Qatar National Bank has confirmed that its systems were hacked but said that the information released online was a combination of data picked up from the attack and from other sources such as social media.
The incident will not have a financial impact on the bank’s customers, whose accounts are secure, the bank said — without providing details of how its systems were hacked, the possible identity of the hackers and what information was harvested.
The announcement Sunday by one of the leading financial institutions in the Middle East follows the posting online last week of leaked documents. The attack targeted only a portion of Qatar-based customers, the bank said, claiming the hack attempted to target the bank’s reputation rather than specifically its customers.
“QNB Group’s Risk Team monitored abnormal activity in our system environment; this was immediately communicated to relevant authorities,” the bank said in a statement. “We also took immediate steps and our systems are fully secure and operational.”
The 1.4GB trove of documents leaked online included financial information such as customer transaction logs, personal identification numbers and credit card data. But on closer scrutiny the data was found to have folders with detailed profiles on specific individuals, including what appeared to be files on members of the Qatari royal family, employees of media outlet Al Jazeera and people listed as working for the British MI6 and some other intelligence agencies, security firm Trend Micro said on Wednesday.
The attackers used an open-source SQL injection tool to extract all of the customer data they needed, wrote Simon Edwards, cyber security expert at Trend Micro. SQL injection is used against websites that use SQL (structured query language) to query information from a database server.
The log file suggests that the attack could have started about nine months ago in July last year, Edwards said.
QNB said Tuesday that it would not comment on reports in social media of “an alleged data breach,” but sought to assure all concerned that there was no financial impact on the bank or its clients.
MedStar Health, the not-for-profit organization which runs 10 hospitals in the Washington, D.C., area, was hit with ransomware, the Baltimore Sun reported on Wednesday, citing two anonymous sources.
MedStar Health officials could not be immediately reached for comment. The organization issued two statements Wednesday, but did not describe what type of malware infected its systems.
It said in one statement that its IT team has worked continuously to restore access to three main clinical systems. It said no patient data or associate data was compromised.
Ransomware has become one of the most prevalent kinds of malware on the Internet although it has been around for more than a decade.
Several medical facilities have come forward over the last few weeks and publicly said ransomware had disrupted their operations. The targeting of medical groups has added a new and dangerous angle to these kinds of cyberattacks because patient care could be directly impacted.
MedStar encouraged patients on Wednesday to call doctor offices directly to make appointments, as it was still trying to restore its electronic appointment system.
Nonetheless, MedStar said it has been able to keep humming along. Since the attack, it has cared for 3,380 patients a day across 10 hospitals, performed 782 surgeries and delivered 72 babies.
“The malicious malware attack has created many inconveniences and operational challenges for our patients and associates,” according to a statement. “With only a few exceptions, we have continued to provide care approximating our normal volume levels.”
The Baltimore Sun reported the hackers offered MedStar a bulk decryption discount: three bitcoins to decrypt one computer, or 45 bitcoins, roughly US$18,500, to unlock them all.
Authorities are largely at a loss for how to stop ransomware. Some of the ransomware gangs, believed to be in Eastern Europe or Russia, are far out of the reach of law enforcement.
Verizon said the attacker, however, did not gain access to Customer Proprietary Network Information (CPNI) or other data.
CPNI is the information that telephone companies collect including the time, date, duration and destination number of each call and the type of network a consumer subscribes to.
Krebs On Security, which first broke the news of the breach, said a member of an underground cybercrime forum had posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.
The seller priced the entire package at $100,000, but offered to sell it off in parts of 100,000 records for $10,000 apiece, Krebs added.
The vulnerability, which was investigated and fixed, did not leak any data on consumer customers, Verizon said in a statement.
The company is currently notifying customers impacted by the breach.
Palo Alto Networks has uncovered a new iOS threat dubbed “AceDeceiver” that is targeting non-jailbroken iDevices via a flaw in Apple’s DRM mechanism.
Palo Alto Networks has an eye for this kind of thing, having uncovered the WireLurker malware wreaking havoc on iPhones back in 2014.
