Threat Intelligence Blog

Antony Cleal

Week in review 29 September 2019: supply chain attacks hit defense firms, malspam contains malicious URLs, Microsoft block extensions to protect email, users mistakenly believe they can spot phishing

Round-up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Airbus hit by series of cyber attacks on suppliers

European aerospace giant Airbus has been hit by a series of attacks by hackers who targeted its suppliers in their search for commercial secrets, security sources told AFP, adding they suspected a China link.

There have been four major attacks on Airbus in the last 12 months, according to two security sources involved in investigating the hacking.

The group has long been considered a tempting target because of the cutting-edge technologies that have made it one of the world's biggest commercial plane manufacturers, as well as a strategic military supplier.

In January, it admitted to a security incident that "resulted in unauthorised access to data", but people with knowledge of the attacks outlined a concerted and far bigger operation over the last year.

Hackers targeted British engine-maker Rolls-Royce and the French technology consultancy and supplier Expleo, as well as two other French contractors working for Airbus that AFP was unable to identify.

Airbus and Rolls-Royce did not immediately reply to AFP's request for comment. Expleo said it would neither "confirm nor deny" that it had been targeted.

https://www.france24.com/en/20190926-airbus-hit-by-series-of-cyber-attacks-on-suppliers

Attacks have also targeted other defence contractors in Europe and North America this month:

https://www.bleepingcomputer.com/news/security/cyber-attacks-hit-defense-contractors-in-europe-and-north-america/


Most malspam contains a malicious URL these days, not file attachments

Most malicious email spam (malspam) sent in the first half of the year has contained links to malicious files, rather than file attachments, according to telemetry gathered by cyber-security firm Proofpoint.

More precisely, 85% of all malspam sent in Q2 2019 (April, May, and June) contained a link to a malicious file download, rather than the actual malicious file attached to the email.

The Q2 number continues a Q1 trend, where malicious URLs also dominated as the favourite way of distributing malware via email spam.

https://www.zdnet.com/article/most-malspam-contains-a-malicious-url-these-days-not-file-attachments/


Microsoft bans 38 file extensions from Outlook to stop you downloading viruses

Microsoft has banned 38 new file extensions from Outlook online, bringing the total number of forbidden file types to 104.

The company hasn't said exactly when the change will roll out, but it's expected to come into force very soon. When it does, you will no longer be able to download files with the blacklisted extensions unless your system admin has made a specific exception.

https://www.techradar.com/uk/news/microsoft-bans-38-file-extensions-from-outlook-to-stop-you-downloading-viruses
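The two items above describe the same control point from opposite sides: Proofpoint's telemetry says most malspam now carries a link rather than a file, and Outlook's extension block only helps against the file case unless an admin has granted an exception. As an added example (not code from either article, nor Microsoft's actual list of blocked extensions), the following Python helper triages a message by how it delivers its payload: it pulls http(s) URLs out of the text parts, lists attachments, and flags any attachment whose extension is on a blocklist unless that extension is in an admin exception set. The blocklist, the `admin_exceptions` parameter and both sample messages are constructed for illustration.

```python
"""Mail triage helper: classify a message by how it delivers a payload.

Added example; not code from the linked articles. BLOCKED_EXTENSIONS is a
constructed sample, not Microsoft's Outlook list (which the article does not
reproduce), and admin_exceptions is a hypothetical stand-in for an admin
override.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed illustrative blocklist: a few extensions commonly treated as
# executable content. Not the 104-entry Outlook list.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".jar"}

# Matches http(s) URLs up to the next whitespace or angle bracket/quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(msg: Message) -> list[str]:
    """Return every http(s) URL found in the text/* parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        urls.extend(URL_RE.findall(text))
    return urls


def attachment_names(msg: Message) -> list[str]:
    """Return the filenames of all parts that carry a filename."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def blocked_attachments(names, admin_exceptions=frozenset()) -> list[str]:
    """Filenames whose extension is blocked and not covered by an admin exception."""
    out = []
    for name in names:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS and ext not in admin_exceptions:
            out.append(name)
    return out


def classify(raw: str, admin_exceptions=frozenset()) -> dict:
    """Classify a raw RFC 822 message by its payload delivery method."""
    msg = message_from_string(raw)
    urls = extract_urls(msg)
    names = attachment_names(msg)
    blocked = blocked_attachments(names, admin_exceptions)
    if blocked:
        delivery = "blocked-attachment"   # would be stopped by the extension block
    elif names:
        delivery = "attachment"           # attachment present but not blocked
    elif urls:
        delivery = "url"                  # link-based delivery: block does not apply
    else:
        delivery = "none"
    return {"delivery": delivery, "urls": urls, "attachments": names, "blocked": blocked}


# Constructed sample: a link-based lure with no attachment at all.
SAMPLE_URL_LURE = """\
From: invoices@example.test
To: user@example.test
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Your invoice is ready: http://files.example.test/inv4471.doc
"""

# Constructed sample: a script attachment inside a multipart message.
SAMPLE_ATTACHMENT = """\
From: hr@example.test
To: user@example.test
Subject: Updated policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

See attached.
--XYZ
Content-Type: application/octet-stream; name="policy.js"
Content-Disposition: attachment; filename="policy.js"
Content-Transfer-Encoding: base64

Y29uc29sZS5sb2coMSk=
--XYZ--
"""

if __name__ == "__main__":
    print(classify(SAMPLE_URL_LURE))
    print(classify(SAMPLE_ATTACHMENT))
    print(classify(SAMPLE_ATTACHMENT, admin_exceptions=frozenset({".js"})))
```

The point the output makes is the one the Proofpoint numbers imply: the link lure comes back as `url` with nothing for an attachment filter to act on, while the `.js` attachment is `blocked-attachment` until an admin exception for `.js` turns it back into a plain `attachment`. URL detection therefore needs its own control (URL rewriting, sandboxed detonation or reputation checks at click time) rather than relying on the extension block.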


Employees are mistakenly confident that they can spot phishing emails

While a majority (79%) of people say they are able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work, according to a Webroot survey.

Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn’t take the basic step of changing their passwords following a breach.

Not only is this false confidence potentially harmful to an employee’s personal and financial data, but it also creates risks for companies and their data.

The report surveyed 4,000 office professionals from the U.S., U.K., Japan and Australia (1,000 per region) to determine what people know about phishing attacks, what makes them click on a potentially malicious link and other security habits.

There is no foolproof way to prevent being phished but taking a layered approach to cybersecurity including ongoing user training will significantly reduce risk exposure.

https://www.helpnetsecurity.com/2019/09/26/spot-phishing-emails/


Copycat Chrome extensions are filled with malware

Earlier this month, Google removed a pair of plugins from Chrome with over 1.5 million installs between them. Their names – AdBlock and ublock – might sound familiar, but they definitely weren't the real thing.

First spotted by the AdGuard adblocker team, the plugins were cunningly replicating the well-known and entirely reputable AdBlock by getadblock and uBlock Origin by Raymond Hill.

The fraudulent ad blockers even behaved realistically, simply blocking as normal for a couple of days, after which their behaviour changed to carry out 'cookie stuffing' fraud. At this point, the extension loads tracking cookies onto its users' systems, so its creators can pretend they've referred the user to various sites they might visit, and be rewarded for doing so.

More info and approaches on staying safe here:

https://www.wired.co.uk/article/fake-chrome-extensions-malware


Windows malware turns PCs into zombies

A new malware campaign responsible for infecting thousands of Windows PCs worldwide has been discovered by Microsoft.

The Microsoft Defender Research Team found the malware, dubbed Nodersok, and explained in a blog post that it is distributed through malicious adverts which force a Windows system to download files that are used in HTML apps.

After a system has been fully infected, Nodersok can then turn it into a zombie-like proxy machine used to launch other cyberattacks and even create a relay server that can give hackers access to command and control servers as well as other compromised devices. This helps hackers hide their activity from security researchers looking for suspicious behaviour.

https://www.techradar.com/uk/news/windows-malware-turns-pcs-into-zombies


GDPR: Only one in three businesses are compliant – here's what is holding them back

GDPR came into force over a year ago but many organisations are still struggling to comply with data privacy legislation.

Consultancy firm Capgemini surveyed over 1,000 compliance, privacy and data protection personnel and found that despite three quarters of them having previously been confident about being compliant by the time GDPR came into force in May 2018, that isn't the case in reality and many are still struggling to adhere to the legislation.

Now just 28% of those surveyed believe they're fully GDPR compliant – despite regulators being willing to issue heavy fines.

https://www.zdnet.com/article/gdpr-only-one-in-three-businesses-are-compliant-heres-what-is-holding-them-back/


99 percent of all misconfigurations in the public cloud go unreported

Today's data breaches often seem to be caused not just by malware infections or external threat actors, but human error, insiders with an ax to grind, and simple security failures.

The surge in adoption of cloud-based technologies and Infrastructure-as-a-Service (IaaS) has added a new facet to cyberthreats -- the loss of information caused by misconfigurations and weak credentials in the public cloud space.

According to new research released Tuesday and conducted by cybersecurity firm McAfee, titled, "Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk," the majority of IaaS misconfigurations are going unnoticed.

Indeed, only one percent of IaaS issues are reported, which may suggest there are countless companies across the globe that are unwittingly leaking data.

1,000 IT professionals were surveyed across 11 countries, and cloud usage data from over 30 million McAfee Mvision cloud users was aggregated to compile the report, which also says companies believe they average 37 IaaS misconfiguration issues per month when in reality this number can reach 3,500.

In total, 90 percent of respondents said they had come across security issues with IaaS, but only 26 percent said they were equipped to deal with misconfiguration audits -- and this lack of visibility into their cloud usage may be contributing to an increased data breach risk.

According to McAfee, IaaS-based data loss incidents triggered by data loss prevention (DLP) rules have increased by 248 percent year-over-year. As an example, the report says 42 percent of storage objects measured with recorded DLP incidents were misconfigured.
