
FBI Raids Chinese Point-of-Sale Giant PAX Technology – Krebs on Security


U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

FBI agents entering PAX Technology offices in Jacksonville today. Source: WOKV.com.

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the…


New “Plague” DDoS Attack Hits Internet Giant Yandex


BACKGROUND:

Researchers at Yandex & Qrator Labs have been tracking what they are calling the “Mēris” botnet (meaning Plague in Latvian) and it may be the largest DDoS attack ever. The ongoing attack was also confirmed by the US company Cloudflare, and was said to have peaked at the rate of 21.8 million requests per second. While the Russian Internet giant Yandex has been the headline for an ongoing record DDoS attack, Qrator says other countries have seen similar attacks from this same source these past few weeks.

Although the initial botnet army was thought to be in the 30,000 to 50,000 device range, researchers now estimate that more than 200,000 devices are involved in a rotating attack matrix, in which not all of the devices attack at one time. Though some have likened it to the old Mirai botnet, Qrator thinks otherwise: Mirai was a grouping of many differing devices, whereas this latest attack appears to come entirely from devices of just one manufacturer, Mikrotik. Excerpts:

We do not know precisely what particular vulnerabilities led to the situation where Mikrotik devices are being compromised on such a large scale.

It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility.

In the last couple of weeks, we have seen devastating attacks towards New Zealand, United States and Russia, which we all attribute to this botnet species. Now it can overwhelm almost any infrastructure, including some highly robust networks. All this is due to the enormous RPS power that it brings along.


So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into • The Register


Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.

Details of holes cannot be publicized until the bugs are fixed. Malicious exploit code cannot be released. There are restrictions on disclosing details of flaws to foreign organizations. And vendors will be under pressure to address these vulnerabilities as soon as they can and set up bounty programs to reward researchers.

The regulations are intended to tighten up the nation’s cyber-security defenses, crack down on the handling and dissemination of bugs, and keep China’s elite up to speed on exploitable flaws present in Chinese-made communications systems, wherever in the world that technology may be deployed.

It appears these rules ensure Beijing will be among the first to know of security weaknesses in equipment and software potentially present in foreign infrastructure and networks as well as domestic deployments. The rules were issued on Tuesday, come into effect on September 1, and apply to people and organizations operating within China. The following articles stuck out to us:

Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers. These sorts of regulations matter a lot: infosec experts in the Middle Kingdom earlier pulled out of exploit contests like Pwn2Own due to changes to the law within China.

“Chinese teams stopped participating in Pwn2Own after 2017 when there were regulatory changes that no longer allowed for participation in global exploit contests,” Brian Gorenc, head of ZDI and Pwn2Own at Trend Micro, told The Register on Wednesday.

It will also complicate matters for those hoping to engage with foreign bug bounty programs, which may or may not follow…


Cyber insurance giant CNA hit by ransomware attack • Graham Cluley


Insurance firm CNA Hardy says that it has suffered a “sophisticated cybersecurity attack” that has impacted its operations, including its email system.

According to a statement posted on the firm’s website, CNA determined it had fallen foul of hackers on March 21:

“Out of an abundance of caution, we have disconnected our systems from our network, which continue to function. We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability.”

“The security of our data and that of our insureds’ and other stakeholders is of the utmost importance to us. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly.”

CNA doesn’t go into details regarding the nature of the attack, but according to a report on Bleeping Computer, the insurer was hit by a new type of ransomware known as Phoenix CryptoLocker, possibly linked to Evil Corp.


The ransomware reportedly encrypted data on over 15,000 devices on CNA’s corporate network, as well as the computers of remote-working employees who were logged into the firm’s VPN when the attack occurred.

Of course, one of the types of insurance that CNA sells is err… cyber insurance:

“We understand that no matter what industry your clients operate within, cybercrime poses one of their greatest risks. In fact, cybercrime is the world’s fastest growing criminal activity, estimated to cost businesses more than €340bn a year. Whilst money is the primary motivator for cyber criminals, other factors such as ideology, sympathy, anger and espionage are also significant drivers of cybercrime.”

“Through our NetProtect® product line we provide first- and third-party cyber coverage to address a broad range of exposures including security breaches, mistakes and unauthorised employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content.”

Just last week I described how ransomware gangs were…
