Although the new EU Digital Operational Resilience Act (DORA) applies to regulated financial services organisations in the EU from January, the effects will be felt in the Channel Islands.

For example, if you are a fund or asset manager for a regulated EU financial services client, then you will feature on your client’s new DORA risk register that must address the risk exposure to and from other financial entities.

We expect your client will contact you to evaluate your cyber security controls. The outcome may determine whether your EU client can continue a business relationship depending on the quality of your cyber risk management, the EU client’s own risk appetite, and their interpretation of their local regulatory compliance.

Remember you will be dealing with an EU client that has been deep-diving into DORA for some time, so their knowledge and experience on this may be greater than yours at present and their questions may be challenging. Remember too that DORA includes managing the risks of third-party IT providers, so your risk analysis and management must be independent of your IT provider.

We know how long the journey can be for some organisations to implement proportionate cyber risk controls across people, operations, and technology. Your approach to managing cyber security risks is now a key competitive advantage, when your client compares your approach to that of your competitors locally and in other locations. 

We recommend starting now, to avoid being on the back foot when contacted by your EU clients. The UK Government has expressed its intention to implement similar legislation in the UK.

Contact us now to discuss our refined cyber risk analysis and leadership training designed for Channel Islands customers.

Although the new EU Digital Operational Resilience Act (DORA) applies to regulated financial services organisations in the EU from January, the effects will be felt in the London fund and asset management sector.

If you have regulated EU financial services clients for example in Ireland or Luxembourg, then you will feature on their new DORA risk register that must address the risk exposure to and from other financial entities.

We expect your client will contact you to evaluate your cyber security controls. The outcome may determine whether your EU client can continue a business relationship depending on the quality of your cyber risk management, the EU client’s own risk appetite, and their interpretation of their local regulatory compliance.

Remember you will be dealing with an EU client that has been deep-diving into DORA for some time, so their knowledge and experience on this may be greater than yours at present and their questions may be challenging. Remember too that DORA includes managing the risks of third-party IT providers, so your risk analysis and management must be independent of your IT provider.

We know how long the journey can be for some organisations to implement proportionate cyber risk controls across people, operations, and technology. Your approach to managing cyber security risks is now a key competitive advantage, when your client compares your approach to that of your competitors locally and in other locations. 

We recommend starting now, to avoid being on the back foot when contacted by your EU clients. The UK Government has expressed its intention to implement similar legislation in the UK.

Join our free webinar at 12:00 noon on Tuesday 21 May 2024, to learn more including how to conduct a proportionate cyber risk analysis and prepare for conversations with your clients. Places are limited. Contact us for details on training@blackarrowcyber.com.

The next open Cyber User Education and Awareness Training session with any availability left is on Wednesday 06 October 2021 from 10am-12pm.

We currently have 4 spaces remaining and the cost per delegate is £150.

Firms can send between 1-14 staff to these open training courses meaning less disruption to business operations and new starters, for example, don't need to wait until the next time the whole firm gets cyber training.

These open courses are run at least once per week so we can offer a lot of flexibility.

Remember only with Black Arrow do you get access to world-class cyber security experts from British Intelligence, Defence, Law Enforcement, Big-4 Advisory, FTSE100, Global Financial Services and the GFSC.

Call us on 711 988 or email training@blackarrowcyber.com to book places for your staff members.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations

A new survey suggests that most IT staff have felt pressured to ignore security concerns in favour of business operations. On Thursday, a new study report was released, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt "pressured" to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a "ticking time bomb" for corporate security incidents. https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/

Ransomware Attacks Increased Exponentially In 2021

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. https://www.ehackingnews.com/2021/09/ransomware-attacks-increased.html

Phishing Attacks: One In Three Suspect Emails Reported By Employees Really Are Malicious

All the time spent ticking boxes in cyber security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click".  Researchers analysed over 200,000 emails that were flagged by employees from organisations across the globe in the first half of 2021 and found that 33% of the reports could be classified as phishing. https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious/

Hackers Shift From Malware To Credential Hijacking

Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report conducted by researchers. “According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.” https://www.nextgov.com/cybersecurity/2021/09/report-hackers-shift-malware-credential-hacking/185209/

Attacker Breakout Time Now Less Than 30 Minutes

The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to researchers. The findings come from researchers own investigations with customers across around 248,000 unique global endpoints. For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes. https://www.infosecurity-magazine.com/news/attacker-breakout-time-now-less/

Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html

53% Find It Difficult To Prevent An Insider Attack During Data Aggregation

Recent data from researchers found that 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception. To fully understand any insider incident, visibility into the entire kill chain of an attack is imperative to preventing the exfiltration of critical data. https://venturebeat.com/2021/09/02/53-find-it-difficult-to-prevent-an-insider-attack-during-data-aggregation/

The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge

Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber Insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets. https://www.helpnetsecurity.com/2021/09/10/cyber-insurance-ransomware/

Hackers Exploit Camera Vulnerabilities To Spy On Parents

Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were found in the IoT gadgets, made by China based developer Victure, that were found by researchers. In a security report, researchers revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. https://www.ehackingnews.com/2021/09/hackers-exploit-camera-vulnerabilities.html

39% Of All Internet Traffic Is From Bad Bots

Automated traffic takes up 64% of internet traffic – and whilst just 25% of automated traffic was made up by good bots, such as search engine crawlers and social network bots, 39% of all traffic was from bad bots, a Barracuda report reveals.

These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defences and attempt to perform their malicious activities under the radar. The report revealed that the most common of these persistent bots were ones that went after e-commerce applications and login portals. https://www.helpnetsecurity.com/2021/09/07/bad-bots-internet-traffic/

Threats

Ransomware

• REvil Ransomware Group Returns Following Kaseya Attack

• Ragnar Locker Gang Warns Victims Not To Call The FBI

• This Is The Perfect Ransomware Victim, According To Cyber Criminals

• 5 Surefire Things That’ll Get You Targeted By Ransomware

• Hive Is Dangerous New Ransomware Threat, FBI Says

• Why Ransomware Hackers Love A Holiday Weekend

BEC

Phishing

• Microsoft Outlook Shows Real Person’s Contact Info For IDN Phishing Emails

Other Social Engineering

• 'Bitcoin Fraud Cost Me £500,000'

Malware

• Traffic Exchange Networks Distributing Malware Disguised As Cracked Software

• New Malware Uses Novel Fileless Technique To Evade Detection

Mobile

• Dangerous New Cable Can Hack iPhones From One Mile Away

• This Android Security Flaw Could Let Hackers Follow All Your Movements

IOT

• IoT Attacks Skyrocket, Doubling In 6 Months

Vulnerabilities

• Zoho ManageEngine Password Manager Zero-Day Gets A Fix, Amid Attacks

• New CPU Side-Channel Attack Takes Aim At Chrome’s Site Isolation Feature

• Microsoft, CISA Urge Mitigations For Zero-Day RCE Flaw In Windows

• Atlassian CISO Defends Company's Confluence Vulnerability Response, Urges Patching

• PoC Released For GhostScript Vulnerability That Exposed Airbnb, Dropbox

• Netgear Smart Switches Open To Complete Takeover

• New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

• Cisco Patches Critical Authentication Bug With Public Exploit

Data Breaches/Leaks

• Guntrader Breach Perp: I Don't Think It's A Crime To Dump 111k People's Details Online In Google Earth Format

Organised Crime & Criminal Actors

• TrickBot Gang Developer Arrested At The Seoul International Airport

• The Secret Vulnerability Of Cyber Criminals: Burnout

Cryptocurrency/Cryptojacking

• Financial Cyber Crime: Why Crypto Currency Is The Perfect ‘Getaway Car’

Insider Threats

• Enterprises Are Missing The Warning Signs Of Insider Threats

DoS/DDoS

• Yandex Is Battling The largest DDoS In Russian Internet history

Nation State Actors

• Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack

Cloud

• Organisations Struggling To Develop Cloud Applications That Meet Security Requirements

Privacy

• WhatsApp “End-To-End Encrypted” Messages Aren’t That Private After All

• ProtonMail Logs Activist's IP Address With Authorities After Swiss Court Order

Other News

• OWASP Shakes Up Web App Threat Categories With Release Of Draft Top 10

• SIEM Market Size To Reach $6436.2 Million By 2027

• A Zero-Trust Future: Why Cyber Security Should Be Prioritized For The Hybrid Working World

• Microsoft Has A $20 Billion Hacking Plan, But Cyber Security Has A Big Spending Problem

• Misbehaving Microsoft Teams Ad Brings Down The Entire Windows 11 Desktop

• This Seemingly Normal Lightning Cable Will Leak Everything You Type

• HSE Cyber Attack: Irish Health Service Still Recovering Months After Hack

• Brute-Force Attacks Target Inboxes For Gift Card Data

• Glasgow Firm Fined £150k After Half A Million Nuisance Calls, Spoofing Phone Number, Using False Trading Names

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Time’s up. Are you ready to evidence compliance with the new GFSC Cyber Rules now in effect?

