Cyber Weekly Flash Briefing 14 August 2020: Travelex goes bust following ransomware, Microsoft fix 120 vulns inc two zero-days, more ransomware victims paying up, Cloud misconfigurations create risks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Travelex Forced into Administration After Ransomware Attack
Ransomware victim Travelex has been forced into administration, with the loss of over 1000 jobs.
PwC announced late last week that it had been appointed joint administrators of the currency exchange business.
The Sodinokibi (REvil) ransomware variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.
Why this matters:
Firms of any size can fall victim to ransomware, and many firms will not survive a significant cyber event such as this. Unconfirmed reports at the time suggested that a critical unpatched vulnerability in a VPN (Virtual Private Network) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored. This again shows the importance of ensuring all security updates are applied quickly. Had this software had the security updates applied, those vulnerabilities could not have been used in this attack.
Read more: https://www.infosecurity-magazine.com/news/travelex-forced-administration/
Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Microsoft’s August 2020 Patch Tuesday security updates fell this week and this month the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.
Among these 120 vulnerabilities, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide a fix.
Why this matters:
All security updates should be applied as soon as possible to prevent vulnerabilities from being exploited in attacks. When vulnerabilities are announced criminals will waste no time in weaponizing them (creating exploits to use in attacks) so the quicker the vulnerabilities are closed the safer you will be.
More ransomware victims are paying up, even when data recovery is possible
The proportion of ransomware attack victims actually paying ransoms increased in the last quarter, even in instances where ransomed data could be recovered, new figures have revealed.
According to a commercial ransomware recovery service, data exfiltration attacks are becoming more common and blending with traditional ransomware hacks. Data exfiltration extortion involves an attacker taking possession of stolen data and putting it up for sale on forums or marketplaces. Once monetised, the hacker asks the victim to pay a ransom to prevent the information’s release.
The recovery firm added that tools currently on the market vary wildly when it comes to data recovery success following a ransomware attack. What’s more, the company has noted an uptick in the number of companies experiencing operating system and registry corruption even after ransomed data is restored.
Why this matters:
It used to be that backups were the best defence against ransomware attacks, but if your data is stolen a backup won’t help you avoid having to pay out to keep your sensitive or confidential data out of the public domain.
Intel, SAP, and Citrix release critical security updates
Intel released 18 advisories, including fixes for Denial of Service, Information Disclosure and Elevation of Privilege flaws affecting various products on Windows, Chrome OS and Linux OS.
SAP released 15 security notes and an update to a previously released one to address flaws in a variety of offerings, including SAP ERP, SAP Business Objects Business Intelligence Platform, SAP S/4 HANA and various SAP NetWeaver components.
Citrix has released patches for a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (aka XenMobile Server).
Why this matters:
Security updates should always be applied as soon as possible. Whether or not announced vulnerabilities are already being exploited, once they become known they likely will be, and patching them (applying the fixes made available) prevents them from being exploited.
Read more: https://www.helpnetsecurity.com/2020/08/12/intel-sap-citrix-security-updates-august-2020/
IT Pros Name Misconfiguration #1 Cloud Security Threat
Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals.
A security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.
Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.
The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).
These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.
This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organisations are using two or more public cloud providers — adding to the complexity.
Why this matters:
Organisations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes.
Read more: https://www.infosecurity-magazine.com/news/misconfiguration-error-cloud/
RedCurl cybercrime group has hacked companies for three years
Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focused for the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.
Named RedCurl, the activities of this new group have been detailed in a 57-page report released this week.
Researchers have been tracking the group since the summer of 2019 and have since identified 26 other RedCurl attacks, carried out against 14 organisations, going as far back as 2018.
Why this matters:
This Russian group has targeted victims across different countries and industry sectors, including construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries such as Russia, Ukraine, Canada, Germany, Norway, and the UK. Many firms could fall victim to cyber crime groups like this if their defences are not able to withstand such attackers.
Read more: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/
Why You Must Beware What You Ask Amazon Alexa
The same cyber team that cracked open TikTok, WhatsApp, Microsoft’s cloud and even Philips lightbulbs has just turned its attention to Amazon’s Alexa. And, unsurprisingly, it hasn’t disappointed. After “speculating” that Amazon’s 200 million devices “could be a prime entry-point for hackers,” Check Point Research has just lifted the lid to unmask “serious security flaws in Alexa.” According to the team, “in just one click, a user could have given up their voice history, home address and control of their Amazon account.”
Why this matters:
Warnings about the dangers of smart speakers and their extended families of virtual assistants are not new. These are the same devices that caused such a scandal last year, when it transpired that humans were listening to conversations to better train the AI. The issue here is different, much more akin to the broader problem of IoT security. Every gadget you connect to the internet becomes a potential vulnerability, and the methods needed to crack Amazon’s devices were not particularly sophisticated.
Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google
A star engineer who admitted stealing self-driving car secrets from Google has been sentenced to 18 months in prison.
Anthony Levandowski, who helped found Google's self-driving car project, now known as Waymo, pleaded guilty to downloading documents containing data about the company's work and accessing one of them after he had left to found his own trucking startup.
Sentencing him in a San Francisco court, the judge said he was imposing prison time as a deterrent.
An early star in the self-driving car scene, Mr Levandowski pushed for Google to develop the technology but later became disillusioned, leaving in early 2016 to start trucking company Otto, which was bought by Uber less than eight months later.
Waymo sued Uber, a case which was settled in 2018, with Uber paying out $245m (£187m) in equity and agreeing not to use its technology.
Uber had signed an indemnification agreement with Mr Levandowski, forcing it to pay his legal fees, but has refused to pay a $179m debt he owes to the Google spin-out, a consequence of separate legal action relating to his departure.
Why this matters:
Your staff present one of your biggest risks, and a disgruntled or disillusioned employee can be very dangerous. The theft of intellectual property for personal gain is a classic example of this kind of behaviour. Data Loss Prevention (DLP) systems can help to spot unusual behaviour in employees and detect sensitive data being extracted from corporate systems.
Google and Amazon are now the most imitated brands for phishing
You may want to think twice about opening that email claiming to be from Google or Amazon, after new research found the tech giants were being used as lures for phishing scams.
Earlier this year, Check Point revealed that Apple was the most imitated brand for phishing, but over the course of the last few months, the iPhone maker has fallen to seventh place with Google and Amazon now taking the top spots.
Why this matters:
Phishing is estimated to be the starting point of over 90 percent of all cyberattacks, and according to Verizon's 2019 Data Breach Investigations Report, nearly one third (32%) of all data breaches involved phishing activity. Additionally, phishing was present in 78 percent of cyber espionage incidents and in the installation and use of backdoors in company networks.
Read more: https://www.techradar.com/news/google-and-amazon-are-now-the-most-imitated-brands-for-phishing