Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 12 February 2021
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Stories of the Last Week
2020 Sees Ransomware Increase By Over 400 Percent
A new study from Cyber Security company, finds that last year malware increased by 358 percent overall and ransomware increased by 435 percent as compared with 2019. The report which analyzes millions of attacks taking place across the year finds distribution of the Emotet malware skyrocketed by 4,000 percent, while malware threats attacking Android phones increased by 263 percent. July saw the largest increase in malicious activity, up by 653 percent compared with the previous year. Microsoft Office documents are the most manipulated document attack vector and these attacks were up by 112 percent.
https://betanews.com/2021/02/10/ransomware-increase-400-percent/
Remote Desktop Protocol Attacks Surge By 768%
Remote desktop protocol (RDP) attacks increase by 768% between Q1 and Q4 last year, fuelled by the shift to remote working. However, a slower rate of growth was observed in the final quarter of the year, indicating that organizations have enhanced their security for remote users.
https://www.infosecurity-magazine.com/news/remote-desktop-protocol-attacks/
Even Minor Phishing Operations Can Distribute Millions Of Malicious Emails Per Week
Even small-scale phishing campaigns are capable of distributing millions and millions of malicious emails to victims around the world, according to a new report. Describing the most popular styles of phishing attack, criminal today rely on fast-churning campaigns. They create a single phishing email template (usually in English) and send it out to anywhere between 100 and 1,000 targets.
With One Update, This Malicious Android App Hijacked Millions Of Devices
With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google's official app repository for years. The app, accounting for over 10 million installs, offered a QR code reader and a barcode generator -- a useful utility for mobile devices.
Cd Projekt Hit By Ransomware Attack, Refused To Pay Ransom, Data Reportedly Sold Off By Hackers
Polish video game maker CD Projekt, which makes Cyberpunk 2077 and The Witcher, has confirmed it was hit by a ransomware attack. In a statement posted to its Twitter account, the company said it will “not give in nor negotiate” with the hackers, saying it has backups in place. “We have already secured our IT infrastructure and begun restoring data,” the company said.
https://techcrunch.com/2021/02/09/cd-projekt-red-hit-by-ransomware-attack-refuses-to-pay-ransom/
Hacked Florida Water Plant Used Shared Passwords And Windows 7 PCs
The Oldsmar, Florida water plant hacked earlier this week used outdated Windows 7 PCs and shared passwords, the Associated Press has reported. A government advisory also revealed that the relatively unsophisticated attack used the remote-access program TeamViewer. However, officials also said that the hacker’s attempt to boost chemicals to dangerous levels was stopped almost immediately after it started.
Top Web Hosting Provider Shuts Down Following Cyber Attack
Cybercriminals often attack websites in order to extort a ransom from their victims but a recent cyberattack against the web hosting company No Support Linux Hosting took quite a different turn. After a hacker managed to breach the company's internal systems and compromise its entire operation, No Support Linux Hosting has announced that it is shutting down. The company alerted its customers to the situation before shutting down its website in a message.
https://www.techradar.com/news/top-web-hosting-provider-shuts-down-following-cyberattack
High Demand For Hacker Services On Dark Web Forums
Nine in 10 (90%) users of dark web forums are searching for a hacker who can provide them with a particular resource or who can download a user database. This is according to new research by Positive Technologies, which analyzed activity on the 10 most prominent forums on the dark web, which offer services such as website hacking and the buying/selling of databases. The study highlights the growing demand for hackers’ services and stolen data, exacerbated by the increased internet usage by both organizations and individuals since the start of COVID-19.
https://www.infosecurity-magazine.com/news/demand-hacker-services-dark-web/
Facebook Phishing Campaign Tricked Nearly 500,000 Users In Two Weeks
A recent investigation uncovered a large scale phishing operation on Facebook. The Facebook phishing campaign is dangerous and targets user personal information. The phishing scam “Is that you” currently on Facebook has been around in multiple forms for years. The whole trouble starts with a “friend” sending you a message claiming to have found a video or image with you in it. The message is usually a video and after clicking, it takes you through a series of websites. These websites have malicious scripts that get your location, device type, and operating system.
