Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank
If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Businesses believe the pandemic will change the security landscape forever
After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.
The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.
With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.
A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.
Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.
Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.
Ransomware operators lurk on your network after their attack
When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.
Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.
This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.
Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.
As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.
Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.
This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/
Prolific Hacker Made Millions Selling Network Access
A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.
The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.
Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.
In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.
The report calculated the $1.5m figure purely from publicised sales, although 20% of those Fxmsp compromised were made through private sales, meaning the hacker’s trawl is likely to be even bigger.
Fxmsp even hired a sales manager in early 2018.
Read more here: https://www.infosecurity-magazine.com/news/infamous-hacker-millions-selling/
Rogue Postbank employees steal master encryption key; make off with $3.2 million
South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.
According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".
The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.
The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.
The cost to the bank of replacing all the compromised cards is expected to reach $58 million.
Read more here: https://www.finextra.com/newsarticle/36059/rogue-postbank-employees-steal-master-encryption-key-make-off-with-32-million
Massive Distributed Denial of Service (DDoS) attack launched against European bank
This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.
The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.
What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.
Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.
The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.
Read more here: https://www.itproportal.com/news/massive-ddos-attack-launched-against-european-bank/
'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report
Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.
The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”
The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.
Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, thus cleverly hiding them in the public blockchain - in plane sight.
Read more: https://cryptonews.com/news/unstoppable-malware-uses-bitcoin-to-retrieve-secret-messages-6947.htm
Woman who deliberately deleted firm’s Dropbox is sentenced
58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.
Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.
She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.
Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.
More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.
The Police warned other companies of the threat which can be posed by former employees:
Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.
If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.
Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.
EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers
EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.
More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.
EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people was also accessed.
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”
Read more here: https://www.bloomberg.com/news/articles/2020-06-24/easyjet-lawsuit-over-data-breach-attracts-10-000-passengers
Twitter apologises for business data breach
Twitter has emailed its business clients to tell them that personal information may have been compromised.
Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.
In an email to its clients, Twitter said it was "possible" others could have accessed personal information.
The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.
The tech company says that there is no evidence that clients' billing information was compromised.
Read more here: https://www.bbc.co.uk/news/technology-53150157
Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online
Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.
Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement
The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.
DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.
Read more here: https://www.cbronline.com/news/blue-leaks-data-dump