Cyber Weekly Flash Briefing for 27 March 2020 – Half of UK firms suffer breach last year, COVID19 drives phishing up 667%, WHO targeted, Windows zero-day, ransom refuser’s data published online
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Flash Briefing 60 second video version
The Importance of Maintaining Good Cyber Hygiene During the Coronavirus Crisis
Businesses are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going.
At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down.
‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user.
Read more here: https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/
Half of all UK Firms and Three-Quarters of Large Firms Suffered Security Breach Last Year
Nearly half (46%) of UK firms reported suffering a security breach or cyber-attack over the past year, an increase on previous years, but they are getting better at recovering from and deflecting such blows, according to the government.
The annual Cyber Security Breaches Survey revealed an increase in the overall volume of businesses reporting incidents, up from 32%. The number of medium (68%) and large (75%) businesses reporting breaches or attacks also jumped, from 60% and 61% respectively.
This puts the 2020 report’s findings in line with the first government analysis in 2017, it claimed.
Of those businesses that reported incidents, more are experiencing these at least three times a week than in 2017 (32% versus 22%).
The government also claimed that organisations are experiencing more phishing attacks (from 72% to 86%) whilst fewer are seeing malware (from 33% to 16%) than three years ago.
More here: https://www.infosecurity-magazine.com/news/threequarters-firms-security/
#COVID19 Drives Phishing Emails Up 667% in Under a Month
Phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.
A security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.
As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers
Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).
As well as the usual lures to click through for more information on the pandemic, some scammers are claiming to sell cures and/or face-masks, while others try to elicit investment in companies producing vaccines, or donations to fight the virus and provide support to victims.
This is a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people on mass when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time.
More here: https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/
Attackers exploiting critical zero-day Windows flaw
Microsoft has discovered a severe vulnerability in all supported versions of Windows, which enables criminals to remotely run malware – including ransomware – on a target machine.
According to the report, the security vulnerability has not been previously disclosed and there is currently no fix.
The “critical” vulnerability revolves around how the operating system handles and renders fonts. All it takes is for the victim to open or preview a malicious document, and the attacker can remotely run different forms of malware.
Microsoft said the vulnerability is being exploited in the wild, and different hacking groups are initiating “limited, targeted attacks”.
Although there is as yet no patch, the company announced a temporary workaround for affected Windows users, which involves disabling the Preview and Details panes in Windows explorers.
Read more here: https://www.itproportal.com/news/attackers-exploiting-critical-zero-day-windows-flaw/
WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike
The DarkHotel group could have been looking for information on tests, vaccines or trial cures.
The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.
A cyber security researcher told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and noted that he realised “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”
The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself. The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organisations that are uncommon for cybercriminals and this could suggest the actor or actors behind the attacks are more interested in gathering intelligence, rather than being financially motivated.
Read the full article here: https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/
Stolen data of company that refused REvil ransom payment now on sale
Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.
RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.
Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.
IT security report finds 97% of enterprise networks have suspicious network activity
A study using advanced network traffic analysis tools, found that 97% of the surveyed companies show evidence of suspicious activity in their network traffic and that 81% of the companies were being subject to malicious activity.
More here: https://www.techrepublic.com/article/it-security-report-finds-97-have-suspicious-network-activity/
Concern over Zoom video conferencing after MoD bans it over security fears
Concerns have been raised over the security of video conferencing service Zoom after the Ministry of Defence banned staff from using it.
Downing Street published pictures of Prime Minister Boris Johnson using the app to continue holding Cabinet meetings with senior MPs – where sensitive information like matters of national security are discussed – while observing rules on social distancing to curb the coronavirus outbreak.
But MoD staff were told this week that use of the software was being suspended with immediate effect while ‘security implications’ were investigated, with users reminded of the need to be ‘cautious about cyber resilience’ in ‘these exceptional times’.
One source commented that ‘it is astounding that thousands of MoD staff have been banned from using Zoom only to find a sensitive Government meeting like that of the Prime Minister’s Cabinet is being conducted over it’.
A message to MoD staff said: ‘We are pausing the use of Zoom, an internet-based video conferencing service, with immediate effect whilst we investigate security implications that come with it.’ The email added that a decision will then be made about whether to continue using the programme.
More here: https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/
Adobe issues emergency fix for file-munching bug
Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.
The file-deleting bug stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned that successful exploitation could lead to arbitrary file deletion.
To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.
More here: https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/
Emerging Chinese APT Group ‘TwoSail Junk’ Mounts Mass iPhone Surveillance Campaign
The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices.
A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers.
Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.
Read the full article here: https://threatpost.com/emerging-apt-mounts-mass-iphone-surveillance-campaign/154192/
New attack on home routers sends users to spoofed sites that push malware
A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.
The compromises are hitting Linksys routers and D-Link devices.
It remains unclear how attackers are compromising the routers. The researchers suspect that the hackers are guessing passwords used to secure routers’ remote management console when that feature is turned on. It was also hypothesized that compromises may be carried out by guessing credentials for users’ Linksys cloud accounts.
Russia’s FSB wanted its own IoT botnet
If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.
The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.
Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.
More here: https://nakedsecurity.sophos.com/2020/03/24/russias-fsb-wanted-its-own-iot-botnet/