Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 03 December 2021
Black Arrow Cyber Threat Briefing 03 December 2021
-Double Extortion Ransomware Victims Soar 935%
-MI6 Boss: Digital Attack Surface Growing "Exponentially"
-How Phishing Kits Are Enabling A New Legion Of Pro Phishers
-Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
-Omicron Phishing Scam Already Spotted in UK
-Phishing Remains the Most Common Cause of Data Breaches, Survey Says
-Ransomware Victims Increase Security Budgets Due To Surge In Attacks
-Control Failures Are Behind A Growing Number Of Cyber Security Incidents
-MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Double Extortion Ransomware Victims Soar 935%
Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.
Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.
During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.
In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.
Group-IB warned that, even if victim organisations pay the ransom, their data often end up on these sites.
https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/
MI6 Boss: Digital Attack Surface Growing "Exponentially"
Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech this week that, unlike the character Q from the James Bond films, even MI6 cannot source all of its tech capabilities in-house.
New partners and tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.
“The ‘digital attack surface’ that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.
https://www.infosecurity-magazine.com/news/mi6-digital-attack-surface-growing/
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavours are profitable, they need to balance the potential payday against the time, resources and risk required.
It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.
https://www.helpnetsecurity.com/2021/12/02/phishing-kits-pro/
Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
Dark web forum posts offering compromised VPN, RDP credentials and other ways into networks have tripled in the last year.
There's been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.
Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021
Omicron Phishing Scam Already Spotted in UK
The global pandemic has provided cover for all sorts of phishing scams over the past couple of years, and the rise in alarm over the spread of the latest COVID-19 variant, Omicron, is no exception.
As public health professionals across the globe grapple with what they fear could be an even more dangerous COVID-19 variant than Delta, threat actors have grabbed the opportunity to turn uncertainty into cash.
UK consumer watchdog “Which?” has raised the alarm that a new phishing scam, doctored up to look like official communications from the National Health Service (NHS), is targeting people with fraud offers for free PCR tests for the COVID-19 Omicron variant
https://threatpost.com/omicron-phishing-scam-uk/176771/
Phishing Remains the Most Common Cause of Data Breaches, Survey Says
Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organisations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.
Ransomware Victims Increase Security Budgets Due To Surge In Attacks
As the end of 2021 approaches, there’s no doubt ransomware became a top cybersecurity concern across multiple industries. Successful ransomware attacks like the Colonial Pipeline, which took down critical US infrastructure, and Kaseya, which hit over 1,500 companies in a single attack, became a popular topic in the news.
Research conducted by Cymulate, however, shows that despite the increase in the number of attacks this past year, overall victims suffered limited damage in both severity and duration. Potential victims have improved their level of preparedness, with 70% reporting an increase of awareness at the boardroom and business management level. The majority (55%) undertook proactive measures to prevent ransomware attacks before they could cause any significant damage, and many of those respondents (38%) prevented attacks even before they could cause any serious downtime. Only 14% of respondents that experienced an attack were down for a week or more.
Control Failures Are Behind A Growing Number Of Cyber Security Incidents
Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery, according to Panaseer.
Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.
https://www.helpnetsecurity.com/2021/12/01/control-failures-cybersecurity/
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
China, Russia and Iran pose three of the biggest threats to the U.K. in a fast-changing, unstable world, the head of Britain’s foreign intelligence agency said Tuesday.
MI6 chief Richard Moore said the three countries and international terrorism make up the “big four” security issues confronting Britain’s spies.
In his first public speech since becoming head of the Secret Intelligence Service, also known as MI6, in October 2020, Moore said China is the intelligence agency’s “single greatest priority” as the country’s leadership increasingly backs “bold and decisive action” to further its interests.
Calling China “an authoritarian state with different values than ours,” he said Beijing conducts “large-scale espionage operations” against the U.K. and its allies, tries to ”distort public discourse and political decision-making” and exports technology that enables a “web of authoritarian control” around the world.
Moore said the U.K. also continues “to face an acute threat from Russia.” He said Moscow has sponsored killing attempts, such as the poisoning of former spy Sergei Skripal in England in 2018, mounts cyber attacks and attempts to interfere in other countries’ democratic processes.
https://www.securityweek.com/mi6-spy-chief-says-china-russia-iran-top-uk-threat-list
Threats
Ransomware
Microsoft Exchange Servers Hacked To Deploy BlackByte Ransomware (Bleepingcomputer.Com)
New Ransomware Variant Could Become Next Big Threat (darkreading.com)
Yanluowang Ransomware Tied to Thieflock Threat Actor | Threatpost
Yanluowang Ransomware Operation Matures With Experienced Affiliates (Bleepingcomputer.Com)
Ransomware Attack On Planned Parenthood Exposes 400,000 Patients' Personal Data - CNN
Phishing
APT Groups Adopt New Phishing Method. Will Cybercriminals Follow? (darkreading.com)
Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks (thehackernews.com)
Malware
Emotet Now Spreads Via Fake Adobe Windows App Installer Packages (Bleepingcomputer.Com)
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions (thehackernews.com)
Password-Stealing And Keylogging Malware Is Being Spread Through Fake Downloads | ZDNet
Malware Variants In 2021: Harder To Detect And Respond To - Help Net Security
Mobile
Surge Of Info-Stealing Android Malware FluBot Detected Again • The Register
Fake Support Agents Call Victims To Install Android Banking Malware (Bleepingcomputer.Com)
Multi-Platform Spyware Tracks Users Across Windows And Android | Techradar
IOT
Vulnerabilities
Pretty Much All Wi-Fi Routers Are Vulnerable To Attack, Study Finds | Techradar
Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com)
New Ubuntu Linux Kernel Security Patches Address 6 Vulnerabilities, Update Now - 9to5Linux
Netgear Router Vulnerabilities Affecting SME Products Fixed • The Register
Data Breaches/Leaks
UK Government Fined £500,000 For New Year Honours Data Breach - BBC News
Panasonic Discloses Four-Months-Long Data Breach - The Record By Recorded Future
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill | SecurityWeek.Com
Threat Actors Stole $120 M In Crypto From BadgerDAO DeFi Platform - Security Affairs
Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify (trendmicro.com)
How Do Criminals Exploit Cryptocurrencies? | Financial Times (ft.com)
Insider Threats
Fraud & Financial Crime
Insurance
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Cyber War Victims Might Not Get Payouts – Insurer • The Register
OT, ICS, IIoT and SCADA
Nation State Actors
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List | SecurityWeek.Com
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Jumping The Air Gap: 15 Years Of Nation‑State Effort | WeLiveSecurity
Israel and Iran Broaden Cyberwar to Attack Civilian Targets - The New York Times (nytimes.com)
North Korea-Linked Zinc APT Posed As Samsung Recruiters To Target Security Firms - Security Affairs
Cloud
Parental Controls
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 May 2021
Black Arrow Cyber Threat Briefing 14 May 2021: Two Thirds Of CISOs Expect Damaging Cyber Attack In Next 12 Months; Ransomware - Don't Pay, It Just Shows Cyber Criminals That Attacks Work; Most Significant Cyber Attacks 2006-2020; The Shape Of Fraud And Cyber Crime, 10 Things We Learned From 2020; US Pipeline Ransomware Serves As Warning To Persistent Corporate Inertia Over Security; Ransomware Attackers Now Using Triple Extortion Tactics; AXA Pledges To Stop Reimbursing French Ransomware Victims; Cyber Experts Warn Over Online Wine Scams
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Two Thirds Of CISOs Across World Expect Damaging Cyber Attack In Next 12 Months
More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic. One hundred CISOs from the US, Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cyber security landscape.
Ransomware: Don't Pay Up, It Just Shows Cyber Criminals That Attacks Work, Warns Home Secretary
For victims of ransomware attacks, paying the ransom does not guarantee that their network will be restored – and handing money to criminals only encourages them to try their luck infecting more companies with the file-encrypting malware. The impact of ransomware attacks continues to rise as cyber criminals encrypt networks, while also blackmailing victims with the prospect of stolen data being published, to generate as much money as possible from extortion.
The Most Significant Cyber Attacks From 2006-2020, By Country
Committing a cyber crime can have serious consequences. In the US, a cyber criminal can receive up to 20 years in prison for hacking into a government institution if it compromises national security. Yet, despite the consequences, cyber criminals continue to wreak havoc across the globe. But some countries seem to be targeted more than others. Using data from SpecOps Software, this graphic looks at the countries that have experienced the most significant cyber attacks over the last two decades.
https://www.visualcapitalist.com/cyber-attacks-worldwide-2006-2020/
The Shape Of Fraud And Cyber Crime: 10 Things We Learned From 2020
While it remains true that the older you are, the greater the financial loss, why would fraudsters target the young, who are arguably less well off? The answer lies in volume. Criminals have been offsetting higher monetary gain for higher attack rates, capitalising on the fact that the young are perhaps both more liberal with personal information (and privacy in general) and, at the same time, heavy digital users (social media, surveys, games, and so on). In fact, it is scary to see how much value the humble email address can have for criminals. We often forget that once obtained, it can be used further down the line to commit more fraud.
Is Third-Party Software Leaving You Vulnerable To Cyber Attacks?
When companies buy digital products, they expect them to be secure. In most cases, they do not test for vulnerabilities down the digital supply chain — and do not even have adequate processes or tools to do so. Hackers have taken note, and incidents of supply chain cyber attacks, which exploit weaknesses within the digital supply chain to break into organisations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but rachet up the visibility of these threats to top executives who want to know their offerings are secure.
https://hbr.org/2021/05/is-third-party-software-leaving-you-vulnerable-to-cyberattacks
US Pipeline Ransomware Attack Serves As Fair Warning To Persistent Corporate Inertia Over Security
Organisations that continue to disregard the need to ensure they have adopted basic cyber security hygiene practices should be taken to task. This will be critical, especially as cyber criminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. In many of my conversations with cyber security experts, there is a shared sense of frustration that businesses still are failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that are decades old.
