Cyber Weekly Flash Briefing 18 Sept 2020: Higher cyber losses; old MS Office exploit; banking Trojan given away free; new Bluetooth flaw; IoT risks; DDoS attacks up; US charge Iranians & Russians

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Cyber losses are increasing in frequency and severity

Research by a cyber insurance provider in North America shows cyber attacks have increased in number and severity since the onset of the coronavirus pandemic. The changes that organisations implemented to facilitate remote work have given cyber criminals new opportunities to launch campaigns exploiting mass uncertainty and fear.

The severity of ransomware attacks has increased since the beginning of COVID-19, with researchers having observed a 47% increase on top of a 100% increase in Q1 2020.

Researchers also found that newer strains of ransomware have been particularly malicious, with costly ransom demands and criminal actors threatening to expose an organisation’s data if they don’t pay. They report that the average demand from attackers using the Maze variety of ransomware is approximately six times larger than the overall average.

Researchers also reported a 35% increase in funds transfer fraud and social engineering claims filed by their policyholders since the pandemic began. Reported losses from these types of attack have ranged from the low thousands to well above $1 million per event.

Additionally, COVID-19 has resulted in a notable surge of business email compromise. The insurer observed a 67% increase in the number of email attacks during the pandemic.

Why this matters:

The report refers to North America but the findings are applicable to us all. They indicate that the most frequent types of losses incurred by victims were from ransomware (41%), funds transfer loss (27%), and business email compromise incidents (19%) — accounting for 87% of reported incidents and 84% of the insurer’s claim pay-outs in the first half of 2020.

Clearly with the landscape getting worse, firms more likely to fall victim, and with losses increasing all the time, firms should ensure they are taking these threats seriously.

Read more: https://www.helpnetsecurity.com/2020/09/14/cyber-losses-are-increasing-in-frequency-and-severity/


Hackers have revived a decade-old Microsoft Office exploit - and they’re having a field day

Hackers have ramped up attempts to abuse a decade-old Microsoft Office flaw with the help of creative new email scams, new research has found.

According to analysis commissioned by NordVPN, attempts to exploit the vulnerability (CVE-2017-11882) rose by 400% in the second quarter of the year - with further growth expected.

Why this matters:

If exploited successfully, the memory corruption bug could allow attackers to execute code on the target device remotely. This is especially problematic if the affected user’s account has administrative privileges, in which case the hacker could seize control of the system.

Read more: https://www.techradar.com/news/hackers-have-revived-a-decade-old-microsoft-office-exploit-and-theyre-having-a-field-day


Cerberus banking Trojan source code released for free to cyber attackers

The source code of the Cerberus banking Trojan has been released as free malware on underground hacking forums following a failed auction.

The leaked code, distributed under the name Cerberus v2, presents an increased threat for smartphone users and the banking sector at large. 

Why this matters:

Cerberus is a mobile banking Trojan designed for the Google Android operating system. In circulation since at least July 2019, the Remote Access Trojan (RAT) is able to conduct covert surveillance, intercept communication, tamper with device functionality, and steal data including banking credentials by creating overlays on existing banking, retail, and social networking apps.

The malware is able to read text messages that may contain one-time passcodes (OTP) and two-factor authentication (2FA) codes, thereby bypassing typical 2FA account protections. OTPs generated through Google Authenticator may also be stolen.

Read more: https://www.zdnet.com/article/cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers/


Critical Bluetooth security vulnerability could affect billions of devices worldwide

A new security flaw in the Bluetooth software stack discovered over the summer has the potential to affect billions of smartphones, laptops and IoT devices using the Bluetooth Low Energy (BLE) protocol.

The new vulnerability has been given the name BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven academic researchers at Purdue University who first discovered it.

Unlike the recently discovered BLURtooth vulnerability that deals with how Bluetooth devices pair with one another, BLESA was found in the reconnection process. Reconnections occur when two BLE devices move out of range and then move back into range. Normally BLE devices check the cryptographic keys negotiated during the pairing process when reconnecting.

The research team found that the official BLE specification did not contain strong-enough language to describe the reconnection process properly leading to two systemic issues making their way into BLE software implementations.

The first deals with the fact that authentication during device reconnection is optional as opposed to mandatory while the second relates to how authentication can potentially be circumvented if a user's BLE device fails to force another device to authenticate the cryptographic keys sent while reconnecting.

Why this matters:

Billions of devices could be vulnerable to these BLESA attacks where a nearby attacker bypasses reconnection verification and sends spoofed data to a BLE device with incorrect information. This can lead both humans and automated processes to make incorrect decisions when it comes to allowing two devices to reconnect with one another.

Read more: https://www.techradar.com/news/critical-bluetooth-security-vulnerability-could-affect-billions-of-devices-worldwide


Coffee machines, cuddly toys and cars: The Internet of Things devices that could put you at risk from hackers

Connected teddy bears, connected coffee machines and connected cars are just some of the unusual Internet of Things (IoT) devices being insecurely connected to corporate networks that could leave whole organisations open to cyber attacks.

A research paper by Palo Alto Networks details the surge in IoT devices being connected to corporate networks and their wide variety.

Some of the most common irregular devices being connected to organisations' networks include connected vehicles, connected toys and connected medical devices, with connected sports equipment such as fitness trackers, gaming devices and connected cars also being deployed.

