Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Antony Cleal

Week in review 29 December 2019: round-up of the most significant open source stories of the last week

Black Arrow Cyber Security review of top open source news articles for week ending 29 December 2019: 10 biggest hacks of the decade, biggest malware threats, MI6 floorplans lost, Citrix vulnerabilities, popular chat app actually spying tool, jobs in infosec

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Black Arrow Cyber Consulting would like to wish everyone a happy, prosperous and cyber-safe 2020.

A bit of a quiet week, as one would expect with the Christmas festivities. As it is the end of the year, and indeed the end of a decade, there are lots of round-ups of the last year and the last decade, and a lot of predictions for what 2020 will hold (we suspect more bad stuff: more ransomware, more devious and nasty strains of ransomware at that, and more breaches). In that vein, on to our first story:


The 10 biggest data hacks of the decade

This article comes from CNBC in the US and whilst the content is US centric a lot of people on this side of the Atlantic would have been caught up in a lot of these breaches too.

Since 2010, data breaches have exposed over 38 billion records, and there have been at least 40,650 data hacks in this time. And while many were smaller data breaches, there were a few mega hacks that will likely remain records for years to come.

Amongst the biggest breaches are:

  • UnderArmour (MyFitnessPal), from March 2018 with 143.6 million records hacked

  • Equifax from September 2017 with 147 million records hacked

  • Marriott (Starwood) from November 2018 with 383 million records hacked

  • Veeam from September 2018 with 445 million records hacked

  • Yahoo! from September and December 2016 with up to 3 billion records hacked

There have been many other breaches affecting other companies, such as WhatsApp and Fortnite, which have reported security flaws in the past year that could have exposed millions of customers’ data, but the extent of the accessed data has not yet been fully ascertained.

Read the full article here: https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html


Live visualisations of the World’s Biggest Data Breaches and Hacks can be found anytime here: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Biggest Malware Threats of 2019

2019 was another banner year for bots, trojans, RATs and ransomware. Let’s take a look back.

One in five computer users was subject to at least one malware-class web attack in 2019. This past year cities such as New Orleans were under ransomware siege by the likes of Ryuk. Zero-day vulnerabilities were also in no short supply, with targets such as Google Chrome, whose zero-day was exploited in Operation WizardOpium.

Threatpost have taken a look back over their coverage from the last 12 months.

Remote Desktop Protocol vulnerabilities BlueKeep, and then DejaBlue, allowed unauthenticated, remote attackers to take complete control of targeted endpoints. The fear of BlueKeep and its wormable potential to mimic WannaCry forced Microsoft’s hand to patch systems as old as Windows XP and Windows 2000.

This past year had its fair share of zero-day vulnerabilities. One of the most prominent was Urgent/11, a set of 11 vulnerabilities, including remote code execution, in the real-time OS VxWorks. Because of VxWorks’ use in so many critical infrastructure devices, the U.S. Food and Drug Administration took the unusual step of releasing a warning urging admins to patch.

We were warned last year when mitigating against Meltdown and Spectre that we would face more side-channel related CPU flaws in the future. And this year we did, with variants ranging from ZombieLoad to Bounds Check Bypass Store, Netspectre and NetCAT. For 2020? Expect even more variants, say experts.

2019 was the year ransomware criminals turned their attention away from consumers and started focusing on big targets such as hospitals, municipalities and schools. There was the Ryuk attack against New Orleans, the Maze ransomware behind the Pensacola attack, and a rash of attacks against hospitals that resulted in some care facilities turning patients away.

Botnets continued to be a key tool in cyberattacks in 2019. This past year saw the return of the notorious Emotet botnet. Crooks behind Trickbot partnered with the banking trojan cybercriminals behind IcedID and Ursnif. Lastly, Echobot, an IoT botnet, cast a wider net in 2019 with a raft of exploit additions.

Perhaps the highest-profile cryptominer attack occurred in May when researchers found 50,000 servers were infected for over four months as part of a high-profile cryptojacking campaign featuring the malware Nansh0u. The past year also saw a new XMRig-based cryptominer called Norman emerge, which stood apart because of its clever ability to go undetected.

