Cyber Weekly Flash Briefing for 14 February 2020 – Microsoft patches 99 vulns, Nedbank 1.7m customer breach, PC malware spreads via WiFi, Cybercrime losses triple
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Microsoft Patch Tuesday fixes IE zero‑day and 98 other flaws
This month’s Patch Tuesday fell this week and it came with fixes for no fewer than 99 security vulnerabilities in Windows and other Microsoft software.
Twelve flaws have received the highest severity ranking of “critical”, while 5 security holes are listed as publicly known at the time of release.
In fact, one vulnerability ticks both boxes – an actively exploited zero-day in Internet Explorer (IE). Microsoft disclosed this flaw, indexed as CVE-2020-0674, three weeks ago but didn’t roll out a patch until now. Successful exploitation of this remote code execution (RCE) vulnerability enables remote attackers to run code of their choice on the vulnerable system.
Another 16 RCE holes are being plugged as part of this month’s bundle of security patches. This includes two severe vulnerabilities in the Windows Remote Desktop Client, CVE-2020-0681 and CVE-2020-0734, where exploitation is seen as likely by Microsoft.
Updates have been released for various flavours of Windows, as well as for Office, Edge, Exchange Server, SQL Server and a few more products. The number of fixes this month is unusually high; for example, last month’s Patch Tuesday rollout fixed 49 vulnerabilities.
Read more here: https://www.welivesecurity.com/2020/02/12/microsoft-patch-tuesday-fixes-99-vulnerabilities-ie-zero-day/
Nedbank says 1.7 million customers impacted by breach at third-party provider
Nedbank, one of the biggest banks in the South Africa region, has disclosed a security incident yesterday that impacted the personal details of 1.7 million users.
The bank says the breach occurred at Computer Facilities (Pty) Ltd, a South African company the bank was using to send out marketing and promotional campaigns.
In a security notice posted on its website, Nedbank said there was a vulnerability in the third-party provider's systems that allowed an attacker to infiltrate its systems.
The data of 1.7 million past and current customers is believed to have been affected. Details stored on the contractor's systems included things like names, ID numbers, home addresses, phone numbers, and email addresses.
The bank began notifying customers about the breach yesterday
More information here: https://www.zdnet.com/article/nedbank-says-1-7-million-customers-impacted-by-breach-at-third-party-provider/
Why you can’t bank on backups to fight ransomware anymore
Ransomware operators stealing data before they encrypt means backups are not enough.
The belief that no personally identifying information gets breached in ransomware attacks is common among victims of ransomware—and that's partially because ransomware operators had previously avoided claiming they had access to victims' data in order to maintain the "trust" required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there's no need for an organisation to reveal a breach, so the economics had favoured ransomware attackers who provided good "customer service" and gave (usually believable) assurances that no data had been taken off the victims' networks.
Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.
Read more here: https://arstechnica.com/information-technology/2020/02/why-you-cant-bank-on-backups-to-fight-ransomware-anymore/
Newly discovered PC malware version spreads through Wi-Fi networks
A new version of a highly sophisticated Trojan that can spread via Wifi networks has been discovered. The Emotet Trojan that also acts as a loader for other malware has found to now take advantage of the wlanAPI interface to spread to all PCs on a network through the Wi-fi. The Trojan was previously known to spread only through spam emails and infected networks.
The ability of this Trojan to brute force its way into networks through Wi-fi from the infected PC has supposedly gone undetected for at least two years. When the malicious software enters into a system, it begins listing and profiling wireless networks using the wlanAPI.dll calls so that it can spread to any networks that are accessible. This is because the wlanAPI.dll calls are used by Native Wi-Fi to manage wireless network profiles and wireless network connections.
Read more here: https://www.neowin.net/news/newly-discovered-pc-malware-version-spreads-through-wi-fi-networks/
Why the ransom is only a fraction of the cost of a ransomware attack
The expense of dealing with a ransomware attack is far in excess of what was previously thought, according to a report published on Tuesday.
Estimate for the total ransom payments demanded in 2019 was $25 billion. But this is only one seventh of the actual cost to the companies affected, which could be as much as $170 billion, according to estimates. Most of these costs arise from downtime and are associated with dealing with the attack, rather than the ransom itself, according to the report.
Read more here: https://decrypt.co/19084/why-ransom-fraction-cost-ransomware-attack
5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras
Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn) in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.
Cisco Discovery Protocol is also known as CDP is the Cisco proprietary Layer 2 (Data Link Layer) network protocol and is virtually implemented in Cisco products including switches, routers, IP phones, and cameras to discover the information about the Cisco equipment.
Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities that affected 10 of millions of users, and it allows attackers to completely take over the vulnerable devices without any sort of user interaction.
One vulnerability cause Denial of Service in Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol implemented target routers, and in turn, completely disrupt target networks.
Read more here: https://gbhackers.com/zero-day-vulnerability-affected-cisco-cdp-devices/
Average tenure of a CISO is just 26 months due to high stress and burnout
Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress.
Many say the heightened stress levels has led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment.
The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies.
Today, many companies are adopting CISO roles. The constant threat of hacks, ransomware, phishing, and online scams makes establishing a cyber-security department in any company a unavoidable decision.
However, most companies are not ready to embed CISOs into their company culture and day-to-day operations.
Today, CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also a constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong.
Across the years, many CISOs have often pointed out the problems with their jobs and the stress and damage they inflict. However, there has been no conclusive study to support broad assertations.
Read the full article here: https://www.zdnet.com/article/average-tenure-of-a-ciso-is-just-26-months-due-to-high-stress-and-burnout/
Ex-GCHQ spy chief says scammers are running rings around Google
Bogus investment and savings adverts banned by Google are reappearing at the top of its search results because con artists can easily circumnavigate the internet giant’s systems, according to a former spy.
Scammers are able to dupe the world’s most powerful search engine simply by making slight alterations to the names of their fake firms.
For example, one website, info.bond-finder.co.uk, appeared at the top of Google’s search results when consumers typed in “best fixed rate Isa”. But the website had the same contact details as another site, bonds-finder.com, which was identified by the financial regulator, the Financial Conduct Authority (FCA), as a likely scam in January and deleted by Google.
Google launched an investigation after it was alerted to the matter by this newspaper and, after a connection between the two sites was confirmed, the advert was removed.
The company has been in talks with the FCA for almost a year about how to solve the problem of unregulated investment firms and fraudsters duping consumers by paying to appear first in search results through Google’s Ads service.
Read more here: https://www.telegraph.co.uk/money/consumer-affairs/ex-gchq-spy-chief-says-scammers-running-rings-around-google/
FBI: Cybercrime losses tripled over the last 5 years
In 2019, the United States’ Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureau’s annual 2019 Internet Crime Report (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled ‘only’ US$1.1 billion.
Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.
Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.
Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.