The Jim Bakker Show

Vietnam’s neighbors, ASEAN, targeted by hackers: report

SINGAPORE (Reuters) – A hacking group previously linked to the Vietnamese government or working on its behalf has broken into the computers of neighboring countries as well as a grouping of Southeast Asian nations, according to cybersecurity company Volexity.

Steven Adair, founder and CEO, said the hacking group was still active, and had compromised the website of the Association of Southeast Asian Nations (ASEAN) over several high-profile summit meetings. ASEAN is holding another summit of regional leaders in the Philippines capital Manila this week.

In May, cybersecurity company FireEye reported that the group, which it calls APT32 and is also known as OceanLotus, was actively targeting foreign multinationals and dissidents in Vietnam. FireEye said at the time the group’s activity was “of interest to the nation of Vietnam.”

Adair told Reuters he had no basis to definitely say who was behind the group but said its capabilities rivalled those of most other advanced persistent threat (APT) groups, a term often used to refer to hacker groups that are believed to have state support.

“What we can say is that this is a very well resourced attacker that is able to conduct several simultaneous attack campaigns.”

Vietnamese officials did not immediately respond to requests for comment. But Hanoi has in the past denied accusations of cyber-attacks against organizations or individuals, and said it would prosecute any cases.

Adair said it was not clear how much information the group had stolen. “We do not really have anything on the scale of data theft, but we can tell you the scale and reach of the sites they have compromised is very far reaching,” he said.

Volexity said in a report that the group had compromised websites of ministries or government agencies in Laos, Cambodia and the Philippines so they would load malicious code onto the computers of targeted victims.

This code would then direct them to a Google page which asked for their permission to access their Google account. If the user agrees, the hackers then have access to their contacts and emails.

The ministries included Cambodia’s ministries of foreign affairs, the environment, the civil service and social affairs, as well as its national police. In the Philippines it had compromised the websites of the armed forces and the office of the president.

Three ASEAN websites, and the websites of dozens of Vietnamese non-government groups, individuals and media, were similarly targeted. The group also infected websites belonging to several Chinese oil companies.

Officials at ASEAN’s headquarters in Jakarta were not immediately available for comment.

Kirt Chanthearith, a spokesman for the Cambodian national police, said the police website was hacked about six months ago but he did not know who was responsible. “It was hacked and we lost some data”, he said, without giving further details.

Officials in Thailand said they were not aware of any hacking of government or police websites.

In Manila, Allan Cabanlong, executive director of the Cybercrime Investigation and Coordination Centre, said there was no damage to government web sites in the Philippines but authorities were taking preventive measures.

“We’ve taken measures like cyber hygiene programs,” he told Reuters. “We are conducting due diligence in the Philippines and we are clearing our network.”

(Reporting by Jeremy Wagstaff; Additional reporting by Chansy Chhorn in PHNOM PENH, Matthew Tostevin in HANOI, Patpicha Tanakasempipat and Suphanida Thakral in BANGKOK, Agustinus Beo Da Costa in JAKARTA and Neil Jerome Morales in MANILA; Editing by Raju Gopalakrishnan)

Global Banks fearing North Korea hacking, prepare defenses

Binary code is seen on a screen against a North Korean flag in this illustration photo November 1, 2017.

By Jim Finkle and Alastair Sharp

WASHINGTON/TORONTO (Reuters) – Global banks are preparing to defend themselves against North Korea potentially intensifying a years-long hacking spree by seeking to cripple financial networks as Pyongyang weighs the threat of U.S. military action over its nuclear program, cyber security experts said.

North Korean hackers have stolen hundreds of millions of dollars from banks during the past three years, including a heist in 2016 at Bangladesh Bank that yielded $81 million, according to Dmitri Alperovitch, chief technology officer at cyber security firm CrowdStrike.

Alperovitch told the Reuters Cyber Security Summit on Tuesday that banks were concerned Pyongyang’s hackers may become more destructive by using the same type of “wiper” viruses they deployed across South Korea and at Sony Corp’s <6758.T> Hollywood studio.

