Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Cyber Weekly Flash Briefing 14 August 2020: Travelex goes bust following ransomware, Microsoft fix 120 vulns inc two zero-days, more ransomware victims paying up, Cloud misconfigurations create risks
Cyber Weekly Flash Briefing 14 August 2020: Travelex Forced into Administration After Ransomware Attack, Microsoft fixes 120 vulnerabilities inc two zero-days, More ransomware victims are paying up, Misconfiguration #1 Cloud Security Threat, Beware What You Ask Amazon Alexa, Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google, Google and Amazon are now the most imitated brands for phishing
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Travelex Forced into Administration After Ransomware Attack
Ransomware victim Travelex has been forced into administration, with the loss of over 1000 jobs.
PwC announced late last week that it had been appointed joint administrators of the currency exchange business.
The Sodinokibi (REvil) ransomware variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.
Why this matters:
Firms of any size can call victim to ransomware and many firms will not survive a significant cyber event such as this. Unconfirmed reports at the time suggested that a critical unpatched vulnerability in a VPN (Virtual Private Network) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored. This again shows the importance of ensuring all security updates are applied quickly. Has this software had the security updates applied those vulnerabilities would not have been able to be used in this attack.
Read more: https://www.infosecurity-magazine.com/news/travelex-forced-administration/
Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Microsoft’s August 2020 Patch Tuesday security updates fell this week and this month the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.
Among these 120 vulnerabilities, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide a fix.
Why this matters:
All security updates should be applied as soon as possible to prevent vulnerabilities from being exploited in attacks. When vulnerabilities are announced criminals will waste no time in weaponizing them (creating exploits to use in attacks) so the quicker the vulnerabilities are closed the safer you will be.
More ransomware victims are paying up, even when data recovery is possible
The proportion of ransomware attack victims actually paying ransoms increased in the last quarter, even in instances where ransomed data could be recovered, new figures have revealed.
According to a commercial ransomware recovery service, data exfiltration attacks are becoming more common and blending with traditional ransomware hacks. Data exfiltration extortion involves an attacker taking possession of stolen data and putting it up for sale on forums or marketplaces. Once monetised, the hacker asks the victim to pay a ransom to prevent the information’s release.
The recover firm added that tools currently on the market vary wildly when it comes to data recovery success following a ransomware attack. What’s more, the company has noted an uptick in the number of companies experiencing operating system and registry corruption even after ransomed data is restored.
Why this matters:
It used to be that backups were the best defence against ransomware attacks, but if your data is stolen a backup won’t help you avoid having to pay out to keep your sensitive or confidential data out of the public domain.
Intel, SAP, and Citrix release critical security updates
Intel released 18 advisories, including fixes for Denial of Service, Information Disclosure and Elevation of Privilege flaws affecting various products on Windows, Chrome OS and Linux OS.
SAP’s released 15 security notes and an update to a previously released one to address flaws in a variety of offerings, including SAP ERP, SAP Business Objects Business Intelligence Platform, SAP S/4 HANA and various SAP NetWeaver components.
Citrix’s has released patches for a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (aka XenMobile Server).
Why this matters:
Security upgrades should always be applied as soon as possible. Whether announced vulnerabilities are already being exploited or not as they become known they likely will be exploited and patching them (applied the fixes made available) prevent them from being exploited.
Read more: https://www.helpnetsecurity.com/2020/08/12/intel-sap-citrix-security-updates-august-2020/
IT Pros Name Misconfiguration #1 Cloud Security Threat
Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals.
A security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.
Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.
The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).
These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.
This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organisations are using two or more public cloud providers — adding to the complexity.
Why this matters?
Organisations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes
Read more: https://www.infosecurity-magazine.com/news/misconfiguration-error-cloud/
RedCurl cybercrime group has hacked companies for three years
Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focusing on the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.
Named RedCurl, the activities of this new group have been detailed in a 57-page report released this week.
Researchers have been tracking the group since the summer of 2019 and have since identified 26 other RedCurl attacks, carried out against 14 organisations, going as far back as 2018.
Why this matters:
This Russian group have targeted victims across different countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK. Many firms could fall victim to cyber crime groups like this if their defences are not able to withstand such attackers.
Read more: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/
Why You Must Beware What You Ask Amazon Alexa
The same cyber team that cracked open TikTok, WhatsApp, Microsoft’s cloud and even Philips lightbulbs has just turned its attention to Amazon’s Alexa. And, unsurprisingly, it hasn’t disappointed. After “speculating” that Amazon’s 200 million devices “could be a prime entry-point for hackers,” Check Point Research has just lifted the lid to unmask “serious security flaws in Alexa.” According to the team, “in just one click, a user could have given up their voice history, home address and control of their Amazon account.”
Why this matters:
Warnings about the dangers of smart speakers and their extended families of virtual assistants are not new. These are the same devices that causes such scandal last year, when it transpired humans were listening to conversations to better train the AI. The issue here is different, much more akin to the broader problem of IoT security. Every different gadget you connect to the internet becomes a potential vulnerability and the methods needed to crack Amazon’s devices were not particularly sophisticated.
Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google
A star engineer who admitted stealing self-driving car secrets from Google has been sentenced to 18 months in prison.
Anthony Levandowski, who helped found Google's self-driving car project, now known as Waymo, pleaded guilty to downloading documents containing data about the company's work and accessing one of them after he had left to found his own trucking startup.
Sentencing him in a San Francisco court, the judge said he was imposing prison time as a deterrent.
An early star in the self-driving car scene, Mr Levandowski pushed for Google to develop the technology but later became disillusioned, leaving in early 2016 to start trucking company Otto, which was bought by Uber less than eight months later.
