Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Cyber Flash Briefing 60 second video version

The Importance of Maintaining Good Cyber Hygiene During the Coronavirus Crisis

Businesses are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going.

At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down.

‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user.

Read more here: https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/

Half of all UK Firms and Three-Quarters of Large Firms Suffered Security Breach Last Year

Nearly half (46%) of UK firms reported suffering a security breach or cyber-attack over the past year, an increase on previous years, but they are getting better at recovering from and deflecting such blows, according to the government.

The annual Cyber Security Breaches Survey revealed an increase in the overall volume of businesses reporting incidents, up from 32%. The number of medium (68%) and large (75%) businesses reporting breaches or attacks also jumped, from 60% and 61% respectively.

This puts the 2020 report’s findings in line with the first government analysis in 2017, it claimed.

Of those businesses that reported incidents, more are experiencing these at least three times a week than in 2017 (32% versus 22%).

The government also claimed that organisations are experiencing more phishing attacks (from 72% to 86%) whilst fewer are seeing malware (from 33% to 16%) than three years ago.

More here: https://www.infosecurity-magazine.com/news/threequarters-firms-security/

#COVID19 Drives Phishing Emails Up 667% in Under a Month

Phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.

A security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.

As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers

Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).

As well as the usual lures to click through for more information on the pandemic, some scammers are claiming to sell cures and/or face-masks, while others try to elicit investment in companies producing vaccines, or donations to fight the virus and provide support to victims.

This is a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people on mass when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time.

More here: https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/

Attackers exploiting critical zero-day Windows flaw

Microsoft has discovered a severe vulnerability in all supported versions of Windows, which enables criminals to remotely run malware – including ransomware – on a target machine.

According to the report, the security vulnerability has not been previously disclosed and there is currently no fix.

The “critical” vulnerability revolves around how the operating system handles and renders fonts. All it takes is for the victim to open or preview a malicious document, and the attacker can remotely run different forms of malware.

Microsoft said the vulnerability is being exploited in the wild, and different hacking groups are initiating “limited, targeted attacks”.

Although there is as yet no patch, the company announced a temporary workaround for affected Windows users, which involves disabling the Preview and Details panes in Windows explorers.

Read more here: https://www.itproportal.com/news/attackers-exploiting-critical-zero-day-windows-flaw/

WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike

The DarkHotel group could have been looking for information on tests, vaccines or trial cures.

The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.

A cyber security researcher told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and noted that he realised “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”

The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself. The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organisations that are uncommon for cybercriminals and this could suggest the actor or actors behind the attacks are more interested in gathering intelligence, rather than being financially motivated.

Read the full article here: https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/

Stolen data of company that refused REvil ransom payment now on sale

Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.

More here: https://nakedsecurity.sophos.com/2020/03/23/stolen-data-of-company-that-refused-revil-ransom-payment-now-on-sale/

IT security report finds 97% of enterprise networks have suspicious network activity

A study using advanced network traffic analysis tools, found that 97% of the surveyed companies show evidence of suspicious activity in their network traffic and that 81% of the companies were being subject to malicious activity.

More here: https://www.techrepublic.com/article/it-security-report-finds-97-have-suspicious-network-activity/

Concern over Zoom video conferencing after MoD bans it over security fears

Concerns have been raised over the security of video conferencing service Zoom after the Ministry of Defence banned staff from using it.

Downing Street published pictures of Prime Minister Boris Johnson using the app to continue holding Cabinet meetings with senior MPs – where sensitive information like matters of national security are discussed – while observing rules on social distancing to curb the coronavirus outbreak.

But MoD staff were told this week that use of the software was being suspended with immediate effect while ‘security implications’ were investigated, with users reminded of the need to be ‘cautious about cyber resilience’ in ‘these exceptional times’.

One source commented that ‘it is astounding that thousands of MoD staff have been banned from using Zoom only to find a sensitive Government meeting like that of the Prime Minister’s Cabinet is being conducted over it’.

A message to MoD staff said: ‘We are pausing the use of Zoom, an internet-based video conferencing service, with immediate effect whilst we investigate security implications that come with it.’ The email added that a decision will then be made about whether to continue using the programme.

More here: https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/

Adobe issues emergency fix for file-munching bug

Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.