Guernsey Regulated Financial Services Firms, the deadline for compliance with the GFSC Cyber Rules is today!

Will you be ready to explain your strategy and governance when the GFSC turn up for a regulatory visit?

The Cyber Rules compel Boards to take accountability for Cyber risks where previously it may have belonged to IT. Technology is only one piece of the puzzle, and often it is your people that present your weakest link.

We support our clients with an independent and proportionate gap analysis report that assesses risks and controls across people, operations and technology. This informs the strategy and governance that shows the GFSC what they want to see, reinforced by objective education and awareness for Boards and users.

We help our clients get the best performance from their IT Provider, to see and remediate the risks that cannot be revealed in a self-assessment either by the provider or the client.

Talk to the professionals today, with the experience and qualifications you can count on.

Contact us on contact@blackarrowcyber.com or call us on 711988

Priority action for all regulated firms in Guernsey: Microsoft announced that email servers are being attacked, and the GFSC rules require you to record how you have reviewed your cyber security controls to address this.

In an alarming announcement earlier this month, Microsoft alerted all customers across the world that their Exchange email servers may have been compromised by “state-sponsored [attackers] operating out of China”. Microsoft then announced that it continues to see the attacks growing by “multiple actors taking advantage of unpatched systems”.

The new GFSC Cyber Security Rules, which all regulated firms must comply with immediately, foresaw that sinister events such as these will increasingly occur. The Rules require Boards to review their controls if there is a “trigger event” which is defined as a “significant occurrence which would indicate that the licensee may be susceptible to a cyber security event” including “a vulnerability announcement issued by a software or hardware provider” and “international warnings of cyber security threats, vulnerabilities or incidents”.

Here, we share Black Arrow’s observations on how this ‘trigger event’ occurred, and how firms in Guernsey can demonstrate compliance with the GFSC Cyber Security Rules.

An attack on Microsoft Exchange email servers across the world

On 3rd March 2021 Microsoft released a statement indicating that their on-premises email server, Microsoft Exchange, was subject to several zero-day exploits of  “critical” vulnerabilities. A zero-day exploit is where an attacker uses a previously unknown weakness in computer systems for which there is no known mitigation such as a software security patch from the vendor. Microsoft stated that it wanted to “emphasize the critical nature of these vulnerabilities” which was evidenced in the way it gave comprehensive advice on what their customers should do.

Attackers will make the best use of the zero-day vulnerability until the software vendor, in this case Microsoft, creates and releases a fix. Although Microsoft has now released a corrective software patch, the troubling feature of this incident is that Microsoft says that just applying the patch “will not evict an adversary who has already compromised a server”. This means that cyber security teams in Guernsey need to investigate and implement controls that will identify and address activity by someone who is already in the firm’s network.

What the GFSC Rules require you to do

Microsoft strongly urged customers to “update on-premises systems immediately”, which include those of local IT providers, but it highlighted that “Exchange Online is not affected”. It also advised thoroughly investigating specific Indicators of Compromise that it listed, to identify whether the environment had been compromised through these vulnerabilities.

In addition, the GFSC Rules require regulated firms to review, and importantly to record, whether their approach to cyber security is still appropriate in the light of a ‘trigger event’ such as this. This goes to the heart of the Rules, which highlights that cyber security is never a one-time project but that firms must periodically review their controls across people, operations and technology, especially after the major alert this month.

To be effective, the review should be objective and impartial, and it should cover people, operations and technology. Cyber security is owned by the Board, and can never be handed to IT as a one-stop-shop to achieve compliance.

At Black Arrow, we work with clients to perform documented assurance for events like this as well as undertaking a gap analysis that identifies the priority areas of focus for organisations to achieve and demonstrate compliance with the GFSC Rules. The GFSC Rules were established following the thematic review conducted by one of our founding directors. Contact us to gain a better understanding of how the recent attacks affect your business, and what you can do to improve your protection in line with GFSC requirements.

https://guernseypress.com/news/2021/02/19/the-new-gfsc-cyber-security-rules-what-the-gfsc-demands-of-you-and-why-you-cannot-simply-pass-it-to-it/

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

GFSC new Cyber Rules and Guidance out for consultation

The GFSC have put the Cyber Security Rules and Guidance Consultation Paper up on their website and consultation hub.