Ransomware Attackers Are Now Using Triple Extortion Tactics
The number of organisations affected by ransomware so far this year has more than doubled, compared with the same period in 2020, according to the report. Since April, Check Point researchers have observed an average of 1,000 organisations impacted by ransomware every week. For all of 2020, ransomware cost businesses worldwide around $20 billion, more than 75% higher than the amount in 2019. The healthcare sector has been seeing the highest volume of ransomware with around 109 attacks per organization each week. Amid news of a ransomware attack against gas pipeline company Colonial Pipeline, the utilities sector has experienced 59 attacks per organization per week. Organisations in the insurance and legal sector have been affected by 34 such attacks each week.
https://www.techrepublic.com/article/ransomware-attackers-are-now-using-triple-extortion-tactics/
AXA Pledges To Stop Reimbursing Ransom Payments For French Ransomware Victims
Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cyber criminals. While unconfirmed, the Associated Press reported that the move was an industry first. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks become a daily occurrence for organisations across the world.
The Dystopic Future Of Cyber Security And The Importance Of Empowering CISOs
Over a decade ago, in 2007, the first iPhone was released and with it emerged an ecosystem of apps that continues to expand to this day. This was a watershed moment, not solely for the technology industry, but civilization. It was a catalyst for what was to come. Suddenly, every consumer could access the internet at a touch of a button, and the accumulation of their data by private companies began en masse. It was at this point that data was established as an increasingly valuable commodity, and in turn, became a heightened exploitation risk. It also instigated a wave of innovation that has yet to break and is only growing rapidly in pace. In this state, technology providers, users, and manufacturers get excited about new functionalities, new features, new developments, while little thought is given to the negative consequences that could arise as a result. Indeed, fear has no place in the state of innovation as it is this primal thinking that inhibits creativity.
https://www.infosecurity-magazine.com/blogs/the-dystopic-future-of/
Cyber Security Experts Warn Over Online Wine Scams
Online wine scams became a bigger threat as cyber criminals sought to take advantage of more people and businesses organising virtual drinks and ordering bottles on the internet in the wake of Covid-19 restrictions, suggests the report. So-called ‘phishing emails’ were a particular concern, according to findings published in April by US-based group Recorded Future in partnership with Area 1 Security. From January 2020 onwards, the authors found a significant rise in legitimate wine-themed web domain registrations using terms like Merlot, Pinot, Chardonnay or Vino.
https://www.decanter.com/wine-news/cyber-security-experts-warn-over-online-wine-scams-457647/
Threats
Ransomware
New Ransomware: CISA Warns Over Fivehands File-Encrypting Malware Variant
Energy Companies Are The Firms Most Likely To Pay Cyber Attack Ransoms
A Student Pirating Software Led To A Full-Blown Ryuk Ransomware Attack
BEC
Phishing
Other Social Engineering
Coronavirus-Related Cyber Crime Contributes To 15-Fold Surge In Scam Takedowns
She Responded To A Smishing Scam. Then The Spam Texts Got Worse.
Malware
Mobile
IOT
Vulnerabilities
Don’t Delay Installing Your Windows 10 May Patch Tuesday Update – It Fixes 3 Zero-Day Exploits
WiFi Vulnerability May Leave Millions Of Devices Open To 'Frag Attacks'
Remote Mouse Mobile App Contains Raft Of Zero-Day RCE Vulnerabilities
Lemon Duck Hacking Group Adopts Microsoft Exchange Server Vulnerabilities In New Attacks
Data Breaches
Organised Crime & Criminal Actors
Supply Chain
Nation State Actors
Russian Hackers Are Targeting These Vulnerabilities, So Patch Now
NCSC Warns British Start-Ups Of Threat From Chinese And Russian Hackers
Privacy
Reports Published in the Last Week
Other News
Your Old Mobile Phone Number Could Compromise Your Cyber Security
Biden Signs Executive Order Aiming To Prevent Future Cyber Security Disasters
Train Firm’s ‘Worker Bonus’ Email Is Actually Cyber Security Test
Half Of Government Security Incidents Caused By Missing Patches
90% Of Security Leaders View Bot Management As A Top Priority
'Everyone Had To Rethink Security': What Microsoft Learned In Last Year
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Top Tips for Guernsey Businesses During the Second Coronavirus Lockdown, Cyber Tip Tuesday
Top Tips for Guernsey Businesses During the Second Coronavirus Lockdown, Cyber Tip Tuesday 26 January 2021
Top Tips for Guernsey Businesses During the Second Coronavirus Lockdown, Cyber Tip Tuesday 26 January 2021
Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter spear-phishing, Garmin may have paid ransom, 27% of consumers hit with Covid19 phishing scams, Netflix phishing scam
Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter says attack was spear-phishing, Criminals still exploiting COVID19, Netwalker ransomware, Garmin may have paid ransom, QNAP NAS devices infected, Hackers exploit networking vulns, 27% of consumers hit with pandemic-themed phishing scams, New Netflix phishing scam
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
386 million user records stolen in data breaches — and they're being given away for free
A notorious hacker or group of hackers is giving away copies of databases said to contain 386 million user records, after posting links to the databases on a marketplace used by cyber criminals.
The threat actor, who goes by the name ShinyHunters, claims to have data stolen from 18 different websites in the past seven months. According to reports, ShinyHungers last week began uploading the databases to a forum where anyone can download them free of charge.
ShinyHunters is believed to have played a role in high-profile data breaches at HomeChef, Promo.com, Mathway, Chatbooks, Dave.com, Wattpad and even Microsoft's GitHub account. Many of these records were previously offered for sale online.
Why this matters:
Any details stolen from one site or service will be used against other sites and services, this is why it is critical that passwords are not reused across different sites and that all passwords are unique. Using multi factor authentication is also very effective at safeguarding against these types of attacks.
Read more here: https://www.tomsguide.com/news/shinyhunters-breach-giveaway
Twitter says spear-phishing attack on employees led to breach
Twitter said a large hack two weeks ago targeted a small number of employees through a phone “spear-phishing” attack.
The social media platform said the hackers targeted about 130 accounts, tweeted from 45, accessed the inboxes of 36, and were able to download Twitter data from seven.
Attackers also targeted specific employees who had access to account support tools, Twitter said. The company added it has since restricted access to its internal tools and systems.
Twitter suffered a major security breach on 15 July that saw hackers take control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple.
The hack unfolded over the course of several hours, and in the course of halting it, Twitter stopped all verified accounts from tweeting – an unprecedented measure.
Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency.
Why this matters?
It is nearly always a lot easier for attackers to attack your users than it is to attack your systems. IT controls alone cannot protect against social engineering attacks so making sure your staff are trained so they don’t fall for social engineering attacks is a critical part of your defence.
Read more here: https://www.theguardian.com/technology/2020/jul/30/twitter-breach-hackers-spear-phishing-attack
Cyber-Criminals Continue to Exploit #COVID19 During Q2
Cyber-criminals’ exploitation of the COVID-19 pandemic to target individuals and businesses has continued unabated during the second quarter of 2020, according to one Cyber Security firm’s Q2 2020 Threat Report published today. The findings highlight how the crisis is defining the cybersecurity landscape in Q2 in a similar way as it did in Q1 after the pandemic first struck.
The firm observed a continuous focus on phishing using COVID-19 lures in this period. This included criminals taking advantage of the rise in online shopping that has occurred during the pandemic, with a 10-fold increase in phishing emails impersonating one of the world’s leading package delivery services found in comparison to Q1.
The shift to remote working as a result of the pandemic has also led to increased targeting of Remote Desktop Protocol’s in recent months.
Ransomware tactics were found to be “rapidly developing” in this period, with operators moving away from doxing and random data leaking towards auctioning the stolen data on dedicated underground sites.
Why does this matter?
The Coronavirus crisis gave criminals an efficient lure to bait phishing emails with and for as long as it is working they will continue to exploit this crisis. It’s like we always say “cyber criminals will never let a good crisis or tragedy go to waste”
Read more here: https://www.infosecurity-magazine.com/news/cyber-criminals-exploit-covid/
FBI Releases Flash Alert on Netwalker Ransomware
The US Federal Bureau of Investigations (FBI) released a flash alert in which it warned organisations about the dangers of Netwalker ransomware.
The FBI said that it had received notifications of attacks involving Netwalker against U.S. and foreign government organisations along with entities operating in the healthcare and education sectors.
In its alert, the FBI noted that those responsible for Netwalker had used COVID-19 phishing emails and unpatched vulnerabilities affecting VPN apps to gain entry into an organisation. The malicious actors had then used their crypto-malware to harvest administrator credentials and steal data from their victims. Ultimately, the attackers uploaded that stolen information to a file-sharing service.
Once they had come into possession of a victim’s data, the nefarious individuals activated the ransomware’s encryption routine. This step led the threat to encrypt all connected Windows-based devices and information before dropping a ransom note on the infected machine.
Why does this matter?
Ransomware remains one of the biggest risks for all firms, organisations and individuals, and the majority of the time the ransomware infection will stem from a phishing email that a user within an organisation clicked on. As with all social engineering attacks IT controls alone are of limited effectiveness and defending against these attacks comes down to educating your users and instilling in them the importance of the role they play in defending an organisation.
Read more here: https://www.tripwire.com/state-of-security/security-data-protection/fbi-releases-flash-alert-on-netwalker-ransomware/
Garmin may have paid hackers ransom, reports suggest
Fitness wearable and Navtech supplier Garmin may have given in to the demands of cyber criminals who encrypted its systems with ransomware, according to news reports that suggest the firm has obtained a decryption key to recover its files, strongly suggesting it has either paid up, or brokered some kind of deal.
In a statement issued four days after its services first went offline, Garmin finally confirmed it had been the victim of a cyber attack, having previously limited its response to saying it was experiencing an outage. It has not yet confirmed it was the victim of a ransomware incident, although this is now all but certain.
A spokesperson said: “Garmin today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer-facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation,” said the firm.
“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.
Why does this matter?
Ransomware can affect firms of any size, from the smallest to the largest, no firm or organisation is immune and even firms that are spending millions or tens of millions on advanced protections and controls can still fall victim. These types of attacks go after the people working for an organisation, not the organisations technical infrastructure and technical controls are of limited use in defending against these types of attacks. An organisation needs to ensure their users are efficient at spotting phishing emails, it only takes one user clicking on one malicious email to take down a multinational corporation.
