Week in review 25 January 2020 – Phishing dominates UK, Ransomware payments doubled, 160,000 breaches reported under GDPR, Citrix vulns exploited, Internet Explorer zero-day

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Phishing dominates UK cybercrime landscape

If there’s one thing General Data Protection Regulation (GDPR) did for sure, it gave us a clearer picture of the UK cyber security landscape.

A new report says that more security breaches were reported to the Information Commissioner’s Office (ICO) in 2019 than in any previous year. A total of 2,376 reports were made, compared with 1,854 in 2018, and 540 in 2017.

The report shows that there was a 28 per cent increase in the number of reported incidents between 2018 and 2019.

In particular, reports of phishing skyrocketed, rising from 16 reports in 2017, to 877 in 2018, to 1,080 in 2019. Of all of the incidents reported to the ICO in 2019, 45 per cent were related to phishing.

Other notable methods included unauthorised access (791 reported incidents), malware/ransomware (243), hardware and software misconfiguration (64), and brute force password attacks (34).

Read more here: https://www.itproportal.com/news/phishing-dominates-uk-cyber-threat-landscape/


Ransomware Payments Doubled and Downtime Grew in Q4

The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from a security firm.

The security vendor analysed anonymised data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.

It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. The jump is believed to reflect the diversity of hackers utilising ransomware today.

Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies, where they can attempt to extort the organization for a seven-figure payout. Ryuk ransom payments reached a new high of $780,000 for impacted enterprises.

At the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.

Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. During the quarter, attackers using the former variant began to use data theft to force firms to pay up, which may have increased the figure for total losses.

During the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate.

Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.

According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as it will lead to continued attacks.

Read the original article here: https://www.infosecurity-magazine.com/news/ransomware-payments-doubled/


GDPR: 160,000 data breaches reported already, so expect the big fines to follow

Over 160,000 data-breach notifications have been made to authorities in the 18 months since Europe's new digital privacy regulation came into force, and the number of breaches and other security incidents being reported is on the rise.

Analysis by a UK law firm found that after the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.

"GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organisations," according to a partner at the firm who specialises in cyber and data protection.

Read the full article on ZDNet here: https://www.zdnet.com/article/gdpr-160000-data-breaches-reported-already-so-expect-the-big-fines-to-follow/


Hackers target unpatched Citrix servers to deploy ransomware

Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware.

Multiple sources in the infosec community are reporting about hacker groups using the CVE-2019-19781 vulnerability in Citrix appliances to breach corporate networks and then install ransomware.

Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach.

The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.

Read more here: https://www.zdnet.com/article/hackers-target-unpatched-citrix-servers-to-deploy-ransomware/


Why the Jeff Bezos phone hack is a wake-up call for the powerful

When deeply personal information about one of the world’s most powerful businessmen is exposed through an attack apparently coming from the WhatsApp account of a future head of state, then who can truly feel safe?

This week’s assertion that Jeff Bezos’s iPhone X was probably hacked by the personal account of Mohammed bin Salman, crown prince of Saudi Arabia, had plenty of shock value. For anyone operating at a senior level of business or government, it is a clear wake-up call.

Read more on the FT here: https://www.ft.com/content/b5f6f3d0-3e05-11ea-a01a-bae547046735


Top UK law firms falling victim to human error

Nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.

Read more on LegalFutures here: https://www.legalfutures.co.uk/blog/gdpr-top-uk-law-firms-falling-victim-to-human-error


Regus data breach sees staff performance data published online

A spreadsheet with names, addresses and job performance data was easily found via Google, the media claim.

Personal details, as well as professional performance, of more than 900 employees of Regus have been published online after a mishap following staff review.

The media are reporting that the major office space provider had been recording its staff, with the help of mystery shopping firm Applause, for the sake of training and improving the performance of the employees. The details were subsequently published online.

Reports state that a spreadsheet with names, addresses and job performance data was easily found via Google.

Read the full article here: https://www.itproportal.com/news/regus-data-breach-sees-staff-performance-data-published-online/


Cisco Warns of Critical Network Security Tool Flaw

The critical flaw exists in Cisco’s administrative management tool, used with network security solutions like firewalls.

A critical Cisco vulnerability exists in its administrative management tool for Cisco network security solutions. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices.

The flaw exists in the web-based management interface of the Cisco Firepower Management Center (FMC), which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service. Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.

Read more on ThreatPost here: https://threatpost.com/cisco-critical-network-security-tool-flaw/152131/


Microsoft Zero-Day Actively Exploited, Patch Forthcoming

An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It’s working on a patch. In the meantime, workarounds are available.

The bug (CVE-2020-0674), which is listed as critical in severity for IE 11 and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser, according to Microsoft’s advisory, issued Friday.

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user – meaning that an adversary could gain the same user rights as the current user.

Read more here: https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/


Big Microsoft data breach – 250 million records exposed

Microsoft on Wednesday announced a data breach that affected one of its customer databases.

The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.

Microsoft didn’t give details of how big the database was. However, the firm that says it discovered the unsecured data online claims it was of the order of 250 million records containing:

…logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.

According to the company that found the records, that same data was accessible on five different servers.

The company informed Microsoft, and Microsoft quickly secured the data.

Read more here: https://nakedsecurity.sophos.com/2020/01/22/big-microsoft-data-breach-250-million-records-exposed/


Exposed AWS buckets again implicated in multiple data leaks

The lack of care being taken to correctly configure cloud environments has once again been highlighted by two serious data leaks in the UK caused by leaking Amazon Simple Storage Service (S3) bucket databases.

As a default setting, Amazon S3 buckets are private and can only be accessed by individuals who have explicitly been granted access to their contents, so their continued exposure points to the concerning fact that consistent messaging around cloud security policy, implementation and configuration is failing to get through to many IT professionals.

Read the full article on ComputerWeekly: https://www.computerweekly.com/news/252476870/Exposed-AWS-buckets-again-implicated-in-multiple-data-leaks


What Is Smishing, and How Do You Protect Yourself?

You’re probably familiar with email-based phishing, where a scammer emails you and tries to extract sensitive information like your credit card details or social security number. “Smishing” is SMS-based phishing—scam text messages designed to trick you.

How-To Geek have a useful guide explaining what smishing is and how best to protect yourself. Read the guide here: https://www.howtogeek.com/526115/what-is-smishing-and-how-do-you-protect-yourself/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.
