Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Cyber-Attacks on UK Organisations Up 30% in Q1 2020

New research has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020.

Analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute.

This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.

IoT applications were cited as the most common targets for cyber-criminals in the first quarter, attracting almost 19,000 online attacks per company. Company databases and file-sharing systems were also targeted frequently, with companies experiencing approximately 5000 attacks for each application, on average.

Read more here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-orgs-up-30-q1/

COVID-19 blamed for 238% surge in cyber attacks against banks

The coronavirus pandemic has been connected to a 238% surge in cyber attacks against banks, new research claims.

On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyber attack attempts between February and April this year -- the same months in which COVID-19 began to spread rapidly across the globe.  

The cyber security firm's research, which includes input from 25 CIOS at major financial institutions, adds that 80% of firms surveyed have experienced more cyber attacks over the past 12 months, an increase of 13% year-over-year.

VMware Carbon Black data already indicates that close to a third -- 27% -- of all cyber attacks target either banks or the healthcare sector.

An interesting point in the report is how there appears to have been an uptick in financially-motivated attacks around pinnacles in the news cycle, such as when the US confirmed its first case of COVID-19.

In total, 82% of chief information officers contributing to the report said that alongside a spike in attacks, techniques also appear to be improving -- including the use of social engineering and more advanced tactics to exploit not only the human factor but also weak links caused by processes and technologies in use by the supply chain.

Read more here: https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/

May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical

Microsoft's May 2020 Patch Tuesday fell this week, and Microsoft have released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low.

This month there are no zero-day or unpatched vulnerabilities.

Users should install these security updates as soon as possible to protect Windows from known security risks.

Read more here: https://www.bleepingcomputer.com/news/microsoft/may-2020-patch-tuesday-microsoft-fixes-111-vulnerabilities-13-critical/

Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat

Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software.

On Tuesday, the software giant issued two security advisories (1, 2) detailing the bugs, the worst of which can be exploited by attackers to trigger remote code execution attacks and information leaks.

The first set of patches relate to Adobe Acrobat and Reader for Windows and macOS, including  Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.

In total, 12 critical security flaws have been resolved. Six of the bugs, a single heap overflow problem, two out-of-bounds write errors, two buffer overflow issues, and two use-after-free vulnerabilities can all lead to arbitrary code execution in the context of the current user.

Read more here: https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/

Thunderbolt flaw ‘Thunderspy’ allows access to a PC’s data in minutes

Vulnerabilities discovered in the Thunderbolt connection standard could allow hackers to access the contents of a locked laptop’s hard drive within minutes, a security researcher from the Eindhoven University of Technology has announced. Reports state that the vulnerabilities affect all Thunderbolt-enabled PCs manufactured before 2019.

Although hackers need physical access to a Windows or Linux computer to exploit the flaws, they could theoretically gain access to all data in about five minutes even if the laptop is locked, password protected, and has an encrypted hard drive. The entire process can reportedly be completed with a series of off-the-shelf components costing just a few hundred dollars. Perhaps most worryingly, the researcher says the flaws cannot be patched in software, and that a hardware redesign will be needed to completely fix the issues.

Read more here: https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops

A hacker group is selling more than 73 million user records on the dark web

A hacker group going by the name of ShinyHunters claims to have breached ten companies and is currently selling their respective user databases on a dark web marketplace for illegal products.

The hackers are the same group who breached last week Tokopedia, Indonesia's largest online store. Hackers initially leaked 15 million user records online, for free, but later put the company's entire database of 91 million user records on sale for $5,000.

Encouraged and emboldened by the profits from the Tokopedia sale, the same group has, over the course of the current week, listed the databases of 10 more companies.

