Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Cyber Weekly Flash Briefing for 24 April 2020 – increase in data breaches with staff WFH, MS out of band patch for Office, hackers breach ad servers, 309m Facebooks users details compromised

Cyber Weekly Flash Briefing for 24 April 2020 – increase in data breaches with staff WFH, MS out of band patch for Office, hackers breach ad servers, 309m Facebooks users compromised

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


The week in 60 seconds - video flash briefing


Over half of organisations expect remote workers to increase the risk of a data breach

Apathy towards cyber security remains one of the biggest challenges for businesses.

The majority of UK’s IT decision-makers believe remote workers will expose their businesses to the risk of a data breach.

This is according to a new report which claims the awareness of the issue has been “steadily growing” over the last three years.

While the report does not offer definitive explanations for the rise, it cites increased remote working due to the coronavirus as a contributing factor.

The percentage of employees intentionally putting data at risk dropped slightly (from 47 to 44 percent), but apathy continues to be a “major problem”.

However, remote working appears to have forced IT decision-makers to pay closer attention to security.

Almost all (96 percent) respondents acknowledged risks associated with BYOD policies and a significant portion of those (42 percent) only allow the use of pre-approved gear (up from 11 percent last year).

This change is “crucial”, as lost and misplaced devices are now the second biggest data breach cause (24 percent), behind intentionally putting data at risk (33 percent) and ahead of mishandling corporate data.

Read more: https://www.itproportal.com/news/over-half-of-organisations-expect-their-remote-workers-to-expose-them-to-the-risk-of-a-data-breach/


Trickbot Named Most Prolific #COVID19 Malware

Notorious malware Trickbot has been linked to more COVID-19 phishing emails than any other, according to new data from Microsoft.

The Microsoft Security Intelligence Twitter account made the claim on Friday.

“Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures,” it said. “This week’s campaign uses several hundreds of unique macro-laced document attachments in emails that pose as messages from a non-profit offering a free COVID-19 test.”

Microsoft has been providing regular updates through the current crisis as organizations struggle to securely manage an explosion in home working while cyber-criminals step up efforts to exploit stretched IT security teams and distracted employees.

Read more: https://www.infosecurity-magazine.com/news/trickbot-named-most-prolific/


Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D

Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.

The flaws, all rated “important” in severity, are tied to six CVEs stemming from Autodesk’s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications

Read more: https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/


1,000 may be hit by CISI website fraud attack

The CISI has launched an investigation after a website attack resulted in 1,000 customers and members being exposed to the risk of credit card fraud.

The professional body with 45,000 members says some members have reported “fraudulent activity” on their cards following a payment transaction on the CISI website.

The organisation, which provides the Certified Financial Planner and Chartered Wealth manager designations, has launched a probe with help from its insurers and KPMG.

The CISI has contacted 5,785 customers that processed a payment transaction through its website between 1 February 2020 and 15 April 2020.

It said not all of these have seen “fraudulent activity” but it anticipates about 1,000 have been exposed to a risk of fraud.

Read more: https://www.financialplanningtoday.co.uk/news/item/11502-1-000-may-be-hit-by-cisi-website-fraud-attack


Here's a list of all the ransomware gangs who will steal and leak your data if you don't pay

Starting with late 2019 and early 2020, the operators of several ransomware strains have begun adopting a new tactic.

In an attempt to put additional pressure on hacked companies to pay ransom demands, several ransomware groups have also begun stealing data from their networks before encrypting it.

If the victim -- usually a large company -- refuses to pay, the ransomware gangs threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.

Companies who may try to keep the incident under wraps, or who may not want intellectual property leaked online, where competitors could get, will usually cave in and pay the ransom demand.

While initially the tactic was pioneered by the Maze ransomware gang in December 2019, it is now becoming a widespread practice among other groups as well.

Clop, Doppenpaymer, Maze, Nefilim, Nemty, Ragnarlocker, Revil (Sodinokibi), Sekhmet, Snatch

Read the original article here for full details: https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/


Hackers have breached 60 ad servers to load their own malicious ads

A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites.

This clever hacking campaign was discovered last month and appears to have been running for at least nine months, since August 2019.

Hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.

Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files -- usually disguised as Adobe Flash Player updates.

Read more: https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/


GCHQ calls on public to report coronavirus-related phishing emails

GCHQ is asking members of the public to report suspicious emails they have received amid a wave of scams and hacking attacks that seek to exploit fear of Covid-19 to enrich cybercriminals.