These devices are being connected because they can often help people through the working day or help manage aspects of their personal life, but they're also creating additional problems for the corporate network.

Why this matters:

In many cases, these 'shadow IoT' devices are being added to the network without the knowledge of the security team.

This could potentially leave the corporate network vulnerable because not only do some IoT devices have poor security that means they can easily be discovered and exploited, but some workplaces still have flat networks and if a device is compromised then an attacker can move from the IoT product to another system.

Read more: https://www.zdnet.com/article/coffee-machines-cuddly-toys-and-cars-the-internet-of-things-devices-which-could-put-you-at-risk-from-hackers/


DDoS Attacks Skyrocket as Pandemic Bites

More people being online during lockdowns and more people working from home has proven to be lucrative for DDoS type attacks.

The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year — a phenomenon that appears to be directly correlated to the global coronavirus pandemic.

One firm’s Security Operations Centre (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks they had has ever mitigated – that attack came in at 1.17 terabits-per-second (Tbps), and lasted five days and 18 hours.

These figures are representative of the growing number, volume and intensity of network-type cyber attacks as organizations shifted to remote operations and workers’ reliance on the internet increased.

Why this matters:

DDoS attacks are getting bigger, with a “noticeable spike” in volume: The number of attacks sized 100Gbps and above grew a whopping 275 percent. Emblematic of this is a 2.3Tbps attack targeting an Amazon Web Services client in February – the largest volumetric DDoS attack on record. And the aforementioned 1.17Tbps attack was 192 percent bigger than the largest attack mitigated during the first half of 2019.

Read more: https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/


US charges two Russians for stealing $16.8m via cryptocurrency phishing sites

The US Department of Justice has filed charges this week against two Russian nationals for orchestrating a multi-year phishing operation against the users of three cryptocurrency exchanges.

The two suspects stand accused of creating website clones for the Poloniex, Binance, and Gemini cryptocurrency exchanges, luring users on these fake sites, and collecting their account credentials. These phishing operations began around June 2017.

US officials said the Russian duo — made up of Danil Potekhin (aka cronuswar) and Dmitrii Karasavidi; residents of Voronezh and Moscow, respectively — used the stolen credentials to access victim accounts and steal their Bitcoin (BTC) and Ether (ETH) crypto-assets.

Why this matters:

In total, US officials estimated the victims in the hundreds. Court documents cite 313 defrauded Poloniex users, 142 Binance victims, and 42 users at Gemini. Losses were estimated at $16,876,000.

Whilst bitcoin has waned in popularity after its highs a few years back there is still value in holdings held in different exchanges and these holdings remain popular targets for attackers.

Read more: https://www.zdnet.com/article/us-charges-two-russians-for-stealing-16-8m-via-cryptocurrency-phishing-sites/


US charges two Iranian hackers for years-long cyber-espionage, cybercrime spree

The US has also filed charges against and is seeking the arrest of two Iranian nationals believed to have carried out cyber-intrusions at the behest of the Iranian government and for their own personal financial gain.

In an indictment unsealed this week, prosecutors accused Hooman Heidarian and Mehdi Farhadi, both from Hamedan, Iran, of launching cyber-attacks against a wide range of targets since at least 2013.

Past victims included several US and foreign universities, a Washington think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran, with most targets located in the US, Israel, and Saudi Arabia.

US officials said Heidarian and Farhadi focused on gaining access to their victims' accounts, computers, and internal networks, from where they stole confidential data and communications pertaining to topics such as national security, foreign policy, nuclear energy, and aerospace.

Why this matters:

Financial data and personally identifiable information wasn't off-limits, and the two also stole intellectual property, such as unpublished scientific research.

In addition, the two also targeted and stole personal information and communications of Iranian dissidents, human rights activists, and opposition leaders, according to George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division.

Prosecutors believe that some of the stolen data was handed over to Iranian government intelligence officials, but that other information was also sold on black markets for the hackers' personal gains.

Read more: https://www.zdnet.com/article/us-charges-two-iranian-hackers-for-years-long-cyber-espionage-cybercrime-spree/


Alert issued to UK universities and colleges about spike in cyber attacks

British universities and colleges have been warned about a spike in ransomware attacks targeting the education sector by the UK's National Cyber Security Centre (NCSC), a part of GCHQ.

Academic institutions are being urged to follow NCSC guidance following a sharp increase in attacks which have left some teachers fearing they won't be able to accept students when term begins.

Last week staff at Newcastle University warned Sky News they had "no idea how we are going to welcome students in three weeks' time" following one such ransomware attack, which has impacted IT services across the whole university.

Similar attacks in which criminal hackers infiltrated computer networks and stole data before encrypting the machines and demanding a ransom payment to unlock them again, have hit Northumbria University, Bolton Sixth Form College, Leeds City College and others in August alone.

Speaking to Sky News, NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.

Why this matters:

There are more than a dozen criminal groups which are currently earning millions by encrypting their victim's computer networks and then leaking stolen documents online to pressure the victims into paying up.

Read more: https://news.sky.com/story/alert-issued-to-uk-universities-and-colleges-about-spike-in-cyber-attacks-12073450


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Previous
Previous

What is the CIA Triad? You're probably heard it mentioned but what is it, and why do you need to know it - Cyber Tip Tuesday video

Next
Next

The Most Effective Phishing Lures - which ones will you fall for...?! Cyber Tip Tuesday video 15 September 2020