Since then, iOS malware has got more advanced, and the latest threat to iPhone users has successfully managed to infiltrate non-jailbroken kit.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all,” Palo Alto says in a blog post.
AceDeceiver is abusing a design flaw in Apple’s DRM protection mechanism called FairPlay via a technique called “FairPlay Man-in-the-Middle”, enabling attackers to install malicious apps on iOS devices while bypassing Apple’s baked-in security measures.
It can do so without a user knowing, too, and the only tell-tale sign will be a new app icon showing on an iPhone’s home screen that most will probably assume they drunkenly installed.
Palo Alto notes that while this technique has been used by hackers since 2013, this is the first time that it’s been exploited to spread malware.
“In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim,” the security firm explains.
“Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”
Three different iOS apps in the AceDeceiver family were uploaded to Apple’s App Store between July 2015 and February 2016, and all of them claimed to be innocent wallpaper apps. Apple cleared the App Store of these apps back in February, albeit after they had managed to bypass its security seven times, but Palo Alto notes that even with the apps no longer available, they could still wreak havoc on iPhones and iPads.
“Even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”
There’s no need to panic just yet, though, as Palo Alto notes that, for now at least, AceDeceiver is only targeting users in China.
While you don’t need to panic yet, Palo Alto notes that AceDeceiver demonstrates how easy it can be for malware to infect non-jailbroken devices, which could pave the way for similar threats to start cropping up in more regions soon.
“AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices. As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique.”
The firm has also issued a stark warning to iPhone and iPad-wielding businesses, adding: “Since AceDeceiver also spreads via enterprise certificates, we suggest that enterprises check for unknown or abnormal provision profiles as well.”
Palo Alto Networks has notified Apple of the malware threat, but it has yet to be patched.
Palo Alto Networks has uncovered ransomware attacks aimed at Mac OS X users.
The attacks are low-budget so far, but it’s early days for the Mac OS X vulnerability so perhaps the financial demands will rise in time. Apple security attacks are rare but they do happen.
“On March 4 we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware just a few hours after installers were initially posted. We have named this ransomware KeRanger,” said Palo Alto in a blog post.
“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”
Victims were infected via the download site of Transmission, an open source BitTorrent client. Palo Alto said that the project’s website was compromised by third parties with bad intentions.
You know how ransomware works: it infects computers and asks their owners to pay a fee to have the data unlocked. The industry advice is not to pay up, but some organisations do, so we suppose that it’s up to the victim.
The good news at this stage is that the ransom demand is just one bitcoin. Palo Alto has informed Apple and the Transmission people about the problem, and modified its own offerings to filter out dodgy URLs before they get to customers.
“Palo Alto reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto has also updated URL filtering and threat prevention to stop KeRanger affecting systems,” wrote the firm.
Resilient makes an incident-response platform that automates and orchestrates the processes for dealing with cyber incidents such as breaches and lost devices, enabling companies to respond more quickly. The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response, the company said.
IBM intends to bring Resilient’s full staff of roughly 100 on board once the acquisition is completed, including cryptographer and security guru Bruce Schneier, Resilient’s CTO.
The transaction is expected to close later this year; terms were not disclosed.
IBM has already been beefing up its security muscle for some time, including hiring 1,000 new experts last year, it said. Late last year, it appointed Mark van Zadelhoff general manager of its security business.
The Resilient acquisition bolsters IBM’s incident-response capabilities.
Toward that end, IBM on Monday also launched IBM X-Force Incident Response Services to help clients plan for, manage and respond to cyberattacks. Resilient’s platform will be a key component of those new services, as will IBM’s QRadar Security Intelligence Platform. IBM plans to integrate Resilient’s technology across the full IBM Security portfolio, it said.
Security has become an increasingly pressing challenge in the corporate world, because it’s no longer possible to make any company fully secure, said Rob Enderle, principal analyst with Enderle Group.
“The race has now moved to how quickly an attack can be discovered and mitigated so that damage is minimized,” Enderle added.