Read more here: https://www.computerweekly.com/news/252486775/Garmin-may-have-paid-hackers-ransom-reports-suggest
Cyber-security agencies from the UK and the US say 62,000 QNAP NAS devices have been infected with the QSnatch malware
The UK NCSC and US CISA published a joint security alert this week about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.
In alerts by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.
Of these, CISA and the NSCS say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK.
Why this matters?
Vulnerable devices can be used to steal credentials (usernames and passwords) and exfiltrate information from devices on the network. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited.
Read more here: https://www.zdnet.com/article/cisa-says-62000-qnap-nas-devices-have-been-infected-with-the-qsnatch-malware/
Hackers actively exploit high-severity networking vulnerabilities
Hackers are actively exploiting two unrelated high-severity vulnerabilities that allow unauthenticated access or even a complete takeover of networks run by FTSE100/Fortune 500 companies and government organisations.
The most serious exploits are targeting a critical vulnerability in F5’s Big-IP advanced delivery controller, a device that’s typically placed between a perimeter firewall and a Web application to handle load balancing and other tasks. The vulnerability, which F5 patched three weeks ago, allows unauthenticated attackers to remotely run commands or code of their choice. Attackers can then use their control of the device to hijack the internal network it’s connected to.
Why this matters?
Vulnerable devices such as this can be used to gain access to internal networks. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited. When a vendor releases updates they should be installed as soon as possible, ideally having been tested before updates are applied in your live environment.
Read more here: https://arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/
27% of consumers hit with pandemic-themed phishing scams
Phishing is the top digital fraud scheme worldwide related to the COVID-19 pandemic, according to new research.
Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.
Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.
To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. have been surveyed between June 30 and July 6, 2020.
It asked the consumers if they had been targeted by digital COVID-19 fraud and if so, which digital fraud scheme(s) related to COVID-19 were they targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19 with the below being the top types of COVID-19 fraud they faced:
Top global online COVID-19 scams targeting consumers:
Why this matters?
Whatever works for criminals they will continue doing. Until consumers, as well as businesses, get better at detecting these scams and get better at spotting phishing emails criminals will carry on using the latest crisis or tragedy to get users to click on malicious emails and open their networks to attackers.
Read more here: https://www.helpnetsecurity.com/2020/07/24/pandemic-themed-phishing-scams/
New Netflix phishing scam uncovered - here’s how to stay safe
Security analysts have uncovered a dangerous and highly convincing new Netflix phishing scam, capable of evading traditional email security software.
The phishing email masquerades as a billing error alert, pressing the victim to update their payment details within 24 hours or have their Netflix subscription voided.
The link provided in the email redirects to a functioning CAPTCHA form, used in legitimate scenarios to distinguish between humans and AI. Although this step adds a layer of friction to the process, it serves to enhance the sense of legitimacy the attacker is attempting to cultivate.
After handing over account credentials, billing address and payment card information, the victim is then redirected to the genuine Netflix home page, unaware their data has been compromised.
Why does this matter?
Phishing campaigns like this cast a wide net and only need a small number of victims to fall for it to turn a profit, and that means these types of scams are not going to go away any time soon. If no one fell for them they would stop. Always question any email that urges you to take action quickly under the guise of some threat.
Read more here: https://www.techradar.com/news/dangerous-new-netflix-phishing-scam-hits-the-scene-heres-what-you-need-to-know
Cyber Weekly Flash Briefing 19 June 2020: Widespread Office 365 phishing attacks, new cyber storm as businesses reopen, cyber spies use LinkedIn, largest ever DDoS attack, Ripple20 IoT vulns
Cyber Weekly Flash Briefing 19 June 2020: Widespread Office 365 phishing attacks, new cyber storm as businesses reopen, cyber spies use LinkedIn, largest ever DDoS attack, Ripple20 IoT vulns
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:
Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers
Over the last few years, the adoption of Office 365 in the corporate sector has significantly increased. Its popularity has attracted the attention of cyber criminals who launch phishing campaigns specifically to attack the platform. As 90% of cyber-attacks start with a phishing campaign, Office 365 is an attractive target for threat actors who work to evade the continuously introduced security solutions.
Recently, a seemingly unsophisticated Office 365 phishing campaign caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365 themed phishing website. The hackers took advantage of the fact that access to a reputable domain, such as Samsung’s, would not be blocked by security software.
To expand their campaign, the attackers also compromised several websites to inject a script that imitates the same mechanism offered by the Adobe redirection service. Further investigation revealed that the actors behind the campaign implemented a few other interesting tricks to hide the phishing kit and avoid detection at each stage of the attack.
Read more here: https://research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/
Guernsey Police warn businesses in Guernsey using Office 365 also targeted by scammers
Guernsey Police are warning local businesses about an online scam targeting users of Office 365.
Officers have been in contact with several businesses using the service who have fallen victim to phishing scams which have allowed hackers access to their email inbox.
The hackers then distribute malicious links to their contacts.
Police say using multi-factor authentication can help keep personal data safe.
Anyone who receives an unexpected email from someone they trust containing a link should contact them directly to make sure they sent it.
As Businesses Reopen, A New Storm Of Cybercrime Activity Looms
There is nothing ordinary about the amount of disruption that will impact our lives moving forward as countries and states reopen following the coronavirus pandemic. In the context of the cloud, disruptions caused by COVID-19 have opened the door to another type of virus: cybersecurity threats. Today we are witnessing a rapid rise of opportunistic cybercriminal activity taking advantage of the chaos created by COVID-19.
Focal concerns about economic recovery and a potential second wave of human infection are abounding. Still, the concern for many companies should also include heightened cybersecurity threats that can easily break companies before they have a chance to relaunch. For the many companies that are already fighting to remain afloat due to challenges faced during COVID-19, a cybersecurity breach could quickly mean the end. As businesses navigate this “new normal,” they must address weaknesses in their IT strategies exposed by COVID-19 and consider implementing a better preparedness plan to avoid long-term damage.
Microsoft: COVID-19 malware attacks were barely a blip in total malware volume
Microsoft says that despite all the media headlines over the past few months, malware attacks that abused the coronavirus (COVID-19) theme have barely been a blip in the total volume of threats the company sees each month.
These COVID-19 attacks included emails carrying malicious file attachments (also referred to as malspam) and emails containing malicious links that redirect users to phishing sites or malware downloads.
According to Microsoft's Threat Protection Intelligence Team, the first attacks abusing a COVID-19 lure started after the World Health Organization (WHO) declared COVID-19 a global pandemic on January 30.
As the world yearned to learn more about this new disease, attacks intensified, and they peaked in March when most of the world's countries enforced stay-at-home measures.
"The week following [the WHO] declaration saw these attacks increase eleven-fold," Microsoft said. "By the end of March, every country in the world had seen at least one COVID-19 themed attack."
Cyber spies use LinkedIn to hack European defence firms
LONDON (Reuters) - Hackers posed as recruiters working for U.S. defence giants Collins Aerospace and General Dynamics (GD.N) on LinkedIn to break into the networks of military contractors in Europe, cyber security researchers said on Wednesday.
The cyber spies were able to compromise the systems of at least two defence and aerospace firms in Central Europe last year by approaching employees with pseudo job offers from the U.S. firms.
The attackers then used LinkedIn’s private messaging feature to send documents containing malicious code which the employees were tricked into opening.
The researcher declined to name the victims, citing client confidentiality, and said it was unclear if any information was stolen. General Dynamics and Collins Aerospace, which is owned by Raytheon Technologies RTX.N, declined immediate comment.
The researchers were unable to determine the identity of the hackers but said the attacks had some links to a North Korean group known as Lazarus, which has been accused by U.S. prosecutors of orchestrating a string of high-profile cyber heists on victims including Sony Pictures and the Central Bank of Bangladesh.
Read more here: https://uk.reuters.com/article/us-cyber-linkedin-hacks/cyber-spies-use-linkedin-to-hack-european-defence-firms-idUKKBN23O2L7
Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'
Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”
Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis, but not-compulsory step, of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.
But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.
Read more here: https://www.theregister.com/2020/06/19/australia_state_cyberattack/
Google removes 106 Chrome extensions for collecting sensitive user data
Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data.
The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published this week.
These extensions posed as tools to improve web searches, convert files between different formats, as security scanners, and more.
But in reality the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).
Read more here: https://www.zdnet.com/article/google-removes-106-chrome-extensions-for-collecting-sensitive-user-data/
AWS stops largest DDoS attack ever
Amazon has revealed that its AWS Shield service was able to mitigate the largest DDoS attack ever recorded at 2.3 Tbps back in February of this year.
The company's new AWS Shield Threat Landscape report provided details on this attack and others mitigated by its AWS Shield protection service.
While the report did not identify the AWS customer targeted in the DDoS attack, it did say that the attack itself was carried out using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and lasted for three days.
https://www.techradar.com/news/aws-stops-largest-ddos-attack-ever
Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices
Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centres, power grids, and elsewhere.
The flaws, dubbed Ripple20, includes multiple remote code execution vulnerabilities and affects "hundreds of millions of devices (or more)."
Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.
"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.
Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.
Read more: https://www.infosecurity-magazine.com/news/ripple20-vulnerabilities-discovered/
Unpatched vulnerability identified in 79 Netgear router models
A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.
The vulnerability has been discovered by two security researchers independently, namely Adam Nichols from cyber-security GRIMM and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT.
According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.
This lack of proper security protections opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.
More here: https://www.zdnet.com/article/unpatched-vulnerability-identified-in-79-netgear-router-models/
New Mac malware uses 'novel' tactic to bypass macOS Catalina security
Security researchers have discovered a new Mac malware in the wild that tricks users into bypassing modern macOS app security protections.
In macOS Catalina, Apple introduced new app notarization requirements. The features, baked in Gatekeeper, discourage users from opening unverified apps — requiring malware authors to get more creative with their tactics.
As an example, researchers have discovered a new Trojan horse malware actively spreading in the wild via poisoned Google search results that tricks users into bypassing those protections themselves.
The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer. But once it's mounted on a user's machine, it displays instructions guiding users through the malicious installation process.
