Cyber Weekly Flash Briefing 29 May 2020: Criminals impersonate Google to target remote workers, ransomware up 950% in 2019, cloud collab tool use surges along with attacks, EasyJet £18 billion suit
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
60ish second video roundup
Cyber-Criminals Impersonating Google to Target Remote Workers
Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.
According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.
Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).
Read the full article here: https://www.infosecurity-magazine.com/news/cyber-criminals-impersonating/
Ransomware Demands Soared 950% in 2019
Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data.
A new report claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.
As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.
The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.
Read more: https://www.infosecurity-magazine.com/news/ransomware-demands-soared-950-in/
Use of cloud collaboration tools surges and so do attacks
The COVID-19 pandemic has pushed companies to adapt to new government-mandated restrictions on workforce movement around the world. The immediate response has been rapid adoption and integration of cloud services, particularly cloud-based collaboration tools such Microsoft Office 365, Slack and videoconferencing platforms. A new report shows that hackers are responding to this with increased focus on abusing cloud account credentials.
Analysis of cloud usage data that was collected between January and April from over 30 million enterprise indicated a 50% growth in the adoption of cloud services across all industries. Some industries, however, saw a much bigger spike--for example manufacturing with 144% and education with 114%.
The use rate of certain collaboration and videoconferencing tools has been particularly high. Cisco Webex usage has increased by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%. Again, manufacturing and education ranked at the top.
Huge rise in hacking attacks on home workers during lockdown
Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.
The proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later, according to new data.
Attacks specifically aimed at exploiting the chaos wrought by Sars-CoV-2 have been evident since January, when the outbreak started to garner international news headlines.
The attacks have increased in sophistication, specifically targeting coronavirus-related anxieties rather than the more usual attempts at financial fraud or extortion.
In early May “a large malicious email campaign” was detected against UK businesses that told employees they could choose to be furloughed if they signed up to a specific website.
Read more here: https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown?CMP=share_btn_tw
EasyJet faces £18 billion class-action lawsuit over data breach
UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach.
Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyber attack, including over 2,200 credit card records.
The "highly sophisticated" attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers.
The carrier did not explain how or exactly when the data breach took place, beyond that "unauthorized access" has been "closed off."
The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified, of which the latter has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security.
Last year, British Airways faced a "notice of intent" filed by the ICO to fine the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.
Read the full article here: https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/
Data Breach at Bank of America
Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.
The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.
Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.
More Here: https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/
Apple sends out 11 security alerts – get your fixes now!
Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.
There were 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.
11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.
Read more: https://nakedsecurity.sophos.com/2020/05/27/apple-sends-out-11-security-alerts-get-your-fixes-now/
NSA warns of new Sandworm attacks on email servers
The US National Security Agency (NSA) has published a security alert warning of a new wave of cyber attacks against email servers conducted by one of Russia's most advanced cyber-espionage units.
The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).
Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability.
Read more: https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/
DoubleGun Group Builds Massive Botnet Using Cloud Services
An operation from the China-based cybercrime gang known as DoubleGun Group has been disrupted, which had amassed hundreds of thousands of bots that were controlled via public cloud services, including Alibaba and Baidu Tieba.
Researchers in a recent post said that they noticed DNS activity in its telemetry that traced back to a suspicious domain controlling mass amounts of infected Windows devices. Analysis of the command-and-control (C2) infrastructure of the operation and the malware used to build the botnet showed that the effort could be attributed to a known threat group – DoubleGun, a.k.a. ShuangQiang.
Read more: https://threatpost.com/doublegun-massive-botnet-cloud-services/156075/
Malicious actor holds at least 31 stolen SQL databases for ransom
A malicious cyber actor or hacking collective has reportedly been sweeping the internet for online stores’ unsecured SQL databases, copying their contents, and threatening to publish the information if the rightful owners don’t pay up.
The perpetrator has stolen the copied versions of at least 31 SQL databases, which have been put up for sale on an unnamed website. These databases constitute roughly 1.620 million rows of information, including e-commerce customers’ names, usernames, email addresses, MD5-hashed passwords, birth dates, addresses, genders, account statuses, histories and more