The National Cyber Security Centre, a branch of the intelligence agency, has launched the suspicious email reporting service with a simple request of the public: forward any dubious emails to report@phishing.gov.uk, and the NCSC’s automated scanning system will check for scam emails and immediately remove criminal sites.

Read more here: https://www.theguardian.com/technology/2020/apr/21/gchq-calls-public-report-coronavirus-phishing-emails


Hackers exploit bug to access iPhone users’ emails

Hackers have devised a way to install malicious software on iPhones without getting the victim to download an attachment or click on any links.

Cybersecurity researchers have discovered a bug in the phone’s email app that hackers may have been exploiting since January 2018. It enables hackers to access all emails on a phone, as well as remotely modify or delete them.

Typically, an attack on a phone requires a user to download the malware, such as clicking on a link in a message or on an attachment. Yet in this case, hackers send a blank email to the user. When the email is opened, a bug is triggered that causes the Mail app to crash, forcing the user to reboot it. During the reboot, hackers could access information on the device.

The hack is virtually undetectable by victims due to the sophisticated nature of the attack and Apple’s own security measures, which often make investigating the devices for potential vulnerabilities a challenge, experts claim.

More here: https://www.thetimes.co.uk/article/hackers-exploit-bug-to-access-iphone-users-emails-ssvvztrgf


FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak

Instances of cybercrime appear to have jumped by as much as 300 percent since the beginning of the coronavirus pandemic, according to the FBI. The bureau’s Internet Crime Complain Center (IC3) said last week that it’s now receiving between 3,000 and 4,000 cybersecurity complaints every day, up from the average 1,000 complaints per day the center saw before COVID-19 took hold.

While much of this jump can be attributed to America’s daily activities increasingly moving online — newly remote workers unaware of basic security measures or companies struggling to keep externally-accessed systems secure, for example — the FBI says a lot of the increased cybercrime is coming from nation states seeking out COVID-19-related research.

More: https://www.entrepreneur.com/article/349509


309 million Facebook users’ phone numbers found online

Last weekend, researchers came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it, for the grand total of £500.

That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

Read more here: https://nakedsecurity.sophos.com/2020/04/22/309-million-facebook-users-phone-numbers-and-more-found-online/


Google Issues Warning For 2 Billion Chrome Users

Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.

Chrome has a critical security flaw across Windows, Mac and Linux and it urges users to upgrade to the latest version of the browser (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.

Read more: https://www.forbes.com/sites/gordonkelly/2020/04/18/google-chrome-81-critical-security-exploit-upgrade-warning-update-chrome-browser/#42a057f56bde

Zoom announces 5.0 update with tougher encryption and new security features

Zoom has today announced its new 5.0 update, bringing robust new security features including AES 256-bit GCM encryption.

Zoom says that AES 256-bit GCM encryption will "raise the bar for securing our users' data in transit", providing "confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar and Zoom Phone Data." The systemwide enablement of this new security standard will take place on May 30.

Zoom has also introduced a new security icon, where it has grouped its security features in one place within Zoom's meeting menu bar. It has also introduced more robust host controls, including a 'report a user' feature. Waiting rooms now default to on, as do meeting passwords and cloud recording passwords. Zoom has also introduced a new data structure for linking contacts within larger organizations. Previously, a Zoom feature designed to group users by domain name had seen thousands of random users grouped together, sharing lots of information with strangers.

Read more: https://www.androidcentral.com/zoom-announces-50-update-tougher-encryption-and-new-security-features


Temporary coronavirus hospitals face growing cybersecurity risks

The coronavirus outbreak has led to a series of temporary medical facilities opening across the U.S., most of which will use remote-care devices without the proper protection against hackers. Because of their remoteness and the overall uncertainty that pandemic’s created, cybersecurity at these temporary hospitals has fallen to the wayside and risks are at an all-time high.

Further complicating matters, most of these temporary units are highly dependent on connected medical devices to facilitate remote care. This leaves these hospitals open to hackers stealing patients’ personal health information via these connected devices.

Fortunately, there are a number of steps health care organizations can take to protect their remote facilities. Not only should organizations ensure their software is up to date and fully patched, but they should also consider enabling two-factor authentication for every account that’s granted access to the remote center’s system.

To assist with securing these remote health care locations, Microsoft has expanded the availability of its AccountGuard security service program. Currently offered at no cost to health care providers on the front lines of the coronavirus outbreak, Microsoft’s AccountGuard service helps targeted organizations protect themselves from ongoing cybersecurity threats.

Read more: https://www.itpro.co.uk/security/cyber-security/355420/temporary-coronavirus-hospitals-facing-growing-cybersecurity-risks


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More