Vulnerability disclosure leads to stock price manipulation

Late last week the hedge fund Muddy Waters and the information security company MedSec made a surprising maneuver. They reported two vulnerabilities to St. Jude Medical, which dismissed them as non-issues; they then shorted St. Jude Medical's stock and published their findings. The St. Jude Medical stock took a 10% tumble on Thursday and fell a further 2% before trading was halted. Muddy Waters and MedSec made a tidy profit.

This is the first time we have seen vulnerabilities in a company's cyber defenses being actively exploited to gain a market advantage by hurting a publicly traded company.

Considering that the usual paths for disclosure are either to tell the vendor and wait, or to sell the vulnerabilities on the vulnerability market (if a buyer can be found), this marks a departure from the standard venues: finding vulnerabilities and profiting from them directly through the stock market.

60 million accounts from Dropbox hack have been dumped on the internet

On the 31st of August, account details for 60 million users of the online cloud storage provider Dropbox surfaced on the internet. The accounts were stolen during a previously disclosed breach in 2012, and Dropbox already forced password resets earlier this week. Previously it was not known how many users had been affected; only now is it clear that the entire user database at the time was compromised.

Sources at various publications have received samples. In all, the leak contains about 5 GB of data and the details of 68,680,741 accounts, including usernames, e-mail addresses and password hashes.

The data is legitimate, according to a senior Dropbox employee.

Earlier this week, Dropbox announced it was forcing password resets for a number of users after discovering a set of account details linked to the 2012 data breach. Dropbox did not publish any figure on the number of resets performed. According to Dropbox's statement in 2012

Credential stuffing and resold accounts on the dark web

This month several databases, including some claiming to come from targeted attacks on companies like o2 and other providers, have surfaced on the dark web. o2 is denying that there has been any data breach and cites credential stuffing as the likely cause. Credential stuffing is an attack in which the attacker takes previously leaked credentials and tries them against other services. Many companies are now experiencing this kind of attack: after a mega breach, criminal organizations work as fast as possible to reuse the old credentials elsewhere before the original breach is discovered, so that their hacking investment is not wasted and the maximum amount of value is extracted.

What can one do to protect yourself? It is often very difficult to stop this outright if a customer reuses identical credentials across sites and you rely on traditional passwords for authentication. A great way to thwart these attacks is to turn on mandatory 2FA for your customers. A next step is to acquire these breach lists and compare them internally against your customers' password hashes, forcing a password reset on any match, especially if you are worried about the second factor itself being delivered over an insecure side channel. In summary, just because a competitor or an unrelated company is compromised doesn't mean it can't affect you.
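The internal comparison described above, as an added example that is not part of the original article. It assumes the site stores passwords as salted PBKDF2-HMAC-SHA256 hashes (a hypothetical choice; any salted KDF works the same way) and that the breach dump is in the common "email:password" format. Because the stored hashes are salted, a dump cannot be matched hash-to-hash: each leaked plaintext has to be re-hashed with the affected user's own salt and compared, which is what `find_reused_credentials` does. The user store and the dump are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed example: the site's own user store. Passwords are kept as salted
# PBKDF2-HMAC-SHA256 hashes (an assumption; substitute the site's real KDF).
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


USERS = [
    make_user("alice@example.com", "correct horse battery staple"),
    make_user("bob@example.com", "Summer2016!"),   # same password as in the dump below
    make_user("dave@example.com", "Tr0ub4dor&3"),
]

# Constructed breach dump in "email:password" form. Only bob's leaked password
# still matches what he uses on this site; carol has no account here at all.
BREACH_DUMP = """\
alice@example.com:hunter2
BOB@example.com:Summer2016!
carol@example.com:letmein
malformed line without a separator
"""


def parse_dump(text: str) -> dict:
    """Index leaked credentials by lower-cased e-mail; one address may carry several passwords."""
    leaked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip lines that do not look like credentials
        email, password = line.split(":", 1)
        leaked.setdefault(email.strip().lower(), set()).add(password)
    return leaked


def find_reused_credentials(users: list, dump_text: str) -> list:
    """Return the e-mails whose current site password equals a leaked one for the same account.

    Salted hashes cannot be compared dump-to-store directly, so each leaked
    plaintext is re-hashed with the user's own salt and compared in constant time.
    """
    leaked = parse_dump(dump_text)
    reset_needed = []
    for user in users:
        for candidate in leaked.get(user["email"], ()):
            if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
                reset_needed.append(user["email"])
                break
    return reset_needed


if __name__ == "__main__":
    for email in find_reused_credentials(USERS, BREACH_DUMP):
        print(f"force password reset: {email}")
```

Note that this only works when the dump contains plaintext passwords (or hashes under a scheme you can reproduce). A dump of hashes under a different, salted scheme cannot be cross-matched, which is one reason mandatory 2FA remains the stronger first step.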

National Democratic party hacked and emails released to the public

This month Wikileaks has published internal, sensitive documents that come from a hack targeting the Democratic National Committee (DNC). This led to the eventual resignation of the Chair, Debbie Wasserman Schultz. CrowdStrike broke the news that the Russians had hacked the DNC's email, but no details of how the attribution was performed have been shared with the public. Researchers could not definitively determine how the groups got into the system, but the typical way in for these groups is through carefully crafted deceptive emails, called "spearphishing", that trick recipients into clicking malicious links.

At the same time an independent threat actor known as "Guccifer 2.0" (named in homage to the independent Romanian hacker "Guccifer", who now awaits sentencing in the U.S. for similar hacks) has claimed responsibility for the attacks and has posted other documents, claimed to be from the attack, on various forums. Sources close to Wikileaks seem to support this version. Whether the attack can be attributed to Russian nation-state attackers or to independent adversaries is of little relevance here. What matters, for the DNC hack, is that people learn the importance of end-to-end encryption of email via S/MIME or PGP, and start focusing more on those problems.

SMS-based Two-Factor Authentication (2FA) has been declared insecure

Two-Factor Authentication (2FA) adds an extra layer of security by requiring, when you log on to your account, a one-time passcode sent to you via SMS or a phone call in addition to your password. Two-factor authentication via telephone text messages has until today been one of the most common forms of 2FA. While 2FA tokens deter attackers because they need real-time data from the potential victim, today's malware is specifically designed to circumvent this security measure.

The US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in future due to security concerns. NIST says: "If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance." This goes hand in hand with a large number of reports that endpoint devices may be under the attacker's control via malware.
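The two points a verifier can act on today are the replacement of SMS delivery and the draft's rule that the registered number cannot change without a second factor at that moment. The following is an added example, not code from the article or from NIST: it implements an authenticator-app code (HOTP per RFC 4226 and TOTP per RFC 6238, the usual non-SMS alternative) with constant-time comparison and a replay guard, and then gates the phone-number change on a valid code. The `Account` class, the phone numbers and the one-step acceptance window are constructed assumptions; the `SECRET` value is the RFC test vector.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits)


class Account:
    """Constructed account record: a registered phone number and an authenticator-app secret."""

    def __init__(self, phone: str, totp_secret: bytes):
        self.phone = phone
        self.totp_secret = totp_secret
        self.last_accepted_step = -1  # replay guard: each time step is usable once


def verify_second_factor(account: Account, code: str, at=None, window: int = 1) -> bool:
    """Accept a TOTP code for the current 30-second step or its neighbours, never one already used."""
    at = int(time.time()) if at is None else at
    current = at // 30
    for step in range(current - window, current + window + 1):
        if step <= account.last_accepted_step:
            continue  # this step (or an earlier one) was already consumed
        if hmac.compare_digest(hotp(account.totp_secret, step), code):
            account.last_accepted_step = step
            return True
    return False


def change_registered_number(account: Account, new_phone: str, code: str, at=None) -> bool:
    """The draft's rule: the pre-registered number SHALL NOT change without 2FA at the time of the change."""
    if not verify_second_factor(account, code, at):
        return False  # refuse; a real service would also log the failed attempt
    account.phone = new_phone
    return True


# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    acct = Account("+1-555-0100", SECRET)           # constructed sample account
    print("current code:", totp(SECRET, int(time.time())))
    print("change without 2FA:", change_registered_number(acct, "+1-555-0199", "000000"))
```

The replay guard matters because an attacker who has already obtained one code (for example from malware on the endpoint, as the article warns) must not be able to use it a second time for the number change.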

Malware in syndicated adverts

Over the last month we have seen a large increase in adversaries buying access to existing ad providers that are accepted by the large advertising syndicates, and using those providers' domains to serve targeted malware through mainstream and well-known media sites. This targeted malware appears to originate from Russia and Eastern Europe.

JPEG image exploits found on most popular adult sites

There have been increased reports of JPEG malware, where malicious code is hidden inside what appears to be an innocuous file: a real JPEG that contains an image, but is crafted so that the code executes when the file is opened. The viewing of porn may not be allowed in your business, nor is it likely to be a comfortable topic you wish to openly discuss in your office.

However, businesses can't escape the reality that porn sites get more visits per month than Netflix, Amazon and Twitter combined. The increased risk that malware on porn sites poses to businesses is no longer a topic businesses can afford to avoid. The chances of finding a porn site without images are about as likely as coming across a textbook without words, which makes such sites a perfect vehicle for malware exploits hidden within image and video files.
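One defensive check a web proxy or upload handler can run on images is a structural walk of the JPEG container: verify the marker segments are well formed and that nothing is glued on after the end-of-image marker, a common place to stash extra content. The following is an added example, not code from the article; it only validates the container (it does not decode pixels, so it will not catch an exploit that lives inside a decoder bug) and the two sample byte strings are constructed, not real images.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the RST0-RST7 restart markers.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> dict:
    """Walk the JPEG marker segments and report structural anomalies.

    Returns {"valid", "segments": [(marker, offset, size)], "trailing_bytes", "findings"}.
    It does not decode the image; it checks that the container is well formed
    and that no data is hidden after the EOI marker.
    """
    segments, findings, trailing = [], [], 0
    if data[:2] != bytes([0xFF, SOI]):
        return {"valid": False, "segments": segments, "trailing_bytes": 0,
                "findings": ["missing SOI marker: not a JPEG"]}
    segments.append(("SOI", 0, 2))
    pos, saw_eoi = 2, False
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"non-marker byte 0x{data[pos]:02X} at offset {pos}")
            break
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, start = data[pos], pos - 1
        pos += 1
        if marker == EOI:
            segments.append(("EOI", start, 2))
            saw_eoi, trailing = True, len(data) - pos
            if trailing:
                findings.append(f"{trailing} bytes appended after EOI")
            break
        if marker in STANDALONE:
            segments.append((f"0x{marker:02X}", start, 2))
            continue
        if pos + 2 > len(data):
            findings.append(f"segment 0x{marker:02X} truncated before its length field")
            break
        length = int.from_bytes(data[pos:pos + 2], "big")  # includes the 2 length bytes
        if length < 2 or pos + length > len(data):
            findings.append(f"segment 0x{marker:02X} declares {length} bytes, beyond the file")
            break
        segments.append((f"0x{marker:02X}", start, length + 2))
        pos += length
        if marker == SOS:
            # Entropy-coded data follows; it ends at the next marker that is
            # neither a stuffed 0xFF00 nor a restart marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    if not saw_eoi:
        findings.append("no EOI marker found")
    return {"valid": not findings, "segments": segments,
            "trailing_bytes": trailing, "findings": findings}


# Constructed minimal JPEG-shaped input: SOI, an APP0/JFIF header, a tiny SOS
# segment with entropy data that includes a stuffed 0xFF00, then EOI. It is
# not a decodable picture; only the container structure matters here.
GOOD = (bytes([0xFF, SOI])
        + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
        + b"\x12\x34\xff\x00\x56"
        + bytes([0xFF, EOI]))
# The same bytes with 21 extra bytes glued on after EOI: image viewers still
# display such a file, which is exactly why a structural check has to flag it.
APPENDED = GOOD + b"<constructed payload>"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("appended", APPENDED), ("not-jpeg", b"GIF89a")):
        print(name, scan_jpeg(sample)["findings"])
```

Treat a hit as a reason to quarantine or re-encode the image rather than proof of malware: legitimate tools occasionally leave junk after EOI, but a clean re-encode drops it either way.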

Continuous Increase of Hacked Databases Offered On The Dark Web

The adversary called 'thedarkoverlord', operating on the 'TheRealDeal' market, is offering to sell copies of databases hacked from US and UK health services. The database dumps contain between 41,000 and 220,000 unique personal and medical records.

The asking prices range from 150 BTC to 607 BTC (Bitcoin) ($395,000). This continues the trend of medical systems being actively targeted because of their sensitive data and relatively poor protection.

LinkedIn Data Leak

Everyone has most likely already heard about the recent leak of 6.5 million LinkedIn passwords. Although the information dates back to 2012, Intelliagg has found the leaked source files and determined that 30% of the leaked passwords are still valid. LinkedIn is a professional social networking platform that links people to their past and current employers and to both personal and professional contacts.

This creates a greater risk to your business, as employees are in most cases the launch point for an external intrusion. In addition to addressing the need for password changes, businesses should make their employees aware of the increased risk of social engineering attacks that use a user's contact base and known interests. Your employees also need to be on alert for brand-jacked email notifications that include links to Blackhole exploit kits: users should only accept invitations via the LinkedIn application, rather than click on notification links sent via email.