
Comodo Threat Research Labs discovered new sophisticated malware “Tordow v2.0” easily gain your mobile root privilege


Android malware “Tordow v2.0”, which specifically targets mobile banking users in Russia, has been discovered by threat researchers at Comodo Threat Research Labs (TRL).

A spokesperson said Tordow is the first mobile banking Trojan for the Android operating system that seeks to gain root privileges on infected devices.

Root access is not needed for the malware to perform its malicious activities, but with root access attackers can do far more on a mobile device.

How dangerous is Tordow v2.0:

Comodo researchers said, “Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot a device, rename files, and act as ransomware.”

It can also collect technical details about the mobile device, including information about the device hardware and software, operating system, manufacturer, Internet Service Provider, and user location.

Ransomware functionality:

According to the report from Comodo Labs, the crypto functionality plays a unique role in the ransomware operation. Tordow 2.0 possesses CryptoUtil class functions with which it can encrypt and decrypt files using the AES algorithm with the following hardcoded key: ‘MIIxxxxCgAwIB’. Its Android application package (APK) files, with names such as “cryptocomponent.2”, are encrypted with the AES algorithm.

How Tordow 2.0 gains root privileges:

There are nine different ways in which it verifies that it has gained root privileges. Its status is transmitted to one of the attacker’s command-and-control (C2) servers, such as one found at “https://2ip.ru”. With root access, the attacker can pretty much do anything, and it becomes difficult to remove such entrenched malware from an infected system.

Common ways Tordow 2.0 spreads:

Comodo TRL malware researcher G. Ravi Krishna Varma said Tordow spreads via common social media and gaming applications that have been downloaded, reverse-engineered, and sabotaged by malicious coders.

Apps that have been exploited include VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers.

Infected programs are usually distributed from third-party sites not affiliated with official websites such as the Google Play and Apple stores, although both have had trouble with hosting and distributing infected apps before.

Affected applications behave like the original ones but also include an exploit pack for root access, access to downloadable Trojan modules, and embedded, encrypted malicious functionality including the C2 communications.

Majority of victims & prevention:

Most of the victims are in Russia. For protection against Tordow 2.0 and similar threats, Comodo asks Android users to keep their security software up to date, be suspicious of unsolicited links and attachments, and only download applications from official websites.

For more technical details, see the Comodo blog.

CryptXXX ransomware spread through legitimate websites – Be Aware


The CryptXXX ransomware has been spreading through compromised legitimate websites that redirect to malicious sites.

A number of legitimate websites were hit by a botnet, which redirects visitors to a malicious site where the ransomware CryptXXX is downloaded. CryptXXX’s exploit kit has the ability to evade security software and virtual machines.

Having a web presence is critical to running a modern business. Many people may not be able to find a business without a web presence or they may go to a competitor with a better website. Unfortunately, it requires some resources to have a web presence and even more so for businesses that decide to self-host their websites.

Many businesses will hire an IT contractor or web developer to set up their website and will use WordPress because it’s relatively easy to post content with it.

The downside is that running a self-hosted WordPress website requires maintaining the security of the system, including all the WordPress components.

Many businesses using self-hosted WordPress websites have had them compromised by the SoakSoak botnet, which scans for WordPress systems with vulnerable plug-ins.

The botnet scans for vulnerable plug-ins by checking known default URLs for the plug-ins. Once a vulnerable system is identified, it’s compromised to redirect to a website hosting the Neutrino exploit kit that is then used to compromise vulnerable endpoints with the CryptXXX ransomware.

Enterprises can follow standard antimalware guidance for endpoint security and use network security controls to prevent the CryptXXX ransomware from being installed on their endpoints by drive-by downloads. Regardless of the other security controls used, backups of critical data are necessary.

WordPress has security guidance for users, including automatic updating that should be used when setting up and maintaining a self-hosted WordPress system.

Users with limited IT resources should carefully evaluate how they host their WordPress site to ensure it is properly maintained, and to avoid creating an IT public health nuisance used to infect other people on the internet with CryptXXX.

Using a hosted WordPress site may be slightly more expensive, but requires significantly less work to maintain.

Five ways to prevent a ransomware infection through network security

The ransomware threat is no different than any other threat; there’s a vulnerability and the criminals want to exploit it for ill-gotten gains. The method and underlying technologies evolve, but the threat itself needs to be handled in the same manner as any other threat. Here’s how enterprises can approach this security challenge:

1. Acknowledge that you don’t know what you don’t know

The sign of a truly wise security professional is admitting that many things on the network are unknown.

Systems, applications, users, information and the like all make up a group of assets that are often unaccounted for and, therefore, undersecured and currently at risk to ransomware. Another key indicator of a smart security pro is the presence of a plan to make things better.

2. Acquire support from management and users

Before anything can get off the ground in security, management needs to politically and financially back it, and they need to do so on an ongoing basis.

Assuming the security team is able to get management on board with their plan for fighting ransomware, they’ll also need to get the users on board with policies, ramifications of bad choices and the overall setting of expectations on “this is how things work here.”

3. Deploy the proper technologies or tweak your existing setup

The heart of a strong malware defense is well-designed and properly-implemented technologies. If a network is to stand up against a modern day ransomware infection, it needs the following:

  • First and foremost, patching needs to be under control. Many businesses struggle with this, especially with third-party patches for Java and Adobe products, and hackers love this. Until software updates are deployed in a timely fashion, the organization is a sitting duck. A network is just one click away from compromise.
  • Effective malware protection is also a necessity. Steer away from the traditional and look more toward advanced malware tools including non-signature/cloud-based antivirus, whitelisting and network traffic monitoring/blocking technologies.
  • Data backups are critical. Organizations’ systems — especially the servers that are at risk to ransomware infections — are only as good as their last backup. Discussions around backups are boring, but they need to be well-thought-out to minimize the impact of the ransomware that does get through and encrypts critical assets.
  • Network segmentation is another important part of ransomware protection, but it’s only sometimes deployed properly. Just keep in mind that VLANs — the most common segmentation technique — aren’t secure if an internal user can guess the IP addressing scheme that’s likely a mere digit increment or decrement away.

4. Monitor and respond

Security teams can’t secure — or respond to — the things they don’t acknowledge. Most enterprises have a half-baked monitoring, alerting and incident response program.

Security teams need to do what needs to be done: monitor servers, workstations and network for anomalies, take quick action, and do what’s necessary to respond to the current event and prevent it from reoccurring.

5. Fine-tune to get better

Many people — both in management as well as IT and security — view security as a one-time deal. You invest, you deploy, you assess and everything else will take care of itself, but this is hardly the case.

IT and security teams are pressed for time because they’re constantly having more projects layered on top of what is still left undone. Figure out a way to fix that. It may be in terms of time management, different processes or hiring new FTEs. Whatever it is, fix it.

Nagios Core < 4.2.2 : Curl Command Injection / Remote Code Execution CVE-2016-9565


Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. For more details on Nagios.

Vulnerability

A vulnerability in Nagios could enable remote attackers who manage to impersonate the feed server (through DNS poisoning, ARP spoofing, etc.) to provide a malicious response that injects parameters into the curl command used by the affected RSS client class, and thereby effectively read/write arbitrary files on the vulnerable Nagios server.

This could lead to remote code execution in the context of the www-data/nagios user on default Nagios installs that follow the official setup guidelines. This occurs because a vulnerable component is used for handling RSS news feeds.

This component was used by the Nagios front-end to load news feeds from a remote feed source upon log-in. The component was found vulnerable to CVE-2008-4796.

The full vulnerability report, including a PoC with the relevant parts of the code and the injection points, can be found at: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
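The injection the advisory describes works because the feed URL ends up as part of a curl command line. The following is an added illustration, not code from Nagios or from the advisory: it contrasts an assumed weak pattern (a command string built from the URL and tokenised by a shell) with a hardened argv builder, using constructed sample URLs.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample feed URLs (not from the advisory): one benign, two that
# carry extra curl parameters of the kind the advisory describes.
SAMPLE_FEED_URLS = [
    "https://www.nagios.org/feed/",
    "-o /tmp/injected https://www.nagios.org/feed/",
    "https://www.nagios.org/feed/ --output /tmp/injected",
]


def naive_curl_argv(url: str) -> list[str]:
    """Assumed weak pattern: a command string is built from the feed URL and
    handed to a shell. shlex.split shows how the shell tokenises it: any
    whitespace inside the URL turns into additional curl arguments."""
    return shlex.split(f"curl -s {url}")


def injected_options(argv: list[str]) -> list[str]:
    """Tokens after 'curl -s' that curl would parse as options rather than
    as the URL. A non-empty result means the feed URL smuggled parameters."""
    return [tok for tok in argv[2:] if tok.startswith("-")]


def safe_curl_argv(url: str) -> list[str]:
    """Hardened form: validate the URL, build an argv list (no shell), and
    end option parsing with '--' so the URL is always a positional argument."""
    if not url or any(ch.isspace() for ch in url):
        raise ValueError("feed URL is empty or contains whitespace")
    if url.startswith("-"):
        raise ValueError("feed URL looks like a curl option")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("feed URL must be an http(s) URL with a host")
    return ["curl", "-sS", "--", url]


def vet_feed_urls(urls: list[str]) -> dict[str, str]:
    """Run every URL through the hardened builder and report the decision."""
    results = {}
    for url in urls:
        try:
            safe_curl_argv(url)
            results[url] = "accepted"
        except ValueError as exc:
            results[url] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for url in SAMPLE_FEED_URLS:
        print(url, "->", injected_options(naive_curl_argv(url)))
    print(vet_feed_urls(SAMPLE_FEED_URLS))
```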

Business Impact

Upon successful exploitation, the attacker can extract sensitive data from the Nagios monitoring server as well as achieve arbitrary code execution, as demonstrated by the exploit.

Corporate monitoring servers with a large number of connected hosts are often left unpatched because of their sensitive, central role on the network, which increases the chances of exploitation.

As explained in the description section, the vulnerability could be a threat coming from the Internet. If a major ISP or DNS provider, or the nagios.org site itself, were compromised, this could potentially allow attackers to exploit the vulnerability on multiple Nagios installations that retrieve RSS feeds automatically, wherever the corporate firewall does not stop egress traffic from the monitoring server.

As a result, an attacker could potentially gain unauthorised access to affected Nagios installations without even knowing the target IP addresses and despite a lack of direct access to the target (blocked ingress traffic on the firewall).

Versions Affected

Both of the Nagios Core stable branches, 3.x and 4.x, are affected. This vulnerability was disclosed responsibly to the vendor and was fully fixed in Nagios Core 4.2.2. Ensure that you are using Nagios Core 4.2.2.

Update to the latest Nagios Core release. For more details on upgrading Nagios on Linux, refer to 2daygeek.

  1. In the IPS tab, click Protections and find the Nagios XI Command Injection protection using the Search tool, then edit the protection’s settings.
  2. Install the policy on all modules.


A Backdoor Discover in Skype allows to hack everything that Skype can offer for Mac OS X


Trustwave recently reported a locally exploitable issue in the Skype Desktop API for Mac OS X, which provides an API to local programs/plugins executing on the local machine.

The API is formally known as the Desktop API (previously known as the Skype Public API – Application Programming Interface) and it enables third-party applications to communicate with Skype.

As described in the Trustwave advisory, the issue is an authentication bypass discovered in the API whereby a local program could bypass authentication if it identified itself as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program.

Who created this backdoor?

The vulnerability seems to have been created by a developer at Skype prior to Microsoft’s takeover of the company, and likely exposed some 30 million Mac OS X users.

A Backdoor?

An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction. Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely “Skype Dashbd Wdgt Plugin”).

Notifying the user of Desktop API access through the backdoor works differently from the normal course of action, which is to notify the user of an access attempt and prompt the user for permission.

In the case of the backdoor no such notification attempt is made and as such the user is not given the opportunity to deny access.

An unused backdoor?

Curiously, the actual Skype Dashboard widget does not seem to utilize the backdoor into the Skype Desktop API despite the name “Skype Dashbd Wdgt Plugin”.

This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin.

If it was a coding accident, it is an old one. Our investigations have shown that the string “Skype Dashbd Wdgt Plugin” has been present in versions of Skype for Mac OS-X for some 5+ years.

What can you access?

The Desktop API, in previous versions, permitted access to nearly everything that Skype can offer.

This included, but was not limited to: “notifications of incoming messages (and their contents), modifying messages and creating chat sessions, ability to log and record Skype call audio to disk and retrieve user contacts”.

In later versions of the Desktop API, access to text messages was dropped from the specification but access to other features remained.

Microsoft patched the backdoor

Microsoft has patched a backdoor in Skype for Mac OSX that would allow an attacker to log and record Skype call audio, retrieve user contact information, read the content of incoming messages, create chat sessions, modify messages, and carry out other malicious activity.

How easy is the backdoor to use?

Accessing the backdoor is as easy as changing a single line of code in the numerous examples given by Skype themselves in how to use the Desktop API.

A simple change to the ‘clientApplicationName‘ NSString method (or CFString member variable if using the Carbon API), setting this value to “Skype Dashbd Wdgt Plugin” is all that is required.

Technical explanation:

Discovering the backdoor is a relatively trivial process, in fact this can be done with a simple call to the GNU utility ‘strings’, for instance:

You can obtain a source disassembly of the responsible function by utilizing Hopper to disassemble the Skype application binary, the results are shown below:

In the above image you can see that the member function ‘authLevelForApplication:(NSString *)applicationName’ of the object ‘SkypeAPIController’ returns 1 (‘YES’) if the value of ‘applicationName’ is equal to ‘Skype Dashbd Wdgt Plugin’.

Versions of Skype prior to the Microsoft acquisition utilized one form or another of binary obfuscation/encryption where the binary dynamically unpacked itself upon execution.

This is a typical technique to hamper efforts to extract information and reverse engineer the program. However, in general these techniques were trivial to bypass by simply attaching a debugger and dumping the pages of memory containing executable code.

Very Severe Cyclone Vardah : Slows down Internet Connection in India


Cyclone Vardah, which hit Chennai severely, has wreaked havoc and caused severe destruction all around. More than that, it has also impacted Internet and telecommunication connectivity across south India.

It comes at a time when we are undergoing a transition towards a digital economy, in which the Internet is to play a key role.

Even though Vardah has weakened in Tamil Nadu and moved on to Karnataka, we are experiencing huge losses in the states of Tamil Nadu, Karnataka, Kerala, Andhra Pradesh, Telangana, Maharashtra and Gujarat.

How we are connected as a nation

When you interact with the Internet, the requested information reaches its target after passing through a complicated matrix of routers and switches. You can use traceroute to display your route path.

The same applies while you are watching a video, chatting on IRC or having a conversation on WhatsApp. A data network is a network of networks, and those networks may belong to any provider (Airtel, ACT, BSNL, YOU).

Let’s consider our city, Chennai: all networks in Chennai connect to city-wide networks, which connect to state-wide networks, which then connect to country-wide networks and finally to a global network that forms the Internet. Without optical fiber cables it is not possible to carry the bandwidth we are talking about.

In India, access to the global network happens through four port cities: Chennai, Mumbai, Cochin and Tuticorin. These cities also host the landing stations, which connect the land cables with the submarine cables.

The gateways connect India directly with Europe, Singapore, Africa, the Middle East and other regions, usually via submarine cables (India has 8 such cables). Websites load faster because these gateways effectively balance the load across the network of networks.

As per Dr. Govind, former CEO of NIXI  “The internet is very critical for the country. We’re going through a monetary policy change and hope to become a digital economy. We’re growing as a country of internet citizens from 400 million internet users to approximately 750 million users, with a vast majority of them coming from the hinterland. Chennai is an important hub.”

How this affects us

Chennai is critical to the banking fraternity, as it hosts major IT hubs for banks and data centres. The drop in Internet connections also raises the percentage of failed transactions at Internet payment gateways.

The importance of the Chennai gateway has been enhanced by Google, which operates a peering hub in Chennai (and another in Mumbai). It is estimated that nearly half of India’s Internet traffic is handled by the Chennai hub.

To another extent, India’s wide network of around 2 lakh ATMs depends on ISPs for Internet connectivity. If ATMs are unable to authenticate transactions, they will inevitably fail.

ISPs alert their users

Meanwhile, various Internet service providers sent alert notifications to their end users.

Airtel, whose V-fiber network is severely affected:

“Dear Customer, the cyclone in Chennai has impacted one of our undersea cables which may affect Internet speeds of your Airtel Broadband connection. We deeply regret the inconvenience. Our engineers are working to resolve the issue and services will be normalised shortly.”

Message From Vodafone

“Cyclone Vardah, which paralysed Chennai and nearby areas, caused disruption of some of our services as well. Our on-ground teams are working on a war-footing to restore services in the shortest possible time.”

YOU Broadband shared

Alert from ACT Fibernet

“ACT Fibernet’s network has been impacted by the Cyclone Vardah on multiple counts that include downtime in international Gateway, power shutdown in switches and routers and last mile fiber disconnections due to Tree Falls, pillar collapses and so on. Close to 50% of our network was impacted in Chennai leading to intermittent network issues. Our team has been working round the clock and reinforcement team from Bangalore has also joined the restoration work in Chennai.”

If you’re really interested, an extremely technical explanation of the situation can be found on Varun Priolkar’s blog here.

So the next time you’re hit by a cyclone, don’t be surprised if it ends up affecting your ISP, and in effect, your Internet experience.

Yahoo’s More than One Billion Accounts Hacked- It possibly the “Biggest Hack of All Time”


Yahoo has announced that “more than one billion user accounts” may have been stolen by hackers during an attack that took place in August 2013, according to a press release.

This is a separate hack from the one that Yahoo announced back in September, in which as many as 500 million user accounts were compromised.

The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password.

“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,”

Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”

The statement says that for potentially affected accounts, the stolen user account information may have included “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.”

The attackers in this case apparently found a way to forge Yahoo’s authentication cookies, which would have granted them access to targeted accounts without needing to supply the account’s password.

In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.

Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.

What can users do to protect their account?

We encourage our users to visit our Safety Center page for recommendations on how to stay secure online. Some important recommendations we’re re-emphasizing today include the following:

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
  • Review all of your accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
  • Avoid clicking on links or downloading attachments from suspicious emails; and
  • Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

Critical bug allows to read all your Private Chats of Facebook Messenger by hackers


Messenger is one of the network’s most popular features, with 1 billion monthly active users. Unlike the photo and status features designed specifically for sharing and publishing, the power of Messenger is in the ability to communicate privately.

A security vulnerability was found on Facebook which also potentially affects millions of websites relying on origin null restriction checks, threatening user privacy and opening site visitors up to malicious entities.

“The hack, dubbed “Originull,” enables an attacker to access and view all of a user’s private chats, photos and other attachments sent via Facebook Messenger. The issue was discovered and reported to Facebook by team researcher Ysrael Gurt.  (Facebook has since fixed the flawed component)”

“The vulnerability discovered is a cross-origin bypass-attack which allows the hacker to use an external website to access and read a user’s private Facebook messages”

Normally, the browser protects Messenger users from such occurrences by only allowing Facebook pages to access this information. However, Facebook opens a “bridge,” in order to enable “subsites” of Facebook.com to access Messenger information.

A vulnerability in the manner in which Facebook manages the identity of these subsites makes it possible for a malicious website to access private Messenger chats.

The chat appears on the BugSec website. The user ID is shown to the left.

For example, if the user opens a website to which the hacker has directed them (via a malicious ad, a security issue, or the hacker’s own website), the hacker can then see all the Facebook Messenger chats, photos and other attachments which the user sends or receives.

This happens even if the user sends the messages by way of another computer, or from their personal mobile device!

“This security flaw meant that the messages of 1-billion active monthly Messenger users were vulnerable to attackers,” said Stas Volfus, Chief Technology Officer of BugSec.
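The bridge described above is an origin check on the server side: a request is trusted only if its Origin header names the site or one of its subsites. The following is an added illustration, not BugSec’s or Facebook’s code, of why the “null” origin the article mentions matters: a check that treats a missing or null Origin as first-party is contrasted with a strict allow-list match. The trusted host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the site and its "subsites" (placeholders; the
# real list for Facebook is not on the page).
TRUSTED_HOSTS = {"example.com", "messenger.example.com"}


def host_is_trusted(origin: str) -> bool:
    """Exact allow-list match on scheme + host. A subdomain is accepted only
    on a dot boundary, so 'example.com.evil.net' and 'evilexample.com' fail."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # an Origin header never carries a path or query
    host = parts.hostname.lower()
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def allowed_origin_weak(origin):
    """Assumed weak check, kept only for contrast: a missing or literal 'null'
    Origin is treated as first-party. Browsers send 'null' for sandboxed
    iframes, file: and data: documents and some redirected requests, so any
    page that can arrange a null origin passes this check."""
    if origin is None or origin == "null":
        return True
    return host_is_trusted(origin)


def allowed_origin_strict(origin):
    """Hardened check: the Origin must be present, must not be 'null', and
    must match the allow-list exactly."""
    if not origin or origin == "null":
        return False
    return host_is_trusted(origin)


def cors_allow_origin_header(origin, check=allowed_origin_strict):
    """Value to send in Access-Control-Allow-Origin, or None to deny. The
    request origin is echoed only after it passed the check; a credentialed
    endpoint must never answer with '*' or 'null'."""
    return origin if check(origin) else None


if __name__ == "__main__":
    for o in ["https://messenger.example.com", "null", None,
              "https://example.com.evil.net", "http://example.com"]:
        print(repr(o), "weak:", allowed_origin_weak(o),
              "strict:", allowed_origin_strict(o))
```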


SamSa Ransomware Attacks – Encrypt your data and ask for money to unlock it


SamSa has very few samples compared to other malware families like CryptoMix, Cerber and Locky. This is a byproduct of its targeting organisations instead of individual Internet users.

Over the last 12 months it has been continually reworked by its authors to make analysis and reverse engineering difficult. While we classify all of these samples as “SamSa,” the attackers have used various names to identify their projects.

Following are the .NET project names that were observed:

  • samsam
  • MIKOPONI
  • RikiRafael
  • showmehowto
  • wanadoesme
  • wanadoesme2
  • gonomore
  • gotohelldr
  • WinDir

Profits

SamSa has confirmed profits of $70,000 for the threat actors, with estimates by other researchers as high as $115,000. SamSa ransomware executables often contain the Bitcoin wallet address victims are supposed to use to pay the ransom.

This not only makes tracking monetary payments extremely difficult, but also is yet another example of how the SamSa actors take a very targeted approach to their victims, generating unique data for each victim they infect.

Of those 19 unique BTC addresses we observed since March 24th, 14 of these have received payments totaling roughly 394 BTC. Prior to March 24, 2016, we observed roughly 213 BTC received, giving us a total of 607 BTC received by the SamSa actors.

Using today’s current BTC rate of $744.43, this allows us to estimate that the attackers have obtained roughly $450,000 since their operations began.

Conclusion

In the past year, the SamSa actors have shown no sign of stopping their attacks. They’ve successfully compromised a number of organizations, and continue to reap significant rewards for their efforts.

In the past year alone, they’ve collected an estimated $450,000 from their scam. As the group continues to make money, it is unlikely we shall see them stop in the near future. Palo Alto Networks customers are protected from this threat via the following ways:

  1. All malware is classified as malicious in WildFire.
  2. Domains used by SamSa have been flagged as malicious in Threat Prevention.

A full list of indicators of compromise (IOCs) related to SamSa can be found here.

2017 Cybersecurity Predictions


2017 should be an opportunity for organisations to instigate a regular program of security risk assessments to stay ahead in cybersecurity. New technologies and ever-increasing levels of connectivity are transforming businesses and unlocking business development opportunities across the region.

What are Gartner predictions for Asia-Pacific in 2017?

Industrial control systems (ICS) are an integral part of any business, especially in Asia-Pacific. These include building management systems, heating ventilation and air conditioning (HVAC), and security doors, just to name a few.

Most businesses outsource their building management requirements so they don’t necessarily know whether the third-party provider has adequate security in place. It’s not impossible for a malicious actor to execute an attack that could cause significant damage.

Things to consider:

  • When you think about it, nearly all businesses could be at risk of an attack like this. Business leaders have to consider security beyond the basic steps of protection. Organisations need to gain an overarching view of their potential weak spots through third parties as well as their own network. Additionally, they need to put a plan in place that would help counter any potential attacks.
  • Have you checked what non-IT equipment your business depends on and what security they have enabled? Are they connected to the internet, managed by a third party?
  • When outsourcing to a third party, what level of security assurance do they have in place? Are they able to provide information to you on how they secure themselves and, ultimately, how they secure and manage your network and systems?

IoT devices will be a target for cybercrime

Market research firm Gartner predicts that the number of connected ‘things’ will rise from 6.5 billion in 2015 to almost 21 billion by 2020. Anything that you connect into your computer or network is a potential risk.

The types of devices range from CCTV cameras to tiny sensors attached to complex machinery, and they may not always be top of mind for security professionals. But if they are connected to the internet or managed by a third party, then they could put the business at risk.

Things to consider:

  • It is important to understand that the IoT is not a possibility or a project of the future – it is a current reality. Make a point to ask suppliers involved in security assurance how they can assure the security of the devices they provide. As we have seen many times, there may be no security, or the devices could be using some default username or password. These should be changed from the moment they are on your network.
  • Any devices using factory settings for security are simply asking to be compromised. IT managers must change those standard administrator passwords to avoid being targeted.
  • These devices should also be regularly checked to see if they adhere to the company’s security policy.

We may see a ransomware vortex with a nasty surprise

Ransomware involves attackers locking up a business’s data and demanding a ransom for its release. If you thought 2016 was bad for ransomware – where attackers access data and ransom it back to the victim – then 2017 will be worse. We can expect to see a higher attack volume, using more sophisticated technologies.

If the discovery of Locky ransomware was anything to go by, financial malware will continue on an upward trajectory in 2017.

Things to consider:

  • If you have fewer than 72 hours to respond, do you have a comprehensive backup strategy and response ready to counter these attacks?
  • When was the last time you tested and verified the backup?
  • Have you applied basic file blocking to prevent threats from entering your organisation? Certain file types can be a risk to your organisation. Ask yourself, “Should we allow all files or should we manage the risk by not allowing malicious files types that may cause an issue?”
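As an added illustration of the basic file blocking the list above recommends (example code, not from the original article), the check below combines a blocklist of risky extensions, a default-deny allowlist that answers the “allow all files or manage the risk” question, and a magic-byte check so an executable renamed to .pdf is still caught. The lists and sample files are constructed for the example.

```python
"""Added example (not from the original article): a basic inbound file-type
check of the kind a mail gateway or upload handler can apply before a file
enters the organisation. All policy lists and sample files are constructed."""
import os

# Extensions commonly used to deliver malware (constructed sample policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".ps1", ".docm"}
# Business file types permitted when running in default-deny mode.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt"}
# Leading bytes that identify native executables regardless of the file name.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}


def check_file(name: str, content: bytes, default_deny: bool = True) -> tuple:
    """Return (allowed, reason) for one inbound file."""
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            # The content is an executable even though the name says otherwise.
            return False, f"{kind} executable disguised as {ext or '(no extension)'}"
    if default_deny and ext not in ALLOWED_EXTENSIONS:
        # "Manage the risk": anything not explicitly permitted is refused.
        return False, f"extension {ext or '(none)'} not on allowlist"
    return True, "allowed"


def filter_files(files, default_deny: bool = True) -> dict:
    """Apply check_file to (name, content) pairs; return name -> (allowed, reason)."""
    return {name: check_file(name, content, default_deny) for name, content in files}


# Constructed sample inbound files (names and contents are made up).
SAMPLE_FILES = [
    ("invoice.pdf", b"%PDF-1.4 ..."),
    ("invoice.pdf.exe", b"MZ\x90\x00..."),
    ("photo.jpg", b"MZ\x90\x00..."),
    ("notes.txt", b"plain text"),
    ("tool.bin", b"\x7fELF..."),
    ("report.odt", b"PK\x03\x04..."),
]

if __name__ == "__main__":
    for name, (allowed, reason) in filter_files(SAMPLE_FILES).items():
        print(f"{'ALLOW' if allowed else 'BLOCK'} {name}: {reason}")
```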

We will have serious data trust issues

People will continue to be too trusting or fooled into thinking something is safe when it really isn’t. For example, confidential data can be exposed, or made available, that looks like it comes from an organisation, when it was actually planted by a malicious party. Either way, there’s a business reputational risk and a monetary price to pay.

For years, information security professionals have been focused on a model known as the CIA triad, which looks at Confidentiality, Integrity and Availability and is designed to guide policies for information security within an organisation.

Many organisations have long looked at confidentiality as a means to protect their data from theft or availability as a means to ensure they can access their data or systems, but how much time has been spent focusing on the integrity of the data or systems?

Imagine a data project, years in the making, where the data an organisation has been collecting and analysing is corrupted. For example, a resource company that has invested heavily in research and development is prospecting for the next drill site where they collect petabytes of data, but an attacker manipulates the information, rendering it worthless.

If the integrity of the data is manipulated, where a few bits of information are changed, the company might drill in the wrong spot, wasting time and money and potentially creating an environmental disaster. This could cause companies to make incorrect decisions with significant ramifications.

The same could be said about cases where systems have been wiped after an attack, removing all traces that it happened.

So What Can Be Done?

Firstly, any business should welcome these changes as they are a way to further digitise services and enhance our way of life. But with any move to further digitising services that we offer or are offered to us, we need to ensure that the data is protected.

Verification should be at the centre of all platforms, at every stage of development, and at the core of every provider-customer relationship. The integrity of the data must be protected from modification by unauthorised parties.

Data must only be made available to authorised parties to access the information when needed.
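One way to put verification at the centre of a dataset, as an added example that is not part of the original article, is a hash-chained ledger: each entry commits to its record and to the previous entry, and the chain head is sealed with an HMAC key held by an assumed separate verification service rather than the data store. Changing a few bits in a record, rewriting the chain to cover it, or wiping records from the end is then detectable; the key and the survey records are constructed samples.

```python
"""Added example (not from the original article): a hash-chained integrity
ledger with an HMAC-sealed head. The key and records are constructed samples;
the key is assumed to be held by a verifier separate from the data store."""
import hashlib
import hmac

# Constructed demo key; a real deployment keeps it apart from the data.
VERIFIER_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def build_ledger(records: list) -> list:
    """Return one SHA-256 entry per record; each entry chains to the previous."""
    chain, prev = [], GENESIS
    for rec in records:
        entry = hashlib.sha256(prev.encode() + rec).hexdigest()
        chain.append(entry)
        prev = entry
    return chain


def sign_head(chain: list) -> str:
    """HMAC over record count and final entry, which commits to the whole chain."""
    head = chain[-1] if chain else GENESIS
    return hmac.new(VERIFIER_KEY, f"{len(chain)}:{head}".encode(), hashlib.sha256).hexdigest()


def verify(records: list, stored_chain: list, signature: str) -> tuple:
    """Return (ok, detail): which record was altered, or that the ledger itself was rewritten."""
    recomputed = build_ledger(records)
    if len(recomputed) != len(stored_chain):
        return False, "record count differs from ledger"
    for i, (fresh, stored) in enumerate(zip(recomputed, stored_chain)):
        if fresh != stored:
            return False, f"record {i} altered"
    # Records match the chain; now confirm the chain is the one the verifier sealed.
    if not hmac.compare_digest(sign_head(stored_chain), signature):
        return False, "ledger head signature invalid (ledger rewritten or truncated)"
    return True, "all records intact"


# Constructed prospecting records standing in for the survey data in the text.
SAMPLE_RECORDS = [b"site=A12 depth=1240m ore=3.2%",
                  b"site=B07 depth=980m ore=0.4%",
                  b"site=C33 depth=1510m ore=5.1%"]

if __name__ == "__main__":
    chain = build_ledger(SAMPLE_RECORDS)
    sig = sign_head(chain)
    print(verify(SAMPLE_RECORDS, chain, sig))
    flipped = list(SAMPLE_RECORDS)
    flipped[1] = bytes([flipped[1][0] ^ 1]) + flipped[1][1:]  # flip one bit
    print(verify(flipped, chain, sig))
```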

What you need to consider:

  • Businesses need to look at two key things: where their sensitive data resides and what data is critical for the business to operate. Somewhat surprisingly, many organisations struggle to answer these questions. This can lead to misappropriation of resources, with security controls applied broadly across the entire organisation rather than targeted where they are needed most, which in turn increases the cost of acquiring and using security measures.
  • Who amongst our employees has access to our sensitive data? Simply knowing who has access to documents or big data stores stops short of understanding what they have access to.
  • A key way to reduce risk to sensitive information is to also understand how the data is protected. Is there protection in place, and does it meet the right level to mitigate risk for something that could be mission-critical to a business?

KFC Security Breach – 1.2 million members of its Colonel’s Club warned to change passwords immediately


KFC Security Breach

KFC sent a warning email to all 1.2 million Colonel’s Club members advising them to change their account passwords immediately, after it discovered that its website had been targeted by hackers and that several user accounts may have been compromised.

Customers who use the same email address and password for other services were advised to reset them “just to be safe”.

“We take the online security of our fans very seriously, so we’ve advised all Colonel’s Club members to change their passwords as a precaution, despite only a small number of accounts being directly affected,” said Brad Scheiner, Head of IT at KFC UK & Ireland. “We don’t store credit card details as part of our Colonel’s Club rewards scheme, so no financial data was compromised.”

The restaurant chain said it had introduced “additional security measures” in a bid to “safeguard our members’ accounts”, adding that it was “sorry for any inconvenience this may have caused”.

This kind of breach is occurring more and more often. To be safe, always choose a strong, unique password for each account, using a combination of numbers and upper- and lowercase letters.

Avoid using dictionary words, as they are easy to crack, and where possible enable two-factor authentication on every account that supports it. Never reveal your password, don’t let your browser memorise it, and consider using a password manager instead.