Hackers Are Tweaking Their Approach To Phishing Attacks In 2021
Cyber criminals are a creative bunch, constantly coming up with new ways to avoid detection and advance their sinister goals. A new report from cyber security experts at BitDam describes a few fresh techniques used in the wild so far in 2021. According to the report, email protection solutions tend to trust newly created email domains that are yet to be flagged as dangerous. Criminals are now increasingly exploiting this fact to increase the chances that phishing, and malware emails make it into victims' inboxes.
https://www.itproportal.com/news/hackers-are-tweaking-their-approach-to-phishing-attacks-in-2021/
Threats
Ransomware
Researchers identify 223 vulnerabilities used in recent ransomware attacks (Potential headline)
This old form of ransomware has returned with new tricks and new targets
Phishing
Malware
Mobile
IOT
Vulnerabilities
Attackers Exploit Critical Adobe Flaw to Target Windows Users
Microsoft issues emergency fix for Wi-Fi foul-up delivered hot and fresh on Patch Tuesday
Data Breaches
Organised Crime
Supply Chain
Nation-State Actors
Android spyware strains linked to state-sponsored Confucius threat group
'BendyBear' APT malware linked to Chinese government hackers
Microsoft to alert Office 365 users of nation-state hacking activity
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws
Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware attacks are increasing, do you have an emergency plan in place?
Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.
The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.
21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.
In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.
Read more: https://www.helpnetsecurity.com/2020/07/01/ransomware-emergency-plan/
Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh
Microsoft releases emergency update to fix two serious Windows flaws
Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.
Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker of the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.
Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.
Researchers Find New Calendar-Based Phishing Campaign
Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.
Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.
Read more: https://www.infosecurity-magazine.com/news/calendar-phishing-campaign/
REvil Ransomware Gang Adds Auction Feature for Stolen Data
The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.
The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.
A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).
Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).
As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.
Read more here: https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/
Criminals set 'return to work' traps
Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.
According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.
Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.
According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.
Read more here: https://www.itproportal.com/news/criminals-set-return-to-work-traps/
This new botnet has recruited an army of Windows devices
A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.
The malware behind the botnet has been given the name Satan DDoS though security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.
A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.
At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later become apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.
Read more here: https://www.techradar.com/news/this-new-botnet-has-recruited-an-army-of-windows-devices
Cisco SMB routers hit with another major security flaw
Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.
The XSS vulnerability exists in the company's RVO42 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.
This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.
Read more here: https://www.techradar.com/news/cisco-smb-routers-hit-with-another-major-security-flaw
Xerox apparently victim of Maze attack
It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.
The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to a reports.
Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.
Read more: https://www.scmagazine.com/home/security-news/ransomware/xerox-apparent-victim-of-maze-attack/
FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps
Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.
The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”
Read more here: https://threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/
New Mac Ransomware Is Even More Sinister Than It Appears
There haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.
In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.
Read more here: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/
Cyber Weekly Flash Briefing for 24 April 2020 – increase in data breaches with staff WFH, MS out of band patch for Office, hackers breach ad servers, 309m Facebooks users details compromised
Cyber Weekly Flash Briefing for 24 April 2020 – increase in data breaches with staff WFH, MS out of band patch for Office, hackers breach ad servers, 309m Facebooks users compromised
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
The week in 60 seconds - video flash briefing
Over half of organisations expect remote workers to increase the risk of a data breach
Apathy towards cyber security remains one of the biggest challenges for businesses.
The majority of UK’s IT decision-makers believe remote workers will expose their businesses to the risk of a data breach.
This is according to a new report which claims the awareness of the issue has been “steadily growing” over the last three years.
While the report does not offer definitive explanations for the rise, it cites increased remote working due to the coronavirus as a contributing factor.
The percentage of employees intentionally putting data at risk dropped slightly (from 47 to 44 percent), but apathy continues to be a “major problem”.
However, remote working appears to have forced IT decision-makers to pay closer attention to security.
Almost all (96 percent) respondents acknowledged risks associated with BYOD policies and a significant portion of those (42 percent) only allow the use of pre-approved gear (up from 11 percent last year).