Even though the target is smaller, mobile devices offer criminals top-tier data. Not only are APTs shifting their focus to mobile, but so are garden-variety crooks. Take, for example, the Anubis mobile banking trojan, which only goes into action after it senses the targeted device is in motion. Then there was the Instagram-initiated campaign using the Gustuff Android mobile banking trojan that rolled out in October.

Google’s Project Zero, in August, found 14 iOS vulnerabilities that had been exploited in the wild since September 2016. According to Google’s Threat Analysis Group (TAG), the flaws could allow malware to easily steal messages, photos and GPS coordinates. These flaws were used in five exploit chains in a watering hole attack that had lasted years. Google said the malware payload used in the attack was a custom job, built for monitoring.

In May, researchers uncovered a unique Linux-based malware dubbed HiddenWasp that targeted systems to remotely control them. The malware is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.

Discussing malware without touching on business email compromise-based attacks would be like talking about the New England Patriots without mentioning Tom Brady. Fake Greta Thunberg emails were used to lure victims into downloading Emotet malware. Of course, the Swedish climate-change activist was just one of the lures; in 2018 such scams numbered 351,000, with losses exceeding $2.7 billion.

Read the original article here: https://threatpost.com/biggest-malware-threats-of-2019/151423/


7 types of virus – a short glossary of contemporary cyberbadness

Technically, this article is about malware in general, not about viruses in particular.

These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use.

But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.

So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.

Read the full article here: https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/


MI6 floor plans lost by building contractor

Floor plans of MI6's central London headquarters were lost by building contractors during a refurbishment.

The documents, most of which were recovered inside the building, held sensitive information on the layout, including entry and exit points.

Balfour Beatty, the company working on the refurbishment at the headquarters in Vauxhall, is reportedly no longer working on the project.

The Foreign Office said it did not comment on intelligence matters.

The documents, which went missing a few weeks ago, were produced and owned by Balfour Beatty and designed to be used for the refurbishment.

The contractor kept the plans on the site at Vauxhall Cross in a secure location.

BBC security correspondent Gordon Corera said the missing plans were not classified or intelligence documents, but the pages did hold sensitive details.

Most, but not all, of the documents were recovered inside the building after it was noticed they were missing, he said.

Balfour Beatty said it could not comment because of sensitivities.

The incident, first reported by the Sun newspaper, is reportedly a result of carelessness, rather than any hostile activity.

Read the original article here: https://www.bbc.co.uk/news/uk-50927854


Citrix vulnerability allowed criminals to hack 80,000 companies

Researchers have found a vulnerability in popular enterprise software offerings from Citrix which puts tens of thousands of companies at risk of cyber attack.

A security researcher uncovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), which allows direct access to a company network from the internet.

According to a report on the flaw, around 80,000 companies in 158 countries around the world could be at risk. Most companies are located in the US, with the UK, Germany, the Netherlands and Australia sharing a significant portion.

Read the full article here: http://www.itproportal.com/news/citrix-vulnerability-allows-criminals-to-hack-80000-companies


Popular chat app ToTok is actually a spying tool of UAE government – report

A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a New York Times report.

The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, the Times reported, citing US officials familiar with a classified intelligence assessment and the newspaper’s own investigation.

The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media has been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.

The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a US-allied federation of seven sheikhdoms on the Arabian peninsula. Government surveillance in the Emirates is prolific, and the Emirates has long been suspected of using so-called “zero-day” exploits to target human rights activists and others. Zero-day exploits can be expensive to obtain on the black market because they target software vulnerabilities for which fixes have yet to be developed.

The Times described ToTok as a way to give the government free access to personal information, as millions of users are willingly downloading and installing the app on their phones and unknowingly giving permission to enable features.

As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.

Read the full article here: https://www.theguardian.com/world/2019/dec/23/totok-popular-chat-app-spying-tool-uae-government


Jobs in Information Security (InfoSec)

For anyone considering a career in cyber or information security (infosec) there is a useful article detailing different roles and different potential areas of work in this field.

We also run a free mentoring program for anyone either looking to move into cyber security or currently in a cyber security role wanting to progress their careers. Contact us for more information.

Read the article here: https://medium.com/bugbountywriteup/jobs-in-information-security-infosec-93a5efc12ca2


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.
