Severe SolarWinds Hacking: 250 Organizations Affected?

Investigators Reportedly Finding Many More Victims Suffered Serious Intrusions

Mathew J. Schwartz (euroinfosec) • January 5, 2021    

SolarWinds security advisory FAQ

As investigators probe the SolarWinds hack, they’re finding that the supply chain campaign appears to have reached farther than they first suspected.

The New York Times reports that investigators now believe that up to 250 organizations may have been subjected to more advanced hacking as part of the campaign.

The supply chain attack installed a backdoor in Orion – a widely used security tool developed by Texas-based SolarWinds – that shipped beginning in March. For nine months, the backdoor, known as Sunburst, phoned home from about 18,000 customers’ systems to attackers’ command-and-control servers. For a subset of infected endpoints, attackers dropped second-stage malware called Teardrop that could exfiltrate data, install additional malware and backdoors, and help hackers reach other systems.

Federal Update

On Tuesday, the federal Cyber Unified Coordination Group, formed to investigate the breach, noted in a statement: “An advanced persistent threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

The group, which comprises the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and the Office of the Director of National Intelligence, said that the investigation so far has revealed that “fewer than 10” federal agencies have been affected by follow-on activities tied to the attack.

The Discovery

The alleged Russian intelligence campaign was discovered and brought to light on Dec. 13 – not by the U.S. intelligence establishment, but rather by California-based cybersecurity firm FireEye – a victim that investigated the theft of some of its own penetration testing tools. FireEye CEO Kevin Mandia subsequently estimated that perhaps 50 organizations had been subjected to second-stage attacks that involved not just systems phoning home, but being infected with the Teardrop malware.

Microsoft on Dec. 17 reported that at least 40 of its customers had fallen victim to second-stage attacks. Subsequently, however, the technology giant revealed that both it and its resellers had also been breached. On Thursday, Microsoft warned in a blog post that attackers even accessed source code for undisclosed products, although it said the risk posed to customers was low.

Confirmed Sunburst victims include the U.S. Commerce, Homeland Security, State and Energy departments, as well as some branches of the Pentagon. Other targeted organizations include technology giants Belkin, Cisco, Intel, NVidia and VMware, as well as Iowa State University, Pima County in Arizona and Hilton Grand Vacations, among many others.

Feds Issue Emergency Alert

The risk posed by Sunburst is considered to be so severe that, on Thursday, CISA issued an emergency directive requiring that all federal organizations still running vulnerable SolarWinds Orion software update to the latest version by the end of the day, or else “disconnect or power down” the software.

The latest estimate that up to 250 organizations may have been compromised as part of the supply chain attack comes via Amazon’s intelligence team, The New York Times reports, adding that unnamed officials have cautioned that some victims may have been counted twice.

SolarWinds has issued patches for Orion against Sunburst, as well as for malware called Supernova – aka CosmicGale – that targeted flaws in Orion.

Some security experts say it now appears that Sunburst is not connected to Supernova. Microsoft security engineer Nick Carr reports in a post to GitHub that Supernova and Sunburst “have not been conclusively tied to the same threat actor.” While both used malicious DLL files, unlike Sunburst, the Supernova web shell was not signed using the SolarWinds digital certificate, but rather appears to have been installed by attackers exploiting a zero-day flaw that was already present in the software.

Intelligence Gathering

Experts say the campaign to install backdoors on valuable systems has all the hallmarks of an intelligence gathering operation.

“The real objective is to gain information – what Treasury is thinking, what Commerce is thinking, what Homeland Security is thinking, what the State Department does. They want insights into what’s going on in our country,” retired Gen. Keith Alexander, who previously directed the National Security Agency and U.S. Cyber Command, said on the “CBS Sunday Morning” TV program.

Alexander, who’s now president of IronNet Cybersecurity, says government hackers having backdoor access to key systems is dangerous not just from an intelligence standpoint, but because it would also have allowed Moscow to unleash attack code – for example, to disrupt systems or delete data – if it chose to do so.

Expect Code Updates From Microsoft

Incident response efforts at organizations affected by Sunburst are continuing.

What’s the risk posed by victims that are suppliers to other organizations? Multiple organizations, including the U.S. Treasury, appear to have had their Microsoft 365 environments breached after attackers subverted infrastructure used by their Microsoft reseller.

Attackers also viewed – but reportedly would not have been able to alter – the source code for several, as yet unnamed, Microsoft products. But the company says it has designed its source code repositories with an “assume breach” mindset. “We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft says in a Thursday blog post about the SolarWinds supply chain attack, which it calls Solorigate instead of Sunburst.

The technology giant likely is already putting in place specific defenses to counter any potential flaws that attackers might attempt to exploit, says Jake Williams, a former member of the NSA’s offensive hacking team who’s now president of Atlanta-based consultancy Rendition Infosec.

Microsoft already has some of the industry’s most advanced security processes in place, nearly two decades after it “practically invented the ‘secure software development lifecycle,’” he says. “The attackers are unlikely to find some secret engineering backdoor in the code,” he tweets. “So is this still a big deal? Perhaps. Source code access makes a lot of things way easier. If you need to write rootkits … then source code access really helps.”

Despite Microsoft’s assurances, developers may also have inadvertently left details in the code that attackers could exploit.

“Whether usernames/passwords, API keys or tokens, modern applications are built as a mesh network of microservices, libraries, APIs and software development kits that often require authentication to deliver the core service,” says Andrew Fife, vice president of marketing at source code control vendor Cycode, in a blog post. “It’s common for developers to write these secrets directly into the source code on the assumption that only insiders can view them.”

Reverse-Engineering Threat

Attackers could also reverse-engineer Microsoft code to find new ways to exploit it.

“Math lesson: View source code and nation-state reverse-engineering resources equals a strong possibility of endless zero days and remote-code exploitation against vulnerabilities found in that source code,” tweets Ian Thornton-Trump, CISO at London-based threat intelligence firm Cyjax.

“Strap in,” he adds. “It’s going to be a wild next couple of months.”

From 2014 to 2017, Thornton-Trump served as a cybersecurity adviser to SolarWinds. He tells The New York Times that he departed after the company failed to heed his warnings to take a more proactive approach to internal security controls.

Thornton-Trump declined to comment further.

The New York Times cites former employees saying that SolarWinds, driven by the need to comply with the EU’s General Data Protection Regulation that came into full effect in May 2018, hired its first-ever CIO in 2017 and created a new vice president of “security architecture” role.

SolarWinds Investigation Continues

SolarWinds says that, in the wake of the attack campaign being uncovered, it has moved to improve its security processes. “We have reviewed our environment, giving an initial focus on ensuring the security of our build environment, including our source code repositories,” the company says in a security advisory FAQ. “We have reviewed the architecture of the build environment, the privileged and non-privileged users that have access to the build environment and the network surrounding the build environment.”

The company says it has also brought in outside digital forensics experts to help it identify where and when the vulnerabilities were exploited and to protect future software builds. SolarWinds says that, so far, it appears that its software build system was compromised to add the backdoor.

The New York Times reports that SolarWinds’ engineering operations are now largely based in Eastern Europe – the Czech Republic, Poland and Belarus – and investigators are exploring whether those operations may have been subverted by Russian intelligence to sneak Sunburst into the Orion software development pipeline.

Ransomware Payday: Average Payments Jump to $178,000

Mathew J. Schwartz (euroinfosec) • August 18, 2020    


Ransomware gangs continue to see bigger payoffs from their ransom-paying victims.

Comparing the first and second quarters of this year, the average ransom paid by a victim – when they paid – increased by 60%, rising from $111,605 to $178,254. So says ransomware incident response firm Coveware, in a new report that charts trends among its clients.


Coveware says the increase in the average ransom payoffs has been driven by several trends: “Big-game hunting,” increased data exfiltration and smaller players seeking bigger returns.

The ransomware operator landscape also continues to diversify. “In Q1, nearly 60% of ransomware attacks were carried out by the three most common variants – Sodinokibi, Maze and Phobos,” Coveware says. “However, in Q2 only 30% of attacks were attributed to the top three families. The rest were distributed among smaller and/or newer variants, such as Mamba, Snatch and DeathHiddenTear.”

From April to July, a number of new ransomware-as-a-service offerings also debuted, including LockBit, Lock2bits, MedusaLocker and Payment45. “These new entrants entice cybercrime beginners with low upfront costs and little required technical expertise,” Coveware says.

In addition, free, roll-your-own ransomware kits have further lowered the barrier to entry – even for individuals who don’t have deep technical skills, Coveware says. While such kits used to be common, they became much more scarce after many criminals moved away from crypto-locking ransomware beginning at the end of 2017, to focus instead on hacking for bitcoins as well as cryptocurrency mining.

Over the past couple of years, however, criminal interest in ransomware has once again risen.

Impact of the Pandemic

More recently, ongoing economic fallout from the COVID-19 pandemic may also have been driving some types of adoption. “It is also possible that the increase of RaaS usage is related to the economic impact of the coronavirus pandemic, driving more financially stressed individuals toward cybercrime,” Coveware says.

One illustration of this involves schools, which the firm says typically get targeted in July and August, before they reopen, by attackers who want to maximize the chance that they’ll get paid a ransom to unlock the systems.

This year, however, as schools suddenly shut their doors and shifted to remote-learning models, “the hastiness with which the shift occurred left many remote access vulnerabilities open,” Coveware says, noting that “the number of vulnerable and cheap school targets increased, and the attacks quickly followed.”

‘Big-Game Hunting’ Continues

One explanation for the ongoing rise in ransomware attacks since 2018 is the shift to “big-game hunting,” which refers to taking down big enterprises. In the ransomware sphere, the use of this tactic started in 2018 with BitPaymer and Ryuk using it as a way to maximize revenue by targeting large organizations. Before then, most ransomware attacks appeared to be scattershot affairs.

“Prior to big-game tactics, the ransomware sphere was dominated by opportunistic, spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000 person enterprise,” Coveware says.

But the rise of more targeted ransomware attacks by some gangs allowed them to maximize the return on their investment of time and energy. More recently, Maze in particular has also focused on this strategy, Coveware says, noting that “six and seven-figure demands” are now common for these types of attacks.

Source: Coveware

Another big-game trend seen from April to June was Maze dramatically expanding its use of specialists to help it take down targets. “Maze currently relies on a host of other specialists to carry out and extort their victims,” Coveware says. “The specialists include people skilled in Tor cloud bulletproof hosting, cloud data storage and migration, front-end web development, and facilitating negotiations. All of these are separate skill sets, and Maze uses a network of different people in each of these groups to run their organization.”

More Data Exfiltration

In November 2019, Maze began exfiltrating data before crypto-locking systems, and more than a dozen other gangs have followed suit. The MO is to name and shame victims by posting their identity on a dedicated data-leaking site, then trickle out stolen data for organizations that don’t pay up quickly. Any organization that fails to pay can see all of its stolen data get dumped – or in some cases auctioned – to serve as a lesson to future victims.

“The reason that they’re creating leak sites is because the message got across, right? People, I believe, were paying less and less,” Raj Samani, chief scientist at McAfee, told me earlier this year.

Source: Coveware

As of June, nearly every Maze and Dopplepaymer (aka Doppelpaymer) attack included data exfiltration, as did one-quarter of Sodinokibi attacks, Coveware found.

Unfortunately, this strategy appears to be working. “Data exfiltration resulted in ransom payments from companies even where ransomware recovery from backups was possible,” it says.

RaaS Operations Seek Bigger Returns

Whereas ransomware such as Ryuk is tied to a specific gang, which uses and refines its own code for highly targeted attacks, other ransomware gets supplied via an affiliate model. These so-called ransomware-as-a-service operations involve operators developing and maintaining the code, then supplying it to affiliates, who infect endpoints. For any victim that pays a ransom, the operator and affiliate share the proceeds. In the case of the highly prevalent Sodinokibi – aka REvil – RaaS offering, operators take a 40% cut, falling to 30% after a handful of an affiliate’s victims have paid.

Historically, less-advanced attackers appeared to avail themselves more of RaaS approaches. But over the past year, at least, more advanced attackers have begun working with Sodinokibi and other players, targeting larger victims, and seeking bigger payoffs while still sharing proceeds. “For instance, Q2 marked the first series of six-figure ransom payments to the Dharma group, an affiliate ransomware platform that for years has kept pricing in the mid-to-low five figures, and lower,” Coveware says.

Top Attack Vectors: RDP, Phishing

To prevent ransomware attacks, security experts continue to recommend that all organizations store offline up-to-date backups, so they can wipe and restore systems in the event of a breach, as well as ensure all systems are running updated anti-virus programs and have the latest software updates and patches.

Preventing attackers from gaining a foothold in networks also remains essential.

Over the second quarter of this year, Coveware found that remote desktop protocol and email phishing attacks remained the top attack vectors, followed by the exploitation of software vulnerabilities. Targeting flaws in software seems to have decreased, it says, while noting that unless organizations have robust intrusion monitoring and logging in place, they may not know if attackers successfully exploited a vulnerability.

Source: Coveware

“An uptick in RDP and phishing comes as no surprise, given the increase in amateur, affiliate-based ransomware services; remote intrusion and malware delivery via phishing require little expertise,” Coveware says. Indeed, valid RDP credentials get regularly harvested via brute-force attacks, then sold for as little as $20 – or less – on cybercrime forums.

Cybercrime forum selling network access to a British company (Source: Trend Micro)

Organizations can take a number of steps to lock down RDP endpoints. Best practices include protecting them with strong passwords and multifactor authentication and restricting access to only corporate VPN users. Among other controls, RDP can be configured for network-level authentication, which requires a user to authenticate before they’re allowed to establish an RDP session.

One piece of good news from Coveware’s study is that larger organizations, at least, are more likely to have secured their RDP connections. Phobos, for example, often hits smaller targets via RDP. But for larger organizations, Maze typically uses phishing instead.

Source: Coveware

Unfortunately, many of these phishing attacks continue to be successful. “The phished employee’s account is used as an initial foothold to perform privilege escalation and network enumeration,” Coveware says. “Privilege escalation will be complete once admin credentials and control of a domain controller are obtained.”

The realities of ransomware: Five signs you’re about to be attacked

Peter Mackenzie – Sophos

A manager on the Managed Threat Response team explains what to expect when you’re expecting a ransomware attack

Whenever we work with ransomware victims, we spend some time looking back through our telemetry records that span the previous week or two. These records sometimes include behavioral anomalies that (on their own) may not be inherently malicious, but in the context of an attack that has already taken place, could be taken as an early indicator of a threat actor conducting operations on the victim’s network.


If we see any of these five indicators, in particular, we jump on them straight away. Any of these found during an investigation is almost certainly an indication that attackers have poked around: to get an idea of what the network looks like, and to learn how they can get the accounts and access they need to launch a ransomware attack.

Attackers use legitimate admin tools to set the stage for ransomware attacks. Without knowing what tools administrators normally use on their machines, one could easily overlook this data. In hindsight, these five indicators represent investigative red flags.

1 – A network scanner, especially on a server.

Attackers typically start by gaining access to one machine where they search for information: is this a Mac or Windows, what’s the domain and company name, what kind of admin rights does the computer have, and more. Next, attackers will want to know what else is on the network and what can they access. The easiest way to determine this is to scan the network. If a network scanner, such as AngryIP or Advanced Port Scanner, is detected, question admin staff. If no one cops to using the scanner, it is time to investigate.

A network scanner found among a repository of tools used by Netwalker ransomware

2 – Tools for disabling antivirus software.

Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter. These commercial tools are legitimate, but in the wrong hands they are dangerous, so security teams and admins need to question why they have suddenly appeared.

3 – The presence of MimiKatz

Any detection of MimiKatz anywhere should be investigated. If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft. Attackers also use Microsoft Process Explorer, included in Windows Sysinternals, a legitimate tool that can dump LSASS.exe from memory, creating a .dmp file. They can then take this to their own environment and use MimiKatz to safely extract user names and passwords on their own test machine.

Mimikatz and related PowerShell scripts used to launch it, found among a repository of tools used by the Netwalker ransomware threat actors

4 – Patterns of suspicious behavior

Any detection happening at the same time every day, or in a repeating pattern, is often an indication that something else is going on, even if malicious files have been detected and removed. Security teams should ask “why is it coming back?” Incident responders know it normally means that something else malicious has been occurring that hasn’t (as of yet) been identified.

5 – Test attacks

Occasionally, attackers deploy small test attacks on a few computers in order to see if the deployment method and ransomware executes successfully, or if security software stops it. If the security tools stop the attack, they change their tactics and try again. This will show their hand, and attackers will know their time is now limited. It is often a matter of hours before a much larger attack is launched.

CIA Finds It Failed to Secure Its Own Systems

Scott Ferguson (Ferguson_Writes) , Doug Olenick (DougOlenick) • June 16, 2020    

Photo: CIA

An internal CIA report released Tuesday found that the agency’s failure to secure its own systems led to the massive 2017 data breach that enabled classified information, including details on 35 CIA hacking tools, to be leaked to WikiLeaks.

A redacted version of the report, prepared by the CIA’s WikiLeaks Task Force in 2017, was released by Ron Wyden, D-Ore., a member of the Senate Intelligence Committee.

The report calls out the CIA’s Center for Cyber Intelligence for not prioritizing internal cybersecurity and focusing, instead, on developing offensive cyber weapons.

This lax attitude toward preventive cybersecurity measures within the CIA continued even after previous high-profile data breaches of the agency and other intelligence departments, the report states.

On Tuesday, Wyden wrote to John Ratcliffe, the director of national intelligence, demanding to know if the U.S. intelligence community planned to implement better cybersecurity practices and questioning why the CIA did not do more to protect its internal security operations from both outside attacks and internal threats.

“The lax cybersecurity practices documented in the CIA’s WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community,” Wyden writes. “The Office of the Inspector General of the Intelligence Community revealed in a public summary of a report it published last year that it found a number of deficiencies in the intelligence community’s cybersecurity practices.”

CIA Report

The WikiLeaks Task Force report was prepared after the leaking of the CIA hacking tools, which were referred to as “Vault 7” (see: WikiLeaks Dumps Alleged CIA Malware and Hacking Trove).

The theft of the hacking tools, which apparently happened sometime in 2016, was not discovered until WikiLeaks published the Vault 7 series in 2017. Later, the U.S. Justice Department brought charges against Joshua Schulte, a former CIA employee, who is suspected of stealing the CIA hacking tools and then giving them to WikiLeaks, according to the Washington Post, which first reported on the Wyden letter.

The WikiLeaks Task Force report is part of the Justice Department’s case against Schulte, who will be tried again for the Vault 7 leak later this year after his first trial ended in a hung jury in March, according to the Post.

In the report, investigators describe how an unnamed former CIA employee managed to take between 180 GB and 34 TB of highly classified agency information and data.

The report describes a CIA culture that only focused on developing offensive cyber weapons and ignored basic security procedures, which led to multiple breaches.

“Day-to-day security practices had become woefully lax. … Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” according to the CIA report.

The Vault 7 hacking tools came from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia, according to WikiLeaks.

Difficulties Preventing Leaks

Thomas Rid, a professor at the Johns Hopkins School of Advanced International Studies who has studied cybersecurity issues, wrote on Twitter that the U.S. intelligence community has had a difficult time stopping leaks, including Vault 7 as well as disclosures from former Army Private Chelsea Manning and former National Security Agency contractor Edward Snowden.

Thomas Rid (@RidT) tweeted:

“Seven years after Manning.
Three years after Snowden.
About a year after Shadow Brokers.”

And, replying in the same thread: “Imagine for a moment the logistics of physically getting that amount of data out 😶”

Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former NSA staffer, noted that the Vault 7 disclosures, along with the release of NSA hacking tools in 2016 by the group known as the Shadow Brokers, show that the U.S. intelligence community did not take its cybersecurity responsibilities seriously.

“In at least two of these cases – Vault 7 and Shadow Brokers – there is no indication that there was any detection ahead of the data being posted publicly,” Williams told Information Security Media Group. “If you compare the intelligence community to a commercial organization that had three major breaches over a few years and didn’t discover two of them until someone leaked data publicly, I’d have a hard time taking their security seriously.”

Security Improvements Needed

In his letter to Ratcliffe, the director of national intelligence, Wyden asked why various agencies failed to heed security guidance. This included:

  • An Oct. 16, 2017 Cybersecurity and Infrastructure Security Agency notice requiring all federal agencies to protect their websites and email using encryption and to adopt DMARC (domain-based message authentication, reporting and conformance) for email;
  • A Jan. 22, 2019 emergency directive from CISA requiring agencies to implement multifactor authentication within 10 days to protect their .gov domains.

Wyden also questions why the Joint Worldwide Intel Communications System, the intelligence community’s classified computer network that handles top secret information, still has not implemented multifactor authentication to align itself with National Institute of Standards and Technology Special Publication 800-63B, despite the August 2019 statement by the Defense Intelligence Agency’s cyber and enterprise operations chief that the DIA was looking into this upgrade. 

In the letter, Wyden asks Ratcliffe if he intends to implement numerous cybersecurity recommendations published by the office of the Intelligence Community Inspector General in November 2019.

“Do you intend to adopt each of the 22 cybersecurity recommendations of the Inspector General of the Intelligence Community?” Wyden asks. “If yes, please provide an estimate for when you expect to have implemented each of these recommendations. If no, please explain why.”

A CIA spokesperson told the Washington Post that the agency was not commenting on the 2017 report that Wyden released Tuesday.

Following Guidelines

Tim Wade, the technical director for the CTO team at security firm Vectra, and a former Air Force officer, notes that government agencies – and especially the intelligence community – need to follow cybersecurity guidelines.

“Accepting the risk of continuing to operate such systems in a vulnerable state mitigates the greater risks associated with jeopardizing mission success,” Wade says.

‘Shark’ Gets Hooked for $380K in Email Phishing Scam

“Shark Tank” star Barbara Corcoran is missing nearly $400,000 Wednesday morning after her office was victimized by email scammers who used a tiny typo to gain the upper hand.

The scam started last week when an email chain was forwarded to Barbara’s bookkeeper, a woman named Christine. Folks on Barbara’s team tell us the email appeared to have been sent from Barbara’s executive assistant, Emily … and it informed Christine she had the green light to pay $388,700.11 to a company called FFH Concept GmbH in Germany.

The problem is that email didn’t really come from Emily.

The scammers changed Emily’s email address by removing one letter, so they were the ones actually communicating with Christine … who did ask the right questions. For instance, she asked what the money was for, and got an email back saying FFH was designing German apartment units in which Barbara had invested.

Great cover story because we’re told Barbara really does invest in real estate, and FFH is a real company in Germany. Plus, all of this looks even more legit because it appears to be coming from Barbara’s assistant.

Anyway, on Tuesday … the bookkeeper fires off the wire payment to the account listed in the original email. Afterward, she emails Barbara’s assistant, Emily — at her real address — and it’s only then that Emily uncovers the scam. She noticed her address was altered on the previous chain of emails.

Unfortunately, the money is gone, but we’re told Barbara’s IT folks traced the original scam emails back to a Chinese IP address, and her attorneys are figuring out their next move.

Yes, even a Shark can get hooked by a phishing scam.


FDA Warns of Cybersecurity Vulnerabilities in Pacemakers, Blood Glucose Monitors

The US Food and Drug Administration (FDA) on Tuesday alerted health professionals and manufacturers to a family of 12 cybersecurity vulnerabilities known as “SweynTooth,” which could allow an unauthorized user to crash a device, stop it from working correctly, or bypass security to access certain device functions.

Security researchers found the vulnerabilities are associated with a wireless communication technology known as Bluetooth Low Energy (BLE), which allows two devices to exchange information to perform their intended functions while preserving battery life.

FDA said it is not aware of any confirmed adverse events related to these vulnerabilities, but it is currently aware of several system-on-a-chip manufacturers that are affected by them, including Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.

According to the Department of Homeland Security, “The affected medical devices may include pacemakers, blood glucose monitors, and others using affected BLE SDKs [software development kits].”

For manufacturers, FDA recommends evaluating whether the vulnerabilities affect their products and monitoring devices for unusual behavior. Mitigations should include compensating controls while software patches are being developed, FDA added.

“In general, compensating controls and patches made to address the SweynTooth vulnerabilities are not likely to significantly affect the safety or effectiveness of the device and thus would not likely need FDA premarket review prior to implementation. If the changes to the device needed to address the vulnerabilities could significantly affect the safety or effectiveness of the device, however, premarket review is required,” FDA added.

Jodi Scott, partner in the medical device and technology regulatory practice group with the law firm Hogan Lovells, discussed FDA’s work on cybersecurity in an interview with Focus, explaining that FDA seems to be targeting its efforts on higher-risk products.

She also noted that there is room for more international harmonization on cybersecurity, and that the device industry would benefit if FDA provided more examples, beyond what companies already get through information sharing organizations.

But, Scott added, “One of the challenges is making sure you don’t flood the field with alerts, thereby decreasing what really matters.”

source –

Mobile Attacks Outpace Desktop Assaults

For the first time in cybercrime’s history, more attacks have been waged against mobile devices than have been hurled at desktops.

This seminal shift in attack strategy was recorded by researchers at LexisNexis Risk Solutions during the creation of their latest cybercrime report, “Fraud Without Borders.”

The report is based on the analysis of 19 billion transactions that took place on LexisNexis’ Digital Identity Network between July and December last year. Among those transactions, researchers identified 401 million attacks, 264 million of which targeted mobile devices, while 137 million struck at desktops. 

Although criminals showed a marked preference for mobile in terms of the volume of attacks, the attack rate per transaction was virtually identical across the two channels: 2.7% of desktop transactions and 2.5% of mobile transactions were attacked. Year on year, the mobile attack rate rose 56% while the desktop attack rate fell 23%.

Commenting on the online crime world’s historic change of tack, researchers wrote: “Although this is heavily influenced by a key global bot attack, it nevertheless shows a shift in focus of global cybercrime towards targeting the mobile channel.

“These bots are vast, automated and come from multiple global geographies and were particularly targeting new account creation transactions during the second half of 2019.”

When comparing different types of attacks on mobile devices, researchers found that mobile browser transactions were attacked at a higher rate than mobile app transactions. However, attacks on mobile apps were observed to have grown at a rate of 171% year on year. 

In terms of the financial impact of cybercrime, researchers deduced from the data that during a one-month period alone, $40m was at risk from cross-organizational fraud exposure. 

The report portrays cybercrime as borderless, innovative, and highly sophisticated, with researchers noting that criminal networks now mirror legitimate enterprises in their organizational structure. 

Criminal “finance departments” deal with the laundering of money, while “procurement” enlists money mules and “engineering” develops cutting-edge attacks to bypass the latest advances in cyber defenses.

“Analysis in this report shows that cybercrime is operating on a global scale in vast, interconnected networks that are unrestricted by regional, country or industry borders,” wrote researchers. “It’s clear that cybercrime is a highly networked, complex and ever-evolving beast.”

source –

Top CyberSec issues for 2020

Phishing Scams

While phishing has long been one of the cheapest and easiest ways for attackers to get at sensitive data, these scams are becoming more sophisticated than ever. The attacker lures and engages a potential victim in order to persuade them to hand over passwords, identifying information, payment details and more. As the world becomes more connected in 2020, the opportunities for this kind of covert attack increase.

Third-Party & Supply Chain Attacks

Third-party and supply chain attacks reach a target through an outside partner or provider. The shift to on-demand and SaaS services increases exposure to this kind of attack in 2020, which makes choosing reliable providers, and staying on top of software updates and patches, all the more important.

Malware

Malware continues to threaten businesses. The term covers a wide range of threats, including backdoors, downloaders, worms, viruses and trojans. In these attacks information is stolen or destroyed, and sensitive data such as clients’ personal identification information and credit card data is sold for profit on the open market. Not only can such attacks cripple a business’s ability to operate while data is restored from backups; they can also seriously damage the company’s reputation and customer trust.

Metamorphic/Polymorphic Malware

While traditional malware remains a growing threat, polymorphic and metamorphic malware make it harder still to counter in 2020. Polymorphic code re-encodes itself so that each copy has different bytes but the same behavior; metamorphic code goes further and rewrites its own code with every iteration. Either way, signatures built from a previous sample’s bytes or file hash stop matching, which makes the malware more difficult to detect and eradicate.
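To make the detection problem concrete, here is an added example that is not from the original article and models no real malware family. A harmless constructed byte string stands in for the payload, a placeholder byte sequence stands in for the decoder stub, and a per-variant XOR key stands in for real packing. It shows that a hash-based indicator matches only the one variant it was taken from, while a signature on the invariant stub, or emulating the decoder and inspecting the result, catches every variant.

```python
"""Added example: why file hashes fail against polymorphic code and what still
catches it. Illustrative only, not from the original article. The payload is a
harmless constructed string, STUB is a placeholder byte sequence, and the XOR
re-encoding stands in for real packing; none of this models a real family."""
import hashlib
import os
from typing import Optional

STUB = b"\x55\x48\x89\xe5\x31\xc9"   # constant "decoder stub" (constructed placeholder)
KEY_LEN = 4
PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD: write ransom note"   # harmless stand-in


def mutate(payload: bytes = PAYLOAD, key: Optional[bytes] = None) -> bytes:
    """Emit one variant: STUB + key + (payload XOR repeating key).
    A fresh random key per variant means every variant has different bytes."""
    key = key or os.urandom(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return STUB + key + body


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_detector(sample: bytes, known_hashes: set) -> bool:
    """Classic hash IOC: only the exact bytes seen before are caught."""
    return sha256(sample) in known_hashes


def structural_detector(sample: bytes) -> bool:
    """Match the invariant part (the decoder stub) instead of the whole file."""
    return sample.startswith(STUB)


def decode_detector(sample: bytes, marker: bytes = b"CONSTRUCTED-TEST-PAYLOAD") -> bool:
    """Emulate the stub: recover the key, decode the body, inspect the result.
    This is what an unpacking engine or sandbox does; it keys on content/behavior."""
    if not sample.startswith(STUB) or len(sample) < len(STUB) + KEY_LEN:
        return False
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    body = sample[len(STUB) + KEY_LEN:]
    decoded = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return marker in decoded


def compare_detectors(keys: list) -> dict:
    """Generate one variant per key, 'learn' the hash of the first, and count how
    many variants each detector catches."""
    variants = [mutate(PAYLOAD, k) for k in keys]
    known = {sha256(variants[0])}
    return {
        "variants": len(variants),
        "distinct_hashes": len({sha256(v) for v in variants}),
        "hash_hits": sum(hash_detector(v, known) for v in variants),
        "stub_hits": sum(structural_detector(v) for v in variants),
        "decode_hits": sum(decode_detector(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_detectors([os.urandom(KEY_LEN) for _ in range(5)]))
```

The stub signature works here only because the polymorphic engine leaves the decoder alone; a metamorphic sample rewrites or relocates that too, so a fixed-offset byte pattern misses it and only the decode-and-inspect approach survives. Hash indicators are still useful for fast exact-match triage, just never as the only control.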

Ransomware

In a ransomware attack, criminals encrypt a company’s sensitive data or the systems it depends on to operate and demand a ransom in exchange for restoring access. The cost is not only the ransom itself but also the lost operations while systems are down. Small businesses are particularly exposed because they often do not invest in protection, such as engaging a cybersecurity company to install and manage defenses.

AI/ML Ransomware

In 2020, ransomware is becoming even more dangerous as attackers adopt artificial intelligence (AI) and machine learning (ML) tooling. As these tools become more widely available, ransomware attacks become more efficient.

Mobile Malware

Mobile devices are increasingly under attack. This is especially true of Android devices, which often run older, unpatched versions of Android. Because these devices tend to be less secure and are frequently overlooked by security policies, they are an easier target for threats such as malware.

IoT-Related Threat

The internet of things (IoT) refers to everyday devices and infrastructure systems connected to the internet, including the smart devices that make managing almost everything more convenient. However, it is precisely that convenience and accessibility that makes these systems susceptible to attack.