Waymo sued Uber, a case which was settled in 2018, with Uber paying out $245m (£187m) in equity and agreeing not to use its technology.
Uber had signed an indemnification agreement with Mr Levandowski, forcing it to pay his legal fees, but has refused to pay a $179m debt he owes to the Google spin-out, a consequence of separate legal action relating to his departure.
Why this matters:
Your staff present one of your biggest risks, and a disgruntled or disillusioned employee can be very dangerous. The theft of intellectual property for personal gain is a classic example of this kind of behaviour. Data Loss Prevention (DLP) systems can help to spot unusual behaviour in employees and detect sensitive data being extracted from corporate systems.
Google and Amazon are now the most imitated brands for phishing
You may want to think twice about opening that email claiming to be from Google or Amazon, after new research found the tech giants were being used as lures for phishing scams.
Earlier this year, Check Point revealed that Apple was the most imitated brand for phishing, but over the course of the last few months, the iPhone maker has fallen to seventh place with Google and Amazon now taking the top spots.
Why this matters:
Phishing is estimated to be the starting point of over 90 percent of all cyberattacks and according to Verizon's 2019 Data Breach Investigations Report, nearly one third (32%) of all data breaches involved phishing activity. Additionally phishing was present in 78 percent of cyber espionage incidents and the installation and use of backdoors in company networks.
Read more: https://www.techradar.com/news/google-and-amazon-are-now-the-most-imitated-brands-for-phishing
Cyber Weekly Flash Briefing 03 April 2020 – GFSC warn over increased fraud & cybercrime, attacks up 37% in a month, criminals sending USB devices in post, Zoom phishers register 2000 domains
Cyber Weekly Flash Briefing for 03 April 2020 – GFSC warns over increased risk of fraud and cyber crime, Attacks Up 37% over last month, criminals sending USB device in post, Zoom Phishers Register 2000 Domains in a Month, increase in DDoS attacks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
GFSC warns over increased risk of fraud and cyber crime
The GFSC has put out a warning to regulated firms on the Island around increased likelihood of fraud and other cyber crimes as a result of the COVID-19 pandemic.
The Commission has stated that they expect licensees to apply effective controls, including having suitable controls to prevent cybercrime.
Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites
Online threats have risen by as much as six-times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks.
Analysis of UK traffic figures for the past four weeks compared to the previous month noted a sharp uptick in malicious activity.
Hacking and phishing attempts were up 37% month-on-month, while on some days, there were between four- and six-times the number of attacks it would usually see.
More here: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/
Cybercrime spikes during coronavirus pandemic, says Europol
Just like everyone else in the face of a pandemic, criminals seem to be staying home — but they're just turning to different methods to make a buck.
That's the message from a new Europol report out this week, which reveals that criminals are adapting to exploit the global chaos.
While many police departments are reporting a lull in physical crime, other types of crime are having a heyday — and those numbers are only expected to increase.
Europol identified cybercrime, fraud, counterfeit goods and organised property crime as categories of particular concern.
Read more here: https://www.euronews.com/2020/03/27/cybercrime-spikes-during-coronavirus-pandemic-says-europol
Cybercriminal group mails malicious USB dongles to targeted companies
Security researchers have come across an attack where an USB dongle was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time it's a known sophisticated cybercriminal group who is likely behind it.
The attack was analysed after a US company in the hospitality sector received the USB sometime in mid-February.
The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer. "You can spend it on any product from the list of items presented on an USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.
Top Email Protections Fail in Latest COVID-19 Phishing Campaign
Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.
New phishing attacks were discovered that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area.
The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to the report.
More: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/
Zoom Phishers Register 2000 Domains in a Month
Over 2000 new phishing domains have been set up over the past month to capitalise on the surging demand for Zoom from home workers, according to new data.
The report analysed data from a threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.
The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.
With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.
Nearly a third (30%) of the new “Zoom” websites spotted activated an email server which indicates these domains are being used to facilitate phishing attacks.
More here: https://www.infosecurity-magazine.com/news/zoom-phishers-register-2000/
Across-the-board increase in DDoS attacks of all sizes
There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to a report.
DDoS attacks grew across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.
In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.
However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.
Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.
More here: https://www.helpnetsecurity.com/2020/03/27/ddos-attacks-increase-2020/
Cybersecurity insurance firm Chubb investigates its own ransomware attack
A notorious ransomware gang claims to have successfully compromised the infrastructure of a company selling cyber insurance.
The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.
The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.
Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.
Read the full article here: https://hotforsecurity.bitdefender.com/blog/cybersecurity-insurance-firm-chubb-investigates-its-own-ransomware-attack-22753.html
Ransomware Payments on the Rise
More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.
New research published this week shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.
The report states 62% of organisations were victimised by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.
Read the full article here: https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments/
Marriott hit by second data breach exposing “up to” 5.2 million people
Hotel chain Marriott International this week announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
The hotel company has stressed that not all data was exposed for each person.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.
More here: https://www.verdict.co.uk/marriott-second-data-breach/
Lawyers urged to switch off Alexa when working from home
Law firms are warning their employees to turn off their smart speakers while working from home due to security concerns.
Smart speakers such as Amazon’s Echo series and Google’s Nest range have become wildly popular in Britain with an estimated 34pc of households now using them.
But privacy and security experts have repeatedly said the devices may pose a security threat and now law firms have advised staff not to disclose sensitive details when they are in use nearby.
A spokesman from one firm of solicitors said that that hackers could access sensitive details through the speakers, telling their staff to check the default settings on the speaker and to the extent that you can, switch them off during the working day.
More here: https://www.telegraph.co.uk/technology/2020/03/30/lawyers-urged-switch-alexa-working-home/