The file-deleting bug stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned that successful exploitation could lead to arbitrary file deletion.

To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.

More here: https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/

Emerging Chinese APT Group ‘TwoSail Junk’ Mounts Mass iPhone Surveillance Campaign

The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices.

A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers.

Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.

Read the full article here: https://threatpost.com/emerging-apt-mounts-mass-iphone-surveillance-campaign/154192/

New attack on home routers sends users to spoofed sites that push malware

A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.

The compromises are hitting Linksys routers and D-Link devices.

It remains unclear how attackers are compromising the routers. The researchers suspect that the hackers are guessing passwords used to secure routers’ remote management console when that feature is turned on. It was also hypothesized that compromises may be carried out by guessing credentials for users’ Linksys cloud accounts.

More here: https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/

Russia’s FSB wanted its own IoT botnet

If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.

The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.

Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.

More here: https://nakedsecurity.sophos.com/2020/03/24/russias-fsb-wanted-its-own-iot-botnet/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Nasty phishing scams aim to exploit coronavirus fears

Phoney emails about health advice and more are being used to steal login credentials and financial details.

Cyber criminals are aiming to take advantage of fears over coronavirus as a means of conducting phishing attacks and spreading malware, along with stealing login credentials and credit card details.

Cybersecurity companies have identified a number of campaigns by hackers who are attempting to exploit concerns about the COVID-19 outbreak for their own criminal ends. Crooks often use current affairs to make their scams more timely.

Researchers have identified a Trickbot banking trojan campaign specifically targeting Italian email addresses in an attempt to play on worries about the virus. The phishing email comes with a Word document which claims to contain advice on how to prevent infection – but this attachment is in fact a Visual Basic for Applications (VBA) script which drops a new variant of Trickbot onto the victim's machine.

The message text claims to offer advice from the World Health Organization (WHO) in a Word document which claims to be produced using an earlier version of Microsoft Word which means the user needs to enable macros in order to see the content. By doing this, it executes a chain of commands which installs Trickbot on the machine.

Read more here: https://www.zdnet.com/article/nasty-phishing-scams-aim-to-exploit-coronovirus-fears/

Backdoor malware is being spread through fake security certificate alerts

Victims of this new technique are invited to install a malicious "security certificate update" when they visit compromised websites.

Backdoor and Trojan malware variants are being distributed through a new phishing technique that attempts to lure victims into accepting an "update" to website security certificates.

Certificate Authorities (CAs) distribute SSL/TLS security certificates for improved security online by providing encryption for communication channels between a browser and server -- especially important for domains providing e-commerce services -- as well as identity validation, which is intended to instill trust in a domain.

Read the full article here: https://www.zdnet.com/article/backdoor-malware-is-being-spread-through-fake-security-certificate-alerts/

Boots Advantage and Tesco Clubcard both suffer data breaches in same week

Boots has blocked all Advantage card holders from ‘paying with points’ after 150,000 accounts were subjected to attempted hacks using stolen passwords.

The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.

Read more here: https://www.which.co.uk/news/2020/03/boots-advantage-card-tesco-clubcard-both-suffer-data-breaches-in-same-week/

Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums

Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes).

When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim's servers.

These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.

Read the full article here: https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities-in-23-web-apps-cmses-and-forums/

UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme

ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.

The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS).

IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report.

Read more here: https://www.zdnet.com/article/uk-home-office-breached-gdpr-100-times-through-botched-handling-of-eu-settlement-scheme/

Legal services giant Epiq Global offline after ransomware attack

The company, which provides legal counsel and administration that counts banks, credit giants, and governments as customers, confirmed the attack hit on February 29.

“As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation,” a company statement read. “Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible.”

The company’s website, however, says it was “offline to perform maintenance.”

A source with knowledge of the incident but who was not authorized to speak to the media said the ransomware hit the organization’s entire fleet of computers across its 80 global offices.

Read more here: https://techcrunch.com/2020/03/02/epiq-global-ransomware/

Android Patch Finally Lands for Widespread “MediaTek-SU” Vulnerability

Android has quietly patched a critical security flaw affecting millions of devices containing chipsets from Taiwanese semiconductor MediaTek: a full year after the security vulnerability – which gives an attacker root privileges – was first reported.

