• Windows & Linux get options to disable Intel TSX to prevent Zombieload v2 attacks
    Both Microsoft and the Linux kernel teams have added ways to disable support for Intel Transactional Synchronization Extensions (TSX). TSX is the Intel technology that exposes the company's CPUs to attacks via the Zombieload v2 vulnerability. Intel said it would release microcode (CPU firmware) updates, available from the company's Support & Downloads center. Many administrators skip the microcode updates, and even those who apply them often also disable the technology that provides the attack surface, if they are not using it, just to be sure they are not exposed to any attacks or performance slowdowns. Earlier this week, Microsoft published guidance on how system administrators can do so for Intel's TSX, using registry keys. On Linux systems where administrators have applied Intel's microcode updates, there is also now a model-specific register (MSR) that can be used to disable TSX.
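    A defender's first question after reading this is whether a given Linux host still advertises TSX and what the kernel reports for the Zombieload v2 (TSX Asynchronous Abort, TAA) mitigation. The script below is an added example, not code from the article, from Intel, from Microsoft or from the Linux kernel project. It parses the two files the kernel exposes for this, the `flags` line of `/proc/cpuinfo` (TSX shows up as the `rtm` and `hle` flags) and `/sys/devices/system/cpu/vulnerabilities/tsx_async_abort`, whose status strings come from the kernel's tsx_async_abort admin guide. The parsers take their input as strings so they can be exercised on constructed samples on a machine that has neither file; the sample flag lines and status strings are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article, Intel, Microsoft or the kernel project).
# Classifies a Linux host's TSX / TAA (Zombieload v2) state from the "flags"
# line of /proc/cpuinfo and the tsx_async_abort sysfs file.

# tsx_present FLAGS -> "yes" when the CPU flag line advertises TSX (rtm or hle).
# Once TSX is disabled (microcode plus the tsx=off kernel parameter) the
# kernel stops reporting these flags, so "no" is the expected post-fix state.
tsx_present() {
    case " $1 " in
        *" rtm "*|*" hle "*) echo yes ;;
        *) echo no ;;
    esac
}

# taa_state TEXT -> one-word classification of the contents of
# /sys/devices/system/cpu/vulnerabilities/tsx_async_abort.
taa_state() {
    case "$1" in
        "Not affected")             echo not-affected ;;
        "Mitigation: TSX disabled") echo tsx-disabled ;;
        Mitigation:*)               echo mitigated-tsx-enabled ;;
        Vulnerable*)                echo vulnerable ;;
        *)                          echo unknown ;;
    esac
}

# live_report -> runs both checks against the real files when they exist;
# on a host without them both values fall through to "no" / "unknown".
live_report() {
    flags=$(awk -F: '/^flags/ {print $2; exit}' /proc/cpuinfo 2>/dev/null || true)
    taa=$(cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort 2>/dev/null || true)
    echo "tsx-advertised=$(tsx_present "${flags:-}") taa=$(taa_state "${taa:-}")"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_FLAGS_TSX="fpu vme de pse tsc msr sse sse2 hle rtm md_clear"
SAMPLE_FLAGS_NOTSX="fpu vme de pse tsc msr sse sse2 md_clear"
SAMPLE_TAA_OFF="Mitigation: TSX disabled"
SAMPLE_TAA_VULN="Vulnerable: Clear CPU buffers attempted, no microcode"

echo "with TSX flags:    $(tsx_present "$SAMPLE_FLAGS_TSX")"
echo "without TSX flags: $(tsx_present "$SAMPLE_FLAGS_NOTSX")"
echo "sysfs after fix:   $(taa_state "$SAMPLE_TAA_OFF")"
echo "sysfs unpatched:   $(taa_state "$SAMPLE_TAA_VULN")"
live_report
```

    A host reporting `vulnerable` needs the microcode update; one reporting `mitigated-tsx-enabled` is relying on the buffer-clearing mitigation with TSX still on, which is the state the article says many administrators choose to go one step beyond by turning TSX off. The Windows side of the same check is a registry query rather than a sysfs read: Microsoft's guidance names a `DisableTsx` value under the `Session Manager\Kernel` key, which is from Microsoft's documentation rather than this page.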
  • Tracking Iran-linked APT33 group via its own VPN networks
    “Among active infections in 2019 are two separate locations of a private American company that offers services related to national security, from a university and a college in the U.S., a victim most likely related to the U.S., and several victims in the Middle East and Asia.” According to a report published by the experts from Recorded Future in July, the Iran-linked cyberespionage group APT33 updated its infrastructure after the publication of a report detailing its activities. The APT group recently targeted organizations in the oil and aviation industries, a private American company that offers services related to national security, victims connected to a university and a college in the US, a victim most likely related to the US military, and several entities in the Middle East and Asia. The scheme above shows that the APT group leverages a VPN layer built from a custom network of VPN nodes: APT33 was operating its own private VPN network. We have been tracking some of the group’s private VPN exit nodes for more than a year and have listed the known associated IP addresses in the table below.
  • 'Cryptoqueen' brother admits role in OneCoin fraud
    Konstantin Ignatov, the brother of "missing cryptoqueen" Dr Ruja Ignatova, has admitted his role in the OneCoin crypto-currency fraud. Ignatov pleaded guilty to several charges, including money laundering and fraud. OneCoin and the disappearance of its co-founder, Dr Ruja Ignatova, have been the subject of a BBC Sounds podcast. By complying with the terms of the plea deal, Ignatov will not face further criminal charges for his role in OneCoin, other than any criminal tax violations that may emerge. During that trial, Ignatov revealed more details about the disappearance of his sister, Dr Ruja Ignatova. Ignatov's plea deal will come as a great relief to OneCoin's critics.
  • New Study Shows Financial Loss from Multi-Party Cyber Incidents Is 13X Larger than Single-Party Incidents
    Today the Cyentia Institute published “Ripples Across the Risk Surface,” an in-depth study sponsored by RiskRecon that analyzes more than 800 cyber incidents and their impact on multiple downstream organizations. According to the study, multi-party loss events that impact thousands of downstream organizations, otherwise known as “ripple events,” result in 13X larger financial loss than traditional single-party incidents. The objective of this first-of-its-kind study is to raise market awareness of the hyper-interdependencies organizations have on other organizations, and of the ripple effect that grows by an order of magnitude beyond the singular data loss event. “Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization.” Cyentia Institute leveraged the Advisen cyber loss database for an objective view into historical data comprising more than 90,000 cyber events. Of these, approximately 800 were multi-party incidents, from which a total of 5,437 downstream loss events occurred, i.e., organizations impacted by cyber incidents other than the primary victim.
  • CISA Wants Feedback on Its Vulnerability Assessments
    The Homeland Security Department is looking for feedback on a program that lets critical infrastructure operators see how their cyber defenses stack up against one another. The vulnerability assessment program, run by the Cybersecurity and Infrastructure Security Agency, also helps participants spot specific weaknesses in their digital infrastructure and develop strategies to close those gaps. The program is voluntary and available to organizations across all 16 critical infrastructure sectors. To assess participants’ security posture, CISA personnel collect “basic, high-level information” on their physical and cyber defenses. The assessments are also logged in an internal database that CISA uses to inform its own infrastructure protection policies and operations, according to the post. Through the most recent solicitation, officials are specifically looking for comments on the program’s effectiveness, as well as measures that might improve its assessments or make it easier for participants to use.
  • Samsung, LG, Motorola Phones Hacked Using New Qualcomm ‘Hole’
    Check Point hacked phones from Samsung, LG and Motorola, but the issue is wider: the vulnerability was found within Qualcomm’s hardware, which powers almost half of all mobile phones. Check Point spent four months proving this “secure world” is also vulnerable. “Hence,” the team says, “we proved that programmers from the best vendors as well as Qualcomm made mistakes in their code.” Check Point says it disclosed the vulnerabilities to the vendors so that patches could be deployed. According to Check Point, patching such vulnerabilities is a real challenge; Balmas describes it as a “nightmare,” as the fix needs to come from the processor manufacturer to the device manufacturers in tandem with Android, and then out to a user base that can be notoriously slow in applying patches. But Slava Makaveev, a security researcher at Check Point, confirmed to me that the patches had closed the vulnerabilities found. As an additional security measure, Check Point is also suggesting users “check their credit and debit card providers for any unusual activity,” given the nature of the data at risk.
  • Iranian hacking group built its own VPN network
    One of Iran's elite state-sponsored hacking groups has built and has been operating its own private network of VPN nodes, which it has been using to connect to hacking infrastructure, perform reconnaissance on future targets, and even for casual web browsing, according to research published today by cyber-security firm Trend Micro. (Figure, image by Trend Micro: VPN layer -- a custom-built network of VPN nodes to hide the operator's real IP address and location; Bot Controller layer -- an intermediary layer of servers.) But besides connecting to their malware botnet control panels, Trend Micro said that the group had also used the same private VPN exit nodes "for reconnaissance of networks that are relevant to the supply chain of the oil industry."
  • China handles over 45,000 cybercrime cases in first 10 months
    BEIJING, Nov. 14 (Xinhua) -- Chinese public security authorities investigated 45,743 cases in the first 10 months, in a special campaign against cybercrime, with 65,832 suspects caught, the Ministry of Public Security said Thursday. Among them, 21,933 cases involved online fraud, 5,797 involved online gambling, and 2,868 concerned the abuse of personal information, said Wang Yingwei, a senior official with the ministry's cybersecurity division, at a press conference. Several cybercrime cases of public concern were handled in the campaign, including cases involving criminal gangs that sold personal information or candid cameras, said Wang. The campaign was launched in January 2019.
  • Data Breaches Become Worse as 7.9 Billion Records Get Exposed in the First Nine Months of 2019
    This is an increase of 112% in total records exposed over the same period in 2018. 1,692 of the 5,183 breaches were reported in the U.S. alone.
  • Strange AnteFrigus Ransomware Only Targets Specific Drives
    Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives. When ransomware is executed on a computer, it will typically enumerate all of the drive letters on the computer and any accessible network shares. When numerous researchers, including BleepingComputer, attempted to install AnteFrigus, we found that the ransomware was not encrypting anything other than USB drives or mapped network drives. To distribute an in-development ransomware, though, would be foolish, as the ransomware developer has to pay for RIG exploit kit installs and sacrifices potential victims to test the ransomware. Regardless of its reasons, the AnteFrigus ransomware will encrypt all files on the D:, E:, F:, G:, H:, and I: drives that do not carry the extensions listed in the previous section. The ransomware will also create the C:\qweasd\test.txt file, which is most likely being used as a lock or debug file.