Cyber Weekly Flash Briefing 15 May 2020: Attacks on UK up 30% in Q1, 238% surge against banks, Microsoft fixes 111 vulns, Adobe patches 36 vulns, Thunderspy, 73m user records for sale on dark web
Cyber Weekly Flash Briefing 15 May 2020: Attacks on UK up 30% in Q1, 238% surge against banks, Microsoft fixes 111 vulns, Adobe patches 36 vulns, Thunderspy, 73m user records for sale on dark web
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber-Attacks on UK Organisations Up 30% in Q1 2020
New research has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020.
Analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute.
This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.
IoT applications were cited as the most common targets for cyber-criminals in the first quarter, attracting almost 19,000 online attacks per company. Company databases and file-sharing systems were also targeted frequently, with companies experiencing approximately 5000 attacks for each application, on average.
Read more here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-orgs-up-30-q1/
COVID-19 blamed for 238% surge in cyber attacks against banks
The coronavirus pandemic has been connected to a 238% surge in cyber attacks against banks, new research claims.
On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyber attack attempts between February and April this year -- the same months in which COVID-19 began to spread rapidly across the globe.
The cyber security firm's research, which includes input from 25 CIOS at major financial institutions, adds that 80% of firms surveyed have experienced more cyber attacks over the past 12 months, an increase of 13% year-over-year.
VMware Carbon Black data already indicates that close to a third -- 27% -- of all cyber attacks target either banks or the healthcare sector.
An interesting point in the report is how there appears to have been an uptick in financially-motivated attacks around pinnacles in the news cycle, such as when the US confirmed its first case of COVID-19.
In total, 82% of chief information officers contributing to the report said that alongside a spike in attacks, techniques also appear to be improving -- including the use of social engineering and more advanced tactics to exploit not only the human factor but also weak links caused by processes and technologies in use by the supply chain.
Read more here: https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/
May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical
Microsoft's May 2020 Patch Tuesday fell this week, and Microsoft have released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low.
This month there are no zero-day or unpatched vulnerabilities.
Users should install these security updates as soon as possible to protect Windows from known security risks.
Read more here: https://www.bleepingcomputer.com/news/microsoft/may-2020-patch-tuesday-microsoft-fixes-111-vulnerabilities-13-critical/
Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat
Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software.
On Tuesday, the software giant issued two security advisories (1, 2) detailing the bugs, the worst of which can be exploited by attackers to trigger remote code execution attacks and information leaks.
The first set of patches relate to Adobe Acrobat and Reader for Windows and macOS, including Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.
In total, 12 critical security flaws have been resolved. Six of the bugs, a single heap overflow problem, two out-of-bounds write errors, two buffer overflow issues, and two use-after-free vulnerabilities can all lead to arbitrary code execution in the context of the current user.
Read more here: https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/
Thunderbolt flaw ‘Thunderspy’ allows access to a PC’s data in minutes
Vulnerabilities discovered in the Thunderbolt connection standard could allow hackers to access the contents of a locked laptop’s hard drive within minutes, a security researcher from the Eindhoven University of Technology has announced. Reports state that the vulnerabilities affect all Thunderbolt-enabled PCs manufactured before 2019.
Although hackers need physical access to a Windows or Linux computer to exploit the flaws, they could theoretically gain access to all data in about five minutes even if the laptop is locked, password protected, and has an encrypted hard drive. The entire process can reportedly be completed with a series of off-the-shelf components costing just a few hundred dollars. Perhaps most worryingly, the researcher says the flaws cannot be patched in software, and that a hardware redesign will be needed to completely fix the issues.
Read more here: https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops
A hacker group is selling more than 73 million user records on the dark web
A hacker group going by the name of ShinyHunters claims to have breached ten companies and is currently selling their respective user databases on a dark web marketplace for illegal products.
The hackers are the same group who breached last week Tokopedia, Indonesia's largest online store. Hackers initially leaked 15 million user records online, for free, but later put the company's entire database of 91 million user records on sale for $5,000.
Encouraged and emboldened by the profits from the Tokopedia sale, the same group has, over the course of the current week, listed the databases of 10 more companies.
This includes user databases allegedly stolen from organizations such as:
· Online dating app Zoosk (30 million user records)
· Printing service Chatbooks (15 million user records)
· South Korean fashion platform SocialShare (6 million user records)
· Food delivery service Home Chef (8 million user records)
· Online marketplace Minted (5 million user records)
· Online newspaper Chronicle of Higher Education (3 million user records)
· South Korean furniture magazine GGuMim (2 million user records)
· Health magazine Mindful (2 million user records)
· Indonesia online store Bhinneka (1.2 million user records)
· US newspaper StarTribune (1 million user records)
The listed databases total for 73.2 million user records, which the hacker is selling for around $18,000, with each database sold separately.
Read more here: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
A cybercrime store is selling access to more than 43,000 hacked servers
MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018.
Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.
Today, MagBo has become the de-facto go-to marketplace for many cybercrime operations. Some groups register on the MagBo platform to sell hacked servers, while others are there just to buy.
Those who buy, do it either in bulk (for black-hat SEO or for malware distribution) or selectively, for intrusions at high-value target (e-commerce stores for web skimming, intranets for ransomware).
All in all, the MagBo platform cannot be ignored anymore, as it appears to be here to stay, and is placing itself at the heart of many of today's cybercrime operations.
Ransomware: Why paying the crooks can actually cost you more in the long run
Ransomware is so dangerous because in many cases the victim doesn't feel like they have any other option other than to pay up – especially if the alternative is the whole organisation being out of operation for weeks, or even months, as it attempts to rebuild the network from scratch.
But handing over a bitcoin ransom to cyber criminals can actually double the cost of recovery according to analysis by researchers at Sophos, published in the new State of Ransomware 2020 report, which has been released three years to the day from the start of the global WannaCry ransomware outbreak.
A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
Often, this is because retrieving the encryption key from the attackers isn't a simple fix for the mess they created, meaning that not only does the organisation pay out a ransom, they also have additional costs around restoring the network when some portions of it are still locked down after the cyber criminals have taken their money.
According to the report, one in four organisations said they paid the ransom in order to get their files back. It's one of the key reasons why ransomware remains a successful tactic for crooks, because victims pay up – often sums of six-figures or more – and are therefore encouraging cyber criminals to continue with attacks that often can't be traced back to a culprit.
Read the full article here: https://www.zdnet.com/article/ransomware-why-paying-the-crooks-can-actually-cost-you-more-in-the-long-run/
This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones
A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.
Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.
The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.
The full capabilities of Mandrake – which has been observed targeting users across Europe and the Americas – are detailed in a paper released by cybersecurity researchers this week. Mandrake has been active since 2016 and researchers previously detailed how the spyware operation was specifically targeting Australian users – but now it's targeting victims around the world.
Companies wrestle with growing cyber security threat: their own employees
Businesses deploy analytic tools to monitor staff as remote working increases data breach risk
As cyber criminals and hackers ramp up their attacks on businesses amid coronavirus-related disruption, companies are also facing another equally grave security threat: their own employees.
Companies are increasingly turning to Big Brother-style surveillance tools to stop staff from leaking or stealing sensitive data, as millions work away from the watchful eyes of their bosses and waves of job cuts leave some workers disgruntled.
In particular, a brisk market has sprung up for cyber security groups that wield machine learning and analytics to crunch data on employees’ activity and proactively flag worrying behaviours.
Read more here: https://www.ft.com/content/cae7905e-ced7-4562-b093-1ab58a557ff4
Cognizant: Ransomware Costs Could Reach $70m
IT services giant Cognizant has admitted that a ransomware attack it suffered back in April may end up costing the company as much as $70m.
The firm announced revenue of $4.2bn for the first quarter of 2020, an increase of 2.8% year-on-year. In this context, the $50-70m hit it expects to take in Q2 from the ransomware attack will not make a huge impact on the company.
However, the big numbers involved are illustrative of the persistent financial threat posed by ransomware, not to mention the reputational impact on customers.
The firm claimed on an earnings call that the company responded immediately to the threat, proactively taking systems offline after some internal assets were compromised. However, the resulting downtime and suspension of some customer accounts took their toll financially.
“Some clients opted to suspend our access to their networks,” they explained. “Billing was therefore impacted for a period of time, yet the cost of staffing these projects remained on our books.”
Remote workers were also affected as the attack hit the firm’s system for supporting its distributed workforce during the current pandemic.
Read more: https://www.infosecurity-magazine.com/news/cognizant-ransomware-costs-could/
Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months
Package and mail delivery giant Pitney Bowes has suffered a second ransomware attack in the past seven months, ZDNet has learned.
The incident came to light earlier in the week after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company's network.
The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company's computer network.
Pitney Bowes confirmed the incident stating they had detected a security incident related to Maze ransomware.
The company said it worked with third-party security consultants to take steps to stop the attack before any of its data was encrypted.
This is the second ransomware incident for Pitney Bowes in seven months.
In October 2019, Pitney Bowes disclosed a first ransomware attack. At the time, the company said it had some critical systems infected and encrypted by the Ryuk ransomware gang. The incident caused limited downtime to some package tracking systems.
Both the Ryuk and Maze ransomware gangs are what experts call "human-operated" ransomware strains. These types of ransomware infections take place after hackers breach a company's network, and take manual control of the malware to expand access to as many internal systems as possible before executing the actual ransomware to encrypt data and demand a ransom.
Read more here: https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/
Law Firm Representing Drake, Lady Gaga, Madonna And More Hit By Cyber Attack As Hackers Claim To Have Stolen Personal Information And Contracts
A law firm representing many of the world's most famous celebrities has been hacked.
The website of Grubman Shire Meiselas & Sacks has been taken offline, and hackers claim to have stolen some 756GB of data relating to its clients.
Singers, actors and other stars have worked with the law firm, according to old versions of its website, with more than 200 very high-profile celebrities and companies said to have used its services.
They include Madonna, Lady Gaga, Elton John and Drake.
The hackers behind the attack claim to have person information on celebrities including letters, as well as official contracts.
Hackers have already released a purported screenshot of a Madonna contract in an attempt to prove they have access to personal files.
It is not known what the hackers are demanding in return for the files, or whether negotiations are ongoing.
"We can confirm that we've been victimised by a cyber-attack," the firm said in a media statement. "We have notified our clients and our staff.
