Wardrivers Can Still Easily Crack 70% of WiFi Passwords

The same standard that allows wireless devices to remain connected and roam between access points also allows attackers to easily collect critical Wi-Fi key material that can later be compared offline against hashed password guesses to recover Wi-Fi network passwords, a researcher found in a wardriving experiment.

Ido Hoorvitch, a security researcher with identity and access management provider CyberArk, found that he could recover the network passwords for more than 70% of the networks he scanned, merely by using information collected as he pedaled his bike—and sometimes walked or drove—along the streets in Tel Aviv, Israel. 

He used a homemade wireless scanner based on a $50 network card connected to a laptop running Ubuntu Linux, and the hcxdumptool tool available on GitHub, to collect WiFi Protected Access (WPA) packets from nearby networks.

Many wireless networks in Israel use a cellphone number as a password. Using a custom password-cracking rig comprising eight graphics processing units (GPUs), Hoorvitch could test every possible cellphone-number password for a given network in about 15 seconds.

“All of us know that passwords are problematic—they are too hard to remember. And if they are easy to remember, then they are too easy to crack,” Hoorvitch says. “What is special about this research is that it changed the state from a hypothesis to an empirical experiment. We now know that the WiFi password for most of the networks is really not secure enough.”

Wireless networks continue to be a weak point for many consumers and enterprises. In May 2021, a doctoral researcher at New York University Abu Dhabi warned that every Wi-Fi device is vulnerable to at least one of three design flaws, after spending nine months helping major wireless-device manufacturers close the vulnerabilities. In 2017, the same researcher warned that a series of issues could allow attackers to conduct key reinstallation attacks (KRACKs), which could allow them to hijack wireless connections.

Cybersecurity specialists have also warned that weak, default, or easily guessable passwords put wireless networks at risk. With more employees working from home, consumer Wi-Fi networks have also become a gateway to corporate data.

“The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike,” the CyberArk blog post stated. “And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself.”

In the latest research, CyberArk researchers showed that an attacker—rather than needing to be near a targeted wireless network at the time of the attack—could record the necessary packets while driving through a neighborhood and then use that information later, with a high probability of discovering the password to any particular network.

The Problem with PMK

The key to the attack is poor password selection and the ability of attackers to capture the Pairwise Master Key (PMK) Identifier (PMKID) and other necessary information. The PMK allows a device to remain connected to a network even if the device moves to a different access point on the same network. Rather than requiring the user to re-authenticate, the device keeps the PMK to send as its authentication. Most consumer networks do not use this functionality, but often the feature is on by default.

The attack method, discovered by Jens Steube, the lead developer of Hashcat, gives attackers the ability to scan networks and discover passwords at a later time.

The attack uses four pieces of data from the network: the wireless network's SSID, the hardware—or media access control (MAC)—address of the access point, the MAC address of the client computer, and the PMKID that the computer and access point use to remain authenticated. By combining the network's SSID with candidate passwords, the attacker can create a list of PMKs for the possible passwords. Those PMKs are then fed into another hashing algorithm, together with the two MAC addresses, to create a list of PMKIDs. An attacker just has to keep changing the candidate password to create new PMKs, which are then used to create new PMKIDs, until one matches the captured PMKID.

The number of potential alphanumeric-plus-symbols combinations creates a massive search space, but Hoorvitch and CyberArk used the fact that many Israeli consumers use their cell phone numbers as their password as a way to limit the search. For each network, the researcher had to try at most every possible 8-digit cell number, or 100 million candidates. While that seems to be a massive endeavor, the worst-case scenario—having to try every possible number—requires 15 seconds on CyberArk's custom eight-GPU cracking machine or about nine minutes on a good laptop, Hoorvitch says.
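The two derivation steps described above (passphrase plus SSID to PMK, then PMK plus the two MAC addresses to PMKID) and the search-space point that follows can be made concrete. The block below is an added example, not CyberArk's, Hashcat's or hcxdumptool's code; it implements the WPA2-Personal derivations as specified in IEEE 802.11 (PBKDF2-HMAC-SHA1 with 4096 iterations for the PMK, HMAC-SHA1 truncated to 128 bits over "PMK Name" || AP MAC || client MAC for the PMKID). The MAC addresses and passphrases are constructed values, and `guess_space` is a hypothetical helper that estimates how many candidates an attacker who knows the password's class (digits only, or lowercase letters only) would need to try, which is the defender-side question: does my own passphrase fall into a class that a captured PMKID makes cheap to check offline?

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (locally administered MACs, not real devices).
AP_MAC = "02:00:00:00:00:01"
STA_MAC = "02:00:00:00:00:02"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    This is the IEEE 802.11 passphrase-to-PSK mapping; the SSID acts as the salt,
    which is why the attack needs the SSID alongside the captured PMKID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def _mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' (or without separators) to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def derive_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC).
    No handshake secrets (nonces) are involved, so a single captured PMKID is enough
    to verify a password guess offline."""
    data = b"PMK Name" + _mac_bytes(ap_mac) + _mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmkid_matches(candidate: str, ssid: str, ap_mac: str, sta_mac: str, captured_pmkid: bytes) -> bool:
    """Offline check of one candidate passphrase against a captured PMKID.
    The per-candidate cost is dominated by the 4096-round PBKDF2 in derive_pmk."""
    computed = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(computed, captured_pmkid)


def guess_space(passphrase: str) -> Optional[int]:
    """Hypothetical helper: size of the candidate set for the weak classes the
    research describes. Returns None when the passphrase is not in a recognised
    weak class (that does not make it strong, only not trivially enumerable)."""
    if passphrase.isdigit():
        return 10 ** len(passphrase)          # e.g. 8 digits -> 100 million candidates
    if passphrase.isalpha() and passphrase.islower():
        return 26 ** len(passphrase)
    return None


if __name__ == "__main__":
    # Self-audit: a network owner who knows their own passphrase can see how a
    # captured PMKID would be verified and how small the search space is.
    ssid, passphrase = "HomeNet-example", "05412345"       # constructed values
    captured = derive_pmkid(derive_pmk(passphrase, ssid), AP_MAC, STA_MAC)
    print("PMKID:", captured.hex())
    print("right passphrase matches:", pmkid_matches(passphrase, ssid, AP_MAC, STA_MAC, captured))
    print("wrong passphrase matches:", pmkid_matches("05412346", ssid, AP_MAC, STA_MAC, captured))
    print("candidates for an all-digit passphrase of this length:", guess_space(passphrase))
```

The practical takeaway for a network owner is in `guess_space`: an 8-digit numeric passphrase gives 10^8 candidates, which at one PBKDF2 computation per candidate is exactly the 15-second (GPU) or nine-minute (laptop) worst case quoted above, whereas a long mixed-character passphrase returns no enumerable class and the same offline check becomes impractical.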

Of the 5,000 networks on which the researcher collected information, 44% had a cell phone number as a password, while another 18% were found on the common password list known as RockYou.txt. The rest were other simple combinations of numbers and letters. 

In total, the researchers found passwords for 3,633 of the 5,000 targeted networks, and likely some of the rest could have been found as well.

“We know we can crack harder passwords, but that is not the idea of this research,” he says. “What bothered me is not [whether] someone did not have a complex password, but whether, with three to four days on a normal laptop, what can we crack?”

Choosing a non-guessable, complex password for a wireless network should protect against the attack. While 18% of passwords were found by using the popular password list, RockYou.txt, almost half of the total used only numbers, most of them the user's cell phone number, a scheme that provides little security.

While multi-factor authentication (MFA) is often the solution to password security issues and would also strengthen a wireless network’s security, MFA is notoriously hard to implement on consumer WiFi networks.

Putting cybersecurity first: Why secure-by-design must be the norm

Organizations that aim to pull ahead of the competition need to develop a strong security culture from top to bottom

From headline-grabbing stories of ransomware to personal experiences of identity theft, cyber is increasingly finding its way into collective consciousness. During the pandemic, an escalation in threat levels also reminded IT and business leaders what’s at stake. Now we’re gradually entering a new era of hybrid work, it’s vital that teams go a stage further and embed security into every aspect of an organization. Too often, it’s still treated as something of an afterthought. There are also worrying signs that younger staff members in particular are resistant to anything that impacts their productivity.

That’s why one of the key themes during this year’s Cybersecurity Awareness Month is “Cybersecurity First.” It’s a simple idea, but one that may take some effort to operationalize. Security must be built-in rather than bolted-on – but not necessarily at the expense of business growth and innovation.

When employees rebel

We all know what happened during the pandemic. With mass remote work and digital transformation came an expanded corporate attack surface, and new gaps in protection ruthlessly exploited by threat actors. They hit unpatched Virtual Private Network (VPN) services and Exchange servers, hijacked Remote Desktop Protocol (RDP) endpoints protected by weak or breached passwords, targeted misconfigured cloud systems, and much more. In this context, driving a secure-by-design culture would do much to eliminate the gaps so frequently exploited by attackers.

Yet there is resistance. In new research, three-quarters (76 percent) of global IT leaders admit that security took a backseat to business continuity during the pandemic. That may have been justifiable at the time, but not now that operational risk is receding. Yet younger workers appear to be ignorant of policies, apathetic towards security in general, and increasingly frustrated at having their productivity “restricted.” Almost half (48 percent) of those aged 18-24 years old claimed security tools were a hindrance, and nearly a third (31 percent) said they’d tried to circumvent corporate policies to get work done.

Cybersecurity First will, therefore, require careful planning and execution to avoid a user backlash.

When security is an afterthought

There must be progress, because bolted-on security is failing organizations everywhere. A classic example is in the world of DevOps, where processes are geared towards time-to-value rather than risk mitigation. The result is often software that’s shipped with vulnerabilities which end up being exploited in attacks. One recent study claims that upstream attacks, in which threat actors inject new vulnerabilities into open source code, surged 650% year-on-year.

The costs of patching, plus the reputational damage that comes attached to a serious incident, can far exceed those associated with building better security into the CI/CD pipeline. There are many more examples. Just consider the huge financial and reputational fallout from the 2017 Equifax breach, said to have affected nearly half of all US adults. It could have been prevented by prompt patching. Or the 2019 Capital One breach that hit 100 million consumer credit applicants. Closer monitoring for cloud misconfigurations may have saved the bank’s blushes.

We need to get cybersecurity to the point where safety now is in the car industry. In this sector, safety teams are closely involved in the design and rollout of virtually every new feature in vehicles. It's why we now have high-performance braking, shatter-resistant windshields, roll bars, air bags and many other technology innovations as standard in most cars today. And the operators of these vehicles are trained and tested to use them in a safe and compliant manner. Cybersecurity must be the same.

Putting security first

Secure-by-design is a key principle of the GDPR, widely regarded as a standard-setter in global privacy regulation. Building in rather than bolting on also just makes sense, from a risk mitigation and a cost perspective. So what does it look like in practice? Here are some suggestions:

  • Data minimization and encryption everywhere can help to reduce data security risks and information exposure
  • Continuous IT asset management and control across the entire environment will help you understand what you have, and then protect it
  • Regular staff training and awareness sessions can turn a weak link in the security chain into a formidable first line of defense, and help create a culture of security first
  • Close consultation with users will ensure that when policies are redesigned for the hybrid workforce, they’re done in a way that minimizes disruption to staff
  • A focus on access management, following the principle of least privilege and featuring two-factor authentication by default, could prevent 90 percent of attacks
  • Automated, risk-based patching programs can drive major improvements in cyber hygiene to reduce the size of the corporate attack surface
  • Logging, monitoring and detection and response are also critical to finding and mitigating any breaking attacks across the environment
  • Continuous monitoring and vetting of the supply chain will also help to proactively address a major source of cyber risk
  • A Zero Trust security strategy is an increasingly popular way to head off risk through continuous authentication and other controls

The bottom line is that Cybersecurity First is all about turning security from a reactive to a proactive stance. And if you’re struggling to find the budget to undertake lasting change, remember to position it as an enabler. Brakes aren’t there only to slow down the vehicle, but also to ensure it can safely travel faster. That’s why secure-by-design organizations innovate faster, and ultimately pull ahead of their rivals. They have the confidence to drive ambitious digital transformation projects, because they’re built on a secure foundation.

Cohesity Announces Disaster Recovery as a Service, Providing Automated Disaster Recovery

SAN JOSE, Calif. – October 19, 2021 – Just months after announcing the availability of its backup as a service offering (BaaS), Cohesity, a leader in next-gen data management, today announced the general availability of its next ‘as a service’ offering – disaster recovery as a service (DRaaS). This new offering extends the exceptional disaster recovery (DR) capabilities provided by Cohesity SiteContinuity and adds the ability to use Amazon Web Services (AWS) as a recovery location for failover and failback in a Software as a Service (SaaS) model. This not only provides customers with more choice and flexibility, but also offers the following benefits:

  • Minimize downtime and data loss: This greatly reduces the risks of potential downtime and data loss with snapshot-based backup and near-sync replication that together help ensure all data is captured and ready to failover in the event of disaster or cyberattack.
  • Meet service level agreements (SLAs): Customers can easily design recovery plans and assign SLAs – and design it in minutes rather than weeks – to deliver the right level of resiliency across a broad range of applications while meeting business requirements.
  • Simplify operations: Cohesity uniquely combines disaster recovery orchestration, snapshot-based backup, near-sync replication, and seamless failover to the public cloud in a single comprehensive offering – all managed through a single user interface to significantly simplify disaster recovery operations.
  • Lower costs and improve time-to-value: Reduce idle infrastructure by using on-demand pay-as-you-go cloud infrastructure from AWS in the event of a disaster or test drill. Cohesity uniquely supports standard AWS infrastructure, such as Amazon Elastic Compute Cloud (Amazon EC2), in a DRaaS model. Customers also can speed up time to value by quickly spinning up a disaster recovery strategy without having to procure additional hardware or physical data centers.

“There has never been a more critical time to offer disaster recovery as a service,” said Matt Waxman, vice president of product management, Cohesity. “In an age of crippling ransomware attacks, the number one concern many IT leaders have is maintaining business continuity if they get hit. DRaaS can help organizations recover quickly and cost effectively. And, as with other Cohesity SaaS and on-premises offerings, customers can manage everything through the Cohesity Helios multicloud platform. It’s simplicity redefined.”

“The Cohesity DRaaS offering provides multiple benefits that are incredibly appealing to our organization,” said Francois Lepage, cybersecurity and architecture manager, The Master Group. “Application uptime and the ability to recover in the cloud top the list. But, we also like the pay-as-you-go cloud infrastructure model from AWS, which can help reduce costs. And, we like the simplicity of it all. We can manage this offering along with our on-premises Cohesity deployment through one platform on one UI. That’s the Cohesity difference.”

Expanding Data Management as a Service

Cohesity DRaaS is the next offering from Cohesity’s comprehensive Data Management as a Service (DMaaS) portfolio. DMaaS is a portfolio of ‘as a service’ offerings designed to provide organizations with a radically simple way to back up, secure, govern, and analyze their data – all managed directly by Cohesity. This reduces the separate services, solutions, and administrative consoles that organizations have traditionally had to invest in and maintain for data backup, disaster recovery, and other data management use cases.

“Solutions that offer flexibility, resiliency, and scalability are integral to organizations working to address ever-evolving challenges, including cyberattacks,” said Doug Yeum, head of AWS Partner Organization, AWS. “With the introduction of disaster recovery as a service, Cohesity is providing these critical capabilities to customers to help reduce the risk of downtime while also reducing costs, all supported with the industry-leading cloud services from AWS.”

“With the increased frequency and cost of cyberattacks, a robust set of disaster recovery processes combined with proven technology have never been more essential,” said Christophe Bertrand, senior analyst, ESG. “Organizations should look for ease of use, automation, and the ability to truly control their data recovery and application availability service-level agreements. That is why Cohesity’s web-scale converged backup and disaster recovery solution is not only timely, but also offers an essential set of capabilities to take on the disaster recovery challenges businesses are facing today.”

For more information:

  • Read this blog to learn more about Cohesity SiteContinuity.
  • Learn about upcoming SaaS solutions from Cohesity designed to address increasingly sophisticated ransomware attacks.

5 Ways CMMC Security Requirements May Impact Universities

An interesting thing about the Cybersecurity Maturity Model Certification (CMMC) is that organizations could previously self-certify their cybersecurity maturity before applying for a grant or bidding on a contract with the US Department of Defense (DoD). Under the CMMC, organizations now need to pass a third-party audit — a requirement that didn’t exist before — before they can do any of those things.

This change raises several questions for me: How will CMMC impact research universities looking to work with the DoD? How will certification change the business models of these universities?

CMMC and the University Business Model
Higher education has a lot of downward pressure on it in terms of income streams. We're seeing consolidation of higher education because the demand for it is less than it used to be in certain areas. Also, when the downturn of 2008 happened, state and local funding for higher education was cut and never recovered. Now, with COVID-19, it's getting cut again.

So university leadership is prioritizing the academic mission and research at the expense of IT and security. (I would argue at the expense of security and then IT.) And there is CMMC, coming around the corner … everything converging at the same time.

Since state and local funding sources are less reliable than they used to be, research universities are looking to research funding sources as the way to recover that revenue and continue to grow. They will need to manage their security posture (and be confident of having good security) if they’re going to have a reliable income stream that can carry other education costs.

Research Universities as a Prime Attack Target
Higher education is already a target for cybersecurity threats. Theft of personal data is the obvious target, but there’s also the threat to intellectual property, often by nation-state attackers. And research data is the primary target across universities.

University leaders are aware of this, but they don’t really understand security. They still think of security as an IT problem and not a business problem. Up until this point, the implementation of security controls and the remediation of security weaknesses has been left in the hands of the security teams at research universities. Those teams may be part of central IT or part of the office of research. But there isn’t a coordinated security effort across the university because senior leadership hasn’t really grasped the nature of the threat.

In general, higher education is not particularly mature from a security perspective, so they are an easy target. It’s not just targeted attacks they have to worry about — universities are subject to opportunistic attacks in degrees that other industries tend not to be. This is directly related to academia’s highly collaborative culture, where the default is to assume openness, trust, and share. This is the direct opposite of every other industry vertical that we serve.

CMMC Will Change How Research Universities Approach Security
Under the older DoD standards, an institution like a research university wouldn’t have to submit themselves to a third-party assessment. And they also didn’t have to proactively monitor their controls. So they just had to attest that they had controls and hope that nothing would go wrong.

But with CMMC, external assessors will now come in and put research universities in a position where they must validate the effectiveness of controls over time. Not only that, but they must achieve compliance everywhere before they can make a bid for a research grant. This proactive and continuous compliance is new, and it’s not easy to meet without the support of the entire institution.

Ultimately, the controls aren’t new in CMMC, but the oversight governance and monitoring component is. Are these things documented? Is there the right governance at the institution? Is it at the right level? Do the people who are responsible for this risk know what the risks are and how they’re being managed? This implies quite a heavy oversight function. It is going to be a significant administrative burden for research universities to comply with CMMC. It will also be a strategic differentiator for universities that are early adopters of it.

CMMC Will Be a Good Thing for Research Universities
… and I dare say other companies, as well.

If universities can embrace security as a differentiator and as an accelerator of innovation and research, they will be much better off than fighting it.

As mentioned above, CMMC requirements in terms of the basic controls are things institutions have been self-certifying to in the past, so they should already be doing them. They likely aren’t always doing all of those things, though. So it’s important to understand not only how to implement CMMC, but also how to make it part of the strategic plan and an opportunity generator.

There are also many other regulatory requirements that most institutions should meet, such as PCI, HIPAA, etc. Almost all of them are based on the NIST standards. The same goes for CMMC. So once you meet the CMMC standard, you are on your way to meeting these other standards as well.

Finally, CMMC is starting to require conversations with university leadership. Whether it’s the president’s office, the board, or other leadership, it requires those individuals to engage in the security landscape of the moment. This is helping to shape research universities’ approach to security.

Companies Can Help Research Universities Achieve CMMC Certification
Colleges and universities have broad technology footprints. So they need a partner who understands the scope of their technology footprint and can help with the heavy lift of meeting all the requirements of CMMC.

Perhaps most intriguingly, this has broader ramifications beyond research university business models because it influences everyone in the supply chain for not only DoD research contracts, but also potentially other federal agencies, and other current private investors and financiers funding research at these institutions. Many private companies are also using pieces of the CMMC standards as the de facto requirement for sharing sensitive data they may come across in their research efforts. Therefore, it pays for all to begin to better understand these requirements and make a distinct effort to help research universities — an important source of innovation in this country — better understand and prepare for these ongoing requirements moving forward.

Forcepoint Completes Acquisition of Bitglass

AUSTIN, Texas–(Oct. 25, 2021)–Forcepoint, a global leader in data-first security, today announced the company completed its acquisition of Security Service Edge (SSE) leader Bitglass on October 22, 2021.

SSE addresses today’s market need to make security easier to deploy and operate by consolidating technologies for protecting people everywhere as they access and use business data in cloud applications, on the web, and in private apps in data centers and private clouds. With this acquisition, Forcepoint will be delivering a best-in-class SSE platform featuring state-of-the-art Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA) combined with Data Loss Prevention (DLP) all managed seamlessly from a single console.

“Bitglass and Forcepoint share the same vision for disrupting and transforming the security industry with the first modern distributed edge architecture which continuously optimizes to deliver the best performance and experience for the hybrid worker. We have to reduce the complexity of security. It should be a business enabler, leveraging integrated and automated technologies that are easy to manage and swiftly adapt to changing business needs,” said Anurag Kahol, Chief Technology Officer at Bitglass. “In today’s hybrid work environment, access is table stakes. The real game-changer is in delivering a full set of integrated security technologies that enable employees, trusted partners and contractors to safely get to—and use—applications, data, and other corporate resources while maintaining visibility and control through a common control plane.”

“Today Forcepoint is the only Secure Access Service Edge (SASE) company to incorporate advanced capabilities such as enterprise-class DLP, true Zero Trust Content Disarm and Reconstruction (CDR), advanced Remote Browser Isolation (RBI) and pioneering SD-WAN technology,” said Manny Rivelo, CEO of Forcepoint. “We are excited to welcome Bitglass into the Forcepoint family. With the integration of Bitglass, Forcepoint will become the only company delivering all of the strategic components of SSE and SASE. And we will continue to add new capabilities over time, from Forcepoint directly as well as our technology partner ecosystem, to deliver the most robust set of integrated security capabilities from a cloud-native platform with the elasticity to expand and contract as business needs change. Making security easier to deploy and operate is what customers are asking for, and we look forward to making this a reality in 2022.”

The acquisition of Bitglass is the third technology acquisition for Forcepoint this year as the company executes its mission to strategically build, partner and acquire technologies that deliver the industry's best-in-class SASE architecture. Previous acquisitions in 2021 included Remote Browser Isolation (RBI) innovator Cyberinc and Content Disarm and Reconstruction (CDR) leader Deep Secure.

Further details on the integration of Bitglass SSE within Forcepoint’s Data-first SASE architecture will be announced in Q1 2022. To learn more about Forcepoint’s Data-first SASE, please visit www.forcepoint.com/sase.

Additional Resources

  • Blog: Forcepoint Closes Acquisition of Bitglass
  • News Release: Forcepoint to Acquire Security Service Edge Leader Bitglass

About Forcepoint

Forcepoint is the global leader for data-first security. Forcepoint's behavior-based solutions adapt to risk in real time and are delivered through a cloud-native SASE security platform that protects users, devices, and networks as people access the web and cloud, prevents the theft or loss of sensitive data and intellectual property no matter where people are working, and eliminates breaches caused by insiders. Based in Austin, Texas, Forcepoint creates safe, trusted environments for thousands of enterprise and government customers and their employees in more than 150 countries. www.forcepoint.com

About Bitglass

Bitglass delivers data and threat protection for any interaction, anywhere, on any device to ensure secure business continuity across the distributed enterprise. Operating at cloud scale across a global network of over 300 points of presence, its Polyscale Architecture boasts an industry-leading uptime of 99.99% five years running and delivers unrivaled performance and real-time scalability. Based in Silicon Valley with offices worldwide, the company was founded in 2013 by a team of industry veterans with a proven track record of innovation and execution.

OpenText Strengthens Ransomware Resilience

WATERLOO, ON, Oct. 25, 2021 /PRNewswire/ — OpenText™ (NASDAQ: OTEX), (TSX: OTEX) announced new capabilities for Carbonite Server®, including hourly backups, early warning, and classification upgrades that will enhance organizations' ability to detect, protect, and respond to increased ransomware and other data threats.

“With ransomware attacks on the rise, businesses need a reliable and comprehensive backup and recovery solution as part of their layered cybersecurity defense,” said Prentiss Donohue, EVP, SMB/C Sales. “The addition of these new features in Carbonite Server increases the ability for businesses not only to avoid having to pay in a ransomware attack, but also to withstand data losses of any kind and return to normal operations quickly.”

The key functionalities in this release include:

  • Hourly Backups: Administrators can now configure hourly backup and retention settings. Combined with Carbonite Server’s immutable backup capability, hourly backup greatly decreases the risk of ransomware compromising your data. New monitoring, alerting and reporting functions keep admins fully informed of progress and status of hourly backups, enabling them to manage any scheduling issues that may occur using a shorter backup window.
  • Scan and Flag for Potential Ransomware: Carbonite Server now includes automatic early warning alerts for potential ransomware activity on Windows systems based on anomalous activity, with the option to then review flagged backups, enabling improved detection and review of possible ransomware.
  • Ransomware Classification: Clear indications of ransomware risk status also appear within the management dashboard, monitor page, and job views, so immediate attention is drawn to any risk.

“Ransomware and malware attacks have unfortunately become an everyday norm as of late. The ability to schedule hourly, immutable backups along with Carbonite Server’s ransomware detection features increases our overall ability to recover from ransomware attacks and other data losses quickly,” says Simon Calloway, International Procurement Manager, Ocean Telecom. “More importantly, they increase the likelihood that our backups remain uncorrupted, strengthening our overall security and data protection posture.”

Carbonite Server is a powerful, all-in-one backup and recovery solution for physical, virtual, and legacy systems that keeps data secure onsite and in the cloud, minimizing downtime and ensuring higher levels of ransomware resilience for businesses. With flexible recovery options and easy management, Carbonite Server safeguards data and helps businesses recover from data losses.


About OpenText
OpenText, The Information Company™, enables organizations to gain insight through market leading information management solutions, powered by OpenText Cloud Editions. For more information about OpenText (NASDAQ: OTEX, TSX: OTEX) visit opentext.com.

Jumio Launches End-to-end Orchestration for its KYX Platform

Palo Alto, Calif. — October 25, 2021 — Jumio, the leading provider of AI-powered end-to-end identity verification, eKYC and AML solutions, today announced the launch of an intuitive no-code orchestration layer for its KYX Platform that unifies an entire set of risk and fraud detection capabilities to address identity proofing, compliance verifications and AML use cases. Jumio pioneered the ID + selfie approach to identity verification and is now significantly expanding its platform capabilities for business customers. The KYX Platform will now provide multi-layered, end-to-end risk detection with flexible workflows, increasing visibility by showing a holistic view of the consumer identity and any underlying risk.

As fraudsters become increasingly sophisticated, businesses are having to layer in countless risk signals from multiple vendors in an attempt to protect their ecosystems. The Jumio KYX Platform addresses these pain points by enabling its customers to orchestrate the controls and assurances needed to know and trust their end users — all through a single API layer powered by AI and automation, achieving record high catch rates and low false positives.

“Jumio’s next-generation KYX orchestration platform reimagines the process from one-off authentication to holistic user recognition and verification,” said Jumio CEO Robert Prigge. “Rather than treating all users as potential threats, the platform puts the business customer at the center of the verification process. This delivers a more seamless user experience that verifies consumer or employee data coupled with enhanced authentication using a document such as a government-issued ID.”

With the addition of an orchestration layer, Jumio’s platform leverages its best-in-class identity verification technology to address today’s market challenges caused by the rampant theft of personally identifiable information (PII) via large-scale data breaches. Jumio’s ability to quickly verify and validate consumers, via government-issued IDs and other data sources and risk signals, completely differentiates the next-generation KYX Platform from other providers who rely on data that have been compromised in breaches. The engine behind the platform allows enterprises to create custom risk and fraud workflows using a no-code interface and presents a unified risk score to provide a single outcome across multiple risk checks.

“Our intent is to take the heavy lifting of fraud prevention out of the hands of our customers. By leveraging our KYX Platform, complete with flexible workflows, no-code orchestration and multi-layered risk signals, organizations can assess not only the risk of the individual, but also the devices associated with them, the IDs they furnish and their facial biometrics — all in one platform through a single API layer,” said Bala Kumar, chief product officer of Jumio. “We want to enable our customers to focus on their primary business and leave the fraud prevention to us. We are their first and strongest defense for bringing in valuable customers while keeping the bad actors out. Suspicious transactions will get pushed to our integrated case management solution so fraud and compliance analysts can quickly triage and resolve any issues.”

Latam fintech pioneer Rappi is one of the first Jumio customers to sign up for early access to the next-generation Jumio KYX Platform.

“We’re excited to work with a platform that gives us the flexibility to add data sources, maximize conversions and optimize the user workflow and overall customer experience,” said Juan Pablo Ortega, Rappi co-founder. “This vision aligns and supports our expansion ambitions and goals for the future.”

Visit jumio.com/KYX to learn more.

About Jumio

When identity matters, trust Jumio. Jumio’s mission is to make the internet a safer place by protecting the ecosystems of businesses through a unified, end-to-end identity verification, eKYC and AML platform. The Jumio KYX Platform offers a range of identity proofing and AML services to accurately establish, maintain and reassert trust from account opening to ongoing transaction monitoring.

Leveraging advanced technology including AI, biometrics, machine learning, liveness detection and automation, Jumio helps organizations fight fraud and financial crime, onboard good customers faster and meet regulatory compliance including KYC, AML and GDPR. Jumio has carried out more than 400 million verifications spanning over 200 countries and territories from real-time web and mobile transactions.

Based in Palo Alto, Jumio operates globally with offices in North America, Latin America, Europe and Asia Pacific and has been the recipient of numerous awards for innovation. Jumio is backed by Centana Growth Partners, Great Hill Partners and Millennium Technology Value Partners.

For more information, please visit www.jumio.com.

SolarWinds Attacker Targets Cloud Service Providers in New Supply Chain Threat

Nobelium, the Russia-based threat actor behind the supply chain attack on SolarWinds, is targeting cloud service providers and IT services organizations in a large-scale and ongoing campaign designed to infiltrate systems belonging to downstream customers of these companies.

Since May, Nobelium has attacked at least 140 cloud service providers and compromised 14 of them, according to Microsoft, which has been tracking the campaign.

Once on a service provider’s network, Nobelium has been targeting the privileged accounts that providers use to access and manage networks belonging to their downstream customers. It has used several tactics, including password spraying, phishing, token theft, and API abuse, to steal legitimate credentials for these accounts. The attackers have then used the privileged accounts to gain a foothold on systems belonging to targeted downstream customers of the service provider. Victims have included enterprise organizations, technology vendors, government entities, and think tanks, Microsoft said. Most of the organizations that have been targeted are based in the United States or countries across Europe.

The attacks on service providers—and resulting compromises—are not the result of product security vulnerabilities. Rather, they are the result of Nobelium actors taking advantage of any direct access that Internet and cloud service providers have to their customer systems, said Tom Burt, corporate vice president of customer security and trust at Microsoft, in a blog posted Sunday. 

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt wrote.

This latest Nobelium campaign is an example of attackers’ growing focus on targets that provide them with means to compromise multiple organizations at the same time without having to break into each one separately. Examples of such targets include cloud service providers, managed service providers, software vendors, and other trusted entities in the technology supply chain, many of which have privileged access rights on networks belonging to their customers.

In the SolarWinds campaign, Nobelium broke into the company’s software build environment and used its access to quietly embed malicious code into legitimate updates of SolarWinds’ Orion network management product. That single intrusion gave the attacker a way to distribute malware to thousands of organizations, though it was interested in stealing data from only a small subset of its victims. 

“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” Burt said.

In July, threat group REvil used a similar tactic by targeting a Kaseya server technology—which many managed service providers use—to distribute ransomware to thousands of their downstream customers.

For enterprise organizations, the main takeaway from such attacks is that supply chain threats extend well beyond just software vendors, says Jake Williams, cofounder and CTO at BreachQuest. IT service providers often have relatively poor security themselves while simultaneously having access to numerous customer networks, he adds. 

“Every penetration security professional has horror stories about security at IT service providers,” Williams says. “In one example, if I know the organization is serviced by a particular provider and the year the contract began, I know the domain admin password for the network.”

A Persistent Adversary

Nobelium is a threat actor that the US government and others have formally identified as being linked to Russia’s foreign intelligence service, SVR. One of its missions is to collect information and conduct surveillance on organizations and entities thought to be of interest to the Russian government. Microsoft and others believe the group is trying to gain and maintain persistent access to a variety of entry points on the technology supply chain as part of this mission. Burt said that between July 1 and mid-October of 2021, Microsoft security researchers observed some 22,868 Nobelium attacks on organizations in the US and elsewhere. So far, Microsoft has informed 609 customers of being targets of these attacks, he said.

Williams describes Nobelium as a truly persistent adversary. “Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt,” Williams notes. “Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete,” he says.

Microsoft has recommended steps that organizations can take to reduce their exposure to attacks like Nobelium’s that try to take advantage of the delegated administrative privileges that third parties often have on customer networks. The recommendations are different for service providers and for enterprise customers of these providers.

The recommendations for enterprise organizations include the need to review, audit, and limit third-party access privileges and delegated permissions on their network; the use of multifactor authentication and conditional access policies; and the need to audit and review logs and configurations. For service providers, Microsoft recommended they remove connections with delegated access privileges on customer networks, when not in use. The company also urged service providers to review and audit security controls around connections with customer networks and to conduct a thorough investigation to verify if they had been breached in the current Nobelium campaign.
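The enterprise-side recommendations above (review, audit and limit delegated permissions; enforce MFA; remove unused delegated access) can be turned into a repeatable check. The following is an added example, not Microsoft's guidance or any vendor's tooling: it audits a constructed, hypothetical inventory of service-provider relationships on a customer tenant and flags the three conditions the recommendations name. The data model, role names and the 30-day idle threshold are assumptions chosen for illustration; a real deployment would populate the inventory from the tenant's own partner and sign-in records.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class DelegatedAccess:
    """One service-provider relationship holding delegated admin rights on our tenant."""
    partner: str        # provider name (hypothetical)
    role: str           # role granted to the partner on the customer tenant
    last_used: date     # date of the last sign-in made through this relationship
    mfa_enforced: bool  # conditional access requires MFA for the partner's accounts


# Constructed sample inventory for illustration only; not from any real tenant.
SAMPLE = [
    DelegatedAccess("msp-alpha", "Global Administrator", date(2021, 10, 20), True),
    DelegatedAccess("msp-beta", "Global Administrator", date(2021, 6, 1), False),
    DelegatedAccess("reseller-gamma", "Helpdesk Administrator", date(2021, 10, 1), True),
    DelegatedAccess("msp-delta", "Helpdesk Administrator", date(2021, 3, 15), True),
]

# Roles that should never be delegated long-term; "assumed" list, adjust to local policy.
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def audit_delegated_access(relationships, today, max_idle_days=30):
    """Return (partner, finding_kind, detail) tuples for every relationship that
    violates one of the recommendations: stale access, no MFA, or excessive privilege."""
    findings = []
    for rel in relationships:
        idle_days = (today - rel.last_used).days
        # "Remove connections with delegated access privileges when not in use."
        if idle_days > max_idle_days:
            findings.append((rel.partner, "stale",
                             f"unused for {idle_days} days; remove or disable the relationship"))
        # "Use multifactor authentication and conditional access policies."
        if not rel.mfa_enforced:
            findings.append((rel.partner, "no-mfa",
                             "partner accounts are not required to use MFA"))
        # "Review, audit, and limit third-party access privileges."
        if rel.role in HIGH_PRIV_ROLES:
            findings.append((rel.partner, "high-privilege",
                             f"{rel.role} delegated; scope down to least privilege"))
    return findings


def partners_to_review(findings):
    """Distinct partners with at least one finding, in a stable order for a report."""
    return sorted({partner for partner, _, _ in findings})


if __name__ == "__main__":
    for partner, kind, detail in audit_delegated_access(SAMPLE, date(2021, 10, 25)):
        print(f"{partner:15s} {kind:15s} {detail}")
    print("review:", ", ".join(partners_to_review(audit_delegated_access(SAMPLE, date(2021, 10, 25)))))
```

Run as-is, the script reports the two idle relationships, the one partner without MFA, and the two partners holding Global Administrator; the helpdesk-only partner that was used recently produces no finding. The point is that each finding maps to one of the three recommendations, so the output doubles as the checklist for the access review.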

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, says the recent activity demonstrates the significant risk to organizations when an APT group targets privileged accounts. 

“Trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes,” he says. “Compromising privileged accounts that have a high level of access enables threat actors to move through the cyber kill chain with little chance of being detected.” Given that many of the organizations impacted by Nobelium’s activity are reportedly cloud and managed service providers, and considering the group’s established ability to move laterally on compromised networks, it is possible that the scope of Nobelium’s latest campaign could increase, he says.

ImmuniWeb founder Ilia Kolochenko recommends organizations implement a third-party risk management (TPRM) program that goes beyond the usual one-size-fits-all questionnaire for assessing vendor risk. He suggests organizations focus on drafting an adequate, proportional, and threat-aware vendor assessment process as part of their TPRM process. “Reasonable contractual clauses, allocating the risks of data breaches and security incidents, can motivate vendors to maintain better security,” he says. 

Industrial Goods & Services Tops Ransomware Targets in 2021

The industrial goods and services sector has been the most heavily targeted with ransomware attacks so far this year, according to new data that put the industry in the top spot for the third quarter of 2021.

Ransomware operators targeted a more diverse range of sectors in the third quarter, report the Digital Shadows researchers who shared the data. While industrial goods and services was still the most targeted, the number of attacks dropped 42% compared to the second quarter of 2021. Attacks against healthcare also saw a notable decrease (31.8%); attacks against the tech sector went up 29.8%.

North America has been a common target for ransomware activity “likely because threat actors have been successful in receiving large ransom payments from the region in previous campaigns,” the researchers wrote in a blog post. The US continued to be the most targeted, followed by Canada. Of all the ransomware victims named on data leak sites in the third quarter, 47% were organizations based in either country.

Looking ahead, researchers point to issues related to data-leak sites that have been seen in the past few months. Many ransomware groups face challenges in managing data leak sites and hosting data on the Dark Web for download, leading to some groups exposing data on public file-sharing websites. Data-leak sites may also leave ransomware groups vulnerable to attacks.

“As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new ransomware groups from continuing to pursue the path of data-leak sites, or what creative solutions they will create to work around these issues,” researchers write.



Who's In Your Wallet? Exploring Mobile Wallet Security

The rise of mobile wallet apps like Apple Pay, Google Pay, and Samsung Pay has made it easier for smartphone owners to pay for goods and services without touching a payment terminal. But as researchers found, some inconsistencies could make it easier for cybercriminals to commit fraud on stolen devices.

Tim Yunusov, a senior expert with Positive Technologies, says these inconsistencies specifically exist in contactless payments for public transportation, as seen in major public transit systems in places such as New York City and London. Yunusov and his research team were able to make fraudulent payments from devices at stores around the globe without the phone leaving its owner’s pocket.

The team has been exploring different aspects of mobile payment security for years, but their goal for this research was to determine whether it’s possible to make payments on a phone if it’s stolen or lost, then picked up by a fraudster. Two years ago, when the team was researching Visa cards and looking closely at Google Pay, Yunusov says, it was the only mobile wallet that allowed payment on locked devices; everything else required a PIN or fingerprint.

In the last two years, however, a lot has changed. One factor has been the use of smartphones to pay for public transit because, as he points out, it’s inconvenient for every rider to unlock their phone before going through the gate. Apple and Samsung introduced a transport scheme in which people don’t need to unlock their phone to pay for public transportation.

This made Yunusov curious. Would it be possible to bypass security mechanisms and use this feature for fraudulent purposes? Mobile wallet providers claim to protect cardholders and their payment details because they don’t disclose the information of the original card, but he wondered if there might be a way to sidestep their protective measures.

Compounding his interest is lost-and-stolen fraud, which he says is among the most common types of fraud affecting modern payment cards. In these attacks, when people lose a phone or card, there is a window before the card is blocked during which fraudsters can buy goods and services. Modern EMV contactless cards and mobile wallets, unlike their predecessors, don’t allow a payment card to be cloned, which motivates attackers to steal the devices or cards themselves.

“Therefore, the main goal for fraudsters probably would be to use stolen devices or cards for payment fraud,” Yunusov says.

Hacking at The Tube

Conducting the research “was kind of a journey,” he says. Normally, the team buys the devices they need to do their research and does their work at home or in the office. In this case, because he was researching contactless payments for public transportation, his research brought him into the London tube station.

“To carry out most of the checks, I personally had to go to the London metro basically every day, trying to collect all the data and find a way to bypass security mechanisms that were implemented in Apple and Samsung Pay in order to find an answer to the question,” he says.

Six months to a year later, the team found inconsistencies in contactless payments for public transport that could lead to fraud on lost or stolen mobile phones. Their findings specifically relate to Apple and Samsung, as Google Pay doesn’t yet have a specific transport scheme.

Yunusov will share more details about the process in an upcoming Black Hat Europe talk, “Hand in Your Pocket Without You Noticing: Current State of Mobile Wallet Security.” The goal, he says, is to highlight some issues with contactless payments in hopes of improving their security.

For the people who use mobile wallets, Yunusov advises locking all cards attached to their wallet as soon as they realize their phone is lost or stolen. Keep an eye on what’s happening in notifications and transactions and stay alert for suspicious activity.