The North Korean government has repeatedly denied accusations by security researchers and the U.S. government that it has carried out cyber attacks.

North Korean hackers could leverage knowledge about financial networks gathered during cyber heists to disrupt bank operations, according to Alperovitch, who said his firm has conducted “war game” exercises for several banks.

“The difference between theft and destruction is often a few keystrokes,” Alperovitch said.

Security teams at major U.S. banks have shared information on the North Korean cyber threat in recent months, said a second cyber security expert familiar with those talks.

“We know they attacked South Korean banks,” said the source, who added that fears have grown that banks in the United States will be targeted next.

Tensions between Washington and Pyongyang have been building after a series of nuclear and missile tests by North Korea and bellicose verbal exchanges between U.S. President Donald Trump and North Korean leader Kim Jong Un.

John Carlin, a former U.S. assistant attorney general, told the Reuters summit that other firms, among them defense contractors, retailers and social media companies, were also concerned.

“They are thinking ‘Are we going to see an escalation in attacks from North Korea?'” said Carlin, chair of Morrison & Foerster international law firm’s global risk and crisis management team.

Jim Lewis, a cyber expert with Washington’s Center for Strategic and International Studies, said it is unlikely that North Korea would launch destructive attacks on American banks because of concerns about U.S. retaliation.

Representatives of the U.S. Federal Reserve and the Office of the Comptroller of the Currency, the top U.S. banking regulators, declined to comment. Both have ramped up cyber security oversight in recent years.

(Reporting by Jim Finkle in Washington and Alastair Sharp in Toronto; additional reporting by Dustin Volz in Washington; editing by Grant McCool)

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence Bad Rabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried about by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

U.S. warns public about attacks on energy, industrial firms

By Jim Finkle

(Reuters) – The U.S government issued a rare public warning about hacking campaigns targeting energy and industrial firms, the latest evidence that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed via email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Homeland Security and FBI representatives could not be reached for comment on Saturday morning.

Robert Lee, an expert in securing industrial networks, said the report describes activities from two or three groups that have stolen user credentials and spied on organizations in the United States and other nations, but not launched destructive attacks.

“This is very aggressive activity,” said Lee, chief executive of cyber-security firm Dragos.

He said the report appears to describe groups working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

Government agencies and energy firms previously declined to identify any of the victims in the attacks described in June’s confidential report.

(Reporting by Jim Finkle in Toronto; Editing by Nick Zieminski)

Merck cyber attack may cost insurers $275 million: Verisk’s PCS

NEW YORK (Reuters) – Insurers could pay $275 million to cover the insured portion of drugmaker Merck & Co’s loss from a cyber attack in June, according to a forecast by Verisk Analytics Inc’s Property Claim Services (PCS) unit.

Merck, however, has not disclosed the magnitude of its uninsured losses from the “NotPetya” attack, which disrupted production of some Merck medicines and vaccines.

The company was among dozens of firms worldwide hit in the June 27 attack, which began in Ukraine, then rapidly spread through corporate networks of multinationals with operations or suppliers in Eastern Europe.

“Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” Merck spokeswoman Claire Gillespie said in a statement.

She reiterated that Merck has insurance that would cover some costs, but declined to elaborate or say how much Merck expects to have to pay on its own.

The drugmaker said in July that it had suffered a worldwide disruption of its operations as a result of the malware. It was still in the process of restoring its manufacturing operations a month later.

Merck said then that it was confident it would be able to maintain a continuous supply of its top-selling and life-saving drugs, but warned of temporary delays in delivering some other products.

NotPetya is a destructive virus that spread quickly across computer networks, crippling computers by encrypting hard drives so that machines cannot run. The attacks caused massive disruptions to industrial networks that rely on computers because businesses must individually replace damaged drives, a labor-intensive process.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.