More here: https://www.cbronline.com/news/android-patch-mediatek-su

5G and IoT security: Why cybersecurity experts are sounding an alarm

Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments.

Seemingly everywhere you turn these days there is some announcement about 5G and the benefits it will bring, like greater speeds, increased efficiencies, and support for up to one million device connections on a private 5G network. All of this leads to more innovations and a significant change in how we do business.

But 5G also creates new opportunities for hackers.

There are five ways in which 5G networks are more susceptible to cyberattacks than their predecessors, according to the 2019 Brookings report, Why 5G requires new approaches to cybersecurity. They are:

1. The network has moved from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks had "hardware choke points" where cyber hygiene could be implemented. Not so with 5G.

2. Higher-level network functions formerly performed by physical appliances are now being virtualized in software, increasing cyber vulnerability.

3. Even if software vulnerabilities within the network are locked down, the 5G network is now managed by software. That means an attacker that gains control of the software managing the network can also control the network.

4. The dramatic expansion of bandwidth in 5G creates additional avenues of attack.

5. Increased vulnerability by attaching tens of billions of hackable smart devices to an IoT network.

Read the full article here: https://www.techrepublic.com/article/5g-and-iot-security-why-cybersecurity-experts-are-sounding-an-alarm/

Virgin Media apologises after data breach affects 900,000 customers

Virgin Media has apologised after a data breach left the personal details of around 900,000 customers unsecured and accessible.

The company said that the breach occurred after one of its marketing databases was “incorrectly configured” which allowed unauthorised access.

It assured those affected by the breach that the database “did not include any passwords or financial details” but said it contained information such as names, home and email addresses, and phone numbers.

Virgin said that access to the database had been shut down immediately following the discovery but by that time the database was accessed “on at least one occasion”.

Read more here: https://www.itv.com/news/2020-03-05/virgin-media-apologises-after-data-breach-affects-900-000-customers/

Do these three things to protect your web security camera from hackers

NCSC issues advice on how to keep connected cameras, baby monitors and other live streaming security tools secure from cyberattacks.

Owners of smart cameras, baby monitors and other Internet of Things products have been urged to help keep their devices safe by following three simple steps to boost cybersecurity – and making it more difficult for hackers to compromise them.

The advice from the UK's National Cyber Security Centre (NCSC) – the cyber arm of the GCHQ intelligence agency – comes as IoT security cameras and other devices are gaining popularity in households and workplaces.

1. Change the default password

2. Apply updates regularly

3. Disable unnecessary alerts

For more refer to the original article here: https://www.zdnet.com/article/do-these-three-things-to-protect-your-web-security-camera-from-hackers/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Microsoft Patch Tuesday fixes IE zero‑day and 98 other flaws

This month’s Patch Tuesday fell this week and it came with fixes for no fewer than 99 security vulnerabilities in Windows and other Microsoft software.

Twelve flaws have received the highest severity ranking of “critical”, while 5 security holes are listed as publicly known at the time of release.

In fact, one vulnerability ticks both boxes – an actively exploited zero-day in Internet Explorer (IE). Microsoft disclosed this flaw, indexed as CVE-2020-0674, three weeks ago but didn’t roll out a patch until now. Successful exploitation of this remote code execution (RCE) vulnerability enables remote attackers to run code of their choice on the vulnerable system.

Another 16 RCE holes are being plugged as part of this month’s bundle of security patches. This includes two severe vulnerabilities in the Windows Remote Desktop Client, CVE-2020-0681 and CVE-2020-0734, where exploitation is seen as likely by Microsoft.

Updates have been released for various flavours of Windows, as well as for Office, Edge, Exchange Server, SQL Server and a few more products. The number of fixes this month is unusually high; for example, last month’s Patch Tuesday rollout fixed 49 vulnerabilities.

Read more here: https://www.welivesecurity.com/2020/02/12/microsoft-patch-tuesday-fixes-99-vulnerabilities-ie-zero-day/

Nedbank says 1.7 million customers impacted by breach at third-party provider

Nedbank, one of the biggest banks in the South Africa region, has disclosed a security incident yesterday that impacted the personal details of 1.7 million users.

The bank says the breach occurred at Computer Facilities (Pty) Ltd, a South African company the bank was using to send out marketing and promotional campaigns.