This includes user databases allegedly stolen from organizations such as:

·         Online dating app Zoosk (30 million user records)

·         Printing service Chatbooks (15 million user records)

·         South Korean fashion platform SocialShare (6 million user records)

·         Food delivery service Home Chef (8 million user records)

·         Online marketplace Minted (5 million user records)

·         Online newspaper Chronicle of Higher Education (3 million user records)

·         South Korean furniture magazine GGuMim (2 million user records)

·         Health magazine Mindful (2 million user records)

·         Indonesia online store Bhinneka (1.2 million user records)

·         US newspaper StarTribune (1 million user records)

The listed databases total for 73.2 million user records, which the hacker is selling for around $18,000, with each database sold separately.

Read more here: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

A cybercrime store is selling access to more than 43,000 hacked servers

MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018.

Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.

Today, MagBo has become the de-facto go-to marketplace for many cybercrime operations. Some groups register on the MagBo platform to sell hacked servers, while others are there just to buy.

Those who buy, do it either in bulk (for black-hat SEO or for malware distribution) or selectively, for intrusions at high-value target (e-commerce stores for web skimming, intranets for ransomware).

All in all, the MagBo platform cannot be ignored anymore, as it appears to be here to stay, and is placing itself at the heart of many of today's cybercrime operations.

Read more: https://www.zdnet.com/article/a-cybercrime-store-is-selling-access-to-more-than-43000-hacked-servers/

Ransomware: Why paying the crooks can actually cost you more in the long run

Ransomware is so dangerous because in many cases the victim doesn't feel like they have any other option other than to pay up – especially if the alternative is the whole organisation being out of operation for weeks, or even months, as it attempts to rebuild the network from scratch.

But handing over a bitcoin ransom to cyber criminals can actually double the cost of recovery according to analysis by researchers at Sophos, published in the new State of Ransomware 2020 report, which has been released three years to the day from the start of the global WannaCry ransomware outbreak.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.

Often, this is because retrieving the encryption key from the attackers isn't a simple fix for the mess they created, meaning that not only does the organisation pay out a ransom, they also have additional costs around restoring the network when some portions of it are still locked down after the cyber criminals have taken their money.

According to the report, one in four organisations said they paid the ransom in order to get their files back. It's one of the key reasons why ransomware remains a successful tactic for crooks, because victims pay up – often sums of six-figures or more – and are therefore encouraging cyber criminals to continue with attacks that often can't be traced back to a culprit.

Read the full article here: https://www.zdnet.com/article/ransomware-why-paying-the-crooks-can-actually-cost-you-more-in-the-long-run/

This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones

A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.

Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.

The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.

The full capabilities of Mandrake – which has been observed targeting users across Europe and the Americas – are detailed in a paper released by cybersecurity researchers this week. Mandrake has been active since 2016 and researchers previously detailed how the spyware operation was specifically targeting Australian users – but now it's targeting victims around the world.

Read more: https://www.zdnet.com/article/this-powerful-android-malware-stayed-hidden-years-infected-tens-of-thousands-of-smartphones/

Companies wrestle with growing cyber security threat: their own employees

Businesses deploy analytic tools to monitor staff as remote working increases data breach risk

As cyber criminals and hackers ramp up their attacks on businesses amid coronavirus-related disruption, companies are also facing another equally grave security threat: their own employees. 

Companies are increasingly turning to Big Brother-style surveillance tools to stop staff from leaking or stealing sensitive data, as millions work away from the watchful eyes of their bosses and waves of job cuts leave some workers disgruntled.

In particular, a brisk market has sprung up for cyber security groups that wield machine learning and analytics to crunch data on employees’ activity and proactively flag worrying behaviours.

Read more here: https://www.ft.com/content/cae7905e-ced7-4562-b093-1ab58a557ff4

Cognizant: Ransomware Costs Could Reach $70m

IT services giant Cognizant has admitted that a ransomware attack it suffered back in April may end up costing the company as much as $70m.

The firm announced revenue of $4.2bn for the first quarter of 2020, an increase of 2.8% year-on-year. In this context, the $50-70m hit it expects to take in Q2 from the ransomware attack will not make a huge impact on the company.