This change is “crucial”, as lost and misplaced devices are now the second biggest data breach cause (24 percent), behind intentionally putting data at risk (33 percent) and ahead of mishandling corporate data.
Trickbot Named Most Prolific #COVID19 Malware
Notorious malware Trickbot has been linked to more COVID-19 phishing emails than any other, according to new data from Microsoft.
The Microsoft Security Intelligence Twitter account made the claim on Friday.
“Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures,” it said. “This week’s campaign uses several hundreds of unique macro-laced document attachments in emails that pose as messages from a non-profit offering a free COVID-19 test.”
Microsoft has been providing regular updates through the current crisis as organizations struggle to securely manage an explosion in home working while cyber-criminals step up efforts to exploit stretched IT security teams and distracted employees.
Read more: https://www.infosecurity-magazine.com/news/trickbot-named-most-prolific/
Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D
Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.
The flaws, all rated “important” in severity, are tied to six CVEs stemming from Autodesk’s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications
Read more: https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/
1,000 may be hit by CISI website fraud attack
The CISI has launched an investigation after a website attack resulted in 1,000 customers and members being exposed to the risk of credit card fraud.
The professional body with 45,000 members says some members have reported “fraudulent activity” on their cards following a payment transaction on the CISI website.
The organisation, which provides the Certified Financial Planner and Chartered Wealth manager designations, has launched a probe with help from its insurers and KPMG.
The CISI has contacted 5,785 customers that processed a payment transaction through its website between 1 February 2020 and 15 April 2020.
It said not all of these have seen “fraudulent activity” but it anticipates about 1,000 have been exposed to a risk of fraud.
Here's a list of all the ransomware gangs who will steal and leak your data if you don't pay
Starting with late 2019 and early 2020, the operators of several ransomware strains have begun adopting a new tactic.
In an attempt to put additional pressure on hacked companies to pay ransom demands, several ransomware groups have also begun stealing data from their networks before encrypting it.
If the victim -- usually a large company -- refuses to pay, the ransomware gangs threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.
Companies who may try to keep the incident under wraps, or who may not want intellectual property leaked online, where competitors could get, will usually cave in and pay the ransom demand.
While initially the tactic was pioneered by the Maze ransomware gang in December 2019, it is now becoming a widespread practice among other groups as well.
Clop, Doppenpaymer, Maze, Nefilim, Nemty, Ragnarlocker, Revil (Sodinokibi), Sekhmet, Snatch
Read the original article here for full details: https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/
Hackers have breached 60 ad servers to load their own malicious ads
A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites.
This clever hacking campaign was discovered last month and appears to have been running for at least nine months, since August 2019.
Hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.
Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files -- usually disguised as Adobe Flash Player updates.
Read more: https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/
GCHQ calls on public to report coronavirus-related phishing emails
GCHQ is asking members of the public to report suspicious emails they have received amid a wave of scams and hacking attacks that seek to exploit fear of Covid-19 to enrich cybercriminals.
The National Cyber Security Centre, a branch of the intelligence agency, has launched the suspicious email reporting service with a simple request of the public: forward any dubious emails to report@phishing.gov.uk, and the NCSC’s automated scanning system will check for scam emails and immediately remove criminal sites.
Read more here: https://www.theguardian.com/technology/2020/apr/21/gchq-calls-public-report-coronavirus-phishing-emails
Hackers exploit bug to access iPhone users’ emails
Hackers have devised a way to install malicious software on iPhones without getting the victim to download an attachment or click on any links.
Cybersecurity researchers have discovered a bug in the phone’s email app that hackers may have been exploiting since January 2018. It enables hackers to access all emails on a phone, as well as remotely modify or delete them.
Typically, an attack on a phone requires a user to download the malware, such as clicking on a link in a message or on an attachment. Yet in this case, hackers send a blank email to the user. When the email is opened, a bug is triggered that causes the Mail app to crash, forcing the user to reboot it. During the reboot, hackers could access information on the device.
The hack is virtually undetectable by victims due to the sophisticated nature of the attack and Apple’s own security measures, which often make investigating the devices for potential vulnerabilities a challenge, experts claim.
