Executive Summary

Microsoft has detected a significant increase in malware targeted at Linux systems to create botnets which can be used for distributed denial-of-service (DDOS) and other types of attack. Internet-of-Things (IoT) or Smart Devices often use a Linux operating system to run their service. These are often not patched regularly, if at all, making them a target for this type of attack. Cloud service providers also often use Linux based operating systems.

What’s the risk to me or my business?

While IoT/Smart Devices are normally associated with home use, there has been an increase of their usage in business locations. As these devices are often not as well supported by the manufacturer for security updates, and use internet connectivity for function, they are a prime target for attackers. Once a device has been compromised and added to a botnet, it could be used to bring targeted services down via a DDOS attack or could be used to compromise other devices through brute force attacks.

What can I do?

It is important to keep all devices and systems used updated to patch vulnerabilities which enable the attacks described above to take place. It is also important to have Anti-Virus and endpoint management enabled on these devices where supported. IoT/Smart Devices pose their own challenge with this, as it is often not immediately clear who is responsible for updating the device (the vendor or user), and if security updates will be provided by the vendor. It is also not always possible for services such as Anti-Virus and endpoint management to be installed on these devices.

The following list are good practice points for mitigating the risk that IoT/Smart devices pose:

1.       Separation: Ensure that IoT/Smart devices do not sit on the same network as corporate devices. This layer of separation may be logical using network technologies such as VLANs with access control lists, or physical separation with different network infrastructure for the devices. This will help to prevent a compromised device from being used to gain access to corporate systems.

2.       Inventory: Take inventory and track what IoT/Smart devices are in use, with justification on their function. It is important to keep track of support information for these devices to establish if updates are still being published by the manufacturer, and when it is a good time to replace the devices if updates are no longer supported.

3.       Updates: While most IoT/Smart devices will automatically update when an update is published by the vendor, this is not always the case. It is important to check how frequently updates are applied to the devices, and if this is something which needs to be done manually by the device administrator. At end of manufacturer support for updates, it is important to consider replacing the device.

4.       Monitoring: It is important to monitor the activity of a IoT device, to establish a baseline on expected connectivity for the service it provides. This can then be used to provide alerts for anomalous activity outside of this baseline as an indicator of compromise, making it quick to lock down and remove a device from the network.

5.       Physical Protection: Take steps to physically protect the IoT device from tampering. These devices may contain USB ports designed for delivering updates or debugging errors, but these ports could also potentially be used to install malware.

6.       Account Protection: Ensure that the accounts used to access and administer the devices are appropriately secured, following the relevant corporate Identity and Access Management policies and Password policies. These accounts often allow access to the device via the internet, which if compromised could be a potential route into the network bypassing boundary perimeters.

Technical Summary

The specific attack identified by Microsoft is a Linux Trojan named XorDdos. This is not new malware and was originally discovered in 2014. Research shows that once compromised, these devices are often infected with additional malware used for different purposes.

Further technical details can be found here: Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog. Further information on IoT best practices can be found here: Internet of Things (IoT) security best practices | Microsoft Docs, Code of Practice for consumer IoT security - GOV.UK (www.gov.uk), Ten best practices for securing the Internet of Things in your organization | ZDNet

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Cyber crime costs the world more than $1 trillion, a 50% increase from 2018

Cyber crime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion. Beyond the global figure, the report also explored the damage reported beyond financial losses, finding 92 percent of companies felt effects beyond monetary losses.

https://www.helpnetsecurity.com/2020/12/07/cybercrime-costs-world/

FireEye, one of the world's largest security firms, discloses security breach

FireEye, one of the world largest security firms, said today it was hacked and that a "highly sophisticated threat actor" accessed its internal network and stole hacking tools FireEye uses to test the networks of its customers.

The firm said the threat actor also searched for information related to some of the company's government customers.

The attacker was described as a "highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack."

https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/

Chinese Breakthrough in Quantum Computing a Warning for Security Teams

China’s top quantum-computer researchers have reported that they have achieved quantum supremacy, i.e., the ability to perform tasks a traditional supercomputer cannot. And while it’s a thrilling development, the inevitable rise of quantum computing means security teams are one step closer to facing a threat more formidable than anything before.

https://threatpost.com/chinese-quantum-computing-warning-security/161935/

Ransom payouts hit record-highs, surging 178% in a year

Average ransom payouts increased by 178% in the third quarter of this year, from $84,000 (£63,000) to almost £234,000, compared with the year before. Ransomware payments reached record-highs in 2020 as employees shifted to remote working to curb the spread of the coronavirus pandemic, creating more attack vectors for hackers.

https://uk.finance.yahoo.com/news/ransomware-payouts-hacking-computers-hit-record-highs-surging-134527988.html

Ransomware Set for Evolution in Attack Capabilities in 2021

Ransomware is set to evolve into a greater threat in 2021 as service offerings and collaborations increase. The year turned out “different than predicted” and the shift to working from home also impacted the e-crime landscape. “This created an industrialization of e-crime groups and their abilities to extend from single groups into business pipelines”

https://www.infosecurity-magazine.com/news/ransomware-evolution-capabilities/

How Organisations Can Prevent Users from Using Breached Passwords

There is no question that attackers are going after your sensitive account data. Passwords have long been a target of those looking to compromise your environment. Why would an attacker take the long, complicated way if they have the keys to the front door?

https://thehackernews.com/2020/12/how-organizations-can-prevent-users.html

Threats

Ransomware

• Hackers demand $34.7 million in Bitcoin after ransomware attack on Foxconn

• Ransomware forces hosting provider Netgain to take down data centers

• Ransomware-struck schools reject £1m demand from crims in timely reminder to always mind the air-gap

• 'Malwareless' ransomware campaign operators pwned 83k victims' MySQL servers, 250k databases up for sale

• Ransomware hits helicopter maker Kopter

Phishing

• Spearphishing Attack Spoofs Microsoft.com to Target 200M Office 365 Users

• Adobe users targeted in dangerous new phishing campaign

IOT

• Millions of IoT devices could be vulnerable to these unfixable security bugs

Malware

• Qbot malware switched to stealthy new Windows autostart method

• Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox

• Social media sharing icons could harbor info-stealing malware

• All-new Windows 10 malware is excellent at evading detection

• Rana Android Malware Updates Allow WhatsApp, Telegram IM Snooping

Vulnerabilities

• Critical, Unpatched Bugs Open GE Radiological Devices to Remote Code Execution

• Amnesia:33 vulnerabilities impact millions of smart and industrial devices

• Microsoft December 2020 Patch Tuesday security update address 58 vulnerabilities, 22 of them are remote code execution vulnerabilities.

• Expert discloses zero-click, wormable flaw in Microsoft Teams

• NSA Warns: Patched VMware Bug Under Active Attack

Data Breaches

• FireEye, one of the world's largest security firms, discloses security breach

• HMRC admits to 26 data breaches during 2019-20

• Hackers leak data from Embraer, world's third-largest airplane maker

• Payment service PayPay hacked

Threat Actors

• Norway says Russian hacking group APT28 is behind August 2020 Parliament hack

Insider Threats

• Bank Employee Sells Personal Data of 200,000 Clients

Other News

• Experian predicts 5 key data breach targets for 2021

• 6 new ways threat actors will attack in 2021

• Research: Millions of smart devices vulnerable to hacking

• Finland passes new 5G security law to ban risky equipment

• Ransomware attacks target backup systems, compromising the company ‘insurance policy’

Reports Published in the Last Week

• Sophos 2021 Threat Report

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.