In a security notice posted on its website, Nedbank said there was a vulnerability in the third-party provider's systems that allowed an attacker to infiltrate its systems.

The data of 1.7 million past and current customers is believed to have been affected. Details stored on the contractor's systems included things like names, ID numbers, home addresses, phone numbers, and email addresses.

The bank began notifying customers about the breach yesterday

More information here: https://www.zdnet.com/article/nedbank-says-1-7-million-customers-impacted-by-breach-at-third-party-provider/

Why you can’t bank on backups to fight ransomware anymore

Ransomware operators stealing data before they encrypt means backups are not enough.

The belief that no personally identifying information gets breached in ransomware attacks is common among victims of ransomware—and that's partially because ransomware operators had previously avoided claiming they had access to victims' data in order to maintain the "trust" required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there's no need for an organisation to reveal a breach, so the economics had favoured ransomware attackers who provided good "customer service" and gave (usually believable) assurances that no data had been taken off the victims' networks.

Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.

Read more here: https://arstechnica.com/information-technology/2020/02/why-you-cant-bank-on-backups-to-fight-ransomware-anymore/

Newly discovered PC malware version spreads through Wi-Fi networks

A new version of a highly sophisticated Trojan that can spread via Wifi networks has been discovered. The Emotet Trojan that also acts as a loader for other malware has found to now take advantage of the wlanAPI interface to spread to all PCs on a network through the Wi-fi. The Trojan was previously known to spread only through spam emails and infected networks.

The ability of this Trojan to brute force its way into networks through Wi-fi from the infected PC has supposedly gone undetected for at least two years. When the malicious software enters into a system, it begins listing and profiling wireless networks using the wlanAPI.dll calls so that it can spread to any networks that are accessible. This is because the wlanAPI.dll calls are used by Native Wi-Fi to manage wireless network profiles and wireless network connections.

Read more here: https://www.neowin.net/news/newly-discovered-pc-malware-version-spreads-through-wi-fi-networks/

Why the ransom is only a fraction of the cost of a ransomware attack

The expense of dealing with a ransomware attack is far in excess of what was previously thought, according to a report published on Tuesday.

Estimate for the total ransom payments demanded in 2019 was $25 billion. But this is only one seventh of the actual cost to the companies affected, which could be as much as $170 billion, according to estimates. Most of these costs arise from downtime and are associated with dealing with the attack, rather than the ransom itself, according to the report.

Read more here: https://decrypt.co/19084/why-ransom-fraction-cost-ransomware-attack

5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras

Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn)  in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.

Cisco Discovery Protocol is also known as CDP is the Cisco proprietary Layer 2 (Data Link Layer) network protocol and is virtually implemented in Cisco products including switches, routers, IP phones, and cameras to discover the information about the Cisco equipment.

Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities that affected 10 of millions of users, and it allows attackers to completely take over the vulnerable devices without any sort of user interaction.

One vulnerability cause Denial of Service in Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol implemented target routers, and in turn, completely disrupt target networks.

Read more here: https://gbhackers.com/zero-day-vulnerability-affected-cisco-cdp-devices/

Average tenure of a CISO is just 26 months due to high stress and burnout

Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress.

Many say the heightened stress levels has led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment.

The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies.

Today, many companies are adopting CISO roles. The constant threat of hacks, ransomware, phishing, and online scams makes establishing a cyber-security department in any company a unavoidable decision.

However, most companies are not ready to embed CISOs into their company culture and day-to-day operations.

Today, CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also a constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong.

Across the years, many CISOs have often pointed out the problems with their jobs and the stress and damage they inflict. However, there has been no conclusive study to support broad assertations.

Read the full article here: https://www.zdnet.com/article/average-tenure-of-a-ciso-is-just-26-months-due-to-high-stress-and-burnout/

Ex-GCHQ spy chief says scammers are running rings around Google

Bogus investment and savings adverts banned by Google are reappearing at the top of its search results because con artists can easily circumnavigate the internet giant’s systems, according to a former spy.

Scammers are able to dupe the world’s most powerful search engine simply by making slight alterations to the names of their fake firms.