However, the big numbers involved are illustrative of the persistent financial threat posed by ransomware, not to mention the reputational impact on customers.

The firm claimed on an earnings call that the company responded immediately to the threat, proactively taking systems offline after some internal assets were compromised. However, the resulting downtime and suspension of some customer accounts took their toll financially.

“Some clients opted to suspend our access to their networks,” they explained. “Billing was therefore impacted for a period of time, yet the cost of staffing these projects remained on our books.”

Remote workers were also affected as the attack hit the firm’s system for supporting its distributed workforce during the current pandemic.

Read more: https://www.infosecurity-magazine.com/news/cognizant-ransomware-costs-could/

Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months

Package and mail delivery giant Pitney Bowes has suffered a second ransomware attack in the past seven months, ZDNet has learned.

The incident came to light earlier in the week after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company's network.

The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company's computer network.

Pitney Bowes confirmed the incident stating they had detected a security incident related to Maze ransomware.

The company said it worked with third-party security consultants to take steps to stop the attack before any of its data was encrypted.

This is the second ransomware incident for Pitney Bowes in seven months.

In October 2019, Pitney Bowes disclosed a first ransomware attack. At the time, the company said it had some critical systems infected and encrypted by the Ryuk ransomware gang. The incident caused limited downtime to some package tracking systems.

Both the Ryuk and Maze ransomware gangs are what experts call "human-operated" ransomware strains. These types of ransomware infections take place after hackers breach a company's network, and take manual control of the malware to expand access to as many internal systems as possible before executing the actual ransomware to encrypt data and demand a ransom.

Read more here: https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/

Law Firm Representing Drake, Lady Gaga, Madonna And More Hit By Cyber Attack As Hackers Claim To Have Stolen Personal Information And Contracts

A law firm representing many of the world's most famous celebrities has been hacked.

The website of Grubman Shire Meiselas & Sacks has been taken offline, and hackers claim to have stolen some 756GB of data relating to its clients.

Singers, actors and other stars have worked with the law firm, according to old versions of its website, with more than 200 very high-profile celebrities and companies said to have used its services.

They include Madonna, Lady Gaga, Elton John and Drake.

The hackers behind the attack claim to have person information on celebrities including letters, as well as official contracts.

Hackers have already released a purported screenshot of a Madonna contract in an attempt to prove they have access to personal files.

It is not known what the hackers are demanding in return for the files, or whether negotiations are ongoing.

"We can confirm that we've been victimised by a cyber-attack," the firm said in a media statement. "We have notified our clients and our staff.

"We have hired the world's experts who specialise in this area, and we are working around the clock to address these matters."

The hack used a piece of software known as REvil or Sodinokibi. Similar software took foreign exchange company Travelex offline in January, as part of a major hack.

Traditionally, such ransomware has been used to lock down computers and demand money from their owners to unlock them again, and grant access to files.

Increasingly, hackers threaten to release those files to the public if their demands are not met.

Read the original article: https://www.independent.co.uk/life-style/gadgets-and-tech/news/celebrity-hack-law-firm-cyber-attack-drake-madonna-lady-gaga-a9511976.html

Lights stay on despite cyber-attack on UK's electricity system

Britain’s energy system has fallen victim to a cyber-attack targeting the IT infrastructure used to run the electricity market.

The electricity system’s administrator, Elexon, confirmed that it was affected by a cyber-attack on Thursday afternoon but that the key systems used to govern the electricity market were not affected.

National Grid is investigating whether the attack could affect the part of its business tasked with keeping the lights on.

A spokesman for the energy system operator said electricity supplies had not been affected, and there were “robust cybersecurity measures in place” to make sure the UK continues to receive reliable electricity.

“We’re aware of a cyber intrusion on Elexon’s internal IT systems. We’re investigating the matter and any potential impact on our own IT networks,” he said.

Elexon is a vital part of the UK electricity market because it carefully monitors the electricity generated by energy companies to match this with what National Grid expects to receive, and to make sure that generators are paid the correct amount for the energy they generate.

