it will be very difficult to exercise your right of defense and there is a good chance that you will be subject to excessive penalties,” claimed the attorney. 

As per the reports, the suspect continued to maintain that the operation manual did not fall under malicious software when he developed the software. He received work from TrickBot via a job search site, following which he developed a web browser for the gang, according to The Record. Notably, the recruiters preferred applicants who did not ask a lot of questions. 

TrickBot is an advanced banking trojan that targets Windows machines. Initially created to steal the banking information of unsuspecting users, TrickBot has evolved over the last five years to be versatile, widely available, and easy to use. With new variants being increasingly released, TrickBot infections have become more frequent on home office networks; continuous advancement since its inception has cemented TrickBot's reputation as a highly adaptive modular malware.
Read more »
malware
Cyber News Cyber Security News Cybersecurity Malicious actor malware

VIP72: 15-Year-Old Malware Proxy Network Goes 'Dark' Without Notice



A 15-year-old cybercrime anonymity service called VIP72, in the past, allowed a large number of cybercriminals to cover up their actual location by routing traffic via dozens of hacked computers seeded with malware – suddenly went offline for a period of two weeks and has not shown any signs of return. 

Similar to other proxy networks advertised on the darknet and other cybercrime forums, VIP72 also routed its clients' traffic via systems that have been infected by malware. Employing the malicious service, users could choose network nodes in almost any of the countries to relay their traffic as they conceal themselves behind some unsuspecting user's URL. 

Over the past few days, the darknet has been flooded with  "R.I.P" texts for the malware proxy network, VIP72 that went dark without any prior notice. Initially, the authors of VIP62 told their customers that they will be back online shortly, indicating it's a maintenance issue that's restricting their operations. “Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!”, read a notice titled “We'll be back soon!” 

It was updated to read, “Socks client will be unavailable within next 5 (FIVE) days for planned upgrades. We will resume normal work of socks client till the end of this week. All active subscriptions will have +8 days to existed paid period.” 

“—We only work on web vip72.com and sellvip72.com/en. Do not access fraudulent websites on google search e.g: vip72.cx, .us etc...”, the notice further read in 'red' letter font. 

Originally set up in 2006, VIP72, had a long run assisting malicious actors in concealing their real location via a well-founded proxy service. Basically, the proxying service of VIP72 effectively obscured the identity and true location of malware campaigners by routing their traffic via multiple network bounces. In a nutshell, VIP72 essentially offered its customers safety from the security police. 

However, ironically enough, the U.S.-hosted proxy service itself has presumably faced something serious, perhaps, a case of policing. Other experts speculate, that VIP72 might have experienced trouble in competing against newly emerged sophisticated anonymity network services. Although the reason behind VIP72's sudden disappearance remains unclear and the website has gone offline for two weeks now, the proxy service is still accessible to some of the users, which makes sense as the compromised hosts would still be infected with the malware and will indefinitely continue to forward traffic for as long as they remain under the effect of proxy malware.
Read more »
Subscribe to: Posts (Atom)