Why this matters:

The new rules and accompanying guidance came out of the 18 month thematic review which ended last year, which found that regulated financial service firms within the Bailiwick of Guernsey were not taking risks from cyber threats seriously enough and were lacking in appropriate protections and controls. These new rules seek to rectify this but many firms on the Island are going to have to do work to become compliant, especially around their ability to monitor for and detect unusual activity that could be indicative of a actual or attempted intrusion or breach.

The rules and guidance can be found here:

https://consultationhub.gfsc.gg/banking-and-insurance-supervision-and-policy/cyber-security-rules-and-guidance-consultation-pap/

Leaked FinCEN files expose poor data security

Leaked documents, dubbed the “FinCEN Files,” describe global money laundering of $2 trillion processed by many of the world’s biggest banks between 2000 and 2017. The reveal illuminates the struggle for the financial industry and government to provide ironclad data protection.

“This sensational and unprecedented leak clearly demonstrates a wide spectrum of data protection weaknesses in the governmental sector, affecting even the most developed Western countries,” Ilia Kolochenko, founder and CEO of  ImmuniWeb, said of the files.

“From a cybersecurity standpoint, we may expect a growing lack of trust to governmental agencies, which on one side have quasi-unlimited access to the most sensitive data of the largest organisations, while cannot duly safeguard this data on the other side,” he said.

The latest disclosure exposing apparently insufficient attempts by the public and private sectors to curb corruption came to light in a BuzzFeed News report which detailed more than 2,500 reported cases, including 2,100 Suspicious Activity Reports (SAR) filed by financial institutions with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

JPMorgan Chase, Citigroup, Bank of America, Deutsche Bank, HSBC and Standard Chartered are among the financial institutions cited in the leaked files as processing dirty money around the world. The documents may have come from a whistleblower or insider at FinCEN. The International Consortium of Investigative Journalists (ICIJ), which represents 108 news organizations in 88 countries, is conducting a probe of the matter.

Why this matters:

Other similar investigative reports on similar wrongdoing focused single financial, tax or legal institutions, such as the 2017 Panama Papers emanating from clients of the law firm Mossack Fonseca. But the FinCEN docs reveal that a wide array of people from oligarchs and corrupt politicians to drug dealers and organised crime throughout the world know how to circumvent the system’s supposed checks and balances.

Read more: https://www.scmagazine.com/home/security-news/leaked-fincen-files-expose-poor-data-security/

Microsoft says it detected active attacks leveraging Zerologon vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft's security intelligence team said this week.

The attacks were expected to happen, according to security industry experts.

Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed a week ago.

The first proof-of-concept exploit was published hours after the explanatory blog post, confirming initial analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.

Why this matters:

Put simply the Zerologon bug is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller. Exploiting the Zerologon bug can allow hackers to take over the domain controller, and inherently a company's internal network.

Zerologon was described by many as the most dangerous bug revealed this year. US federal agencies were given three days to patch domain controllers or disconnect them from federal networks.

As several security experts have recommended since Microsoft revealed the attacks, companies that have their domain controller exposed on the internet should take systems offline to patch them.

These internet-reachable servers are particularly vulnerable as attacks can be mounted directly, without the hacker first needing a foothold on internal systems.

Read more: https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/

Doppelpaymer ransomware crew fingered for attack on German hospital that caused death of a patient

The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that led to one patient's death, according to local sources.

A German newspaper carried a report that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.

That ransomware infection, activated last week, is said by local prosecutors to have led to the death of one patient who the hospital was unable to treat on arrival. She died in an ambulance while being transported to another medical facility with functioning systems.

Why this matters:

According to a report handed to the provincial government of North Rhine-Westphalia and seen by the German Press Association (DPA), the ransomware's loader had been lurking on the hospital's network since December 2019, the same month a patch was issued by Citrix for CVE-2019-19781 – the same vuln exploited to hit the hospital.

Whilst this is the first time a loss of life has been directly attributed to ransomware the threats are increasing all the time.

Vulnerabilities must be patched as soon as possible to stop known vulnerabilities from being used in attacks.

Read more: https://www.theregister.com/2020/09/23/doppelpaymer_german_hospital_ransomware/

“LokiBot,” the malware that steals your most sensitive data, is on the rise

Agencies in the US have reported seeing a big uptick in infections coming from LokiBot, an open source DIY malware package for Windows that’s openly sold or traded for free in underground forums. It steals passwords and cryptocurrency wallets, and it can also download and install new malware.

The increase was measured by an automated intrusion-detection system for collecting, correlating, analysing, and sharing computer security information.