Read more: https://www.theguardian.com/business/2020/may/14/lights-stay-on-despite-cyber-attack-on-uks-electricity-system

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second video version:

Half of remote workers feel vulnerable to growing cyber attacks

New research has revealed that almost half (49%) of employees working remotely feel vulnerable online due to the insecurity of the company laptops and PCs they are using to connect to corporate networks.

1,550 UK employees working from home during the pandemic were surveyed to better understand the security issues they've faced while working remotely.

The survey found that 42 percent of respondents received suspicious emails while 18 percent have dealt with a security breach while working from home. Of those who suffered a cyberattack, over half (51%) believed it was because they clicked on a malicious link and 18 percent believed an infected attachment was responsible.

Additionally, 42 percent of respondents reported that someone else in their household had experienced a hack of their social media accounts during the lockdown.

Read more here: https://www.techradar.com/news/half-of-remote-workers-feel-vulnerable-to-growing-cyberattacks

Many remote workers given no cyber security training

Two in three remote workers have not received any cyber security training in the past 12 months, according to a new report.

Based on a poll of 2,000 remote workers in the UK, the report states that more than three quarters (77 percent) are unconcerned about cyber security. Further, more than six in ten said they use personal devices when working from home, which poses a distinct threat to business data.

The report highlights the dangers associated with working from home and the fact cyber criminals are capitalising on the coronavirus outbreak to infect unwitting victims with malware.

With most businesses transitioning to remote working in response to lockdown measures, IT and security teams have been left with a network of unsecured, often naive workers who are easy prey for various forms of attack - especially phishing.

Read the full article here: https://www.itproportal.com/news/many-remote-workers-given-no-cybersecurity-training/

Spear-phishing campaign compromises executives at 150+ companies

A cyber crime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today.

The group, codenamed PerSwaysion, appears to have targeted the financial sector primarily, which accounted for more than half of its victims; although, victims have been recorded at companies active across other verticals as well.

PerSwaysion operations were not sophisticated, but have been extremely successful, nonetheless. Group-IB says the hackers didn't use vulnerabilities or malware in their attacks but instead relied on a classic spear-phishing technique.

They sent boobytrapped emails to executives at targeted companies in the hope of tricking high-ranking executives into entering Office 365 credentials on fake login pages.

Read the full article here: https://www.zdnet.com/article/spear-phishing-campaign-compromises-executives-at-150-companies/

Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway

Just because ransomware attackers haven't threatened to leak your company's data, it doesn't mean they haven't stolen it, Microsoft warns. 

And human-operated ransomware gangs – typically associated with multi-million dollar ransom demands – haven't halted activity during the global coronavirus pandemic.

In fact, they launched more of the file-encrypting malware on target networks in the first two weeks of April than in earlier periods, causing chaos at aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, according to Microsoft.

Read More: https://www.zdnet.com/article/microsoft-ransomware-gangs-that-dont-threaten-to-leak-your-data-steal-it-anyway/

Google Confirms New Security Threat For 2 Billion Chrome Users

Google has warned of yet more security vulnerabilities in Chrome 81, which was only launched three weeks ago.

Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.

More here: https://www.forbes.com/sites/daveywinder/2020/04/29/google-confirms-new-security-threats-for-2-billion-chrome-users/#7a3dc3cc39bc

These popular antivirus tools share a major security flaw

More than two dozen popular antivirus solutions contain a flaw that could enable hackers to delete files, trigger crashes and install malware, according to a new report.

Popular antivirus solutions such as Microsoft Defender, McAfee Endpoint Security and Malwarebytes all feature the bug, which is described as “trivial” to abuse.

The report refers to the shared vulnerability as “symlink race” – the use of symbolic links and directory junctions to link malicious files to legitimate counterparts. This all occurs in the short space of time between an antivirus scanning and deleting a file.

"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponising the tactics outlined in this blog post," said the report.