"We have hired the world's experts who specialise in this area, and we are working around the clock to address these matters."
The hack used a piece of software known as REvil or Sodinokibi. Similar software took foreign exchange company Travelex offline in January, as part of a major hack.
Traditionally, such ransomware has been used to lock down computers and demand money from their owners to unlock them again, and grant access to files.
Increasingly, hackers threaten to release those files to the public if their demands are not met.
Read the original article: https://www.independent.co.uk/life-style/gadgets-and-tech/news/celebrity-hack-law-firm-cyber-attack-drake-madonna-lady-gaga-a9511976.html
Lights stay on despite cyber-attack on UK's electricity system
Britain’s energy system has fallen victim to a cyber-attack targeting the IT infrastructure used to run the electricity market.
The electricity system’s administrator, Elexon, confirmed that it was affected by a cyber-attack on Thursday afternoon but that the key systems used to govern the electricity market were not affected.
National Grid is investigating whether the attack could affect the part of its business tasked with keeping the lights on.
A spokesman for the energy system operator said electricity supplies had not been affected, and there were “robust cybersecurity measures in place” to make sure the UK continues to receive reliable electricity.
“We’re aware of a cyber intrusion on Elexon’s internal IT systems. We’re investigating the matter and any potential impact on our own IT networks,” he said.
Elexon is a vital part of the UK electricity market because it carefully monitors the electricity generated by energy companies to match this with what National Grid expects to receive, and to make sure that generators are paid the correct amount for the energy they generate.
Cyber Weekly Flash Brief 08 May 2020: Predatory Cyber Criminals & Hostile States Target Uk, Ransomware Payments Up, New Phishing Attack, Remote Accounts Attacked, Legal Docs Exposed, Samsung Vulns
Cyber Weekly Flash Briefing 08 May 2020: Predatory cyber criminals & hostile states target UK, ransomware payments up, new phishing attack, remote accounts attacked, legal docs exposed, Samsung vulns
If you’re pressed for time watch the 60 second quick fire summary of the top cyber and infosec stories from the last week:
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Coronavirus: ‘Predatory’ cyber criminals and hostile states targeting UK citizens and institutions, Dominic Raab warns UK
Dominic Raab has warned that “predatory” cyber criminals and hostile states are seeking to exploit the coronavirus pandemic, saying that UK citizens, businesses and institutions will be targeted for weeks and months ahead.
His remarks follow a joint warning from cyber security agencies in Britain and the US, urging healthcare and medical research staff to improve their password security to prevent criminals exploiting the crisis further.
Speaking at No 10 earlier in the week, Mr Raab said that while the vast majority of people and countries had rallied together, “there will always be some who seek to exploit a crisis for their own criminal and hostile ends”.
The foreign secretary said he was aware that cyber criminals and “other malicious groups” are targeting individuals and organisations in the UK by deploying Covid-19 related scams and phishing emails.
“That includes groups that in the cyber security world are known as advanced persistent threat (APT) groups – sophisticated groups of hackers who try to breach computer systems,” he said.
“We have clear evidence now that these criminal gangs are actively targeting national and international organisations which are responding to the Covid-19 pandemic, which I have to say makes them particular dangers and venal at this time.”
Read the full article here: https://www.independent.co.uk/news/uk/politics/coronavirus-cyber-crime-hack-business-dominic-raab-a9500316.html
New phishing attack targeting Microsoft Teams users aims to steal Office 365 credentials
Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees are working from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to help enhance functionality. While the communication of new features is a given, a new phishing attack that mimics notifications from the Redmond giant is being targeted at Teams users.
The specifics of the attack suggests that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the email notifications impersonate automated notification emails from Teams that are convincing enough owing to the content and design. The sender email comes from the “sharepointonline-irs.com” domain, something that is misleading and one that is not owned by Microsoft.
Read more here: https://www.neowin.net/news/new-phishing-attack-targeting-microsoft-teams-users-aims-to-steal-office-365-credentials
Ransomware Payments Surge 33% as Attacks Target Remote Access
The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organisations struggled to mitigate remote working threats.
A security vendor analysed ransomware cases handled by its own incident response team during the period to compile its latest findings.
It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.
Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.
Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.
Read the full article here: https://www.infosecurity-magazine.com/news/ransomware-payments-surge-33/
Millions of remote desktop accounts attacked every week
Since the start of the outbreak, we've seen cyber criminals target Zoom and spread coronavirus-related phishing campaigns, in a bid to take advantage of the increase in remote working.
Now, new research suggests criminals are also targeting employees reliant on Microsoft's proprietary Remote Desktop Protocol (RDP) with far greater regularity.
According to this new report, hundreds of thousands of employees use RDP as a way to remotely connect to their office computer with the same privileges they would have on site.
However, RDP is also an enticing target for criminals, who are reportedly bombarding the service with brute-force attacks in a bid to gain entry.
Prior to the coronavirus pandemic, researchers typically recorded around 100,000–150,000 attacks of this kind per day, but that number has shot up to almost a million.
Read more: https://www.itproportal.com/news/millions-of-remote-desktop-accounts-are-being-attacked-ever-week/
This phishing campaign targets executives with fake emails from their phone provider
A new spear-phishing campaign has targeted executives and others in attempt to steal login credentials and bank account details by posing as their smartphone provider.
Uncovered by researchers, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.
The security company said the spoof mail had been sent to "a few executives, including one at a leading financial firm".
The messages come with the vague subject 'View Bill – Error – Message' and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should login to their account to update their details.
Users should be cautious about unexpected messages like this – especially, if like this one, they urge some sort of immediate action – but there's also some elements of the phishing email that should act as a warning that all is not right.
Read more here: https://www.zdnet.com/article/this-phishing-campaign-targets-executives-with-fake-emails-from-their-phone-provider/
This ransomware spreads across hundreds of devices in no time at all
The LockBit ransomware contains a feature that allows attackers to encrypt hundreds of devices in just a few hours once they've breached a corporate network.
LockBit is a fairly new Ransomware-as-a-Service (RaaS) that was launched in September of last year. The developers of the ransomware are in charge of maintaining its payment site and updates while affiliates sign up to distribute the malware. LockBit's developers then earn around 25-40 percent of the ransom payments received while the affiliates earn a slightly larger share at 60-75 percent.
Researchers have published a report revealing how a LockBit ransomware affiliate hacked into a corporate network and encrypted 25 servers and 255 workstations in just three hours.
The hackers began their attack by brute-forcing an administrator account through an outdated VPN service. This gave them the administrative credentials they needed in order to deploy the LockBit ransomware on the network.
Read more: https://www.techradar.com/news/this-ransomware-spreads-across-hundreds-of-devices-in-no-time-at-all
Data security flaw exposes details of thousands of legal documents
A data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years in an online database, potentially affecting the clients of about 190 law firms.
The cache of documents, which included Companies House property transaction forms containing authentication details such as email addresses and passwords, had been scanned and uploaded by legal firms — including three of the “magic circle” — using a product from Advanced Computer Software, Britain’s third-largest software company.
Advanced, said in a statement: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.”
Leaving a security hole open for an extended period of time exposing authentication and other details was serious.
Though the exposure of legal documents is of a different scale to recent incidents — including at Virgin Media and British Airways — involving much larger customer databases, the inclusion of authentication information raised concerns about the potential impact if the exposed data fell into the wrong hands.
Read more here: https://www.ft.com/content/e0d6b6b7-825f-4102-b78f-204e1be205b6
Vulnerabilities in two VPNs opened door to fake, malicious updates
Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.
Attackers can intercept VPN communications and force the apps to download fake updates according to the researchers who discovered the flaws.
The researchers stated they were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe – have a lot of users trusting these tools to provide them with more security and privacy, not less.
Read more here: https://www.scmagazine.com/home/security-news/vulnerabilities-in-two-vpns-opened-door-to-fake-malicious-updates/
Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected
The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.
A hacker group tried to hijack 900,000 WordPress sites over the last week
A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued this week.
Since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic being tracked.
The group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites.
The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.
Read the full article here: https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/
Popular adult streaming site just accidentally outed millions of users
Adult live streaming platform CAM4 has suffered a massive data breach, exposing the identity of millions of its users.
Discovered by security researchers, the breach was caused by a server configuration error that made 7TB of user data (comprising 10.88 billion records in total) easily discoverable online.
While the misconfigured ElasticSearch database did not betray users’ specific sexual preferences, it did include personally identifiable information including names, email addresses, payment details, chat logs and sexual orientation.
The popular adult platform is used primarily by amateur webcam models to stream explicit content to live audiences. To gain access to premium content or tip performers, users must first register with the site - parting ways with both personal and financial data.
Read more here: https://www.techradar.com/news/this-popular-adult-streaming-site-accidentally-outed-millions-of-users
Hacker Group Selling Databases With Millions Of User Credentials Busted In Poland And Switzerland
Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud.
On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. Two platforms with databases containing over 170 million entries were closed down by the police.
The hacking group created online platforms to sell user login credentials known as ‘combos’. The group was efficiently organised into three defined teams. Developers created tools to test the quality of the stolen databases, while testers analysed the suitability of authorisation data. Project managers then distributed subscriptions against cryptocurrency payments.
The hacking group’s main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.
Read more here: https://www.europol.europa.eu/newsroom/news/hacker-group-selling-databases-millions-of-user-credentials-busted-in-poland-and-switzerland
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
60 second video flash briefing
UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors
A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.
Read more here: https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory
Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf
Travelex paid $2.3M in Bitcoin to get its systems back from hackers
Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.
The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.
Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.
Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.
Travelex‘ operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.
At the time, BBC claimed that Travelex‘ attackers had demanded $6 million worth of Bitcoin to unlock its systems.
Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess
The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.
The company announced that it’s taking help from CISOs to improve the security and patch the flaws in the app. Zoom will be taking help from CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.
Read more here: https://mspoweruser.com/zoom-ciso-hires-ex-facebook-cso-clean-its-mess/
Researchers discover IoT botnet capable of launching various DDoS attacks
Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.
According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.
Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.
Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.
Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/
Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees
Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.
Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.
“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”
Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/
Stolen Zoom account credentials are freely available on the dark web
Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom account have been found on the dark web.
