Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Week in review 19 January 2020 – hacker leaks IoT passwords, WordPress plugin vulns, Oracle record patch haul, 25% of users fall for phishing, quarter of PCs vulnerable now Windows 7 unsupported
Week in review 19 January 2020 – hacker leaks IoT passwords, WordPress plugin vulns, Oracle record patch haul, 25% of users fall for phishing, quarter of PCs vulnerable now Windows 7 unsupported
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.
The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.
According to experts, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker than tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
Read more here: https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
Equifax Breach Settlement Could Cost Firm Billions
Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.
The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.
Over two-fifths (44%) of the population of the US are thought to have been affected.
This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.
Read more here: https://www.infosecurity-magazine.com/news/equifax-breach-settlement-could/
WordPress plugin vulnerability can be exploited for total website takeover
A WordPress plugin has been found to contain "easily exploitable" security issues that can be exploited to completely take over vulnerable websites.
The plugin at the heart of the matter, WP Database Reset, is used to reset databases -- either fully or based on specific tables -- without the need to go through the standard WordPress installation process.
According to the WordPress library, the plugin is active on over 80,000 websites.
The two severe vulnerabilities were found on January 7 and either of the vulnerabilities can be used to force a full website reset or takeover.
Tracked as CVE-2020-7048, the first critical security flaw has been issued a CVSS score of 9.1. As none of the database reset functions were secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication.
Oracle Issues Record Critical Patch Update cycle with 334 Patches
Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.
The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.
Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly.
Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).
It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.
Read the original article here: https://www.infosecurity-magazine.com/news/oracle-issues-record-cpu-with-334/
Giant botnet has just sprung back to life pushing a big phishing campaign
One of the world's most prolific botnets has returned and is once again attempting to deliver malware to victims via phishing attacks.
Emotet started life as a banking trojan before evolving into a botnet, which its criminal operators leased out to other hackers as a means of delivering their own malware to previously compromised machines.
Such was the power of the botnet that at one point last year it accounted for almost two-thirds of of malicious payloads delivered in phishing attacks.
But after seemingly disappearing towards the end of 2019, Emotet has now returned with a giant email-spamming campaign, as detailed by researchers at cybersecurity company Proofpoint.
Read more here: https://www.zdnet.com/article/this-giant-botnet-has-just-sprung-back-into-life-pushing-a-big-phishing-campaign/
A quarter of users will fall for basic phishing attacks
Slightly more than a quarter of people will fall for a phishing scam that claims to be an urgent message prompting them to change a password, according to statistics gathered by a cyber security testing and training firm.
The security firm studied tens of thousands of email subject lines both from simulated phishing tests and those found in the wild, and found many of the most-clicked emails related either to security or urgent work-related matters.
It revealed its top 10 most effective simulated subject lines to be: Change of Password Required Immediately (26% opened); Microsoft/Office 365: De-activation of Email in Process (14% opened); Password Check Required Immediately (13% opened); HR: Employees Raises (8% opened); Dropbox: Document Shared With You (8% opened); IT: Scheduled Server Maintenance – No Internet Access (7% opened); Office 365: Change Your Password Immediately (6% opened); Avertissement des RH au sujet de l’usage des ordinateurs personnels (6% opened); Airbnb: New device login (6% opened); and Slack: Password Reset for Account (6% opened).
In the wild, subject lines often tended to relate to Microsoft, with emails about SharePoint and Office 365 particularly likely to be opened, as well as notifications about Google and Twitter accounts. People were also likely to fall for emails pretending to be related to problems with a shipping company, with FedEx the most widely impersonated, as well as the US Postal Service.
Read the full article here: https://www.computerweekly.com/news/252476845/A-quarter-of-users-will-fall-for-basic-phishing-attacks
Business Disruption Attacks Most Prevalent in Last 12 Months
Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.
According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, a third (36%) of incidents often involved ransomware, destructive malware or denial of service attacks. Crowdstrike determined that these three factors to be focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.
Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.
Read more here: https://www.infosecurity-magazine.com/news/business-disruption-attacks/
Quarter of PCs could now be more at risk from ransomware
Last week saw the day when Windows 7 reached end of life. That means that Microsoft will no longer issue regular patches or updates for the famed operating system. From now on, any flaw or vulnerability discovered will remain unpatched, and the machines running the old system will remain at risk.
Any businesses or individuals running legacy and unsupported operating systems will be at a greater risk of ransomware than before.
WannaCry, one of the most devastating ransomwares of all time, was successful mostly because of unpatched systems. Roughly 200,000 devices in 150 countries around the world will be vulnerable to similar malware, now that Windows 7 is no longer receiving security updates from Microsoft.
From this month, a quarter of all PCs are going to fall into this unsupported category so it is vital that any organisations that rely on Windows 7 are aware of the risks and what they need to mitigate them.
Read the original article here: https://www.itproportal.com/news/quarter-of-pcs-could-now-be-more-at-risk-from-ransomware/
5 tips to avoid spear-phishing attacks
Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.
The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.
Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims such as the Burismas of the world.
Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.
So here are Sophos’ 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:
1. Don’t be swayed just because a correspondent seems to know a lot about you
2. Don’t rush to send out data just because the other person tells you it’s urgent
3. Don’t rely on details provided by the sender when you check up on them
4. Don’t follow instructions on how to view an email that appear inside the email itself
5. Don’t be afraid to get a second opinion
Read the full article here: https://nakedsecurity.sophos.com/2020/01/17/5-tips-to-avoid-spear-phishing-attacks/
Organized cybercrime -- not your average mafia
Does the common stereotype for "organised crime" hold up for organisations of hackers? Research from a University in US is one of the first to identify common attributes of cybercrime networks, revealing how these groups function and work together to cause an estimated $445-600 billion of harm globally per year.
"It's not the 'Tony Soprano mob boss type' who's ordering cybercrime against financial institutions," said Thomas Holt, MSU professor of criminal justice and co-author of the study. "Certainly, there are different nation states and groups engaging in cybercrime, but the ones causing the most damage are loose groups of individuals who come together to do one thing, do it really well - and even for a period of time - then disappear."
In cases like New York City's "Five Families," organised crime networks have historic validity, and are documented and traceable. In the online space, however, it's a very difficult trail to follow, Holt said.
Read more here: https://eurekalert.org/pub_releases/2020-01/msu-oc-011620.php
Cybercrime Statistics in 2019
It doesn’t make for cheery reading but a researcher has compiled a list of statistics for cyber crime, here are few choice headlines:
Cybercrime will cost as much as $6 trillion annually by 2021
Financial losses reached $2.7 billion in 2018
The total cost of cybercrime for each company in 2019 reached US$13M
The total annual cost of all types of cyberattacks is increasing
Read the full article here: https://securityaffairs.co/wordpress/96531/cyber-crime/cybercrime-statistics-in-2019.html
Week in review 01 December 2019: staff susceptible to phishing, businesses fail to implement IT disaster plans, ransomware unlikely to go away, the most notable cyber events of the last 10 years
A summary of the top cyber news from the last week and how they relate to business and individuals in Guernsey and the CI. This week: staff members susceptible to phishing attacks, businesses failing to implement IT disaster plans, ransomware unlikely to go away when chance of being caught is so slim, the most notable cyber events of the last 10 years, authorities take down remote access trojan.
A summary of the top cyber news events from the last week and how they relate to business and individuals in Guernsey and the wider Channel Islands.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nearly half of workers have clicked on a phishing email
New research released this week has revealed that almost a quarter of businesses have fallen victim to a phishing attack.
A survey of 714 people working in businesses across the US discovered that many organizations are not taking the proper measures to protect themselves from phishing attacks including employee training and the implementation of two-factor authentication.