For example, one website, info.bond-finder.co.uk, appeared at the top of Google’s search results when consumers typed in “best fixed rate Isa”. But the website had the same contact details as another site, bonds-finder.com, which was identified by the financial regulator, the Financial Conduct Authority (FCA), as a likely scam in January and deleted by Google.

Google launched an investigation after it was alerted to the matter by this newspaper and, after a connection between the two sites was confirmed, the advert was removed.

The company has been in talks with the FCA for almost a year about how to solve the problem of unregulated investment firms and fraudsters duping consumers by paying to appear first in search results through Google’s Ads service.

Read more here: https://www.telegraph.co.uk/money/consumer-affairs/ex-gchq-spy-chief-says-scammers-running-rings-around-google/

FBI: Cybercrime losses tripled over the last 5 years

In 2019, the United States’ Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureau’s annual 2019 Internet Crime Report (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled ‘only’ US$1.1 billion.

Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.

Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.

Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Week in review 08 December 2019

Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

5,183 breaches in first nine months of 2019 exposed 7.9b data records

As many as 7.9 billion data records were leaked, stolen or exposed as a result of 5,183 data breaches that took place in the first nine months of 2019, making it the worst year ever for data breaches.

This alarming statistic was revealed by security firm Risk Based Security which observed that based on recent trends, the number of breached data records could touch 8.5 billion by the end of the year.

The firm also noted that the total number of data breaches worldwide rose by 33.3 percent compared to the mid-year of 2018 and the number of records breached also rose by 112 percent. As many as 3.1 million data records were breached as a result of six data breach incidents that took place between 1 July and 30 September.

The majority of data records were exposed or leaked as a result of accidental exposure of data on the internet by organisations. The fact that hackers are quite willing to take advantage of such data exposure has also led to a rise in the number of breached records.

https://www.teiss.co.uk/data-records-breached-2019/ 

44 million Microsoft customers found using compromised passwords

Microsoft's identity threat researchers have revealed that 44 million of its users are still using passwords that have previously been compromised in past data breaches.

The 44 million weak accounts comprised both Microsoft Services Accounts (regular users) and Azure AD accounts too, suggesting businesses are not adopting proper password hygiene.

A total of three billion user credentials were checked in a database populated from numerous sources including law enforcement and public databases.

Using the data set of three billion credentials, Microsoft was able to identify the number of users who were reusing credentials across multiple online services.

Microsoft forced a password reset for all of those users who were found to have leaked credentials during the scan which took place between January and March 2019.

https://www.itpro.co.uk/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using

Evil Corp: US charges Russians over hacking attacks

US authorities have filed charges against two Russian nationals alleged to be running a global cyber crime organisation named Evil Corp.

An indictment named Maksim Yakubets and Igor Turashev - who remain at large - as figures in a group which used malware to steal millions of dollars in more than 40 countries.

Those affected by the hacks include schools and religious organisations. It is also alleged that Mr Yakubets worked for Russian intelligence.

The attacks are said to be amongst the worst computer hacking and bank fraud schemes of the past decade. The $5m reward being offered for information leading to their arrest and prosecution is the largest yet for catching cyber criminals.

Thursday's indictment came after a multi-year investigation by the US and British law enforcement agencies.

Authorities allege that the group stole at least $100m (£76m) using Bugat malware - known as Dridex.

The malware was spread through so-called "phishing" campaigns, which encouraged victims to click on malicious links sent by email from supposedly trusted entities.

Once a computer was infected, the group stole personal banking information which was used to transfer funds.

A network of money launderers - targeted by the NCA and Britain's Metropolitan Police - were then utilised to funnel the criminal proceeds to members of Evil Corp. Eight members of this network have been sentenced to a total of over 40 years in prison.

https://www.bbc.co.uk/news/world-us-canada-50677512 

New ransomware attacks target your NAS devices, backup storage

New ransomware that targets Network Attached Storage devices and other backup devices has surged in recent months with many users unprepared for the increased level of threat.

As with all ransomware paying the ransom is no guarantee of getting data back and should only ever be an absolute last resort.

With networked and backup storage devices falling victim to ransomware infections that emphasises the need to ensure firms have offline copies of backups. Backups that are that are disconnected from systems cannot themselves be corrupted or fall victim to ransomware and would therefore be a firm’s best bet in being able to recover from such an attack.

https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/ 

New vulnerability lets attackers sniff or hijack VPN connections

Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections. OpenVPN, WireGuard, and IKEv2/IPSec VPNs are all vulnerable to attacks.