Policies typically cover expenses stemming from a data breach, such as forensics and data restoration, among other costs. Coverage also helps pay for business interruption expenses when a breach or malware attack shuts down a company’s website.

Some companies without cyber insurance have used their policies covering kidnap, ransom and extortion to recoup losses caused by ransomware viruses.

PCS provides estimates on a wide variety of insured losses, ranging from damages caused by hacks to hurricanes and wildfires.

(Reporting by Michael Erman in New York and Noor Zainab Hussain in Bengaluru, additional reporting by Suzanne Barlyn; editing by Jim Finkle and G Crosse)

Researchers uncover flaw that makes Wi-Fi vulnerable to hacks

FILE PHOTO: A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

(Reuters) – Cyber security watchdogs and researchers are issuing warnings over risks associated with a widely used system for securing Wi-Fi communications after the discovery of a flaw that could allow hackers to read information thought to be encrypted, or infect websites with malware.

An alert from the U.S. Department of Homeland Security Computer Emergency Response Team on Monday said the flaw could be used within range of Wi-Fi using the WPA2 protocol to hijack private communications. It recommended installing vendor updates on affected products, such as routers provided by Cisco Systems Inc <CSCO.O> or Juniper Networks Inc <JNPR.N>.

Belgian researchers Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven disclosed the bug in WPA2, which secures modern Wi-Fi systems used by vendors for wireless communications between mobile phones, laptops and other connected devices with Internet-connected routers or hot spots.

“If your device supports Wi-Fi, it is most likely affected,” they said on the www.krackattacks.com website, which they set up to provide technical information about the flaw and methods hackers might use to attack vulnerable devices.

It was not immediately clear how difficult it would be for hackers to exploit the bug, or if the vulnerability has previously been used to launch any attacks.

Finnish security firm F-Secure said experts have long been cautious about Wi-Fi’s ability to withstand security challenges of the 21st century.

“But the worst part of it is that it’s an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks,” it said on its website.

Microsoft Corp <MSFT.O> said it had released a security update for Windows. Customers who applied the update, or had automatic updates enabled, would already be protected, it said in a statement emailed to Reuters.

CERT New Zealand and CERT India asked users to apply security updates. CERT NZ suggested using ethernet cables and to connect directly into the network, when possible.

“Given the complexity of updating smart devices such as mobile phones, CERT NZ also strongly recommends disabling Wi-Fi when it isn’t required,” it said in its advisory. (http://bit.ly/2gfho2b)

The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue “could be resolved through a straightforward software update”.

The group said in a statement it had advised members to release patches quickly and recommended that consumers quickly install those security updates.

(Reporting by Jim Finkle in Toronto and Dustin Volz in Washington; Additional reporting by Aradhana Aravindan in Singapore; Editing by Susan Thomas, Dan Grebler and Jacqueline Wong)

Trump administration to order agencies to adopt new email security standards

Jeanette Manfra, Acting Deputy Undersecretary for Cybersecurity at the DHS, testifies about Russian interference in U.S. elections to the Senate Intelligence Committee in Washington, U.S., June 21, 2017.

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration on Monday will order federal agencies to adopt common email security standards in an effort to better protect against hackers, a senior Department of Homeland Security official said.

DHS Assistant Secretary for Cybersecurity Jeanette Manfra, speaking at an event in New York, said the agency would issue a binding directive to require implementation of two cyber security measures, known as DMARC and STARTTLS, intended to guard against email spoofing and phishing attacks.

The new requirements are “discrete steps that have scalable, broad impact” that will improve federal government cyber security, Manfra said.

DMARC, or domain-based message authentication, reporting and conformance, is a popular technical standard that helps detect and block email impersonation, such as when a hacker might try to pose as a government official or agency.

STARTTLS is a form of encryption technology that protects email traveling between servers, making it more difficult for a third-party to intercept.