The addition of Resilient should broaden the areas where companies can use IBM security and also deepen the features and performance of those tools.
You won’t believe how much the average security incident can cost an organisation. Unless, of course, you have been privileged enough to suffer one.
Kaspersky has worked it out for those of us who have not been tainted with the hacker brush, and found that the cost is large. We could have worked that out ourselves but, hey, we aren’t a large security company.
The firm delivers its findings in a “True costs of a cyber attack” blog post, coming straight in with the big numbers: a breach can cost anywhere between $500,000 and $1.4m in terms of downtime alone.
“When a business suffers from a cyber attack, there is a very clear and immediate cost as a result. Sensitive, confidential information has been compromised. The average direct cost associated with such a data breach for an enterprise with more than 1,000 employees is $551,000,” said a Kaspersky chap called Jake Kenny.
“There are many residual costs that you may not think about. An attack often interrupts business continuity, which results in extended periods of downtime for employees while the company is trying to recover. It is estimated that attacked enterprises suffered an average of 23 hours of downtime, resulting in an average loss of $1.4m.”
Kenny reckons that the first number would make us gasp, but he does not know us very well. These numbers pale when compared with the misfortunes of US retailer Target, where heads rolled and $162m was flushed down the toilet.
Juniper Research has already spoiled the Kaspersky party here, having released numbers concerning this kind of thing almost nine months ago. Juniper said that cyber crime will cost all industry over $2tn by 2019.
We got the information direct from Kaspersky in the end (no offence Mr Kenny) which revealed that the data is based on a survey of 5,500 companies, 90 percent of which admitted to being hacked. That is bleak. Losses differ depending on the size of the company; small and medium businesses lose less, but are perhaps more at risk from this kind of attack.
“SMBs tend to lose a significant amount of money on almost all types of breach, paying a similar high price on recovering from acts of espionage as well as DDoS and phishing attacks,” said Kaspersky.
The Juniper information is also chilling: “As more and more business infrastructure moves online, so do those wishing to destroy or defraud that infrastructure.
“Cyber crime is a growing threat to corporations and consumers, who are increasingly using online methods to run their businesses and lives. With the advent of mobile computing, this is only likely to become more common.”
Hewlett Packard Enterprise (HPE) has cast a shade on what it believes to be the biggest risks facing enterprises, and included on that list is Microsoft.
We ain’t surprised, but it is quite a shocking and naked fact when you consider it. The naming and resulting shaming happens in the HPE Cyber Risk Report 2016, which HPE said “identifies the top security threats plaguing enterprises”.
Enterprises, it seems, have myriad problems, of which Microsoft is just one.
“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” said Sue Barsamian, senior vice president and general manager for security products at HPE.
“We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organisation to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”
Microsoft earned its place in the enterprise nightmare probably because of its ubiquity. Applications, malware and vulnerabilities are a real problem, and it is Windows that provides the platform for this havoc.
“Software vulnerability exploitation continues to be a primary vector for attack, with mobile exploits gaining traction. Similar to 2014, the top 10 vulnerabilities exploited in 2015 were more than one-year-old, with 68 percent being three years old or more,” explained the report.
“In 2015, Microsoft Windows represented the most targeted software platform, with 42 percent of the top 20 discovered exploits directed at Microsoft platforms and applications.”
It is not all bad news for Redmond, as the Google-operated Android is also put forward as a professional pain in the butt. So is iOS, before Apple users get any ideas.
“Malware has evolved from being simply disruptive to a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6 percent year over year, the attack targets shifted notably in line with evolving enterprise trends and focused heavily on monetisation,” added the firm.
“As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms. The number of Android threats, malware and potentially unwanted applications have grown to more than 10,000 new threats discovered daily, reaching a total year-over-year increase of 153 percent.
“Apple iOS represented the greatest growth rate with a malware sample increase of more than 230 percent.”
Trustwave has uncovered the news that people who work in the security industry suffer because of the ruddy cloud, the ruddy skills gap and the ruddy board.