US cyber agency CISA observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020 according to an alert issued this week.

Why this matters:

While not quite as prevalent or noxious as the Emotet malware, LokiBot remains a serious and widespread menace. The infostealer spreads through a variety of methods, including malicious email attachments, exploitation of software vulnerabilities, and trojans sneaked into pirated or free apps. Its simple interface and reliable codebase make it attractive to a wide range of crooks, including those who are new to cybercrime and have few technical skills.

Read more: https://arstechnica.com/information-technology/2020/09/lokibot-the-malware-that-steals-your-most-sensitive-data-is-on-the-rise/

Ransomware is evolving, but the key to preventing attacks remains the same

Ransomware attacks are getting more aggressive according to a senior figure at Europe's law enforcement agency, but there are simple steps which organisations can follow to protect themselves – and their employees – from falling victim to attacks.

"Ransomware is one of the main threats," said the head of operations at Europol's European Cybercrime Centre (EC3). Europol supports the 27 EU member states in their fight against terrorism, cybercrime and other serious and organised forms of crime.

"Criminals behind ransomware attacks are adapting their attack vectors, they're more aggressive than in the past – they're not only encrypting the files, they're also exfiltrating data and making it available," he explained. "From a law enforcement perspective, we have been monitoring this evolution."

Why this matters:

This year has seen a rise in ransomware attacks where cyber criminals aren't just encrypting the networks of victims and demanding six-figure bitcoin payment to return the files, but they're also threatening to publish sensitive corporate information and other stolen data if the victim doesn't pay the ransom.

Read more: https://www.zdnet.com/article/ransomware-is-evolving-but-the-key-to-preventing-attacks-remains-the-same/

A look at the top threats inside malicious emails

Web-phishing targeting various online services almost doubled during the COVID-19 pandemic: it accounted for 46 percent of the total number of fake web pages, Group-IB reveals.

Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analysed contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.

Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.

According to the data, in H1 2020 detected malicious emails were:

• 43 percent of the malicious mails had attachments with spyware or links leading to their downloading

• 17 percent contained downloaders

• 16 percent had backdoors

• 15 percent had banking trojans

• Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.

Why this matters:

These findings confirm adversaries’ growing interest in Big Game Hunting. Ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.

Read more: https://www.helpnetsecurity.com/2020/09/21/top-threats-inside-malicious-emails/

Credential Stuffing: the Culprit of Recent Attacks

A year ago, researchers found that 2.2 billion leaked records, known as Collection 1-5, were being passed around by hackers. This ‘mega leak’ included 1.2 billion unique email addresses and password combinations, 773 million unique email addresses and 21 million plaintext passwords. With this treasure trove, hackers can simply test email and password combinations on different sites, hoping that a user has reused one. This popular technique is known as credential stuffing and is the culprit of many recent data breaches.

There are only a few months left of 2020 but this year has seen its fair share of major data breaches including:

• Marriott International experienced another mega breach, when it was still recovering from the 2018 data breach that exposed approximately 339 million customer records

• Zoom became a new favourite for hackers due to the remote working mandated in many parts of the world - in early April  Zoom fell victim to a credential stuffing attack, which resulted in 500,000 of Zoom’s usernames and passwords being exposed on the Dark Web.

• GoDaddy, the world’s largest domain registrar confirmed in April that credentials of 28,000 of its customer web hosting accounts were compromised in a security incident back in October 2019.

• Nintendo - in March, users reported unauthorised logins to their accounts and charges for digital items without their permission. In June Nintendo advised that approximately 300,000 accounts were affected by the breach, resulting in the compromise of personal identifiable information such as email address, date of birth, country and gender.

Why this matters:

It has become evident that many of the recent data breaches were the result of credential stuffing attacks leveraging compromised passwords or passphrases. Credential stuffing attacks are automated hacks where stolen usernames and password combinations are thrown at the login process of various websites in an effort to break in. With billions of compromised credentials already circulating the Dark Web, credential stuffing attacks can be carried out with relative ease and with a 1-3% success rate.

When the account of an employee is compromised, hackers can gain access to sensitive data that organisation has collected, and sell it on the Dark Web. The stolen data, often including login credentials, can then be used to infiltrate other organisations’ systems which creates a never-ending cycle.

This is why the LinkedIn breach was blamed for several secondary compromises due to users recycling their exposed LinkedIn passwords on other sites.

Read more: https://www.infosecurity-magazine.com/blogs/credential-stuffing-recent-attacks/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.