More stories

    $15 million business email scam campaign in the US exposed

    The FBI is investigating a global business email compromise (BEC) campaign that has netted cybercriminals at least $15 million in illicit proceeds. 

    On Wednesday, cybersecurity researchers from Mitiga said the campaign, which is ongoing, uses social engineering techniques to impersonate senior executives using Microsoft Office 365 email services. 
    The Israeli incident response company said over 150 organizations — spanning law, construction, finance, and retail — have been identified as victims worldwide. The majority of those tracked so far are in the United States.
    BEC scams focus on targeting businesses and organizations through email fraud, often with financial gain in mind. Analysts estimate that in Q2 2020, the average successful BEC campaign now nets fraudsters $80,000 — an increase from $54,000 in Q1 2020 — but in the worst cases, financial theft can reach millions of dollars. 
    It was a “multi-million-dollar global transaction,” Mitiga told us, that alerted the researchers to the campaign. Emails were sent between a buyer and seller over several months, in which a threat actor impersonated “senior parties” involved in the transaction, providing alternative wire payment instructions, and vanishing with the proceeds. 
    However, this single case of criminality was only one of what appears to be many widespread BEC campaigns run by one or more cybercriminal groups. 
    Digital clues linked over a dozen clusters of rogue domains to the BEC campaign and the researchers say that “each cluster was a coordinated attack on its own.”
    Numerous rogue domains have been registered via GoDaddy’s Wild West Domains registrar, and these domains mask themselves as legitimate businesses. In what is known as a homograph technique, the website addresses used to impersonate a company include alterations made via letters or symbols that would be difficult to spot — such as the difference between ‘paypal.com’ and ‘paypall.com’. Office 365 accounts were then linked to email addresses associated with these domains in order to send fraudulent messages. If a victim accepted a phishing message and unwittingly executed a payload, this could also lead to their inbox becoming compromised.
    The team believes that Microsoft’s email service is being abused to reduce “suspicious discrepancies and the likelihood of triggering malicious detection filtering.”
    When conversations were intercepted via compromised accounts, the attackers used a forwarding rule to bounce all communication back to another attacker-controlled account. 
    “This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided,” the company added. 
    An investigation into the widespread BEC scam is ongoing. Microsoft and relevant law enforcement agencies have been notified. 
    “We’re experiencing a dramatic increase — 63% in fact — of ransomware and BEC attacks across our customer base,” Tal Mozes, Mitiga CEO, told ZDNet. “These attacks are originating mainly from African countries and are showing an increasing level of sophistication. With this specific BEC campaign, our analysts were able to identify a digital fingerprint that allowed us to identify and notify the victims, as well as alert law enforcement of threat vectors.”
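    The two signals the article describes, lookalike sender domains and attacker-added forwarding rules, as a defender-side check. This is an added example, not Mitiga's code or tooling; the trusted domains, the message samples and the mailbox-rule format are constructed for the demo, and the confusables table is an assumed subset.

```python
import re

# Substitutions commonly used to build lookalike domains (assumed subset, not an
# exhaustive Unicode confusables table).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed sample data: domains the finance team legitimately deals with, and
# the organisation's own domains.
TRUSTED_DOMAINS = {"paypal.com", "acme-corp.example"}
INTERNAL_DOMAINS = {"acme-corp.example"}


def registrable(domain: str) -> str:
    """Naive registrable-domain reduction: keep the last two labels
    (mail.acme-corp.example -> acme-corp.example). Good enough for the demo;
    a public-suffix list is needed for domains like example.co.uk."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:])


def skeleton(label: str) -> str:
    """Collapse visually similar spellings so paypall, paypa1 and paypal all map
    to the same string."""
    s = label.lower()
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return re.sub(r"(.)\1+", r"\1", s)  # doubled letters: paypall -> paypal


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for spellings the skeleton does not catch (paypa.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain that sender_domain imitates, or None if the
    sender is either a trusted domain itself or nothing like one."""
    dom = registrable(sender_domain)
    if dom in trusted:
        return None
    base = dom.rsplit(".", 1)[0]
    for t in sorted(trusted):
        t_base = t.rsplit(".", 1)[0]
        if skeleton(base) == skeleton(t_base) or levenshtein(base, t_base) <= max_distance:
            return t
    return None


def external_forward(rule: dict, internal=INTERNAL_DOMAINS) -> bool:
    """True if a mailbox rule forwards or redirects mail to an address outside
    the organisation, the persistence trick described in the article."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return any(registrable(addr.rsplit("@", 1)[-1]) not in internal for addr in targets)


def triage(messages, rules):
    """Run both checks over inbound messages and mailbox rules and return
    human-readable findings."""
    findings = []
    for msg in messages:
        target = lookalike_of(msg["from"].rsplit("@", 1)[-1])
        if target:
            findings.append(f"lookalike sender {msg['from']} imitates {target}: {msg['subject']}")
    for rule in rules:
        if external_forward(rule):
            findings.append(f"rule '{rule['name']}' forwards mail outside the organisation")
    return findings


if __name__ == "__main__":
    # Constructed samples: one genuine invoice, two lookalike senders, one
    # unrelated newsletter, one benign rule and one attacker-style redirect.
    sample_messages = [
        {"from": "ar@paypal.com", "subject": "Invoice 1042"},
        {"from": "ar@paypall.com", "subject": "Updated wire instructions"},
        {"from": "cfo@acme-c0rp.example", "subject": "Urgent: change beneficiary"},
        {"from": "news@zdnet.example", "subject": "Daily digest"},
    ]
    sample_rules = [
        {"name": "Archive", "forward_to": ["archive@acme-corp.example"]},
        {"name": ".", "redirect_to": ["inbox-copy@attacker.example"]},
    ]
    for finding in triage(sample_messages, sample_rules):
        print(finding)
```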

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    This worm phishing campaign is a game-changer in password theft, account takeovers

    A phishing attack taking place against an organization has revealed a crafty method to bounce between victims in a way deemed “ingenious” by a researcher. 

    On September 29, cybersecurity architect and bug bounty hunter Craig Hays outlined a recent phishing attempt which went far beyond the usual spray-and-pray tactics and basic attempts to compromise a network, to become “the greatest password theft he had ever seen.”  
    In a Medium blog post, Hays detailed how a response team received an alert from their organization at 10 am, when a user fell prey to a phishing attack. 
    Originally, the security expert simply deemed the notification “another day, another attack.” The team locked the impacted account down and began to investigate the incident in order to find the root cause and any potential damage. 
    Within minutes, several more alerts pinged their inbox. This, in itself, isn’t unusual. As Hays noted, “emails that made it through the filtering rules tended to hit a number of people at the same time.”
    However, after the sixth report, the responders noticed this was potentially something more substantial — and by the time they had conducted an initial damage assessment and two accounts had been recovered, they faced a “huge wave of account takeovers.”
    “We could see that all of the accounts were being accessed from strange locations all over the globe and sending out a large number of emails,” Hays said. “For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period.”
    The problem was, the initial credential theft vector wasn’t obvious and no victim had received an email from a new contact that day — the latter being how phishing messages are generally sent, often appearing to come from a spoofed or seemingly legitimate source.
    Eventually, the team turned to sign-in timestamps to connect the account takeovers with emailed communication — and this revealed the attack vector.  
    “The phishing emails were being sent as replies to genuine emails,” the researcher explained. “Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.”
    This is how it worked: once one email account was compromised, the credentials for the account were sent to a remote bot. The bot would then sign into the account and analyze emails sent within the past several days.
    “For each unique email chain it found, it replied to the most recent email with a link to a phishing page to capture credentials,” Hays said. “The wording was generic enough to fit almost any scenario and the link to a ‘document’ didn’t feel out of place.”
    Sent as a reply-all, using a legitimate email account, and given the conversation history, trying to distinguish the bot from the genuine account owner was difficult. 
    The technique, resulting in worm-like mass takeovers, left Hays “in awe” of the “phenomenal number of accounts [that] were compromised within a few hours.”
    Unfortunately, as the bot grew in size and took over account after account, this allowed it to propagate beyond the impacted company itself — the phishing emails were also sent to other people outside of the organization. 
    The phishing attack was out of control by this point and the only way the team was able to clamp down on it was by finding a pattern in the URL of the phishing pages that could be used to add a quarantine rule. 
    While Hays calls the campaign “ingenious” and “the most favorite attack I’ve seen in person,” he also notes that the bot was “too effective”: its eagerness to propagate raised red flags and alerts too quickly for it to reach its full potential.
    Multi-factor authentication was quickly implemented for email accounts that had not enabled the additional security measure. 
    “The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained,” Hays commented. 


    Singapore touts blockchain use in COVID-19 data management

    Singapore has developed a blockchain-powered application touted to better manage and secure medical records. Enabling healthcare data to be stored in a digital wallet, the software has been used in a pilot in which COVID-19 discharge memos have been verified more than 1.5 million times. 
    Government-owned investment firm SGInnovate and local startup Accredify jointly developed the “digital health passport” to support the management of medical records. Work on the application had begun in May during the height of the global pandemic, when SGInnovate roped in Accredify on the project. The Singapore startup specialises in document lifecycle management products, including document management and verification. 
    Funded by the Ministry of Finance, SGInnovate focuses its investment on deep tech startups that work on emerging technologies such as artificial intelligence, quantum technology, and medical technology. 

    The newly developed digital health passport is touted to enable personal medical documents to be stored in a digital wallet, secured with blockchain technology, for easy access and verification. It also digitises medical documents for distribution such as COVID-19 discharge memos and swab results, helping to streamline the workflow of healthcare services providers. 
    This feature bypasses the need for paper-based documents, which are difficult to manage and easily replicated, lost, or misplaced, the organisations said in a joint statement Wednesday. The application is built on the OpenAttestation platform, which was developed by the Singapore government’s CIO office, GovTech, as an open source framework to notarise documents using blockchain.
    “Digital Health Passport leverages blockchain technology to generate tamper-proof cryptographic protections for each medical document. Users can automatically verify the digital records via a mobile app and present it to officials via QR code, for a quick and seamless verification process,” SGInnovate said. It added that blockchain-powered data storage allowed for greater transparency, security, and privacy, and ensured personal health data would not be revealed. 
    For added security, users will be able to log into their SingPass account — used to access e-government services — and choose the relevant records they want shared and set expiry timings. 
    According to SGInnovate, an early version of the digital health passport was deployed in a July 2020 pilot involving Singapore’s health and manpower ministries. Introduced as a new feature in the Manpower Ministry’s FWMOMCARE app, the health passport helped manage and display digital COVID-19 discharge memos for foreign workers, verifying such documents more than 1.5 million times. Foreign workers require the discharge memos to return to work. 
    The digital health passport also was used on other medical records such as COVID-19 swab results, immunity proof, and vaccination records.
    The application could potentially be extended to the travel industry and facilitate checks and verifications on the health status of travellers, such as the application process for “green lane” essential and official travels, or at boarding and border check-points for greater safety.
    SGInnovate’s deputy director of venture building Simon Gordon said: “As the pandemic tested Singapore’s healthcare sector, we identified a gap in the large-scale management of medical records. We wanted to quickly build a solution that enables a trusted authentication process, to create more efficiencies for healthcare practitioners and officials working at the frontline, and support the safe reopening of the economy.”

    Twitter hires new CISO in industry veteran Rinki Sethi

    Image: Twitter (supplied)
    After leaving the position unfilled for months and suffering a major hack over the summer, Twitter has hired this week a new Chief Information Security Officer (CISO) in industry veteran Rinki Sethi.
    Sethi joins Twitter from her previous role as Vice President and CISO at Rubrik, a cloud data management company.
    Before that, Sethi also served as Vice President for Information Security at IBM, Vice President for Information Security at cyber-security firm Palo Alto Networks, Director & Head of Product Security at software giant Intuit, and in other cyber-security roles dating back to 2004, at companies like eBay, Walmart, and PG&E.
    In her new role at Twitter, Sethi will report to Nick Tornow, Platform lead. She will oversee Twitter’s information security (InfoSec) posture, which includes areas like Enterprise Risk, Security Risk, Application Security, and Detection & Response.
    Twitter says Sethi will also work closely with teams such as the Privacy & Data Protection to address key company initiatives, and will also keep Twitter staff and the company’s board up to date on security-related issues.

    Mike Convertino served as Twitter’s previous CISO. Convertino left his position in December 2019, and the role remained unfilled.
    Twitter has been criticized this summer for not filling the CISO role fast enough. The criticism came after the social network suffered a major security breach in July when hackers broke into Twitter’s backend admin tools and defaced the timelines of tens of high-profile verified accounts with a cryptocurrency scam.
    Sethi’s hiring will quiet most of this criticism as the San Francisco-based exec is one of today’s most respected infosec figures.
    Outside her extensive career credentials, Sethi also stood on the boards of major security conferences (WyCiS and SecureWorld), consulted on infosec books, and received numerous industry awards.
    In addition, Sethi was also one of the founders of an initiative to develop the first set of national cybersecurity badges and curriculum for the Girl Scouts of USA.

    Microsoft: Some ransomware attacks take less than 45 minutes

    Image: Microsoft

    For many years, the Microsoft Security Intelligence Report has been the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape.
    While Microsoft unceremoniously retired the old SIR reports back in 2018, the OS maker appears to have realized its mistake, and has brought it back today, rebranded as the new Microsoft Digital Defense Report.
    Just like the previous SIR reports, Microsoft has yet again delivered.
    Taking advantage of its vantage points over vast swaths of the desktop, server, enterprise, and cloud ecosystems, Microsoft has summarized the biggest threats companies deal with today in the face of cybercrime and nation-state attackers.
    The report is 88 pages long, covers data from July 2019 to June 2020, and some users might not have the time to go through it in its entirety. Below is a summary of the main talking points, Microsoft’s main findings, and general threat landscape trends.
    Cybercrime
    2020 will, without a doubt, be remembered for the COVID-19 (coronavirus) pandemic. While some cybercrime groups used COVID-19 themes to lure and infect users, Microsoft says these operations were only a fraction of the general malware ecosystem, and the pandemic appears to have played a minimal role in this year’s malware attacks.
    Email phishing in the enterprise sector has also continued to grow and has become a dominant vector. Most phishing lures center around Microsoft and other SaaS providers, and the Top 5 most spoofed brands include Microsoft, UPS, Amazon, Apple, and Zoom.
    Microsoft said it blocked over 13 billion malicious and suspicious mails in 2019, and out of these, more than 1 billion contained URLs that have been set up for the explicit purpose of launching a credential phishing attack.
    Successful phishing operations are also often used as the first step in Business Email Compromise (BEC) scams. Microsoft said that crooks gain access to an executive’s email inbox, watch email communications, and then spring in to trick the hacked users’ business partners into paying invoices into wrong bank accounts.

    Image: Microsoft
    Per Microsoft, the most targeted accounts in BEC scams were the ones for C-suites and accounting and payroll employees.
    But Microsoft also says that phishing isn’t the only way into these accounts. Hackers are also starting to adopt password reuse and password spray attacks against legacy email protocols such as IMAP and SMTP. These attacks have been particularly popular in recent months because they also let attackers bypass multi-factor authentication (MFA) solutions: logins via IMAP and SMTP don’t support an MFA challenge.
    Furthermore, Microsoft says it’s also seeing cybercrime groups that are increasingly abusing public cloud-based services to store artifacts used in their attacks, rather than using their own servers. Further, groups are also changing domains and servers much faster nowadays, primarily to avoid detection and remain under the radar.
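    A detection for the legacy-protocol password spray described above, as an added example that is not from the Microsoft report; the log line format, the field names and the sample sign-in records are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Protocols that authenticate with a bare password and cannot complete an MFA
# challenge (the report's point about legacy email protocols).
LEGACY_PROTOCOLS = {"IMAP", "SMTP", "POP3"}

# Assumed line format for this demo; real sign-in logs use product-specific
# field names.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one source walks through six accounts over IMAP with
# one password each, then logs into the one that worked over SMTP; a second
# source is an ordinary user who mistyped a password twice.
SAMPLE_LOG = """\
2020-06-01T10:00:00Z user=alice@acme.example src=198.51.100.7 proto=IMAP result=FAIL
2020-06-01T10:00:30Z user=bob@acme.example src=198.51.100.7 proto=IMAP result=FAIL
2020-06-01T10:01:00Z user=carol@acme.example src=198.51.100.7 proto=IMAP result=FAIL
2020-06-01T10:01:30Z user=dave@acme.example src=198.51.100.7 proto=IMAP result=FAIL
2020-06-01T10:02:00Z user=erin@acme.example src=198.51.100.7 proto=IMAP result=FAIL
2020-06-01T10:02:30Z user=frank@acme.example src=198.51.100.7 proto=IMAP result=FAIL
2020-06-01T10:04:00Z user=frank@acme.example src=198.51.100.7 proto=SMTP result=SUCCESS
2020-06-01T10:05:00Z user=grace@acme.example src=203.0.113.9 proto=HTTPS result=FAIL
2020-06-01T10:05:20Z user=grace@acme.example src=203.0.113.9 proto=HTTPS result=FAIL
2020-06-01T10:05:40Z user=grace@acme.example src=203.0.113.9 proto=HTTPS result=SUCCESS
"""


def parse(text):
    """Turn log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Spray signature: one source, many *distinct* usernames failing inside a
    short window (a lockout-driven brute force looks the opposite: one user,
    many attempts).  Returns {src: finding} for every source that matches."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failed = {e["user"] for e in evs[start:end + 1] if e["result"] == "FAIL"}
            if len(failed) >= min_users:
                # Once a source is confirmed as spraying, report everything it did,
                # including successes that warrant a credential reset.
                findings[src] = {
                    "users_tried": sorted({e["user"] for e in evs if e["result"] == "FAIL"}),
                    "compromised": sorted({e["user"] for e in evs if e["result"] == "SUCCESS"}),
                    "legacy_protocols": sorted(
                        {e["proto"] for e in evs if e["proto"] in LEGACY_PROTOCOLS}
                    ),
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

    A source that is flagged with a non-empty "legacy_protocols" list is the case the report describes: the successful login came through a channel where MFA never had a chance to run, so disabling legacy authentication removes the vector rather than just the alert.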
    Ransomware groups
    But, by far, the most disruptive cybercrime threat of the past year has been ransomware gangs. Microsoft said that ransomware infections had been the most common reason behind the company’s incident response (IR) engagements from October 2019 through July 2020.
    And of all ransomware gangs, it’s the groups known as “big game hunters” and “human-operated ransomware” that have given Microsoft the most headaches. These are groups that specifically target select networks belonging to large corporations or government organizations, knowing they stand to receive larger ransom payments.
    Most of these groups operate either by using malware infrastructure provided by other cybercrime groups or by mass-scanning the internet for newly-disclosed vulnerabilities.

    Image: Microsoft
    In most cases, groups gain access to a system and maintain a foothold until they’re ready to launch their attacks. However, Microsoft says that this year, these ransomware gangs have been particularly active and have reduced the time they need to launch attacks, and especially during the COVID-19 pandemic.
    “Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system – compromising, exfiltrating data and, in some cases, ransoming quickly – apparently believing that there would be an increased willingness to pay as a result of the outbreak,” Microsoft said today.
    “In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes.”
    Supply-chain security
    Another major trend that Microsoft chose to highlight was the increased targeting of supply chains in recent months, rather than attacking a target directly.
    This allows a threat actor to hack one target and then use the target’s own infrastructure to attack all of its customers, either one by one, or all at the same time.
    “Through its engagements in assisting customers who have been victims of cybersecurity intrusions, the Microsoft Detection and Response Team has observed an uptick in supply chain attacks between July 2019 and March 2020,” Microsoft said.
    But Microsoft noted that while “there was an increase, supply chain attacks represented a relatively small percentage of DART engagements overall.”
    Nonetheless, this doesn’t diminish the importance of protecting the supply chain against possible compromises. Here, Microsoft highlights dangers coming from the networks of Managed Service Providers (MSPs, third-parties that provide a very specific service and are allowed to access a company’s network), IoT devices (often installed and forgotten on a company’s network), and open-source software libraries (which make up most of a company’s software these days).
    Nation-state groups
    As for nation-state hacking groups (also known as APTs, or advanced persistent threats), Microsoft said this year has been quite busy.
    Microsoft said that between July 2019 and June 2020, it sent out more than 13,000 nation-state notifications (NSNs) to its customers via email.
    According to Microsoft, most were sent for hacking operations linked back to Russian state-sponsored groups, while most of the victims were located in the US.

    Image: Microsoft
    These email notifications were sent for email phishing attacks against its customers. Microsoft said it tried to counter some of these attacks by using court orders to seize domains used in these attacks.
    Over the past year, Microsoft seized domains previously operated by nation-state groups like Strontium (Russia), Barium (China), Phosphorus (Iran), and Thallium (North Korea).
    Another interesting finding of the Microsoft Digital Defense Report is that the primary targets of APT attacks have been non-governmental organizations and the services industry.
    This particular finding goes against the grain. Most industry experts often warn that APT groups prefer to target critical infrastructure, but Microsoft says its findings tell a different story.
    “Nation state activity is more likely to target organizations outside of the critical infrastructure sectors by a significant measure, with over 90% of notifications served outside of these sectors,” Microsoft said.
    As for the techniques that have been preferred this past year (July 2019 to June 2020) by nation-state groups, Microsoft noted several interesting developments, with the rise of:
    • Password spraying (Phosphorus, Holmium, and Strontium)
    • Use of penetration testing tools (Holmium)
    • The use of ever-more-complex spear-phishing (Thallium)
    • The use of web shells to backdoor servers (Zinc, Krypton, Gallium)
    • The use of exploits targeting VPN servers (Manganese)

    Image: Microsoft
    All in all, Microsoft concludes that criminal groups have evolved their techniques over the past year to increase the success rates of their campaigns, as defenses have gotten better at blocking their past attacks.
    Just like in years prior, the entire cybersecurity landscape appears to be sitting on a giant merry-go-round, and constant learning and monitoring is required from defenders to keep up with the ever-evolving attackers, be they financially motivated or nation-sponsored groups.

    Programming languages: Java founder James Gosling reveals more on Java and Android

    James Gosling, the father of Java, one of the world’s most widely used programming languages, has talked with research scientist Lex Fridman about Java’s origins and his motivations for creating a language that would be used on tens of billions of devices and become central to the development of Android at Google. 
    Gosling designed Java 25 years ago while at Sun Microsystems. In 2009, Java would be one of the key reasons Oracle acquired Sun. According to Oracle, today there are 51 billion active Java Virtual Machines (JVMs) deployed globally. 
    But long before Oracle’s acquisition of Sun, Gosling said he and a team at Sun “kind of worried that there was stuff going on in the universe of computing that the computing industry was missing out on” – what would become today’s Internet of Things.

    “It was all about what was happening in terms of computing hardware, processors and networking that was outside the computing industry,” he said. 
    “That was everything from the early glimmers of cell phones that were happening then to – you look at elevators and locomotives and process-control systems in factories and all kinds of audio and video equipment.  
    “They all had processors in them they were all doing stuff with them and it felt like there was something going on there that we needed to understand.” 
    At that stage C and C++ “absolutely owned the universe” and everything was being written in those languages. 
    Gosling says his team went on several “epic road trips” around 1990 to visit Toshiba, Sharp, Mitsubishi and Sony in Japan, Samsung and several other South Korean companies, and went “all over Europe” to visit the likes of Philips, Siemens and Thomson. 
    “One of the things that leapt out was that they were doing all the usual computer things that people had been doing 20 years before,” he recalls.
    “They were reinventing computer networking and they were making all the mistakes that people in the computer industry had made.
    “Since I’ve done a lot of work in the networking area, we’d go and visit company X that would describe this networking thing they were doing, and just without anything, I could tell them like 25 things that were going to be complete disasters.”
    Discovering that industry outside the traditional computing world was now repeating earlier mistakes was one of the key reasons Gosling and his colleagues thought they could offer something useful in Java. 
    However, he also realized the consumer electronics industry and the computer industry had a very different view of customers, which helped inform how he would design Java. 
    “High on the list was that [consumer electronics companies] viewed their relationship with the customer as sacred. They were never ever willing to make trade-offs for safety. One of the things that always made me nervous in the computer industry was that people were willing to make trade-offs in reliability to get performance,” said Gosling.  
    “Just figuring out … how to make sure that if you put a piece of toast in the toaster, it’s not going to kill the customer. It’s not going to burst into flames and burn the house down,” he added.         
    After those road trips, Gosling and the company built a prototype control system in C and C++ code for home electronics goods, such as a TV and VCR. Security was a key consideration in his objectives for what would become Java. 
    “Back in the early 1990s it was well understood that the number one source of security vulnerabilities was just pointers, was just bugs, like 50% to 60% to 70% were bugs and the vast majority of them were like buffer overflows. We have to make sure this cannot happen. And that was the original thing for me was ‘This cannot continue’.”    
    But earlier this year, Gosling read a news report about the Chromium team finding that 70% of security bugs in the Chrome code base were memory management and safety bugs.  
    “Chrome is a like a giant piece of C++ code. And 60% to 70% of all the security vulnerabilities were stupid pointer tricks. And I thought it’s 30 years later and we’re still there,” said Gosling.  
    Beyond safety and security considerations for Java, he wanted to ensure “developer velocity”. 
    “I got really religious about that because I’d spent an ungodly amount of time of my life hunting down mystery pointer bugs. The mystery pointer bugs tend to be the hardest to find because … the ones that hurt are a one in a million chance,” he notes.  
    “When you’re doing a billion operations a second, it means it’s going to happen. I got religious about if something fails it happens immediately and visibly. One of the things that was a real attraction of Java to lots of development shops was that we know we get our code up and running twice as fast.”
    Object-oriented programming was also an important concept for Java, according to Gosling. 
    “One of the things you get out of object-oriented programming is a strict methodology about what are the interfaces between things and being really clear about how parts relate to each other.”
    This helps address situations when a developer tries to “sneak around the side” and breaks code for another user. 
    He admits he upset some people by preventing developers from using backdoors. It was a “social engineering” thing, but says people discovered that restriction made a difference when building large, complex pieces of software with lots of contributors across multiple organizations. It gave these teams clarity about how that stuff gets structured and “saves your life”. 
    He offered a brief criticism of former Android boss Andy Rubin’s handling of Java in the development of Android. Gosling in 2011 had a brief stint at Google following Oracle’s acquisition of Sun. Oracle’s lawsuit against Google over its use of Java APIs is still not fully settled after a decade of court hearings. 
    “I’m happy that [Google] did it,” Gosling said, referring to its use of Java in Android. “Java had been running on cell phones for quite a few years and it worked really, really well. There were things about how they did it, in particular various ways that they kind of violated all kinds of contracts.” 
    “The guy who led it, Andy Rubin, he crossed a lot of lines. Lines were crossed that have since mushroomed into giant court cases. [Google] didn’t need to do that and in fact it would have been so much cheaper for them not to cross lines,” he added.
    “I came to believe it didn’t matter what Android did, it was going to blow up. I started to think of [Rubin] as like a manufacturer of bombs.”

    James Gosling: “People were willing to make trade-offs in reliability to get performance.”  
    Image: James Gosling/UserGroupsAtGoogle/YouTube

    These hackers have spent months hiding out in company networks undetected

    A cyber espionage campaign is using new malware to infiltrate targets around the world including organisations in media, finance, construction and engineering.
    Detailed by cybersecurity company Symantec, the attacks against organisations in the US, Japan, Taiwan and China are being conducted with the aim of stealing information and have been linked to an espionage group known as Palmerworm – aka BlackTech – which has a history of campaigns going back to 2013.
    The addition of a US target to this campaign suggests the group is expanding campaigns to embrace a wider, more geographically diverse set of targets in their quest to steal information – although the full motivations remain unclear.
    In some cases, Palmerworm maintained a presence on compromised networks for a year or more, often with the aid of ‘living-off-the-land’ tactics which take advantage of legitimate software and tools so as not to raise suspicion that something might be wrong – and thus also creating less evidence which can be used to trace the origin of the attack.
    Researchers haven’t been able to determine how hackers gain access to the network in this latest round of Palmerworm attacks, but previous campaigns have deployed spear-phishing emails to compromise victims.
    However, it’s known that deployment of the malware uses custom loaders and network reconnaissance tools similar to previous Palmerworm campaigns, leaving researchers “reasonably confident” it’s the same group behind these attacks.
    Palmerworm’s malware also uses stolen code-signing certificates in the payloads in order to make them look more legitimate and more difficult for security software to detect. This tactic is also known to have been previously deployed by the group.
    The trojan malware provides attackers with a secret backdoor into the network, and that access is maintained with the use of several legitimate tools, including PsExec and SNScan, which are abused to move around the network undetected. Meanwhile, WinRAR is used to compress files, making them easier for the attackers to extract from the network.
    “The group is savvy enough to move with the times and follow the trend of using publicly available tools where they can in order to minimise the risk of discovery and attribution,” said Dick O’Brien, principal on the threat hunter team at Symantec. “Like many state sponsored attackers, they seem to be minimising the use of custom malware, deploying it only when necessary.”
    Organisations Symantec have identified as victims of Palmerworm include a media company and a finance company in Taiwan, a construction firm in China and a company in the US; in each case attackers spent months secretly accessing the compromised networks. Shorter compromises of just a few days were detected on the networks of an electronics company in Taiwan and an engineering company in Japan.
    SEE: Security Awareness and Training policy (TechRepublic Premium)    
    Symantec haven’t attributed Palmerworm to any particular group, but Taiwanese officials have previously claimed that the attacks can be linked back to China. If that is the case, it suggests that Chinese hackers have targeted a Chinese company as part of the campaign – although researchers wouldn’t be drawn on the potential implications of this.
    However, what is certain is that whoever Palmerworm is working on behalf of, the group is unlikely to have ceased operations and will remain a threat.
    “Given how recent some of the activity is, we consider them still active. The level of retooling we’ve seen, with four new pieces of custom malware, is significant and suggests a group with a busy agenda,” said O’Brien.
    While the nature of advanced hacking campaigns means they can be difficult to identify and defend against, organisations can go a long way to protecting themselves by having a clear view of their network and knowledge of what usual and unusual activity looks like – and blocking suspicious activity if necessary.
    “Most espionage type attacks are not a single event. They are a long chain of events where the attackers use one tool to perform one task, another tool to perform the next task, and then hop from one computer to another and so on,” said O’Brien.
    “There are lots of steps the attacker has to take to get to where they want to go and do whatever they want to do. Each individual step is an opportunity for it to be detected, disrupted and even blocked. And what you’d hope is that, if they aren’t detected during one step in that chain, they will be detected in the next,” he added.
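    The chain-of-steps point above, and the PsExec / SNScan / WinRAR tooling described earlier, can be turned into per-step detection logic. The following is an added example, not code from Symantec or the article: it runs three simple rules over constructed process-creation events (host, user, image, command line) so that each step is flagged on its own, and a host where several steps fire stands out. Tool names and log format are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified "host|user|image|command line" form.
SAMPLE_EVENTS = [
    "WS01|corp\\jsmith|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "WS01|corp\\jsmith|C:\\Temp\\psexec.exe|psexec.exe \\\\FS02 -s cmd.exe",
    "FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe",
    "FS02|corp\\jsmith|C:\\Temp\\snscan.exe|snscan.exe 10.0.0.0/24",
    "FS02|corp\\jsmith|C:\\Program Files\\WinRAR\\Rar.exe|Rar.exe a -hp C:\\Temp\\out.rar D:\\Finance\\*",
    "WS03|corp\\backup|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe x backup.rar",
]

# One rule per step of the chain the article describes. A plain WinRAR
# extraction (the 'x' command) is ordinary admin activity and does not fire;
# 'a' (add to archive) with -hp (encrypt headers and data) is the staging pattern.
RULES = {
    "lateral_movement_psexec": re.compile(r"(?:^|\\)(psexec|psexesvc)\.exe", re.I),
    "recon_snscan": re.compile(r"(?:^|\\)snscan\.exe", re.I),
    "staging_winrar_archive": re.compile(r"(?:^|\\)(rar|winrar)\.exe\s+a\s", re.I),
}

def parse_event(line):
    """Split one constructed log line into its four fields."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}

def detect(lines):
    """Return {host: [rule names fired, in order seen]}; quiet hosts are omitted."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(ev["image"]) or pattern.search(ev["cmdline"]):
                if name not in hits[ev["host"]]:
                    hits[ev["host"]].append(name)
    return dict(hits)

def chain_hosts(hits, minimum=2):
    """Hosts on which at least `minimum` distinct steps fired: the strongest signal."""
    return sorted(h for h, names in hits.items() if len(names) >= minimum)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, names in found.items():
        print(host, "->", ", ".join(names))
    print("multi-step hosts:", chain_hosts(found))
```

A single hit (WS01 here) is a lead worth triage; FS02, where movement, reconnaissance and archiving all fire, is the host a responder would isolate first.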

    Security firm McAfee files for IPO on enthusiasm for IT stocks

    Computer security firm McAfee has filed for an initial public offering (IPO) on the NASDAQ market in a move that could see Intel totally divest itself of the company it acquired in 2010. 
    Enterprise IT companies have been dominating IPOs in 2020, and McAfee hopes that the market’s enthusiasm for IT companies will extend to its offering. It is looking to raise capital at around an $8 billion valuation, but it could go higher.
    Intel acquired McAfee for a record $7.7 billion 10 years ago as former Intel CEO Paul Otellini initiated a strategy to improve enterprise security across hardware and software. 
    However, Intel struggled to integrate the company —  renamed as Intel Security — and decided to spin it out under the original McAfee name. In April 2017 Intel sold a 51% stake to TPG Capital at a $4.2 billion valuation — losing nearly half its initial value.  
    Intel could regain some of its losses if the IPO does well. The recent Snowflake IPO was expected to start trading at around $75 to $85 but the IT cloud firm started trading at $245 a share before finishing its opening day at $120. Snowflake’s bankers were criticized for leaving too much money on the table by mispricing demand for the shares.
    McAfee’s revenues for 2019 were $2.64 billion, up 9.4 percent from $2.41 billion in 2018.
    McAfee has been acquiring smaller cybersecurity companies to strengthen its portfolio of products and services. It will trade under the ticker symbol $MCFE.
