More stories


    New tool detects shadow admin accounts in AWS and Azure environments

    Cyber-security firm CyberArk has released today a new free tool that can detect “shadow administrator accounts” inside cloud environments like Amazon Web Services (AWS) and Microsoft Azure.
    The new tool, named SkyArk, comes with two components, AWStealth and AzureStealth, for scanning a company’s AWS and Azure environments respectively.
    Both components work by analyzing a company’s entire list of AWS or Azure accounts and the permissions assigned to each user, looking for so-called “shadow admins.”
    The rarely used term describes low-privilege accounts whose individually modest permissions, when combined, give the user broad or even full admin-level access to AWS or Azure infrastructure, even though the user was never meant to have that much control.
    Shadow admins can also be created by accident when companies integrate cloud environments with on-premises assets, where unforeseen interactions can, in certain scenarios, open up access to data and company resources.

    AWStealth scan results
    Image: CyberArk

    AzureStealth scan results
    Image: CyberArk

    “While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments (i.e. AWS and Azure each have more than 5,000 different permissions),” CyberArk said today.
    “As a result, there are many cases where Shadow Admins might be created,” the company said.
    The new SkyArk tool has been open-sourced on GitHub today.
    The tool comes with the appropriate documentation to get system administrators started.
    SkyArk is the second open source tool CyberArk has released this year. In April, the company released SkyWrapper, a tool that can scan AWS infrastructure and detect if hackers have abused self-replicating tokens to maintain access to compromised systems.


    OkCupid: Hackers want your data, not a relationship

    Researchers exploring OkCupid for security holes have found a way for hackers to pillage the sensitive data of users. 

    OkCupid has catered to over 50 million registered users since its launch. As one of the most popular options out there for dating — alongside rivals such as Tinder, Plenty of Fish, eHarmony, Match, and Grindr — the online dating platform is used to organize roughly 50,000 dates per week. 
    In a time where the novel coronavirus pandemic and social distancing measures make meeting new people in a bar or other public space more difficult, many of us have turned to online dating and virtual meetups as an alternative. 
    Dating apps experiencing a surge in users or requests for new features — such as video chats — began changing the way their platforms worked, and OkCupid was no exception. The dating platform has experienced a 20% increase in conversations worldwide and a 10% increase in matches since the beginning of lockdowns imposed due to COVID-19.

    With an expanding user base, however, there comes additional risk to personal data when security is not up to scratch. 
    On Wednesday, Check Point Research disclosed a set of vulnerabilities in OkCupid that could lead to the exposure of sensitive profile data on the OkCupid app, the hijack of user accounts to perform various actions without their permission, and the theft of user authentication tokens, IDs, and email addresses.
    The app in question is OkCupid on Android, with version 40.3.1 on Android 6.0.1 becoming the test subject. 
    The cybersecurity researchers reverse-engineered the mobile software and discovered “deep link” functionality, meaning an attacker could craft custom, malicious links that open the mobile app.
    Reflected Cross-Site Scripting (XSS) attack vectors were also discovered due to coding issues in the app’s user settings functionality, which opened up a path for the deployment of JavaScript code. 
    Combined, these flaws let an attacker serve an HTTP GET request and an XSS payload from their own server, with the resulting JavaScript executed inside the app’s WebView.
    If a victim clicks on a crafted link — potentially sent personally through the app or posted on a public forum — PII, profile data, user characteristics — such as those submitted when profiles are created — preferences, email addresses, IDs, and authentication tokens could all be compromised and exfiltrated to the attacker’s command-and-control server (C2). 
    As the vulnerabilities could be used to steal IDs and tokens, they could also let attackers perform actions on the victim’s behalf, such as sending messages. However, a full account takeover is not possible due to existing cookie protections.
    Check Point also uncovered a misconfigured Cross-Origin Resource Sharing (CORS) policy on the API server at api.OkCupid.com, allowing any origin to send requests to the server and read the responses. Further attacks could lead to the exfiltration of user data from the profile API endpoint.
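    The CORS misconfiguration described above, as an added example that is not Check Point’s or OkCupid’s code: a small audit that mirrors the browser’s cross-origin read check against a simulated API, with the origin-reflecting response beside an allow-list fix. The host api.example.invalid and the probe origins are constructed placeholders.

```python
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed placeholders: the API host under audit and its one legitimate web front end.
API_ORIGIN = "https://api.example.invalid"
ALLOWED_ORIGINS = {"https://www.example.invalid"}


def normalize_origin(origin: str) -> str:
    """Reduce an Origin value to lower-case scheme://host[:port], the tuple browsers compare.
    The opaque origin 'null' (sandboxed frames, file:// pages) is passed through unchanged."""
    if origin == "null":
        return "null"
    parts = urlsplit(origin)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname or ''}{port}".lower()


def browser_allows_read(origin: str, headers: Dict[str, str], with_credentials: bool) -> bool:
    """Mirror the browser-side CORS check: may a page at ``origin`` read a response with
    ``headers``? Header names are case-insensitive; with credentials the wildcard is
    rejected and Access-Control-Allow-Credentials must be exactly 'true'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if normalize_origin(acao) != normalize_origin(origin):
        return False
    if with_credentials:
        return h.get("access-control-allow-credentials", "").lower() == "true"
    return True


def weak_cors_headers(origin: str) -> Dict[str, str]:
    """The misconfiguration described above: every requesting Origin is echoed back with
    credentials allowed, so a page on any site can read the API's responses."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors_headers(origin: str) -> Dict[str, str]:
    """Allow-list fix: only known first-party origins are echoed back, and Vary: Origin
    keeps a cache from serving one origin's CORS headers to another."""
    if normalize_origin(origin) not in {normalize_origin(o) for o in ALLOWED_ORIGINS}:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def audit_cors(server: Callable[[str], Dict[str, str]], api_origin: str,
               probe_origins: List[str]) -> Dict[str, List[str]]:
    """Feed each probe Origin to ``server`` (a function standing in for the API's response
    headers) and report which foreign origins a browser would let read the replies."""
    anonymous: List[str] = []
    credentialed: List[str] = []
    for origin in probe_origins:
        if normalize_origin(origin) == normalize_origin(api_origin):
            continue  # same-origin requests are not subject to CORS
        headers = server(origin)
        if browser_allows_read(origin, headers, with_credentials=False):
            anonymous.append(origin)
        if browser_allows_read(origin, headers, with_credentials=True):
            credentialed.append(origin)
    return {"anonymous_read": anonymous, "credentialed_read": credentialed}


# Constructed probe set: the legitimate front end, an unrelated site, a look-alike host
# that merely starts with the API's name, and the opaque origin.
PROBE_ORIGINS = [
    "https://www.example.invalid",
    "https://third-party.invalid",
    "https://api.example.invalid.third-party.invalid",
    "null",
]

if __name__ == "__main__":
    print("weak    :", audit_cors(weak_cors_headers, API_ORIGIN, PROBE_ORIGINS))
    print("hardened:", audit_cors(hardened_cors_headers, API_ORIGIN, PROBE_ORIGINS))
```

    Against a live API the `server` callable would be replaced by a function that issues a request with the probe Origin and returns the response headers; the weak configuration lists every foreign origin under both keys, the hardened one only the allow-listed front end.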
    While the theft of information submitted to a dating app may not seem like such a big deal, the wealth of personal data possibly harvested by attackers could be used in social engineering attempts, leading to far more damaging consequences. 
    “The app and platform were created to bring people together, but of course where people go, criminals will follow, looking for easy pickings,” the researchers commented. 
    Check Point Research informed OkCupid of its findings and the security issues have now been resolved. 
    “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours,” the company said. “We’re grateful to partners like Checkpoint who, with OkCupid, put the safety and privacy of our users first.”
    In related news, in May, MobiFriends was central to a data leak in which the personal information of 3.6 million users was compromised and posted online. The data dump also included poorly-encrypted passwords. 
    ZDNet has reached out to OkCupid with additional queries and will update when we hear back. 



    US provides new expanded set of espionage charges against former Twitter employees

    Fresh off dismissing spying charges against two former Twitter employees and another individual on Tuesday, the US government has unfurled a new superseding indictment that accuses the three individuals of even more offences. The two former Twitter employees, Ahmad Abouammo and Ali Alzabarah, and the third person named Ahmed Almutairi were originally charged with fraudulently accessing private information and acting as illegal agents of a foreign government for allegedly spying on Twitter users critical of the Saudi royal family.
    This time around, the individuals have been charged with seven offences instead of two. The charges include acting as an agent for a foreign government without notice to the attorney general; conspiracy to commit wire fraud; wire fraud; money laundering; destruction, alteration, or falsification of records in federal investigations; aiding and abetting; and criminal forfeiture. 
    The factual accusations made by the US government are largely the same when compared to the original complaint, with the two former Twitter employees still being accused of using their company privileges to provide non-public information of Twitter accounts to the Saudi government and royal family. 
    The original complaint had claimed that the two former Twitter employees accessed information such as telephone numbers, recent IP address information, devices used, user-provided biographical information, logs containing a user’s browser information, and a complete log of a user’s actions on Twitter without authorisation or consent.
    In the new indictment, the US government provides more detail on whose information was allegedly taken. According to the new indictment, Abouammo and Alzabarah accessed information on the accounts of journalists, celebrities, and public interest and branded organisations in the Middle East.

    The new indictment also accuses Saudi officials of paying Abouammo at least $200,000, via wire transfer to a shell company and a bank account in Lebanon. It is also alleged that he was given a watch valued around $20,000. The amount stated in the original complaint was around $300,000.  
    The US government is also accusing Abouammo of lying to the Federal Bureau of Investigation (FBI) about the money he received, the watch, and communications with Saudi officials. Abouammo allegedly lied to the FBI by not reporting the watch and provided a falsified, backdated receipt that showed a $100,000 payment from Saudi officials, which he said was provided in exchange for media consulting services.
    ZDNet has reached out to Twitter for comment about its former employees.


    Today’s ‘mega’ data breaches now cost companies $392 million to recover from

    The average cost of a “mega” data breach has risen astronomically over the past year and enterprise players impacted by such a security incident can expect to pay up to $392 million.

    Data breaches are a commonplace occurrence now and cyberattacks launched against companies have spawned a new cyberinsurance industry, the emergence of regulatory and class-action lawsuits against firms that fail to protect data, and new laws — such as the EU’s GDPR — that can be used to impose heavy penalties against data controllers with lax security. 
    Yet, the data breaches keep rolling in, some of which lead to the theft of consumer records for sale on underground forums and an increased risk of identities being stolen. 
    In order to tackle the aftermath of a data breach, organizations may need to spend funds on repairing systems and upgrading architectures, they may need to invest in new cybersecurity services and cyberforensics, and they may also face lawsuits or regulatory penalties — and the cost continues to increase year-on-year when customer PII is involved. 
    On Wednesday, IBM released its annual Cost of a Data Breach Report which says that the average data breach now costs $3.86 million. While this average has decreased by 1.5% in comparison to 2019, when over 50 million consumer records are involved, these “mega” breaches can cost up to $392 million to remedy, up from $388 million in 2019.

    If an organization is acting as a data controller for between 40 and 50 million records, the cost on average is $364 million, and organizations could face a cost of up to $175 per consumer record involved in data theft or leaks.
    The study, conducted by the Ponemon Institute, includes interviews with over 3,200 security professionals working at companies that have experienced a data breach in the past year. 
    Compromised employee and insider accounts, as highlighted by the recent Twitter hack, are one of the most expensive factors in data breaches today, bringing the average cost of a data breach up to $4.77 million. When insider accounts were involved, 80% of incidents resulted in the exposure of customer records. 
    In total, stolen or compromised account credentials — alongside cloud misconfigurations — account for close to 40% of security incidents. 
    IBM says that in one out of five breaches, compromised account credentials have been used as an entryway for attackers, leading to the exposure of over 8.5 billion records in 2019 alone. Cloud misconfigurations account for close to 20% of network breaches. 
    The exploitation of third-party vulnerabilities, such as zero-days or unpatched security flaws in enterprise software, is also a costly factor in data breaches. An enterprise company that suffers a data breach due to such vulnerabilities can expect to pay up to $4.5 million.
    State-sponsored attacks, including those conducted by advanced persistent threat (APT) groups, are far less common and only represent 13% of overall data breaches reported by enterprise companies. However, when these threat actors are involved, the damage they cause often results in higher recovery costs, represented by an average of $4.43 million. 
    If cyberinsurance has been taken out by organizations, this can reduce the damage bill on average by $200,000, with the majority of insurance payouts used for legal services and consultancy fees. 
    Within the report, IBM cites AI, machine learning, and automation as valuable tools for responding to data breaches that may cut down incident response times by up to 27%.
    “At a time when businesses are expanding their digital footprint at an accelerated pace and security industry’s talent shortage persists, teams are overwhelmed securing more devices, systems and data,” commented Wendi Whitmore, VP of IBM X-Force Threat Intelligence. “When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies.”



    US requests to drop spy allegations against former Twitter employees

    The US government has requested to drop charges against two former Twitter employees and another individual who had been accused of spying on Twitter users critical of the Saudi royal family.
    The two former Twitter employees, Ahmad Abouammo and Ali Alzabarah, and the third person named Ahmed Almutairi had been arrested on charges of fraudulently accessing private information and acting as illegal agents of a foreign government.  
    First reported by Bloomberg, prosecutors filed a notice on Tuesday requesting for the charges to be dropped. 
    While the two-page notice itself does not provide reasons for the dismissal, the request was submitted “without prejudice”, meaning that the government could file new charges if the notice is approved.
    The charges, originally unsealed late last year, alleged that between November 2014 and May 2015, Almutairi and Saudi officials convinced the two former Twitter employees to use their credentials to access private information about individuals behind certain Twitter accounts, particularly those who were critical of the Saudi government and royal family.

    The complaint also revealed the two former Twitter employees could access information such as recent IP address information, device used, user-provided biographical information, logs containing a user’s browser information, and a complete log of a user’s actions on Twitter.
    ZDNet has reached out to Twitter for comment about the dropped charges.
    Earlier this month, Twitter suffered a security incident that saw accounts of public figures — such as Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Michael Bloomberg, and many others — being breached. The breached accounts issued tweets promoting a cryptocurrency scam. The scam asked followers to send money to a blockchain address in exchange for a larger payback.
    Within 24 hours of the incident, Twitter commenced an investigation and confirmed internal tools were used to breach the verified accounts. Twitter has since provided various updates of its investigation, confirming that hackers accessed the direct messages of 36 users, targeted 130 accounts, tweeted on behalf of 45, and downloaded data from eight. 


    Amazon Fraud Detector now generally available

    Amazon Web Services (AWS) has announced the general availability of its machine learning-based fraud detection service.
    Amazon Fraud Detector is a fully managed service touted as making it easy to quickly identify potentially fraudulent online activities, such as online payment and identity fraud, the creation of fake accounts, and loyalty account and promotion code abuse “in milliseconds”.
    To use the service, customers can select a pre-built machine learning model template; upload historical event data of both fraudulent and legitimate transactions to build, train, and deploy machine learning models; and create decision logic to assign outcomes to the predictions.
    “Customers of all sizes and across all industries have told us they spend a lot of time and effort trying to decrease the amount of fraud occurring on their websites and applications,” Amazon machine learning VP Swami Sivasubramanian said.
    “By leveraging 20 years of experience detecting fraud coupled with powerful machine learning technology, we’re excited to bring customers Amazon Fraud Detector so they can automatically detect potential fraud, save time and money, and improve customer experiences — with no machine learning experience required.”

    Based upon the type of fraud customers want to predict, Amazon Fraud Detector will pre-process the data, select an algorithm, and train a model.
    Amazon Fraud Detector trains and deploys a model to a fully managed, private API endpoint. Customers can send new activity to the API, such as signups or new purchases, to receive a fraud risk response, which includes a fraud risk score. Based on the report, a customer’s application can determine the right course of action, for example, to accept a purchase, or pass it to a human for review, AWS explained.
    Announcing the service at AWS re:Invent in December, CEO Andy Jassy said at the time that his company is always looking at what it can offer, including within its in-house capabilities, to give value to its customers.
    “We have a number of services that we’ve done at scale at Amazon that customers have asked for as a service,” he said, pointing to Amazon Lex, Amazon Personalize, and Amazon Forecast as recent examples.
    “We’ve been doing fraud detection for over 20 years.”
    Jassy said machine learning is “unbelievably helpful” but that it is hard for most companies to use machine learning for fraud detection.
    “You send us the transaction data … email addresses, IPs, perhaps phones numbers, along with transactions that are fraudulent and those which are legitimate and then we take that data along with the algorithms we’ve built … and we build a unique model for you,” he added.
    “It’s then exposed via an API.
    “A completely different way to manage fraud with machine learning.”
    Amazon Fraud Detector is available today in US East (Northern Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), and Asia Pacific (Sydney) regions, with additional regions to be added in the coming months.


    Hacker gang behind Garmin attack doesn't have a history of stealing user data


    Wearables and GPS tracker maker Garmin suffered a ransomware attack last week after a hacker gang breached its internal network and encrypted the company’s servers.
    The attack caused a five-day outage for the company, during which time users feared that the hackers might have also stolen their personal details and geolocation history from Garmin’s servers.
    Stealing data before encrypting the victim’s network has become widespread among ransomware gangs, who often use the stolen data to coerce victims into paying the ransom demand.
    However, three cyber-security firms who spoke with ZDNet this week have said that the hacker group suspected of being behind the Garmin hack is one of the rare groups who don’t engage in this particular practice and has no history of stealing customer data before encrypting files.
    Attack linked to EvilCorp gang
    Known as EvilCorp, this hacker group operates out of Russia, and two of the gang’s members were indicted by US officials last December for operating the Dridex malware botnet.

    However, while the group’s malware centerpiece is the vast Dridex botnet, the group has also been tied to ransomware operations.
    EvilCorp’s first forays into the ransomware scene happened in 2016 when the group started distributing the Locky and Bart strains, which they mass-spammed across the internet, targeting home consumers.
    Circa 2017, as the ransomware landscape evolved from targeting regular users to attacking companies, the EvilCorp gang also changed their ways with the times and launched BitPaymer, a new ransomware strain they used exclusively in attacks against high-profile targets, such as enterprises, government networks, or healthcare organizations.
    But the software landscape evolves, and sometimes code becomes inefficient or malware detections get better. As such, earlier this year, EvilCorp evolved again. The actual reasons are unknown, but according to reports from Fox-IT, Malwarebytes, SentinelOne, and Symantec, around May 2020, the EvilCorp gang started replacing BitPaymer with a newer and better ransomware strain called WastedLocker.
    This newer WastedLocker version has been identified as the ransomware that encrypted Garmin’s network, according to Garmin employees who spoke with ZDNet and to many other news outlets.
    No data theft in past BitPaymer and WastedLocker attacks
    Yesterday, Garmin formally admitted to suffering a ransomware attack in SEC 8-K filings and a public press release. A particular sentence from the press release caught our eye.
    “We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen.”
    Since Garmin’s formal announcement yesterday, ZDNet has reached out to cyber-security firms that are known to provide incident response services for ransomware attacks.
    In interviews this week, security researchers from Coveware, Emsisoft, and Fox-IT have told ZDNet that, historically, they have not seen evidence of user data theft during past BitPaymer and WastedLocker attacks.
    “Bitpaymer did not have a history of data exfiltration,” Bill Siegel, CEO of Coveware, a company that does incident response and even handles ransomware payments negotiations, told ZDNet.
    Siegel said the same holds for BitPaymer’s replacement, WastedLocker, with Emsisoft and Fox-IT confirming his assessment from their own experience and the Malwarebytes report reaching the same conclusion.
    “In the WastedLocker cases we were involved in, we didn’t see any indication of data being stolen,” Emsisoft Chief Technical Officer Fabian Wosar told us in an online chat.
    “We have not seen them [EvilCorp] stealing customer data to specifically use to force victims to pay,” Frank Groenewegen, Chief Security Expert at Fox-IT, also told ZDNet in a phone call.
    However, Groenewegen doesn’t rule out the fact that some data exfiltration might have taken place, in some form or another.
    The Fox-IT exec says that EvilCorp often steals data from a company’s network, but this usually consists of content such as manuals, employee lists, Active Directory credential dumps, and various other internal files.
    The hackers scour this information for details that may aid the EvilCorp hackers in moving laterally across a network and deploying their ransomware to as many computers as possible.
    This data could contain small portions of personal information, the Fox-IT exec warns. Furthermore, since logs are usually deleted or encrypted, many companies can’t tell right away if user data was stolen.
    Nevertheless, EvilCorp is nowhere near the same category as some other ransomware gangs. Groups like Maze, REvil, Ako, CLOP, and others are widely known today to steal huge swaths of data from the networks they hack, data they threaten to publish on “leak sites” to force victims to pay huge ransomware decryption fees.
    EvilCorp stole some user data in the past, long ago
    But Groenewegen warns that if EvilCorp hasn’t visibly stolen data to use in extortions in past BitPaymer and WastedLocker attacks, this doesn’t mean they aren’t doing it right now, or won’t do it in the future.
    The Fox-IT exec says that EvilCorp is more than capable of exfiltrating data, referring to older attacks.
    “Before they started to focus on deploying ransomware, they used to target payment processors to steal debit/credit card data,” Groenewegen said. The EvilCorp gang then turned around and sold this data on carding forums for a profit.
    However, judging by what the three security firms have told ZDNet about the group’s past modus operandi, Garmin user data currently appears to be safe.
    Of course, this article is not definitive in its assessment; it is speculative analysis of the Garmin incident based on past EvilCorp attacks and the expertise of those involved in the respective incident responses.


    Box adds automated classification to content security product, Box Shield

    Box on Tuesday started rolling out a new automated classification feature for Box Shield, its popular content security product. The new feature uses machine learning to automatically scan files as they’re uploaded or edited in Box and apply classification labels. 
    Box stressed that the feature should better help organizations meet compliance needs, even as employees work remotely through the COVID-19 pandemic. 
    “Remote work has accelerated cloud adoption as businesses seek to enable a distributed workforce and serve their customers digitally,” Box CISO Lakshmi Hanspal said in a statement. “This requires a completely new approach to security and privacy. As more work is done outside office boundaries on both managed and personal devices it is critical to have one source of truth for all of your data in order to meet new regulatory and compliance standards without slowing down business.”
    Box Shield, introduced last year, gives Box users natively-integrated threat detection and security controls to protect their content. During the company’s Q1 conference call in May, Box said that Box Shield is the fastest-growing add-on product in the company’s history. The cloud content management company is using add-on products like Box Shield to expand its business with existing customers and land bigger contracts. In the first quarter, nearly 80% of Box’s $100,000-plus deals included at least one add-on product.
    With the new classification feature, content is automatically classified based on admin-defined policies. The feature can identify multiple forms of personally identifiable information (PII) within files, such as social security numbers, driver’s licenses, International Bank Account Number (IBAN) codes and International Classification of Diseases (ICD-9/ICD-10) codes. It can also automatically identify custom terms or phrases. It supports the most common unstructured file types in Box, including documents, spreadsheets, and PDFs.

    In addition to using automated classification, Box Shield customers can classify files via API, through Box security partners like IBM, Palo Alto Networks, Broadcom, McAfee, Netskope, and Microsoft.