This is not hearsay, although you might find anecdotal evidence in your workplace. This is science. Well, a survey anyway. This gift of knowledge comes from Trustwave, a firm that operates in the security arena and probably has access to industry ears and the will to bend them.
The firm asked people like you, perhaps even you, what gets you down at work. The answer can adequately be summarized as ‘work’, but there is a little more to it. Technology, supposed to be a great enabler, isn’t doing everyone favors, apparently, and things like the cloud are something of a straw to your IT staffer camel’s back.
The 2016 Security Pressures Report is out now, and you can access it if you have the yearning and the time. It makes it clear that there are pressures (we knew that) and that some of them are technological (you knew that).
A mix of menace, malware, malaise and management are the real stress points, and reading between the lines we reckon that Trustwave knows exactly what you should be doing about it.
“Security professionals live in a unique and stressful environment, defined by conflict with faceless attackers as well as internal threats,” said Steve Kelley, chief marketing officer at Trustwave.
“Businesses rely on information security more than ever before and the pressure to show measurable success is taking a toll on security practitioners.
“The widening gulf between the expected outcomes and the struggle to maintain adequate solutions and staff is driving businesses – as many as 86 percent of them – to partner with a managed security services provider to relax the pressures and help them achieve their cyber security goals.”
The plan calls for a $3.1 billion fund to replace outdated IT infrastructure; a new position of federal chief information security officer; a commission to study cybersecurity problems, and a program to recruit cybersecurity experts into government roles.
The U.S. has been working since 2009 to improve the nation’s cyber defenses, most recently with the Cybersecurity Act of 2015, which promotes better information sharing between private industry and government, said Michael Daniel, special assistant to the President and cybersecurity coordinator, in a phone briefing with reporters Monday.
“Despite this track record, the cyberthreat continues to outpace our current efforts,” he said. “Particularly as we continue to hook more and more of our critical infrastructure up to the Internet, and as we build out the Internet of things, cyberthreats become only more frequent and more serious.”
The U.S. has faced serious data breaches and intrusions over the past two years. An attack on the Office of Personnel Management, the federal personnel agency, resulted in the theft of data including Social Security numbers, and in some cases fingerprints, of 21.5 million people.
In November 2014, the State Department took its unclassified email system offline after it detected suspicious activity. The shutdown came just two weeks after the White House reported unusual activity on the unclassified Executive Office of the President network.
Overall, the government wants to allocate $19 billion for cybersecurity spending in fiscal 2017, a 35% increase over the current year.
The proposed $3.1 billion Information Technology Modernization Fund would be used to replace systems that pose a high risk and to investigate more modern architectures, such as cloud services.
Hackers in China attempted to gain access to over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.
An Alibaba spokesman said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.
Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defenses catch up to U.S. counterparts.
In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.
The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.
The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.
Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.
The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.
Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.
“Alibaba’s system was never breached,” the spokesman said.
The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.
Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.
It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.
FireEye’s report said that Remote Hot Patching may sound like a good idea at the time, but it really isn’t. It is so widely used that it has left 1,220 iOS applications exposed in Apple users’ security. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.
“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.
“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.”
Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.
FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.
Teenage hackers are making merry with the online world of CIA director of national intelligence James Clapper.
This is the second bout of attacks from the group of technology tearaways, according to Motherboard, which reports on the Clapper problem and its connection to a group known as Crackas With Attitude.
A member of the group, a young chap called Cracka, told Motherboard that access to a range of Clapper accounts had been seized, and that Clapper and the CIA haven’t a clue what’s going on.
“I’m pretty sure they don’t even know they’ve been hacked. You asked why I did it. I just wanted the gov to know people aren’t fucking around, people know what they’re doing and people don’t agree #FreePalestine,” he said.
The claims were supported by the Office of the Director of National Intelligence, which confirmed that something has happened and that the authorities are looking into it.
“We’re aware of the matter and we reported it to the appropriate authorities,” said spokesman Brian Hale, before going mute.
Cracka, representing himself on Twitter as @dickreject, is less quiet. He has tweeted a number of confirmatory and celebratory messages that are not particularly flattering about the CIA and its abilities.
