MENTIS

Week of November 10, 2017


Data Breach Record Exposure Up 305% From 2016*:

  • There have been 3,833 publicly disclosed data breaches in the first nine months of 2017, exposing more than seven billion records.
  • Compared to the first nine months of 2016, the number of reported breaches in 2017 is up 18.2%; the number of exposed records up 305%.
  • Five incidents from this year are among the top 10 largest breaches of all time, and exposed about 78.5% of all exposed records to date.
  • The Equifax incident leads the pack as the most severe breach of 2017.
  • A key factor driving the number of breaches in 2017 is failure to recognize the monetary value of personal data on the black market; leadership tends to lose sight of the fact that data has real financial value.
  • Access credentials in the form of email addresses and passwords are the two most compromised data types, at 44.3% and 40%, respectively.
  • Most breaches are caused by hacking: there were 1,997 hacking events, exposing 2.7 billion records, in the first nine months of 2017.
  • There were fewer Web breaches, at 206 incidents, but they caused far more damage with a total of 4.8 billion records exposed.
  • During Q3 there were more breaches exposing between 1 and 100 records, indicating lower severity, and fewer breaches exposed Social Security numbers and other high-value data.
  • For trends to go in a better direction, organizations need to make security a part of their ordinary everyday operations; security has to be an ongoing process.

*Source: Dark Reading, November 08, 2017

https://www.darkreading.com/vulnerabilities---threats/data-breach-record-exposure-up-305--from-2016/d/d-id/1330359


Russia's 'Fancy Bear' Hackers Exploit A Microsoft Office Flaw And NYC Terrorism Fears*:

  • The Russian hacking group known as APT28, or Fancy Bear, seems to be exploiting last week’s ISIS attack in New York City to advance their espionage tactics again, using a freshly exposed vulnerability in Microsoft’s software.
  • Researchers at McAfee revealed that they've been tracking a new phishing campaign from the Russia-linked hacker team.
  • Security researchers have recently shown that a feature of Microsoft Office known as Dynamic Data Exchange (DDE) can be exploited to install malware on a victim's computer simply by having them open an Office document.
  • McAfee now says APT28 has used that DDE vulnerability since late October.
  • The hackers have been fooling victims into clicking with file names that reference US-focused topics like last week’s ISIS truck attack.
  • McAfee detected Fancy Bear's use of Microsoft's DDE feature, a little over a week after the security research community first noted that it could be used to deliver malware.
  • As APT28 exploited the latest Microsoft Office hacking technique in a new campaign, Microsoft said it has no plans to alter or patch its DDE function – it considers DDE a feature that’s working as intended.
  • The company noted that the DDE attack only works when Windows' Protected Mode setting is disabled.
  • The latest APT28 campaign serves as a reminder that even state-sponsored hacking teams don't necessarily depend on "zero day" vulnerabilities alone; astute hackers can simply adopt new hacking techniques as they arise.

*Source: Wired, November 07, 2017

https://www.wired.com/story/russia-fancy-bear-hackers-microsoft-office-flaw-and-nyc-terrorism-fears/


Windows Vulnerability Puts NTLM Password Hashes at Risk*:

  • An attack known as Pass the Hash has been targeting Windows machines since the days of Windows 3.11, but a security researcher recently discovered that a threat actor could easily obtain NT LAN Manager (NTLM) password hashes without any user intervention.
  • The attack itself is rather simple: a Shell Command File (SCF) is placed in a public folder that has no password protection.
  • The SCF file is triggered as soon as it is placed in the folder; it then captures the NTLM password hash and sends it to the attacker's server.
  • At that point, the threat actor can crack the hash to recover the password and gain access to the victim's machine.
  • This is a departure from previous exploits, which began only after the victim had accessed the poisoned folder.
  • The Pass the Hash attack arose from the automatic sharing of NTLM hashes with servers that are located outside of the original network; this is a long-standing architectural flaw in Windows that Microsoft has been reluctant to discuss or fix.
  • The tech giant did issue an optional patch, but the fix only works on Windows 10 and Windows Server 2016, and Microsoft has not announced any plans to extend the patch to previous versions.
  • A simpler solution is to use password-protected public folders.

*Source: Security Intelligence, October 31, 2017

https://securityintelligence.com/news/windows-vulnerability-puts-ntlm-password-hashes-at-risk/


Australian Government Contractor Exposed 50,000 Records*:

  • Nearly 50,000 personal records relating to Australian government employees as well as employees of two banks and a utility were exposed to the internet due to a misconfigured Amazon cloud storage server that was storing backup data.
  • The data exposure is the latest in a string of significant breaches to have affected Australia.
  • The data exposed in the Amazon S3 backup included names, email addresses, phone numbers, IDs, passwords, some credit card numbers and details about staff salaries and expenses.
  • The contractor responsible for the breach was retained to provide expense management services, and the data was partially anonymized.
  • The Australian Cyber Security Centre learned of the breach in early October, and the contractor fixed the issue within hours of being notified.
  • Data pertaining to financial institutions Rabobank and AMP and the energy utility UGL was also affected by the data exposure.
  • Amazon's Simple Storage Service is widely used by organizations due to its flexibility and low cost.
  • While Amazon maintains security recommendations that all S3 users should follow, not all do; any mistakes can lead to vast amounts of data being left downloadable by anyone with internet access.

*Source: Data Breach Today, November 03, 2017

https://www.databreachtoday.com/australian-government-contractor-exposed-50000-records-a-10432
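The S3 item above turns on a single misconfiguration: a grant that lets anyone on the internet read the bucket. As an added example (not from the Data Breach Today article, and not AWS's own tooling), the checks below take a bucket policy and an ACL grant list in the shapes the S3 API returns and flag the statements and grants that make the bucket effectively public. The bucket name, account ID and policy are constructed for the example.

```python
import json

# Canned ACL group URIs that grant access to everyone on the internet (AllUsers) or to
# anyone holding any AWS account (AuthenticatedUsers); both leave a bucket effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json: str):
    """Statements that allow anonymous access: Effect Allow, wildcard principal and no
    Condition narrowing it (a simplified form of the test behind the console's "Public" label)."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal")) and not s.get("Condition")]

def public_acl_grants(grants):
    """Grants (GetBucketAcl / GetObjectAcl shape) whose grantee is a global group."""
    return [g for g in grants if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

# Constructed inputs modelled on a backup bucket left world-readable.
BACKUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupAgent", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-agent"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "OopsPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    ],
})
BACKUP_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
```

Both checks flag the constructed bucket: the OopsPublicRead statement and the AllUsers READ grant are exactly the kind of settings that leave backup data downloadable by anyone.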


Attackers Hacked Nepalese Bank's SWIFT Server*:

  • One of Nepal's largest private-sector commercial banks last month suffered a hack attack that led to attackers issuing fraudulent money transfers via the SWIFT interbank messaging service.
  • NIC Asia Bank said attackers initiated $4.4 million in fraudulent money transfers from its accounts to accounts in six other countries.
  • Immediately after spotting the suspicious transactions, NIC Asia Bank informed Nepal's central bank, Nepal Rastra Bank (NRB), which was able to recover $3.9 million, although $580,000 had already been released to overseas bank accountholders.
  • The attackers reportedly struck the bank during Tihar – aka Diwali – one of Nepal’s biggest holidays.
  • The investigation into the incident did not determine whether the theft was the work of an outside attacker or an insider.
  • More than 11,000 financial institutions across 200 countries and territories use the interbank messaging system from the Brussels-based SWIFT cooperative to transfer funds.
  • News of the NIC Asia Bank breach first surfaced last month after Nepal Rastra Bank issued an alert to foreign banks asking them to block the fraudulent transfer requests.
  • The bank took its SWIFT server offline immediately after spotting the suspicious transactions.

*Source: Data Breach Today, November 06, 2017

https://www.databreachtoday.com/report-attackers-hacked-nepalese-banks-swift-server-a-10437


WikiLeaks Releases Source Code For Hive - CIA's Malware Control System*:

  • Almost two months after releasing details of 23 different secret CIA hacking tool projects under the Vault 7 series, WikiLeaks announced a new Vault 8 series that will reveal source code and information about the backend infrastructure developed by CIA hackers.
  • The whistleblower organization has also published the first batch of the Vault 8 leaks, releasing source code and development logs of Project Hive, a significant backend component the agency used to covertly control its malware from afar.
  • Earlier this year WikiLeaks disclosed that Project Hive is an advanced command-and-control server that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target machines.
  • Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.
  • Hive's infrastructure has been specially designed to prevent attribution: it includes a public-facing fake website, followed by multi-stage communication over a Virtual Private Network.
  • The whistleblowing organisation has released the source code for Project Hive, which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionality.
  • The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others.

*Source: The Hacker News, November 09, 2017

https://thehackernews.com/2017/11/cia-hive-malware-code.html


$300m In Cryptocurrency Accidentally Lost Forever Due To Bug*:

  • More than $300m of cryptocurrency has been lost after a series of bugs in a popular digital wallet service led one curious developer to accidentally take control of and then lock up the funds.
  • Unlike most cryptocurrency hacks, however, the money wasn’t deliberately taken – it was effectively destroyed by accident.
  • The lost money was in the form of Ether, the tradable currency that fuels the Ethereum distributed app platform.
  • It was kept in digital multi-signature wallets built by a developer called Parity.
  • Parity revealed that, while fixing a bug that let hackers steal $32m out of a few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.
  • The user triggered the flaw by accident, and tried to undo the damage by deleting the code; rather than returning the money, that locked all the funds permanently with no way to access them.
  • Effectively, a user accidentally stole hundreds of wallets simultaneously, and then set them on fire in a panic while trying to give them back.
  • Some are pushing for a “hard fork” of Ethereum, which would undo the damage by effectively asking 51% of the currency’s users to agree to pretend that it never happened in the first place.
  • The risk is that some of the community refuses to accept the change, resulting in a split into two parallel groups.
  • Parity says that it is unable to confirm the actual amount lost, and they also dispute that the currency is “lost”, arguing that “frozen” is more accurate.
  • Ethereum has rapidly become the second most important cryptocurrency, after Bitcoin, with its price increasing more than 2,500% over the past year.

*Source: The Guardian, November 08, 2017

https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether
