Cryptocurrency is one of those things that most of us have heard about and maybe even discussed, even if we don’t truly understand it. But for those who have a good grasp of it, opportunity awaits. Though there is not a centralized bank for cryptocurrency, it is not immune from people trying to rob it. Unlike the bank heists of the past, these crimes are committed purely online.
Apple iPhone users take note: A vulnerability that might affect tens of millions of users leaves devices open to dangerous attacks, China-based researchers have warned. The flaw, dubbed ZipperDown, resides in 15,978 iOS apps that have been downloaded 100 million times, according to famous iPhone jailbreakers Pangu Team.
A Tesla car was driving in “autopilot” mode when it crashed into a stopped firetruck in Utah, the company said in a report to police that repeatedly cast blame on the driver, not its semi-autonomous driving system.
The operators of the Satori botnet are mass-scanning the Internet for exposed Ethereum mining rigs, according to three sources in the infosec community who’ve observed the malicious behavior: SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence.
With a week until GDPR hits, new research from Paymentsense (https://www.paymentsense.co.uk) reveals a correlation between ‘bring your own device’ (BYOD) schemes and increased cybersecurity risk in small businesses. Six in 10 (61%) SMEs have experienced a cybersecurity incident since introducing a BYOD policy, according to the study from the merchant services provider*.
Increasingly popular, BYOD policies see employees using personal devices like laptops, tablets and smartphones for work, as well as for their general day-to-day activities. Some businesses believe it brings productivity gains and cost-savings, and the global BYOD and enterprise mobility market is estimated to reach USD 73.30 billion by 2021.
The Paymentsense study revealed that BYOD schemes are prevalent across small businesses of all sizes, but larger SMEs are more likely to employ such a policy. For microbusinesses of up to 10 staff, the rate is 40%, increasing to 51% for businesses of between 51 and 100 people, and then again to 69% in businesses of 101 to 250 people.
Worryingly, Paymentsense found that as BYOD popularity increases, so do cybersecurity incidents. Just one in seven (14%) microbusinesses (up to 10 staff) reported a cybersecurity incident since implementing BYOD, but this figure rises significantly to 70% for businesses of 11 to 50 people, and again to 94% for SMEs of 101 to 250 people.
The most common cybersecurity incident suffered by respondents over the last 12 months was malware, which affected two thirds (65%) of SMEs, followed by viruses (42%), distributed denial of service (26%), data theft (24%) and phishing (23%).
Chafic Badr, Head of Digital at Paymentsense, comments: “Although our study shows the popularity of BYOD amongst small businesses, it’s alarming to see so many reporting incidents since implementing these schemes. As with all cybersecurity issues, the biggest factor is the human one – employees need to be aware of their responsibilities and the risks associated with a BYOD system. This is particularly important when you consider personal data responsibilities in the post-GDPR landscape – our GDPR compliance notes for small business owners expand further.
Business owners should create concise guidelines to help staff use best security practices in their daily activities – both within the office and outside. It’s also worth remembering that when mobile device users are away from work, susceptibility to threats such as phishing tends to increase. We’ve created a cybersecurity guide for small business owners as a starting point. Regular engagement and communication with staff at all levels is important – business owners can’t afford to assume all staff will educate themselves to the right standard. If mistakes are made, having an incident response plan clarifies responsibilities and ensures timely action is taken to contain and control the situation.”
Top 10 SME cybersecurity incidents (last 12 months)
Over the past 12 months, CrowdStrike, the leader in cloud-delivered endpoint protection, has typically observed two different types of Business Email Compromise (BEC) scams: fraudulent wire transfer attempts, and account compromises that have led to follow-on spam campaigns. Regarding fraudulent wire transfers, the criminals are typically caught on the initial attempt, or on the second attempt, which usually involves a much larger amount than the first.
The wire transfer scams that have been observed follow similar patterns in some cases, even though the companies and personnel targeted have varied.
In many BEC cases, CrowdStrike has observed Office 365 (or G Suite) accounts being compromised because two-factor authentication (2FA) was not enabled. When this happens, the attackers can take over the entire approval chain for Office 365, and then add mailbox rules in order to monitor email traffic and intercept messages from employees who may be trying to report suspicious activity.
The tactics of the scammers
In general, the majority of these attacks originate from Nigerian IP addresses, the compromised mailboxes are accessed from Nigerian IPs, and the actors are only now starting to use proxies. Although there is no single standard set of tactics for BEC, in 2017 CrowdStrike observed numerous BEC campaigns that use tactics mirroring these:
A spear-phishing email, often containing a PDF attachment or a link, is sent to a pre-determined individual in the target company. Emails sent to victims seem to be relatively targeted, but generally very simple. They usually contain links to fake DocuSign or OneDrive login pages, sometimes hidden behind URL shortening services.
If the email carries a PDF, opening it in the browser causes the browser to visit the link embedded in the PDF. Otherwise, the link in the email itself leads to a phishing site whose URL often carries the email address of the targeted account, so that the email address form field can be pre-populated with this value.
In certain cases, after the initial link is visited, a redirect occurs that lands on DocuSign pages with the option to log into legitimate mail providers such as Office 365. Phishing pages are hosted on what appear to be hacked web servers. They contain login forms for victims to enter their email and password.
Once the form is submitted, the browser is redirected to the legitimate login page for the email service, so the victim sees nothing unusual; by then the entered credentials have already been captured. The backend code that collects the entered credentials is written in PHP and forwards each submission by email to an attacker-controlled email account.
The stolen credentials are then used by criminals to access the victim’s mailbox from a remote IP address, in some cases the same IP address used in the initial spear phish.
The compromised account is then used to gain access to additional mailboxes including accounts typically in the finance and accounting departments. Search queries are then completed for terms such as wire transfer, invoice, payment, CEO, or bank.
An email is then sent from one of the compromised addresses to the company’s financial institution requesting a wire transfer, in some cases for as much as $1M USD.
Additional emails from hacked accounts are also sent to the financial institution approving the transaction.
Once the payment details are intercepted by the criminals, the account number (or IBAN), bank name, and SWIFT/BIC codes are changed to those of a criminally controlled account, typically in Hong Kong or China.
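The report notes two things a defender can look for in a compromised mailbox: rules added to intercept messages reporting suspicious activity, and searches or filters keyed on terms such as wire transfer, invoice, payment, CEO or bank. The script below is an added example, not CrowdStrike’s tooling, that audits an export of a user’s inbox rules for those patterns. It assumes the rules have been exported into the list-of-dicts shape shown in SAMPLE_RULES (constructed data); the organisation’s domain (ORG_DOMAIN) is a placeholder.

```python
"""Audit exported mailbox inbox rules for signs of business e-mail compromise.

Added example (not CrowdStrike's code). Assumes rules have already been
exported from the mail platform into the dict shape used in SAMPLE_RULES.
"""
import re

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Terms the report says BEC actors search for or filter on.
FINANCE_TERMS = {"wire", "wire transfer", "invoice", "payment", "ceo", "bank", "swift", "iban"}
# Terms an employee is likely to use when reporting a suspicious message.
REPORTING_TERMS = {"phish", "phishing", "suspicious", "hacked", "compromised", "fraud", "security"}
# Folders a mailbox owner rarely looks at; used to hide intercepted mail.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}

# Constructed sample export: one benign rule and two that match the report's pattern.
SAMPLE_RULES = [
    {"id": "R1", "name": "Newsletters",
     "conditions": {"from_contains": ["newsletter@vendor.example"]},
     "actions": {"move_to": "Newsletters"}},
    {"id": "R2", "name": ".",
     "conditions": {"subject_contains": ["invoice", "wire transfer", "payment"]},
     "actions": {"forward_to": ["finance.backup@gmail-mail.example"],
                 "mark_read": True, "move_to": "RSS Subscriptions"}},
    {"id": "R3", "name": "Cleanup",
     "conditions": {"body_contains": ["phishing", "suspicious login", "hacked"]},
     "actions": {"delete": True}},
]


def is_external(address):
    """True when the address belongs to a domain other than ORG_DOMAIN."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != ORG_DOMAIN


def matched_terms(texts, terms):
    """Return the sorted subset of `terms` that appear as whole words in `texts`."""
    joined = " ".join(texts).lower()
    return sorted(t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", joined))


def audit_rule(rule):
    """Return a list of human-readable findings for one rule (empty if benign)."""
    findings = []
    conds = rule.get("conditions", {})
    acts = rule.get("actions", {})
    match_text = conds.get("subject_contains", []) + conds.get("body_contains", [])
    target = acts.get("move_to", "").lower()
    hides = bool(acts.get("delete")) or target in HIDDEN_FOLDERS

    for addr in acts.get("forward_to", []):
        if is_external(addr):
            findings.append(f"forwards mail to external address {addr}")
    if target in HIDDEN_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{acts['move_to']}'")
    fin = matched_terms(match_text, FINANCE_TERMS)
    if fin and (hides or acts.get("forward_to")):
        findings.append(f"acts on finance keywords {fin}")
    rep = matched_terms(match_text, REPORTING_TERMS)
    if rep and hides:
        findings.append(f"hides messages mentioning {rep}, which would suppress a user's report")
    if acts.get("mark_read") and hides:
        findings.append("marks mail read before hiding it, so no unread indicator appears")
    if rule.get("name", "").strip() in {"", ".", "..", "-", "_"}:
        findings.append("rule name is empty or a single punctuation character")
    return findings


def audit_mailbox(rules):
    """Map rule id -> findings for every rule that produced at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit_mailbox(SAMPLE_RULES).items():
        print(rule_id)
        for line in findings:
            print("  -", line)
```

Run against a real export, the same checks apply unchanged; the only adaptation is mapping the platform’s rule fields onto the `conditions`/`actions` keys above. Alerting on a newly created rule that both forwards externally and hides mail is a higher-fidelity signal than any single check alone.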
Nigerian confraternities, most notably Black Axe, have developed into formidable criminal organizations that include cyber components. The Black Axe confraternity maintains a pyramidal command structure at the national level, and also operates Black Axe “Zones” that conduct wire fraud in foreign locations. In mid-2015, police in Toronto, Canada arrested three Nigerian criminals on fraud charges for stealing more than $600,000 USD from a Canadian widow through a romance scam. Police also charged one with the crime “money laundering for criminal organization” because they identified him as the bookkeeper for Black Axe’s Canada zone.
Although the perpetration of Nigerian 419 scams is not as advanced technically as the activity conducted by Russian actors who develop and manage sophisticated banking Trojans, Nigerian BEC scams are just as advanced given their global scale, the amount of money involved, and the advanced money laundering techniques that include the use of banks in China.
Business email compromise (BEC) has become a massive eCrime challenge; it is essentially a global problem that affects all geographical regions and involves actors conducting fraud on multiple continents. The FBI has estimated that this fraud has resulted in billions of dollars stolen from large and small businesses alike, and CrowdStrike has observed cases where a single BEC incident has resulted in losses in the seven figures.
Many descriptions and advisories or press releases on BEC describe it in relatively simple terms, and the basic construct is simple in nature, which makes the success of the scam more impressive. However, the different variations of BEC that have been crafted show that in its different forms, it is actually a complex series of movements and events that require a multifunctional criminal team. When BEC scams are combined or conducted in conjunction with romance scams, money mule recruitments, and complex money-laundering operations, they present an enormous challenge to law enforcement, businesses, cyber security firms, and even individuals.
The health care industry is consistently under attack thanks to cybercriminals who eagerly attempt to snatch valuable data, costing organizations substantial financial and reputational damage.
People often weigh in and wonder why the overall industry can’t sufficiently beef up its cybersecurity strategies. However, the headlines they see that alert the public about breaches and other issues don’t tell the whole story.
The Health Sector Appeals to Hackers
Besides the scope of the records to steal and the details that range from Social Security numbers to home addresses, hackers set their sights on the health care industry because, historically, it hasn’t kept up with the times.
A 2015 Sophos survey found 20 percent of respondents in the medical industry didn’t use encryption at all. Hackers are typically ahead of their targets. That means they likely knew about the widespread lack of encryption before researchers did.
Also, a profile of health care-related attacks in 2017 is especially eye-opening. In numerous cases, more than one security issue occurred on the same day in different locations. The frequency of attacks is a factor that’s urging health care organizations to spend billions of dollars over the next several years to make improvements.
Some facilities aren’t equipped to deal with large-scale attacks, which is alluring to hackers that want to earn notoriety for their efforts. In February 2016, ransomware attacks forced a medical center in California to endure a week-long computer shutdown while its employees relied on paper records and fax machines.
The study found almost half — 48 percent — of the people on the inside who compromised data security were financially motivated, presumably aiming to use stolen data to open new lines of credit or take similar actions.
However, problems also arise when employees don’t treat data correctly due to human error or a lack of training. They might throw sensitive data into trashcans instead of shredding it, or make mistakes when sending paper documents to external companies.
Numerous Challenges Exist
Outsiders are not always aware of the massive number of obstacles involved in getting the health care industry well-equipped against cybersecurity attacks.
For example, all communications platforms used to transmit patient data must comply with the Health Insurance Portability and Accountability Act (HIPAA). This means that health care organizations have to follow strict rules regarding the security of how they send and receive all patient information. While this does help with potential security issues, it can be extremely time consuming, though some organizations hope to change that soon.
Another issue is that people in the medical field are characteristically time-starved and focused on patient care. That means they often find it difficult to fit security training into their schedules or understand why it’s relevant.
St. Luke’s University Health Network received recognition from the American Hospital Association for its all-encompassing data security strategies. St. Luke’s sends out a quarterly scenario for employees to go through and see why cybersecurity matters. That approach is reportedly working well, probably because it keeps hospital workers’ valuable time in mind.
Ransomware Attack Mitigation Is Getting Better
The news about health care and cybersecurity is not all bad. An investigation into efforts to implement the ONC SAFER Guides — which include updated material about stopping ransomware — found that hospitals are taking the recommended strategies seriously.
The recommendations aim to prevent and reduce downtime of critical hospital systems. When the guidelines are in place, fiascoes such as the one experienced by the previously mentioned Californian facility should become less prevalent.
A Collective Effort Is Necessary
The most effective cybersecurity strategies are ones applied across organizations. Since many hospital systems span across states and countries, keeping everyone on the same page isn’t easy.
Exercising compliance is not enough. Instead, all people associated with respective health care organizations must work together to reduce the damage caused by cybersecurity shortcomings and promote improvements.
PA Consulting Group’s latest research found that airports are ill-equipped to deal with a major cyber attack. The report, ‘Overcome the Silent Threat’, says that the emergence of a hyper-connected model – where passengers in airports want fast internet and digital engagement with airlines and retailers – is increasing the opportunities for cyber criminals to exploit.
There are currently around 1,000 cyber attacks each month on airport and aviation systems worldwide, according to the European Aviation Safety Agency, and according to PA’s research, airports are at a higher risk of cyber attack due to an increasing use of technologies and digital infrastructure in day to day operations, new data sharing obligations and greater connectivity across staff and passenger devices within airports.
David Oliver, global transport security lead at PA Consulting Group, comments: “Fundamentally, the focus on physical security needs to be applied with the same rigour in the cyber arena if airports are going to build resilience to potentially catastrophic cyber attacks. If the industry does not act now, it will find itself at increased vulnerability to cyberattacks as new technologies become part of everyday operations.”
One key trend increasing dependency on systems that could be subject to cyber attacks is that a number of airports are exploring the option of providing remote control and monitoring for air traffic control systems and on the airfield. As remote towers are highly dependent on the data links that transmit information from one place to another, a cyber attack or physical attack could disrupt operations, including making it impossible to manage airport traffic.
David Oliver continues: “With the EU Network and Information Systems Directive, which aims to improve the cyber resilience of the UK’s essential services, now in force, UK airports risk penalties of up to £17M for failing to put in place appropriate cyber security measures.”
The report is based on in-depth analysis and interviews with four major international airports, a diverse group which represents the type and scale of airports globally.
Optiv Security, the world’s leading security solutions integrator, has published its 2018 Cyber Threat Intelligence Estimate (CTIE) which details the current state of the cyber-threat landscape and uses estimative intelligence to predict how that landscape stands to change in the future. This report is generated to provide Optiv’s clients with a global view of security threats and trends, so they can effectively adapt their strategic plans to mitigate anticipated enterprise risk.
Among the key findings in the report:
The Rise of the Netherlands and Lebanon. Seemingly benign nation states such as Lebanon and the Netherlands are rising in the ranks of nation-sponsored attackers. The motivations for this rise are unclear, although both countries made headlines this year with cyberattacks: Lebanon for spying on thousands of people across 20 countries via an Android malware campaign; and the Netherlands for penetrating Russia’s Cozy Bear organization and uncovering the hack of the Democratic National Committee during the 2016 presidential election in the U.S.
Cyber-Social is the Next Front for Nation States. Nation-state-sponsored attacks are expanding from “cyber-physical,” where the objective is to compromise data or critical infrastructure, to “cyber-social,” where the goal is to use social media to influence the opinions and actions of large populations of people. Russian cyber-social exploitation of European and American elections showed how relatively easy and cost-effective these can be, which dramatically increases the likelihood that this class of attack will be used by a growing number of nation states, hacktivists and other groups in the future.
Critical Infrastructure has been Breached. The utilities and energy industries experienced high indicators of exploit activity without any high-profile breaches. This suggests that attackers have access to critical infrastructure but are waiting to exploit this access in response to events such as war, or attacks on their own infrastructure.
Healthcare IoT is Vulnerable. The Internet of Things (IoT) continues to suffer from weak security fundamentals and unmitigated vulnerabilities. The healthcare IoT is particularly problematic due to the increasing numbers of networked medical devices and the potential damage that could occur should those devices become compromised.
Phishing Remains the Delivery Vehicle of Choice. Despite years of technology countermeasures, publicity and education campaigns, phishing remains the number one malware delivery mechanism. Additionally, while modern email security solutions can detect and stop emails with malicious attachments, they are still largely impotent against detecting hyperlinks to malicious websites.
Protecting the Brand Rises in Importance. Brand security threats were the second most common source of alerts for Optiv during the year – behind phishing attacks, but ahead of typical security concerns such as data leakage and web vulnerabilities. These alerts were generated in response to the presence of “phony, misleading or malicious sites,” raising the importance of brand risk in the hierarchy of enterprise security concerns.