More here: https://www.thetimes.co.uk/article/hackers-exploit-bug-to-access-iphone-users-emails-ssvvztrgf
FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak
Instances of cybercrime appear to have jumped by as much as 300 percent since the beginning of the coronavirus pandemic, according to the FBI. The bureau’s Internet Crime Complain Center (IC3) said last week that it’s now receiving between 3,000 and 4,000 cybersecurity complaints every day, up from the average 1,000 complaints per day the center saw before COVID-19 took hold.
While much of this jump can be attributed to America’s daily activities increasingly moving online — newly remote workers unaware of basic security measures or companies struggling to keep externally-accessed systems secure, for example — the FBI says a lot of the increased cybercrime is coming from nation states seeking out COVID-19-related research.
309 million Facebook users’ phone numbers found online
Last weekend, researchers came across a database with 267m Facebook user profiles being sold on the Dark Web.
Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it, for the grand total of £500.
That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.
Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.
Read more here: https://nakedsecurity.sophos.com/2020/04/22/309-million-facebook-users-phone-numbers-and-more-found-online/
Google Issues Warning For 2 Billion Chrome Users
Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.
Chrome has a critical security flaw across Windows, Mac and Linux and it urges users to upgrade to the latest version of the browser (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.
Zoom announces 5.0 update with tougher encryption and new security features
Zoom has today announced its new 5.0 update, bringing robust new security features including AES 256-bit GCM encryption.
Zoom says that AES 256-bit GCM encryption will "raise the bar for securing our users' data in transit", providing "confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar and Zoom Phone Data." The systemwide enablement of this new security standard will take place on May 30.
Zoom has also introduced a new security icon, where it has grouped its security features in one place within Zoom's meeting menu bar. It has also introduced more robust host controls, including a 'report a user' feature. Waiting rooms now default to on, as do meeting passwords and cloud recording passwords. Zoom has also introduced a new data structure for linking contacts within larger organizations. Previously, a Zoom feature designed to group users by domain name had seen thousands of random users grouped together, sharing lots of information with strangers.
Read more: https://www.androidcentral.com/zoom-announces-50-update-tougher-encryption-and-new-security-features
Temporary coronavirus hospitals face growing cybersecurity risks
The coronavirus outbreak has led to a series of temporary medical facilities opening across the U.S., most of which will use remote-care devices without the proper protection against hackers. Because of their remoteness and the overall uncertainty that pandemic’s created, cybersecurity at these temporary hospitals has fallen to the wayside and risks are at an all-time high.
Further complicating matters, most of these temporary units are highly dependent on connected medical devices to facilitate remote care. This leaves these hospitals open to hackers stealing patients’ personal health information via these connected devices.
Fortunately, there are a number of steps health care organizations can take to protect their remote facilities. Not only should organizations ensure their software is up to date and fully patched, but they should also consider enabling two-factor authentication for every account that’s granted access to the remote center’s system.
To assist with securing these remote health care locations, Microsoft has expanded the availability of its AccountGuard security service program. Currently offered at no cost to health care providers on the front lines of the coronavirus outbreak, Microsoft’s AccountGuard service helps targeted organizations protect themselves from ongoing cybersecurity threats.
Cyber Weekly Flash Briefing for 13 March 2020 – more Coronavirus based phishing, adapting ways of working, emergency Microsoft patch, businesses breached due to employee error, IoT traffic unencrypted
Cyber Weekly Flash Briefing for 13 March 2020 – more Coronavirus based phishing, adapting ways of working, emergency Microsoft patch, businesses breached due to employee error, IoT traffic unencrypted
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
More coronavirus phishing campaigns detected
Caution required when accessing coronavirus-related emails.
Cybercriminals often use major global events to spread malware and steal data, and the recent coronavirus outbreak is no different.
Security experts have identified two phishing campaigns that take advantage of coronavirus concerns to infect devices with the Agent Tesla keylogger.
According to the report, cybercriminals are distributing emails that appear to originate from The Centre for Disease Control (CDC) or the World Health Organisation (WHO). The emails claim the virus is now airborne and that new cases have been confirmed in the victim’s vicinity.