The credentials were hardly hidden -- aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.
Read more: https://betanews.com/2020/04/08/zoom-account-credentials-dark-web/
Shadow IT Represents Major #COVID19 Home Working Threat
Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.
A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.
It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.
These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.
Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.
These challenges are only going to grow, according to the research.
Read more here: https://www.infosecurity-magazine.com/news/shadow-it-covid19-home-working/
'Unkillable' Android malware gives hackers full remote access to your phone
Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.
A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.
The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.
Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.
xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.
Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android
BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.
The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.
The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.
Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).
More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats
Bot traffic fueling rise of fake news and cybercrime
The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.
At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.
A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.
According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.
The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.
Read more here: https://www.techradar.com/news/bot-traffic-fueling-rise-of-fake-news-and-cybercrime
Our Top Tips for Small Businesses During the Coronavirus Crisis
In collaboration with the new Guernsey Startup Hub these are our top tips for small businesses to help keep them secure online at this difficult time
In collaboration with the new Guernsey Startup Hub these are our top tips for small businesses to help keep them secure online at this difficult time
Cyber Weekly Flash Briefing 03 April 2020 – GFSC warn over increased fraud & cybercrime, attacks up 37% in a month, criminals sending USB devices in post, Zoom phishers register 2000 domains
Cyber Weekly Flash Briefing for 03 April 2020 – GFSC warns over increased risk of fraud and cyber crime, Attacks Up 37% over last month, criminals sending USB device in post, Zoom Phishers Register 2000 Domains in a Month, increase in DDoS attacks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
GFSC warns over increased risk of fraud and cyber crime
The GFSC has put out a warning to regulated firms on the Island around increased likelihood of fraud and other cyber crimes as a result of the COVID-19 pandemic.
The Commission has stated that they expect licensees to apply effective controls, including having suitable controls to prevent cybercrime.
Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites
Online threats have risen by as much as six-times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks.
Analysis of UK traffic figures for the past four weeks compared to the previous month noted a sharp uptick in malicious activity.
Hacking and phishing attempts were up 37% month-on-month, while on some days, there were between four- and six-times the number of attacks it would usually see.
More here: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/
Cybercrime spikes during coronavirus pandemic, says Europol
Just like everyone else in the face of a pandemic, criminals seem to be staying home — but they're just turning to different methods to make a buck.
That's the message from a new Europol report out this week, which reveals that criminals are adapting to exploit the global chaos.
While many police departments are reporting a lull in physical crime, other types of crime are having a heyday — and those numbers are only expected to increase.
Europol identified cybercrime, fraud, counterfeit goods and organised property crime as categories of particular concern.
Read more here: https://www.euronews.com/2020/03/27/cybercrime-spikes-during-coronavirus-pandemic-says-europol
Cybercriminal group mails malicious USB dongles to targeted companies
Security researchers have come across an attack where an USB dongle was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time it's a known sophisticated cybercriminal group who is likely behind it.
The attack was analysed after a US company in the hospitality sector received the USB sometime in mid-February.
The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer. "You can spend it on any product from the list of items presented on an USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.
Top Email Protections Fail in Latest COVID-19 Phishing Campaign
Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.
New phishing attacks were discovered that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area.
The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to the report.
More: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/
Zoom Phishers Register 2000 Domains in a Month
Over 2000 new phishing domains have been set up over the past month to capitalise on the surging demand for Zoom from home workers, according to new data.
The report analysed data from a threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.
The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.
With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.
Nearly a third (30%) of the new “Zoom” websites spotted activated an email server which indicates these domains are being used to facilitate phishing attacks.
More here: https://www.infosecurity-magazine.com/news/zoom-phishers-register-2000/
Across-the-board increase in DDoS attacks of all sizes
There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to a report.
DDoS attacks grew across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.
In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.
However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.
Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.
More here: https://www.helpnetsecurity.com/2020/03/27/ddos-attacks-increase-2020/
Cybersecurity insurance firm Chubb investigates its own ransomware attack
A notorious ransomware gang claims to have successfully compromised the infrastructure of a company selling cyber insurance.
The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.
The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.
Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.
Read the full article here: https://hotforsecurity.bitdefender.com/blog/cybersecurity-insurance-firm-chubb-investigates-its-own-ransomware-attack-22753.html
Ransomware Payments on the Rise
More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.
New research published this week shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.
The report states 62% of organisations were victimised by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.
Read the full article here: https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments/
Marriott hit by second data breach exposing “up to” 5.2 million people
Hotel chain Marriott International this week announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
The hotel company has stressed that not all data was exposed for each person.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.
More here: https://www.verdict.co.uk/marriott-second-data-breach/
Lawyers urged to switch off Alexa when working from home
Law firms are warning their employees to turn off their smart speakers while working from home due to security concerns.
Smart speakers such as Amazon’s Echo series and Google’s Nest range have become wildly popular in Britain with an estimated 34pc of households now using them.
But privacy and security experts have repeatedly said the devices may pose a security threat and now law firms have advised staff not to disclose sensitive details when they are in use nearby.
A spokesman from one firm of solicitors said that that hackers could access sensitive details through the speakers, telling their staff to check the default settings on the speaker and to the extent that you can, switch them off during the working day.
More here: https://www.telegraph.co.uk/technology/2020/03/30/lawyers-urged-switch-alexa-working-home/
Cyber Weekly Flash Briefing for 27 March 2020 – Half of UK firms suffer breach last year, COVID19 drives phishing up 667%, WHO targeted, Windows zero-day, ransom refuser’s data published online
Cyber Weekly Flash Briefing for 27 March 2020 – Half of UK firms suffer breach last year, COVID19 drives phishing up 667%, WHO targeted, Windows zero-day, ransom refuser’s data published online
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Flash Briefing 60 second video version
The Importance of Maintaining Good Cyber Hygiene During the Coronavirus Crisis
Businesses are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going.
At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down.
‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user.
Read more here: https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/
Half of all UK Firms and Three-Quarters of Large Firms Suffered Security Breach Last Year
Nearly half (46%) of UK firms reported suffering a security breach or cyber-attack over the past year, an increase on previous years, but they are getting better at recovering from and deflecting such blows, according to the government.
The annual Cyber Security Breaches Survey revealed an increase in the overall volume of businesses reporting incidents, up from 32%. The number of medium (68%) and large (75%) businesses reporting breaches or attacks also jumped, from 60% and 61% respectively.
This puts the 2020 report’s findings in line with the first government analysis in 2017, it claimed.
Of those businesses that reported incidents, more are experiencing these at least three times a week than in 2017 (32% versus 22%).
The government also claimed that organisations are experiencing more phishing attacks (from 72% to 86%) whilst fewer are seeing malware (from 33% to 16%) than three years ago.
More here: https://www.infosecurity-magazine.com/news/threequarters-firms-security/
#COVID19 Drives Phishing Emails Up 667% in Under a Month
Phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.
A security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.
As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers
Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).
As well as the usual lures to click through for more information on the pandemic, some scammers are claiming to sell cures and/or face-masks, while others try to elicit investment in companies producing vaccines, or donations to fight the virus and provide support to victims.
This is a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people on mass when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time.
More here: https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/
Attackers exploiting critical zero-day Windows flaw
Microsoft has discovered a severe vulnerability in all supported versions of Windows, which enables criminals to remotely run malware – including ransomware – on a target machine.
According to the report, the security vulnerability has not been previously disclosed and there is currently no fix.
The “critical” vulnerability revolves around how the operating system handles and renders fonts. All it takes is for the victim to open or preview a malicious document, and the attacker can remotely run different forms of malware.
Microsoft said the vulnerability is being exploited in the wild, and different hacking groups are initiating “limited, targeted attacks”.
Although there is as yet no patch, the company announced a temporary workaround for affected Windows users, which involves disabling the Preview and Details panes in Windows explorers.
Read more here: https://www.itproportal.com/news/attackers-exploiting-critical-zero-day-windows-flaw/
WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike
The DarkHotel group could have been looking for information on tests, vaccines or trial cures.
The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.
A cyber security researcher told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and noted that he realised “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”
The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself. The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organisations that are uncommon for cybercriminals and this could suggest the actor or actors behind the attacks are more interested in gathering intelligence, rather than being financially motivated.
Read the full article here: https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/
Stolen data of company that refused REvil ransom payment now on sale
Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.
RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.
Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.
IT security report finds 97% of enterprise networks have suspicious network activity
A study using advanced network traffic analysis tools, found that 97% of the surveyed companies show evidence of suspicious activity in their network traffic and that 81% of the companies were being subject to malicious activity.
More here: https://www.techrepublic.com/article/it-security-report-finds-97-have-suspicious-network-activity/
Concern over Zoom video conferencing after MoD bans it over security fears
Concerns have been raised over the security of video conferencing service Zoom after the Ministry of Defence banned staff from using it.
Downing Street published pictures of Prime Minister Boris Johnson using the app to continue holding Cabinet meetings with senior MPs – where sensitive information like matters of national security are discussed – while observing rules on social distancing to curb the coronavirus outbreak.
But MoD staff were told this week that use of the software was being suspended with immediate effect while ‘security implications’ were investigated, with users reminded of the need to be ‘cautious about cyber resilience’ in ‘these exceptional times’.
One source commented that ‘it is astounding that thousands of MoD staff have been banned from using Zoom only to find a sensitive Government meeting like that of the Prime Minister’s Cabinet is being conducted over it’.
A message to MoD staff said: ‘We are pausing the use of Zoom, an internet-based video conferencing service, with immediate effect whilst we investigate security implications that come with it.’ The email added that a decision will then be made about whether to continue using the programme.
More here: https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/
Adobe issues emergency fix for file-munching bug
Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.
The file-deleting bug stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned that successful exploitation could lead to arbitrary file deletion.
To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.
More here: https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/
Emerging Chinese APT Group ‘TwoSail Junk’ Mounts Mass iPhone Surveillance Campaign
The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices.
A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers.
Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.
Read the full article here: https://threatpost.com/emerging-apt-mounts-mass-iphone-surveillance-campaign/154192/
New attack on home routers sends users to spoofed sites that push malware
A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.
The compromises are hitting Linksys routers and D-Link devices.