(Reporting by Dustin Volz; Editing by Chizu Nomiyama and Bill Trott)

IRS puts Equifax contract on hold during security review

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

NEW YORK (Reuters) – The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Equifax, which disclosed last month that cyber criminals breached its systems between mid-May and late July and made off with sensitive data on 145.5 million people, said on Thursday it shut down one of its website pages after discovering that a third-party vendor was running malicious code on the page.

“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.

“We remain confident that we are the best party to perform the services required in this contract,” the spokesperson said. “We are engaging IRS officials to review the facts and clarify available options.”

The IRS is the first organization to say publicly that it is suspending a contract with Equifax since the credit reporting agency’s security problems came to light.

Atlanta-based Equifax said its systems were not compromised by the incident on Thursday, which involved bogus pop-up windows on the web page that could trick visitors into installing software that automatically displays advertising material.

Still, the IRS said it decided to temporarily suspended its short-term contract with Equifax for identity-proofing services.

“During this suspension, the IRS will continue its review of Equifax systems and security,” the agency said in a statement. There was no indication that any of the IRS data shared with Equifax under the contract had been compromised, it added.

The move means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. Users who already had Secure Access accounts will not be affected, the IRS said.

IRS granted the $7.25 million contract to Equifax on Sept. 29, weeks after Equifax disclosed the massive data hack that drew scathing criticism from several lawmakers.

“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags … we are pleased to see the IRS suspend its contract with Equifax,” Republican Representatives Greg Walden and Robert Latta said in a joint statement on Friday.

“Our focus now remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach,” they said.

Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue, are major sources of revenue for Equifax.

In 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.

(Reporting by John McCrank in New York; additional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

SWIFT says hackers still targeting bank messaging system

By Jim Finkle

TORONTO (Reuters) – Hackers continue to target the SWIFT bank messaging system, though security controls instituted after last year’s $81 million heist at Bangladesh’s central bank have helped thwart many of those attempts, a senior SWIFT official told Reuters.

“Attempts continue,” said Stephen Gilderdale, head of SWIFT’s Customer Security Programme, in a phone interview. “That is what we expected. We didn’t expect the adversaries to suddenly disappear.”

The disclosure underscores that banks remain at risk of cyber attacks targeting computers used to access SWIFT almost two years after the February 2016 theft from a Bangladesh Bank account at the Federal Reserve Bank of New York.

Gilderdale declined to say how many hacks had been attempted this year, what percentage were successful, how much money had been stolen or whether they were growing or slowing down.

On Monday, two people were arrested in Sri Lanka for suspected money laundering from a Taiwanese bank whose computer system was hacked to enable illicit transactions abroad. Police acted after the state-owned Bank of Ceylon reported a suspicious transfer.

SWIFT, a Belgium-based co-operative owned by its user banks, has declined comment on the case, saying it does not discuss individual entities.

Gilderdale said that some security measures instituted in the wake of the Bangladesh Bank heist had thwarted attempts.

As an example, he said that SWIFT had stopped some heists thanks to an update to its software that automatically sends alerts when hackers tamper with data on bank computers used to access the messaging network.

SWIFT shares technical information about cyber attacks and other details on how hackers target banks on a private portal open to its members.

Gilderdale was speaking ahead of the organization’s annual Sibos global user conference, which starts on Monday in Toronto.

At the conference, SWIFT will release details of a plan to start offering security data in “machine digestible” formats that banks can use to automate efforts to discover and remediate cyber attacks, he said.

SWIFT will also unveil plans to start sharing that data with outside security vendors so they can incorporate the information into their products, he said.

(Reporting by Jim Finkle, Editing by Rosalba O’Brien)

Equifax takes down web page after reports of new hack

By John McCrank

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help web pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of 145.5 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

Equifax disclosed on Sept. 7 that its systems had been breached between mid-May and late July. In the fallout, the company has parted ways with its chief executive, chief information officer and chief security officer.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

(Reporting by John McCrank; Editing by Bill Rigby)

Sign up for Jim Bakker Show