The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good

Let’s introduce this week’s good news with a pop quiz: What do four Russians, two Chinese nationals and three organizations based in China, North Korea and Russia all have in common? No, they’re not all part of some multinational cybercrime gang, although they have all been accused of being involved in various cybercrime activities. The thread that ties all these actors together is that they are the first names to appear on a list of EU sanctions aimed directly at hacking crews.

Two Chinese individuals, Gao Qiang and Zhang Shilong, along with a Chinese company, Huaying Haitai, have been sanctioned for their suspected role in hacking MSPs as part of Operation Cloud Hopper and for being members of APT10, an advanced persistent threat group that has repeatedly targeted pharmaceutical, aerospace and defense industries. Meanwhile, Russian nationals Alexey Valeryevich Minin, Aleksei Sergeyvich Morenets, Evgenii Mikhaylovich Serebriakov, and Oleg Mikhaylovich Sotnikov were included in the sanctions list for their participation in APT28 and an attempted intrusion of the OPCW (Organisation for the Prohibition of Chemical Weapons) in 2018.


The two remaining organizations added to the sanctions list are the GRU’s Main Center for Special Technologies (GTsST), thought responsible for releasing NotPetya ransomware on the world, and Chosun Expo, a North Korean business said to have financed the development and outbreak of WannaCry ransomware. Chosun Expo is also believed to be supporting the Lazarus group’s activities.

Those on the list will be subject to asset freezes and travel bans, and they will also be prevented from doing business with any individual or company within the EU. The great benefits of economic sanctions are that they neither require irrefutable proof in a court of law nor the physical apprehension of the suspects. The sanctions will restrict those named in their ability to operate within the EU and hit the bad guys where it hurts most: in their wallets.

The Bad

A joint alert from the UK’s National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States has warned that a strain of malware known as ‘QSnatch’ or ‘Derek’ is infecting tens of thousands of QNAP NAS devices worldwide. Almost half the known infections are in Western Europe, but a significant number, almost 8,000, are in the US and just under 4,000 are in the UK.

Location of QNAP NAS devices infected by QSnatch

Analysis shows that the malware has a number of functions, including a password logger, a credential scraper, a backdoor and data exfiltration. Persistence is achieved by blocking updates: the malware modifies the NAS’s hosts file so that the device can no longer reach the vendor’s update servers, and a clean firmware image is never installed. It is not yet known how devices become infected, but QSnatch is said to be injected into the device’s firmware during the initial infection stage.

Although the alert stresses that the attacker infrastructure does not currently appear to be active, the malware remains a threat to unpatched devices. Organizations are urged to ensure their devices are fully patched, and those still running a vulnerable version are advised to perform a full factory reset. The joint alert gives further mitigation details.
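The hosts-file trick is easy to check for on any device that exposes a shell. The following Python is an added example written for this page, not code from the NCSC/CISA alert or from QNAP: it parses a hosts file and flags any hostname other than the usual loopback names that has been pinned to a loopback or unspecified address, plus any hostname on an optional watchlist of update servers that has been overridden at all. The sample hosts content and the `*.vendor.example` names are constructed for illustration.

```python
"""Flag hosts-file entries that sinkhole update or vendor hostnames.

Added example for this page, not code from the NCSC/CISA alert or from QNAP.
SAMPLE_HOSTS and the *.vendor.example names are constructed for illustration."""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Hostnames that legitimately map to loopback / unspecified addresses.
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "broadcasthost",
}

# Constructed sample: three benign lines followed by two hijack lines of the
# kind described above, pinning update hosts so they can never be reached.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.5    fileserver.corp.example     # internal override, routable, fine
0.0.0.0     update.vendor.example       # sinkholed: update server unreachable
127.0.0.1   download.vendor.example     # pinned to loopback: same effect
"""


def parse_hosts(text: str) -> Iterable[Tuple[str, str]]:
    """Yield (address, hostname) pairs; comments and blank lines are skipped,
    and a line that names several hosts yields one pair per host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def is_sinkhole(addr: str) -> bool:
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: not this check's concern
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_hosts(text: str, watchlist: Optional[Set[str]] = None) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, reason) for every suspicious entry.

    Two checks: any non-loopback hostname pinned to a sinkhole address, and,
    if a watchlist of update/vendor hosts is supplied, any watchlisted host
    overridden at all, since an update server should never need a hosts entry."""
    findings = []
    for addr, name in parse_hosts(text):
        if is_sinkhole(addr) and name not in LOOPBACK_NAMES:
            findings.append((name, addr, "pinned to non-routable address"))
        elif watchlist and name in watchlist:
            findings.append((name, addr, "update host overridden"))
    return findings


def check_hosts_file(path: str = "/etc/hosts", watchlist: Optional[Set[str]] = None):
    """Run the check against a real hosts file on the device."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked_hosts(fh.read(), watchlist)


if __name__ == "__main__":
    for host, addr, reason in find_hijacked_hosts(SAMPLE_HOSTS, {"update.vendor.example"}):
        print(f"{reason}: {host} -> {addr}")
```

On a real appliance, point `check_hosts_file` at the device's hosts file and populate the watchlist with the vendor's actual update hostnames; an empty result is only meaningful if the file is also compared against a known-good copy, since malware that blocks updates can just as easily tamper with the checker.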

The Ugly

With genuine news stories repeatedly labelled “fake news” and fake news increasingly being redistributed on social media platforms as trustworthy, uncovering online disinformation is getting harder by the day, and disinformation campaigns appear to be getting uglier.

This week, it has been reported that one particular threat actor group has gone the proverbial extra mile by hacking the content management systems of news websites and posting their own fake stories. These have included fabricated content claiming a US armored car ran over and killed a Lithuanian child and that the first COVID-19 patient in Lithuania was a US soldier engaged in “events with child and youth participation.”

The smears have not been restricted to Lithuania. The same hackers have also targeted news sites in Poland, again with a focus on anti-US and anti-NATO sentiment, and the deep concern now is whether this tactic will spread to the US as we run up to the 2020 election. Although the researchers investigating the campaign, dubbed Ghostwriter, say they can’t concretely tie it to Russian-backed actors at the present time, they have warned that “it’s certainly in line with” Russian interests and they “wouldn’t be surprised” if that’s “where the evidence leads us.”

Clearly, fake news, deep fakes and online disinformation are threats we will all have to be extra vigilant against as the already-tumultuous year of 2020 plays out to a close.


Cisco acquires Modcam to make Meraki smart camera portfolio even smarter

As the Internet of Things proliferates, security cameras are getting smarter. Many of these devices now carry machine learning models that let the camera classify what it is looking at, for instance distinguishing an animal from a human intruder. Today, Cisco announced that it has acquired Swedish startup Modcam and is making it part of its Meraki smart camera portfolio, with the goal of incorporating Modcam’s computer vision technology into that lineup.

The companies did not reveal the purchase price, but Cisco tells us that the acquisition has closed.

In a blog post announcing the deal, Cisco Meraki’s Chris Stori says Modcam is going to up Meraki’s machine learning game, while giving it some key engineering talent, as well.

“In acquiring Modcam, Cisco is investing in a team of highly talented engineers who bring a wealth of expertise in machine learning, computer vision and cloud-managed cameras. Modcam has developed a solution that enables cameras to become even smarter,” he wrote.

What he means is that today, while Meraki has smart cameras that include motion detection and machine learning capabilities, this is limited to single camera operation. What Modcam brings is the added ability to gather information and apply machine learning across multiple cameras, greatly enhancing the camera’s capabilities.

“With Modcam’s technology, this micro-level information can be stitched together, enabling multiple cameras to provide a macro-level view of the real world,” Stori wrote. In practice, as an example, that could provide a more complete view of space availability for facilities management teams, an especially important scenario as businesses try to find safer ways to open during the pandemic. The other scenario Modcam was selling was giving a more complete picture of what was happening on the factory floor.

All of Modcam’s employees, which Cisco described only as “a small team,” have joined Cisco, and the Modcam technology will be folded into the Meraki product line and will no longer be offered as a standalone product, a Cisco spokesperson told TechCrunch.

Modcam was founded in 2013 and has raised $7.6 million, according to Crunchbase data. Cisco acquired Meraki back in 2012 for $1.2 billion.

Even as cloud infrastructure growth slows, revenue rises over $30B for quarter

The cloud market is coming into its own during the pandemic as the novel coronavirus forced many companies to accelerate plans to move to the cloud, even while the market was beginning to mature on its own.

This week, the big three cloud infrastructure vendors — Amazon, Microsoft and Google — all reported their earnings, and while the numbers showed that growth was beginning to slow down, revenue continued to increase at an impressive rate, surpassing $30 billion for a quarter for the first time, according to Synergy Research Group numbers.

Three Charged in July 15 Twitter Compromise

Three individuals have been charged for their alleged roles in the July 15 hack on Twitter, an incident that resulted in Twitter profiles for some of the world’s most recognizable celebrities, executives and public figures sending out tweets advertising a bitcoin scam.

Amazon CEO Jeff Bezos’s Twitter account on the afternoon of July 15.

Nima “Rolex” Fazeli, a 22-year-old from Orlando, Fla., was charged in a criminal complaint in Northern California with aiding and abetting intentional access to a protected computer.

Mason “Chaewon” Sheppard, a 19-year-old from Bognor Regis, U.K., also was charged in California with conspiracy to commit wire fraud, money laundering and unauthorized access to a computer.

A U.S. Justice Department statement on the matter does not name the third defendant charged in the case, saying juvenile proceedings in federal court are sealed to protect the identity of the youth. But an NBC News affiliate in Tampa reported today that authorities had arrested 17-year-old Graham Clark as the alleged mastermind of the hack.

17-year-old Graham Clark of Tampa, Fla. was among those charged in the July 15 Twitter hack. Image: Hillsborough County Sheriff’s Office.

Prosecutors said Clark was hit with 30 felony charges, including organized fraud, communications fraud, one count of fraudulent use of personal information involving over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information and one count of access to a computer or electronic device without authority. Clark’s arrest report has been made public as a PDF.

On Thursday, Twitter released more details about how the hack went down, saying the intruders “targeted a small number of employees through a phone spear phishing attack,” that “relies on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”

By targeting specific Twitter employees, the perpetrators were able to gain access to internal Twitter tools. From there, Twitter said, the attackers targeted 130 Twitter accounts, tweeting from 45 of them, accessing the direct messages of 36 accounts, and downloading the Twitter data of seven.

Among the accounts compromised were those of Democratic presidential candidate Joe Biden, Amazon CEO Jeff Bezos, former President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.

The hacked Twitter accounts were made to send tweets suggesting they were giving away bitcoin, and that anyone who sent bitcoin to a specified account would be sent back double the amount they gave. All told, the bitcoin accounts associated with the scam received more than 400 transfers totaling more than $100,000.

Sheppard’s alleged alias Chaewon was mentioned twice in stories here since the July 15 incident. On July 16, KrebsOnSecurity wrote that just before the Twitter hack took place, a member of the social media account hacking forum OGUsers advertised they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

The OGUsers forum user “Chaewon” taking requests to modify the email address tied to any twitter account.

On July 17, The New York Times ran a story that featured interviews with several people involved in the attack, who told The Times they weren’t responsible for the Twitter bitcoin scam and had only purchased accounts from the Twitter hacker — who they referred to only as “Kirk.”

One of the people interviewed by The Times used the alias “Ever So Anxious,” and said he was a 19-year-old from the U.K. In my follow-up story on July 22, it emerged that Ever So Anxious was in fact Chaewon.

The person who shared that information was the principal subject of my July 16 post, which followed clues from tweets sent from one of the accounts claimed during the Twitter compromise back to a 21-year-old from the U.K. who uses the nickname PlugWalkJoe.

That individual shared a series of screenshots showing he had been in communications with Chaewon/Ever So Anxious just prior to the Twitter hack, and had asked him to secure several desirable Twitter usernames from the Twitter hacker. He added that Chaewon/Ever So Anxious also was known as “Mason.”

The negotiations over highly-prized Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams. PlugWalkJoe is pictured here chatting with Ever So Anxious/Chaewon/Mason using his Discord username “Beyond Insane.”

On July 22, KrebsOnSecurity interviewed Sheppard/Mason/Chaewon, who confirmed that PlugWalkJoe had indeed asked him to ask Kirk to change the profile picture and display name for a specific Twitter account on July 15. He acknowledged that while he did act as a “middleman” between Kirk and others seeking to claim desirable Twitter usernames, he had nothing to do with the hijacking of the VIP Twitter accounts for the bitcoin scam that same day.

“Encountering Kirk was the worst mistake I’ve ever made due to the fact it has put me in issues I had nothing to do with,” he said. “If I knew Kirk was going to do what he did, or if even from the start if I knew he was a hacker posing as a rep I would not have wanted to be a middleman.”

Feature Spotlight – Enhanced USB & Bluetooth Device Control

Back in 2018, we added Device Control to our platform, giving admins and security teams the ability to manage the use of USB and other peripheral devices across the fleet. Today, we are excited to announce the latest updates to this feature, which now allows management of USB, Bluetooth and Bluetooth Low Energy devices at a fine level of granularity. The updated Device Control feature means IT and SOC teams can ensure business continuity for end users who need external devices while limiting the attack surface to the bare minimum.

What Are the Security Risks of USB and other Peripherals?

Peripherals connected via USB or Bluetooth are ubiquitous and still a necessary feature of business devices, from laptops to workstations and even IoT smart devices. The prevalence of peripherals connected to endpoints in the enterprise has not gone unnoticed by malicious actors. A recent report found that cyber threats to operational technology systems through USB removable media devices have almost doubled in the last 12 months, for example. Malware borne on removable media has been used for opening backdoors, establishing persistent remote access and delivering further malicious payloads, among other things.

Attackers have been finding creative ways to lure users into plugging unknown USB thumb drives into their corporate devices. In one incident, victims in the hospitality sector were sent an envelope containing a fake Best Buy gift card along with a USB drive carrying malware. USB drives are also a prime vector for the egress of confidential and business-critical data, and the recent shift to working from home (or anywhere except the office) only adds to the risk of employees connecting non-sanctioned peripherals to support the new work environment.

In designing this feature we took into account requirements like system stability, interoperability and cross-platform support (Windows and macOS).

Device Control: Simple Policy Management to Add, Block or Restrict Devices

To facilitate implementation, we’ve designed this feature to allow maximum granularity and flexibility when defining an enterprise Device Control policy.

You can set a Device Control policy for the entire enterprise, a specific Site or even a specific Group of devices. Policy is constructed by a set of Device Control rules.

Rule definition starts by selecting the interface type (USB or Bluetooth), then rule type and action. For instance, we can control USB devices based on the following attributes:

  • Vendor ID
  • Class
  • Serial ID
  • Product ID

Then the desired action:

  • Allow Read & Write
  • Allow Read Only
  • Block

This enables the administrator to set fine-grained policies. For example, it is possible to construct a rule that allows specific users to access certain types of USB devices, permits others to use USB removable media to read files only, and blocks all other users from using external USB devices completely.

Bluetooth Security – Plugging the Gaps

The Bluetooth protocol has been riddled with vulnerabilities. Most of these reside in older Bluetooth versions and security-conscious enterprises should refrain from allowing users to connect such devices to corporate endpoints (and, subsequently, networks).

For Bluetooth devices, SentinelOne Device Control makes it possible to allow or restrict the use of all Bluetooth devices, Bluetooth devices according to their type (e.g. keyboard, mouse, headset) or to allow the operation of devices based on the Bluetooth protocol version they support (to reduce the risk stemming from vulnerabilities in older Bluetooth versions).
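To make the rule model concrete for both the USB attribute rules above (Vendor ID, Class, Serial ID, Product ID with an Allow Read & Write / Allow Read Only / Block action) and the Bluetooth type and protocol-version rules, here is a small policy evaluator. It is an added illustration written for this page, not SentinelOne’s implementation; the rule fields, vendor and product IDs, serial numbers and Bluetooth versions are constructed, and the first-match-wins, default-deny evaluation is a design choice of the example rather than a description of the product.

```python
"""Toy endpoint device-control policy evaluator.

Added illustration of the rule model described above (interface, matching
attributes, action). Not SentinelOne's code; all IDs, serials and Bluetooth
versions below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

BLOCK, READ_ONLY, READ_WRITE, ALLOW = "block", "read_only", "read_write", "allow"


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    device_class: str   # e.g. "mass_storage", "hid", "audio"
    serial: str


@dataclass(frozen=True)
class BluetoothDevice:
    device_type: str    # e.g. "keyboard", "mouse", "headset"
    version: float      # Bluetooth Core spec version the device reports


@dataclass(frozen=True)
class Rule:
    interface: str                          # "usb" or "bluetooth"
    action: str
    vendor_id: Optional[int] = None         # None on any field means "any"
    product_id: Optional[int] = None
    device_class: Optional[str] = None
    serial: Optional[str] = None
    bt_type: Optional[str] = None
    min_bt_version: Optional[float] = None  # reject older, more vulnerable stacks

    def matches(self, dev: Union[UsbDevice, BluetoothDevice]) -> bool:
        if self.interface == "usb":
            if not isinstance(dev, UsbDevice):
                return False
            wanted = [(self.vendor_id, dev.vendor_id), (self.product_id, dev.product_id),
                      (self.device_class, dev.device_class), (self.serial, dev.serial)]
            return all(w is None or w == have for w, have in wanted)
        if not isinstance(dev, BluetoothDevice):
            return False
        if self.bt_type is not None and self.bt_type != dev.device_type:
            return False
        if self.min_bt_version is not None and dev.version < self.min_bt_version:
            return False
        return True


def evaluate(rules: List[Rule], dev: Union[UsbDevice, BluetoothDevice]) -> str:
    """First matching rule wins, so order rules from most to least specific.
    Anything no rule matches is blocked: default deny, not default allow."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action
    return BLOCK


# Constructed policy: one approved encrypted drive (matched down to its serial)
# gets read/write, any other mass-storage device is read-only, every other USB
# class is blocked by the default; Bluetooth input devices are allowed only if
# they report version 4.2 or newer.
POLICY = [
    Rule("usb", READ_WRITE, vendor_id=0x1234, product_id=0x5678, serial="CORP-ENC-0042"),
    Rule("usb", READ_ONLY, device_class="mass_storage"),
    Rule("bluetooth", ALLOW, bt_type="keyboard", min_bt_version=4.2),
    Rule("bluetooth", ALLOW, bt_type="mouse", min_bt_version=4.2),
]


def demo() -> Dict[str, str]:
    """Evaluate a handful of constructed devices against POLICY."""
    devices = {
        "corp_drive": UsbDevice(0x1234, 0x5678, "mass_storage", "CORP-ENC-0042"),
        "same_model_wrong_serial": UsbDevice(0x1234, 0x5678, "mass_storage", "UNKNOWN-7"),
        "hid_injector": UsbDevice(0xABCD, 0x0001, "hid", ""),   # keystroke-injecting "keyboard"
        "old_bt_keyboard": BluetoothDevice("keyboard", 2.1),
        "new_bt_mouse": BluetoothDevice("mouse", 5.0),
    }
    return {name: evaluate(POLICY, dev) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25s} -> {verdict}")
```

Two points the example is built to show: rule order matters (the serial-specific allow must precede the class-wide read-only rule or it never fires), and a rule that matches by class alone treats every device claiming that class alike, which is why the HID injector is caught only by the default deny and why pinning trusted devices by serial is worth the administrative effort.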

Flexibility and Control Over Every Device

SentinelOne Device Control allows administrators to easily define policies, but we also recognize that new devices can be introduced to the enterprise every day. We realize that administrators need the flexibility to respond “on the go” and approve new USB devices as they appear on (and are blocked by) the system.

To facilitate this, an administrator can see every case of a device that was blocked in the management console’s Activity Log, and directly from there, approve the blocked device if they choose.


Together with SentinelOne Firewall Control, Device Control supplies what some customers regarded as the missing pieces needed to fully replace legacy antivirus (AV) with the SentinelOne platform. Like other features of the platform, both are delivered by SentinelOne’s single agent across all supported operating systems and managed from the same console.


Buildots raises $16M to bring computer vision to construction management

Buildots, a Tel Aviv and London-based startup that is using computer vision to modernize the construction management industry, today announced that it has raised $16 million in total funding. This includes a $3 million seed round that was previously unreported and a $13 million Series A round, both led by TLV Partners. Other investors include Innogy Ventures, Tidhar Construction Group, Ziv Aviram (co-founder of Mobileye & OrCam), Magma Ventures head Zvika Limon, serial entrepreneurs Benny Schnaider and Avigdor Willenz, as well as Tidhar chairman Gil Geva.

The idea behind Buildots is pretty straightforward. The team is using hardhat-mounted 360-degree cameras to allow project managers at construction sites to get an overview of the state of a project and whether it remains on schedule. The company’s software creates a digital twin of the construction site, using the architectural plans and schedule as its basis, and then uses computer vision to compare what the plans say to the reality that its tools are seeing. With this, Buildots can immediately detect when there’s a power outlet missing in a room or whether there’s a sink that still needs to be installed in a kitchen, for example.

“Buildots have been able to solve a challenge that for many seemed unconquerable, delivering huge potential for changing the way we complete our projects,” said Tidhar’s Geva in a statement. “The combination of an ambitious vision, great team and strong execution abilities quickly led us from being a customer to joining as an investor to take part in their journey.”

The company was co-founded in 2018 by Roy Danon, Aviv Leibovici and Yakir Sundry. Like so many Israeli startups, the founders met during their time in the Israeli Defense Forces, where they graduated from the Talpiot unit.

“At some point, like many of our friends, we had the urge to do something together — to build a company, to start something from scratch,” said Danon, the company’s CEO. “For us, we like getting our hands dirty. We saw most of our friends going into the most standard industries like cloud and cyber and storage and things that obviously people like us feel more comfortable in, but for some reason we had like a bug that said, ‘we want to do something that is a bit harder, that has a bigger impact on the world.’ ”

So the team started looking into how it could bring technology to traditional industries like agriculture, finance and medicine, but then settled upon construction thanks to a chance meeting with a construction company. For the first six months, the team mostly did research in both Israel and London to understand where it could provide value.

Danon argues that the construction industry is essentially a manufacturing industry, but one with very outdated control and process management systems that still often rely on Excel to track progress.


Construction sites obviously pose their own problems. There’s often no Wi-Fi, for example, so contractors generally still have to upload their videos manually to Buildots’ servers. They are also three dimensional, so the team had to develop systems to understand on what floor a video was taken, for example, and for large indoor spaces, GPS won’t work either.

The team tells me that before the COVID-19 lockdowns, it was mostly focused on Israel and the U.K., but the pandemic actually accelerated its push into other geographies. It just started work on a large project in Poland and is scheduled to begin another in Japan next month.

Because the construction industry is very project-driven, sales often start with getting one project manager on board. That project manager also usually owns the budget for the project, so they can often also sign the check, Danon noted. And once that works out, then the general contractor often wants to talk to the company about a larger enterprise deal.

As for the funding, the company’s Series A round came together just before the lockdowns started. The company managed to bring together an interesting mix of investors from both the construction and technology industries.

Now, the plan is to scale the company, which currently has 35 employees, and figure out even more ways to use the data the service collects and make it useful for its users. “We have a long journey to turn all the data we have into supporting all the workflows on a construction site,” said Danon. “There are so many more things to do and so many more roles to support.”


New Relic is changing its pricing model to encourage broader monitoring

In the monitoring world, typically when you spin up a new instance, you pay a fee to monitor it. If you are particularly active in any given month, that can result in a hefty bill at the end of the month. That leads to limiting what you choose to monitor, to control costs. New Relic wants to change that, and today it announced it’s moving to a model where customers pay by the user instead, with a smaller, less costly data component.

The company is also simplifying its product set with the goal of encouraging customers to instrument everything instead of deciding what to monitor and what to leave out to control cost. “What we’re announcing is a completely reimagined platform. We’re simplifying our products from 11 to three, and we eliminate those barriers to standardizing on a single source of truth,” New Relic founder and CEO Lew Cirne told TechCrunch.

The way the company can afford to make this switch is by exposing the underlying telemetry database that it created to run its own products. By taking advantage of this database to track all of your APM, tracing and metric data all in one place, Cirne says they can control costs much better and pass those savings onto customers, whose bills should be much smaller based on this new pricing model, he said.

“Prior to this, there has not been any technology that’s good at gathering all of those data types into a single database, what we would call a telemetry database. And we actually created one ourselves and it’s the backbone of all of our products. [Up until now], we haven’t really exposed it to our customers, so that they can put all their data into it,” he said.


The company is distilling the product set into three main categories. The first is the Telemetry Data Platform, which offers a single way to gather any events, logs or traces, whether from their agents or someone else’s or even open-source monitoring tools like Prometheus.

The second product is called Full-Stack Observability. This bundles all of their previous products, which were sold separately, such as APM, mobile, infrastructure and logging. Finally, they are offering an intelligence layer called New Relic AI.

Cirne says by simplifying the product set and changing the way they bill, it will save customers money through the efficiencies they have uncovered. In practice, he says, pricing will consist of a combination of users and data, but he believes their approach will result in much lower bills and more cost certainty for customers.

“It’ll vary by customer, so this is just a rough estimate, but imagine that the typical New Relic bill under this model will be a 70% per user charge and 30% data charge, roughly, but so if that’s the case, and if you look at our competitors, 100% of the bill is data,” he said.

The new approach is available starting today. Companies can try it with a 100 GB single-user account.

Atlassian acquires asset management company Mindville

Atlassian today announced that it has acquired Mindville, a Jira-centric enterprise asset management firm based in Sweden. Mindville’s more than 1,700 customers include the likes of NASA, Spotify and Samsung.


With this acquisition, Atlassian is also entering a new market by adding asset management tools to its lineup of services. The company’s flagship product is Mindville Insight, which helps IT, HR, sales, legal and facilities teams track assets across a company. It is completely agnostic as to which assets you track, though given Atlassian’s user base, most companies will likely use it to track IT assets like servers and laptops. In addition to physical assets, you can also use the service to automatically import cloud-based servers from AWS, Azure and GCP, for example, and the team has built connectors to services like ServiceNow and Snow Software, too.


“Mindville Insight provides enterprises with full visibility into their assets and services, critical to delivering great customer and employee service experiences. These capabilities are a cornerstone of IT Service Management (ITSM), a market where Atlassian continues to see strong momentum and growth,” Atlassian’s head of tech teams Noah Wasmer writes in today’s announcement.

Co-founded by Tommy Nordahl and Mathias Edblom, Mindville never raised any institutional funding, according to Crunchbase. The two companies also didn’t disclose the acquisition price.

Like some of Atlassian’s other recent acquisitions, including Code Barrel, the company was already an Atlassian partner and successfully selling its service in the Atlassian Marketplace.

“This acquisition builds on Atlassian’s investment in [IT Service Management], including recent acquisitions like Opsgenie for incident management, Automation for Jira for code-free automation, and Halp for conversational ticketing,” Atlassian’s Wasmer writes.

The Mindville team says it will continue to support existing customers and that Atlassian will continue to build on Insight’s tools while it works to integrate them with Jira Service Desk. That integration, Atlassian argues, will give its users more visibility into their assets and allow them to deliver better customer and employee service experiences.


“We’ve watched the Insight product line be used heavily in many industries and for various disciplines, including some we never expected! One of the most popular areas is IT Service Management where Insight plays an important role connecting all relevant asset data to incidents, changes, problems, and requests,” write Mindville’s founders in today’s announcement. “Combining our solutions with the products from Atlassian enables tighter integration for more sophisticated service management, empowered by the underlying asset data.”

Is Your Chip Card Secure? Much Depends on Where You Bank

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.

A chip-based credit card. Image: Wikipedia.

Traditional payment cards encode cardholder account data in plain text on a magnetic stripe, which can be read and recorded by skimming devices or malicious software surreptitiously installed in payment terminals. That data can then be encoded onto anything else with a magnetic stripe and used to place fraudulent transactions.

Newer, chip-based cards employ a technology known as EMV. Rather than exposing a static secret that can be copied, the chip holds cryptographic keys that cannot be read out and uses them to compute a unique value, the transaction “cryptogram,” each time the card interacts with a chip-capable payment terminal. The cryptogram is bound to that one transaction, so a captured copy is useless for a later one.

Virtually all chip-based cards still have much of the same data that’s stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants — particularly those in the United States — still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card’s chip or a merchant’s EMV-enabled terminal has malfunctioned.

But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a field in the chip’s track-equivalent data known as the integrated circuit card verification value, or “iCVV” for short.

The iCVV is deliberately different from the card verification value (CVV) encoded on the physical magnetic stripe. The point is that data copied out of a chip transaction, if written onto a counterfeit magnetic stripe, carries the wrong verification value for a swipe and should fail the issuer’s check. Both the iCVV and the CVV are unrelated to the three-digit security code (often called CVV2) printed on the back of the card, which is used mainly for e-commerce transactions or for card verification over the phone.

The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward.

However, for EMV’s security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction.
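The issuer-side rule above is easy to state, but the consequence of skipping it is worth seeing end to end. The following Python is an added example written for this page, not code from any issuer, from Visa or from Cyber R&D Labs: it models an issuer’s card record holding both a stripe CVV and a chip iCVV, a strict authorizer that insists the presented value match the entry mode, a lax authorizer that accepts either value, and a counterfeit built from a chip capture (PAN plus iCVV) and swiped as a stripe. The PAN and verification values are constructed, and the authorization request is reduced to the two fields that matter for this check.

```python
"""Issuer-side iCVV/CVV consistency check, and what happens without it.

Added example for this page: a simulation of the back-end rule described
above, not any issuer's or network's code. PAN, CVV and iCVV are constructed."""
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class IssuerCardRecord:
    pan: str
    cvv: str    # verification value encoded on the magnetic stripe
    icvv: str   # verification value stored in the chip's track-equivalent data


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    entry_mode: str           # "chip" (dipped) or "swipe" (stripe read)
    verification_value: str   # whatever the terminal forwarded from the card


def authorize_strict(record: IssuerCardRecord, req: AuthRequest) -> str:
    """Correct issuer logic: a chip read must present the iCVV and a swipe must
    present the stripe CVV; any other combination is declined."""
    if req.pan != record.pan:
        return "DECLINE"
    expected = {"chip": record.icvv, "swipe": record.cvv}.get(req.entry_mode)
    if expected is None or not hmac.compare_digest(expected, req.verification_value):
        return "DECLINE"
    return "APPROVE"


def authorize_lax(record: IssuerCardRecord, req: AuthRequest) -> str:
    """Misconfigured issuer: accepts either value for either entry mode."""
    if req.pan != record.pan:
        return "DECLINE"
    for candidate in (record.cvv, record.icvv):
        if hmac.compare_digest(candidate, req.verification_value):
            return "APPROVE"
    return "DECLINE"


def clone_stripe_from_chip_capture(record: IssuerCardRecord) -> AuthRequest:
    """Model what POS malware or a shimmer harvests from a chip dip (PAN plus
    iCVV, never the stripe CVV) after it is written to a blank card and swiped."""
    return AuthRequest(pan=record.pan, entry_mode="swipe", verification_value=record.icvv)


def demo() -> Dict[str, str]:
    """Run the same counterfeit through a strict and a lax issuer."""
    card = IssuerCardRecord(pan="4000001234567899", cvv="417", icvv="962")  # constructed
    legit_chip = AuthRequest(card.pan, "chip", card.icvv)
    legit_swipe = AuthRequest(card.pan, "swipe", card.cvv)
    counterfeit = clone_stripe_from_chip_capture(card)
    return {
        "strict/chip": authorize_strict(card, legit_chip),
        "strict/swipe": authorize_strict(card, legit_swipe),
        "strict/counterfeit": authorize_strict(card, counterfeit),
        "lax/counterfeit": authorize_lax(card, counterfeit),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

Under the strict check the counterfeit is declined because a swipe must carry the stripe CVV, while under the lax check the same counterfeit is approved, which is the gap the Cyber R&D Labs tests and the Visa alert describe. Note that this covers only stripe replay; replaying captured chip data as a second chip transaction is separately defeated by the per-transaction cryptogram.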

The trouble is that not all financial institutions have properly set up their systems this way. Unsurprisingly, thieves have known about this weakness for years. In 2017, I wrote about the increasing prevalence of “shimmers,” high-tech card skimming devices made to intercept data from chip card transactions.

A close-up of a shimmer found on a Canadian ATM. Source: RCMP.

More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.

There are now strong indications the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards.

Earlier this month, Visa, the world’s largest payment card network, released a security alert regarding a recent merchant compromise in which known POS malware families were apparently modified to target EMV chip-enabled POS terminals.

“The implementation of secure acceptance technology, such as EMV® Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date,” Visa wrote. “Thus, provided iCVV is validated properly, the risk of counterfeit fraud was minimal. Additionally, many of the merchant locations employed point-to-point encryption (P2PE) which encrypted the PAN data and further reduced the risk to the payment accounts processed as EMV® Chip.”

Visa did not name the merchant in question, but something similar seems to have happened at Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States. Key Food initially disclosed a card breach in March 2020, but two weeks ago updated its advisory to clarify that EMV transaction data also was intercepted.

“The POS devices at the store locations involved were EMV enabled,” Key Food explained. “For EMV transactions at these locations, we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code).”

While Key Food’s statement may be technically accurate, it glosses over the reality that the stolen EMV data could still be used by fraudsters to create magnetic stripe versions of EMV cards presented at the compromised store registers in cases where the card-issuing bank hadn’t implemented EMV correctly.

Earlier today, fraud intelligence firm Gemini Advisory released a blog post with more information on recent merchant compromises — including Key Food — in which EMV transaction data was stolen and ended up for sale in underground shops that cater to card thieves.

“The payment cards stolen during this breach were offered for sale in the dark web,” Gemini explained. “Shortly after discovering this breach, several financial institutions confirmed that the cards compromised in this breach were all processed as EMV and did not rely on the magstripe as a fallback.”

Gemini says it has verified that another recent breach — at a liquor store in Georgia — also resulted in compromised EMV transaction data showing up for sale at dark web stores that sell stolen card data. As both Gemini and Visa have noted, in both cases proper iCVV verification from banks should render this intercepted EMV data useless to crooks.

Gemini determined that due to the sheer number of stores affected, it’s extremely unlikely the thieves involved in these breaches intercepted the EMV data using physically installed EMV card shimmers.

“Given the extreme impracticality of this tactic, they likely used a different technique to remotely breach POS systems to collect enough EMV data to perform EMV-Bypass Cloning,” the company wrote.

Stas Alforov, Gemini’s director of research and development, said financial institutions that aren’t performing these checks risk losing the ability to notice when those cards are used for fraud.

That’s because many banks that have issued chip-based cards may assume that as long as those cards are used for chip transactions, there is virtually no risk that the cards will be cloned and sold in the underground. Hence, when these institutions are looking for patterns in fraudulent transactions to determine which merchants might be compromised by POS malware, they may completely discount any chip-based payments and focus only on those merchants at which a customer has swiped their card.
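The pattern search described above is a common-point-of-purchase analysis: find the merchant that the victims of newly reported counterfeit fraud all visited shortly before. The added example below (written for this page; not code from the article, from Gemini Advisory or from any bank) runs that analysis over a constructed set of authorization records, once restricted to swiped transactions and once over all entry modes, to show how discounting chip transactions hides the compromised merchant.

```python
"""Common-point-of-purchase (CPP) analysis over constructed authorization records.

Added example for this page; not code from the article, Gemini Advisory or any
issuer. The purchase history, merchant names and fraud list are constructed.
"""
from collections import defaultdict

# Constructed authorization history: (card, merchant, entry_mode), covering the
# window before the first counterfeit-fraud report. A real run reads issuer logs.
HISTORY = [
    ("card-01", "GROCERY-NE-17", "chip"),  ("card-01", "FUEL-22", "swipe"),
    ("card-02", "GROCERY-NE-17", "chip"),  ("card-02", "COFFEE-3", "chip"),
    ("card-03", "GROCERY-NE-17", "chip"),  ("card-03", "FUEL-22", "swipe"),
    ("card-04", "GROCERY-NE-17", "chip"),  ("card-04", "PHARMACY-9", "chip"),
    ("card-05", "GROCERY-NE-17", "chip"),  ("card-05", "FUEL-22", "swipe"),
    ("card-06", "COFFEE-3", "chip"),       ("card-06", "FUEL-22", "swipe"),
    ("card-07", "PHARMACY-9", "swipe"),    ("card-07", "COFFEE-3", "chip"),
]
# Cards the issuer later flagged for counterfeit (cloned-stripe) fraud; constructed.
FRAUD_CARDS = {"card-01", "card-02", "card-03", "card-04", "card-05"}


def common_points_of_purchase(history, fraud_cards, entry_modes, min_share=0.5):
    """Rank merchants by the share of fraud cards seen there via the given entry modes.

    Returns (merchant, share_of_fraud_cards, fraud_cards_seen, all_cards_seen) tuples,
    highest share first, keeping only merchants at or above min_share.
    """
    fraud_seen = defaultdict(set)
    all_seen = defaultdict(set)
    for card, merchant, mode in history:
        if mode not in entry_modes:
            continue  # a swipe-only analysis throws the chip records away here
        all_seen[merchant].add(card)
        if card in fraud_cards:
            fraud_seen[merchant].add(card)
    ranked = []
    for merchant, cards in fraud_seen.items():
        share = len(cards) / len(fraud_cards)
        if share >= min_share:
            ranked.append((merchant, share, len(cards), len(all_seen[merchant])))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


def swipe_only_suspects():
    """The analysis a bank runs if it assumes chip transactions cannot feed cloning."""
    return common_points_of_purchase(HISTORY, FRAUD_CARDS, {"swipe"})


def all_modes_suspects():
    """The same analysis with chip transactions kept in scope."""
    return common_points_of_purchase(HISTORY, FRAUD_CARDS, {"chip", "swipe"})


if __name__ == "__main__":
    print("swipe only :", swipe_only_suspects())
    print("all modes  :", all_modes_suspects())
```

With swiped records only, the analysis implicates the fuel station (three of five fraud cards swiped there, but so did a card that was never defrauded) and never sees the grocery store. With chip records kept, the grocery store stands out: every fraud card was dipped there and every card seen there was later defrauded.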

“The card networks are catching on to the fact that there’s a lot more EMV-based breaches happening right now,” Alforov said. “The larger card issuers like Chase or Bank of America are indeed checking [for a mismatch between the iCVV and CVV], and will kick back transactions that don’t match. But that is clearly not the case with some smaller institutions.”

For better or worse, we don’t know which financial institutions have failed to properly implement the EMV standard. That’s why it always pays to keep a close eye on your monthly statements, and report any unauthorized transactions immediately. If your institution lets you receive transaction alerts via text message, this can be a near real-time way to keep an eye out for such activity.

Cybercrime and Cybersecurity in a Post-Covid World

The first half of 2020 has come and gone. I’m certain that no one who made any predictions regarding cybersecurity trends would have guessed correctly that a new virus would send the world into a whirlwind, closing entire countries, stopping all air travel and forcing the largest companies to send all their employees to work from home.

Given this predicament, it would be challenging to predict how the second half of the year will unfold. Still, we’ve learnt a great deal in the last six months, so let’s see whether we can come up with some credible estimates.

Home Alone or in the Company of Cybercriminals?

Let’s start with the users (or victims). Covid-19 sent millions of people home: some permanently (having been laid off) and some to continue working outside the office. This overnight transformation seems to be quasi-permanent; some of the world’s largest companies (Twitter, Facebook, Shopify, Zillow) have already declared that this will remain a viable work option for any employee who prefers it.

Even in more traditional markets, change is happening. One of Japan’s largest employers, Fujitsu Ltd., will cut its office space by 50% over the next three years, encouraging 80,000 office workers to work primarily from home. Today, 42% of U.S. workers are working from home (WFH), and some surveys suggest that even after the pandemic subsides and offices reopen, organizations will allow some (or all) of their employees to continue working remotely.

With millions of people working from home, there is an enormous attack surface ripe for the taking by malicious actors. It is no trivial task to provide the same level of security for all these employees, who now operate outside the (relatively) safe perimeter of their offices and local intranet. Furthermore, over time and with numerous IT “temptations” (like letting your kids use your work laptop for browsing), employees’ awareness can erode, leaving them more vulnerable to cybercrime.

Prediction– WFH will continue to be a major security headache for organizations unless they invest in enhancing and maintaining the security levels of employees regardless of location.

Post-Covid Opportunities for Cybercrime

Cybercrime has boomed during the Covid-19 pandemic. The FBI Internet Crime Complaint Center (IC3) reported a 300% increase in cybercrime complaints.

Traffic to hacking-related sites and searches for hacking-related information and tutorials skyrocketed between March and May, indicating that many “n00bs” (newbie hackers) are looking into studying a new profession. Many cybercriminal activities of the past months were related to the virus; the Telco Security Alliance reported a 2000% increase in COVID-19 cyber threats in the month of March alone.

While the overall volume of cybercriminal activity is rising, some segments are doing better than others. For instance, demand for stolen credit cards has dropped during the pandemic, while “old-school” scams (advertising of fake or inappropriate drugs and medical equipment, dubious investment opportunities and more) are on the rise. As for the corporate world, cybercriminals seem to have become more brazen, employing much more aggressive techniques and showing a preference for quick monetization over long-term profit.

Prediction– Cybercrime will continue to rise. Attackers will increasingly target enterprises and organizations with aggressive malware and custom ransomware designed both to steal and cripple. Tactics like extortion to prevent the publishing of stolen information or the auctioning off of stolen information will become more widespread as means for criminals to effect a quick win.

Cyber Policing – Are The Good Guys Increasing?

Authorities are aware of this situation and are working to mitigate these threats, starting with increased cooperation between nations, such as the World Economic Forum’s Partnership Against Cybercrime. This initiative launched in April 2020 with the mission to explore ways to amplify public-private collaboration and fight global cybercrime. Cooperation between national law enforcement agencies is also expected to increase, with some great results already in: witness the takedown of EncroChat, an encrypted phone network widely used by criminals, by French and Dutch law enforcement and judicial authorities, Europol and Eurojust.

Meanwhile, law enforcement agencies are making advances in their efforts to facilitate the reporting of cybercrime. For instance, the UK National Cyber Security Centre launched a dedicated email address for reporting online scams, and it received an astonishing 1 million complaints in under 2 months.

In similar fashion, the state of Michigan inaugurated a dedicated phone line offering free round-the-clock support and advice regarding cybercrime. The UK is also resorting to more active means, such as launching a paid online ad campaign that targets young people searching for cybercrime services and offers them legitimate alternatives instead.

Prediction– Cyber policing by international and national agencies will experience improved collaboration and efficiency, bringing more cybercriminals to justice.

Hacktivism – Playing a Dangerous Game

Although not financially motivated, these offensive cyber activists have been more prominent of late. Recent social unrest in the US has unleashed a flurry of hacktivist activity, including DDoS attacks against municipalities and police stations. This year, we’ve seen data leaks of millions of police and FBI records and aggressive social media attacks against the US administration, President Trump and even the popular social media app TikTok.

While these activities do not directly endanger corporations and individuals at large, they can be directed against individuals or organizations perceived to oppose the principles of the hacker collective.

Prediction– Hacktivist actions are closely related to contemporary events and social unrest. What happens next depends very much on the situation in the US and the run-up to the US 2020 elections. A nation at war with itself will undoubtedly lead to a rise in hacktivist activities.


The past six months have been truly unique. While it is too soon to estimate the long-lasting effect of Covid-19 on our way of living, it is very likely that this period has caused the biggest change to the work landscape since the invention of the modern office and, as such, has greatly increased organizations’ and individuals’ vulnerability to nefarious cyber activities.

It’s not all bad news, though; law enforcement agencies are waking up to the scale of the problem and increasing cooperation, and organizations need to understand that the situation is not outside of their control. Manage your risk, deploy a capable behavioral AI solution that prevents, detects and undoes the damage from known and unknown threats, and force cybercriminals to look elsewhere for the easy pickings. If you would like to see how SentinelOne can help protect your business, whether your workforce is at home or in the office, contact us today or request a free demo.