Attached to the messages is a file named "SAFETY PRECAUTIONS", which looks like an Excel document, but is in fact an executable file (.exe) capable of sowing the trojan.
More here: https://www.itproportal.com/news/more-coronavirus-phishing-campaigns-detected/
How coronavirus COVID-19 is accelerating the future of work
The coronavirus is forcing enterprises to rethink the way they do business and dust off policies for security, business continuity, and remote workers. Chances are that some of these efforts will stick
The coronavirus outbreak may speed up the evolution of work and ultimately retool multiple industries as everything from conferences to collaboration to sales and commercial real estate are rethought.
Read the original article here: https://www.zdnet.com/article/how-coronavirus-may-accelerate-the-future-of-work/
Millions of UK businesses experience data breaches due to employee error
Employees often click on fraudulent links and can't spot a phishing email.
Employee error is the cause of 60 percent of all data breaches among UK businesses according to a new report from insurance broker Gallagher.
Polling 1,000 UK business leaders, Gallagher found the most common cause (39 percent) of employee-related breaches was malware downloaded accidentally via fraudulent links.
Phishing is also a major risk factor, responsible for 35 percent of infections. While employees pushing sensitive data outside company systems accounted for a further 28 percent.
The report also claims that almost a third of affected businesses (30 percent) have had their operations knocked out for four to five days as a result of employee error.
Respondents also reported reputational damage (14 percent) and financial consequences (12 percent), which included fines issued by data privacy regulators.
Most executives (71 percent) are aware of the problem and almost two thirds (64 percent) said they regularly remind employees about the risk of cyber crime.
Virtually all businesses are at risk of a cyber attack and as this research shows, it is often an employee mistake which causes the problem.
AMD processors going back to 2011 suffer from worrying security holes
Pair of freshly revealed attacks have not yet been patched
AMD’s processors from as early as 2011 through to 2019 are carrying vulnerabilities that are as yet unpatched, according to some freshly published research.
Known as ‘Take A Way’ (every security problem needs a snappy name, of course), security researchers said that they reverse-engineered the L1D cache way predictor in AMD silicon in order to discover two new potential attack vectors.
Given all the attention which has been focused on the flaws in Intel’s CPUs in recent times – vulnerabilities which haven’t affected AMD chips in a number of cases – this might just serve as a reminder that no one’s silicon is bulletproof.
More here: https://www.techradar.com/news/amd-processors-going-back-to-2011-suffer-from-worrying-security-holes
F-Secure reports a steep rise in hacking attempts
The latest Attack landscape H2 2019 report from F-Secure has found that there has been a jump in the volume of cyber attacks targeting internet users
In the report, F-Secure said that in the first half of 2019, the company’s global network of honeypots experienced a jump in cyber attack traffic.
The volume of such attacks rose from 246 million in H1 2017 to 2.9 billion in H1 2019. In the second half of the year, according to F-Secure, the pace of attack traffic continued but at a slightly reduced rate. F-Secure said there were 2.8 billion hits to its honeypot servers in H2 2019. Distributed Denial of Service (DDos) attacks drove this deluge, accounting for two-thirds of the traffic.
Its research found that the US is the country whose IP space played host to the greatest number of attacks, followed by China and Russia.
https://www.computerweekly.com/news/252479470/F-secure-reports-a-steep-rise-in-hacking-attempts
This ransomware campaign has just returned with a new trick
Paradise ransomware is back again - and the criminals behind it appear to be testing out new tactics ahead of what could be a more prolific campaign.
A ransomware campaign has returned with a new trick to fool the unwary into compromising their network with file-encrypting malware. And it's an attack that many Windows machines won't even recognise as potentially malicious.
The new variant of Paradise ransomware, which has been active in one form or another since 2017, spreads via phishing emails, but it's different from other ransomware campaigns because it uses an uncommon – but effective – file type to infiltrate the network.
This campaign leverages Internet Query files (IQY), which are text files read by Microsoft Excel to download data from the internet. IQY is a legitimate file type, so many organisations won't block it.
