Week ending March 3, 2018. Cyber criminals have discovered a new pathway to monetization that’s as trouble free as anthything they could have dreamed up: crypto mining on the back of hacked websites. Security vendor Cyren put out results of a study this week showing a 725% spike in the number of websites hosting cryptocurrency mining software in January 2018 as compared to September 2017.
Dark Reading’s Jai Vijayan reports that much of the growth is being fueled by the insane run-up in cryptocurrency prices in recent months. For instance, the value of Monero, the most widely mined cryptocurrency at the moment, increased by 250% during the four-month period when Cyren was monitoring some 500,000 websites.
Related article: Why massive Mirai IoT botnet is so worrisome
“Crypto mining represents a minuscule portion of all web-based malware,” observes Chris Olson, CEO of security consultancy The Media Trust. “It’s just another weapon employed by bad actors. It’s unlikely that any well-known brand or website would knowingly allow their digital asset to be used for cryptomining without clearly communicating it to users.
“The problem is that most websites don’t know they’ve been compromised. The continuing use of cryptomining script underscores the importance of knowing your digital partners and the code they execute in your digital environment.”
Marines at risk
A data breach that resulted from sloppy operations has put some 21,000 U.S. Marines, sailors and civilians in harm’s way. This happened when an unencrypted email — with an attachment containing their confidential information — got placed in an email distribution list that was sent out indiscriminately.
The Marine Corps Times reports that the message was pused out by the Defense Travel System, a Defense Department system that assists military and civilian defense personnel with travel itineraries and settling expenses from official authorized trips.
The email containing the data was sent within the usmc.mil official unclassified Marine domain, but also to some civilian accounts. Who know where it has been subsequently routed? Garden variety identity theft is, of course, a concern.
But reporter Shawn Snow points out a more serious risk for this subset of potential identity theft victims: In 2015, ISIS posted a ‘kill list’ of 41 Marines and sailors based on information it pulled from publicly accessible online forums and social media accounts.
No botnet required
A record setting Distributed Denial of Service Attack reared up this week, generating a buzz in the security community. Wired reports that on Wednesday, a 1.35 terabits per second of traffic hit the developer platform GitHub all at once.
GitHub struggled with intermittent outages, but was well defended by Akamai Prolexic, its DDoS mitigation contractor. The only other attack that comes close in volume: the late 2016 attack by the Mirai Internet of Things botnet. That was the one that bedeviled UK Internet routing vendor Dyn, resulting in Twitter, Facebook, Spotify and others off line for hours at a time one fateful Friday.
The scary thing about this record setter — the most powerful distributed denial of service attack recorded to date — is that no botnet was required. Instead the attacker leveraged a couple of new techniques referred to as “amplication” and “reflection.”
Instead of sending denial of service traffic directly to the victim directly, a reflection attack bounces traffic through a third party, Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks tells me.
“Amplification means an attacker exploits vulnerabilities in servers to turn small queries into much larger payloads in an effort to bring down the victims’ servers,” Biogorskiy further explains. “We have seen similar amplification attacks before, but the amplification factor was much larger in the Github attack.”
The big take away here is that DDoS attacks, like every other cyber threat, are here to stay and will continue to escalate. “Cyber-extortionists often start with a small DOS attack and a warning that a larger attack will be done if a Bitcoin ransom is not paid,” Biogoskiy muses. “At this time, it’s unclear if Github received such extortion demands.”
SEC issues guidance
The U.S. Securities and Exchange Commission appears to be cognizant of steadily rising cyber exposures. This week the SEC issued what it calls “interpretive guidance” for publicly traded companies, directing the firms to provide more and more timely information on cybersecurity incidents and risks.
247wallst.com reports that the SEC also declared that corporate officers, directors and other insiders “must not” trade shares in their companies if that have “material nonpublic information,” including knowledge of a cybersecurity incident at the company.
The feds’ move stirred a buzz among cybersecurity vendor. Scott Clemens, CEO of authentication systems company VASCO congratulates the SEC for “acknowledging the rapidly evolving nature of cybersecurity threats and the increasing sophistication of attacks, including the use of stolen credentials, malware, ransomware, and phishing.”
Generally, investors and consumers are kept in the dark about the security practices of many public companies. “The SEC’s action will increase transparency in this critical area and contribute to heightened security at countless companies and this will benefit everyone.” Clemens says.
Brendan Rizzo, technical director, for Voltage Security, notes that it’s “often the threat of regulatory penalties that unlocks a company’s resources to go ahead with data protection programs that could otherwise have been perpetually delayed. In this scenario, companies and consumers both benefit from the increased security.
“Consumers rightfully want to know when the sanctity of their sensitive information has been breached and, with more government and industry regulations arriving each year, it is easy to see why companies are now trying to find a data centric approach to protecting their customers’ data.”
(Editor’s note: This weekly aggregation of news articles is sourced via the underlying stories linked in each summary.)
This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog