Spam email with an attached Microsoft Word document that contains a malicious macro designed to download and execute Emotet malware (Source: Brad Duncan)

Emotet Malware Returns to Work After Holiday Break

Mathew J. Schwartz • January 18, 2019

Cybercrime outfits appeared to take a vacation around the December holidays. But attacks involving Emotet, Hancitor and Trickbot have resurged following their December slowdown, as has the Fallout exploit kit, lately serving GandCrab ransomware.

Cyberwarfare / Nation-state attacks

Staff Disciplined in Wake of SingHealth Breach

Latest

Breach Preparedness

Ransomware: A Pervasive, Evolving Threat

Nick Holland • January 18, 2019

Leading the latest edition of the ISMG Security Report is an in-depth look at why ransomware remains a pervasive threat and how it's evolving. Also featured: updates on venture capital investments in cybersecurity and a study of vulnerabilities in industrial remotes.

Cybercrime

Insider Trading: SEC Describes $4.1 Million Hacking Scheme

Mathew J. Schwartz • January 16, 2019

The U.S. Securities and Exchange Commission has charged seven individuals and two organizations with being part of an international scheme that hacked the SEC's EDGAR document system, stole nonpublic corporate information and used it to illegally earn $4.1 million via insider trading.

Cybersecurity

Your Garage Opener Is More Secure Than Industrial Remotes

Jeremy Kirk • January 16, 2019

Radio controllers used in the construction, mining and shipping industries are vulnerable to hackers, Trend Micro says in a new report. To address the issue, researchers say, manufacturers need to move away from proprietary communication protocols and embrace secure standards, such as Bluetooth Low Energy.

Cybercrime

Ransomware Claims to Fund Child Cancer Treatments

Mathew J. Schwartz • January 15, 2019

Ransomware attacks continue, with the city of Del Rio, Texas, saying its operations have been disrupted by crypto-locking malware. Meanwhile, CryptoMix ransomware urges victims to pay ransoms, claiming it will fund treatments for seriously ill children, while GandCrab gets distributed via malvertising attacks.

Governance

Hard-Coded Credentials Found in ID, Access Control Software

Jeremy Kirk • January 15, 2019

Researchers from Tenable Security claim they have found what is essentially a skeleton key for an ID and access control system that could open the doors for anyone, plus other less severe but nonetheless zero-day vulnerabilities.

Application Security

Why Software Bugs Are So Common

Suparna Goswami • January 15, 2019

The recent exposure of customer data on the website of Singapore Airlines as a result of a software bug is further evidence of the persistent challenge of adequately addressing security during the development stage.

Cybercrime

UK Sentences Man for Mirai DDoS Attacks Against Liberia

Jeremy Kirk • January 14, 2019

A U.K. court has sentenced Daniel Kaye, 30, after he admitted launching DDoS attacks against Liberia's largest telecommunications company in 2015 and 2016. A rival internet services provider paid Kaye $100,000 to launch the attacks.

Breach Preparedness

Government Shutdown: Experts Fear Deep Cybersecurity Impact

Jeremy Kirk • January 11, 2019

The U.S. government shutdown is impacting agencies integral to the nation's cybersecurity readiness, and experts fear its long-term impact on the country's cyberattack response capabilities, as well as the risk that it will drive away desperately needed new cybersecurity talent from entering public service.

General Data Protection Regulation (GDPR)

'Right to Be Forgotten' Should Be EU-Only, Adviser Says

Mathew J. Schwartz • January 11, 2019

Europe's "right to be forgotten" should not apply worldwide, but only inside the EU, according to a nonbinding opinion issued to the European Court of Justice by one of its advocate generals regarding a case that arose from a dispute between France's data privacy watchdog and Google.

Breach Response

Card-Not-Present Fraud Costs Mount

Nick Holland • January 11, 2019

A Juniper Research analysis of why card-not-present fraud will continue to grow leads this week's edition of the ISMG Security Report. Also featured: Updates on a Neiman Marcus breach lawsuit settlement and a German hacking incident.

Authentication

Why Are We So Stupid About Passwords? German Edition

Mathew J. Schwartz • January 11, 2019

German officials say the suspect behind the mega-leak of politicians' and celebrities' personal details exploited their weak passwords to access email, social media and cloud service accounts. What can the security industry do to help address the password problem?

Awareness & Training

Lessons From Report on Massive Singapore Healthcare Hack

Marianne Kolbasuk McGee • January 10, 2019

A variety of security weaknesses contributed to a massive 2017 health data security breach in Singapore, according to a new report. What can healthcare organizations around the world learn from the report's security recommendations?