Threat Intelligence Blog
Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter spear-phishing, Garmin may have paid ransom, 27% of consumers hit with Covid19 phishing scams, Netflix phishing scam
Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter says attack was spear-phishing, Criminals still exploiting COVID19, Netwalker ransomware, Garmin may have paid ransom, QNAP NAS devices infected, Hackers exploit networking vulns, 27% of consumers hit with pandemic-themed phishing scams, New Netflix phishing scam
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
386 million user records stolen in data breaches — and they're being given away for free
A notorious hacker or group of hackers is giving away copies of databases said to contain 386 million user records, after posting links to the databases on a marketplace used by cyber criminals.
The threat actor, who goes by the name ShinyHunters, claims to have data stolen from 18 different websites in the past seven months. According to reports, ShinyHunters last week began uploading the databases to a forum where anyone can download them free of charge.
ShinyHunters is believed to have played a role in high-profile data breaches at HomeChef, Promo.com, Mathway, Chatbooks, Dave.com, Wattpad and even Microsoft's GitHub account. Many of these records were previously offered for sale online.
Why this matters:
Any details stolen from one site or service will be used against other sites and services. This is why it is critical that passwords are not reused across different sites and that every password is unique. Using multi-factor authentication is also very effective at safeguarding against these types of attacks.
Read more here: https://www.tomsguide.com/news/shinyhunters-breach-giveaway
Twitter says spear-phishing attack on employees led to breach
Twitter said a large hack two weeks ago targeted a small number of employees through a phone “spear-phishing” attack.
The social media platform said the hackers targeted about 130 accounts, tweeted from 45, accessed the inboxes of 36, and were able to download Twitter data from seven.
Attackers also targeted specific employees who had access to account support tools, Twitter said. The company added it has since restricted access to its internal tools and systems.
Twitter suffered a major security breach on 15 July that saw hackers take control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple.
The hack unfolded over the course of several hours, and in the course of halting it, Twitter stopped all verified accounts from tweeting – an unprecedented measure.
Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency.
Why this matters:
It is nearly always a lot easier for attackers to attack your users than it is to attack your systems. IT controls alone cannot protect against social engineering attacks, so making sure your staff are trained to recognise and resist social engineering is a critical part of your defence.
Read more here: https://www.theguardian.com/technology/2020/jul/30/twitter-breach-hackers-spear-phishing-attack
Cyber-Criminals Continue to Exploit #COVID19 During Q2
Cyber-criminals’ exploitation of the COVID-19 pandemic to target individuals and businesses has continued unabated during the second quarter of 2020, according to one Cyber Security firm’s Q2 2020 Threat Report published today. The findings highlight how the crisis is defining the cybersecurity landscape in Q2 in a similar way as it did in Q1 after the pandemic first struck.
The firm observed a continuous focus on phishing using COVID-19 lures in this period. This included criminals taking advantage of the rise in online shopping that has occurred during the pandemic, with a 10-fold increase in phishing emails impersonating one of the world’s leading package delivery services found in comparison to Q1.
The shift to remote working as a result of the pandemic has also led to increased targeting of Remote Desktop Protocol (RDP) services in recent months.
Ransomware tactics were found to be “rapidly developing” in this period, with operators moving away from doxing and random data leaking towards auctioning the stolen data on dedicated underground sites.
Why does this matter?
The Coronavirus crisis gave criminals an efficient lure to bait phishing emails with, and for as long as it works they will continue to exploit this crisis. It’s like we always say: “cyber criminals will never let a good crisis or tragedy go to waste”.
Read more here: https://www.infosecurity-magazine.com/news/cyber-criminals-exploit-covid/
FBI Releases Flash Alert on Netwalker Ransomware
The US Federal Bureau of Investigation (FBI) released a flash alert in which it warned organisations about the dangers of Netwalker ransomware.
The FBI said that it had received notifications of attacks involving Netwalker against U.S. and foreign government organisations along with entities operating in the healthcare and education sectors.
In its alert, the FBI noted that those responsible for Netwalker had used COVID-19 phishing emails and unpatched vulnerabilities affecting VPN apps to gain entry into an organisation. The malicious actors had then used their crypto-malware to harvest administrator credentials and steal data from their victims. Ultimately, the attackers uploaded that stolen information to a file-sharing service.
Once they had come into possession of a victim’s data, the nefarious individuals activated the ransomware’s encryption routine. This step led the threat to encrypt all connected Windows-based devices and information before dropping a ransom note on the infected machine.
Why does this matter?
Ransomware remains one of the biggest risks for all firms, organisations and individuals, and the majority of the time the ransomware infection will stem from a phishing email that a user within an organisation clicked on. As with all social engineering attacks, IT controls alone are of limited effectiveness, and defending against these attacks comes down to educating your users and instilling in them the importance of the role they play in defending an organisation.
Read more here: https://www.tripwire.com/state-of-security/security-data-protection/fbi-releases-flash-alert-on-netwalker-ransomware/
Garmin may have paid hackers ransom, reports suggest
Fitness wearable and Navtech supplier Garmin may have given in to the demands of cyber criminals who encrypted its systems with ransomware, according to news reports that suggest the firm has obtained a decryption key to recover its files, strongly suggesting it has either paid up, or brokered some kind of deal.
In a statement issued four days after its services first went offline, Garmin finally confirmed it had been the victim of a cyber attack, having previously limited its response to saying it was experiencing an outage. It has not yet confirmed it was the victim of a ransomware incident, although this is now all but certain.
A spokesperson said: “Garmin today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer-facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.”
“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”
Why does this matter?
Ransomware can affect firms of any size, from the smallest to the largest. No firm or organisation is immune, and even firms that are spending millions or tens of millions on advanced protections and controls can still fall victim. These types of attacks go after the people working for an organisation, not the organisation’s technical infrastructure, and technical controls are of limited use in defending against them. An organisation needs to ensure its users are adept at spotting phishing emails; it only takes one user clicking on one malicious email to take down a multinational corporation.
Read more here: https://www.computerweekly.com/news/252486775/Garmin-may-have-paid-hackers-ransom-reports-suggest
Cyber-security agencies from the UK and the US say 62,000 QNAP NAS devices have been infected with the QSnatch malware
The UK NCSC and US CISA published a joint security alert this week about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.
In alerts by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.
Of these, CISA and the NCSC say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK.
Why this matters:
Vulnerable devices can be used to steal credentials (usernames and passwords) and exfiltrate information from devices on the network. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited.
Read more here: https://www.zdnet.com/article/cisa-says-62000-qnap-nas-devices-have-been-infected-with-the-qsnatch-malware/
Hackers actively exploit high-severity networking vulnerabilities
Hackers are actively exploiting two unrelated high-severity vulnerabilities that allow unauthenticated access or even a complete takeover of networks run by FTSE100/Fortune 500 companies and government organisations.
The most serious exploits are targeting a critical vulnerability in F5’s Big-IP advanced delivery controller, a device that’s typically placed between a perimeter firewall and a Web application to handle load balancing and other tasks. The vulnerability, which F5 patched three weeks ago, allows unauthenticated attackers to remotely run commands or code of their choice. Attackers can then use their control of the device to hijack the internal network it’s connected to.
Why this matters:
Vulnerable devices such as this can be used to gain access to internal networks. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited. When a vendor releases updates they should be installed as soon as possible, ideally having been tested before updates are applied in your live environment.
Read more here: https://arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/
27% of consumers hit with pandemic-themed phishing scams
Phishing is the top digital fraud scheme worldwide related to the COVID-19 pandemic, according to new research.
Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.
Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.
To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. were surveyed between June 30 and July 6, 2020.
The survey asked the consumers if they had been targeted by digital COVID-19 fraud and, if so, which digital fraud scheme(s) related to COVID-19 they were targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19, with the below being the top types of COVID-19 fraud they faced:
Top global online COVID-19 scams targeting consumers:
Why this matters:
Whatever works for criminals, they will continue doing. Until consumers, as well as businesses, get better at detecting these scams and spotting phishing emails, criminals will carry on using the latest crisis or tragedy to get users to click on malicious emails and open their networks to attackers.
Read more here: https://www.helpnetsecurity.com/2020/07/24/pandemic-themed-phishing-scams/
New Netflix phishing scam uncovered - here’s how to stay safe
Security analysts have uncovered a dangerous and highly convincing new Netflix phishing scam, capable of evading traditional email security software.
The phishing email masquerades as a billing error alert, pressing the victim to update their payment details within 24 hours or have their Netflix subscription voided.
The link provided in the email redirects to a functioning CAPTCHA form, used in legitimate scenarios to distinguish between humans and AI. Although this step adds a layer of friction to the process, it serves to enhance the sense of legitimacy the attacker is attempting to cultivate.
After handing over account credentials, billing address and payment card information, the victim is then redirected to the genuine Netflix home page, unaware their data has been compromised.
Why does this matter?
Phishing campaigns like this cast a wide net and only need a small number of victims to fall for it to turn a profit, and that means these types of scams are not going to go away any time soon. If no one fell for them they would stop. Always question any email that urges you to take action quickly under the guise of some threat.
Read more here: https://www.techradar.com/news/dangerous-new-netflix-phishing-scam-hits-the-scene-heres-what-you-need-to-know
Cyber Weekly Flash Briefing 24 July 2020: Cyber crime up 23% Over Past Year, Nearly 50% of employees have made a serious security mistake at work, 99.9% of Hacked Microsoft Accounts Don’t Use 2FA
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cybercrime Jumped 23% Over Past Year, Says ONS
Cybercrime offenses reported by individuals and businesses have risen 23% over the past year, according to the Office for National Statistics (ONS).
The UK government body explained that 26,215 incidents were referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud in the year ending March 2020.
The year-on-year increase was driven by a large uptick in the two highest-volume “computer misuse” types reported to Action Fraud. “Hacking – social media and email” saw a 55% increase from 12,894 offenses, and “computer viruses/malware” incidents soared by 61% to reach 6,745 cases.
The double-digit increase in reported cybercrime came in spite of improvements to “internal case review processes” and an online reporting tool at Action Fraud in October 2018 which meant some offenses previously categorized as computer misuse are now being properly identified as fraud, ONS said.
Why this matters:
Any increase in reported cyber crime is significant, but such a large rise is even more alarming and demonstrates that firms and individuals need to make sure they are treating these threats seriously.
Read more here: https://www.infosecurity-magazine.com/news/cybercrime-jumped-23-over-past-year#disqus_thread
Nearly half of employees have made a serious security mistake at work
Distraction and burnout can lead to serious mistakes when working online
New research from an email security firm has revealed that almost half (43%) of employees in the US and UK have made mistakes at work that have resulted in cyber security repercussions for themselves or their company.
The firm surveyed 2,000 professionals between the ages of 18 and 51 to find out more about why workers make mistakes and how they can be prevented before they turn into data breaches.
Of the employees surveyed, a quarter of them confessed to clicking on links in a phishing email at work. The research also found that employees between 31 and 40 years of age were four times more likely than employees over age 51 to click on a phishing email. At the same time, male employees were twice as likely to do so than their female coworkers.
Why does this matter?
Cyber and Information Security is fundamentally a human problem, not an IT problem, and all the IT controls in the world are worth very little if humans bypass them or fail to follow safe working practices. Ensure your users, at all levels, are aware of the role they play in securing your organisation and make sure they receive adequate and suitable training.
99.9 Percent of Hacked Microsoft Accounts Don’t Use 2FA
Two-factor authentication (2FA) is the single most effective method of preventing unauthorised access to an online account, as numbers from Microsoft prove.
Microsoft tracks over 1 billion active accounts monthly, which is nearly 1/8 of the world’s population. These generate more than 30 billion monthly login events. Every login to a corporate O365 account can generate multiple login entries across multiple apps, as well as additional events for other apps that use O365 for single sign-on.
If that number sounds big, bear in mind that Microsoft stops 300 million fraudulent sign-in attempts every day. Again, that’s not per year or per month, but 300 million per day.
In January 2020, 480,000 Microsoft accounts—0.048 percent of all Microsoft accounts—were compromised by spraying attacks. This is when an attacker runs a common password (like “Spring2020!”) against lists of thousands of accounts, in the hopes that some of those will have used that common password.
Sprays are just one form of attack; hundreds of thousands more were caused by credential stuffing. To perpetrate these, the attacker buys usernames and passwords on the dark web and tries them on other systems.
Then, there’s phishing, which is when an attacker convinces you to log in to a fake website to get your password. These methods are how online accounts are typically “hacked,” in common parlance.
In all, over 1 million Microsoft accounts were breached in January. That’s just over 32,000 compromised accounts per day, which sounds bad until you remember the 300 million fraudulent login attempts stopped per day.
But the most important number of all is that 99.9 percent of all Microsoft account breaches would have been stopped if the accounts had two-factor authentication enabled.
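The spraying and credential-stuffing pattern described above leaves a recognisable fingerprint in sign-in logs: one source trying a small number of passwords against many different accounts, as opposed to hammering a single account. The following is an added example, not code from the original post or from Microsoft, showing how a defender might flag that pattern and list which accounts the sprayer actually got into. The log lines, IP addresses, user names and thresholds are all constructed for the example.

```python
"""Flag password-spray behaviour in sign-in logs (added, illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs: timestamp, user, source IP, outcome.
# 198.51.100.7 tries one password each against many accounts (a spray) and gets into "frank".
# 203.0.113.9 hammers a single account (brute force, not a spray).
# 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-07-24T09:00:01Z alice 198.51.100.7 FAIL
2020-07-24T09:00:04Z bob   198.51.100.7 FAIL
2020-07-24T09:00:07Z carol 198.51.100.7 FAIL
2020-07-24T09:00:10Z dave  198.51.100.7 FAIL
2020-07-24T09:00:13Z erin  198.51.100.7 FAIL
2020-07-24T09:00:16Z frank 198.51.100.7 SUCCESS
2020-07-24T09:05:00Z alice 203.0.113.9 FAIL
2020-07-24T09:05:01Z alice 203.0.113.9 FAIL
2020-07-24T09:05:02Z alice 203.0.113.9 FAIL
2020-07-24T09:05:03Z alice 203.0.113.9 FAIL
2020-07-24T09:05:04Z alice 203.0.113.9 FAIL
2020-07-24T09:05:05Z alice 203.0.113.9 FAIL
2020-07-24T10:30:00Z bob   192.0.2.44 FAIL
2020-07-24T10:30:05Z bob   192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse the constructed space-separated format into (datetime, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {ip: finding} for sources showing spray behaviour.

    A spray is defined here as: within `window`, one source IP fails against at least
    `min_accounts` distinct accounts while trying no more than `max_per_account` times
    against any single one of them (low and slow per account, wide across accounts).
    Single-account brute force is deliberately NOT matched by this rule.
    """
    failures_by_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            failures_by_ip[ip].append((ts, user))

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # Any successful sign-in from a spraying source is a probable compromise.
                successes = sorted({u for ts, u, src, out in events
                                    if src == ip and out == "SUCCESS"})
                findings[ip] = {
                    "accounts_targeted": sorted(per_account),
                    "window_start": fails[start][0].isoformat(),
                    "successful_logins": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The thresholds are the interesting knobs: lowering `min_accounts` catches smaller sprays but raises false positives from shared NAT addresses, and the `successful_logins` list is the part worth routing to an analyst, since those are the accounts without 2FA that the sprayer has actually entered.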
Why this matters:
Two-factor authentication (2FA) is the single most effective method of preventing unauthorised access to online accounts, remediating (or preventing) approximately 95% of attacks. That this simple step, normally available free of charge from online account providers, is so effective means it should be implemented wherever and whenever possible.
Read more here: https://www.howtogeek.com/681419/watch-out-99.9-of-hacked-microsoft-accounts-dont-use-2fa/
Adobe issues emergency fixes for critical vulnerabilities in Photoshop, Bridge, Prelude
Adobe has released an out-of-band emergency security update for Photoshop, Prelude, and Bridge.
On Tuesday, a week after issuing the firm's standard monthly security update, Adobe published security advisories revealing a total of 13 vulnerabilities, 12 of which are deemed critical.
Five vulnerabilities have now been resolved in Photoshop CC 2019 -- versions 20.0.9 and earlier -- and Photoshop 2020 -- versions 21.2 and earlier -- on Windows machines.
All of these vulnerabilities are considered critical, as, if exploited, they can lead to arbitrary code execution.
Why does this matter?
Vulnerabilities in software are exploited by attackers; patching them means they can no longer be exploited. Updates should always be installed as soon as possible to prevent the vulnerabilities from being used in attacks.
Read more: https://www.zdnet.com/article/adobe-issues-emergency-fixes-for-vulnerabilities-in-photoshop-prelude/
Blackbaud Hack: Universities lose data to ransomware attack
At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked a cloud computing provider.
Human Rights Watch and the children's mental health charity, Young Minds, have also confirmed they were affected.
The hack targeted Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software.
The US-based company's systems were hacked in May and it has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.
In some cases, the data was limited to that of former students, who had been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.
The institutions the BBC has confirmed have been affected are:
· University of York
· Oxford Brookes University
· Loughborough University
· University of Leeds
· University of London
· University of Reading
· University College, Oxford
· Ambrose University in Alberta, Canada
· Human Rights Watch
· Young Minds
· Rhode Island School of Design in the US
· University of Exeter
In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.
Why does this matter?
Every entity, business, organisation and individual is at risk from ransomware. The bigger the organisation, the more points of entry exist, but this does not mean it is not a major threat to smaller businesses too. Nearly all of these attacks stem from a user clicking on a link in a phishing email, so make sure your staff are adept at spotting phishing emails.
Amazon Prime phishing scam returns - here's all you need to know
Shoppers warned of phone and email attacks against Amazon Prime users
Shoppers using Amazon Prime have been warned about a major phishing scam which appears to have resurfaced across the country.
The scammers target victims via an automated telephone call claiming that they have opened an Amazon Prime account and that they should "press one" to cancel the transaction.
Doing so connects the call to a fraudster posing as an Amazon customer service representative, who then tells the recipient that their subscription was purchased fraudulently because of a supposed "security flaw" on the targeted person's computer. The bogus Amazon representative then asks for remote access to the recipient's computer, supposedly to fix the security breach. Granting remote access gives the scammers control of the machine, allowing them to steal personal information, including passwords and banking information.
There is also an email version of the same scam.
The email version of this scam sees the victim receiving a message stating they have started an Amazon Music subscription charged at £28.99 per month. The email then asks the recipient to click a link if they want to cancel the subscription and receive a refund - but the page they are taken to in order to input their card details and receive the refund will instead send their details to fraudsters.
Why does this matter?
Scammers only need a small number of the people they target to fall for the scam for it to be profitable, so unfortunately these types of scams are not going to go away any time soon. Make sure you keep up to date with the latest and emerging scams, and make sure relatives who might fall victim are also aware that these attacks are happening all the time, so that they exercise caution if they receive calls or emails of this nature.
Read more here: https://www.techradar.com/uk/news/amazon-prime-phishing-scam-returns-heres-all-you-need-to-know
Phishing attacks concealed in Google Cloud Services
Cyber criminals are increasingly concealing phishing efforts behind legitimate resources.
A lie is best concealed between two truths, an old saying goes, and it seems hackers are using this wisdom to better hide their phishing efforts.
Cyber security researchers are warning of a phishing campaign that utilises Google Cloud Services and offers legitimate PDF whitepapers to victims that give away their login credentials.
According to the researchers, it all starts with a PDF document uploaded to Google Drive, containing a link to a phishing page. The landing page requires the user to log in with their Office 365 or organisation email.
After the victim gives away their login credentials, they are redirected to a genuine PDF report published by a “renowned global consulting firm.”
Why does this matter?
Since the phishing page is hosted on Google Cloud Storage, the user might not become suspicious. Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify actual phishing attacks. Traditional red flags of a phishing attack, such as look-alike domains or websites without certificates, won’t help us much as we enter a potential cyber pandemic. Users of Google Cloud Platform, even AWS and Azure users, should all beware of this fast-growing trend and learn how to protect themselves. It starts by thinking twice about the files you receive from senders.
Read more here: https://www.itproportal.com/news/phishing-attacks-concealed-in-google-cloud-services/
Analysts Detect New Banking Malware
A new strain of banking malware dubbed BlackRock has been detected by researchers.
An investigation into its origins has revealed BlackRock to be derived from the Xerxes banking malware. Xerxes was in turn spawned out of the LokiBot Android banking Trojan, first detected around four years ago.
The source code of the Xerxes malware was made public by its author around May 2019, making it possible for any threat actor to get their hands on it. Despite the code's availability, researchers found that the only Android banking Trojan based on Xerxes' source code that is currently operating appears to be BlackRock.
Why this matters:
This malevolent malware steals credentials not only from banking apps but also from other apps designed to facilitate communication, shopping and business. In total, the researchers found 337 Android apps were impacted, including dating, social networking and cryptocurrency apps.
Read more here: https://www.infosecurity-magazine.com/news/analysts-detect-new-banking/#disqus_thread
Hackers wipe out more than 1,000 databases, leaving only the word 'meow'
Over 1000 unsecured databases have been permanently deleted, leaving only the word “meow” behind.
One of the databases hit in the attack held details from UFO VPN. UFO VPN, and other products from seemingly the same company, had recently been in the news for exposing user information.
Information exposed included unencrypted account passwords, location information, and IP addresses of user devices and VPN servers.
The VPN, and others like it, claimed that it was not logging user details. Reports alleged that this was not the case.
The attack seems to have come from a bot, according to Forbes, as the attack script overwrites database indexes with random numerical strings and the word ‘Meow’.
Why does this matter?
Unsecured databases are wide open to attackers. Not only can their contents be read and the information gleaned used in other attacks, they can also, as was the case here, be deleted, losing all data.
Is your smart home hosting malware attacks?
It’s not only computers that can be compromised by hackers, almost any electronic device can be compromised – including your smart home gadgets.
Researchers have discovered a new family of malware called Mozi that has been quickly spreading online since last year and appears to have been designed specifically to attack low-power smart devices. Once installed, the malware tries to make contact with other infected devices, adding itself to a botnet (a collection of other compromised devices).
An infected device continues to operate normally, but it is constantly ‘listening’ for instructions from the botnet. The botnet has been designed to launch Distributed Denial of Service (DDoS) attacks that can be used to attack and crash online services and websites. Once activated, your infected devices will be used by hackers to participate in large DDoS attacks.
Some variants can also steal data, or execute additional code, allowing hackers to gain control of your network.
As the malware evolves, the list of affected devices will undoubtedly grow.
Why does this matter?
Almost any electronic device can be compromised to serve malware, be co-opted into taking part in distributed denial of service attacks or otherwise be exploited or used as a point of entry into a network. As more and more of these devices appear in our homes and offices many people do not realise they are significantly increasing their potential attack surface.
Read more: https://www.pandasecurity.com/mediacenter/mobile-news/smart-home-hosting-malware/
Russian cyber attacks an 'urgent threat' to national security
Russia's cyber attack capabilities -- and its willingness to use them -- pose an "immediate and urgent threat" to the UK's national security, according to a report from a committee of MPs.
The long-delayed Russia report from the UK parliament's Intelligence and Security Committee (ISC) describes how it sees Russia's abilities to use malicious cyber activities to further its aims.
"Russia's cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security," the report said.
Why does this matter?
Given the immediate threat that Russia poses to UK national security, it is concerning that there is no clear coordination of the numerous organisations across the UK intelligence community working on this issue. The risks posed by Russia, and other nation states such as China, Iran and North Korea should not be understated or ignored.
Read more here: https://www.zdnet.com/article/russian-cyberattacks-an-urgent-threat-to-national-security/
Cyber Weekly Flash Briefing 29 May 2020: Criminals impersonate Google to target remote workers, ransomware up 950% in 2019, cloud collab tool use surges along with attacks, EasyJet £18 billion suit
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber-Criminals Impersonating Google to Target Remote Workers
Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.
According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.
Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).
Read the full article here: https://www.infosecurity-magazine.com/news/cyber-criminals-impersonating/
Ransomware Demands Soared 950% in 2019
Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data.
A new report claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.
As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.
The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.
Read more: https://www.infosecurity-magazine.com/news/ransomware-demands-soared-950-in/
Use of cloud collaboration tools surges and so do attacks
The COVID-19 pandemic has pushed companies to adapt to new government-mandated restrictions on workforce movement around the world. The immediate response has been rapid adoption and integration of cloud services, particularly cloud-based collaboration tools such as Microsoft Office 365, Slack and videoconferencing platforms. A new report shows that hackers are responding to this with increased focus on abusing cloud account credentials.
Analysis of cloud usage data collected between January and April from over 30 million enterprise users indicated a 50% growth in the adoption of cloud services across all industries. Some industries, however, saw a much bigger spike, for example manufacturing with 144% and education with 114%.
The use rate of certain collaboration and videoconferencing tools has been particularly high. Cisco Webex usage has increased by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%. Again, manufacturing and education ranked at the top.
Huge rise in hacking attacks on home workers during lockdown
Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.
The proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later, according to new data.
Attacks specifically aimed at exploiting the chaos wrought by Sars-CoV-2 have been evident since January, when the outbreak started to garner international news headlines.
The attacks have increased in sophistication, specifically targeting coronavirus-related anxieties rather than the more usual attempts at financial fraud or extortion.
In early May “a large malicious email campaign” was detected against UK businesses that told employees they could choose to be furloughed if they signed up to a specific website.
Read more here: https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown?CMP=share_btn_tw
EasyJet faces £18 billion class-action lawsuit over data breach
UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach.
Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyber attack, including over 2,200 credit card records.
The "highly sophisticated" attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers.
The carrier did not explain how or exactly when the data breach took place, beyond that "unauthorized access" has been "closed off."
The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified, of which the latter has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security.
Last year, British Airways faced a "notice of intent" filed by the ICO to fine the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.
Read the full article here: https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/
Data Breach at Bank of America
Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.
The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.
Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.
More Here: https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/
Apple sends out 11 security alerts – get your fixes now!
Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.
There were 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.
11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.
Read more: https://nakedsecurity.sophos.com/2020/05/27/apple-sends-out-11-security-alerts-get-your-fixes-now/
NSA warns of new Sandworm attacks on email servers
The US National Security Agency (NSA) has published a security alert warning of a new wave of cyber attacks against email servers conducted by one of Russia's most advanced cyber-espionage units.
The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).
Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability.
Read more: https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/
DoubleGun Group Builds Massive Botnet Using Cloud Services
An operation from the China-based cybercrime gang known as DoubleGun Group has been disrupted, which had amassed hundreds of thousands of bots that were controlled via public cloud services, including Alibaba and Baidu Tieba.
Researchers in a recent post said that they noticed DNS activity in their telemetry that traced back to a suspicious domain controlling mass amounts of infected Windows devices. Analysis of the command-and-control (C2) infrastructure of the operation and the malware used to build the botnet showed that the effort could be attributed to a known threat group – DoubleGun, a.k.a. ShuangQiang.
Read more: https://threatpost.com/doublegun-massive-botnet-cloud-services/156075/
Malicious actor holds at least 31 stolen SQL databases for ransom
A malicious cyber actor or hacking collective has reportedly been sweeping the internet for online stores’ unsecured SQL databases, copying their contents, and threatening to publish the information if the rightful owners don’t pay up.
The perpetrator has stolen the copied versions of at least 31 SQL databases, which have been put up for sale on an unnamed website. These databases constitute roughly 1.620 million rows of information, including e-commerce customers’ names, usernames, email addresses, MD5-hashed passwords, birth dates, addresses, genders, account statuses, histories and more.
Cyber Weekly Flash Briefing 15 May 2020: Attacks on UK up 30% in Q1, 238% surge against banks, Microsoft fixes 111 vulns, Adobe patches 36 vulns, Thunderspy, 73m user records for sale on dark web
Cyber-Attacks on UK Organisations Up 30% in Q1 2020
New research has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020.
Analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute.
This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.
IoT applications were cited as the most common targets for cyber-criminals in the first quarter, attracting almost 19,000 online attacks per company. Company databases and file-sharing systems were also targeted frequently, with companies experiencing approximately 5,000 attacks for each application, on average.
Read more here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-orgs-up-30-q1/
COVID-19 blamed for 238% surge in cyber attacks against banks
The coronavirus pandemic has been connected to a 238% surge in cyber attacks against banks, new research claims.
On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyber attack attempts between February and April this year, the same months in which COVID-19 began to spread rapidly across the globe.
The cyber security firm's research, which includes input from 25 CIOs at major financial institutions, adds that 80% of firms surveyed have experienced more cyber attacks over the past 12 months, an increase of 13% year-over-year.
VMware Carbon Black data already indicates that close to a third (27%) of all cyber attacks target either banks or the healthcare sector.
An interesting point in the report is how there appears to have been an uptick in financially-motivated attacks around pinnacles in the news cycle, such as when the US confirmed its first case of COVID-19.
In total, 82% of chief information officers contributing to the report said that alongside a spike in attacks, techniques also appear to be improving, including the use of social engineering and more advanced tactics to exploit not only the human factor but also weak links caused by processes and technologies in use by the supply chain.
Read more here: https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/
May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical
Microsoft's May 2020 Patch Tuesday fell this week, and Microsoft have released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low.
This month there are no zero-day or unpatched vulnerabilities.
Users should install these security updates as soon as possible to protect Windows from known security risks.
Read more here: https://www.bleepingcomputer.com/news/microsoft/may-2020-patch-tuesday-microsoft-fixes-111-vulnerabilities-13-critical/
Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat
Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software.
On Tuesday, the software giant issued two security advisories detailing the bugs, the worst of which can be exploited by attackers to trigger remote code execution attacks and information leaks.
The first set of patches relate to Adobe Acrobat and Reader for Windows and macOS, including Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.
In total, 12 critical security flaws have been resolved. Six of the bugs, a single heap overflow problem, two out-of-bounds write errors, two buffer overflow issues, and two use-after-free vulnerabilities can all lead to arbitrary code execution in the context of the current user.
Read more here: https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/
Thunderbolt flaw ‘Thunderspy’ allows access to a PC’s data in minutes
Vulnerabilities discovered in the Thunderbolt connection standard could allow hackers to access the contents of a locked laptop’s hard drive within minutes, a security researcher from the Eindhoven University of Technology has announced. Reports state that the vulnerabilities affect all Thunderbolt-enabled PCs manufactured before 2019.
Although hackers need physical access to a Windows or Linux computer to exploit the flaws, they could theoretically gain access to all data in about five minutes even if the laptop is locked, password protected, and has an encrypted hard drive. The entire process can reportedly be completed with a series of off-the-shelf components costing just a few hundred dollars. Perhaps most worryingly, the researcher says the flaws cannot be patched in software, and that a hardware redesign will be needed to completely fix the issues.
Read more here: https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops
A hacker group is selling more than 73 million user records on the dark web
A hacker group going by the name of ShinyHunters claims to have breached ten companies and is currently selling their respective user databases on a dark web marketplace for illegal products.
The hackers are the same group who breached Tokopedia, Indonesia's largest online store, last week. Hackers initially leaked 15 million user records online, for free, but later put the company's entire database of 91 million user records on sale for $5,000.
Encouraged and emboldened by the profits from the Tokopedia sale, the same group has, over the course of the current week, listed the databases of 10 more companies.
This includes user databases allegedly stolen from organizations such as:
· Online dating app Zoosk (30 million user records)
· Printing service Chatbooks (15 million user records)
· South Korean fashion platform SocialShare (6 million user records)
· Food delivery service Home Chef (8 million user records)
· Online marketplace Minted (5 million user records)
· Online newspaper Chronicle of Higher Education (3 million user records)
· South Korean furniture magazine GGuMim (2 million user records)
· Health magazine Mindful (2 million user records)
· Indonesia online store Bhinneka (1.2 million user records)
· US newspaper StarTribune (1 million user records)
The listed databases total 73.2 million user records, which the hacker is selling for around $18,000, with each database sold separately.
Read more here: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
A cybercrime store is selling access to more than 43,000 hacked servers
MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018.
Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.
Today, MagBo has become the de-facto go-to marketplace for many cybercrime operations. Some groups register on the MagBo platform to sell hacked servers, while others are there just to buy.
Those who buy do so either in bulk (for black-hat SEO or for malware distribution) or selectively, for intrusions at high-value targets (e-commerce stores for web skimming, intranets for ransomware).
All in all, the MagBo platform cannot be ignored anymore, as it appears to be here to stay, and is placing itself at the heart of many of today's cybercrime operations.
Ransomware: Why paying the crooks can actually cost you more in the long run
Ransomware is so dangerous because in many cases the victim doesn't feel they have any option other than to pay up – especially if the alternative is the whole organisation being out of operation for weeks, or even months, as it attempts to rebuild the network from scratch.
But handing over a bitcoin ransom to cyber criminals can actually double the cost of recovery according to analysis by researchers at Sophos, published in the new State of Ransomware 2020 report, which has been released three years to the day from the start of the global WannaCry ransomware outbreak.
A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
Often, this is because retrieving the encryption key from the attackers isn't a simple fix for the mess they created, meaning that not only does the organisation pay out a ransom, they also have additional costs around restoring the network when some portions of it are still locked down after the cyber criminals have taken their money.
According to the report, one in four organisations said they paid the ransom in order to get their files back. It's one of the key reasons why ransomware remains a successful tactic for crooks: because victims pay up – often six-figure sums or more – they encourage cyber criminals to continue with attacks that often can't be traced back to a culprit.
Read the full article here: https://www.zdnet.com/article/ransomware-why-paying-the-crooks-can-actually-cost-you-more-in-the-long-run/
This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones
A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.
Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.
The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications, secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.
The full capabilities of Mandrake – which has been observed targeting users across Europe and the Americas – are detailed in a paper released by cybersecurity researchers this week. Mandrake has been active since 2016 and researchers previously detailed how the spyware operation was specifically targeting Australian users – but now it's targeting victims around the world.
Companies wrestle with growing cyber security threat: their own employees
Businesses deploy analytic tools to monitor staff as remote working increases data breach risk
As cyber criminals and hackers ramp up their attacks on businesses amid coronavirus-related disruption, companies are also facing another equally grave security threat: their own employees.
Companies are increasingly turning to Big Brother-style surveillance tools to stop staff from leaking or stealing sensitive data, as millions work away from the watchful eyes of their bosses and waves of job cuts leave some workers disgruntled.
In particular, a brisk market has sprung up for cyber security groups that wield machine learning and analytics to crunch data on employees’ activity and proactively flag worrying behaviours.
Read more here: https://www.ft.com/content/cae7905e-ced7-4562-b093-1ab58a557ff4
Cognizant: Ransomware Costs Could Reach $70m
IT services giant Cognizant has admitted that a ransomware attack it suffered back in April may end up costing the company as much as $70m.
The firm announced revenue of $4.2bn for the first quarter of 2020, an increase of 2.8% year-on-year. In this context, the $50-70m hit it expects to take in Q2 from the ransomware attack will not make a huge impact on the company.
However, the big numbers involved are illustrative of the persistent financial threat posed by ransomware, not to mention the reputational impact on customers.
The firm claimed on an earnings call that the company responded immediately to the threat, proactively taking systems offline after some internal assets were compromised. However, the resulting downtime and suspension of some customer accounts took their toll financially.
“Some clients opted to suspend our access to their networks,” they explained. “Billing was therefore impacted for a period of time, yet the cost of staffing these projects remained on our books.”
Remote workers were also affected as the attack hit the firm’s system for supporting its distributed workforce during the current pandemic.
Read more: https://www.infosecurity-magazine.com/news/cognizant-ransomware-costs-could/
Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months
Package and mail delivery giant Pitney Bowes has suffered a second ransomware attack in the past seven months, ZDNet has learned.
The incident came to light earlier in the week after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company's network.
The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company's computer network.
Pitney Bowes confirmed the incident stating they had detected a security incident related to Maze ransomware.
The company said it worked with third-party security consultants to take steps to stop the attack before any of its data was encrypted.
This is the second ransomware incident for Pitney Bowes in seven months.
In October 2019, Pitney Bowes disclosed a first ransomware attack. At the time, the company said it had some critical systems infected and encrypted by the Ryuk ransomware gang. The incident caused limited downtime to some package tracking systems.
Both the Ryuk and Maze ransomware gangs are what experts call "human-operated" ransomware strains. These types of ransomware infections take place after hackers breach a company's network, and take manual control of the malware to expand access to as many internal systems as possible before executing the actual ransomware to encrypt data and demand a ransom.
Read more here: https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/
Law Firm Representing Drake, Lady Gaga, Madonna And More Hit By Cyber Attack As Hackers Claim To Have Stolen Personal Information And Contracts
A law firm representing many of the world's most famous celebrities has been hacked.
The website of Grubman Shire Meiselas & Sacks has been taken offline, and hackers claim to have stolen some 756GB of data relating to its clients.
Singers, actors and other stars have worked with the law firm, according to old versions of its website, with more than 200 very high-profile celebrities and companies said to have used its services.
They include Madonna, Lady Gaga, Elton John and Drake.
The hackers behind the attack claim to have personal information on celebrities including letters, as well as official contracts.
Hackers have already released a purported screenshot of a Madonna contract in an attempt to prove they have access to personal files.
It is not known what the hackers are demanding in return for the files, or whether negotiations are ongoing.
"We can confirm that we've been victimised by a cyber-attack," the firm said in a media statement. "We have notified our clients and our staff.
"We have hired the world's experts who specialise in this area, and we are working around the clock to address these matters."
The hack used a piece of software known as REvil or Sodinokibi. Similar software took foreign exchange company Travelex offline in January, as part of a major hack.
Traditionally, such ransomware has been used to lock down computers and demand money from their owners to unlock them again, and grant access to files.
Increasingly, hackers threaten to release those files to the public if their demands are not met.
Read the original article: https://www.independent.co.uk/life-style/gadgets-and-tech/news/celebrity-hack-law-firm-cyber-attack-drake-madonna-lady-gaga-a9511976.html
Lights stay on despite cyber-attack on UK's electricity system
Britain’s energy system has fallen victim to a cyber-attack targeting the IT infrastructure used to run the electricity market.
The electricity system’s administrator, Elexon, confirmed that it was affected by a cyber-attack on Thursday afternoon but that the key systems used to govern the electricity market were not affected.
National Grid is investigating whether the attack could affect the part of its business tasked with keeping the lights on.
A spokesman for the energy system operator said electricity supplies had not been affected, and there were “robust cybersecurity measures in place” to make sure the UK continues to receive reliable electricity.
“We’re aware of a cyber intrusion on Elexon’s internal IT systems. We’re investigating the matter and any potential impact on our own IT networks,” he said.
Elexon is a vital part of the UK electricity market because it carefully monitors the electricity generated by energy companies to match this with what National Grid expects to receive, and to make sure that generators are paid the correct amount for the energy they generate.
Cyber Weekly Flash Briefing 01 May 2020 – 50% of users feel vulnerable WFH, yet many have had no infosec training in last year, spear-phishing compromises execs in 150+ companies, Sophos zero-day
Cyber Weekly Flash Briefing for 01 May 2020 – Half of users feel vulnerable WFH and many have had no infosec training in last year, spear-phishing compromises execs in 150+ companies, Chrome vulns, Sophos firewall zero-day exploited
Half of remote workers feel vulnerable to growing cyber attacks
New research has revealed that almost half (49%) of employees working remotely feel vulnerable online due to the insecurity of the company laptops and PCs they are using to connect to corporate networks.
1,550 UK employees working from home during the pandemic were surveyed to better understand the security issues they've faced while working remotely.
The survey found that 42 percent of respondents received suspicious emails while 18 percent have dealt with a security breach while working from home. Of those who suffered a cyberattack, over half (51%) believed it was because they clicked on a malicious link and 18 percent believed an infected attachment was responsible.
Additionally, 42 percent of respondents reported that someone else in their household had experienced a hack of their social media accounts during the lockdown.
Read more here: https://www.techradar.com/news/half-of-remote-workers-feel-vulnerable-to-growing-cyberattacks
Many remote workers given no cyber security training
Two in three remote workers have not received any cyber security training in the past 12 months, according to a new report.
Based on a poll of 2,000 remote workers in the UK, the report states that more than three quarters (77 percent) are unconcerned about cyber security. Further, more than six in ten said they use personal devices when working from home, which poses a distinct threat to business data.
The report highlights the dangers associated with working from home and the fact cyber criminals are capitalising on the coronavirus outbreak to infect unwitting victims with malware.
With most businesses transitioning to remote working in response to lockdown measures, IT and security teams have been left with a network of unsecured, often naive workers who are easy prey for various forms of attack - especially phishing.
Read the full article here: https://www.itproportal.com/news/many-remote-workers-given-no-cybersecurity-training/
Spear-phishing campaign compromises executives at 150+ companies
A cyber crime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today.
The group, codenamed PerSwaysion, appears to have targeted the financial sector primarily, which accounted for more than half of its victims; although, victims have been recorded at companies active across other verticals as well.
PerSwaysion operations were not sophisticated, but have been extremely successful, nonetheless. Group-IB says the hackers didn't use vulnerabilities or malware in their attacks but instead relied on a classic spear-phishing technique.
They sent booby-trapped emails to executives at targeted companies in the hope of tricking them into entering Office 365 credentials on fake login pages.
Read the full article here: https://www.zdnet.com/article/spear-phishing-campaign-compromises-executives-at-150-companies/
Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway
Just because ransomware attackers haven't threatened to leak your company's data, it doesn't mean they haven't stolen it, Microsoft warns.
And human-operated ransomware gangs – typically associated with multi-million dollar ransom demands – haven't halted activity during the global coronavirus pandemic.
In fact, they launched more of the file-encrypting malware on target networks in the first two weeks of April than in earlier periods, causing chaos at aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, according to Microsoft.
Google Confirms New Security Threat For 2 Billion Chrome Users
Google has warned of yet more security vulnerabilities in Chrome 81, which was only launched three weeks ago.
Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.
These popular antivirus tools share a major security flaw
More than two dozen popular antivirus solutions contain a flaw that could enable hackers to delete files, trigger crashes and install malware, according to a new report.
Popular antivirus solutions such as Microsoft Defender, McAfee Endpoint Security and Malwarebytes all feature the bug, which is described as “trivial” to abuse.
The report refers to the shared vulnerability as “symlink race” – the use of symbolic links and directory junctions to link malicious files to legitimate counterparts. This all occurs in the short space of time between an antivirus scanning and deleting a file.
"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponising the tactics outlined in this blog post," said the report.
Read more: https://www.itproportal.com/news/these-popular-antivirus-tools-could-have-major-security-flaws/
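The race described above is a time-of-check/time-of-use bug in the scanner's own delete path. As an added example, not code from the report or from any antivirus vendor, the C below shows one way a scanner can remove a quarantined sample without being redirected: it pins the sample's directory with a handle at scan time and deletes relative to that handle after re-verifying the inode. It is POSIX only (a symlink stands in for the Windows directory junction the report also mentions), and all names, the `av_` functions and the temp-directory layout are assumptions made up for the demo.

```c
/* Symlink-race-safe delete: added example, not code from the report or any
 * vendor.  POSIX only (Linux/macOS); it uses a symlink where Windows would
 * use a directory junction.  All names and the temp-dir layout are made up. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum av_result { AV_DELETED = 0, AV_REFUSED_CHANGED, AV_ERROR };

/* Pins the directory as it was at scan time; its path is never re-resolved. */
struct av_scan {
    int dirfd;          /* O_DIRECTORY|O_NOFOLLOW handle to the directory */
    char name[256];     /* final path component, relative to dirfd */
    struct stat ident;  /* dev+inode of the regular file actually scanned */
};

/* "Scan" step: open the parent directory without following symlinks, then
 * stat the entry relative to that handle.  Returns 0, or -1 if the entry is
 * not a plain regular file or on error. */
int av_scan_open(const char *dir, const char *name, struct av_scan *s)
{
    if (strlen(name) >= sizeof s->name || strchr(name, '/')) return -1;
    s->dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (s->dirfd < 0) return -1;
    if (fstatat(s->dirfd, name, &s->ident, AT_SYMLINK_NOFOLLOW) < 0 ||
        !S_ISREG(s->ident.st_mode)) {
        close(s->dirfd);
        return -1;
    }
    strcpy(s->name, name);
    return 0;
}

/* "Delete" step: re-check through the pinned handle and unlink only the inode
 * that was scanned.  A symlink planted at the directory's path after the scan
 * cannot redirect this; a swap inside the pinned directory stays confined to
 * a directory the scanner already controls. */
enum av_result av_delete_verified(struct av_scan *s)
{
    struct stat now;
    enum av_result r;
    if (fstatat(s->dirfd, s->name, &now, AT_SYMLINK_NOFOLLOW) < 0)
        r = AV_ERROR;
    else if (!S_ISREG(now.st_mode) || now.st_dev != s->ident.st_dev ||
             now.st_ino != s->ident.st_ino)
        r = AV_REFUSED_CHANGED;
    else
        r = unlinkat(s->dirfd, s->name, 0) == 0 ? AV_DELETED : AV_ERROR;
    close(s->dirfd);
    return r;
}

static int write_file(int dirfd, const char *rel, const char *text)
{
    int fd = openat(dirfd, rel, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: scan quarantine/sample.bin, then, between scan and
 * delete, swap the "quarantine" directory for a symlink to "victim", so the
 * *path* quarantine/sample.bin now names victim/sample.bin.  Returns 1 if
 * the scanned file was removed and the victim file survived, else 0. */
int av_symlink_race_demo(void)
{
    char root[] = "/tmp/avraceXXXXXX", qdir[64];
    struct av_scan s;
    struct stat st;
    int rootfd, ok = 0;
    if (!mkdtemp(root)) return 0;
    snprintf(qdir, sizeof qdir, "%s/quarantine", root);
    if ((rootfd = open(root, O_RDONLY | O_DIRECTORY)) < 0) return 0;
    if (mkdirat(rootfd, "quarantine", 0700) || mkdirat(rootfd, "victim", 0700) ||
        write_file(rootfd, "quarantine/sample.bin", "malware") ||
        write_file(rootfd, "victim/sample.bin", "do not delete"))
        goto out;
    /* 1. scanner inspects the sample and pins its directory */
    if (av_scan_open(qdir, "sample.bin", &s)) goto out;
    /* 2. race window: directory moved aside, symlink planted in its place */
    if (renameat(rootfd, "quarantine", rootfd, "aside") ||
        symlinkat("victim", rootfd, "quarantine")) goto out;
    /* 3. delete via the pinned handle: only aside/sample.bin goes away */
    if (av_delete_verified(&s) != AV_DELETED) goto out;
    ok = fstatat(rootfd, "aside/sample.bin", &st, AT_SYMLINK_NOFOLLOW) < 0 &&
         fstatat(rootfd, "victim/sample.bin", &st, AT_SYMLINK_NOFOLLOW) == 0;
out: /* best-effort cleanup of the constructed tree */
    unlinkat(rootfd, "victim/sample.bin", 0); unlinkat(rootfd, "aside/sample.bin", 0);
    unlinkat(rootfd, "quarantine", 0); unlinkat(rootfd, "quarantine", AT_REMOVEDIR);
    unlinkat(rootfd, "victim", AT_REMOVEDIR); unlinkat(rootfd, "aside", AT_REMOVEDIR);
    close(rootfd); rmdir(root);
    return ok;
}
```

A delete that re-resolves the full path with `unlink()` at step 3 would instead follow the planted symlink and hit victim/sample.bin, which is the behaviour the report describes.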
Hackers are exploiting a Sophos firewall zero-day
Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.
Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."
After investigating the report, Sophos determined this was an active attack and not an error in its product.
Read more: https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
This sophisticated new Android trojan threatens hundreds of financial apps
Researchers have discovered a sophisticated new Android trojan that bypasses security measures and scrapes data from financial applications.
First identified in March, the EventBot banking trojan abuses Android’s accessibility features to harvest financial data and intercept SMS messages, allowing the malware to circumvent two-factor authentication.
According to the firm responsible for the discovery, EventBot targets over 200 financial applications, spanning banking, money transfer and cryptocurrency wallet services.
Affected applications include those operated by major players such as HSBC, Barclays, Revolut, PayPal and TransferWise - but many more are thought to be at risk.
Microsoft Office 365: US issues security alert over rushed remote deployments
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic.
CISA warns that it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers.
"In recent weeks, organizations have been forced to change their collaboration methods to support a full 'work from home' workforce," CISA notes in the new alert.
Financial sector is seeing more credential stuffing than DDoS attacks
The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years, according to a report published this week.
The statistics cover attacks carried out against banks, credit unions, brokers, insurers, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (SaaS) providers.
The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical.
The report states that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019. This includes all the ATO variations such as:
· Brute-force attacks - attackers try common or weak username/password pairs (from a preset list) to brute-force their way into an account
· Credential stuffing - attackers try username/password pairs leaked at other sites
· Password spraying - attackers try the same password, but against different usernames
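The three ATO variants listed above leave different shapes in an authentication log, and that shape is what a detection rule can key on. The following is an added example written for this briefing, not code from the report it summarises; the log format, thresholds and sample lines are all constructed, and it flags brute force (many failures on one account from one source) separately from the low-and-slow spread of credential stuffing and password spraying (few tries each across many accounts), which look alike from failures alone.

```python
"""Classify login-failure patterns from one source into the account-takeover
(ATO) variants described above. The log format, thresholds and sample lines
are constructed for this example and are not taken from any real product."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed log format, one event per line:
#   <ISO timestamp> src=<ip> user=<name> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    fails: dict = field(default_factory=lambda: defaultdict(int))  # user -> failed attempts
    successes: set = field(default_factory=set)                     # users that logged in


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group failures and successes per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        s = stats[ev["src"]]
        if ev["result"] == "fail":
            s.fails[ev["user"]] += 1
        else:
            s.successes.add(ev["user"])
    return stats


def classify(stats, brute_threshold=10, spread_threshold=5, per_user_max=3):
    """Return {src_ip: verdict} with verdicts 'brute_force',
    'stuffing_or_spraying' or 'benign'. Thresholds are illustrative."""
    verdicts = {}
    for src, s in stats.items():
        if any(n >= brute_threshold for n in s.fails.values()):
            # one account hammered with many guesses: brute force
            verdicts[src] = "brute_force"
        elif len(s.fails) >= spread_threshold and max(s.fails.values()) <= per_user_max:
            # many accounts, few tries each: spraying and stuffing are
            # indistinguishable from failures alone; successes mixed in
            # suggest stuffing with real leaked username/password pairs
            verdicts[src] = "stuffing_or_spraying"
        else:
            verdicts[src] = "benign"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts that logged in successfully from a source flagged as attacking,
    i.e. the candidates for a forced password reset and session revocation."""
    hits = set()
    for src, verdict in verdicts.items():
        if verdict != "benign":
            hits |= stats[src].successes
    return sorted(hits)


# Constructed sample log: a brute-force source, a stuffing/spraying source
# that lands one real account, and a legitimate user who mistyped twice.
SAMPLE_LOG = (
    [f"2020-04-28T10:00:{i:02d} src=198.51.100.7 user=alice result=fail" for i in range(12)]
    + [f"2020-04-28T10:01:{i:02d} src=203.0.113.9 user={u} result=fail"
       for i, u in enumerate(["carol", "dave", "erin", "grace", "heidi", "ivan"])]
    + ["2020-04-28T10:01:30 src=203.0.113.9 user=frank result=ok"]
    + ["2020-04-28T10:02:00 src=192.0.2.4 user=bob result=fail",
       "2020-04-28T10:02:05 src=192.0.2.4 user=bob result=fail",
       "2020-04-28T10:02:10 src=192.0.2.4 user=bob result=ok"]
)

if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    verdicts = classify(stats)
    for src, verdict in verdicts.items():
        print(f"{src:15} {verdict}")
    print("accounts to reset:", compromised_accounts(stats, verdicts))
```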
Read more here: https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/
This buggy WordPress plugin allows hackers to lace websites with malicious code
Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.
The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend - and reportedly features on over 100,000 sites.
The exploit abuses a Cross-Site Request Forgery (CSRF) flaw in the plugin, which an attacker can use to push infected content to the website and create new admin accounts.
Read more here: https://www.techradar.com/news/this-buggy-wordpress-plugin-allows-hackers-to-lace-websites-with-malicious-code
Zoom Gets Stuffed: Here’s How Hackers Got Hold Of 500,000 Passwords
At the start of April, the news broke that 500,000 stolen Zoom passwords were up for sale. Here's how the hackers got hold of them.
More than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums earlier this month. Some were given away for free while others were sold for as low as a penny each.
Researchers at a threat intelligence provider obtained multiple databases containing Zoom credentials and got to work analysing exactly how the hackers got hold of them in the first place.
Read more here: https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/#6586d7be5cdc
Sophisticated Android Spyware Attack Spreads via Google Play
The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia — and could be the work of the OceanLotus APT.
A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.
Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.
The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.
Read more here: https://threatpost.com/sophisticated-android-spyware-google-play/155202/
Skype phishing attack targets remote workers
Remote workers have been warned to take extra care when using video conferencing software after a new phishing scam was uncovered.
Researchers from a security firm have revealed hackers are using emails pretending to be from Skype, the popular Microsoft-owned video calling tool, in order to trick home workers into handing over their login details.
Criminals could then use these logins to access corporate networks to spread malware or steal valuable information.
Read more here: https://www.techradar.com/news/skype-phishing-attack-targets-remote-workers
Cyber Weekly Flash Briefing for 17 April 2020 – More Top Companies Ban Zoom, Microsoft fixes 3 zero-days, 2 being actively exploited, 500,000 Zoom accounts sold online, Sinister new Botnet
More top companies ban Zoom following security fears
As usage of Zoom rises amidst the global pandemic, more companies are telling their staff to stay off the video conferencing service due to security concerns.
Among the latest organisations to block the use of Zoom are German industrial giant Siemens, which sent out an internal circular urging its employees to not use the tool for video conferencing, with Standard Chartered Bank also issuing a similar note to its staff.
The latter has told employees to avoid Google Hangouts, which has also emerged as another popular teleconferencing application in recent weeks.
Read more here: https://www.techradar.com/uk/news/more-top-companies-ban-zoom-following-security-fears
Over 500,000 Zoom accounts sold on hacker forums, the dark web
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.
These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.
Read more here: https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/
Microsoft April 2020 Patch Tuesday fixes 3 zero-days – 2 of which are being actively exploited – and 15 critical flaws
Microsoft's April 2020 Patch Tuesday fell this week, and with everything going on, it is going to be particularly stressful for Windows administrators.
With the release of the April 2020 security updates, Microsoft has released fixes for 113 vulnerabilities in Microsoft products. Of these vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as Moderate, and 2 as Low.
Of particular interest, Microsoft patched three zero-day vulnerabilities, with two of them being seen actively exploited in attacks.
Users should install these security updates as soon as possible to protect Windows from known security risks.
Read more here: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2020-patch-tuesday-fixes-3-zero-days-15-critical-flaws/
Hackers Are Selling a Critical Zoom Zero-Day Exploit for £400,000
Hackers are selling two critical vulnerabilities for the video conferencing software Zoom, one for Windows and one for MacOS, that would allow someone to hack users and spy on their calls.
The two flaws are so-called zero-days, and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale.
Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they’re in, they can be sold for thousands or even millions of dollars.
Phishing kit prices skyrocketed in 2019 by 149%
The average price of a phishing kit sold on cybercrime markets went up by 149% in 2019, according to new findings released this week based on analysis of ads posted on known cybercrime markets and hacking forums.
The average price of a phishing kit sold on the cybercrime underground skyrocketed to $304 in 2019, up from only $122 recorded in 2018.
Phishing kit prices rose despite an increase in the number of kit sellers (up by 120%) and the number of phishing kit ads (doubled in 2019).
Of the 16,200 phishing kits identified and tracked in 2019, the most targeted login pages were for Amazon, Google, Instagram, Office 365, and PayPal.
Amazon and PayPal are known targets of phishing operations, as access to both accounts can allow hackers to make fraudulent transactions with victims' funds.
More here: https://www.zdnet.com/article/phishing-kit-prices-skyrocketed-in-2019-by-149/
A Sinister New Botnet Could Prove Nearly Impossible To Stop
Security researchers have discovered an emerging threat that they fear could be nearly unstoppable. This growing botnet has already managed to enslave nearly 20,000 computers.
It is known as DDG, and it’s been lurking in the shadows for at least two years. DDG was first discovered in early 2018.
Back then the nascent botnet had control of just over 4,000 so-called zombies and used them to mine the Monero cryptocurrency. Much has changed since then.
Today’s incarnation of DDG isn’t just five times larger. It’s also much more sophisticated.
One of its distinguishing features is its command and control system. Most botnets are designed around a client/server model. Infected machines listen for instructions from the servers and then carry out their orders.
MSC Data Centre Closes Following Suspected Cyber-Attack
A container shipping company has said malware could be to blame for the closure of one of its data centres last week.
The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing.
The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company's myMSC portal.
A message posted from the Twitter account MSC Cargo on April 10 stated: "We are sorry to inform you that http://MSC.com and myMSC are currently not available as we've experienced a network outage in one of our data centers. We are working on fixing the issue."
As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.
Read the original article here: https://www.infosecurity-magazine.com/news/msc-suffers-suspected-cyberattack/
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors
A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.
Read more here: https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory
Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf
Travelex paid $2.3M in Bitcoin to get its systems back from hackers
Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.
The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.
Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.
Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.
Travelex's operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.
At the time, BBC claimed that Travelex's attackers had demanded $6 million worth of Bitcoin to unlock its systems.
Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess
The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.
The company announced that it is enlisting CISOs to help improve security and patch the flaws in the app, including CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook, to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.
Read more here: https://mspoweruser.com/zoom-ciso-hires-ex-facebook-cso-clean-its-mess/
Researchers discover IoT botnet capable of launching various DDoS attacks
Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.
According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.
Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.
Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.
Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/
Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees
Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.
Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.
“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”
Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/
Stolen Zoom account credentials are freely available on the dark web
Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom accounts have been found on the dark web.
The credentials were hardly hidden, aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.
Read more: https://betanews.com/2020/04/08/zoom-account-credentials-dark-web/
Shadow IT Represents Major #COVID19 Home Working Threat
Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.
A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.
It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.
These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.
Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.
These challenges are only going to grow, according to the research.
Read more here: https://www.infosecurity-magazine.com/news/shadow-it-covid19-home-working/
'Unkillable' Android malware gives hackers full remote access to your phone
Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.
A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.
The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.
Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources.
xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.
Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android
BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.
The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.
The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.
Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).
More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats
Bot traffic fueling rise of fake news and cybercrime
The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.
At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.
A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.
According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.
The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.
Read more here: https://www.techradar.com/news/bot-traffic-fueling-rise-of-fake-news-and-cybercrime
Cyber Weekly Flash Briefing 03 April 2020 – GFSC warn over increased fraud & cybercrime, attacks up 37% in a month, criminals sending USB devices in post, Zoom phishers register 2000 domains
Cyber Weekly Flash Briefing for 03 April 2020 – GFSC warns over increased risk of fraud and cyber crime, Attacks Up 37% over last month, criminals sending USB device in post, Zoom Phishers Register 2000 Domains in a Month, increase in DDoS attacks
GFSC warns over increased risk of fraud and cyber crime
The GFSC has put out a warning to regulated firms on the Island around increased likelihood of fraud and other cyber crimes as a result of the COVID-19 pandemic.
The Commission has stated that they expect licensees to apply effective controls, including having suitable controls to prevent cybercrime.
Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites
Online threats have risen by as much as six times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks.
Analysis of UK traffic figures for the past four weeks compared to the previous month noted a sharp uptick in malicious activity.
Hacking and phishing attempts were up 37% month-on-month, while on some days there were between four and six times the number of attacks the firm would usually see.
More here: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/
Cybercrime spikes during coronavirus pandemic, says Europol
Just like everyone else in the face of a pandemic, criminals seem to be staying home — but they're just turning to different methods to make a buck.
That's the message from a new Europol report out this week, which reveals that criminals are adapting to exploit the global chaos.
While many police departments are reporting a lull in physical crime, other types of crime are having a heyday — and those numbers are only expected to increase.
Europol identified cybercrime, fraud, counterfeit goods and organised property crime as categories of particular concern.
Read more here: https://www.euronews.com/2020/03/27/cybercrime-spikes-during-coronavirus-pandemic-says-europol
Cybercriminal group mails malicious USB dongles to targeted companies
Security researchers have come across an attack where a USB dongle was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time a known sophisticated cybercriminal group is likely behind it.
The attack was analysed after a US company in the hospitality sector received the USB sometime in mid-February.
The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer. "You can spend it on any product from the list of items presented on an USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.
Top Email Protections Fail in Latest COVID-19 Phishing Campaign
Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.
New phishing attacks were discovered that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area.
The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, the researchers said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to the report.
More: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/
Zoom Phishers Register 2000 Domains in a Month
Over 2000 new phishing domains have been set up over the past month to capitalise on the surging demand for Zoom from home workers, according to new data.
The report analysed data from a threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.
The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.
With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.
Nearly a third (30%) of the new “Zoom” websites spotted activated an email server which indicates these domains are being used to facilitate phishing attacks.
More here: https://www.infosecurity-magazine.com/news/zoom-phishers-register-2000/
Across-the-board increase in DDoS attacks of all sizes
There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to a report.
DDoS attacks grew across all size categories in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.
In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.
However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.
Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.
More here: https://www.helpnetsecurity.com/2020/03/27/ddos-attacks-increase-2020/
Cybersecurity insurance firm Chubb investigates its own ransomware attack
A notorious ransomware gang claims to have successfully compromised the infrastructure of a company selling cyber insurance.
The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.
The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.
Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.
Read the full article here: https://hotforsecurity.bitdefender.com/blog/cybersecurity-insurance-firm-chubb-investigates-its-own-ransomware-attack-22753.html
Ransomware Payments on the Rise
More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.
New research published this week shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.
The report states 62% of organisations were victimised by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.
Read the full article here: https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments/
Marriott hit by second data breach exposing “up to” 5.2 million people
Hotel chain Marriott International this week announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
The hotel company has stressed that not all data was exposed for each person.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.
More here: https://www.verdict.co.uk/marriott-second-data-breach/
Lawyers urged to switch off Alexa when working from home
Law firms are warning their employees to turn off their smart speakers while working from home due to security concerns.
Smart speakers such as Amazon’s Echo series and Google’s Nest range have become wildly popular in Britain with an estimated 34pc of households now using them.
But privacy and security experts have repeatedly said the devices may pose a security threat and now law firms have advised staff not to disclose sensitive details when they are in use nearby.
A spokesman from one firm of solicitors said that hackers could access sensitive details through the speakers, telling staff to check the default settings on the speaker and, to the extent they can, switch them off during the working day.
More here: https://www.telegraph.co.uk/technology/2020/03/30/lawyers-urged-switch-alexa-working-home/
Cyber Weekly Flash Briefing for 13 March 2020 – more Coronavirus based phishing, adapting ways of working, emergency Microsoft patch, businesses breached due to employee error, IoT traffic unencrypted
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
More coronavirus phishing campaigns detected
Caution required when accessing coronavirus-related emails.
Cybercriminals often use major global events to spread malware and steal data, and the recent coronavirus outbreak is no different.
Security experts have identified two phishing campaigns that take advantage of coronavirus concerns to infect devices with the Agent Tesla keylogger.
According to the report, cybercriminals are distributing emails that appear to originate from the Centers for Disease Control and Prevention (CDC) or the World Health Organisation (WHO). The emails claim the virus is now airborne and that new cases have been confirmed in the victim’s vicinity.
Attached to the messages is a file named "SAFETY PRECAUTIONS", which looks like an Excel document but is in fact an executable file (.exe) that installs the trojan.
More here: https://www.itproportal.com/news/more-coronavirus-phishing-campaigns-detected/
How coronavirus COVID-19 is accelerating the future of work
The coronavirus is forcing enterprises to rethink the way they do business and dust off policies for security, business continuity, and remote workers. Chances are that some of these efforts will stick.
The coronavirus outbreak may speed up the evolution of work and ultimately retool multiple industries as everything from conferences to collaboration to sales and commercial real estate are rethought.
Read the original article here: https://www.zdnet.com/article/how-coronavirus-may-accelerate-the-future-of-work/
Millions of UK businesses experience data breaches due to employee error
Employees often click on fraudulent links and can't spot a phishing email.
Employee error is the cause of 60 percent of all data breaches among UK businesses according to a new report from insurance broker Gallagher.
Polling 1,000 UK business leaders, Gallagher found the most common cause (39 percent) of employee-related breaches was malware downloaded accidentally via fraudulent links.
Phishing is also a major risk factor, responsible for 35 percent of infections, while employees pushing sensitive data outside company systems accounted for a further 28 percent.
The report also claims that almost a third of affected businesses (30 percent) have had their operations knocked out for four to five days as a result of employee error.
Respondents also reported reputational damage (14 percent) and financial consequences (12 percent), which included fines issued by data privacy regulators.
Most executives (71 percent) are aware of the problem and almost two thirds (64 percent) said they regularly remind employees about the risk of cyber crime.
Virtually all businesses are at risk of a cyber attack and as this research shows, it is often an employee mistake which causes the problem.
AMD processors going back to 2011 suffer from worrying security holes
A pair of freshly revealed attacks have not yet been patched.
AMD’s processors from as early as 2011 through to 2019 are carrying vulnerabilities that are as yet unpatched, according to some freshly published research.
Known as ‘Take A Way’ (every security problem needs a snappy name, of course), security researchers said that they reverse-engineered the L1D cache way predictor in AMD silicon in order to discover two new potential attack vectors.
Given all the attention which has been focused on the flaws in Intel’s CPUs in recent times – vulnerabilities which haven’t affected AMD chips in a number of cases – this might just serve as a reminder that no one’s silicon is bulletproof.
More here: https://www.techradar.com/news/amd-processors-going-back-to-2011-suffer-from-worrying-security-holes
F-Secure reports a steep rise in hacking attempts
The latest Attack Landscape H2 2019 report from F-Secure has found that there has been a jump in the volume of cyber attacks targeting internet users.
In the report, F-Secure said that in the first half of 2019, the company’s global network of honeypots experienced a jump in cyber attack traffic.
The volume of such attacks rose from 246 million in H1 2017 to 2.9 billion in H1 2019. In the second half of the year, according to F-Secure, the pace of attack traffic continued but at a slightly reduced rate. F-Secure said there were 2.8 billion hits to its honeypot servers in H2 2019. Distributed Denial of Service (DDoS) attacks drove this deluge, accounting for two-thirds of the traffic.
Its research found that the US is the country whose IP space played host to the greatest number of attacks, followed by China and Russia.
More here: https://www.computerweekly.com/news/252479470/F-secure-reports-a-steep-rise-in-hacking-attempts
This ransomware campaign has just returned with a new trick
Paradise ransomware is back again - and the criminals behind it appear to be testing out new tactics ahead of what could be a more prolific campaign.
A ransomware campaign has returned with a new trick to fool the unwary into compromising their network with file-encrypting malware. And it's an attack that many Windows machines won't even recognise as potentially malicious.
The new variant of Paradise ransomware, which has been active in one form or another since 2017, spreads via phishing emails, but it's different from other ransomware campaigns because it uses an uncommon – but effective – file type to infiltrate the network.
This campaign leverages Internet Query files (IQY), which are text files read by Microsoft Excel to download data from the internet. IQY is a legitimate file type, so many organisations won't block it.
More here: https://www.zdnet.com/article/this-ransomware-campaign-has-just-returned-with-a-new-trick/
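An .iqy file is plain text: a first line of `WEB`, a version line, the URL Excel will fetch, then `key=value` options. The check below, an added example that is not code from the article or from any vendor, parses that layout and flags attachments whose query points outside an assumed internal allowlist; the allowlist and the sample files are constructed.

```python
"""Flag Internet Query (.iqy) attachments whose web query reaches outside an allowlist.

Added example, not from the original article. The allowlist and sample files
are constructed for illustration.
"""
from urllib.parse import urlparse

# Hypothetical set of hosts this organisation expects Excel web queries to reach.
ALLOWED_HOSTS = {"intranet.example.internal", "reports.example.internal"}

# Constructed sample attachments: one internal query, one reaching an outside host.
SAMPLE_BENIGN = (
    "WEB\n1\nhttps://reports.example.internal/q.asp\n"
    "Selection=AllTables\nFormatting=None\n"
)
SAMPLE_SUSPECT = (
    "WEB\n1\nhttp://attacker-placeholder.invalid/in.php\n"
    "Selection=AllTables\nFormatting=None\n"
)


def parse_iqy(text: str) -> dict:
    """Parse the .iqy text layout: line 1 'WEB', line 2 version, line 3 URL, then options."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB-type IQY file")
    options = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def classify_iqy(text: str) -> str:
    """Return 'allow', 'block' or 'invalid' for one .iqy attachment body."""
    try:
        query = parse_iqy(text)
    except ValueError:
        return "invalid"  # malformed files are worth a human look rather than delivery
    parsed = urlparse(query["url"])
    host = (parsed.hostname or "").lower()
    # Only plain web queries to known internal hosts are allowed through.
    if parsed.scheme.lower() not in ("http", "https") or host not in ALLOWED_HOSTS:
        return "block"
    return "allow"


if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, "->", classify_iqy(body))
```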
Ransomware Threatens to Reveal Company's 'Dirty' Secrets
Sticking with ransomware, the operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
In a new post by the Sodinokibi operators to their data leak site, the attackers are not only publishing the victim's data but also sifting through it to find damaging information that can be used against the victim.
In that post, the attackers threaten to sell the Social Security Numbers and dates of birth of people in the data to other hackers on the dark web.
They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
Microsoft Releases Emergency Patch for Wormable Bug That Threatens Corporate LANs
Microsoft released an emergency out-of-band patch on Thursday to fix a wormable SMBv3 bug, details of which leaked earlier this week. The patch for the vulnerability is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.
On Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017.
The critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft’s Patch Tuesday release this week.
Read more here: https://threatpost.com/wormable-unpatched-microsoft-bug/153632/
Nearly all IoT traffic is unencrypted
IoT devices are considered "low-hanging fruit" among cybercriminals.
Practically all of the traffic flowing from Internet of Things (IoT) devices is not encrypted, putting both businesses and their customers at unnecessary risk of data theft and the further attacks that follow from it.
This is according to a new report which analysed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organisations, finding that 98 per cent of all IoT device traffic is unencrypted.
That basically means that if intercepted, the data could be easily read and used.
So the question arises – how easy is it to eavesdrop on the data exchange between IoT devices and their respective servers? The report claims 57 per cent of IoT devices are vulnerable to either medium or high-severity attacks. IoT is perceived as “low-hanging fruit” for cybercriminals.
Read more here: https://www.itproportal.com/news/nearly-all-iot-traffic-is-unencrypted/
Microsoft takes down global zombie bot network
Microsoft has said it was part of a team that dismantled an international network of zombie bots.
The network, called Necurs, infected over nine million computers and was one of the world's largest botnets.
Necurs was responsible for multiple criminal scams including stealing personal information and sending fake pharmaceutical emails.
Cyber-criminals use botnets to remotely take over internet-connected devices and install malicious software.
The software can be used to send spam, collect information about what activity the computer is used for or delete information without notifying the owner.
Tom Burt, Microsoft's vice-president for customer security and trust, said in a blog post that the takedown of Necurs was the result of eight years of planning and co-ordination with partners in 35 countries.
Watch out for Office 365 and G Suite scams, FBI warns businesses
The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.
Bang on cue, the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 and Google G Suite.
Warnings about BEC are ten-a-penny but this one refers specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:
Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.
As organisations move to hosted email, criminals migrate to follow them.
As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.
For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.
The deeper question is why BEC scams continue to be such a problem when it’s well understood that they can be defended against using technologies such as multi-factor authentication (MFA).
Microsoft Exchange Server Flaw Exploited by multiple nation state (APT) groups
A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.
Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
More: https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/
Cyberattackers are delivering malware by using links from whitelisted sites
Legitimate-looking links from OneDrive, Google Drive, iCloud, and Dropbox slip by standard security measures.
Bad actors have added a new snare to their bag of social engineering tricks: malicious OneDrive, Google Drive, iCloud, and Dropbox links. A new whitepaper asking "Is SaaS the New Trojan Horse in the Age of the Cloud?" describes this latest attack vector.
Links to these legitimate sites can often slip by standard security measures that stop malware and block access to suspicious sites. Many of these services are whitelisted by security products because they are approved services, meaning that an enterprise has few or no defences against these advanced attacks. These services are the latest tactic designed to dupe users into divulging their credentials or unknowingly downloading and installing malware.
Tech Firms Offer Free Remote Working Tools, as Coronavirus Cases Surge
Move comes as companies scramble to polish remote working processes
Six technology companies are rolling out free or upgraded enterprise collaboration tools under a new “Open for Business” hub, in a bid to capture new users – and support enterprises scrambling to implement remote working protocols as coronavirus cases surge.
In the US, Amazon, Microsoft and Facebook have advised Seattle-area employees to work from home for the next few weeks. In the UK most companies are holding fire for now, but most are rapidly updating policies and assessing tools.
While large organisations might be able to work through some of the emerging provisioning issues that come with a surge of remote workers (for example, by increasing the number of licences for their firewalls and VPNs), many small businesses don’t have the ability to quickly provision the resources they need to support their employees when working remotely.
More here: https://www.cbronline.com/news/free-remote-working-tools