Millions of Office 365 Accounts Hit with Password Stealers*:
- A new wave of phishing attacks aims to dupe users and steal their passwords by disguising malicious emails as tax-related notifications from the IRS.
- The lure is a Microsoft Office file that claims to be a tax form or other official document.
- Examples of this tactic include files named “taxletter.doc”.
- Because Word and Excel files are familiar and used everywhere, victims are more likely to open them.
- Users are hit with the password stealer when they download and open the malicious document.
- Tens of millions of people have been affected by these phishing emails; Exchange Server users make up a large portion of those affected, but other types of email accounts are also targeted with the malicious files.
- Password theft is increasing overall, a sign of attackers shifting their goals and strategies.
- Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.
- Cybercriminals are aiming for mass data theft and many are impersonating executives to request W-2 information from human resources.
- It's a timely opportunity for attackers to capitalize on users' wariness of tax season and make their campaigns more effective.
*Source: Dark Reading, March 02, 2018
Breaches on the Rise as 70% of Healthcare Firms Are Hit*:
- Some 70% of global healthcare organizations (HCOs) have suffered a data breach, as the sector increasingly shifts towards using digital platforms.
- A recent report revealed that only 30% have yet to suffer a breach, a 17% decrease from 2016.
- In the past year, 39% of HCOs were hit and over half (55%) of respondents claimed they now feel “very” or “extremely” vulnerable to data breaches.
- The growing risk to HCOs comes as virtually all (93%) now use cloud, big data, IoT and container technologies with sensitive data.
- Almost all (96%) said they are using IoT technologies, including internet-connected heart-rate monitors, implantable defibrillators and insulin pumps.
- On the plus side, 84% said they plan to increase spending on cybersecurity over the next year, although only 40% plan to spend it on encryption tools, despite GDPR coming into force in May.
- Last year the NHS suffered yet another security wake-up call after the WannaCry ransomware campaign caused widespread damage, leading to the cancellation of an estimated 19,000 operations and appointments.
*Source: Info Security, March 05, 2018
Equifax Says 2.4 Million More People Were Impacted by Huge 2017 Breach*:
- Equifax has disclosed that an additional 2.4 million people were impacted by a massive cybersecurity breach last year, bringing the total to about 148 million people.
- The credit reporting agency says the new consumers were identified during forensic examination of the breach.
- They were previously unidentified, the company says, because their Social Security numbers were not stolen, but their names and some of their driver’s license information was taken.
- Equifax says it will directly notify these 2.4 million people “and will offer identity theft protection and credit file monitoring services at no cost to them.”
- The company has struggled to rebuild public trust after the revelation of the breach and what is widely perceived as a bungled response.
- Democrats from the House Committee on Oversight and Government Reform recently pressed Equifax to extend their free identity theft protection and credit file monitoring from one year to three.
- When the breach was first disclosed, the number of American consumers affected was about 44 percent of the US population.
- A new survey from CreditCards.com found that 50 percent of adults surveyed have not checked their credit scores and reports since the breach.
- Additionally, "twenty percent of all respondents have heard little or nothing about the Equifax breach, including 46 percent of those aged 18-37.”
*Source: National Public Radio, March 01, 2018
GitHub Hit by 1.35 Tbps DDoS attack*:
- The online version control and code distribution platform GitHub has suffered a series of massive distributed denial of service (DDoS) attacks, causing service disruption by forcing its website to go offline.
- In the first phase of the attack, GitHub's website saw a peak of 1.35 terabits per second (Tbps); in the second phase, GitHub's network monitoring detected a 400 Gbps spike.
- The attack lasted for over 8 minutes and, at 1.35 Tbps, was the largest DDoS attack recorded to that point.
- The attack was possible because many memcached servers expose their UDP interface to the internet, where anyone can query them without authentication.
- Memcached's UDP support answers a small request, sent from a spoofed source address, with a response many times larger, so anyone can launch a major DDoS attack without much effort.
- GitHub confirmed it was a memcached-based amplification attack.
- Because the amplification factor is so high, an attacker with as little as 1 Gbps of spoofed-source sending capacity can produce a very large attack.
- To mitigate the attack, GitHub routed its traffic through Akamai's Prolexic, a managed DDoS protection service, which filtered and blocked the malicious packets.
- GitHub apologized to its users and said that at no point was user data at risk.
*Source: Hack Read, March 02, 2018
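The exchange behind the memcached amplification described above, as an added illustration that is not code from GitHub, Akamai or the memcached project: it builds the 8-byte memcached UDP frame header, chunks a server reply into datagrams the way memcached does, computes the amplification factor (response bytes received by the spoofed victim per request byte sent), and classifies UDP packets at a network edge as either abuse of a local reflector or a reflected flood. The 1,400-byte datagram payload size, the key/value sizes and the addresses are assumptions chosen for the example.

```python
"""Memcached UDP amplification: frame format, amplification factor and a
traffic classifier. Added illustration, not code from GitHub, Akamai or the
memcached project; the sample values and packets below are constructed."""
import ipaddress
import math
import struct
from typing import List

MEMCACHED_PORT = 11211
# Memcached prefixes every UDP datagram with an 8-byte header:
# request id, sequence number, total datagrams in the response, reserved.
FRAME_HEADER = struct.Struct("!HHHH")
# Memcached splits a UDP response into datagrams of at most this many
# payload bytes (assumed value for this illustration).
UDP_MAX_PAYLOAD = 1400


def build_request(command: bytes, request_id: int = 0) -> bytes:
    """The single datagram an attacker sends with a spoofed source address."""
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def split_response(payload: bytes, request_id: int = 0) -> List[bytes]:
    """Chunk a text-protocol reply into UDP datagrams the way the server does."""
    total = max(1, math.ceil(len(payload) / UDP_MAX_PAYLOAD))
    return [
        FRAME_HEADER.pack(request_id, seq, total, 0)
        + payload[seq * UDP_MAX_PAYLOAD:(seq + 1) * UDP_MAX_PAYLOAD]
        for seq in range(total)
    ]


def parse_frame(datagram: bytes) -> dict:
    """Parse the header of one memcached UDP datagram."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[FRAME_HEADER.size:]}


def get_response(key: bytes, value: bytes) -> bytes:
    """Text-protocol reply to `get <key>` for a key holding `value`."""
    return b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (key, len(value), value)


def amplification_factor(request: bytes, response_frames: List[bytes]) -> float:
    """Bytes the victim receives per byte the attacker sends."""
    return sum(len(f) for f in response_frames) / len(request)


def classify_udp(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 local_nets) -> str:
    """Label one UDP packet seen at a network edge.
    'reflector-abuse': an off-net host is querying our memcached over UDP.
    'reflected-flood': memcached replies from elsewhere are hitting us,
    i.e. our address was spoofed as the source. Otherwise 'other'."""
    def is_local(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in local_nets)

    if dst_port == MEMCACHED_PORT and is_local(dst_ip) and not is_local(src_ip):
        return "reflector-abuse"
    if src_port == MEMCACHED_PORT and not is_local(src_ip) and is_local(dst_ip):
        return "reflected-flood"
    return "other"


if __name__ == "__main__":
    # Constructed example: a 2,800-byte value stored under key "k".
    req = build_request(b"get k")
    frames = split_response(get_response(b"k", b"A" * 2800))
    print(len(req), "request bytes ->", sum(map(len, frames)), "response bytes")
    print("amplification factor: %.1f" % amplification_factor(req, frames))
    nets = [ipaddress.ip_network("192.0.2.0/24")]
    print(classify_udp("198.51.100.7", 40000, "192.0.2.10", 11211, nets))
```

A 15-byte request for a 2,800-byte value already comes back as roughly 190 bytes per byte sent, and a real attacker first stores a value close to the server's item size limit, so the factor in practice is far larger. The fix on the server side is to stop answering UDP at all: start memcached with `-U 0` (or bind it to localhost with `-l 127.0.0.1`), block UDP port 11211 at the edge, and note that recent memcached releases ship with UDP disabled by default.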
Cybercrime 'Pandemic' May Have Cost the World $600 Billion Last Year*:
- The global cost of cybercrime has now reached as much as $600 billion – about 0.8 percent of global GDP – according to a new report.
- More worrying than the figure itself is the growth since 2014, when the same analysis put the cost at up to $445 billion.
- That rapid increase is largely due to the lower cost of entry and advancements in technology such as machine learning and artificial intelligence.
- Cybercrime is the only criminal enterprise that has a “help desk,” and would-be criminals don’t need to be technologically advanced to conduct a cyber-attack.
- Certain nation states have come to be regarded as safe havens for cybercriminals; countries such as North Korea, Iran, and Russia tend to go after financial services and “espionage activities” are more common in China.
- A headline-grabbing example is the recent hack of Tokyo-based cryptocurrency exchange Coincheck, where almost 58 billion yen of NEM coins were stolen.
- Cryptocurrency users and investors have voiced concerns about the need for higher standards and broad regulatory systems to safeguard their interests.
*Source: CNBC, February 22, 2018
Pennsylvania AG says Uber Must Pay Over Data Breach*:
- The Pennsylvania Attorney General has filed a lawsuit against Uber after the San Francisco-based ride-sharing company took more than 12 months to inform users that it had suffered a major hack.
- In a press release, Uber is accused of violating Pennsylvania law by failing to put residents on timely notice of the massive data breach.
- The attackers accessed the information of 25 million users in the US, 4.1 million of whom were drivers.
- Approximately 600,000 driver's license numbers were compromised, but no credit card or Social Security numbers were stolen; about 13,500 of the affected Uber drivers lived in Pennsylvania.
- Under Pennsylvania law, the state can seek $1,000 for each violation, so the attorney general's office could seek $13.5 million from Uber.
- Although the hack took place in October 2016, the company didn’t notify the public until November 2017, and the lawsuit asserts Uber failed to notify users in a “reasonable” time frame.
- An Uber spokesman said, “While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly.”
- During his testimony, Uber's chief security officer explained the steps Uber has taken to strengthen its security systems and procedures going forward.
- Data breaches, meanwhile, have become a fact of life in a world devoted to apps, e-commerce and an internet overstuffed with personal information.
- The Pennsylvania AG’s office is asking any state residents who feel they were affected by Uber’s breach to file a complaint with the Bureau of Consumer Protection.
*Source: CNET, March 05, 2018
Women Create Alternate Tech Conference, Protesting Snub at Big Security Confab*:
- After a furor over the lack of women in the line-up at one of the world's largest computer security conferences, a group of women and their allies have organized an alternate conference to run at the same time and in the same city.
- The alternate conference is dubbed "Our Security Advocates Conference," or OURSA – a not-so-subtle dig at RSA.
- RSA Conference was criticized last week for having announced just one female keynote speaker out of 22 this year.
- The alternate conference was inspired by a lack of diverse representation at other computer security events.
- RSA blamed the lack of women in the field, where just 11% of positions worldwide are held by women, according to a recent estimate from research firm Forrester.
- In response, the group of women and men in security came together and created their alternative conference on the fly.
- The vice president of the RSA Conference said, “we applaud the efforts of OURSA for putting this event together, and bringing attention to the need for diversity in information security.”
- The OURSA organizers hope this will be a one-off event and their intent is not to create an ongoing, separate conference for women and those who are underrepresented in security.
- The conference will only have space for a few hundred attendees as compared with the 43,000 who attended RSA last year, but will have a live feed as well so others can take part.
*Source: USA Today, March 05, 2018