61% Indian IT managers clueless how bandwidth is being consumed
Nearly 57 percent of Indian IT managers can’t identify network traffic while 61 percent don’t know how their bandwidth is consumed, a new report said on Wednesday, adding that the majority of Indian IT managers have legal liabilities when it comes to unidentified traffic at their workplaces. According to British IT security company Sophos’ global survey titled “The Dirty Secrets of Network Firewalls,” 89 percent of Indian IT heads opined that stopping malware threats has become harder over the last year. “While 94 percent agree that stopping ransomware should be a top priority in organisations, a lack of effective application visibility is a serious security concern for 90 percent of Indian businesses,” said the report. “While 72 percent want to see applications by risk levels through their organisation’s firewall, 60 percent are concerned about productivity loss due to unwanted apps and 52 percent had legal liability or compliance concerns due to potentially illegal content,” the report said. The survey further stated that 61 percent would like to see better perimeter security in their organisation’s network firewall along with better threat visibility and better protection. “Controlling network traffic is an essential role of every firewall, yet 61 percent of IT managers can’t tell you how their bandwidth is being consumed,” said Sunil Sharma, Managing Director Sales at Sophos India & SAARC. “On an average, organisations are spending 7 working days to remediate infected machines,” said Sharma. Considering the debilitating impact cyber attacks can have on a business, it’s unsurprising that 90 percent of respondents agree that a lack of application visibility is a serious security concern. About 79 percent of IT heads face security risks from unwanted or unnecessary apps.
“Companies are looking for the kind of next-generation, integrated network and endpoint protection that can stop advanced threats and prevent an isolated incident from turning into a widespread outbreak,” Sharma said.
Website of Supreme Court of India is Allegedly Hacked
In the era of AI, IoT and ML, hacking has become the newest front line of crime. While the cyberwar between the US, the UK and Russia has just escalated to another level, as Russia supposedly murdered its two agents residing in London, many Indian government sites have clearly become a favourite target for hackers. Recently, after the hack of the portals of the Ministries of Law, Defence, Labour and Home Affairs and more than 100 other government portals, the Supreme Court of India website was today hacked, right after the judgment on Justice Loya’s demise was delivered. The site stopped working soon after a bench led by Chief Justice Dipak Misra delivered a hard-hitting judgment about the demise of B H Loya, the Special CBI Judge who was handling the Sohrabuddin Sheikh encounter case. The website hack held up the posting of the details of the Loya judgement online. Attempts to reach the website were met with a “Website under maintenance” message. Reporters who were waiting for the decision to be posted on the website made frantic inquiries with the officials concerned regarding the suspected hacking. Following the postponement till late afternoon, Supreme Court officials acknowledged a problem, although they called it a “technical issue”, as PTI revealed. The officials, who asked for anonymity, were evasive about confirming whether the site was hacked and stated that the top court’s information technology team was in contact with the National Informatics Centre (NIC), as reported on indiatoday.in on 20/04/2018. Interestingly, in the case of the earlier breaches, where many government portals including the Ministry of Defence were down and displayed Chinese characters, the state refused to treat them as an attack and described the matter as a technical glitch. However, in the case of the Supreme Court, according to the message, it is a clear case of hacking. The Ministry of Electronics and Information Technology confirmed that the website of the Supreme Court had been attacked.
According to the report, the Ministry’s crisis response team has instructed the Supreme Court on the measures that need to be taken to restore the site, and will also investigate the details of the incident.
Karnataka minister H K Patil’s website hacked
A personal website of H K Patil, senior Congress leader and minister for rural development and panchayat raj, was hacked by miscreants and derogatory information posted against him and the nation. Based on a complaint from Patil, cybercrime police registered a case on Sunday. N Satheesh Kumar, joint commissioner of police (crime), said the case was booked against unknown miscreants. In his complaint, Patil, a senior cabinet minister in the Siddaramaiah government, stated that he owns the website www.hkpatil.com and that it contained information about his achievements as a minister and in various capacities during his political career. “Miscreants hacked the website on Saturday and put up content which is against the people of this country and against the nation,” he stated. “This act appears to have been deliberately done to bring a bad name to me and spoil my reputation in society,” he said. Patil told police that the miscreants had posted content which could harm national integrity. A case has been registered under section 66C (punishment for identity theft) of the IT Act and IPC sections 504 (intentional insult with intent to provoke breach of the peace) and 295A (deliberate and malicious acts intended to outrage religious feelings of any class by insulting its religious beliefs). A team has been formed to nab the culprits.
A CVE-2018-0229 flaw in SAML implementation threatens Firepower, AnyConnect and ASA products
“A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software,” reads the security advisory published by Cisco.
The CVE-2018-0229 flaw affects the following Cisco solutions: single sign-on authentication for the AnyConnect desktop mobility client; Adaptive Security Appliance (ASA) software; and Firepower Threat Defense (FTD) software. The flaw could be exploited by an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.
According to Cisco, the flaw exists because the ASA or FTD Software doesn’t implement any mechanism to detect that the authentication request originates directly from the AnyConnect client. In this scenario, the attacker can hijack a valid authentication token and use it to establish an AnyConnect session through an affected device running ASA or FTD Software.
The flaw affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN, running on the following Cisco products: 3000 Series Industrial Security Appliances (ISA); ASA 5500 Series Adaptive Security Appliances; ASA 5500-X Series Next-Generation Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance (ASAv); Firepower 2100 Series Security Appliance; Firepower 4100 Series Security Appliance; Firepower 9300 ASA Security Module; and FTD Virtual (FTDv). Cisco confirmed that only ASA software running version 9.1 and later is vulnerable; the issue also affects FTD software running version 6.1 and later, and AnyConnect version 4.
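The defect described above is the absence of a binding between the SAML response and the client that started the login. The following added example (not Cisco’s code, and not taken from the advisory) sketches a hypothetical service-provider side check that supplies that binding: each authentication request ID is tied to the requesting client, is single-use, and expires, so a hijacked or replayed response cannot open a session. It assumes that the XML signature on the response has already been verified, and the sample response it parses is constructed and unsigned.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


class SamlSessionBroker:
    """Hypothetical service-provider check (constructed for illustration):
    a SAML response establishes a session only if it answers a request this
    broker issued to that same client, and each request ID is consumed once."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}  # request_id -> (client_id, issued_at)

    def new_request(self, client_id, now=None):
        # Unpredictable request ID, remembered together with the requesting client.
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = (client_id, now or time.time())
        return request_id

    def accept_response(self, client_id, response_xml, now=None):
        """Return (True, subject) if a session may be opened, else (False, reason)."""
        now = now or time.time()
        root = ET.fromstring(response_xml)
        # pop() makes the ID single-use: a replayed or hijacked response fails here.
        entry = self.pending.pop(root.get("InResponseTo"), None)
        if entry is None:
            return False, "unknown or already-consumed request id"
        owner, issued_at = entry
        if owner != client_id:
            return False, "response presented by a client that did not start the login"
        if now - issued_at > self.ttl:
            return False, "request expired"
        code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
        if code is None or not code.get("Value", "").endswith(":Success"):
            return False, "identity provider did not report success"
        name_id = root.find(f"{SAML}Assertion/{SAML}Subject/{SAML}NameID")
        if name_id is None or not name_id.text:
            return False, "assertion carries no subject"
        return True, name_id.text


def make_response(in_response_to, subject="alice@example.test"):
    """Constructed, unsigned sample IdP response used only to exercise the broker."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        f'InResponseTo="{in_response_to}"><samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID>{subject}</saml:NameID></saml:Subject></saml:Assertion>'
        '</samlp:Response>'
    )
```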
Health Stream left exposed online a database containing contact data for roughly 10,000 medics
The IT expert Brian Wethern has discovered that the US healthcare company Health Stream left exposed online a database containing contact information for roughly 10,000 medics. Wethern reported his discovery to Health Stream ten days ago; he explained that the data were hosted on one of the websites that have since been removed. Records in the archive left open online include the last names of medics connected to Health Stream’s Neonatal Resuscitation Program, their email addresses, and ID numbers. The site hosting the medics’ records was taken offline shortly after Wethern reported the data leak, but even though the website is no longer accessible, the leaked data are still available in various online caches. The leaked data could be used by threat actors to launch a spear phishing campaign against medics at Health Stream. “What I found was a front-side database,” Wethern told El Reg. “I don’t need their passwords … because I have the front-side database.” Wethern decided to disclose the data leak to warn of the risks of this kind of incident and to highlight the importance of reserving a budget for the cybersecurity of IT infrastructure. “Hire a basic researcher, first and foremost. Allow your company to budget for these types of intrusions,” Wethern added. “And before this all happens, make sure to have a data breach summary in place. Be current with bug bounty programs, own up to your mistakes, and honour the fact that security researchers can be good people out to do good things.” Health Stream did not comment on the data leak.
SunTrust unfaithful employee may have stolen data from 1.5 Million customers
A former employee at SunTrust Bank may have stolen data on 1.5 million clients, including names, addresses, phone numbers, and account balances. “The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed,” reads the press release published by the bank. “The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement.” The bank said it believes the information doesn’t include personally identifiable information, such as social security numbers, account numbers, PINs, user IDs, passwords or driver’s license numbers. SunTrust is notifying approximately 1.5 million clients that certain information may have been exposed. According to the Reuters agency, the unfaithful employee tried to download the client data a few weeks ago in an attempt to sell it to a criminal. “Chief Executive Officer William Rogers brought the incident to light on a post-earnings call with analysts on Friday. He said the attempt to download client information was made six to eight weeks ago,” Reuters reported. SunTrust CEO William Rogers said that there was no indication of fraudulent activity using the exposed information, and that the data likely had not been sent outside the bank. SunTrust is now offering free identity protection services to all of its clients. “SunTrust Banks, Inc. (NYSE: STI) is now offering Identity Protection for all current and new consumer clients at no cost on an ongoing basis. Experian IDnotify™ will be provided to those who sign up for the service,” continues the press release.
“The IDnotify product by Experian is being offered in addition to existing SunTrust security protocols: ongoing monitoring of accounts, FICO score program, alerts, tools and zero liability fraud protection.”
Security experts at Trend Micro have spotted spam campaigns delivering XTRAT and DUNIHI Backdoors and Loki malware bundled with the Adwind RAT.
Malware researchers at Trend Micro have uncovered a spam campaign that delivers the infamous Adwind RAT (aka jRAT) alongside the XTRAT backdoor (aka XtremeRAT) and the Loki info stealer. The crooks behind the Adwind, XTRAT, and Loki bundle used a weaponized RTF document that triggers the CVE-2017-11882 vulnerability to deliver it. XTRAT shares similar capabilities with Adwind; it also implements features to control both the device camera and microphone. The experts also observed Adwind bundled with the DUNIHI backdoor: in a separate Adwind RAT spam campaign, the attackers used a JAR dropper that ships a VBS dropper delivered via spam mail, with the VBScript backdoor tracked as DUNIHI. “The dropped files are effective RATs with multiple backdoor capabilities, anti-VM, anti-AV, and are highly configurable. Notably, Adwind and XTRAT connect to the same C&C server: junpio70.” Both campaigns abuse the legitimate free dynamic DNS server hopto[.]org. “Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org.” “Both variants of Adwind arrive via email, so it is imperative to secure the email gateway to mitigate threats that abuse email as an entry point to the system and network.”
Expert devised an exploit for a Code Execution vulnerability in NVIDIA Tegra Chipsets
The expert devised an exploit, dubbed Fusée Gelée, that leverages a cold boot vulnerability to gain full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM). The flaw affects all NVIDIA Tegra SoCs released prior to the T186 / X2. The flaw requires physical access to the affected hardware; the expert highlighted that the flaw in the Tegra chipset is independent of the software stack. According to the researcher, the affected component cannot be patched, and the issue affects a large number of devices, including the Nintendo Switch console. “The relevant vulnerability is the result of a ‘coding mistake’ in the read-only bootROM found in most Tegra devices. This bootROM can have minor patches made to it in the factory (‘ipatches’), but cannot be patched once a device has left the factory.” “As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) “application processors” at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).” The exploitation of the flaw could allow compromising the entire root-of-trust for each processor, resulting in the exfiltration of sensitive data. The expert plans to release technical details of the flaw on June 15, 2018, but it is likely that other actors are also in possession of the Fusée Gelée exploit.
$3.04 billion has been lost due to internet shutdowns in last five years
India faced around 16,315 hours of internet shutdown during 2012-2017, a report released by the Indian Council for Research on International Economic Relations (ICRIER) said on Wednesday. With the government ordering frequent internet shutdowns, approximately $3.04 billion has been lost due to internet shutdowns in the last five years. The report, titled The Anatomy of an Internet Blackout: Measuring the Economic Impact of Internet Shutdowns in India, focuses on the economic impact of internet shutdowns in the last five years. In 2017, the number of internet shutdowns in India more than doubled from 2016, while the total hours of shutdown increased by only 20%, said the report. An internet shutdown is an intentional and complete disruption of fixed-line or mobile internet, ordered pursuant to the authority of the state, that renders the internet inaccessible or unusable for a specific population. India has witnessed mobile-only and mobile plus fixed-line internet shutdowns. “There have been 12,615 hours of mobile internet shutdowns in India costing the economy approximately $2.37 billion during the period 2012 to 2017 and around 3,700 hours of mobile and fixed-line internet shutdowns costing the economy approximately $678 million,” the report said. “Businesses such as e-commerce suffer most during shutdowns along with online freelancers who operate out of small towns and are completely dependent on a functioning internet,” it said. It also said that such shutdowns affect smaller businesses relatively more than larger businesses that are able to find alternatives.
Western Digital Cloud Storage Device Exposes Files to All LAN Users
WD’s My Cloud represents a highly popular storage/backup device option, allowing users to easily back up important data (including documents, photos, and media files) and store it on removable media. The new drive, however, exposes data to any unauthenticated local network user, because of a Universal Plug and Play (UPnP) media server that the device automatically starts when powered on. By default, it allows any user capable of sending HTTP requests to the drive to grab any files from the device. The My Cloud content can be accessed from the local network when Twonky DLNA Media Server is enabled because the server does not support authentication and is broadcast to any DLNA client without any authentication mechanism. Specifically, anyone can issue HTTP requests to TMSContentDirectory/Control on port 9000 passing various actions. The researchers also published a proof-of-concept, explaining that an attacker needs to include XML with a Browse action in the HTTP request to port 9000 asking for the TMSContentDirectory/Control resource. This will result in the UPnP server responding with a list of files on the device. Next, the attacker can use HTTP requests to fetch the actual files from the device, given that they are already in possession of the URLs leading to those files (from the response collected at the previous step). To ensure their data remain protected, users should keep sensitive data in a password-protected My Cloud Share. They are also advised to disable Twonky DLNA Media Server for the entire My Cloud or to disable Media Serving for Shares containing sensitive data.