Of those surveyed, only 64 percent said they currently use a two-factor authentication system to help protect their organization's data. This means that over one third of organizations are potentially leaving themselves exposed to phishing attacks.
Some phishing schemes, such as spear phishing, target specific members of staff within an organisation and this is typically accomplished through social engineering.
In order to combat these phishing scams firms should ensure the provide staff with suitable social engineering training.
https://www.techradar.com/news/nearly-half-of-workers-have-clicked-on-a-phishing-email
Phishing emails are still managing to catch everyone out
Staying with Phishing, another article this week points out that workers are still finding it too hard to spot phishing emails, with nearly three-quarters of companies seeing staff hand over passwords when tested by a security company.
A security consultancy tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities. It found that employees at 71% of these businesses handed over access credentials when targeted with phishing attacks by penetration testers -- up from 63% last year.
In 20% of cases, login details were shared by more than half of employees, compared to just 10% last year.
The firm doing the research carried out 623 penetration tests across the US, Europe and the UK, aiming to simulate a range of cyberattacks to assess how well companies were able to cope with them.
Weak passwords and insecure internal procedures, such as improper file-access restrictions and a lack of staff training, along with using out-of-date software, were the three most common vulnerabilities discovered during the tests.
The original article can be found here: https://www.zdnet.com/article/phishing-emails-are-still-managing-to-catch-everyone-out/
Many UK businesses have no IT disaster recovery plan
Disaster recovery plan, a set of steps designed to help businesses get back on their feet after an incident as soon as possible, is not something many UK businesses have.
A Survey of 1,125 IT workers came to the conclusion that a quarter of SMEs don’t have such a plan set up and this equates to “gambling with the continuity of business”.
In the report, it stresses that four fifths of all businesses who suffered a major incident failed within a year and a half.
Among businesses that do have a disaster recovery plan created – more than half (54 per cent) don’t regularly test it. A third has never tested it, at all. A small portion of the firms don’t have automated backups set up, either.
“The message to business leaders is get a DR plan in place and test, test, test!”
https://www.itproportal.com/news/many-uk-businesses-have-no-it-disaster-recovery-plan/
Ransomware: Big paydays and little chance of getting caught means boom time for crooks
Ransomware will continue to plague organisations in 2020 because there's little risk of the cyber criminals behind the network-encrypting malware attacks getting caught; so for them there's only a small amount of risk, but a potentially large reward.
During the last year, there's been many examples of ransomware attacks where victims have given into the extortion demands of the attackers, often paying hundreds of thousands of dollars in bitcoin in exchange for the safe return of their networks.
In many cases, the victims will pay the ransom because it's seen as the quickest – and cheapest – means of restoring the network.
The full article can be found here: https://www.zdnet.com/article/ransomware-big-paydays-and-little-chance-of-getting-caught-means-boom-time-for-crooks/
A decade of hacking: The most notable cyber-security events of the 2010s
The 2010s decade is drawing to a close and ZDNet have taken a look back at the most important cyber-security events that have taken place during the past ten years.
There have been monstrous data breaches, years of prolific hacktivism, plenty of nation-state cyber-espionage operations, almost non-stop financially-motivated cybercrime, and destructive malware that has rendered systems unusable.
Read the full article for the full list here:
Authorities take down 'Imminent Monitor' RAT malware operation
Law enforcement agencies from all over the world announced this week that they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.
According to a press release from Europol, the operation had two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.
The second stage took place earlier this week, when authorities took down the IM-RAT website, its backend servers, and arrested the malware's author and 13 of the tool's most prolific users.
Europol reported arrests in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.
Authorities also served search warrants at 85 locations and seized 430 devices they believed were used to spread the malware.
The UK National Crime Agency (NCA) took credit for a good chunk of the bounty, with 21 search warrants, nine arrests, and more than 100 seized devices.
More here: https://www.zdnet.com/article/authorities-take-down-imminent-monitor-rat-malware-operation/
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.