It remains unclear how attackers are compromising the routers. The researchers suspect that the hackers are guessing passwords used to secure routers’ remote management console when that feature is turned on. It was also hypothesized that compromises may be carried out by guessing credentials for users’ Linksys cloud accounts.
Russia’s FSB wanted its own IoT botnet
If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.
The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.
Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.
More here: https://nakedsecurity.sophos.com/2020/03/24/russias-fsb-wanted-its-own-iot-botnet/
Maintaining Good Cyber Hygiene during the Coronavirus Crisis - Guernsey Press 24 March 2020
With more of us working from home in the coronavirus crisis, there is evidence of increasing attacks by cyber criminals who are exploiting those unaware of the risks, according to Tony Cleal, director of Guernsey’s Black Arrow Cyber Consulting BUSINESSES are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going. At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down. ‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user. As an analogy, the easiest way for a criminal to get into someone’s home is to convince the resident to let them in, for example by pretending to repair an emergency gas leak. It doesn’t matter how good the window locks are, or how sophisticated the burglar alarm is; all they need to do is knock on the front door and be convincing. Thousands of coronavirus scam and malware sites are being created on a daily basis, and we see cyber criminals taking advantage of the crisis to get access to the organisation’s money and information’. That means companies and employees need to maintain good cyber hygiene when working from home, just as they do in the office. People behave differently at home, and are often less alert to information security risks than in the office. ‘We have seen Guernsey employees posting pictures on Facebook to show their new desk at home, but these pictures risk showing confidential documents on the table and screen. This is further evidence that cyber security is a business-wide risk that needs the aligned strength of people and culture, as well as business operations and technology’. Some smaller businesses consider cyber security to be more relevant for larger organisations. ‘Weakened defences will always be exploited, whether by biological viruses or malicious actors. 43% of cyber attacks hit smaller businesses, and a breach now on top of everything else would likely be catastrophic. Luckily, there are things you can do to protect yourself, even with limited resources; we can help ensure that the scarce money is spent wisely by addressing cyber security as a business-wide risk owned by the business leadership.’ Tony concluded: ‘Now more than ever, because of the disruption and changes to business practices, companies need to take appropriate steps to protect themselves against cyber-attacks. We are committed to helping improve cyber hygiene in Guernsey. This started when I used my experience in British Intelligence to lead the review of cyber security across the Bailiwick for the GFSC, which informed the forthcoming new standards. Now at Black Arrow we are reducing our prices during this crisis, to make cyber hygiene easier for all organisations; of course, charities and non-profits can continue to contact us for help free of charge.’ https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/
With more of us working from home in the Coronavirus crisis, there is evidence of increasing attacks by cyber criminals who are exploiting those unaware of the risks, according to Tony Cleal, Director of Guernsey’s Black Arrow Cyber Consulting
Businesses are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going.
At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down.
‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user. As an analogy, the easiest way for a criminal to get into someone’s home is to convince the resident to let them in, for example by pretending to repair an emergency gas leak. It doesn’t matter how good the window locks are, or how sophisticated the burglar alarm is; all they need to do is knock on the front door and be convincing. Thousands of coronavirus scam and malware sites are being created on a daily basis, and we see cyber criminals taking advantage of the crisis to get access to the organisation’s money and information’.
That means companies and employees need to maintain good cyber hygiene when working from home, just as they do in the office. People behave differently at home, and are often less alert to information security risks than in the office.
‘We have seen Guernsey employees posting pictures on Facebook to show their new desk at home, but these pictures risk showing confidential documents on the table and screen. This is further evidence that cyber security is a business-wide risk that needs the aligned strength of people and culture, as well as business operations and technology’.
Some smaller businesses consider cyber security to be more relevant for larger organisations.
‘Weakened defences will always be exploited, whether by biological viruses or malicious actors. 43% of cyber attacks hit smaller businesses, and a breach now on top of everything else would likely be catastrophic. Luckily, there are things you can do to protect yourself, even with limited resources; we can help ensure that the scarce money is spent wisely by addressing cyber security as a business-wide risk owned by the business leadership.’
Tony concluded: ‘Now more than ever, because of the disruption and changes to business practices, companies need to take appropriate steps to protect themselves against cyber-attacks. We are committed to helping improve cyber hygiene in Guernsey. This started when I used my experience in British Intelligence to lead the review of cyber security across the Bailiwick for the GFSC, which informed the forthcoming new standards. Now at Black Arrow we are reducing our prices during this crisis, to make cyber hygiene easier for all organisations; of course, charities and non-profits can continue to contact us for help free of charge.’
https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/
Cyber Weekly Flash Briefing for 20 March 2020 – Working from home brings security challenges, COVID-19 scams and malware, VPNs and MFA, broadband strain, critical patches
Cyber Weekly Flash Briefing for 20 March 2020 – Working from home brings security challenges, COVID-19 scams and malware, VPNs and MFA, broadband strain, critical patches
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Working from Home: COVID-19’s Constellation of Security Challenges
Organisations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.
As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.
As organisations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors
Read more here: https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/
Thousands of COVID-19 scam and malware sites are being created on a daily basis
Malware authors and fraudsters aren't letting a tragedy go to waste.
In the midst of a global coronavirus (COVID-19) pandemic, hackers are not letting a disaster go to waste and have now automated their coronavirus-related scams to industrial levels.
According to multiple reports, cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis.
Most of these sites are being used to host phishing attacks, distribute malware-laced files, or for financial fraud, for tricking users into paying for fake COVID-19 cures, supplements, or vaccines.
EU warns of broadband strain as millions work from home
The EU has called on streaming services such as Netflix and YouTube to limit their services in order to prevent the continent’s broadband networks from crashing as tens of millions of people start working from home.
Until now, telecoms companies have been bullish that internet infrastructure can withstand the drastic change in online behaviour brought about by the coronavirus outbreak.
But on Wednesday evening, Thierry Breton, one of the European commissioners in charge of digital policy, said streaming platforms and telecoms companies had a “joint responsibility to take steps to ensure the smooth functioning of the internet” during the crisis.
Read more on the FT here: https://www.ft.com/content/b4ab03db-de1f-4f98-bcc2-b09007427e1b
COVID-19: With everyone working from home, VPN security has now become paramount
With most employees working from home amid today's COVID-19 (coronavirus) outbreak, enterprise VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus going forward for IT teams.
It is critical that the VPN service is patched and up to date because there will be more scanning against these services.
It is also critical that multi factor authentication (MFA or 2FA) is used to protect connections over VPN.
What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them
Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.
SD-WAN is host to five vulnerabilities ranging from privilege escalation to remote code injection.
Meanwhile, the Webex video-conferencing software also needs some sorting out right when everyone's working from home amid the coronavirus pandemic.
The patch bundle includes a fix for Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. A hacker can send a suitably crafted file in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF), and if the recipient clicks on it on a vulnerable computer, they get pwned. iOS users also need to patch an information-disclosure bug.
The other fixes mention SQL injection and cross-site scripting flaws.
More on The Register here: https://www.theregister.co.uk/2020/03/19/cisco_sdwan_bugs/
Windows 10 or Mac user? Patch Adobe Reader and Acrobat now to fix 9 critical security flaws
Adobe has released an important security update for its popular PDF products, Adobe Acrobat and Reader after missing its usual release aligned with Microsoft Patch Tuesday.
The company has released an update for the PDF software for Windows and macOS machines. The update addresses nine critical flaws and four vulnerabilities rated as important.
The critical flaws include an out-of-bounds write, a stack-based overflow flaw, a use-after-free, buffer overflow, and memory corruption bug.
All the critical flaws allow for arbitrary code execution, meaning attackers could use them to rig a PDF to install malware on a computer running a vulnerable version of the software.
WordPress and Apache Struts account for 55% of all weaponized vulnerabilities
Comprehensive study looks at the most attacked web technologies of the last decade.
A study that analysed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.
The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week.
In terms of programming languages, vulnerabilities in PHP and Java apps were the most weaponized bugs of the last decade.
Read the full article here: https://www.zdnet.com/article/wordpress-and-apache-struts-account-for-55-of-all-weaponized-vulnerabilities/
Trickbot malware adds new feature to target telecoms, universities and finance companies
Researchers uncover a Trickbot campaign with new abilities that looks like it's being used in an effort to steal intellectual property, financial data - and potentially for espionage.
The new form of the infamous Trickbot malware is using never-before-seen behaviour in attacks targeting telecommunications providers, universities and financial services in a campaign that looks to be going after intellectual property and financial data.
Trickbot has been in operation since 2016 and, while it started life as a banking trojan, the modular nature of the malware means it can be easily re-purposed for other means, which has led to it becoming one of the most advanced and capable forms of malware attack delivery in the world today.
And now it has been updated with yet another new capability, with a module that uses brute force attacks against targets mostly in telecoms, education, and financial services in the US and Hong Kong. These targets are pre-selected based on IP addresses, indicating that the attackers are going after them specifically.
Most organizations have yet to fix CVE-2020-0688 Microsoft Exchange flaw
Organisations are delaying in patching Microsoft Exchange Server flaw (CVE-2020-0688) that Microsoft fixed with February 2020 Patch Day updates.
The CVE-2020-0688 flaw resides in the Exchange Control Panel (ECP) component, the root cause of the problem is that Exchange servers fail to properly create unique keys at install time.
A remote, authenticated attacker could exploit the CVE-2020-0688 vulnerability to execute arbitrary code with SYSTEM privileges on a server and take full control.
More here: https://securityaffairs.co/wordpress/99752/hacking/companies-cve-2020-0688-fixed.html
Two Trend Micro zero-days exploited in the wild by hackers
Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week.
The Japanese antivirus maker has released patches on Monday to address the two zero-days, along with three other similarly critical issues (although, not exploited in the wild).
According to the alert, the two zero-days impact the company's Apex One and OfficeScan XG enterprise security products.
Trend Micro did not release any details about the attacks.
These two zero-days mark the second and third Trend Micro antivirus bugs exploited in the wild in the last year.
Read more here: https://www.zdnet.com/article/two-trend-micro-zero-days-exploited-in-the-wild-by-hackers/
Most ransomware attacks take place during the night or over the weekend
27% of all ransomware attacks take place during the weekend, 49% after working hours during weekdays
The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.