More here: https://www.zdnet.com/article/this-ransomware-campaign-has-just-returned-with-a-new-trick/
Ransomware Threatens to Reveal Company's 'Dirty' Secrets
Sticking with ransomware, the operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
In a new post by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victim's data but also sifting through it to find damaging information that can be used against the victim.
In the above post, the attackers are threatening to sell the Social Security Numbers and date of births for people in the data to other hackers on the dark web.
They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
Microsoft Releases Emergency Patch for Wormable Bug That Threatens Corporate LANs
Microsoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The patch for the vulnerability is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.
On Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017.
The critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft’s Patch Tuesday release this week.
Read more here: https://threatpost.com/wormable-unpatched-microsoft-bug/153632/
Nearly all IoT traffic is unencrypted
IoT devices are considered "low-hanging fruit" among cybercriminals.
Practically all of the traffic flowing from Internet of Things (IoT) devices is not encrypted, consequently putting both businesses and their customers at unnecessary risk of data theft and all others that follow.
This is according to a new report which analysed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organisations, finding that 98 per cent of all IoT device traffic is unencrypted.
That basically means that if intercepted, the data could be easily read and used.
So the question arises – how easy is it to eavesdrop on the data exchange between IoT devices and their respective servers? The report claims 57 per cent of IoT devices are vulnerable to either medium or high-severity attacks. IoT is perceived as “low-hanging fruit” for cybercriminals.
Read more here: https://www.itproportal.com/news/nearly-all-iot-traffic-is-unencrypted/
Microsoft takes down global zombie bot network
Microsoft has said it was part of a team that dismantled an international network of zombie bots.
The network call Necurs infected over nine million computers and one of the world's largest botnets.
Necurs was responsible for multiple criminal scams including stealing personal information and sending fake pharmaceutical emails.
Cyber-criminals use botnets to remotely take over internet-connected devices and install malicious software.
The software can be used to send spam, collect information about what activity the computer is used for or delete information without notifying the owner.
Tom Burt, Microsoft's vice-president for customer security and trust, said in a blog post that the takedown of Necurs was the result of eight years of planning and co-ordination with partners in 35 countries.
Watch out for Office 365 and G Suite scams, FBI warns businesses
The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.
Bang on cue, the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 and Google G Suite.
Warnings about BEC are ten-a-penny but this one refers specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:
Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.
As organisations move to hosted email, criminals migrate to follow them.
As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.
For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.
The deeper question is why BEC scams continue to be such a problem when it’s well understood that they can be defended against using technologies such as multi-factor authentication (MFA).
Microsoft Exchange Server Flaw Exploited by multiple nation state (APT) groups
A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.
Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
More: https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/
Cyberattackers are delivering malware by using links from whitelisted sites
Legitimate-looking links from OneDrive, Google Drive, iCloud, and Dropbox slip by standard security measures.
Bad actors have added a new snare to their bag of social engineering tricks— malicious OneDrive, Google Drive, iCloud, and Dropbox links. A new whitepaper asking "Is SaaS the New Trojan Horse in the Age of the Cloud?" describes this latest attack vector.
Links to these legitimate sites can often slip by standard security measures that stop malware and block access to suspicious sites. Many of these services are whitelisted by security products because they are approved services, meaning that an enterprise has few or no defences against these advanced attacks. These services are the latest tactic designed to dupe users into divulging their credentials or unknowingly download and install malware.
Tech Firms Offer Free Remote Working Tools, as Coronavirus Cases Surge
Move comes as companies scramble to polish remote working processes
Six technology companies are rolling out free or upgraded enterprise collaboration tools under a new “Open for Business” hub, in a bid to capture new users – and support enterprises scrambling to implement remote working protocols as coronavirus cases surge.
In the US, Amazon, Microsoft and Facebook have advised Seattle-area employees to work from home for the next few weeks. In the UK most companies are holding fire for now, but are most are rapidly updating policies and assessing tools.
Large organisations might be able to work through some of the emerging provisioning issues that come with a surge of remote workers — i.e. by increasing the number of licenses for their firewalls and VPNs — many small businesses don’t have the ability to quickly provision the resources they need to support their employees when working remotely.
More here: https://www.cbronline.com/news/free-remote-working-tools