Mozilla has released a new version of the Firefox browser to strengthen security and privacy for users.
The Foundation quietly made the announcement last week in a blog post. With the release of Firefox version 69, Enhanced Tracking Protection (ETP) is turned on by default for all users, blocking third-party tracking cookies and cryptomining scripts.
Mozilla introduced Enhanced Tracking Protection in June as an optional feature, but it was limited to new users. The company has now made it available to all users worldwide.
“With today’s release, we expect to provide protection for 100% of our users by default. Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behavior across websites — often without your knowledge or consent,” Marissa Wood, vice president of product at Mozilla, explained in the post.
“Those profiles and the information they contain may then be sold and used for purposes you never knew or intended. Enhanced Tracking Protection helps to mitigate this threat and puts you back in control of your online experience,” she added.
Users will see a shield icon in the address bar when Enhanced Tracking Protection is enabled. If users want to see which companies Mozilla is blocking, they can click on the shield icon, navigate to the Content Blocking section, and then click on Blocking Tracking Cookies right next to Cookies.
Another new capability is a Script Mode that protects against fingerprinting scripts. Users do not want fingerprinting scripts to run in their browsers because these can collect details of the computer's configuration. Script Mode will be enabled by default in a future release.
At the DEF CON 27 security conference in Las Vegas, the Eclypsium security research team uncovered serious security flaws in more than 40 device drivers from 20 different vendors. These flaws could allow attackers to deploy malware on vulnerable devices.
“Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host,” Eclypsium wrote in its report.
These drivers can give an attacker the most privileged level of access, which can be used to perform malicious actions in all versions of Windows, including the Windows kernel. All of the affected drivers are certified by Microsoft.
In a statement to ZDNet, Mickey Shkatov, Principal Researcher at Eclypsium, noted that the affected Windows device drivers expose functionality that can be misused to read and write sensitive resources without any restriction from Microsoft. Shkatov blamed poor coding practices as the major cause of the issue.
Below is a list of some of the affected vendors and hardware manufacturers as published by Eclypsium researchers:
American Megatrends International (AMI)
ATI Technologies (AMD)
Micro-Star International (MSI)
“Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them,” Shkatov said.
However, HVCI is available only on 7th-generation Intel CPUs and newer processors. For older systems, as well as newer ones where HVCI cannot be enabled, manual installation would be needed.
Furthermore, Microsoft recommends that users enable Windows Defender Application Control, or turn on memory integrity for supported devices in Windows Security, to block malicious software and drivers.
Microsoft has made some important recommendations for Windows users to protect against the BlueKeep vulnerability.
BlueKeep (CVE-2019-0708) is a wormable vulnerability that exists in the Remote Desktop Protocol (RDP) used by the Windows OS, including both 32- and 64-bit versions, and Service Pack versions.
According to Microsoft’s Detection and Response Team (DART), this vulnerability could cause large-scale outbreaks like WannaCry and Conficker. BlueKeep allows attackers to perform remote code execution on unpatched systems.
Attackers can perform several actions on vulnerable systems, such as adding accounts with full user rights, viewing, changing or deleting data, or installing programs. It requires no user interaction, and the attack can be carried out without authentication.
The DART team said that there are more than 400K endpoints that lack Network Level Authentication. All of these systems are at potential risk from the BlueKeep vulnerability.
“By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system,” warned Microsoft DART team in a blog post.
To protect against the BlueKeep vulnerability, Microsoft strongly recommends that users apply the Windows update. It is critical to apply all updates if Remote Desktop is used in the environment.
For users who have RDP listening on the internet, it is recommended to move the RDP listener behind a second authentication factor, such as a VPN, an SSL tunnel, or an RDP gateway.
Furthermore, Microsoft advised enabling Network Level Authentication (NLA) to prevent unauthenticated access to the RDP tunnel.
The popular ad management plugin Ad Inserter is the latest WordPress asset to be found vulnerable to a serious security issue. An authenticated user on a site running the plugin can execute arbitrary PHP code on the vulnerable site.
Ad Inserter is currently active on more than 200K websites, leaving a massive number of WordPress websites open to cyberattacks.
Website owners use this plugin to insert ads at optimal positions. It supports Google AdSense, Google Ad Manager, contextual Amazon Native Shopping Ads, Media.net and rotating banners.
According to the Wordfence researchers who discovered the vulnerability, Ad Inserter uses the check_admin_referer() function as an additional security control in the plugin.
The role of this function is to protect against cross-site request forgery (CSRF) attacks. The function checks that a one-time token (nonce) is present in the request, to prevent unwanted repeated, expired or malicious requests.
However, many developers believe that checking this one-time token is enough for access control, and stop there. The WordPress documentation clearly states that this function is not intended for access control.
The vulnerability in Ad Inserter is a good example for developers of why using this function for authorization is not a good idea.
Wordfence said that the weakness could allow an authenticated user (even a subscriber) to execute arbitrary PHP code on vulnerable sites. Wordfence disclosed the issue to the developers of Ad Inserter, who released a fix the very next day.
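To make the nonce-versus-authorization point concrete, here is an added example that is not Ad Inserter's code or Wordfence's: a settings handler in the nonce-only style described above, beside a hardened version that keeps the nonce check for CSRF and adds a capability check for authorization. The function, action and option names (prefixed `hypothetical_`) are assumptions for illustration; `check_admin_referer()`, `current_user_can()`, `wp_die()`, `update_option()` and the sanitization helpers are real WordPress APIs.

```php
<?php
// Added example, not from Ad Inserter or Wordfence. Names prefixed
// "hypothetical_" are invented for illustration.

// NONCE-ONLY PATTERN (the mistake the article describes).
// check_admin_referer() only proves the request was not forged cross-site.
// It does not ask *who* the user is: any logged-in role, including a
// subscriber, can obtain a valid nonce and pass this check.
function hypothetical_save_settings_nonce_only() {
    check_admin_referer( 'hypothetical_save_settings' ); // CSRF check only

    // Anything stored here is writable by every authenticated account.
    update_option( 'hypothetical_settings', wp_unslash( $_POST['settings'] ?? '' ) );
}

// HARDENED PATTERN: authorization, then CSRF protection, then input validation.
function hypothetical_save_settings_hardened() {
    // Authorization: only users who may manage options get any further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.', 'hypothetical' ), 403 );
    }

    // CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'hypothetical_save_settings' );

    // Input validation: accept only the fields and values we expect,
    // never raw user-supplied content that could later be evaluated as code.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array(
        'position' => in_array( $raw['position'] ?? '', array( 'top', 'bottom' ), true )
            ? $raw['position']
            : 'top',
        'label'    => sanitize_text_field( $raw['label'] ?? '' ),
    );

    update_option( 'hypothetical_settings', $clean );
}

// admin_post_{action} fires for any logged-in user, whatever their role,
// which is exactly why the capability check above cannot be omitted.
add_action( 'admin_post_hypothetical_save_settings', 'hypothetical_save_settings_hardened' );
```

The order matters: the capability check runs first so that an unauthorized request is rejected before any nonce or input handling, and the stored value is restricted to a fixed set of fields rather than whatever the request body contained.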
All the websites running Ad Inserter 2.4.21 or below must update the plugin to the latest version (v2.4.22).
With the rise in the use of smartphones and mobile applications, cyber-attacks on mobile devices are also increasing constantly. Attacks on Android are costing users sensitive data and money. In 2018, over 3 million malware samples were detected on Android, and the number is expected to keep rising this year, according to a report by Quick Heal Security Labs.
Despite the rapid rise in cyberattacks on mobile devices, device owners are not investing in security practices, say cybersecurity experts.
“There will be a significant rise in the number of mobile-focused malware and banking trojans. Another major mobile-based threat expected to gain prominence is the introduction of malicious code into clean owned applications post update. This is most likely to take place once the download count has hit a significant landmark on the Google Play Store,” according to Quick Heal’s Annual Threat Report 2019.
In its 2019 Android test, AV-Comparatives checked the effectiveness of Android antivirus apps from the Google Play Store. It tested 250 Android antivirus apps, of which more than two thirds failed to achieve a block rate of even 30 percent. Fewer than 1 in 10 of the apps tested blocked all 2,000 malicious apps.
This shows that while many cheap and free antivirus apps are available, only a few of them provide strong protection against cyber threats. Consequently, before a consumer decides to install an AV app, it is essential to at least validate its effectiveness.
Top Android Malware of 2018
Throughout 2018, Android.Agent.GEN14722 was in the top 10 Android malware list, with nearly 0.1 million detections during the year. Android.Agent.A1a92 and Android.Gmobi.A remained the most prevalent malware impacting mobile devices worldwide.
Trends in Android security threats
Use of social media accounts for malicious purposes.
Applications on the Google Play Store that hide themselves after installation. Their main purpose is to display full-screen ads to users and earn revenue.
FakeApp tricks to inflate sponsored app download counts and reviews.
PDF attachments sent via phishing emails to launch malware on the device.
It is important to use the right anti-malware for Android mobile devices, as these devices have a camera, speaker and location tracker that collect data everywhere the consumer goes. The problem is that users are not aware of antivirus.
The best solution is to invest in AV apps that come from genuine security vendors, who regularly release updated versions to protect users from the latest threats.
For full report and detailed statistics, click here.
At the recent CISO Summit held in Mumbai, Sidharth Mutreja, the Enterprise Solutions Architect at Kaspersky Lab, shared his views on “Efficiently Managing Risks with Cyber Threat Intelligence”.
Cyber threat intelligence (CTI) is the practice of organizing, analyzing, and refining information related to current or potential cyber threats that can affect an organization. The aim of CTI is to help businesses understand the risks of the most common cyber attacks, such as zero-day threats, advanced persistent threats, and exploits.
To respond to and counter modern cyber attacks, organizations need a complete view of the tricks and tools used by attackers. Sidharth Mutreja shed light on best practices for making well-informed strategies to detect attacks, identify the cybercriminals behind them, and assess their short-term as well as long-term impact.
“With the ever-evolving threat landscape, organizations need to be more proactive in their approach for cybersecurity. As a proactive measure, security teams need to embrace cyber threat intelligence encompassing technical, operational, tactical and strategic threat intelligence into their existing security operations to leverage specific intelligence for proactive countermeasures and threat hunting,” said Mutreja.
When organizations assess the risks related to their digital footprint, they can direct the focus of their defensive strategy to the right areas. It also helps in making well-informed decisions about budgets and staffing.
“Today’s cybersecurity approach in terms of solutions and services don’t just have to be as advanced as the threats but should be able to strike down a threat even before it hits. Hence, it is of critical importance that organization’s today enhance their predictive and pre-emptive capabilities with cyber threat intelligence,” added Mutreja.
Further, Mutreja also talked about Kaspersky CyberTrace, a threat intelligence fusion and analytics tool, which the company launched in February this year.
Kaspersky CyberTrace is a free tool that integrates multiple threat data feeds with SIEM solutions. It helps enterprises identify the threats that are dangerous for the organization and allows security teams to focus on the right areas.
Machine learning is reducing the risk from phishing attacks, but the number of such attacks is still on the rise, finds the 24th edition of the Microsoft Security Intelligence Report (SIR).
Microsoft analyzes over 6.5 trillion security signals every day to get a wide and unique perspective into latest trends in the cybersecurity arena. The company has been releasing the security intelligence report for more than a decade now to share its expert insights with the enterprises.
This year's SIR reflects on security events in 2018, including an overview of the security landscape, lessons learned from it, and best practices that need to be followed. Cybersecurity trends in 2018 included a rise in cryptocurrency mining and supply chain compromises, a decline in ransomware, and more.
Attackers are increasingly mining cryptocurrency in the background on user systems, without their permission or awareness. This activity consumes significant bandwidth and creates security risks for users.
Having said that, let’s take a deep dive into the key findings of Microsoft’s latest security report.
Key takeaways from Microsoft Security Intelligence Report:
1. Ransomware encounters declined significantly in 2018
Ransomware attacks like WannaCrypt and Petya were the biggest security events of 2017. Such attacks lock or encrypt computers and then demand money from users to restore access. It was anticipated that ransomware attacks would increase in future.
However, the latest report says that ransomware encounter rates have declined by around 60% between March 2017 and December 2018.
The main reason behind this decline is improved detection and education among enterprises. This made it tough for cybercriminals to get what they were intending.
Highest ransomware encounter rate:
The highest average ransomware encounter rate per month was found in Ethiopia (0.77%), followed by Mongolia (0.46%), Cameroon (0.41%), Myanmar (0.33%), and Venezuela (0.31%).
Lowest ransomware encounter rate:
On the other hand, the lowest ransomware encounter rates per month were found in Ireland (0.01%), Japan (0.01%), the United States (0.02%), United Kingdom (0.02%), and Sweden (0.02%).
2. Cryptocurrency mining is becoming prevalent
Since cybercriminals found it difficult to conduct ransomware attacks, they shifted their efforts to cryptocurrency mining. As a result, cryptocurrency mining is increasing.
While the average ransomware encounter rate in 2018 was just 0.05%, the rate for cryptocurrency coin mining encounters was 0.12%.
Cryptocurrencies like Bitcoin and Ethereum work as digital money and can be used anonymously. However, mining them requires users to perform calculations that are resource intensive. While new cryptocurrency coins are released very frequently these days, the calculations are becoming more difficult.
Mining top cryptocurrencies like Bitcoin is almost impossible without access to immense computing resources. As a result, cybercriminals have turned to malware that gives them access to victims' computers, which they then use to mine cryptocurrency coins. In this way, they can leverage the processing power of hundreds of thousands of computers rather than one or two.
Highest cryptocurrency mining encounter rate:
Ethiopia (5.58%), Tanzania (1.83%), Pakistan (1.47%), Kazakhstan (1.24%), and Zambia (1.13%) are the five locations with the highest cryptocurrency coin mining encounter rates in 2018.
Lowest cryptocurrency mining encounter rate:
The lowest average monthly coin mining encounter rate was approx. 0.02% in 2018. Ireland, Japan, the US, and China were the locations with lowest rate during the period.
3. Browser-based cryptocurrency mining comes to the scene
Typically, cryptocurrency miners are installed on victims' computers in the form of malware. But a new kind of threat has come onto the scene, where the miner runs entirely within the web browser and does not need to be installed on the computer.
These browser-based cryptocurrency miners do not need to compromise the computer. Such miners can degrade computer performance and waste electricity while users browse the compromised websites.
According to the report, Brocoiner was the most prevalent browser-based cryptocurrency miner in 2018.
4. Software supply chains are at risk
Attackers try to compromise the development or update process of legitimate software in order to gain access to the software and systems of the people who use it.
By injecting malicious code into the software, attackers gain the same trust and permissions as the software itself. This has become a primary concern for IT leaders, as these attacks are increasing and can leave enterprise IT departments vulnerable.
For example, the first major software supply chain attack of 2018 was found in March. Microsoft’s Windows Defender ATP blocked a massive campaign that was delivering the Dofoil trojan, also called Smoke Loader.
The attackers had replaced an application's update package with malicious code. The trojan carried a coin mining payload and exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods.
Windows Defender Antivirus blocked over 400K infection attempts in the first 12 hours of the campaign.
5. Email phishing is still a preferred attack method
Office 365 is the most popular enterprise productivity suite available. Microsoft said that it analyzes over 470 billion email messages per month to scan for phishing and malware. In 2018, phishing messages in inbound emails increased by 250%.
This shows that email phishing is still one of the most preferred attack methods for cybercriminals. Microsoft is rapidly strengthening email security with anti-phishing protection, detection, and investigation. But since email involves human decisions and judgement, it is difficult to eliminate phishing completely.
Domain spoofing: the email message domain is an exact match with the original domain name.
Domain impersonation: the email message domain is a look-alike of the original domain name.
User impersonation: the email message appears to come from someone you trust.
Credential phishing links: the email message contains a link to a page that resembles a login page for a legitimate site, so users will enter their login credentials.
Phishing attachments: the email message contains a malicious file attachment that the sender entices the victim to open.
Links to fake cloud storage locations: the email message appears to come from a legitimate source and entices the user to give permission and/or enter personal information such as credentials in exchange for accessing a fake cloud storage location.
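The first two categories above differ in what a mail filter can actually detect, which is worth seeing in code. The following is an added example, not part of the Microsoft report: it classifies a sender domain against a protected domain, treating an exact match as something only sender authentication (SPF/DKIM/DMARC results) can judge, and a look-alike as something string analysis can flag. The protected domain, the homoglyph table and the sample messages are constructed for illustration.

```php
<?php
// Added example, not from the Microsoft report. PROTECTED_DOMAIN, the
// homoglyph table and the sample messages below are constructed.

const PROTECTED_DOMAIN = 'example.com';

// Substitutions commonly used to imitate a domain (constructed, not exhaustive).
// strtr() with an array tries longer keys first, so 'rn' is handled before 'r'/'n'.
const HOMOGLYPHS = array('rn' => 'm', 'vv' => 'w', '0' => 'o', '1' => 'l', '3' => 'e');

function normalize_domain(string $domain): string {
    return strtr(strtolower(trim($domain)), HOMOGLYPHS);
}

// Parses spf/dkim/dmarc verdicts out of an Authentication-Results header value.
function parse_auth_results(string $header): array {
    $results = array('spf' => 'none', 'dkim' => 'none', 'dmarc' => 'none');
    if (preg_match_all('/\b(spf|dkim|dmarc)=(pass|fail|softfail|none)\b/i', $header, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $results[strtolower($match[1])] = strtolower($match[2]);
        }
    }
    return $results;
}

function classify_sender(string $from_domain, string $auth_header): string {
    $from = strtolower(trim($from_domain));

    if ($from === PROTECTED_DOMAIN) {
        // Domain spoofing: the string is identical to the real domain, so only
        // the authentication verdict can separate a spoof from a real message.
        $auth = parse_auth_results($auth_header);
        return $auth['dmarc'] === 'pass' ? 'authenticated' : 'domain spoofing';
    }

    // Domain impersonation: look-alikes via homoglyphs, small edit distance,
    // or the real domain embedded in a longer attacker-controlled name.
    if (normalize_domain($from) === PROTECTED_DOMAIN
        || levenshtein($from, PROTECTED_DOMAIN) <= 2
        || strpos($from, PROTECTED_DOMAIN) !== false) {
        return 'domain impersonation';
    }

    return 'unrelated';
}

// Constructed sample messages: [From domain, Authentication-Results value].
$samples = array(
    array('example.com',            'mx.example.net; spf=pass dkim=pass dmarc=pass'),
    array('example.com',            'mx.example.net; spf=fail dkim=none dmarc=fail'),
    array('exarnple.com',           'mx.example.net; spf=pass dkim=pass dmarc=pass'),
    array('examp1e.com',            'mx.example.net; spf=pass dmarc=pass'),
    array('exampel.com',            'mx.example.net; spf=none dkim=none'),
    array('example.com-login.net',  'mx.example.net; spf=pass dkim=pass dmarc=pass'),
    array('github.com',             'mx.example.net; spf=pass dkim=pass dmarc=pass'),
);

foreach ($samples as [$from, $auth]) {
    printf("%-24s -> %s\n", $from, classify_sender($from, $auth));
}
```

Expected classifications for the constructed samples: the first is authenticated, the second is domain spoofing (same string, failed DMARC), the third through sixth are domain impersonation, and the last is unrelated. The key lesson is that a look-alike sender passing SPF and DKIM for its own domain is still an impersonation, so authentication results alone are not a sufficient filter; the two checks have to be combined.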
For the full Microsoft Security Intelligence Report (SIR), click here. Microsoft has also created an interactive website to let users dig into region-specific data.
Sectigo (formerly Comodo CA) is looking to protect enterprises in the Middle East against phishing, business email compromise (BEC), and other web security threats.
As part of this, the company has expanded its collaboration with partners in the Middle East, including BroadBITS, Checksum Consultancy, and Hayyan Horizons.
Sectigo will now deliver web security solutions and consultancy services to enterprises in Bahrain, Dubai, Kuwait, Jordan, Oman, Saudi Arabia, Qatar, and the United Arab Emirates. These solutions will modernize digital identity strategies and help enterprises reduce cybersecurity risks.
“Business email compromise (BEC) attacks are on the rise. In 2018, spoofing or BEC attacks rose 250 percent and spear-phishing attacks in companies saw a 70 percent increase (IndustryWeek),” explained Victor Schooling, Regional Director, Middle East and Africa, Sectigo.
“Organizations throughout the Gulf States and Jordan are eager for email encryption and digital signing solutions that minimize these and other risks. We’ve chosen our initial Middle East partners for their excellent reputations and commitment to addressing important cybersecurity challenges.”
The cybersecurity solutions available to enterprises in the Middle East will include Sectigo Certificate Manager, Secure Email Certificates (S/MIME), and Sectigo Private CA.
Sectigo Certificate Manager is a cloud-based platform that allows customers to manage public, private and IoT device certificates from a single platform. It comes with the tools, support, and capabilities needed to minimize risk, respond to threats faster, and optimize operational costs.
“Expired certificates can be incredibly costly to a company,” added Naveed Ahmed, General Manager, BroadBITS.
“By offering Sectigo Certificate Manager, we are helping clients prevent incidents like Ericsson’s global outage in December, which resulted in UK mobile carrier O2 seeking millions in damages.”
Secure Email Certificates (S/MIME) are intended to help combat BEC attacks. The solution digitally signs and encrypts email communications across the enterprise. It supports major email clients such as Microsoft Outlook and Exchange, as well as mobile operating systems.
“Checksum is dedicated to ensuring that information security enables businesses to advance their digital strategy. Sectigo innovations, such as its Zero Touch S/MIME solution, will greatly help CIOs and IT managers save time and money through efficient and effective cybersecurity administration,” said Mohamed Omar, Principal Consultant at Checksum Consultancy Co.
Sectigo Private CA allows enterprises to create their own private root certificates. These root certificates can be used to issue private and end-entity certificates for internal servers, users and devices, while meeting corporate and industry compliance requirements.
“We have found Sectigo a great partner to work with. The company’s offerings are proven and strong, and we appreciate the team’s dedication,” said Ali Tamimi, Founder and Managing Director, Hayyan Horizons.
In September last year, Sectigo also joined hands with Korea Information CA to expand its partnerships in Asia and offer digital web security solutions in Vietnam and Indonesia.
Sectigo (formerly Comodo CA), a global leader in digital web security solutions, is revamping its Channel Partner Program to provide a new level of support and benefits to partners.
The Sectigo Channel Partner Program is dedicated to building partnerships with web hosts, managed service providers, direct market resellers and domain registrars to develop and deliver website security solutions. The program provides the training, certifications, rewards, support and benefits partners need to deliver valuable services to customers.
With the revamped program, partners will get additional support, tools and discounts, allowing them to expand into new segments of the cybersecurity market.
Partners can now resell the complete suite of services offered by Sectigo. These services include TLS/SSL Certificates, SMIME/Email Certificates, Signing Certificates, Certificate Manager, IoT Manager, and PCI Compliance and Website Vulnerability Scanning.
The Sectigo Channel Partner Program will also bring partners new revenue streams, increased benefits per tier, partner Marketing Development Funds (MDF), and deal registration.
“Sectigo is providing our partners with the necessary resources to increase visibility and profitability, and ensure their future success,” said Heather Bell, Vice President of Enterprise Partners, Sectigo. “The initial input we have received about the new Channel Partner Program has been very positive – and we will continue to explore ways to make it mutually beneficial.”
The certificate authority saw significant revenue growth last year, driven in part by growth in its global partner revenue. According to the company, partner revenue increased by 27% year-over-year. By expanding the partner program, Sectigo plans to boost its growth in 2019.
“It’s evident that Sectigo is committed to making our partnership successful,” said James McGuire of The SSL Store, a Platinum Partner of Sectigo. “With the program tiers, it’s reassuring to know that as our business needs scale, so do the levels of support and benefits. Sectigo has also built in rewards, which are obtainable regardless of the level of partnership, partners will appreciate this flexibility as they grow their business.”
Leading cybersecurity providers Symantec and Fortinet are joining forces to provide strong security solutions across endpoint, network and cloud environments.
As part of the partnership, the companies will integrate their respective products to form comprehensive and robust security solutions. The products to be integrated include Symantec’s Web Security Service (WSS), Symantec Endpoint Security for the Cloud Generation, Fortinet’s Next-Generation Firewall (NGFW), and the Fortinet Security Fabric platform.
Symantec WSS is an easy-to-use, cloud-delivered network security service used to protect enterprises against advanced threats. It offers access control and secures critical business information. The solution also enables secure and compliant use of cloud applications.
Symantec Endpoint Security for the Cloud Generation
This solution aims to safeguard confidential data through secure access. Customers can detect and respond to threats, and visualize threat data alongside other security information.
Fortinet Next-Generation Firewall (NGFW)
It provides high-performance threat protection with automated visibility to stop attacks. The solution uses security processors and threat intelligence services from FortiGuard Labs to provide protection for encrypted traffic.
Fortinet Security Fabric
The Security Fabric spans a broad range of applications, from the internet of things (IoT) to the cloud. It provides real-time visibility across devices and applications, streamlines communication among the various security solutions, and shrinks the detection and remediation windows for attacks.
Fortinet NGFW + Symantec WSS
The companies said that the integration of Symantec WSS and Fortinet NGFW will result in the most comprehensive set of cloud-delivered threat prevention capabilities in a single service.
“As the first step in this technology partnership, we plan to deliver best-of-breed security through the combination of enterprise-class advanced firewall controls to Symantec’s industry-leading network security service,” said Art Gilliland, EVP and GM Enterprise Products, Symantec.
“Through this partnership, we hope to provide joint customers the power of Symantec’s Integrated Cyber Defense Platform bolstered by Fortinet’s leading NGFW in an integrated solution that’s easy to use and deploy.”
The integration will provide real-time, actionable threat intelligence and automated response for exploit-driven attacks and advanced malware.
“With today’s announcement, two industry leaders are coming together to provide enterprise-class capabilities across cloud, network, and endpoint security,” said John Maddison, SVP of products and solutions, Fortinet.
“Upon completion of the integration, Symantec cloud web gateway customers will be able to benefit from Fortinet’s enterprise-class advanced firewall controls, and for the first time ever, Fortinet customers will be able to purchase the industry-leading FortiGate Next-Generation Firewall via FWaaS. With the addition of Symantec as a Fortinet Fabric-Ready Partner, Symantec’s endpoint security solution will be validated to seamlessly integrate with the Fortinet Security Fabric platform to provide more consistent and effective protection for joint customers.”