According to a report published this week, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during night-time over the weekdays, and 27% taking place over the weekend.
The numbers were compiled from dozens of ransomware incident response investigations from 2017 to 2019.
The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.
If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring what's actually happening before the ransomware encryption process ends and the company's network is down & ransomed.
Read more here: https://www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend/
While you're thinking about how you work during this crisis, the criminals are thinking about how they can take advantage of the crisis and exploit the situation to attack you.
While you're thinking about how you work during this crisis, the criminals are thinking about how they can take advantage of the crisis and exploit the situation to attack you.
While you're thinking about how you work during this crisis, the criminals are thinking about how they can take advantage of the crisis and exploit the situation to attack you.
This is what is going while firms are distracted:
Coronavirus: Banks urged to prepare for surge in cyber attacks as hackers look to exploit crisis
-Independent
Chinese Hackers ‘Weaponize’ Coronavirus Data For New Cyber Attack
-Forbes
Banks Told to Prepare for Cybercrime Jump in Coronavirus Fallout
-Bloomberg
Coronavirus Work-from-Home Response A Boon for Cybercriminal Exploitation
-Law.com
Cyber Weekly Flash Briefing for 13 March 2020 – more Coronavirus based phishing, adapting ways of working, emergency Microsoft patch, businesses breached due to employee error, IoT traffic unencrypted
Cyber Weekly Flash Briefing for 13 March 2020 – more Coronavirus based phishing, adapting ways of working, emergency Microsoft patch, businesses breached due to employee error, IoT traffic unencrypted
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
More coronavirus phishing campaigns detected
Caution required when accessing coronavirus-related emails.
Cybercriminals often use major global events to spread malware and steal data, and the recent coronavirus outbreak is no different.
Security experts have identified two phishing campaigns that take advantage of coronavirus concerns to infect devices with the Agent Tesla keylogger.
According to the report, cybercriminals are distributing emails that appear to originate from The Centre for Disease Control (CDC) or the World Health Organisation (WHO). The emails claim the virus is now airborne and that new cases have been confirmed in the victim’s vicinity.
Attached to the messages is a file named "SAFETY PRECAUTIONS", which looks like an Excel document, but is in fact an executable file (.exe) capable of sowing the trojan.
More here: https://www.itproportal.com/news/more-coronavirus-phishing-campaigns-detected/
How coronavirus COVID-19 is accelerating the future of work
The coronavirus is forcing enterprises to rethink the way they do business and dust off policies for security, business continuity, and remote workers. Chances are that some of these efforts will stick
The coronavirus outbreak may speed up the evolution of work and ultimately retool multiple industries as everything from conferences to collaboration to sales and commercial real estate are rethought.
Read the original article here: https://www.zdnet.com/article/how-coronavirus-may-accelerate-the-future-of-work/
Millions of UK businesses experience data breaches due to employee error
Employees often click on fraudulent links and can't spot a phishing email.
Employee error is the cause of 60 percent of all data breaches among UK businesses according to a new report from insurance broker Gallagher.
Polling 1,000 UK business leaders, Gallagher found the most common cause (39 percent) of employee-related breaches was malware downloaded accidentally via fraudulent links.
Phishing is also a major risk factor, responsible for 35 percent of infections. While employees pushing sensitive data outside company systems accounted for a further 28 percent.
The report also claims that almost a third of affected businesses (30 percent) have had their operations knocked out for four to five days as a result of employee error.
Respondents also reported reputational damage (14 percent) and financial consequences (12 percent), which included fines issued by data privacy regulators.
Most executives (71 percent) are aware of the problem and almost two thirds (64 percent) said they regularly remind employees about the risk of cyber crime.
Virtually all businesses are at risk of a cyber attack and as this research shows, it is often an employee mistake which causes the problem.
AMD processors going back to 2011 suffer from worrying security holes
Pair of freshly revealed attacks have not yet been patched
AMD’s processors from as early as 2011 through to 2019 are carrying vulnerabilities that are as yet unpatched, according to some freshly published research.
Known as ‘Take A Way’ (every security problem needs a snappy name, of course), security researchers said that they reverse-engineered the L1D cache way predictor in AMD silicon in order to discover two new potential attack vectors.
Given all the attention which has been focused on the flaws in Intel’s CPUs in recent times – vulnerabilities which haven’t affected AMD chips in a number of cases – this might just serve as a reminder that no one’s silicon is bulletproof.
More here: https://www.techradar.com/news/amd-processors-going-back-to-2011-suffer-from-worrying-security-holes
F-Secure reports a steep rise in hacking attempts
The latest Attack landscape H2 2019 report from F-Secure has found that there has been a jump in the volume of cyber attacks targeting internet users
In the report, F-Secure said that in the first half of 2019, the company’s global network of honeypots experienced a jump in cyber attack traffic.
The volume of such attacks rose from 246 million in H1 2017 to 2.9 billion in H1 2019. In the second half of the year, according to F-Secure, the pace of attack traffic continued but at a slightly reduced rate. F-Secure said there were 2.8 billion hits to its honeypot servers in H2 2019. Distributed Denial of Service (DDos) attacks drove this deluge, accounting for two-thirds of the traffic.
Its research found that the US is the country whose IP space played host to the greatest number of attacks, followed by China and Russia.
https://www.computerweekly.com/news/252479470/F-secure-reports-a-steep-rise-in-hacking-attempts
This ransomware campaign has just returned with a new trick
Paradise ransomware is back again - and the criminals behind it appear to be testing out new tactics ahead of what could be a more prolific campaign.
A ransomware campaign has returned with a new trick to fool the unwary into compromising their network with file-encrypting malware. And it's an attack that many Windows machines won't even recognise as potentially malicious.
The new variant of Paradise ransomware, which has been active in one form or another since 2017, spreads via phishing emails, but it's different from other ransomware campaigns because it uses an uncommon – but effective – file type to infiltrate the network.
This campaign leverages Internet Query files (IQY), which are text files read by Microsoft Excel to download data from the internet. IQY is a legitimate file type, so many organisations won't block it.
More here: https://www.zdnet.com/article/this-ransomware-campaign-has-just-returned-with-a-new-trick/
Ransomware Threatens to Reveal Company's 'Dirty' Secrets
Sticking with ransomware, the operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
In a new post by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victim's data but also sifting through it to find damaging information that can be used against the victim.
In the above post, the attackers are threatening to sell the Social Security Numbers and date of births for people in the data to other hackers on the dark web.
They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
Microsoft Releases Emergency Patch for Wormable Bug That Threatens Corporate LANs
Microsoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The patch for the vulnerability is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.
On Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017.
The critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft’s Patch Tuesday release this week.
Read more here: https://threatpost.com/wormable-unpatched-microsoft-bug/153632/
Nearly all IoT traffic is unencrypted
IoT devices are considered "low-hanging fruit" among cybercriminals.
Practically all of the traffic flowing from Internet of Things (IoT) devices is not encrypted, consequently putting both businesses and their customers at unnecessary risk of data theft and all others that follow.
This is according to a new report which analysed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organisations, finding that 98 per cent of all IoT device traffic is unencrypted.
That basically means that if intercepted, the data could be easily read and used.
So the question arises – how easy is it to eavesdrop on the data exchange between IoT devices and their respective servers? The report claims 57 per cent of IoT devices are vulnerable to either medium or high-severity attacks. IoT is perceived as “low-hanging fruit” for cybercriminals.
Read more here: https://www.itproportal.com/news/nearly-all-iot-traffic-is-unencrypted/
Microsoft takes down global zombie bot network
Microsoft has said it was part of a team that dismantled an international network of zombie bots.
The network call Necurs infected over nine million computers and one of the world's largest botnets.
Necurs was responsible for multiple criminal scams including stealing personal information and sending fake pharmaceutical emails.
Cyber-criminals use botnets to remotely take over internet-connected devices and install malicious software.
The software can be used to send spam, collect information about what activity the computer is used for or delete information without notifying the owner.
Tom Burt, Microsoft's vice-president for customer security and trust, said in a blog post that the takedown of Necurs was the result of eight years of planning and co-ordination with partners in 35 countries.
Watch out for Office 365 and G Suite scams, FBI warns businesses
The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.
Bang on cue, the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 and Google G Suite.
Warnings about BEC are ten-a-penny but this one refers specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:
Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.
As organisations move to hosted email, criminals migrate to follow them.
As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.
For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.
The deeper question is why BEC scams continue to be such a problem when it’s well understood that they can be defended against using technologies such as multi-factor authentication (MFA).
Microsoft Exchange Server Flaw Exploited by multiple nation state (APT) groups
A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.
Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
More: https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/
Cyberattackers are delivering malware by using links from whitelisted sites
Legitimate-looking links from OneDrive, Google Drive, iCloud, and Dropbox slip by standard security measures.
Bad actors have added a new snare to their bag of social engineering tricks— malicious OneDrive, Google Drive, iCloud, and Dropbox links. A new whitepaper asking "Is SaaS the New Trojan Horse in the Age of the Cloud?" describes this latest attack vector.
Links to these legitimate sites can often slip by standard security measures that stop malware and block access to suspicious sites. Many of these services are whitelisted by security products because they are approved services, meaning that an enterprise has few or no defences against these advanced attacks. These services are the latest tactic designed to dupe users into divulging their credentials or unknowingly download and install malware.
Tech Firms Offer Free Remote Working Tools, as Coronavirus Cases Surge
Move comes as companies scramble to polish remote working processes
Six technology companies are rolling out free or upgraded enterprise collaboration tools under a new “Open for Business” hub, in a bid to capture new users – and support enterprises scrambling to implement remote working protocols as coronavirus cases surge.
In the US, Amazon, Microsoft and Facebook have advised Seattle-area employees to work from home for the next few weeks. In the UK most companies are holding fire for now, but are most are rapidly updating policies and assessing tools.
Large organisations might be able to work through some of the emerging provisioning issues that come with a surge of remote workers — i.e. by increasing the number of licenses for their firewalls and VPNs — many small businesses don’t have the ability to quickly provision the resources they need to support their employees when working remotely.
More here: https://www.cbronline.com/news/free-remote-working-tools