Read more: https://www.itproportal.com/news/these-popular-antivirus-tools-could-have-major-security-flaws/

Hackers are exploiting a Sophos firewall zero-day

Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."

After investigating the report, Sophos determined this was an active attack and not an error in its product.

Read more: https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/

This sophisticated new Android trojan threatens hundreds of financial apps

Researchers have discovered a sophisticated new Android trojan that bypasses security measures and scrapes data from financial applications.

First identified in March, the EventBot banking trojan abuses Android’s accessibility features to harvest financial data and intercept SMS messages, allowing the malware to circumvent two-factor authentication.

According to the firm responsible for the discovery, EventBot targets over 200 financial applications, spanning banking, money transfer and cryptocurrency wallet services.

Affected applications include those operated by major players such as HSBC, Barclays, Revolut, Paypal and TransferWise - but many more are thought to be at risk.

More: https://www.techradar.com/uk/news/this-sophisticated-new-android-trojan-threatens-hundreds-of-financial-apps

Microsoft Office 365: US issues security alert over rushed remote deployments

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic.

CISA warns that it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have lead to important security configuration oversights that could be exploited by attackers.

"In recent weeks, organizations have been forced to change their collaboration methods to support a full 'work from home' workforce," CISA notes in the new alert. 

Read more: https://www.zdnet.com/article/microsoft-office-365-us-issues-security-alert-over-rushed-remote-deployments/

Financial sector is seeing more credential stuffing than DDoS attacks

The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years according to a report published this week.

Statistics about attacks carried out against banks, credit unions, brokers, insurance, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (Saas).

The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical.

The report states that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019. This includes all the ATO variations such as:

·         Brute-force attacks - attackers try common or weak username/passwords pairs (from a preset list) to brute-force their way into an account

·         Credential stuffing - attackers try username/password pairs leaked at other sites

·         Password spraying - attackers try the same password, but against different usernames

Read more here: https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/

This buggy WordPress plugin allows hackers to lace websites with malicious code

Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.

The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend - and reportedly features on over 100,000 sites.

The exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.

Read more here: https://www.techradar.com/news/this-buggy-wordpress-plugin-allows-hackers-to-lace-websites-with-malicious-code

Zoom Gets Stuffed: Here’s How Hackers Got Hold Of 500,000 Passwords

At the start of April, the news broke that 500,000 stolen Zoom passwords were up for sale. Here's how the hackers got hold of them.

More than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums earlier this month. Some were given away for free while others were sold for as low as a penny each.

Researchers at a threat intelligence provider obtained multiple databases containing Zoom credentials and got to work analysing exactly how the hackers got hold of them in the first place.

Read more here: https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/#6586d7be5cdc

Sophisticated Android Spyware Attack Spreads via Google Play

The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia — and could be the work of the OceanLotus APT.

A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.

Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.

The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.

Read more here: https://threatpost.com/sophisticated-android-spyware-google-play/155202/

Skype phishing attack targets remote workers

Remote workers have been warned to take extra care when using video conferencing software after a new phishing scam was uncovered.

Researchers from a security firm have revealed hackers are using emails pretending to be from Skype, the popular Microsoft-owned video calling tool, in order to trick home workers into handing over their login details.

Criminals could then use these logins to access corporate networks to spread malware or steal valuable information.

Read more here: https://www.techradar.com/news/skype-phishing-attack-targets-remote-workers

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

60 second video flash briefing

UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors

A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.

Read more here: https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory

Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf

Travelex paid $2.3M in Bitcoin to get its systems back from hackers

Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.

The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.

Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.

Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.

Travelex‘ operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.

At the time, BBC claimed that Travelex‘ attackers had demanded $6 million worth of Bitcoin to unlock its systems.

Read more: https://thenextweb.com/hardfork/2020/04/09/travelex-paid-2-3m-in-bitcoin-to-get-its-systems-back-from-hackers/

Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess

The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.

The company announced that it’s taking help from CISOs to improve the security and patch the flaws in the app. Zoom will be taking help from CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.