The vulnerability -- tracked as CVE-2019-14899 -- resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.

According to the research team, attackers can use this vulnerability to probe devices and discover various details about the user's VPN connection status.

Whilst this vulnerability affects Linux, Android, Mac and other Unix-based operating systems this vulnerability is not currently believed to affect Windows based systems.

https://www.zdnet.com/article/new-vulnerability-lets-attackers-sniff-or-hijack-vpn-connections/  

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

https://arstechnica.com/information-technology/2019/12/north-koreas-lazarus-hackers-up-their-game-with-fileless-mac-malware/ 

Europol seizes more than 30,000 counterfeit sites on Cyber Monday

Europol has taken down more than 30,000 different web domains which allowed cyber criminals to sell counterfeit and pirated items online.

The joint operation between 18 member states and the US National Intellectual Property Rights Coordination Centre, with help Eurojust and INTERPOL, included the seizure of articles such as fake medicines, pirated movies, music, software and counterfeit electronics.

In addition, officials identified and froze more than €150 000 (£128,000) in several bank accounts and online payment platforms.

As a result of the coordinated operation, codenamed IOS X (In Our Sites), three arrests have been made and 26,000 "luxury products" have been seized along with the swathe of illicit websites.

The IOS campaign launched in 2014, one that Europol has gained in strength year-on-year, and aims to "make the internet a safer place for consumers by recruiting more countries and private sector partners to participate in the operation and providing referrals".

You can contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our regular ‘Cyber Tip Tuesday’ video blog here and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Top 10 Cyber Security Myths

SecurityBoulevard.com have a list of the top 10 cyber security myths that criminals love, including the Number 1 ‘This can’t happen to me’ and a few other prime examples that we do hear in conversation quite often.

Read the full list here: https://securityboulevard.com/2019/10/10-cybersecurity-myths-that-criminals-love/

A security breach is inevitable, IT leaders warned

No matter how much IT security tech and training is in place, sophisticated, targeted attacks are going to breach company defences, Carbon Black warns

A survey by security vendor Carbon Black, as part of their Global threat series study, reported that 84% of UK organisations participating in the study said they have suffered one or more breaches in the past 12 months due to external cyber attacks.

The survey reported that the average number of breaches in affected organisations was 2.89, a reduction from the 3.67 seen in the January 2019 report, with more than half (51.5%) of respondents saying they had been breached only once.

Carbon Black said the number of businesses identifying just a single breach has grown from the previous research, where only 15% had suffered only a single breach. This may indicate that businesses are responding more robustly to breach incidents to ensure that frequency is reduced.

At the other end of the scale, 5.5% of the businesses surveyed admitted they had been breached 10 or more times, and 3% said they didn’t know how many times they had been breached.

The study found that among the IT leaders who took part in the research, 84% reported an increase in cyber attacks in the past 12 months, with nine in 10 saying the attacks they face are becoming more sophisticated. This compares with 87% in the previous report and 82% in the summer of 2018.

https://www.computerweekly.com/news/252471594/A-security-breach-is-inevitable-IT-leaders-warned

Employee negligence can be a leading contributor to data breaches

Two thirds (68%) of businesses reported their organisation has experienced at least one data breach in the past 12 months, and nearly three in four (69%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to a report conducted by the Ponemon Institute.

https://www.helpnetsecurity.com/2019/10/01/workplace-data-breaches-risk/

UK local authorities hit with hundreds of cyberattacks every hour

Councils across the UK have suffered 263 million attacks in the first six months of the year - equivalent to 800 attacks an hour, or 13 attacks every minute. This is according to a new report by Gallagher, based on a Freedom of Information (FoI) request made towards the councils, with 203 of them answering, and another 204 councils who did not respond so the actual number of attacks could more than double the above, exceeding 500 million in the first half of the year. This gives an idea of the sheer scale and number of attacks going on all the time against all organisations.

https://www.itproportal.com/news/uk-local-authorities-hit-with-hundreds-of-cyberattacks-every-hour/

Microsoft: Any form of MFA takes users out of reach of most attacks

There have been several reports in the media regarding SIM hijacking attacks and the ease with which these types of attacks are being perpetrated, and these reports have raised some doubts or concerns about the security of multi-factor authentication.

