Appointed in May 2017 as Special Counsel to the investigation, Mueller found that Russia's interference in the 2016 election included social media activity, which related back to the Cambridge Analytica exposé in March 2018, and "a Russian intelligence service conducted computer-intrusion operations against entities, employees, and volunteers working on the Clinton Campaign and then released stolen documents."
"The Internet Research Agency (IRA) carried out the earliest Russian interference operations identified by the investigation – a social media campaign designed to provoke and amplify political and social discord in the United States," says the report. "The IRA was based in St. Petersburg, Russia, and received funding from Russian oligarch Yevgeniy Prigozhin and companies he controlled.
"At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations."
Interestingly, data loss was discussed in the report as "the Office" had learned that some of the individuals they had interviewed – including some associated with the Trump Campaign – had deleted relevant communications or communicated during the relevant period using encrypted applications. In some instances this hindered the investigation, according to Mueller.
However, the report concludes, there isn't sufficient evidence to prove a crime had been committed in relation to the US election.
"The Russian contacts consisted of business connections, offers of assistance to the campaign, invitations for candidate Trump and [Russian president Vladimir] Putin to meet in person, invitations for campaign officials and representatives of the Russian government to meet, and policy positions seeking improved US-Russian relations," says the report. "While the investigation identified numerous links between individuals with ties to the Russian government and individuals associated with the Trump campaign, the evidence was not sufficient to support criminal charges."
According to USA Today, the Kremlin hit back at Mueller's investigation: The report "does not present any reasonable proof at all that Russia allegedly meddled in the electoral process in the US," said Dmitry Peskov, spokesman for Russian president Vladimir Putin.
Cyber-Attack Knocks the Weather Channel Off the Air
The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes.
On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a "malicious software attack" on its network but as of press time hasn't released any specifics on the attack itself. When the AMHQ show should have started, viewers saw taped programming, Heavy Rescue. AMHQ's Twitter feed also confirmed that it was "experiencing technical difficulties."
Around 90 minutes later, the show returned with its anchors informing of the cyber incident.
"The Weather Channel, sadly, has been the victim of a malicious software attack today," said anchor Jim Cantore.
"Yes, and it has affected our ability to bring you your weather information," added anchor Stephanie Abrams. "So we just wanted to say thank you again for your patience and we want to get right to today's severe weather."
While attacks on television networks do not always make mainstream news, many countries have fallen victim to them. In February 2018, a cyber-attack on the PyeongChang Olympic Games, attributed to Russia, took the official Olympic website offline for 12 hours and disrupted Wi-Fi and televisions at the PyeongChang Olympic stadium.
Facebook Uploaded 1.5 Million Email Contacts Without Consent
Since 2016, Facebook has reportedly harvested email contacts of 1.5 million users without their consent. According to Business Insider, the media outlet that broke the story, the company had been collecting the contact lists of new users since May 2016.
In a statement, Facebook confirmed that it had been unintentionally uploading this data when people were verifying their accounts.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," said the statement. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."
According to Business Insider, a security researcher realized that Facebook was asking some users to "enter their email passwords when they signed up for new accounts to verify their identities." The outlet then discovered that when a user entered their email password, "a message popped up saying it was 'importing' contacts, without asking for permission first."
A Facebook spokesperson also confirmed that these contacts were uploaded into Facebook's systems, where they were used to build "Facebook's web of social connections" and recommend friends.
It's not known if these contacts were also used for ad-targeting purposes, similar to that of the Cambridge Analytica scandal that happened last year. The exposé, which was released by The Observer, had led to Facebook having to answer questions to the US Senate and the UK government.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.
In regards to the latest data mishap, Facebook plans to notify the 1.5 million users affected and delete their contacts from the company's systems.
A security researcher identified eight unsecured databases that held "approximately 60 million records of LinkedIn user information."
GDI Foundation, where the security researcher is from, is a nonprofit organization with a mission to "defend the free and open Internet by trying to make it safer." The researcher, Sanyam Jain, contacted BleepingComputer when he noticed "something strange." He was seeing unsecured databases containing the LinkedIn data "appearing and disappearing from the Internet under different IP addresses."
While the majority of the LinkedIn data was reportedly public, some of the data contained email addresses.
"According to my analysis the data has been removed every day and loaded on another IP. After some time the database becomes either inaccessible or I can no longer connect to the particular IP, which makes me think it was secured. It is very strange," Jain told BleepingComputer. The total size of all of the databases was 229 GB, with each database ranging between 25 GB and 32 GB.
As an experiment, BleepingComputer editor Lawrence Abrams asked Jain to pull his record from one of the databases and review it. According to the article, Abrams found the data contained in the record included "his LinkedIn profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated."
The email address Abrams used when he registered his LinkedIn account was also included. The editor doesn't know how the information got onto this database as he "always had the LinkedIn privacy setting configured to not publicly display his email address."
Each profile also contains what appear to be internal values that describe the type of LinkedIn subscription the user has and whether they use a particular email provider, according to BleepingComputer. These values were labeled "isProfessional," "isPersonal," "isGmail," "isHotmail" and "isOutlook."
BleepingComputer contacted Amazon, which was hosting the databases, and as of April 15, 2019, the databases were secured and were no longer accessible via the internet.
LinkedIn's Paul Rockwell, head of trust and safety, told the website: "We are aware of claims of a scraped LinkedIn database. Our investigation indicates that a third-party company exposed a set of data aggregated from LinkedIn public profiles, as well as other, non-LinkedIn sources. We have no indication that LinkedIn has been breached."
LinkedIn also told the outlet that in some cases an email address could be public and provided a link to a privacy page that allows users to configure who can see a profile's email address.
TA505 Targets Financial and Retail Using 'Undetectable' Methods
A financially motivated gang is targeting retailers and financial institutions around the world using remote access software.
CyberInt's Research Lab has found that TA505 is using these tactics together with an off-the-shelf commercial remote administration tool developed by the Russia-based company TektonIT. The group was behind attacks on the global financial industry between December 2018 and February 2019 and is using the same techniques, according to the company.
Proofpoint says that according to its actor profile, "TA505 is responsible for the largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan and several others in very high volumes."
"Although they are using phishing and social engineering to get the software into the organisations, once it's installed, it's virtually undetectable by traditional threat protection systems because it's legitimate software," says Adi Peretz, senior strategic consultant and head of research at CyberInt. "They are still very much active and this is only the beginning of our deep-dive investigation."
According to the report, TA505 turned to payloads such as information-stealing backdoors and remote access Trojans following the decline in the popularity of ransomware, likely due to mitigation tactics. However, because the remote administration tool is legitimate software, it throws defenders off the scent and makes the group undetectable.
"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," says the CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."
The report goes on to say that the macro, if executed, subsequently attempts to download "malicious payloads from the threat actor's C2 infrastructure that in most cases also masquerades as, or mimics, legitimate-looking domains such as using names and misspellings related to 'Cloud', 'Microsoft Office 365' or 'Security.'"
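The masquerading described above can be triaged from DNS or proxy logs by scoring each label of a domain against the keywords the report names. The following is an added example, not CyberInt's or Proofpoint's code; the domain names and the known-good allowlist are constructed, and the apex-domain extraction assumes a single-label public suffix.

```python
"""Flag lookalike domains built from brand keywords (TA505-style C2 masquerading).

Added example, not CyberInt's or Proofpoint's tooling. Each label of a hostname is
compared with Levenshtein distance against the keywords the report says are
mimicked. Hostnames and the allowlist below are constructed for illustration.
"""
import re

KEYWORDS = ("cloud", "microsoft", "office365", "security")    # terms the report says are mimicked
ALLOWLIST = {"microsoft.com", "office.com", "office365.com"}  # constructed: known-good apex domains


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive apex domain: last two labels. Assumption: no multi-label suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_labels(host: str):
    """Tokens of the hostname minus the TLD, split on '.', '-' and '_'."""
    body = host.lower().rstrip(".").rsplit(".", 1)[0]
    return [t for t in re.split(r"[.\-_]", body) if t]


def best_match(token: str, keywords=KEYWORDS):
    """Closest keyword to a token; returns (keyword, distance)."""
    return min(((k, levenshtein(token, k)) for k in keywords), key=lambda kd: kd[1])


def classify(host: str, max_distance: int = 2):
    """Return (verdict, keyword, distance). Verdicts: allowlisted, lookalike, clean."""
    if registrable_domain(host) in ALLOWLIST:
        return ("allowlisted", None, 0)
    hits = [best_match(t) for t in domain_labels(host)]
    if not hits:
        return ("clean", None, 0)
    kw, d = min(hits, key=lambda kd: kd[1])
    # Flag only when the token is close to a keyword relative to the keyword's length,
    # so short generic labels ("cdn", "mail") are not matched by accident.
    if d <= max_distance and d < len(kw) // 2:
        return ("lookalike", kw, d)
    return ("clean", None, 0)


SAMPLE_HOSTS = [  # constructed, not taken from the report
    "office365-secure-login.example",
    "micr0soft-cloud.example",
    "securlty-update.example",
    "login.microsoft.com",
    "intranet.example",
]


def triage(hosts=SAMPLE_HOSTS):
    """Classify every host; lookalikes are candidates for blocking or review."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:35} {verdict}")
```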
Fraudsters are preying on the goodwill of people everywhere by using the tragic fire of Notre Dame to their advantage.
According to research by security company ZeroFOX, cyber-criminals are "spreading misinformation about the disaster," which includes fake donation pages and launching new phishing campaigns. The company says in a blog post that "preying on the sympathy of those wanting to help victims is nothing new, but the technical underpinnings of the internet and its social media platforms allow hackers and spammers to scale their efforts at an unprecedented rate."
The blog goes on to explain that these threat actors use a variety of tactics, such as:
Using bots on Twitter to spread donation links leading to spam or malware sites
Impersonating websites and social media accounts of legitimate charity organizations
Sending fraudulent charity emails with bad links or attachments
Registering domains related to the disaster
Creating fake donation campaigns on crowdfunding sites
Using fraud messaging that includes vague victim stories, pressure to act quickly or promises of high payouts for a company involved in cleanup
Most worryingly, the crowdfunding tactics might work better than anything else. Raising money this way to help people in need is on the rise, especially around tragic events such as this. Sites such as JustGiving might be copied to set up fake donation sites. "People looking to donate quickly may easily mistake a fraudulent donation page for the real page – losing their money and putting money in the hands of bad actors, not those in need," says the blog post.
One example the ZeroFox Alpha Team found was on justgiving.com, where an anonymous user created this crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” "Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort," the post goes on to say.
Another tactic targets social media users who follow trending hashtags.
"In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy," explains the post.
"[This example of one such post] is looking to sell 'services' using the Notre Dame fire hashtag." Users need to be careful, it goes on, of any seller using hijacked hashtags, as they are "typically associated with scams and malicious links."
Example of potential crowdfunding scam – note the warning signs.
When it comes to avoiding scams related to this disaster, ZeroFOX recommends the following:
Global spending on cloud security is set to grow nearly 18% to reach $12.7bn by 2023, with protection for public cloud deployments prioritized over the coming years, according to a new report from Forrester.
Organizations spent $178bn on public cloud services last year, a figure that will grow to $236bn by 2020 — making security increasingly important to protect mission critical systems and sensitive data.
Infrastructure decision makers are particularly concerned about cyber risk, with over half (54%) implementing cloud solutions, the analyst claimed in its report, Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global).
The sheer complexity of cloud deployments, often covering multiple providers and hybrid deployments, also requires enhanced security to monitor data, detect anomalies, and intercept threats.
Public cloud remains the biggest focus for security investment. Some $4bn was spent on public cloud native platform security in 2018, accounting for over 70% of total cloud security spend, and this will be the fastest-growth area to 2023, when it will reach $9.7bn, Forrester claimed.
The good news is that these efforts appear to be working: just 12% of breaches targeted public cloud environments, while 37% of global infrastructure decision makers cited improved security as an important reason to move to the public cloud, according to Forrester.
The analyst was also keen to point out that there’s no single solution which can meet all an organization’s cloud security needs.
As mentioned, public cloud native solutions are growing fastest. These cover areas like: data classification, categorization and segmentation; server access control; user IAM; encryption; and logging, auditing, and anomaly detection.
Then there are cloud workload solutions designed to centralize and automate cloud security across multiple platforms and environments. This market is set to grow at 17.3% CAGR to reach $1.9bn by 2023.
Finally, cloud security gateways succeed where traditional security tools fail by encrypting data before it’s sent to SaaS applications; detecting shadow IT; data loss prevention (DLP); malware detection; and cloud access anomaly detection.
Dark Web Fraudsters Defraud Each Other with Fraud Guides
Cyber-criminals are doing a roaring trade in “how-to” fraud guides for their fellow scammers, although many are out-of-date and incomplete, according to new dark web research from Terbium Labs.
The cyber-intelligence firm analyzed nearly 30,000 of these guides to compile its latest report, Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data.
These online documents typically include instructions on specific fraud capabilities such as account takeover, phishing, cashing out, doxing, synthetic fraud, account creation and so on.
They could feature instructions, personal notes from the author on their experiences of what works and what doesn’t, social engineering and technical advice, and more.
However, while it appears to be an ominously thriving industry, it’s unclear exactly how much value these guides are offering to the typical fraudster.
According to Terbium Labs, over a quarter (26%) of guides are more than a decade old, and there are more out there from 2010 than 2017 and 2018 combined.
“Any guidance or information from within a few years is bound to still be helpful for criminals looking to get started, but once we get five or 10 years out, the value certainly decreases,” Terbium Labs VP of research, Emily Wilson, told Infosecurity.
“If buyers think they’re getting the most up-to-date methods in these major fraud collections, they’re going to be surprised and disappointed. These collections represent the information gathered over a couple of decades, rather than a highly curated group of the most recent materials.”
What’s more, three-quarters (75%) of those analyzed were found to be duplicates which have simply been repackaged and resold, at an average of £6 each.
“What we see here is a criminal community gathering information over time, and then doing what vendors do best: repackaging it and reselling it under their own name, looking for a new way to turn a profit,” Wilson continued.
“These guides require little work to gather, and even less work to throw into a zip file and market under your own brand. They’re in business to make money, and what better way to make money than to repackage someone else’s work and pass it off as your own?”
In addition, some 11% of fraud guide purchases the researchers attempted to make on the dark web turned out to be scams, the report revealed.
However, despite all the scams and the old and incomplete data found in many guides, the info gathered by the dark web intelligence vendor could still be useful for organizations trying to get inside the fraudster’s head. It could even be used by risk teams to help evaluate current fraud controls and detection services, for example.
Terbium Labs also ran a check on the appearance of personal and financial information in the guides to see what was of greatest interest to fraudsters.
Security experts are warning of a new state-sponsored DNS hijacking campaign affecting at least 40 organizations across 13 countries.
Cisco Talos revealed in a blog post yesterday that the “Sea Turtle” campaign began back in January 2017 and has been active until the first quarter of this year, targeting mainly public and private sector organizations in the Middle East and North Africa.
Attackers sought first to gain DNS credentials from target organizations, either by exploiting known vulnerabilities or sending spear-phishing emails. They then typically used these log-ins to target the firm’s registrar, accessing their DNS records and modifying them to point users to a malicious server under the hackers’ control.
The group then set up a classic man-in-the-middle (MiTM) operation, impersonating legitimate services to harvest user credentials.
“Once these credentials were captured, the user would then be passed to the legitimate service. To evade detection, the actors performed ‘certificate impersonation,’ a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization,” explained Cisco.
“This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected "SSL padlock" in the URL bar.”
With access to the target’s network, the attackers then stole the organization’s SSL certificate, enabling them to perform more MiTM attacks to harvest other credentials, expanding their access. Stolen certs were used for just a day to maintain good OpSec.
Primary targets were military organizations, national security agencies, foreign affairs ministries and energy companies in Libya, Egypt, UAE, Cyprus, Lebanon, Iraq, Jordan, Turkey, Armenia, Syria and Albania.
Secondary targets, infiltrated to gain access to the former, were mainly based in the US and Sweden and included DNS infrastructure firms such as registrars, ISPs, telcos, and one registry. Swedish DNS firm Netnod was one of these.
"Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am," Cisco continued. "Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs."
The firm warned that the group is highly capable and has continued in its operations, undeterred by media reports on some of its activity.
“Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains,” it concluded.
"The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network."
Cath Goulding, head of cybersecurity at .uk registry Nominet, claimed its infrastructure was secure thanks to it taking a layered approach.
“While two-factor authentication helps verify authenticity, Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA. We are continually monitoring the situation, and would reassure the majority of consumers trying to access .UK domain names,” she said.
“For businesses that have their own DNS provisions, we would recommend checking your DNS settings manually to ensure they are still pointing to legitimate servers. The issue with this sort of attack is that it’s incredibly difficult to spot. We would recommend implementing stringent access protocols for your DNS settings, such as multi-factor authentication, as this additional layer of security makes it much harder for hackers to gain access to your systems.”
The group is not connected to the DNSpionage attacks revealed in November last year, according to Cisco.
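Two of the defensive checks raised in this item, comparing DNS records against a known-good baseline (Nominet's advice) and confirming registrar locks are in place (Cisco's closing remark), can be scripted. The following is an added example, not Cisco Talos' or Nominet's tooling; the zone snapshots are constructed BIND-style lines, and the lock check assumes your registrar exposes the standard EPP status codes via WHOIS or RDAP.

```python
"""Detect DNS record drift and missing registrar locks (Sea Turtle-style hijacks).

Added example, not Cisco Talos' or Nominet's code. Zone snapshots are constructed
'name ttl class type rdata' lines such as a scheduled dig or zone export would
produce; status codes are the standard EPP values (assumption: your registrar
exposes them through WHOIS/RDAP).
"""
from collections import defaultdict

# Record types an attacker rewrites to redirect users, mail or name resolution
WATCHED_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}
# EPP locks that stop a registrar-account takeover from changing or transferring the domain
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}


def parse_zone(lines):
    """Parse record lines into {(name, type): set(rdata)}; ';' starts a comment."""
    records = defaultdict(set)
    for line in lines:
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed record: {line!r}")
        name, _ttl, _cls, rtype = parts[:4]
        rdata = " ".join(parts[4:])
        if rtype in WATCHED_TYPES:
            records[(name.lower().rstrip("."), rtype)].add(rdata.lower().rstrip("."))
    return records


def diff_zone(baseline, observed):
    """Return [(name, type, 'added'|'removed', rdata)] for every watched change."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key, set()), observed.get(key, set())
        changes += [(*key, "removed", r) for r in sorted(before - after)]
        changes += [(*key, "added", r) for r in sorted(after - before)]
    return changes


def missing_locks(status_codes):
    """EPP lock statuses the domain should carry but does not."""
    return sorted(REQUIRED_LOCKS - set(status_codes))


BASELINE = """\
example.org.       3600 IN NS  ns1.example-dns.net.
example.org.       3600 IN NS  ns2.example-dns.net.
example.org.       300  IN A   192.0.2.10
mail.example.org.  300  IN A   192.0.2.25
example.org.       300  IN MX  10 mail.example.org.
""".splitlines()

OBSERVED = """\
example.org.       3600 IN NS  ns1.example-dns.net.
example.org.       3600 IN NS  ns2.hijacked-dns.example.  ; constructed: nameserver swapped
example.org.       300  IN A   192.0.2.10
mail.example.org.  300  IN A   198.51.100.7               ; constructed: mail host moved
example.org.       300  IN MX  10 mail.example.org.
""".splitlines()


def audit(baseline_lines=BASELINE, observed_lines=OBSERVED, status_codes=("ok",)):
    """Run both checks and return one report dict."""
    return {"dns_changes": diff_zone(parse_zone(baseline_lines), parse_zone(observed_lines)),
            "missing_locks": missing_locks(status_codes)}


if __name__ == "__main__":
    report = audit()
    for change in report["dns_changes"]:
        print("DNS drift:", change)
    print("Missing registrar locks:", report["missing_locks"])
```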
DCMS Shares UK Journalists' Emails, Potential GDPR Breach
The government department that is responsible for implementing the General Data Protection Regulation (GDPR) has committed an email faux pas with UK journalists which could also mean it has broken its own rules.
Flagged by Guardian journalist Alex Hern on Twitter, the email was regarding its announcement on age verification rules on online pornography. Hern tweeted: "DCMS has just announced that the porn filters are coming online on July 15, in an email that cc's every media and technology journalist in Britain."
According to the Information Commissioner's Office (ICO)'s website, "The GDPR applies wherever you are processing ‘personal data.' If the email addresses make obvious the name, such as 'firstname.lastname@example.org,' GDPR will apply."
Furthermore, the GDPR protects people from being cold-emailed or spammed by requiring explicit consent from individuals. If anyone on the mailing list didn't consent to being on it, there might be a breach.
What counts as consent?
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity
You must make it easy for people to withdraw consent at any time they choose
While DCMS is a high-profile organization, breaches due to human error are not uncommon. In the last two years of reports of UK data breaches to the ICO, just 12% were the result of malicious attacks, according to Kroll. This means that 88% were the result of human error.
"Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks," said Kroll managing director, Andrew Beckett, to Infosecurity Magazine in September 2018. "The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures."
The ICO confirmed it was aware of the incident, commenting: "We are in contact with the Department for Digital, Culture, Media and Sport regarding today’s email incident."