Read more here: https://mspoweruser.com/zoom-ciso-hires-ex-facebook-cso-clean-its-mess/

Researchers discover IoT botnet capable of launching various DDoS attacks

Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.

According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.

Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.

Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.

Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/

Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees

Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.

Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.

“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”

Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/

Stolen Zoom account credentials are freely available on the dark web

Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom account have been found on the dark web.

The credentials were hardly hidden -- aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.

Read more: https://betanews.com/2020/04/08/zoom-account-credentials-dark-web/

Shadow IT Represents Major #COVID19 Home Working Threat

Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.

A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.

It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.

These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.

Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.

These challenges are only going to grow, according to the research.

Read more here: https://www.infosecurity-magazine.com/news/shadow-it-covid19-home-working/

'Unkillable' Android malware gives hackers full remote access to your phone

Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.

A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.

The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.

Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.

xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.

More here: https://www.techradar.com/uk/news/beware-the-unkillable-android-malware-lurking-on-third-party-app-stores

Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android

BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.

The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.

The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.

The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.

Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).

More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats

Bot traffic fueling rise of fake news and cybercrime

The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.

At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.

A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.

According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.

The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.

Read more here: https://www.techradar.com/news/bot-traffic-fueling-rise-of-fake-news-and-cybercrime

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

A criminal gang posing as Russian Government hackers are extorting companies in the financial services sector

Fake "Fancy Bear" group is demanding money from companies in the financial sector, threatening DDoS attacks

For the past week, a group of criminals has been launching DDoS attacks against companies in the financial sector and demanding ransom payments while posing as "Fancy Bear," the infamous hacking group associated with the Russian government, known for hacking the White House in 2014 and the DNC in 2016.

The group is launching large scale, multi-vector demo DDoS attacks when sending victims the ransom letter and demanding ransom payments of 2 bitcoin, which is about $15,000 at today's exchange rate.

Full article here: https://www.zdnet.com/article/a-ddos-gang-is-extorting-businesses-posing-as-russian-government-hackers/

Ransomware, Mobile Malware Attacks to Surge in 2020

Targeted ransomware, mobile malware and other attacks will surge, while companies will adopt AI, better cloud security and cyber insurance to help defend and protect against them.

Cyber threats like targeted ransomware, mobile malware and sophisticated phishing attacks will escalate in 2020, researchers warn.

However, defences like artificial intelligence (AI), cyber insurance and faster security response will also increase, helping defend companies against imminent threats, according to new predictions by Check Point Software.

Check Point outlined “key security and related trends” it expects to see in 2020 in a blog post Wednesday, including a series of technology trends that can both be used to attack systems and mitigate against threats. Some of the predictions are for technologies that have already both surged in popularity and increased in sophistication this year, including targeted ransomware and phishing attacks that go beyond email.

Read the full article on ThreatPost here: https://threatpost.com/ransomware-mobile-malware-attacks-to-surge-in-2020/149539/

Mobile malware may be the greatest security threat around

BlackBerry uncovers new mobile threats and actors targeting various industries

Mobile malware is more prevalent and popular that first thought and researchers are only now learning just how much it is in use for surveillance and espionage campaigns. In reality, there are many active actors and advanced persistent threats we never knew existed.

Blackberry’s new report, called Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform, says the company’s researchers identified three new advanced persistent threat campaigns, originating mostly in China, Iran, North Korea and Vietnam, which leveraged mobile malware, in combination with desktop malware.

The end goal is cyber-espionage and intelligence gathering, mostly for economic and political objectives.

Full article here: https://www.itproportal.com/news/mobile-malware-may-be-the-greatest-security-threat-around/

Phishing attacks are a complex problem that requires layered solutions

Most cyber attacks start with a social engineering attempt and, more often than not, it takes the form of a phishing email.

