More stories

    Liquid crypto-exchange says hacker accessed internal network, stole user data

    Liquid, one of today’s top 20 cryptocurrency exchange portals, disclosed a security breach on Wednesday.

    In a blog post on its website, the company said that last week, on Friday, November 13, a hacker managed to breach employee email accounts and pivot to its internal network.
    The company said it detected the intrusion before the hacker stole any funds, but a subsequent investigation revealed that the attacker was able to collect personal information from Liquid’s database that stored user details.
    Stolen information included real names, home addresses, email addresses, and encrypted passwords.
    Liquid CEO Mike Kayamori said the company is still investigating if the intruder was able to steal proofs-of-identity that all users must provide when making their first transaction on the platform.
    “We do not believe there is an immediate threat to your account due to our use of strong password encryption. Nevertheless, we recommend that all Liquid customers change their password and 2FA credentials at the earliest convenience,” Kayamori said.
    Another social engineering attack leading to a DNS hijack
    The company blamed the intrusion on its domain name provider, which fell victim to a social engineering attack and incorrectly transferred Liquid’s account to the hacker.

    Immediately after gaining control of this account, Liquid said the attacker hijacked the company’s DNS records, pointing incoming traffic to a server under their control.
    The hacker is believed to have used access over the company’s DNS records to redirect employees to fake login pages and collect their work email credentials, which they later used to access employee work email accounts, and later pivot to Liquid’s internal infrastructure.
    DNS hijacking attacks like these are bold, but they have also been very common against cryptocurrency services over the past few years. For example:

    Palo Alto Networks rolls out new 5G security offering

    Palo Alto Networks is rolling out new 5G security capabilities that the company said are designed to help service providers and enterprises secure and protect global network traffic in the 5G era.
    The offering aims to provide granular network visibility and control across all 5G network layers and traffic, giving service providers and enterprises end-to-end protection across their 5G networks, services, applications and devices, the company said. Key capabilities of Palo Alto’s 5G security approach include containerization and secure network slices, as well as real-time correlation of threats against users and devices.
    “For 5G to live up to its promise of transforming industries, companies need the confidence that 5G networks and services have enterprise-grade security,” said Anand Oswal, SVP and GM of Firewall as a Platform for Palo Alto Networks. “We created 5G-native security in order to give enterprises the confidence they need to harness 5G for business transformation and to help service providers secure the new enterprise services they are creating.”
    The company’s new 5G security capabilities are available on the Palo Alto Networks PA-5200 Series and PA-7000 Series hardware firewalls as well as all VM-Series software models running PAN-OS 10.0 or greater, the company said. Security services can be added based on use case requirements, the company said.
    Palo Alto Networks also announced this week its first quarter financial results, which topped market estimates. The company reported a net loss of $92.2 million, or 97 cents per share. Non-GAAP earnings came to $1.62 per share on revenue of $946 million, up 23% year-over-year.
    Wall Street was looking for earnings of $1.33 a share on $921.7 million in revenue. Looking ahead, Palo Alto expects total revenue for the second quarter in the range of $975 million to $990 million. It is forecasting diluted non-GAAP net income per share in the range of $1.42 to $1.44, using 98 million to 100 million shares.

    Why ransomware is still so successful: Over a quarter of victims pay the ransom

    Over a quarter of organisations that fall victim to ransomware attacks opt to pay the ransom, feeling they have no option but to give in to the demands of cyber criminals – and the average ransom amount is now over $1 million.
    A CrowdStrike study based on responses from thousands of information security professionals and IT decision makers across the globe found that 27 percent said their organisation had paid the ransom after their network was encrypted with ransomware.
    While law enforcement agencies say organisations should never give in and pay the ransom, many businesses justify making the payment because getting the decryption key from the attackers is viewed as the quickest and easiest way to restore the network.
    However, not only does paying the bitcoin ransom just encourage ransomware gangs to continue campaigns because they know they’re profitable, there’s also no guarantee that the hackers will actually restore the network in full.
    Infecting networks with ransomware is proving highly lucrative for cyber criminals, with figures in the report suggesting the average ransom paid per attack is $1.1 million.
    In addition to the cost of paying the ransom, it’s also likely that an organisation which comes under a ransomware attack will lose revenue because of lost operations during downtime, making falling victim to these campaigns a costly endeavour.

    However, falling foul of a ransomware attack does serve as a wake-up call for the majority of victims: over three-quarters of respondents to the survey say that in the wake of a successful ransomware attack, their organisation upgraded its security software and infrastructure in order to reduce the risk of future attacks, while two-thirds made changes to their security staff with the same purpose in mind.
    It’s unclear why almost a quarter of those who fall victim to ransomware attacks don’t plan to make any changes to their cybersecurity plans, but by leaving things unchanged, they’re likely putting themselves at risk from falling victim to future attacks.
    That’s especially the case during 2020, which has brought additional cybersecurity vulnerabilities to organisations due to the rise of people working from home because of the coronavirus pandemic.
    “In a remote working situation the attack surface has increased many times and security cannot be a secondary business priority,” said Zeki Turedi, Chief Technology Officer for EMEA at CrowdStrike.
    To avoid falling victim to ransomware attacks, it’s recommended that organisations ensure that systems are updated with the latest security patches, something which can prevent cyber criminals taking advantage of known vulnerabilities to deliver ransomware.
    It’s also recommended that two-factor authentication is deployed throughout the organisation, so that in the event of criminal hackers breaching the perimeter, it’s harder for them to move laterally around the network and compromise more of it with ransomware or any other form of malware.

    The worst passwords of 2020 show we are just as lazy about security as ever

    It’s that time of year again — when we see whether or not password security has improved over the past 12 months. 

    Going back to 2015, the worst passwords still commonly used included “123456” and “password.” Fast forward five years, and these examples are still very much alive. 
    After analyzing 275,699,516 passwords leaked during 2020 data breaches, NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.”
    On Wednesday, the password manager solutions provider published its annual report on the state of password security, finding that the most popular options were “123456,” “123456789,” “picture1,” “password,” and “12345678.”
    With the exception of “picture1,” which would take approximately three hours to decipher using a brute-force attack, each password would take seconds using either dictionary scripts — which compile common phrases and numerical combinations to try — or simple, human guesswork. 
    As one entrant on the 200-strong list, “whatever,” neatly sums up the state of password security, it seems many of us are still reluctant to use strong, difficult-to-crack passwords — and instead, we are going for options including “football,” “iloveyou,” “letmein,” and “pokemon.”

    The 10 most common passwords of 2020, based on NordPass’ dataset, are listed below:

    When selecting a password, you should avoid patterns or repetitions, such as letters or numbers that are next to each other on a keyboard. Adding a capital letter, symbols, and numbers in unexpected places can help, too — and in all cases, you should not use personal information as a password, such as birthdates or names. 
    While vendors need to be reminded that allowing easy and simple combinations does nothing to protect the privacy and security of users, it is also up to us to take responsibility for our own accounts.
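    The advice above (avoid keyboard-adjacent runs and repeated characters, mix character classes, keep personal information out) can be turned into a simple pre-submission check. The following is an added example, not code from the article, from NordPass or from any vendor named on the page; the keyboard rows, the minimum length of 12, the run thresholds and the small sample list (built from passwords the article names) are all assumptions made here for illustration.

```python
"""Password-pattern checks illustrating the guidance in the article (added example).

Assumptions (not from the article): a US QWERTY keyboard layout, a minimum
length of 12, a keyboard run of 4+ characters and a repeat run of 3+ characters
count as patterns. COMMON_PASSWORDS is a constructed sample built from the
passwords the article names, not NordPass' full 200-entry list.
"""
import re

COMMON_PASSWORDS = {"123456", "123456789", "picture1", "password", "12345678",
                    "football", "iloveyou", "letmein", "pokemon", "whatever"}

# Physical rows of a US QWERTY keyboard; reversed copies catch runs typed right-to-left.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_KEY_SEQS = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]

MIN_LENGTH = 12   # assumption
ADJ_RUN = 4       # assumption: 4+ consecutive keyboard-adjacent characters
REPEAT_RUN = 3    # assumption: 3+ identical consecutive characters


def _longest_keyboard_run(pw: str) -> int:
    """Length of the longest substring that lies on one keyboard row (either direction)."""
    lower = pw.lower()
    best = 1 if lower else 0
    for i in range(len(lower)):
        for j in range(i + 2, len(lower) + 1):
            # If lower[i:j] is not on any row, no longer substring from i will be either.
            if any(lower[i:j] in seq for seq in _KEY_SEQS):
                best = max(best, j - i)
            else:
                break
    return best


def _longest_repeat(pw: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best, run, prev = 0, 0, None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(pw: str, personal_tokens=()) -> list:
    """Return a list of findings; an empty list means no rule was triggered.

    personal_tokens: strings such as a name or birth year that must not appear
    in the password (case-insensitive).
    """
    findings = []
    lower = pw.lower()
    if lower in COMMON_PASSWORDS:
        findings.append("common-password")
    if len(pw) < MIN_LENGTH:
        findings.append("too-short")
    if _longest_keyboard_run(pw) >= ADJ_RUN:
        findings.append("keyboard-pattern")
    if _longest_repeat(pw) >= REPEAT_RUN:
        findings.append("repeated-characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("low-variety")
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in lower:
            findings.append(f"personal-info:{token}")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, including two from the article's top five.
    for candidate in ("123456", "picture1", "qwertyuiop!Smith2020", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate, personal_tokens=("Smith",)))
```

    The checker is deliberately a list of independent rules rather than a single score, so a user (or a registration form) can be told exactly which piece of the advice a candidate password violates. It complements, rather than replaces, a lookup against a full breached-password list.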
    If you find it hard to remember complex passwords for different accounts, you may want to consider using a password locker. If you need somewhere to start, check out our recommendations for the best password managers and vaults in 2020. 

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Amazon Web Services’ new Network Firewall solution rolls out

    Amazon Web Services (AWS) has announced the general availability of AWS Network Firewall. 

    The managed security service has been created in order to give customers improved visibility into their AWS setups and architecture, as well as to bolster network security. 
    AWS’ system can be enabled in Amazon Virtual Private Cloud (VPC) environments via the AWS console, and will automatically add a layer of network protection across AWS workloads and servers. In addition, AWS Network Firewall will scale up based on network traffic rates. 
    The solution’s rules engine can be customized or imported from AWS Partner Network (APN) providers such as CrowdStrike, Fortinet, and Trend Micro, among others. Snort and Suricata rules can also be implemented.
    According to Steve Schmidt, chief information security officer at AWS, the solution was built with customer feedback in mind: clients said they wanted a cloud network firewall and network protections that “work with their existing security systems and without the headache of managing the underlying infrastructure.”
    AWS already provides Web Application Firewall (WAF); AWS Shield, designed to stop Distributed Denial-of-Service (DDoS) attacks; AWS Security Groups for the protection of Amazon Elastic Compute Cloud (EC2) instances; and AWS Firewall Manager, a console to monitor firewall controls across AWS setups.

    Amazon says that while existing offerings do address specific firewall security needs, Network Firewall will provide a blanket network security layer across all workloads. The system is able to monitor domain-based access controls, identify malicious traffic and implement web filtering, and inspect traffic packets from the network layer to the application layer. 
    AWS Network Firewall is now available in the US East, West, and European regions, with more regional deployments coming “soon.”
    Amazon’s security solution is paid for based on hours deployed and gigabytes of data processed. 
    “AWS Network Firewall provides scalable network protections that allow customers to deploy highly customizable rules for their entire AWS infrastructure, and integrates with many of the APN partner services that customers already use,” Schmidt commented. “Best of all, there’s no need to configure or maintain additional infrastructure.”

    Hacking group exploits ZeroLogon in automotive, industrial attack wave

    Researchers have uncovered a worldwide campaign targeting businesses using the recently-disclosed ZeroLogon vulnerability. 

    The active cyberattack is thought to be the handiwork of Cicada, also tracked as APT10, Stone Panda, and Cloud Hopper. 
    Historically, the threat group — first discovered in 2009 and one that the US believes may be sponsored by the Chinese government — has targeted organizations connected to Japan, and this latest attack wave appears to be no different.
    Symantec researchers have documented companies and their subsidiaries in 17 regions, involved in automotive, pharmaceutical, engineering, and the managed service provider (MSP) industry, which have been recently targeted by Cicada.
    According to the company, Cicada’s latest attack wave has been active since mid-October 2019 and has continued up to at least October this year.
    Cicada appears to be well-resourced and uses a variety of tools and techniques. This includes DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting provider for the download, packaging, and exfiltration of stolen information. 

    Of particular note is a recent addition to the hacking group’s toolkit: a tool able to exploit ZeroLogon. Tracked as CVE-2020-1472, issued a CVSS score of 10, and both disclosed and patched by Microsoft in August, the vulnerability can be used to spoof domain controller accounts and hijack domains, as well as compromise Active Directory identity services.
    Cicada has also launched Backdoor.Hartip, a custom form of malware not before seen in connection to the APT, against its targets. 
    It appears that the group is focused on the theft of information and cyberespionage. Data of interest — including corporate records, HR documents, meeting memos, and expense information — is often packaged up and whisked away to Cicada’s command-and-control (C2) servers. 
    “The amount of time the attackers spent on the networks of victims varied, with the attackers spending a significant amount of time on the networks of some victims, while spending just days on other victim networks,” the researchers say. “In some cases, too, the attackers spent some time on a network but then the activity would cease, but start again some months later.”
    The campaign has been attributed to Cicada with “medium” confidence due to clues in how code is obfuscated, the use of DLL side-loading, and DLL names including “FuckYouAnti,” which has previously been documented in a Cylance report on the same APT. In addition, the final payload combines QuasarRAT, used in the past by Cicada, with Backdoor.Hartip.
    “Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec says. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”

    WFH leads to surge in mobile phishing and malware attacks targeting pharmaceuticals companies

    Cyber criminals are increasingly going after the pharmaceuticals industry by targeting employees with phishing and malware campaigns tailored to take advantage of potential security vulnerabilities in smartphones and tablets.
    Pharmaceuticals is an extremely high-profile target right now, as drug companies attempt to develop a vaccine for COVID-19 and there have already been several recorded instances of nation-state-backed hacking campaigns attempting to steal intellectual property from medical research institutions.

    And researchers at mobile cybersecurity company Lookout say there’s been a spike in mobile phishing attacks targeting pharmaceutical employees over the course of this year as cyber criminals attempt to gain access to sensitive data.
    The company analyses security telemetry from almost 200 million mobile devices and over 125 million mobile apps from across its customer base: the claim comes following analysis of de-identified and aggregated data from Lookout customers in the pharmaceutical industry. 
    According to the report, one of the reasons for the rise in attacks targeting mobile devices is because of the shift to remote working as a result of the coronavirus pandemic – meaning employees suddenly became more reliant on mobile devices to be productive while working from home.
    While email remains the most common avenue for phishing attacks, the wide variety of messaging apps and social media platforms people use on their smartphones provide hackers with a number of different options for delivering tailored messages and malicious links.

    “Since most of us use personal mobile devices for work, attackers can socially engineer us using countless channels, such as SMS, iMessage, 3rd party messaging platforms, and social media platforms,” Hank Schless, senior manager of security solutions at Lookout, told ZDNet.
    “The attacker can tailor their phishing message depending on which of these options they decide to use. Since we have our mobile device on us all the time, we also tend to trust messages that are sent to them, which makes mobile phishing attacks more effective,” he added.
    In many cases, the aim of phishing attacks is credential harvesting, with the attacker looking to trick a victim into handing over their username and password. With this, the cyber criminal can log in as the employee and move around the network infrastructure in an effort to find and steal sensitive data.
    Hackers are also targeting smartphones and tablets of people working in pharmaceuticals in an effort to deliver malware – something researchers at Lookout say has more than doubled this year.
    These attacks attempt to trick the victim into downloading malware onto their device, which then allows the attacker to secretly monitor the device in the background, snooping on the activity of the user and enabling attackers to gain access to files and storage drives.
    “In pharma, mobile devices are used across the entire supply chain from research and development to trialling and all the way to manufacturing and distribution. With so much proprietary data being stored in cloud services and accessed through smartphones and tablets, a successful exploitation could lead to serious legal and compliance-related ramifications for the company,” said Schless.
    Forms of malware that attackers are attempting to deliver include Monokle, SilkBean and Wroba trojan.
    One of the reasons why malware is proving to be effective against mobile devices is because a significant number of users continue to use out-of-date operating systems.
    Applying operating system updates and security patches goes a long way towards protecting users against malicious attacks, but organisations and individual users often don’t do this swiftly, potentially enabling hackers to exploit known vulnerabilities that already have security fixes.
    In order to help protect employees – and, therefore, the whole organisation – from falling victim to hackers targeting smartphones, security updates for mobile devices should be treated as they are for traditional endpoints and applied as quickly as possible. “To fully secure your pharmaceutical workforce, mobile devices need to be included in your overall security strategy,” said Schless.

    Capcom confirms Ragnar Locker ransomware attack, data exposure

    Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records. 

    This week, the Japanese gaming giant confirmed that the company had fallen prey to “customized ransomware” which gave attackers unauthorized access to its network — as well as the data stored on Capcom Group systems. 
    The firm says it has “verified that some personal information has been compromised,” adding that the ransomware outbreak “destroyed and encrypted data on its servers.”
    A ransom payment was demanded, but it does not appear that Capcom bowed to blackmail.
    Capcom has provided an extensive list of confirmed and potentially compromised records. As of November 16, the firm has verified that the personal information of former employees — including names, signatures, addresses, and passport information — was exposed. These “five items” join “four items” relating to current employees and their names, as well as human resource records.
    Capcom says that sales reports and financial information were also impacted, but has not gone into further detail.

    Together with the confirmed leaks of data, Capcom has also provided a list of potentially exposed records, choosing to list them as worst-case scenarios:
    • The PII of customers, business partners, and more: 350,000 items
    • Japan’s customer service video game support, help desk: 134,000 items, including names, addresses, phone numbers, email addresses
    • North America: Capcom Store member information: 14,000 items, including names, dates of birth, email addresses
    • Esports operations website members: 4,000 items, including names, email addresses, gender
    • Shareholder lists: 40,000 items, including names, addresses, shareholder numbers, amounts
    • Former employees and family: 28,000 people; applicant data (125,000 people): names, dates of birth, addresses, phone numbers, and more
    • Human resources data: 14,000 people
    • Confidential corporate information: business partner records, sales documents, and more
    Capcom is keen to emphasize that no credit card data has been included in the breach, as payments are managed by a third party.
    “Because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time,” the firm says.
    The security incident occurred on November 2. Email systems and a number of file servers were impacted and so the company temporarily cut some services to stop the attack — and also warned investors that “inquiries and/or requests for documents” would not be answered. 
    ZDNet learned at the time that Ragnar Locker ransomware may be to blame. In a ransomware note displaying the Capcom brand, the attackers behind the infection demanded that the company get in touch to negotiate a blackmail payment. 
    The company is working with law enforcement in Japan and the US, as well as external security experts, as part of an investigation into the cyberattack. Capcom also says a new cybersecurity advisory board will be created “towards preventing any reoccurrence.”
    “Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders,” the company says. “In order to prevent the reoccurrence of such an event, it will endeavor to further strengthen its management structure while pursuing legal options regarding criminal acts such as unauthorized access of its networks.”