This article does a good job of explaining how not all MFA solutions are created equally but the overarching message is that any MFA implementation, anything beyond just a username and password, significantly increases the amount of work for an attacker and as a result accounts with MFA represent less than 0.1% of all attacks.

FBI Stance on Whether Firms Should Pay Ransomware

The FBI in the US came out with hard hitting advice telling firms not to pay ransoms, but to inform the FBI in the event that a firm in the US did decide to pay a ransom.

https://www.zdnet.com/article/fbis-new-ransomware-warning-dont-pay-up-but-if-you-do-tell-us-about-it/

They then softened their stance with an updated version of their guidance including a section discussing the option of paying the hackers to get data decrypted.

https://www.theregister.co.uk/2019/10/03/fbi_softens_stance_on_ransomware/

Best practice around ransomware is always to ensure you have sufficient backups, both online and offline, such that you can restore your data in the event you get hit with ransomware. Firms need to ensure they have tested recovering their data to make sure they could recover if they needed to. It is too late when trying to recover for real to discover the backup doesn’t work or the wrong directory was being backed up.

Do not rely on cloud storage as being sufficient backup as often any ransomware attack will synchronise with files stored in the cloud before the infection is detected.

More Attacks Seen Using ‘Island Hopping’ (using targets with less security to leverage attacks against targets with more security)

Recent attacks, especially recent attacks against the aerospace and defence industries, have seen an increase in ‘island hopping’, where a bigger group or better defended target is attacked indirectly, through its network of weaker, less defended partner companies. These attacks are carried out in a more ‘horizontal' way rather than the more traditional 'vertical' methods.

https://www.zdnet.com/article/this-new-hacking-group-is-using-island-hopping-to-target-victims/

In addition to the recent aerospace attacks island hopping is also becoming more frequently used to attack financial services.

https://www.itpro.co.uk/security/33946/50-of-cyber-attacks-now-use-island-hopping

Half a million British Airways customers have been given the go-ahead to sue the airline over its cybersecurity breach last summer

On Friday a High Court judge granted a group litigation order, paving the way for a mass legal action enabling some 500,000 people affected by a series of breaches between April and September last year.

https://www.thetimes.co.uk/article/half-a-million-customers-can-sue-ba-over-huge-data-breach-n8z0rxpsk 

Cybersecurity breaches to increase nearly 70% in next 5 years

New analysis from Juniper Research has found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%.

 This will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm.

The new research in The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 whitepaper noted that while the cost per breach will steadily rise in the future, the levels of data disclosed will make headlines but not impact breach costs directly, as most fines and lost business are not directly related to breach sizes.

https://www.uktech.news/news/cybersecurity-breaches-to-increase-nearly-70%25-in-next-5-years-20191002

Sophisticated tools provide false sense of cyber-security: Survey

Are you confident that your firm is cyber-threat-proof? A Forrester survey among over 250 senior security decision-makers in North America and Europe found that most of them are confident in their firms’ security measures. However, threats to cyber-security remain strong, said the research.

"The abundance of technology investments gives firms a false sense of confidence in their security posture. Their challenges reveal a different story," said the report.

Security executives currently employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, they are left with point-in-time assessments that require them to cobble together data from disparate systems to truly understand the organisation’s security posture. This approach is reactive, labour-intensive, and insufficient in scale, explained the report.

https://www.scmagazineuk.com/sophisticated-tools-provide-false-sense-cyber-security-survey/article/1660872 

Fileless Malware on the Rise

According to reports analysing the state of the threat landscape, fileless malware incidents are up to some 265% in the first half of 2019 when compared to the same period in 2018. Fileless malware sometimes has been referred to as a zero-footprint attack or non-malware attack. However, fileless malware may be the best name for the attack method, as the attack is not dependent on end users downloading and running malware via compromised files. Rather, fileless malware executes malicious scripts by piggybacking on legitimate software packages. More often than not, the malware resides in the computer’s random access memory (RAM), not installed on the hard drive.

https://securityboulevard.com/2019/10/fileless-malware-on-the-rise/