It’s easy to understand the popularity of phishing as an attack vector of choice: phishing campaigns are relatively inexpensive (money and time-wise), yet are often very successful. Attackers don’t need to create or buy technical exploits that may or may not work – instead, they exploit what they can always count on: users’ emotions, fears, desires, and the fact that, despite knowing better, it only takes a moment of inattention to make a mistake.

Cybercriminals play on users’ expectations of trust in email communications, and the human instinct – despite training and warnings to the contrary – to click on malicious links, give away credentials or even install malware and ransomware on endpoint devices. The reality is that people are always soft targets, and social engineering and phishing attacks are outpacing legacy technologies and training-only solutions.

More info here: https://www.helpnetsecurity.com/2019/10/24/phishing-attacks-solutions/

Younger workers could be putting your security at risk

They're bigger risk takers and aren't as security-conscious as their older colleagues.

One might think that the younger generation, those that have grown up surrounded by technology, would be more conscious about the dangers lurking in the internet's depths, and would have adopted cybersecurity best practices from an early age.

The truth is quite different, at least according to NTT's new report about cybersecurity in the workplace. The report says that employees over the age of 30 generally score better when it comes to securing their data and services, compared to those below the age of 30.

The argument is that the older generation has spent more time at the office and has thus acquired “digital DNA”.

Read the full article here: https://www.itproportal.com/news/younger-workers-could-be-putting-your-security-at-risk/

More Companies Adopt Multi Factor Authentication (MFA), but It’s Still Not Enough

Organisations face ever-increasing threats, and password security is paramount. But employees don’t usually use robust password protocols or multi-factor authentication to secure valuable information.

A survey from LogMeIn, which makes the LastPass password manager, shows that the number of companies adopting a multi-factor authentication (MFA) solution is on the rise, with 57% of businesses choosing MFA in 2018, compared with 45% in 2017.

94% of employees chose a smartphone for MFA, while only 4% opted for a hardware-based solution and just 1% wanted biometrics. The trend is set by the abundant availability of smartphones, as opposed to the rest of the options.

Although MFA is used widely, it’s not uniformly distributed across the globe, with some countries leading the change, a few of them by considerable margins. First place is occupied by Denmark, with a 46% adoption rate, followed by the Netherlands with 41% and Switzerland with 38%. The United States is somewhere in the middle, with 28% adoption. Last place is taken by Italy, with only 20%.

More here: https://securityboulevard.com/2019/10/more-companies-adopt-mfa-but-its-still-not-enough/

Amazon’s AWS Hit by DDoS Attack – Google Cloud Issues Unrelated

Google Cloud also faced issues in a separate incident

AWS was hit by a sustained DDoS attack earlier this week, which appears to have lasted some eight hours. The incident hit several different services and raises many questions about the nature of the attack and about AWS’s own DDoS mitigation service, “Shield Advanced”.

Google Cloud Platform (GCP) had a range of issues at a similar time. The two are not understood to be linked. In a status update GCP cited interruptions to multiple different Google cloud services at a similar time although a Google spokesperson stated the service disruptions were unrelated to any kind of DDoS attempt.

https://www.cbronline.com/news/aws-ddos-attack

Motive doesn't matter: The three types of insider threats

In information security, outside threats can get the lion's share of attention. Insider threats to data security, though, can be more dangerous and harder to detect because they are strengthened by enhanced knowledge and/or access.

Not only is it vital, therefore, to distinguish and prepare for insider threats, but it is just as vital to distinguish between different types of insider threats. A lot has been written about the different profiles for insider threats and inside attackers, but most pundits in this area focus on insider motive. Motive, however, doesn't matter. A threat is a threat, a breach is a breach. A vulnerability that can be exploited by one party for profit can be exploited by another for pleasure, by another for country, and so on. Instead of analyzing motives and reasons, it is far more useful to compare insider threats by action and intent.

Insider threats come in three flavors:

• Compromised users,

• Malicious users, and

• Careless users.

 Get the full breakdown of the three types here: https://betanews.com/2019/10/21/3-types-of-insider-threats/