Intel Security, Kaspersky Lab and Europol have teamed up to launch a new initiative designed to educate people about the threat of ransomware and offer keys that can unlock devices without having to pay the fraudsters.
The No More Ransom portal, which also has the backing of the Dutch National Police, has been put together in response to the rising threat from ransomware which had almost one million victims in Europe last year.
The portal will contain material designed to educate users about the threat of ransomware and where it comes from, but it is the access to some 160,000 keys that is most notable. These cover numerous ransomware strains, most notably the Shade trojan that emerged in 2014. This is a particularly nasty ransomware spread via websites and infected email attachments.
However, the command and control servers for Shade that stored the decryption keys were seized by law enforcement, and the keys were given to Kaspersky and Intel Security.
These have now been entered into the No More Ransom portal so that victims can access their data without paying the criminals.
Jornt van der Wiel, security researcher with Kaspersky’s global research and analysis team, explained that the portal will help people to take a stand against the rise of ransomware.
“The biggest problem with crypto-ransomware today is that when users have precious data locked down they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result,” he said.
“We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road.”
Raj Samani, EMEA chief technology officer at Intel Security, echoed this sentiment. “This collaboration goes beyond intelligence sharing, consumer education and takedowns to actually help repair the damage inflicted on victims,” he said.
“By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”
The burgeoning threat of hacking and the need to protect data more stringently will accelerate demand for cyber insurance in Europe, insurer Allianz said as it launched its first product aimed at Germany’s small-to-medium-sized manufacturers.
Cyber insurance has been slow to take off in Europe, with fewer than one in 10 firms having taken out a policy, said Christopher Lohmann, head of the Central and Eastern Europe region at Allianz Global Corporate & Specialty (AGCS).
But he believes greater awareness among companies and new regulation, such as Germany’s I.T. security law which came into force last year and orders 2,000 providers of critical infrastructure to report serious breaches, will spur demand.
“There are many reasons to believe that cyber insurance will evolve into the fire insurance of the 21st century,” he said, adding a functioning IT system and secure data are critical to many businesses and their reputations.
Home to world champion manufacturers, Germany offers rich pickings for hackers, and attacks on industrial production sites are rising, according to the government’s latest IT Security Report.
Forty percent of German companies were affected by e-Crime over the past two years, according to a study by consultancy KPMG in 2015, an increase of 50 percent over 2013.
Germany’s small-to-medium-sized manufacturers, known as the Mittelstand and which form the backbone of its economy, are particularly vulnerable as they lack the big budgets for I.T. spending.
The threat is growing as companies move to connect machinery to the Internet to enable it to collect and exchange data and make it easier to control remotely.
Despite this, cyber premiums in Germany were estimated to be worth only around $10 million last year. This compares with an estimated premium volume of $2.5 billion in the United States, according to Lohmann.
Peter Grass from the German Association of Insurers expects cyber insurance to become a matter of course for all companies whose business models depend on I.T.
“The development is relatively rapid – also because the public and politics are becoming ever more aware that this can be an economic problem,” he said.
The first cyber insurance policies were launched on the German market in 2011 and around 15 insurers are now active in the market. Other big players include Axa, Hiscox, Ergo (part of Munich Re) and Zurich Insurance.
This past weekend, the hacker, who goes by thedarkoverlord, began advertising the records for sale on TheRealDeal, a black market on the dark Web. (It can be visited through a Tor browser.)
The data includes names, addresses, dates of birth, and Social Security numbers – all of which could be used to commit identity theft or access the patient’s bank accounts.
These records are being sold in four separate batches. The biggest batch includes 9.3 million patient records stolen from a U.S. health insurance provider, and it went up for sale on Monday.
The hacker used a little-known vulnerability within the Remote Desktop Protocol to break into the insurance provider’s systems, he said in his posting on the black market site.
The three other batches cover a total of 655,000 patient records, from healthcare groups in Atlanta, Georgia, Farmington, Missouri, and another city in the Midwestern U.S. The hacker didn’t give the names of the affected groups.
To steal these patient records, the hacker used “readily available plain text” usernames and passwords to access the networks where the data was stored, according to his sales postings.
Using an online message sent through the market, thedarkoverlord declined to answer any questions unless paid. The hacker wants a total of 1,280 bitcoins for the data he stole.
Qatar National Bank has confirmed that its systems were hacked but said that the information released online was a combination of data picked up from the attack and from other sources such as social media.
The incident will not have a financial impact on the bank’s customers, whose accounts are secure, the bank said — without providing details of how its systems were hacked, the possible identity of the hackers and what information was harvested.
The announcement Sunday by one of the leading financial institutions in the Middle East follows the posting online last week of leaked documents. The attack targeted only a portion of Qatar-based customers, the bank said, claiming the hack attempted to target the bank’s reputation rather than specifically its customers.
“QNB Group’s Risk Team monitored abnormal activity in our system environment; this was immediately communicated to relevant authorities,” the bank said in a statement. “We also took immediate steps and our systems are fully secure and operational.”
The 1.4GB trove of documents leaked online included financial information such as customer transaction logs, personal identification numbers and credit card data. But on closer scrutiny the data was found to have folders with detailed profiles on specific individuals, including what appeared to be files on members of the Qatari royal family, employees of media outlet Al Jazeera and people listed as working for the British MI6 and some other intelligence agencies, security firm Trend Micro said on Wednesday.
The attackers used an open-source SQL injection tool to extract all of the customer data they needed, wrote Simon Edwards, cyber security expert at Trend Micro. SQL injection is used against websites that pass untrusted user input into the SQL (structured query language) queries they run against a database server, so that the attacker's input becomes part of the query itself.
The log file suggests that the attack could have started about nine months ago in July last year, Edwards said.
QNB said Tuesday that it would not comment on reports in social media of “an alleged data breach,” but sought to assure all concerned that there was no financial impact on the bank or its clients.
The not-for-profit organization, which runs 10 hospitals in the Washington, D.C., area, was hit with ransomware, the Baltimore Sun reported on Wednesday, citing two anonymous sources.
MedStar Health officials could not be immediately reached for comment. The organization issued two statements Wednesday, but did not describe what type of malware infected its systems.
It said in one statement that its IT team has worked continuously to restore access to three main clinical systems. It said no patient data or associate data was compromised.
Ransomware has become one of the most prevalent kinds of malware on the Internet although it has been around for more than a decade.
Several medical facilities have come forward over the last few weeks and publicly said ransomware had disrupted their operations. The targeting of medical groups has added a new and dangerous angle to these kinds of cyberattacks because patient care could be directly impacted.
MedStar encouraged patients on Wednesday to call doctor offices directly to make appointments, as it was still trying to restore its electronic appointment system.
Nonetheless, MedStar said it has been able to keep humming along. Since the attack, it has cared for 3,380 patients a day across 10 hospitals, performed 782 surgeries and delivered 72 babies.
“The malicious malware attack has created many inconveniences and operational challenges for our patients and associates,” according to a statement. “With only a few exceptions, we have continued to provide care approximating our normal volume levels.”
The Baltimore Sun reported the hackers offered MedStar a bulk decryption discount: three bitcoins to decrypt one computer, or 45 bitcoins, roughly US$18,500, to unlock them all.
Authorities are largely at a loss for how to stop ransomware. Some of the ransomware gangs, believed to be in Eastern Europe or Russia, are far out of the reach of law enforcement.
The company said the attacker however did not gain access to Customer Proprietary Network Information (CPNI) or other data.
CPNI is the information that telephone companies collect including the time, date, duration and destination number of each call and the type of network a consumer subscribes to.
Krebs On Security, which first broke the news of the breach, said a member of an underground cybercrime forum had posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.
The seller priced the entire package at $100,000, but offered to sell it off in parts of 100,000 records for $10,000 apiece, Krebs added.
The vulnerability, which was investigated and fixed, did not leak any data on consumer customers, Verizon said in a statement.
The company is currently notifying customers impacted by the breach.
Palo Alto Networks has uncovered a new iOS threat dubbed “AceDeceiver” that is targeting non-jailbroken iDevices via a flaw in Apple’s DRM mechanism.
Palo Alto Networks has an eye for this kind of thing, having uncovered the WireLurker malware wreaking havoc on iPhones back in 2014.
Since then, iOS malware has got more advanced, and the latest threat to iPhone users has successfully managed to infiltrate non-jailbroken kit.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all,” Palo Alto says in a blog post.
AceDeceiver is abusing a design flaw in Apple’s DRM protection mechanism called FairPlay via a technique called “FairPlay Man-in-the-Middle”, enabling attackers to install malicious apps on iOS devices while bypassing Apple’s baked-in security measures.
It can do so without a user knowing, too, and the only tell-tale sign will be a new app icon showing on an iPhone’s home screen that most will probably assume they drunkenly installed.
Palo Alto notes that while this technique has been used by hackers since 2013, this is the first time that it’s been exploited to spread malware.
“In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim,” the security firm explains.
“Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”
Three different iOS apps in the AceDeceiver family were uploaded to Apple’s App Store between July 2015 and February 2016, and all of them claimed to be innocent wallpaper apps. Apple cleared the App Store of these apps back in February, albeit after they had managed to bypass its security seven times, but Palo Alto notes that even with the apps no longer available, they could still wreak havoc on iPhones and iPads.
“Even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”
There’s no need to panic just yet, though, as Palo Alto notes that, for now at least, AceDeceiver is only targeting users in China.
While you don’t need to panic yet, Palo Alto notes that AceDeceiver demonstrates how easy it can be for malware to infect non-jailbroken devices, which could pave the way for similar threats to start cropping up in more regions soon.
“AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices. As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique.”
The firm has also issued a stark warning to iPhone and iPad-wielding businesses, adding: “Since AceDeceiver also spreads via enterprise certificates, we suggest that enterprises check for unknown or abnormal provision profiles as well.”
Palo Alto Networks has notified Apple of the malware threat, but the flaw has yet to be patched.
Palo Alto Networks have uncovered ransomware attacks aimed at Mac OS X users.
The attacks are low-budget so far, but it’s early days for ransomware on Mac OS X so perhaps the financial demands will rise in time. Attacks on Apple platforms are rare but they do happen.
“On March 4 we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware just a few hours after installers were initially posted. We have named this ransomware KeRanger,” said Palo Alto in a blog post.
“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”
Victims are infected via the download site of Transmission, a BitTorrent client. Palo Alto said that Transmission is an open source project, and that its website was compromised by third parties with bad intentions who replaced the legitimate installer with a trojanised one.
You know how ransomware works: it infects computers, encrypts the data and asks the owners to pay a fee to have it unlocked. The industry advice is not to pay up, but some organisations do, so we suppose that it’s up to the victim.
The good news at this stage is that the ransom demand is just one bitcoin. Palo Alto has informed Apple and the Transmission people about the problem, and modified its own offerings to filter out dodgy URLs before they get to customers.
“Palo Alto reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto has also updated URL filtering and threat prevention to stop KeRanger affecting systems,” wrote the firm.
Resilient makes an incident-response platform that automates and orchestrates the processes for dealing with cyber incidents such as breaches and lost devices, enabling companies to respond more quickly. The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response, the company said.
IBM intends to bring Resilient’s full staff of roughly 100 on board once the acquisition is completed, including cryptographer and security guru Bruce Schneier, Resilient’s CTO.
The transaction is expected to close later this year; terms were not disclosed.
IBM has already been beefing up its security muscle for some time, including hiring 1,000 new experts last year, it said. Late last year, it appointed Mark van Zadelhoff general manager of its security business.
The Resilient acquisition bolsters IBM’s incident-response capabilities.
Toward that end, IBM on Monday also launched IBM X-Force Incident Response Services to help clients plan for, manage and respond to cyberattacks. Resilient’s platform will be a key component of those new services, as will IBM’s QRadar Security Intelligence Platform. IBM plans to integrate Resilient’s technology across the full IBM Security portfolio, it said.
Security has become an increasingly pressing challenge in the corporate world, because it’s no longer possible to make any company fully secure, said Rob Enderle, principal analyst with Enderle Group.
“The race has now moved to how quickly an attack can be discovered and mitigated so that damage is minimized,” Enderle added.
The addition of Resilient should broaden the areas where companies can use IBM security and also deepen the features and performance of those tools.
You won’t believe how much the average security incident can cost an organisation. Unless, of course, you have been privileged enough to suffer one.
Kaspersky has worked it out for those of us who have not been tainted with the hacker brush, and found that the cost is large. We could have worked that out ourselves but, hey, we aren’t a large security company.
The firm delivers its findings in a True costs of a cyber attack blog post, coming straight in with the big numbers: a breach can cost anywhere between $500,000 and $1.4m in terms of downtime alone.
“When a business suffers from a cyber attack, there is a very clear and immediate cost as a result. Sensitive, confidential information has been compromised. The average direct cost associated with such a data breach for an enterprise with more than 1,000 employees is $551,000,” said a Kaspersky chap called Jake Kenny.
“There are many residual costs that you may not think about. An attack often interrupts business continuity, which results in extended periods of downtime for employees while the company is trying to recover. It is estimated that attacked enterprises suffered an average of 23 hours of downtime, resulting in an average loss of $1.4m.”
Kenny reckons that the first number would make us gasp, but he does not know us very well. These numbers pale when compared with the misfortunes of US retailer Target, where heads rolled and $162m was flushed down the toilet.
Juniper Research has already spoiled the Kaspersky party here, having released numbers concerning this kind of thing almost nine months ago. Juniper said that cyber crime will cost all industry over $2tn by 2019.
We got the information direct from Kaspersky in the end (no offence Mr Kenny) which revealed that the data is based on a survey of 5,500 companies, 90 percent of which admitted to being hacked. That is bleak. Losses differ depending on the size of the company; small and medium businesses lose less, but are perhaps more at risk from this kind of attack.
“SMBs tend to lose a significant amount of money on almost all types of breach, paying a similar high price on recovering from acts of espionage as well as DDoS and phishing attacks,” said Kaspersky.
The Juniper information is also chilling: “As more and more business infrastructure moves online, so do those wishing to destroy or defraud that infrastructure.
“Cyber crime is a growing threat to corporations and consumers, who are increasingly using online methods to run their businesses and lives. With the advent of mobile computing, this is only likely to become more common.”
Hewlett Packard Enterprise (HPE) has shed light on what it believes to be the biggest risks facing enterprises, and included on that list is Microsoft.
We ain’t surprised, but it is quite a shocking and naked fact when you consider it. The naming and resulting shaming happens in the HPE Cyber Risk Report 2016, which HPE said “identifies the top security threats plaguing enterprises”.
Enterprises, it seems, have myriad problems, of which Microsoft is just one.
“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” said Sue Barsamian, senior vice president and general manager for security products at HPE.
“We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organisation to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”
Microsoft earned its place in the enterprise nightmare probably because of its ubiquity. Applications, malware and vulnerabilities are a real problem, and it is Windows that provides the platform for this havoc.
“Software vulnerability exploitation continues to be a primary vector for attack, with mobile exploits gaining traction. Similar to 2014, the top 10 vulnerabilities exploited in 2015 were more than one-year-old, with 68 percent being three years old or more,” explained the report.
“In 2015, Microsoft Windows represented the most targeted software platform, with 42 percent of the top 20 discovered exploits directed at Microsoft platforms and applications.”
It is not all bad news for Redmond, as the Google-operated Android is also put forward as a professional pain in the butt. So is iOS, before Apple users get any ideas.
“Malware has evolved from being simply disruptive to a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6 percent year over year, the attack targets shifted notably in line with evolving enterprise trends and focused heavily on monetisation,” added the firm.
“As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms. The number of Android threats, malware and potentially unwanted applications have grown to more than 10,000 new threats discovered daily, reaching a total year-over-year increase of 153 percent.
“Apple iOS represented the greatest growth rate with a malware sample increase of more than 230 percent.”
Trustwave has uncovered the news that people who work in the security industry suffer because of the ruddy cloud, the ruddy skills gap and the ruddy board.
This is not hearsay, although you might find anecdotal evidence in your workplace. This is science. Well, a survey anyway. This gift of knowledge comes from Trustwave, a firm that operates in the security arena and probably has access to industry ears and the will to bend them.
The firm asked people like you, perhaps even you, what gets you down at work. The answer can adequately be summarized as ‘work’, but there is a little more to it. Technology, supposed to be a great enabler, isn’t doing everyone favors, apparently, and things like the cloud are something of a straw to your IT staffer camel’s back.
The 2016 Security Pressures Report is out now, and you can access it if you have the yearning and the time. It makes it clear that there are pressures (we knew that) and that some of them are technological (you knew that).
A mix of menace, malware, malaise and management are the real stress points, and reading between the lines we reckon that Trustwave knows exactly what you should be doing about it.
“Security professionals live in a unique and stressful environment, defined by conflict with faceless attackers as well as internal threats,” said Steve Kelley, chief marketing officer at Trustwave.
“Businesses rely on information security more than ever before and the pressure to show measurable success is taking a toll on security practitioners.
“The widening gulf between the expected outcomes and the struggle to maintain adequate solutions and staff is driving businesses – as many as 86 percent of them – to partner with a managed security services provider to relax the pressures and help them achieve their cyber security goals.”
The plan calls for a $3.1 billion fund to replace outdated IT infrastructure; a new position of federal chief information security officer; a commission to study cybersecurity problems, and a program to recruit cybersecurity experts into government roles.
The U.S. has been working since 2009 to improve the nation’s cyber defenses, most recently with the Cybersecurity Act of 2015, which promotes better information sharing between private industry and government, said Michael Daniel, special assistant to the President and cybersecurity coordinator, in a phone briefing with reporters Monday.
“Despite this track record, the cyberthreat continues to outpace our current efforts,” he said. “Particularly as we continue to hook more and more of our critical infrastructure up to the Internet, and as we build out the Internet of things, cyberthreats become only more frequent and more serious.”
The U.S. has faced serious data breaches and intrusions over the past two years. An attack on the Office of Personnel Management, the federal personnel agency, resulted in the theft of data including Social Security numbers, and in some cases fingerprints, of 21.5 million people.
In November 2014, the State Department took its unclassified email system offline after it detected suspicious activity. The shutdown came just two weeks after the White House reported unusual activity on the unclassified Executive Office of the President network.
Overall, the government wants to allocate $19 billion for cybersecurity spending in fiscal 2017, a 35% increase over the current year.
The proposed $3.1 billion Information Technology Modernization Fund would be used to replace systems that pose a high risk and to investigate more modern architectures, such as cloud services.
Hackers in China attempted to gain access to over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.
An Alibaba spokesman said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.
Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defenses catch up to U.S. counterparts.
In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.
The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.
The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.
Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.
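The attack described above is credential stuffing: a leaked list of username/password pairs from other sites is replayed against a target, and the fraction that works (here 20.59 million of 99 million) is the haul. Its signature in authentication logs is distinctive, and the following added example (not Alibaba's or Taobao's code) shows detection logic over a handful of constructed login events: one source trying many distinct usernames in a short window with a low but non-zero success rate, as opposed to a user fat-fingering their own password. The cloud address range is an assumed, hypothetical value standing in for the rented tenancy the report describes.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed login events (not real Taobao data): "timestamp src_ip username result".
# 203.0.113.10 replays ten different accounts in eight seconds and gets two hits;
# 198.51.100.7 is a legitimate user retrying their own password.
SAMPLE_LOG = """\
2015-10-15T03:00:01Z 203.0.113.10 user001 FAIL
2015-10-15T03:00:02Z 203.0.113.10 user002 FAIL
2015-10-15T03:00:02Z 203.0.113.10 user003 OK
2015-10-15T03:00:03Z 203.0.113.10 user004 FAIL
2015-10-15T03:00:04Z 203.0.113.10 user005 FAIL
2015-10-15T03:00:05Z 203.0.113.10 user006 FAIL
2015-10-15T03:00:05Z 203.0.113.10 user007 OK
2015-10-15T03:00:06Z 203.0.113.10 user008 FAIL
2015-10-15T03:00:07Z 203.0.113.10 user009 FAIL
2015-10-15T03:00:08Z 203.0.113.10 user010 FAIL
2015-10-15T03:01:00Z 198.51.100.7 alice FAIL
2015-10-15T03:01:05Z 198.51.100.7 alice FAIL
2015-10-15T03:01:20Z 198.51.100.7 alice OK
2015-10-15T03:02:00Z 192.0.2.44 bob OK
"""

# Assumed (hypothetical) address range for the rented cloud tenancy; use the
# provider's published ranges in practice.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse(log_text):
    """Parse the space-separated log into (timestamp, ip, username, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_stuffing(events, window_s=60, min_attempts=10,
                    min_distinct_users=8, max_success_rate=0.5):
    """Flag source IPs whose attempts in any sliding window look like replayed credentials.

    Stuffing = many distinct usernames from one source, mostly failing, with a
    few successes (the valid pairs). A brute force against one account has one
    username; a normal user has few attempts. Returns {ip: details}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_s seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            if len(window) < min_attempts:
                continue
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, r in window if r == "OK")
            rate = successes / len(window)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    # Accounts whose reused password worked: these need a forced reset.
                    "valid_pairs": sorted(u for _, u, r in window if r == "OK"),
                    "cloud_source": any(ipaddress.ip_address(ip) in n for n in CLOUD_RANGES),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The "valid_pairs" list is the actionable output: the accounts a successful replay hit are exactly the ones whose owners reused a password leaked elsewhere, and the response the report describes (telling users to change passwords) can be targeted at them rather than broadcast to everyone.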
The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.
Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.
“Alibaba’s system was never breached,” the spokesman said.
The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.
Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.
It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.
FireEye’s report said that Remote Hot Patching may sound like a good idea at the time, but it really isn’t. JSPatch is so widely used that it has opened a hole spanning 1,220 iOS applications in Apple users’ security. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.
“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.
“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.
Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.
FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.