Black Arrow Cyber Threat Briefing 13 November 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Five Emerging Cyber-Threats to Watch Out for in 2021
What was the driving force behind your company’s digital strategy in 2020? Was it your CEO? Probably not. Your CTO or CISO? Perhaps.
For most organisations, it was COVID-19. In 2019, one company after another said: “work-from-home isn’t an option for us” or “we aren’t interested in shifting operations to the cloud.”
Then everything changed. The pandemic drove a massive shift towards remote work. For many companies, this wasn’t even an option — it was a case of ‘do or die.’
By April 2020, almost half of the American workforce was working from home. As organisations and employees become more comfortable with this, we shouldn’t expect a full return to the traditional in-office model anytime soon, if ever. Work-from-anywhere is the new way of doing business, with employees accessing cloud services, collaborative tools and remote systems from home and public networks – and not always through the safety of a VPN.
https://www.infosecurity-magazine.com/blogs/five-cyber-threats-2021/
Guernsey law firm fined £10,000 for data security breach
Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found.
It said a lack of security had given "unconnected" third parties access to the data.
The breach of data by Trinity was the result of "repeated human error", an investigation found.
https://www.bbc.co.uk/news/world-europe-guernsey-54854333
Every employee has a cyber security blind spot
80% of companies say that an increased cyber security risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.
This is a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:
· Cyber crime has increased by 63% since the COVID-19 lockdown was introduced
· Human error has been the biggest cyber security challenge during the COVID-19 pandemic, according to CISOs
· Just a quarter of businesses consider their remote working strategy effective
· 47% of people are concerned about their ability to manage stress during the coronavirus crisis
https://www.helpnetsecurity.com/2020/11/09/cybersecurity-blind-spot/
Zoom settles FTC charges for misleading users about security features
Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that its misled users about some of its security features.
During the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.
However, in a complaint filed earlier this year, the investigators found that Zoom's claims were deceptive.
Despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the classic meaning of the word.
https://www.zdnet.com/article/zoom-settles-ftc-charges-for-misleading-users-about-security-features/
Threats
Ransomware
How Ryuk Ransomware operators made $34 million from one victim
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.
Ransomware hits e-commerce platform X-Cart
E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform.
The incident is believed to have taken place after attackers exploited a vulnerability in a third-party software to gain access to X-Cart's store hosting systems.
https://www.zdnet.com/article/ransomware-hits-e-commerce-platform-x-cart
Linux version of RansomEXX ransomware discovered
A Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.
RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.
https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/
Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital
Compal, the world’s second-largest white-label laptop manufacturer, has been hit by the file-scrambling DoppelPaymer ransomware gang – and the hackers want $17m in cryptocurrency before they'll hand over the decryption key.
The Taiwanese factory giant, which builds systems for Apple, Lenovo, Dell, and HP, finally admitted malware infected its computers and encrypted its documents after first insisting it had suffered no more than an IT "abnormality" and that its staff had beaten off a cyber-attack.
https://www.theregister.com/2020/11/09/compal_ransomware_report/
Capcom hit by ransomware attack, is reportedly being extorted for $11 million
Earlier this week it emerged that third-party giant Capcom's internal systems had been hacked, though the company claimed that no customer data was affected.
It has now emerged that the publisher was targeted by the Ragnar Locker ransomware, software designed to exfiltrate information from internal networks before encrypting the lot: at which point the victim is locked-out, contacted, and extorted.
Business Email Compromise (BEC)
Jersey business targeted in £130,000 invoice scam
A Jersey building company has been targeted by a sophisticated impersonation scam, which saw fraudsters intercept more than £130,000 in invoice payments.
The owners, who wish to remain anonymous, said they were "left reeling" after realising their email correspondence with a customer had been hacked, and payments diverted to a scam bank account.
After taking swift action, they were able to recover all their money, but they now want to make sure other islanders do not fall victim. They are encouraging businesses in particular to be "extra vigilant".
https://www.itv.com/news/channel/2020-11-13/jersey-business-targeted-in-130000-invoice-scam
Phishing
Smishing attack tells you “mobile payment problem” – don’t fall for it!
