ERPScan is the most respected and credible Business Application Security provider. ERPScan’s primary mission is to close the gap between technical and business security, and provide solutions to evaluate and secure ERP systems and business-critical applications from both, cyber-attacks as well as internal fraud.
International hotel group Marriott International confirmed a cyber attack and revealed that the data of about 500 million guests, including passport and credit card details, might have been compromised. The attack on the organization was called the biggest in the last five years, since the attack on Yahoo in 2013, when the attackers accessed the accounts of all of its three billion users. The hotelier said Marriott was investigating “unauthorised access” to the guest reservation database at its Starwood unit going back to 2014. The hotel group officials received an alert on September 8 from an internal security tool and found out that someone had made attempts to access its Starwood guest reservation database. “Marriott recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it,” the officials commented.
As a result of a cyber attack, information of 2.7 million UK Uber customers has been exposed. The company has been fined £385,000 by a UK watchdog for failing to protect critical data. “Avoidable data security flaws” allowed malefactors to access the details of the customers, including full names, email addresses and phone numbers, and download them, the Information Commissioner’s Office (ICO) commented. Also, the details of almost 82,000 UK drivers, including details of journeys made and how much they were paid, were accessed during the incident in October and November 2016. “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said ICO director of investigations Steve Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.” The affected customers and drivers were only informed about the incident when Uber made an announcement in November 2017.
Uber confirmed paying the attackers responsible $100,000 to delete the obtained data. Uber was handed a separate €600,000 fine by the data protection authority in the Netherlands as well.
A hacking group that presumably works on behalf of the Russian state is believed to stand behind delivering malware to targets across Europe. The criminals use Brexit as a lure for conducting cyber operations. The UK’s departure from the European Union is said to be the latest in a line of current affairs topics that the Fancy Bear group, which is also known as APT28, Sofacy and a variety of other names, uses to trick targets into downloading malware. Earlier this month, the hacking operation that is thought to have links to the Kremlin was applying phishing lures relating to the recent Lion Air crash just off the coast of Indonesia. In the report on the current campaign, the group is referred to as SNAKEMACKEREL and exploits Brexit in order to deliver trojan malware. The campaign is also believed to have targeted a number of government departments, including ministries of foreign affairs, political think-tanks, and defence organisations across Europe. “The threat group is likely to be seeking access to insights on the latest political affairs, including confidential documents on national interests related to current news headlines such as Brexit,” Michael Yip, security principal at Accenture Security’s iDefense Threat Intelligence, commented.
Actually, the “Russian malware” was not the only thing targeting governmental organizations last week. In another cyber incident, the Emirati government may have been compromised and critical data left vulnerable to blackmail. Researchers at the Cisco Talos Intelligence Group said that UAE police and the country’s Telecommunication Regulatory Authority, which is also responsible for protection against cyber attacks, were among the victims. According to the experts, Lebanon’s finance ministry and the Lebanese carrier Middle East Airlines were also targeted. The experts also presume that the attackers first examined their victims before launching their attack, as they had a special scheme that allowed them to access confidential records and emails.
The data loss of 500 million guests, attacks on a number of financial organizations – what is next? Follow us on Twitter, Facebook, and LinkedIn.
You might have already heard of Magecart, the e-commerce payment card-skimming threat. Recently, it has targeted Ticketmaster, British Airways, and Newegg. Now, the next victim in the row is the InfoWars online store: this time, the malware was disclosed by the Dutch researcher Willem De Groot. InfoWars is operated by the radio show host Alex Jones, who informed ZDNet about the incident, as a result of which 1,600 of his clients were affected. According to ZDNet, the card skimmer was a generic Magecart variety hidden in the site’s Google Analytics code. It was active for some 24 hours starting on November 11. The affected customers were informed soon after that about the possible compromise of their payment card data.
Some Instagram lovers have been notified about a probable data exposure. The incident was caused by a security bug. The officials of the social network commented that the exposure was “discovered internally and affected a very small number of people.” The bug was probably a result of a feature that the company introduced in April that allowed users to download their data.
People who used the new feature had their passwords included in a URL in their web browsers; the passwords were also stored on the servers of Facebook, Instagram’s parent company. A security researcher commented that such an incident was only possible if Instagram stored its passwords in plain text, which would be a large security issue for the company. Instagram officials denied this, claiming that the network hashes and salts its stored passwords.
However, Facebook, mentioned above, also could have suffered due to a bug in its system. A reported vulnerability could give attackers access to the personal data of its users, meaning that their information was potentially put at risk. The vuln was discovered by cybersecurity researchers from Imperva and resided in the way Facebook’s search feature displayed results for entered queries. The page with search results includes iFrame elements associated with each result, and the endpoint URLs of the iFrames did not have any protection mechanisms against cross-site request forgery (CSRF) attacks. It is worth mentioning that the newly reported vulnerability has already been patched. It also turned out that the vuln was not that difficult to exploit: the malefactor just needed to trick users into visiting a malicious site in a web browser in which they were logged in to their Facebook accounts.
Well, unfortunately, these were not the only recent accidental leakages. A misconfigured MongoDB instance made the data of thousands of Kars4Kids donors and customers publicly accessible. 21,612 records that contained emails and personal information were found open to the public by Bob Diachenko, HackenProof’s director of cyber risk research. Also, the exposed data gave access to the information on the vacation vouchers provided to people who had donated their vehicles, and to receipts with emails, home addresses, and phone numbers. But this was not the only trouble: the researcher also found evidence of a ransom note. “We cannot confirm or deny that cybercriminals have downloaded the entire Kars4Kids’ database, but the ransom note provides reasonable suspicion that it is a possibility. It is unclear how long the data was exposed or how many others have gained access to it before the notification was sent and ultimately secured,” commented the researcher.
We have seen once again that organizations’ own faults can sometimes cause them even more harm than hackers do. Also, never forget to follow us on Twitter, Facebook, and LinkedIn.
Experts believe that the recent spear phishing activity may be caused by the Russian APT group Cozy Bear, which may have become active once again. Last week, the cybersecurity companies CrowdStrike and FireEye published warnings referencing a widespread phishing campaign that affected several industry sectors. The campaign implemented tactics and techniques that resembled those of Cozy Bear, aka APT29.
Cozy Bear is believed to be associated with Russian intelligence and is considered responsible for hacking the Democratic National Committee along with another Russian APT group, Fancy Bear, back in 2016 at the time of the U.S. elections. Not long ago, the threat actor was accused of targeting Norwegian and Dutch ministries and U.S.-based think tanks and NGOs, yet it had seemingly remained in hibernation in 2018. CrowdStrike’s Vice President of Intelligence Adam Meyers said that the campaign was detected by his firm on Nov. 14. The malicious emails “purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website.” The officials of FireEye commented that the attackers “compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails.”
Two young men, Matthew Hanley, 23, and Connor Allsopp, 21, have been sentenced to a combined 20 months for their involvement in the October 2015 TalkTalk cyber attack. As a result of the attack, thousands of customers’ data was affected. The malefactors managed to access personal information, financial details and other sensitive data of 156,959 customers. The hack lasted seven days and its final cost is estimated to be £77 million. This sum also includes the £400,000 fine from the Information Commissioner’s Office for the security vulnerabilities that were used by the attackers.
Hanley was sentenced for 12 months and Allsopp was sentenced for eight months. Judge Anuja Dhir QC commented that it was a tragedy to find “two individuals of such extraordinary talent” in the dock.
“Your actions, the actions of others, resulted in the then-CEO of TalkTalk being subjected to repeated attempts to blackmail her for money. You were not personally involved in making those attempts but your actions helped facilitate it,” Judge Dhir said.
Charitable organization is affected by cryptojacking
The website of the Make-A-Wish charitable organization became affected by a cryptojacking operation.
Make-A-Wish foundation is aimed to fulfill the wishes of children diagnosed with critical illnesses.
Researchers believe that malicious actors injected a CoinImp browser-based cryptomining script. The malware was able to harness the processing power of any computer whose browsers visited the domain worldwish.org. It is possible that the website may have had the Drupalgeddon 2 vulnerability as the mining script was hosted by the domain drupalupdates.tk. It is also possible that drupalupdates.tk is part of a larger campaign known to exploit Drupalgeddon 2. Currently, the injected script has been removed from the website.
In a major cyber attack, thousands of Italian certified email accounts have been targeted recently. Hackers also managed to attack those of magistrates and security officials. The attack started on November 12 and targeted a server near Rome; the server gave the malefactors access to certified email accounts for the public administration. In total, data from around 500,000 accounts, including some 9,000 belonging to magistrates as well as members of a top inter-governmental security agency, has been affected. There is no evidence that the accounts of any ministers, spy chiefs or military bigwigs had been compromised.
As all the targeted emails were certified, they guarantee the validity of a sender’s identity. This also provides the information on the date and time of sending and receiving the email. “This was the worst attack we have had since January this year and it has had important repercussions, but the situation is under control,” commented Roberto Baldoni, state cyber security expert, “The only thing we know for sure is that this attack was not launched from Italy.”
No banks, no hospitals, no social networks were targeted last week – have you noticed? Yes, this happens. For further news, follow us on Twitter, Facebook, and LinkedIn.
The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.
The recent patch update consists of 16 patches with the majority of them rated medium.
The most common vulnerability types are Implementation Flaw and Denial of Service.
This month, SAP fixes a security vulnerability in SAP HANA Streaming Analytics with the Hot News priority rating (related CVEs: CVE-2018-1270, CVE-2018-1275).
SAP Security Notes – November 2018
SAP has released the monthly critical patch update for November 2018. This patch update closes 16 SAP Security Notes (12 SAP Patch Day Notes and 4 Support Package Notes). 4 of the patches are updates to previously released Security Notes.
The number of released patches is progressively decreasing.
Below is a chart illustrating the SAP security notes distribution by priority.
SAP Security Notes Distribution by Priority (June – November 2018)
This month, two types of security issues are prevalent: Implementation Flaw and Denial of Service are the largest groups in terms of the number of vulnerabilities.
SAP Security Notes Distribution by Vulnerability Type – November 2018
28% of all vulnerabilities belong to the SAP NetWeaver ABAP platform, as the pie chart shows:
Affected Platforms – November 2018
SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.
Critical issues closed by SAP Security Notes in November
The following SAP Security Notes patch the most severe vulnerabilities of this update:
2681280: SAP HANA Streaming Analytics has a security vulnerability in the Spring Framework (CVSS Base Score: 9.9, CVE-2018-1270, CVE-2018-1275). An attacker can use a remote command execution vulnerability for unauthorized execution of commands remotely. Executed commands run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in the SAP server file system, including application source code, configuration and critical system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
Install this SAP Security Note to prevent the risks.
2691126: SAP Fiori Client has multiple vulnerabilities (DoS, HTML Injection, Missing Authorization Check) (CVSS Base Score: 8.6).
An attacker can exploit one of the listed vulnerabilities or mix them together.
An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component, so that nobody can use this service. A missing authorization check vulnerability can be used for accessing a service without authorization procedures and for employing service functionality with restricted access, which can lead to information disclosure or attacks like privilege escalation. A cross-site scripting vulnerability allows injecting a malicious script into a page.
Reflected XSS refers to tricking a user into following a malicious link. In the case of stored XSS, the malicious script is injected and permanently stored in the page body, so that the user is attacked without performing any actions. The malicious script can access critical information that is stored by the browser (including all cookies, session tokens, etc.) and used for interacting with the site. An attacker can gain access to a user’s session and see all business-critical information or even get control over it. XSS can also be used for unauthorized modification of displayed site content. Install this SAP Security Note to prevent the risks.
2657670: Web Intelligence Richclient 3 Tiers Mode has a Denial of service (DoS) vulnerability (CVSS Base Score: 7.7, CVE-2018-2473). An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component, so that nobody can use this service. This negatively influences business processes, causing system downtime and damage to business reputation as a result.
Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
It is no surprise that hackers have always been into the financial sphere. But recently, their engagement in the sector has visibly increased. So this week, in our week 45 cyber attack digest, we have collected cyber incidents that affected financial organizations exclusively.
HSBC suffered a data leakage
HSBC has reported a data leakage. As a result of the attack, details of thousands of the bank’s online-banking customers have been stolen. Now, the bank is drawing up a plan to notify people of the major data theft. According to the law of California, affected organizations are to notify their customers whenever a cyber incident touches 500 or more people in the state. The bank’s representatives did not reveal the exact number of affected customers, but commented that the malefactors stole the details of “less than 1 per cent” of some 1.2 million US customers. This means that 12,000 Americans might have had their personal information fall into the hands of cyber thieves. “We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts,” an HSBC spokesperson revealed.
A spyware program was discovered and removed from Google Play last month. The malicious program was found by Trend Micro researchers while it was available for download on Google Play. The program was fraudulently disguised as a Spanish-language banking app, aiming to collect users’ information that was then used in smishing schemes. The fake application claimed to be associated with the multinational Spanish banking group Banco Bilbao Vizcaya Argentaria (BBVA). Google has also removed three more applications provided by the same developer with the same malicious functionality, in addition to Movil Secure. The three other apps claimed to be affiliated with the Spanish banks Evo, Bankia and Compte de Credit. However, Trend Micro says that none of this is connected to any influential financial organization. Movil Secure was downloaded over 100 times and claimed to provide BBVA customers with a mobile banking token service for identity management and transaction authorization purposes. In fact, the malicious program gathered a victim’s SMS messages and phone numbers, along with other ID data.
Supply chain attack with a bitcoin-stealing script
On the back of the incidents affecting financial organizations, the Bank of England (BoE) is organizing a day-long gaming exercise. It is designed to test the security state of the financial system and its ability to stand against cyber attacks. About 40 financial institutions are taking part in the training, including the BoE, the Treasury, City regulator the Financial Conduct Authority, and UK Finance, the industry trade body. Simulated attacks are hosted by the BoE every couple of years, attempting to disclose any weaknesses in the response of financial institutions to a major cyber incident. Another essential issue that is being tested during such events is the ability of organizations to communicate with each other during an attack. “The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole,” the representatives of the BoE explained.
The financial sector is one of the most lucrative targets for attackers, and the explosion of incidents in this sphere should definitely keep both financial organizations and banks’ clients alert. For more information, as always, follow us on Twitter, Facebook, and LinkedIn.
Voting systems have never been out of attackers’ attention. Ahead of the 2018 midterm elections, over 20 different state voter databases were found that contained some 81.5 million voter records. Such data included names, genders, voter IDs, addresses, citizenship status, and phone numbers, and was being offered for sale on the dark web. Thousands of Instagram followers, Facebook likes, YouTube views and Twitter retweets were found on sale there for “a small amount of cryptocurrency”, with some listings offering “’laser-focused’ ads” to recipients. Such databases are quite easy to buy with the help of freelancers or dark-web-oriented search engines. “Being offered for sale and being purchased are very different. A lot of this information is either public, already leaked by services like Facebook or can be purchased legally from several sources,” commented Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies.
Last Sunday, Karachi-based Bank Islami reported a security breach. It was previously mentioned by an unknown source that the attack had taken the form of a flood of suspicious PoS transactions made at Target stores in Brazil and the US that had resulted in a loss of $6 million. Local press characterized the case as the biggest cyber attack in the country’s history. Still, according to the officials, the attack affected the payment card system of the bank, but there was no evidence that any financial losses had taken place there. The malicious actions were detected on Saturday morning, October 27, when the internal security system reported “abnormal transactions” originating from Pakistani debit cards outside the country’s borders. After that, the bank’s access to international payment networks was shut down. The bank’s representatives claim that the bank returned all the funds withdrawn from customers’ accounts. The sum was only estimated at around 2.6 million Pakistani rupees, or roughly $19,500. “There is a clear breach of information at BankIslami’s part and it is being speculated that a digital copy of BankIslami customer’s credit card information was leaked to hackers,” comments the local newspaper PakistaniToday, presuming that the bank may know more than it is letting on.
Hotel service is another sphere of human activity that is a quite common target. This time, the Radisson Hotel Group reported that its Radisson Rewards program was affected by a data breach sometime before 1 October. Malefactors got away with members’ personally identifiable information. According to the organization’s officials, an attacker gained access to the database storing member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers. As Radisson claimed, no credit card or password information had been compromised. “The fact that passwords and financial information does not seem to be affected makes the likely impact of the breach much smaller. The two large implications of this particular incident revolve around how the EU decides to enforce GDPR,” explained Ross Rustici, Cybereason’s senior director, intelligence services.
It has never been a secret that adult websites, due to their popularity, have always been a dangerous place in a security sense. It has been reported recently that an employee of the U.S. Geological Survey (USGS) had infected his agency’s network with malware picked up on adult websites. As stated by Matthew T. Elliott, Assistant Inspector General for Investigations, in a letter to the USGS, the employee visited over 9,000 pornographic webpages on the agency’s network. Many of them had connections with Russian servers. The malware infected the organization’s network when the man downloaded these images to his personal USB device and personal Android cell phone. He eventually connected these devices to a government-issued computer, which subsequently infected the network. “We recommend that the USGS enforce a strong blacklist policy of known rogue Uniform Resource Locators (more commonly known as a web address) or domains and regularly monitor employee web usage history,” commented Matthew T. Elliott.
So, as you can see, this week we have collected attacks on the most influential and therefore attractive spheres: government, hotel service, finances and… adult websites, yes. To learn about cyberattacks, follow us on Twitter, Facebook, and LinkedIn.
Attacks on adult websites are not as common as, for example, the ones on financial organizations; still, a data breach that affected Wife Lovers exposed the data of over 1.2M users. Wife Lovers and seven sister adult-themed sites, including asiansex4u[.]com, bbwsex4u[.]com, indiansex4u[.]com, nudeafrica[.]com, nudelatins[.]com, nudemen[.]com, and wifeposter[.]com, were targeted by attackers. The sites were dedicated to sharing intimate adult photos and went offline in the aftermath of the hack. The scenario of the attacks resembles the 2015 Ashley Madison case that exposed 36 million cheaters’ information. According to the independent researcher Troy Hunt, who examined the incident, “Wife Lovers acknowledged the breach, which impacted names, usernames, email and IP addresses and passwords.” Experts conducted a web search using some of the private email addresses associated with the compromised profiles, which “quickly returned accounts on Instagram, Amazon and other big sites that gave the users’ first and last names, geographic location, and information about hobbies, family members and other personal details,” meaning that the risk to victims in these breaches is very high.
Another cyber incident that blew up on the Internet was also called the world’s biggest airline data breach. Cathay Pacific Airways Ltd. confirmed that a hacker accessed the personal information of 9.4 million customers. “This is quite shocking,” commented Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. “It’s probably the biggest breach of information in the aviation sector.” Among the stolen information, there were names, nationalities, dates of birth, telephone numbers, email and physical addresses, numbers for passports, identity cards and frequent-flier programs, historical travel information, 403 expired credit card numbers, 27 credit card numbers with no CVV (security code), some 860,000 passport numbers and 245,000 Hong Kong IDs.
Several lawmakers criticized Cathay for taking so long to publish the details of the breach. Lam Cheuk-ting from the Legislative Council’s security committee said that many people in Hong Kong were angry as the airline should’ve taken the initiative the very first day it found out. Cathay’s Chief Customer and Commercial Officer Paul Loo replied that the airline didn’t want to “create unnecessary panic.”
The healthcare sector is one of the sectors most beloved by attackers and therefore more vulnerable in comparison with other spheres of activity. Last month, the data of 75,000 patients was exposed after a breach at the ObamaCare (Affordable Care Act) enrollment portal; the details of the incident came to light only last week. The Centers for Medicare and Medicaid Services learned about the incident after noticing problems in the online enrollment portal available to agents and brokers on October 13; the ACA public healthcare portal was not affected. Experts say that information including Social Security numbers, income, and citizenship or immigration status may have been accessed. Federal authorities are now conducting an investigation: the breach took place just two weeks before the beginning of the annual six-week enrollment period for health coverage, and the response of the agency, led by administrator Seema Verma, has been criticized by researchers. Pravin Kothari, chief executive officer of CipherCloud, once again stressed that healthcare remains a popular target for malefactors. “The reason? Healthcare records provide the most comprehensive data set available for any individual. Stolen healthcare data facilitates identity theft and for this reason, is highly prized by cyber thieves,” Kothari commented.
Another vulnerable sector is the financial field, which has always attracted attackers. Last Tuesday, Mexico’s central bank announced that the security alert level in its payment system had been raised after “inconsistencies” in the cash payment matching system were reported by a non-banking financial user.
Insurer AXA reported a cyber attack on Monday that prompted the central bank alert. Still, clients’ information and resources were safe and had not been affected. Some institutions would be operating via an alternative mechanism until further notice as a precautionary measure, the bank said, without providing details. Earlier, in May, the central bank said a cyber attack had tapped into payment system connections at five entities, as a result of which around 300 million pesos were lost.
No doubt, healthcare and financial institutions are all-time hackers’ favorites when speaking about the most attacked spheres. But, as you see, some attackers are more into adult sites. To learn about future attacks, follow us on Twitter, Facebook, and LinkedIn.
A considerable number of articles cover machine learning for cybersecurity and its ability to protect us from cyberattacks. Still, it’s important to scrutinize how Artificial Intelligence (AI), Machine Learning (ML), and Deep Learning (DL) can actually help in cybersecurity right now, and what this hype is all about.
First of all, I have to disappoint you. Unfortunately, machine learning will never be a silver bullet for cybersecurity, compared to image recognition or natural language processing, two areas where machine learning is thriving. There will always be a human trying to find weaknesses in systems or ML algorithms and to bypass security mechanisms. What’s worse, hackers are now able to use machine learning to carry out all their nefarious endeavors.
Fortunately, machine learning can aid in solving the most common tasks, including regression, prediction, and classification. In the era of extremely large amounts of data and a cybersecurity talent shortage, ML seems to be the only solution.
This article is an introduction written to give a practical technical understanding of the current advances and future directions of ML research applied to cybersecurity.
Machine Learning Terminology
Stop calling everything ‘AI’ — learn the terms.
AI (Artificial Intelligence) — a broad concept: the science of making things smart or, in other words, having machines perform human tasks (e.g., visual recognition, NLP, etc.). The main point is that AI is not exactly machine learning or smart things. It can be a classic program, such as edge detection, installed in your robot cleaner. Roughly speaking, AI is a thing that somehow carries out human tasks.
ML (Machine Learning) — an approach (just one of many approaches) to AI that uses a system capable of learning from experience. It is intended not only for AI goals (e.g., copying human behavior), but it can also reduce the effort and/or time spent on both simple and difficult tasks like stock price prediction. In other words, ML is a system that can recognize patterns by using examples rather than by being programmed with them. If your system learns constantly, makes decisions based on data rather than algorithms, and changes its behavior, it’s Machine Learning.
DL (Deep Learning) — a set of techniques for implementing machine learning that recognize patterns of patterns, as in image recognition. The systems first identify object edges, then a structure, then an object type, and finally the object itself. The point is that Deep Learning is not exactly Deep Neural Networks. There are other algorithms that were improved to learn patterns of patterns, such as Deep Q-Learning in reinforcement learning tasks.
The definitions show that the cybersecurity field refers mostly to machine learning (not to AI), and a large part of its tasks are not human-related.
Machine learning means solving certain tasks with the use of an approach and particular methods based on data you have.
Most tasks are subclasses of the most common ones, which are described below.
Regression (or prediction) — a task of predicting the next value based on the previous values.
Classification — a task of separating things into different categories.
Clustering — similar to classification but the classes are unknown, grouping things by their similarity.
Association rule learning (or recommendation) — a task of recommending something based on the previous experience.
Dimensionality reduction — or generalization, a task of searching common and most important features in multiple examples.
Generative models — a task of creating something based on the previous knowledge of the distribution.
There are different approaches in addition to these tasks. You can use only one approach for some tasks, but there can be multiple approaches for other tasks.
Approaches to Solving ML Tasks
Trends of the past
Supervised learning. Task Driven approach. First of all, you should label data like feeding a model with examples of executable files and saying that this file is malware or not. Based on this labeled data, the model can make decisions about the new data. The disadvantage is the limit of the labeled data.
Ensemble learning. This is an extension of supervised learning that mixes different simple models to solve the task. There are different methods of combining simple models.
Unsupervised Learning. Data Driven approach. The approach can be used when there is no labeled data and the model should somehow label it by itself based on its properties. Usually, it is intended to find anomalies in data and is considered to be more powerful in general, as it’s almost impossible to label all data. Currently, it works less precisely than supervised approaches.
Semi-supervised learning. As the name implies, semi-supervised learning tries to combine benefits from both supervised and unsupervised approaches, when there are some labeled data.
Future trends (well, probably)
Reinforcement learning. Environment Driven approach that can be used when the behavior should somehow react to a changing environment. It’s like a kid learning about the environment by trial and error.
Active learning. It’s more like a subclass of Reinforcement learning that probably will grow into a separate class. Active learning resembles a teacher who can help correct errors and behavior in addition to environmental changes.
Machine Learning tasks and Cybersecurity
Let’s see the examples of different methods that can be used to solve machine learning tasks and how they are related to cybersecurity tasks.
Regression (or prediction) is simple. The knowledge about the existing data is utilized to get an idea of the new data. Take house price prediction as an example. In cybersecurity, it can be applied to fraud detection. The features (e.g., the total amount of suspicious transactions, location, etc.) determine the probability of fraudulent actions.
As for the technical aspects of regression, all methods can be divided into two large categories: machine learning and deep learning. The same division is used for the other tasks.
For each task, examples of ML and DL methods are given.
Machine learning for regression
Below is a short list of machine learning methods (having their own advantages and disadvantages) that can be used for regression tasks.
SVR (Support Vector Regression)
You can find a detailed explanation of each method here.
Deep learning for regression
For regression tasks, the following deep learning models can be used:
Artificial Neural Network (ANN)
Recurrent Neural Network (RNN)
Neural Turing Machines (NTM)
Differentiable Neural Computer (DNC)
Classification is also straightforward. Imagine you have two piles of pictures classified by type (e.g., dogs and cats). In terms of cybersecurity, a spam filter separating spam from other messages can serve as an example. Spam filters were probably the first ML approach applied to cybersecurity tasks.
The supervised learning approach is usually used for classification where examples of certain groups are known. All classes should be defined in the beginning.
Below is the list of algorithms.
Machine learning for classification
K-Nearest Neighbors (K-NN)
Support Vector Machine (SVM)
Random Forest Classification
Methods like SVM and random forests are considered to work best. Keep in mind that there are no one-size-fits-all rules, and they probably won’t work properly for your task.
Deep learning for classification
Artificial Neural Network
Convolutional Neural Networks
Deep learning methods work better if you have more data, but they consume more resources, especially if you plan to use them in production and re-train the systems periodically.
Clustering is similar to classification, with one major difference: the information about the classes of the data is unknown. There is no idea whether this data can be classified at all. This is unsupervised learning.
Another interesting area where clustering can be applied is user behavior analytics. In this instance, application users are clustered together so that it is possible to see whether they should belong to a particular group.
Usually, clustering is not applied to solving a particular task in cybersecurity, as it is more like one of the subtasks in a pipeline (e.g., grouping users into separate groups to adjust risk values).
Machine learning for clustering
K-nearest neighbours (KNN)
Deep learning for clustering
Self-organized Maps (SOM) or Kohonen Networks
Association Rule Learning (Recommendation Systems)
Netflix and SoundCloud recommend films or songs according to your movie or music preferences. In cybersecurity, this principle can be used primarily for incident response. If a company faces a wave of incidents and offers various types of responses, a system learns the type of response for a particular incident (e.g., mark it as a false positive, change a risk value, run an investigation). Risk management solutions can also benefit if they automatically assign risk values to new vulnerabilities or misconfigurations based on their description.
The following algorithms are used for solving recommendation tasks.
Machine learning for association rule learning
Deep learning for association rule learning
Deep Restricted Boltzmann Machine (RBM)
Deep Belief Network (DBN)
The latest recommendation systems are based on restricted Boltzmann machines and their updated versions, such as promising deep belief networks.
Dimensionality reduction or generalization is not as popular as classification, but it is necessary if you deal with complex systems with unlabeled data and many potential features. You can’t apply clustering because typical methods restrict the number of features or simply don’t work. Dimensionality reduction can help handle this and cut unnecessary features. Like clustering, dimensionality reduction is usually one of the tasks in a more complex model. As for cybersecurity tasks, dimensionality reduction is common in face detection solutions — the ones you use in your iPhone.
You can find more on dimensionality reduction here (including the general description of the methods and their features).
The task of generative models differs from the above-mentioned ones. While those tasks deal with the existing information and associated decisions, generative models are designed to simulate the actual data (not decisions) based on the previous decisions.
A simple offensive cybersecurity task is to generate a list of input parameters to test a particular application for injection vulnerabilities.
Alternatively, you can have a vulnerability scanning tool for web applications. One of its modules tests files for unauthorized access. These tests are able to mutate existing filenames to identify new ones. For example, if a crawler detected a file called login.php, it’s worth checking for the existence of any backup or test copies by trying names like login_1.php, login_backup.php, or login.php.2017. Generative models are good at this.
Machine learning for generative models
Deep learning for generative models
Generative adversarial networks (GANs)
Recently, GANs have shown impressive results. They can successfully mimic video. Imagine how this can be used for generating examples for fuzzing.
Cybersecurity Tasks and Machine Learning
Instead of looking at ML tasks and trying to apply them to cybersecurity, let’s look at the common cybersecurity tasks and machine learning opportunities. There are three dimensions (Why, What, and How).
The first dimension is a goal, or a task (e.g., detect threats, predict attacks, etc.). According to Gartner’s PPDR model, all security tasks can be divided into five categories:
The second dimension is a technical layer and an answer to the “What” question (e.g., at which level to monitor issues). Here is the list of layers for this dimension:
network (network traffic analysis and intrusion detection);
application (WAF or database firewalls);
Each layer has different subcategories. For example, network security can be wired, wireless, or cloud. Rest assured that you can’t apply the same algorithms with the same hyperparameters to both areas, at least in the near future. The reason is the lack of data and algorithms to find better dependencies among the three areas so that it’s possible to change one algorithm to a different one.
The third dimension is a question of “How” (e.g., how to check security of a particular area):
in transit in real time;
For example, if you are working on endpoint protection and looking for an intrusion, you can monitor the processes of an executable file, do static binary analysis, analyze the history of actions on this endpoint, etc.
Some tasks should be solved in all three dimensions. Sometimes, there are no values in some dimensions for certain tasks. Approaches can be the same along one dimension. Nonetheless, each particular point of this three-dimensional space of cybersecurity tasks has its intricacies.
It’s difficult to detail them all, so let’s focus on the most important dimension — technology layers. Let’s look at cybersecurity solutions from this perspective.
Machine learning for Network Protection
Network protection is not a single area but a set of different solutions that focus on a protocol such as Ethernet, wireless, SCADA, or even virtual networks like SDNs.
Network protection refers to the well-known Intrusion Detection System (IDS) solutions. Some of them used a kind of ML years ago but mostly dealt with signature-based approaches.
ML in network security implies new solutions called Network Traffic Analytics (NTA), aimed at in-depth analysis of all the traffic at each layer and at detecting attacks and anomalies.
How can ML help here? Here are some examples:
regression to predict the network packet parameters and compare them with the normal ones;
classification to identify different classes of network attacks such as scanning and spoofing;
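The two items just listed, worked through as an added example that is not part of the original article: a regression baseline for a packet parameter (bytes per flow as a function of packets), with deviations flagged as anomalies, and a supervised classifier that labels each source host as normal or scanning. The flow records, labels and thresholds are constructed, and the nearest-centroid classifier stands in for the SVM or random forest an NTA product would typically use.

```python
"""Toy Network Traffic Analytics (NTA) pipeline for two of the items above:
a regression baseline for a packet parameter, and a supervised classifier
that labels per-source behaviour as normal or scanning.

Added example, not code from the original article. All flow records, labels
and thresholds are constructed for illustration (standard library only)."""
from collections import defaultdict
import math
import statistics

# Constructed flow records: (source IP, destination port, packets, bytes).
# The baseline window is assumed to contain only benign traffic.
BASELINE_FLOWS = [
    ("10.0.0.5", 443, 20, 12100), ("10.0.0.5", 443, 35, 21400),
    ("10.0.0.7", 80, 12, 7300),   ("10.0.0.7", 443, 50, 30200),
    ("10.0.0.9", 22, 8, 4900),    ("10.0.0.9", 443, 26, 15700),
]

# Observation window (constructed): one host behaving as before, one host
# sending a single flow with far more bytes per packet than usual, and one
# host touching 40 different ports with a single packet each.
WINDOW_FLOWS = [
    ("10.0.0.5", 443, 30, 18200), ("10.0.0.5", 443, 22, 13400),
    ("10.0.0.5", 80, 15, 9100),
    ("10.0.0.7", 443, 25, 60000),
] + [("192.0.2.44", port, 1, 60) for port in range(1, 41)]


def fit_bytes_per_packets(flows):
    """Least-squares line bytes = slope * packets + intercept over benign
    flows; returns (slope, intercept, residual standard deviation)."""
    xs = [f[2] for f in flows]
    ys = [f[3] for f in flows]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sxy / sxx
    intercept = my - slope * mx
    residuals = [y - (slope * x + intercept) for x, y in zip(xs, ys)]
    return slope, intercept, statistics.stdev(residuals)


def is_anomalous(flow, model, k=3.0):
    """Regression check: flag a flow whose byte count deviates from the
    predicted value by more than k residual standard deviations."""
    slope, intercept, sigma = model
    predicted = slope * flow[2] + intercept
    return abs(flow[3] - predicted) > k * sigma


def source_features(flows):
    """Per-source features: (distinct destination ports, mean packets/flow)."""
    ports, packets = defaultdict(set), defaultdict(list)
    for src, port, pkts, _ in flows:
        ports[src].add(port)
        packets[src].append(pkts)
    return {src: (len(ports[src]), statistics.fmean(packets[src]))
            for src in ports}


# Constructed labelled examples (supervised learning). The two features are
# on comparable scales here, so unscaled Euclidean distance is acceptable.
TRAINING = [
    ((2, 28.0), "normal"), ((3, 31.0), "normal"), ((1, 40.0), "normal"),
    ((45, 1.0), "scan"), ((60, 1.2), "scan"), ((30, 1.0), "scan"),
]


def train_centroids(examples):
    """Nearest-centroid classifier: one mean feature vector per label."""
    by_label = defaultdict(list)
    for features, label in examples:
        by_label[label].append(features)
    return {label: tuple(statistics.fmean(dim) for dim in zip(*vecs))
            for label, vecs in by_label.items()}


def classify(features, centroids):
    """Assign the label of the closest centroid."""
    return min(centroids, key=lambda lbl: math.dist(features, centroids[lbl]))


def analyse(baseline, window):
    """Run both checks over a window; returns (anomalous flows, labels)."""
    model = fit_bytes_per_packets(baseline)
    anomalies = [f for f in window if is_anomalous(f, model)]
    centroids = train_centroids(TRAINING)
    labels = {src: classify(feat, centroids)
              for src, feat in source_features(window).items()}
    return anomalies, labels


if __name__ == "__main__":
    flagged, verdicts = analyse(BASELINE_FLOWS, WINDOW_FLOWS)
    print(f"{len(flagged)} flows outside the regression baseline")
    for src, label in sorted(verdicts.items()):
        print(f"{src}: {label}")
```

Note that the regression check flags the oversized flow from 10.0.0.7 even though that host's port behaviour still classifies as normal, which is why the two checks complement each other.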
Hungry students are in the hacking game once again. An attacker found a way to get free credit for the vending machines on a university campus by looking at the inner workings of the machines’ accompanying mobile app. The vending machines are from Argenta, a popular provider of coffee services in Italy, now acquired by Selecta Group B.V., and are used all over the country for automated sales of all sorts of products. The machines support Bluetooth Low Energy (BLE) and Near Field Communication (NFC) to allow users to make payments with a smartphone. The fraudulent actions were disclosed by Matteo Pisani, an Italian hacker and CTO at Remoria VR, while he was searching for a weak spot. The expert decompiled the Argenta mobile app that interacts with the vending machines and monitored its activity for anything that could be manipulated. Soon, he found references to RushOrm, an Android tool that maps Java classes to SQL tables. This means that it worked with databases, which always hold precious information. The mobile application used a database, ‘argenta.db,’ which the expert located and extracted to his laptop. Still, opening it was protected by a password. The database contained multiple tables, including one called ‘UserWallets,’ which came with an editable ‘walletCredit’ field. This entry tells the app how much credit the user can spend at the vending machines; there was also an Android tool that automated the interaction with the database and applied wallet-related changes. Pisani commented that there was no need for initial credit to change its value. He also posted a picture with an inflated credit of EUR 999.
Anthem is to pay a record $16 million to settle potential privacy violations stemming from a major data leak. The attack took place back in 2015, when records of over 80 million current and former patients were compromised. It was reported that the fee is three times larger than the previous record amount paid to the government. The company agreed to pursue a corrective action plan under government monitoring: it will assess its electronic security risks and take appropriate security measures. As a result of the breach, sensitive personal information was exposed; the stolen records included names, dates of birth, member IDs and Social Security numbers, addresses, phone numbers, email addresses, and employment information, e.g., income data. “Anthem takes the security of its data and the personal information of consumers very seriously,” the company’s representatives commented. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”
While BleepingComputer covers ransomware, several fraudsters try to interact with the site in various ways.
Over the past weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer as it goes through the different stages of the encryption process. Their aims are still unclear, but this provides BleepingComputer with insight into the real number of victims affected by the ransomware. Exploit kit experts nao_sec and Kafeine first spotted the new version, which was distributed via malvertising and the RIG exploit kit. It was determined that since October 20th, 2018, the ransomware has infected 217 unique victims from all over the world. Kraken Cryptor is written in C#, which makes it possible to see how the program operates. The ransomware developers themselves can use the IPlogger.com site to check the number of ransomware victims.
A bug in Tumblr’s “Recommended Blogs” feature has been fixed recently. The bug could disclose private and personal information of the users of the recommended blogs. Recommended Blogs is designed to display a list of blogs that may interest the logged-in user. Tumblr learned about the bug from a security researcher through its bug bounty program, and the bug was fixed by Tumblr’s engineering team within 12 hours.
With the help of debugging tools, a user was able to see private account information, including IP addresses, email addresses, and hashed passwords. Tumblr claimed that there was no evidence that the bug had been exploited. “We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present,” commented Tumblr.
Ironically, a number of recent incidents have happened due to human error rather than hackers, which means that attention during the work process is essential for your security. Still, do not forget about other security measures, and follow us on Twitter, Facebook, and LinkedIn.
Oracle closed 1119 issues in total in 2018, the same number as in 2017.
CPU for October 2018 contains 162 vulnerabilities in business-critical applications.
The most vulnerable application is Oracle Fusion Middleware, totaling 65 security issues. Their criticality is also alarming, since 86% of them can be exploited over the network without entering user credentials.
This CPU contains 49 vulnerabilities assessed at critical (CVSS base score 9.0-10.0). The most severe vulnerability of the current CPU with the highest CVSS score of 10.0 is in the Oracle GoldenGate component.
Analysis of Oracle Critical Patch Update for October 2018
ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.
Compared with the previous CPU for July 2018, which jumped over the 330-issue mark and became the largest ever, this month’s patch update addresses 10% fewer vulnerabilities; see the bar chart below.
Oracle fixed 1119 security issues in total in 2018. It is worth mentioning that this number remains the same as in 2017. The graph below illustrates the trend and the increasing number of patches released by Oracle for each year from 2013 to 2018.
Oracle vulnerabilities by application type
The patch updates touch a wide range of products. The affected product families are shown in the table below, sorted in descending order of closed issues.
Number of Patches
Sun Systems Products Suite
Construction and Engineering Suite
JD Edwards Products
Supply Chain Products Suite
Enterprise Manager Products Suite
Food and Beverage Applications
Financial Services Applications
Health Sciences Applications
As seen from the table and illustrated in a pie chart, Fusion Middleware leads by the number of the closed issues.
Vulnerabilities in Oracle’s business-critical applications
The fact that Oracle has 430,000 application customers from a wide range of industries in 175 countries makes it of the utmost importance to apply the released security patches.
This quarter’s CPU contains 162 patches for vulnerabilities affecting a range of the most crucial business applications from Oracle, namely PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications, and Supply Chain. That is 54% of the vulnerabilities found in Oracle products this quarter.
125 of these security vulnerabilities can be exploited remotely without entering credentials.
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business information, depending on modules installed in an organization.
This quarter, the vendor released 24 fixes (or 8% of the update) addressing this component; see the bar chart. 21 of them can be exploited over a network without requiring user credentials.
As seen from the graph, the number of vulnerabilities in PeopleSoft has fluctuated several times since October 2015 and rose from April to October 2018.
Oracle E-Business Suite Security
Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business-critical information, depending on the modules installed in an organization.
This critical patch update contains 16 fixes for Oracle EBS, and 14 of the vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 8.2.
The most critical Oracle vulnerabilities closed by CPU for October 2018
Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers fix the most critical issues first.
The most critical issues closed by the CPU are as follows:
Oracle GoldenGate has CVE-2018-2913 (CVSS Base Score: 10.0) – a vulnerability in the Oracle GoldenGate component of Oracle GoldenGate (subcomponent: Monitoring Manager). Supported versions that are affected are 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to compromise Oracle GoldenGate. While the vulnerability exists in Oracle GoldenGate, attacks may significantly impact additional products. Successful attacks can result in the takeover of Oracle GoldenGate.
Java VM has CVE-2018-3259 (CVSS Base Score: 9.8) – a vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 188.8.131.52, 184.108.40.206, 220.127.116.11 and 18c. The easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks caused by this vulnerability can result in the takeover of Java VM.
Oracle Big Data Discovery has CVE-2018-1275 (CVSS Base Score: 9.8) – a vulnerability in the Oracle Big Data Discovery component of Oracle Fusion Middleware (subcomponent: Data Processing (Spring Framework)). The supported version that is affected is 1.6.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Big Data Discovery. Successful attacks of this vulnerability can result in takeover of Oracle Big Data Discovery.
JD Edwards EnterpriseOne Orchestrator has CVE-2018-7489 (CVSS Base Score: 9.8) – a vulnerability in the JD Edwards EnterpriseOne Orchestrator component of Oracle JD Edwards Products (subcomponent: IoT Orchestrator Security (jackson-databind)). The supported version that is affected is 9.2. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in the takeover of JD Edwards EnterpriseOne Orchestrator.
MySQL Enterprise Monitor has CVE-2018-11776 (CVSS Base Score: 9.8) – a vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: General (Apache Struts 2)). Supported versions that are affected are 18.104.22.16837 and prior, 22.214.171.12481 and prior and 126.96.36.19991 and prior. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in the takeover of MySQL Enterprise Monitor.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.