This is the group’s second bite at the CIA cherry. The teenagers walked into the personal email account of CIA director John Brennan last year and had a good look around. Some of the impact of this was washed away when it was discovered that Brennan used an AOL account for his communications.
“A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address,” said security comment kingpin Graham Cluley at the time.
“I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.”
Thousands of small businesses continue to suffer intermittent outages of their websites in the crucial lead up to Christmas, after their provider Moonfruit took all sites offline yesterday.
A statement from the company at 1pm today said: “Our operations team is continuing to work on resolving the service issue. We are making progress but unable to provide specific details at this time. Once again, we’re really sorry for the disruption. Your patience and understanding is very much appreciated.”
A further update was scheduled for 3pm but had not materialized at the time of publication.
The identikit website creator made the unusual decision after facing a prolonged DDoS attack against its servers last Thursday from a hacking group calling itself Armada DDoS. The company is believed to have had renewed threats of further attacks and is still suffering a significant degradation of service.
The motives for the attack are currently unknown.
Moonfruit began restoring service this morning, but at 1pm many customers were still having problems, and the main Moonfruit site was offline.
Moonfruit is one of the oldest sites of its type, dating back to 2000. The British company was initially advertising-based and free before moving to a subscription model when the last bubble burst.
The whole system was based on Adobe Flash until recently, but has been adapted for HTML5, which represents an important step in its survival as more browsers stop rendering the ageing platform.
However, the company announced earlier today that it is taking all its sites offline for 12 hours after a sustained distributed denial-of-service (DDoS) attack on its servers.
Moonfruit Update, 14/12/2015: https://t.co/5xkHAshFT9 and your sites will be offline today. Please read: https://t.co/w2CvVG1xqQ
— Moonfruit (@moonfruit) December 14, 2015
Dave Larson, chief operating officer at Corero Network Security, said: “Unfortunately, the sheer size and scale of hosting or data centre operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack.
“As enterprises of all sizes increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating DDoS attacks, even as an indirect target.”
DDoS attacks grew by a third in just the past quarter. A Swedish bank was brought down last month, while GitHub was taken offline earlier in the year by an attack thought to have originated in China.
Moonfruit customers have expressed their anger at the short notice and timing of the outage. Many are obviously concerned about potential loss of sales in the run up to Christmas, but Moonfruit maintained that the downtime is necessary to make “infrastructure changes”.
“We have been working with law enforcement agencies regarding this matter and have spared no time or expense in ensuring we complete the work as quickly as possible,” said the company’s director, Matt Casey, in a statement posted to the Moonfruit Facebook page.
The Moonfruit site, which is built on its own platform, is back up and running. A further statement from Moonfruit last night said, “We know how painful this has been for you and your business. We have used the time well and our defenses have improved substantially. Thank you for your patience and support throughout this crisis. We are nearly there and hope to fully restore service by early evening.
As always, we care about the Moonfruit Community and will keep you informed. You have no idea how much the messages of support have meant as we’ve burned the midnight oil over the weekend to put things right, and to better position you for the future.”
The service set up by WordPress to better support WordPress has failed users by suffering a security breach and behaving just like the rest of the internet.
WordPress, and its themes, are often shone with the dark light of the security vulnerability, but we do not hear of WP Engine often. Regardless of that, it seems to do good business and is reaching out to those that it does business with to tell them what went wrong and what they need to do about it.
A reasonable amount of threat mitigation is required, and if you are affected by the issue you are going to have to change your password – again, and probably keep a cautious eye on the comings and goings of your email and financial accounts.
“At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base,” says the firm in an urgent missive on its web pages.
“We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention.”
That action is probably to panic in the short term, and then to change your password and cancel out any instances of its re-use across the internet. You know the drill; this is a daily thing, right? Judging by the WordPress statement we are in the early days of internal investigation.
“While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account,” explains WordPress as it reveals the scale of its – actually, your – problem. “This means you will need to reset each of them.”
Have fun with that.