As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.
Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.
But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.
That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.
Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.
Malware
Play Store identified as main distribution vector for most Android malware
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.
Using telemetry data, researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.
This new malware wants to add your Linux servers and IoT devices to its botnet
A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.
The malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.
New 'Ghimob' malware can spy on 153 Android mobile applications
Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.
Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published.
Distribution was never carried out via the official Play Store.
Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.
https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/
Microsoft Teams Users Under Attack in ‘Fake Updates’ Malware Campaign
Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.
The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.
Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.
https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/
DDoS
DDoS attacks are cheaper and easier to carry out than ever before
DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.
Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.
The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.
https://www.zdnet.com/article/ddos-attacks-are-cheaper-and-easier-to-carry-out-than-ever-before/
IoT
IoT security is a mess. These guidelines could help fix that
The supply chain around the Internet of Things (IoT) has become the weak link in cyber security, potentially leaving organisations open to cyber attacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.
The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.
https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/
Vulnerabilities
Windows 10 update created a major password problem
A temporary fix for a frustrating Windows 10 bug that prevents software from storing account credentials, meaning the user must re-enter their username and password each time they log-in.
The flaw is also said to delete cookies held in web browsers, preventing websites from memorising credentials and serving bespoke content to the user.
First reported in April, the issue is present in specific builds of Windows 10 version 2004 and affects applications such as Outlook, Chrome, Edge, OneDrive and more.
https://www.techradar.com/news/windows-10-update-made-a-right-mess-of-this-basic-password-feature
Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs
A massive Intel security update this month addresses flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cyber criminals in order to gain escalated privileges.
These critical flaws exist in products related to Wireless Bluetooth – including various Intel Wi-Fi modules and wireless network adapters – as well as in its remote out-of-band management tool, Active Management Technology (AMT).
Overall, Intel released 40 security advisories on Tuesday, each addressing critical-, high- and medium-severity vulnerabilities across various products. That by far trumps October’s Intel security update, which resolved one high-severity flaw.
https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/
Hackers are exploiting unpatched VoIP flaws to compromise business accounts
A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.
While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a steppingstone towards much more intrusive campaigns.
One hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign
Google patches two more Chrome zero-days
Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.
https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/
Data Breaches
Ticketmaster fined £1.25m over payment data breach
Ticketmaster UK has been fined £1.25m for failing to keep its customers' personal data secure.
The fine was issued by the Information Commissioner's Office (ICO) following a cyber-attack on the Ticketmaster website in 2018.
The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe.
https://www.bbc.co.uk/news/technology-54931873
Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak
A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud and vacation-stealing.
A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.
Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.
https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/
DWP exposed 6,000 people’s data online for two years
The Department for Work and Pensions (DWP) has removed the personal details of thousands of people after they were exposed online for two years.
The files, published in March and June 2018, listed routine payments to the outsourcing giant Capita and included the National Insurance (NI) numbers of approximately 6,000 people, according to the Mirror. These individuals were believed to be applying for the disability benefit, PIP. No other personal data was exposed in the incident.
https://www.itpro.co.uk/security/data-breaches/357724/dwp-data-breach-exposed-6000-ni-numbers
Data breach at Mashable leaks users’ personal information online
Technology and culture news website Mashable have announced that the personal data of users has been discovered in a leaked database posted on the internet.
In a statement issued this week, Mashable confirmed that a database containing information from readers who made use of the platform’s social media sign-in feature had been found online.
The media company said that “a hacker known for targeting websites and apps” was responsible for the breach. The suspect has not been named.
Leaked data is said to include the full names, locations, email addresses, genders, IP addresses, and links to social media profiles of users.
Other News
Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chief
https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/
Microsoft says three APTs have targeted seven COVID-19 vaccine makers
https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/
New stealthy hacker-for-hire group mimics state-backed attackers
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.