Threat Intelligence Blog
Black Arrow Cyber Tip Tuesday - Looking to 2020 and increased focus on cyber by the GFSC for all regulated financial service firms in the Bailiwick
Welcome to the final Cyber Tip Tuesday of the year, on this the last day of 2019.
As we look back over the last twelve months, the most significant thing, at least as far as regulated financial services firms in the Bailiwick are concerned, is that the GFSC is putting a lot more focus on, and changing the ways it is assessing, cyber risk - both in terms of operational risk and governance risk.
The Commission will be putting new regulations out to public consultation in the new year, but firms need to think about getting on the front foot and consider whether they are doing all they should be doing in relation to cyber security.
We know what the Commission will be looking for as we were directly involved in the thematic review that led to these new regulations, and provided direction for the regulations themselves and the changes to the way firms will be assessed as part of ongoing supervision.
Talk to us to see how we can help you to ensure that you have appropriate protections and controls in place and to help you meet the new regulations when they come into force.
Have a happy, safe and secure 2020
Week in review 29 December 2019 Round up of the most significant open source stories of the last week
Black Arrow Cyber Security review of top open source news articles for week ending 29 December 2019: 10 biggest hacks of the decade, biggest malware threats, MI6 floorplans lost, Citrix vulnerabilities, popular chat app actually spying tool, jobs in infosec
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Consulting would like to wish everyone a happy, prosperous, and cyber safe, 2020
A bit of a quiet week, as one would expect with the Christmas festivities. As it is the end of the year, and indeed the end of a decade, there are lots of round-ups of the last year and the last decade, and plenty of predictions for what 2020 will hold (we suspect more bad stuff: more ransomware, more devious and nasty strains of it, and more breaches). In that vein, on to our first story:
The 10 biggest data hacks of the decade
This article comes from CNBC in the US and whilst the content is US centric a lot of people on this side of the Atlantic would have been caught up in a lot of these breaches too.
Since 2010, data breaches have exposed over 38 billion records, and there have been at least 40,650 data hacks in this time. And while many were smaller data breaches, there were a few mega hacks that will likely remain records for years to come.
Amongst the biggest breaches are:
Under Armour (MyFitnessPal), from March 2018 with 143.6 million records hacked
Equifax from September 2017 with 147 million records hacked
Marriott (Starwood) from November 2018 with 383 million records hacked
Veeam from September 2018 with 445 million records hacked
Yahoo! from September and December 2016 with up to 3 billion records hacked
There have been many other breaches affecting other companies, such as WhatsApp and Fortnite, which have reported security flaws in the past year that could have exposed millions of customers’ data, but the extent of the data accessed has not yet been fully ascertained.
Read the full article here: https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html
Live visualisations of the World’s Biggest Data Breaches and Hacks can be found here: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Biggest Malware Threats of 2019
2019 was another banner year for bots, trojans, RATs and ransomware. Let’s take a look back.
One in five computer users was subject to at least one malware-class web attack in 2019. This past year cities such as New Orleans were under ransomware siege by the likes of Ryuk. Zero-day vulnerabilities were also in no short supply, with targets such as Google Chrome (Operation WizardOpium).
Threatpost have taken a look back over their coverage from the last 12 months.
The Remote Desktop Protocol vulnerabilities BlueKeep, and then DejaBlue, allowed unauthenticated remote attackers to take complete control of targeted endpoints. The fear that BlueKeep’s wormable potential could mimic WannaCry forced Microsoft’s hand to patch systems as old as Windows XP and Windows 2000.
This past year had its fair share of zero-day vulnerabilities. One of the most prominent was Urgent/11, a set of 11 remote code execution vulnerabilities in the real-time OS VxWorks. Because VxWorks is used in so many critical infrastructure devices, the U.S. Food and Drug Administration took the unusual step of releasing a warning urging admins to patch.
We were warned last year when mitigating against Meltdown and Spectre that we would face more side-channel related CPU flaws in the future. And this year we did, with variants ranging from ZombieLoad to Bounds Check Bypass Store, Netspectre and NetCAT. For 2020? Expect even more variants, say experts.
2019 was the year ransomware criminals turned their attention away from consumers and started focusing on big targets such as hospitals, municipalities and schools. There was the Ryuk attack against New Orleans, Maze ransomware behind Pensacola attack and rash of attacks against hospitals that resulted in some care facilities turning patients away.
Botnets continued to be a key tool in cyber attacks in 2019. This past year saw the return of the notorious Emotet botnet. Crooks behind Trickbot partnered with the banking trojan cyber criminals behind IcedID and Ursnif. Lastly, Echobot, an IoT botnet, cast a wider net in 2019 with a raft of exploit additions.
Perhaps the highest-profile cryptominer attack occurred in May when researchers found 50,000 servers were infected for over four months as part of a high-profile cryptojacking campaign featuring the malware Nansh0u. The past year also saw a new XMRig-based cryptominer called Norman emerge, which stood apart because of its clever ability to go undetected.
Even though the target is smaller, mobile devices offer criminals top-tier data. Not only are APTs shifting their focus to mobile, but so are garden-variety crooks. Take, for example, the Anubis mobile banking trojan, which only goes into action after it senses the targeted device is in motion. Then there was the Instagram-initiated campaign using the Gustuff Android mobile banking trojan that rolled out in October.
Google’s Project Zero, in August, reported 14 iOS vulnerabilities that had been exploited in the wild since September 2016. According to Google’s Threat Analysis Group (TAG), the flaws could allow malware to easily steal messages, photos and GPS coordinates. These flaws made up five exploit chains in a watering hole attack that had lasted years. Google said the malware payload used in the attack was a custom job, built for monitoring.
In May, researchers uncovered a unique Linux-based malware dubbed HiddenWasp that targeted systems to remotely control them. The malware is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.
Discussing malware without touching on business email compromise-based attacks would be like talking about the New England Patriots without mentioning Tom Brady. Fake Greta Thunberg emails were used to lure victims into downloading Emotet malware. Of course, the Swedish climate-change activist was just one of the lures; in 2018 such scams numbered 351,000, with losses exceeding $2.7 billion.
Read the original article here: https://threatpost.com/biggest-malware-threats-of-2019/151423/
7 types of virus – a short glossary of contemporary cyberbadness
Technically, this article is about malware in general, not about viruses in particular.
These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use.
But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.
So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.
Read the full article here: https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/
MI6 floor plans lost by building contractor
Floor plans of MI6's central London headquarters were lost by building contractors during a refurbishment.
The documents, most of which were recovered inside the building, held sensitive information on the layout, including entry and exit points.
Balfour Beatty, the company working on the refurbishment at the headquarters in Vauxhall, is reportedly no longer working on the project.
The Foreign Office said it did not comment on intelligence matters.
The documents, which went missing a few weeks ago, were produced and owned by Balfour Beatty and designed to be used for the refurbishment.
The contractor kept the plans on the site at Vauxhall Cross in a secure location.
BBC security correspondent Gordon Corera said the missing plans were not classified or intelligence documents, but the pages did hold sensitive details.
Most, but not all, of the documents were recovered inside the building after it was noticed they were missing, he said.
Balfour Beatty said it could not comment because of sensitivities.
The incident, first reported by the Sun newspaper, is reportedly a result of carelessness, rather than any hostile activity.
Read the original article here: https://www.bbc.co.uk/news/uk-50927854
Citrix vulnerability allowed criminals to hack 80,000 companies
Researchers have found a vulnerability in popular enterprise software offerings from Citrix which puts tens of thousands of companies at risk of cyber attack.
A security researcher uncovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), which allows direct access to a company network from the internet.
According to a report on the flaw, around 80,000 companies in 158 countries around the world could be at risk. Most companies are located in the US, with the UK, Germany, the Netherlands and Australia sharing a significant portion.
Read the full article here: http://www.itproportal.com/news/citrix-vulnerability-allows-criminals-to-hack-80000-companies
Popular chat app ToTok is actually a spying tool of UAE government – report
A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a New York Times report.
The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, the Times reported, citing US officials familiar with a classified intelligence assessment and the newspaper’s own investigation.
The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media has been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.
The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a US-allied federation of seven sheikhdoms on the Arabian peninsula. Government surveillance in the Emirates is prolific, and the Emirates has long been suspected of using so-called “zero day” exploits to target human rights activists and others. Zero-day exploits can be expensive to obtain on the black market because they represent software vulnerabilities for which fixes have yet to be developed.
The Times described ToTok as a way to give the government free access to personal information, as millions of users are willingly downloading and installing the app on their phones and unknowingly giving permission to enable features.
As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.
Read the full article here: https://www.theguardian.com/world/2019/dec/23/totok-popular-chat-app-spying-tool-uae-government
Jobs in Information Security (InfoSec)
For anyone considering a career in cyber or information security (infosec) there is a useful article detailing different roles and different potential areas of work in this field.
We also run a free mentoring program for anyone either looking to move into cyber security or currently in a cyber security role wanting to progress their careers. Contact us for more information.
Read the article here: https://medium.com/bugbountywriteup/jobs-in-information-security-infosec-93a5efc12ca2
Black Arrow Cyber Tip Tuesday - Christmas Eve 2019 - Christmas Giving
Welcome to a special Christmas Eve 2019 Black Arrow Cyber Tip Tuesday.
Christmas is a time for giving so we thought it would be an ideal time to mention the services we give free of charge to help protect Guernsey and the local community.
Mentoring: if you are looking to start or progress your career in cyber security, you could be eligible for our mentoring program consisting of a rolling series of one to one meetings to see where our experience and guidance can help you.
Free 30 minute chats for Startups and Entrepreneurs: a free 30 minute consultation for new startups and entrepreneurs to help ensure they are getting the fundamentals of cyber security in place to protect their growing business.
Free pro bono advisory services for charities and non-profits: we are giving one day every month to support those that support our communities in Guernsey, to help them protect themselves, using where possible, or where appropriate, low or no cost solutions.
Black Arrow Cyber Consulting wishes everyone a Happy Christmas and a safe, secure and prosperous 2020
Happy Christmas
Black Arrow Cyber Consulting would like to wish everyone a very Happy Christmas! Whilst enjoying the festivities, just bear in mind that the bad guys don’t stop, and cyber attacks typically increase around this time of year.
Week in review 22 December 2019 - ransomware changes, Christmas scams, Microsoft Office apps hit, predictions for 2020
Round up of the most significant open source stories of the last week
Black Arrow Cyber Consulting would like to wish customers old and new a Very Happy Christmas and a happy, prosperous, and cyber safe, 2020
Christmas malware spreading fast: Protect yourself now
Holiday party invitations may infect your PC
It's time for ugly Christmas sweaters — and for ugly Christmas-themed malicious spam emails.
A new malspam campaign dumps an email in your inbox marked "Christmas Party," "Christmas Party next week," "Party menu," "Holiday schedule" or something similar. But the attached Word document delivers a lump of coal: the notorious Emotet Trojan malware.
"HAPPY HOLIDAYS," begins the email, as spotted by researchers. "I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know.
"Don't forget to get your donations in for the money tree," the email adds. "Also, wear your tackiest/ugliest Christmas sweater to the party." Sometimes it adds, "Details in the attachment."
More here: https://www.tomsguide.com/news/ugly-christmas-emails-give-the-gift-of-malware
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.
The cyber criminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.
“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”
Researchers were able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.
The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.
As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.
Read the full article here: https://securityboulevard.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
Ransomware: The number of victims paying up is on the rise, and that's bad news
The number of organisations that are giving into the extortion demands of cyber criminals after falling victim to ransomware attacks has more than doubled this year.
A rise in the number of ransomware attacks in the past year has contributed to the increased number of organisations opting to pay a ransom for the safe return of networks locked down by file-encrypting malware.
That's according to figures in the newly released 2019 CrowdStrike Global Security Attitude Survey, which said the total number of organisations around the world that pay the ransom after falling victim to a supply-chain attack has more than doubled, from 14% of victims to 39% of those affected.
In the UK specifically, the number of organisations that have experienced a ransomware attack and paid the demanded price for the decryption key stands at 28% – double the 14% figure of the previous year.
Read the full article here: https://www.zdnet.com/article/ransomware-the-number-of-victims-paying-up-is-on-the-rise-and-thats-bad-news/
Microsoft Office apps hit with more cyber attacks than ever
New reports have claimed Microsoft Office was the most commonly exploited application worldwide as of the third quarter of this year.
Researchers found that Microsoft Office solutions and applications were the target of exactly 72.85 percent of cyber exploits this year.
However, cyber criminals also targeted web browsers with 13.47 percent of the total number of exploits, Android (9.09 percent), Java (2.36 percent), and Adobe Flash (1.57 percent).
Read the full article here: https://www.techradar.com/uk/news/microsoft-office-apps-hit-with-more-cyberattacks-than-ever
Inconsistent password advice could increase risk of cyber attacks
New research suggests that ‘inconsistent and misleading’ password meters seen on various websites could increase the risk of cyber attacks.
The study, led by researchers at the University of Plymouth, investigated the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.
It tested 16 passwords against the various meters, with 10 of them being ranked among the world’s most commonly used passwords (including ‘password’ and ‘123456’).
Of the 10 explicitly weak passwords, only five of them were consistently scored as such by all the password meters, while ‘Password1!’ performed far better than it should do and was even rated strongly by three of the meters.
However, the team at Plymouth said one positive finding was that a browser-generated password was consistently rated strong, meaning users can seemingly trust these features to do a good job.
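The inconsistency the Plymouth study describes is easy to reproduce: a meter that only checks length and character classes has no way to tell 'Password1!' from a genuinely random string. The following is an added example (not the study's or any vendor's code; the common-password list is a constructed stand-in for the breach-derived lists a real meter would load) contrasting such a composition-rule meter with one that first strips the decorations people add to a dictionary word.

```python
import re

# Constructed stand-in for a "most commonly used passwords" list; a real meter
# would load a large breach-derived list (assumption, not from the study).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "iloveyou", "admin", "football"}

# Substitutions people use to dress up a dictionary word (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s",
                      "4": "a", "1": "l"})


def naive_meter(pw: str) -> int:
    """Composition-rule meter of the kind the study found inconsistent.

    Scores 0-4 purely on length and character classes, so 'Password1!'
    gets full marks even though it is a decorated dictionary word.
    """
    score = 0
    if len(pw) >= 8:
        score += 1
    if re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"\d", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    return score


def candidates(pw: str) -> set:
    """Forms of the password that a dictionary check should try.

    Lower-cased, with leading/trailing digits and symbols stripped, and with
    common letter substitutions undone.
    """
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def pattern_aware_meter(pw: str) -> int:
    """Same composition score, but 0 if the core of the password is a
    well-known password, however it has been decorated."""
    if any(form in COMMON_PASSWORDS for form in candidates(pw)):
        return 0
    return naive_meter(pw)


def compare(passwords):
    """Return {password: (naive_score, pattern_aware_score)} for a batch."""
    return {pw: (naive_meter(pw), pattern_aware_meter(pw)) for pw in passwords}


if __name__ == "__main__":
    # 'xK7#pQ9v$Lm2wZ4r' is a constructed example of a browser-generated
    # password; both meters should rate it strongly.
    for pw, (naive, aware) in compare(
            ["password", "123456", "Password1!", "P@ssw0rd", "xK7#pQ9v$Lm2wZ4r"]).items():
        print(f"{pw:20s} naive={naive}  pattern_aware={aware}")
```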
Cyber security predictions for 2020: 45 industry experts have their say
Cyber security is a fast-moving industry, and with a new decade dawning, the next year promises new challenges for enterprises, security professionals and workers. But what predictions do experts have for cybersecurity in 2020?
Verdict.co.uk heard from 45 experts across the field of cybersecurity about their predictions for 2020, from new methods and targets to changing regulation and business practices.
Read the full list of predictions here: https://www.verdict.co.uk/cybersecurity-predictions-2020/
This ‘grab-bag’ hacking attack drops six different types of malware in one go
'Hornet's Nest' campaign delivers a variety of malware that could create a nightmare for organisations that fall victim to attacks, warn researchers.
A high-volume hacking campaign is targeting organisations around the world with attacks that deliver a 'grab-bag' of malware that includes information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer.
Uncovered by researchers at Deep Instinct, the combination of the volume of attacks with the number of different malware families has led to the campaign being named 'Hornet's Nest'.
The attacks are suspected to be offered as part of a cybercrime-as-a-service operation with those behind the initial dropper, which researchers have dubbed Legion Loader, leasing out their services to other criminals.
Clues in the code point to the Legion Loader being written by a Russian-speaker – and researchers note that the malware is still being worked on and updated. Attacks using the loader appear to be focused on targets in the United States and Europe.
Read the full article here: https://www.zdnet.com/article/this-grab-bag-hacking-attack-drops-six-different-types-of-malware-in-one-go/
Tiny band of fraud police left to deal with third of all crime
Only one in 200 police officers is dedicated to investigating fraud despite it accounting for more than a third of all crimes, The Times revealed.
Most forces have less than half of 1 per cent of their officers allocated to fraud cases and some have none at all, according to figures disclosed under the Freedom of Information Act. In some areas the number of officers tackling fraud has fallen significantly.
Amid a surge in online and cold-calling scams, there were 3.8 million incidents of fraud last year, more than a third of all crimes in England and Wales. Victims are increasingly targeted online and can lose their life savings. However, as few as one in 50 fraud reports leads to a “judicial outcome” such as a suspect being charged.
Last night police bosses said the failure to investigate the cases was due to budget cuts and “poor government direction” and the situation had become a national emergency. Boris Johnson has pledged to “make the streets safer” by recruiting an extra 20,000 police officers but there are concerns that victims of fraud will continue to be failed.
Read the original article here: https://www.thetimes.co.uk/article/less-than-1-of-police-officers-target-fraud-kf6d37qfz
IT worker with a grudge jailed for cyber attack that shut down network for 12 hours
A contractor with a grudge over the handling of an incident in Benidorm has been jailed for carrying out a revenge cyber attack. Scott Burns, 27, was unhappy with the way a disciplinary matter against him by Jet2 was dealt with, so decided to cause harm. The attack led to the company’s computer network being shut down for 12 hours, and it was only thanks to a fast-thinking colleague that a ‘complete disaster’ was avoided. Burns’s attack cost the company £165,000 in lost business, Leeds Crown Court was told. Jailing Burns for 10 months, Judge Andrew Stubbs QC heard how the motive was revenge because Burns was unhappy about how Jet2 dealt with a disciplinary matter against him relating to an incident at a ‘roadshow in Benidorm’ in 2017. No further details of the incident were outlined in court.
Read more here: https://metro.co.uk/2019/12/20/worker-grudge-jailed-cyber-attack-shut-network-12-hours-11937687/
30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world
In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels.
Ransomware has been one of the most prolific cyber threats facing the world throughout 2019, and it's unlikely to stop being a menace any time soon.
Organisations from businesses and schools to entire city administrations have fallen victim to network-encrypting malware attacks that are now demanding hundreds of thousands of dollars in bitcoin or other cryptocurrency for the safe return of the files.
While law enforcement recommends that victims don't give into the demands of cyber criminals and pay the ransom, many opt to pay hundreds of thousands of dollars because they view it as the quickest and easiest means of restoring their network. That means some of the criminal groups operating ransomware campaigns in 2019 are making millions of dollars.
But what is now one of the major cyber scourges in the world today started with much more humble origins in December 1989 with a campaign by one man that would ultimately influence some of the biggest cyber attacks in the world thirty years later.
The first instance of what we now know as ransomware was called the AIDS Trojan because of who it was targeting – delegates who'd attended the World Health Organization AIDS conference in Stockholm in 1989.
Attendees were sent floppy discs containing malicious code that installed itself onto MS-DOS systems and counted the number of the times the machine was booted. When the machine was booted for the 90th time, the trojan hid all the directories and encrypted the names of all the files on the drive, making it unusable.
Victims saw instead a note claiming to be from 'PC Cyborg Corporation' which said their software lease had expired and that they needed to send $189 by post to an address in Panama in order to regain access to their system.
It was a ransom demand for payment in order for the victim to regain access to their computer.
Read the full article here: https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/
Welcome to this week's Black Arrow Cyber Tip Tuesday. This week - how ransomware is evolving and how it is getting even more important for firms and individuals to take this threat seriously
Welcome to this week's Black Arrow Cyber Tip Tuesday.
This week we are talking about the ways that ransomware attacks are changing and getting even more nasty, and how firms and individuals will need to strengthen their approach to protecting themselves.
Traditionally the main defence against ransomware was having backups of your data, so that you could revert to a good copy if you got infected. Now, though, criminals are going after your backup data too, especially if those backups are stored on your networks, so it is now even more critical to have offline copies of your data that cannot themselves be infected.
The other significant development seen recently is now not only are criminals holding your data to ransom they are also now threatening to release your confidential data to the public.
Many firms will not survive the damage caused to their reputation if customers and investors see their private and confidential data is available for the world to see.
The only way to defend against this is to avoid being a victim in the first place, and this includes the principle of defence in depth using multiple layers of protection and different controls.
Talk to us today to ensure you are doing all the things you should be doing to keep yourself safe from ransomware.
Week in review 15 December 2019: New Nasty Ransomware Tactics, New Intel chip vulnerabilities, Malware sees Growth in 2019, Phishing Tricks
Ransomware: Cybercriminals are adding a new twist to their demands
Ransomware could be getting even nastier: a security firm is warning over a new trend among some ransomware attackers to not just encrypt data, but steal some of it and use it as leverage to ensure a target pays up.
In several recent cases it has been reported that ransomware gangs have not just encrypted data but also threatened to leak it. These attacks elevate the ransomware threat "to crisis level", and organisations should work to immediately improve their security, as resorting to backups, the usual best defence against ransomware, won’t protect firms.
Read the full article here: https://www.zdnet.com/article/ransomware-cybercriminals-are-adding-a-new-twist-to-their-demands/
New ransomware attacks target your NAS devices, backup storage
Sticking with ransomware for a minute, the number of ransomware strains targeting NAS and backup storage devices is also growing, with users "unprepared" for the threat, researchers say.
Ransomware comes in many forms and guises. The malware variant is popular with cybercriminals and is used in attacks against the enterprise, critical services -- including hospitals and utilities -- and individuals.
Once deployed on a system, the malware will usually encrypt files or full drives, issue its victim with a ransom note, and demand payment in return for a way to decrypt and restore access to locked content.
If backup devices themselves are being specifically targeted in attacks, then they cannot be relied upon for recovery. This emphasises the requirement for firms to keep offline copies of backups, so that the backup copies cannot themselves fall victim to ransomware.
If the only backups a firm has are connected to a network and backing up in real time, it is increasingly unlikely the firm will be able to depend on those backups to get its business back on its feet.
More here: https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/
New Plundervolt attack impacts Intel CPUs
Academics from three universities across Europe have this week disclosed a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs.
The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs.
Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave.
They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software.
Intel desktop, server, and mobile CPUs are impacted, including:
Intel® 6th, 7th, 8th, 9th & 10th generation Core™ processors
Intel® Xeon® Processor E3 v5 & v6
Intel® Xeon® Processor E-2100 & E-2200 families
Intel has released microcode (CPU firmware) and BIOS updates to address the Plundervolt attack.
More here: https://www.zdnet.com/article/new-plundervolt-attack-impacts-intel-cpus/
The phishing tricks that break through standard email filters
Some phishing emails are easy to spot: the spelling is bad, the spoofed email is clearly a fake, and the images are too warped to have possibly been sent by a reputable brand. If you receive one of these low-quality phishing emails, you’re lucky. Today’s phishing emails are extremely sophisticated, and if you’re not well trained to spot one, you probably won’t.
Email filters have long relied on fingerprint and reputation-based threat detection to block phishing emails. A fingerprint is essentially all the evidence a phisher leaves behind -- a signature that, once identified, will be recognized on future phishing attempts and the phishing email or webpage blocked. Examples of a fingerprint include the header, subject line, and HTML.
Reputation refers to phishing URLs and IPs or domains where phishing emails and webpages originate. An IP or domain that is identified as a sender or host for phishing emails and webpages is, like the fingerprint example above, identified and then blacklisted. The same goes for the phishing URL.
Fingerprint and reputation checks were once a tried and true method of stopping phishing, but hackers have developed new techniques to get around these now outdated methods.
Read more here: https://betanews.com/2019/12/12/phishing-tricks/
Malware variety sees major growth in 2019
New research from security firm Kaspersky has revealed that malware variety grew by 13.7 percent in 2019 and the cybersecurity firm attributes this growth to a rise in web skimmers.
According to the Kaspersky Security Bulletin 2019, the number of unique malicious objects detected by the company's web antivirus solution increased by an eighth compared to last year, to reach over 24m, due to a 187 percent increase in web skimmer files.
Kaspersky also found that other threats such as backdoors and banking Trojans grew while the presence of cryptocurrency miners dropped by more than half.
These trends demonstrate a shift in the type of threats employed by cybercriminals who are constantly searching for more effective ways to target users online.
Read the original article here: https://www.techradar.com/uk/news/malware-variety-sees-major-growth-in-2019
Adobe patches 17 critical code execution bugs in Photoshop, Reader, Brackets
Adobe's December security release includes fixes for 17 critical vulnerabilities in software that could be exploited to trigger arbitrary code execution.
As part of the software vendor's standard security schedule, vulnerabilities have been patched in Photoshop, Reader, Brackets, and ColdFusion.
Firms using any of these products should update them as soon as possible to mitigate these newly announced vulnerabilities.
The Vulnerability used in Equifax breach is the top network attack in Q3 of 2019
Network security and intelligence company WatchGuard Technologies has released its internet security report for the third quarter of 2019 showing the most popular network attacks.
Apache Struts vulnerabilities -- including one used in the devastating Equifax data breach which tops the list -- appeared for the first time on WatchGuard's list. The report also highlights a major rise in zero day malware detections, increasing use of Microsoft Office exploits and legitimate penetration testing tools, and more.
More details here: https://betanews.com/2019/12/11/equifax-vulnerability-top-network-attack/
Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis
There's been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between Amazon and law enforcement. News reports this week are raising a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, to take over the devices and get up to all sorts of invasive shenanigans.
More on Wired here: https://www.wired.com/story/ring-hacks-exemplify-iot-security-crisis/
Cyber Tip Tuesday 10 December 2019 - Bruce talks about why charities need to think about cyber risk
This week’s Tip Tuesday focuses on Charities and how cyber security affects them.
Charities can be an attractive target for cyber criminals who want to access charities' information or funds.
Unfortunately, charities often do not have the expertise to establish good cyber hygiene, but they still need to operate in the same connected world as commercial organisations with larger budgets.
If a charity experiences an attack, then ultimately it is the wider community that suffers.
That is why charities need to take appropriate steps to secure themselves against a cyber-attack.
Fortunately, many of the things that charities will benefit from doing can be achieved with little or no cost, and Black Arrow also provides pro bono advisory services to charities in Guernsey to show how this can be done.
Week in review 08 December 2019: 5,183 breaches in first nine months of 2019, 44 million Microsoft customers found using compromised passwords, US charges Russians over hacking attacks
Week in review 08 December 2019: 5,183 breaches in first nine months of 2019, 44 million Microsoft customers found using compromised passwords, US charges Russians over hacking attacks, VPN vulnerabilities, ransomware attacks on network storage devices, Europol take down counterfeit websites, reward offered for Russian hackers largest yet
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
5,183 breaches in first nine months of 2019 exposed 7.9b data records
As many as 7.9 billion data records were leaked, stolen or exposed as a result of 5,183 data breaches that took place in the first nine months of 2019, making it the worst year ever for data breaches.
This alarming statistic was revealed by security firm Risk Based Security which observed that based on recent trends, the number of breached data records could touch 8.5 billion by the end of the year.
The firm also noted that the total number of data breaches worldwide rose by 33.3 percent compared to the mid-year of 2018 and the number of records breached also rose by 112 percent. As many as 3.1 million data records were breached as a result of six data breach incidents that took place between 1 July and 30 September.
The majority of data records were exposed or leaked as a result of accidental exposure of data on the internet by organisations. The fact that hackers are quite willing to take advantage of such data exposure has also led to a rise in the number of breached records.
44 million Microsoft customers found using compromised passwords
Microsoft's identity threat researchers have revealed that 44 million of its users are still using passwords that have previously been compromised in past data breaches.
The 44 million weak accounts comprised both Microsoft Services Accounts (regular users) and Azure AD accounts, suggesting businesses are not adopting proper password hygiene.
A total of three billion user credentials were checked in a database populated from numerous sources including law enforcement and public databases.
Using the data set of three billion credentials, Microsoft was able to identify the number of users who were reusing credentials across multiple online services.
Microsoft forced a password reset for all of those users who were found to have leaked credentials during the scan which took place between January and March 2019.
Evil Corp: US charges Russians over hacking attacks
US authorities have filed charges against two Russian nationals alleged to be running a global cyber crime organisation named Evil Corp.
An indictment named Maksim Yakubets and Igor Turashev - who remain at large - as figures in a group which used malware to steal millions of dollars in more than 40 countries.
Those affected by the hacks include schools and religious organisations. It is also alleged that Mr Yakubets worked for Russian intelligence.
The attacks are said to be amongst the worst computer hacking and bank fraud schemes of the past decade. The $5m reward being offered for information leading to their arrest and prosecution is the largest yet for catching cyber criminals.
Thursday's indictment came after a multi-year investigation by the US and British law enforcement agencies.
Authorities allege that the group stole at least $100m (£76m) using Bugat malware - known as Dridex.
The malware was spread through so-called "phishing" campaigns, which encouraged victims to click on malicious links sent by email from supposedly trusted entities.
Once a computer was infected, the group stole personal banking information which was used to transfer funds.
A network of money launderers - targeted by the NCA and Britain's Metropolitan Police - were then utilised to funnel the criminal proceeds to members of Evil Corp. Eight members of this network have been sentenced to a total of over 40 years in prison.
New ransomware attacks target your NAS devices, backup storage
New ransomware that targets Network Attached Storage devices and other backup devices has surged in recent months with many users unprepared for the increased level of threat.
As with all ransomware paying the ransom is no guarantee of getting data back and should only ever be an absolute last resort.
With networked and backup storage devices falling victim to ransomware infections, this emphasises the need for firms to keep offline copies of backups. Backups that are disconnected from systems cannot themselves be corrupted or fall victim to ransomware, and would therefore be a firm’s best bet for recovering from such an attack.
https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/
New vulnerability lets attackers sniff or hijack VPN connections
Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections. OpenVPN, WireGuard, and IKEv2/IPSec VPNs are all vulnerable to attacks.
The vulnerability -- tracked as CVE-2019-14899 -- resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.
According to the research team, attackers can use this vulnerability to probe devices and discover various details about the user's VPN connection status.
Whilst this vulnerability affects Linux, Android, macOS and other Unix-based operating systems, it is not currently believed to affect Windows-based systems.
https://www.zdnet.com/article/new-vulnerability-lets-attackers-sniff-or-hijack-vpn-connections/
Newly discovered Mac malware uses “fileless” technique to remain stealthy
Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.
In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.
In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.
Europol seizes more than 30,000 counterfeit sites on Cyber Monday
Europol has taken down more than 30,000 different web domains which allowed cyber criminals to sell counterfeit and pirated items online.
The joint operation between 18 member states and the US National Intellectual Property Rights Coordination Centre, with help from Eurojust and INTERPOL, included the seizure of articles such as fake medicines, pirated movies, music and software, and counterfeit electronics.
In addition, officials identified and froze more than €150 000 (£128,000) in several bank accounts and online payment platforms.
As a result of the coordinated operation, codenamed IOS X (In Our Sites), three arrests have been made and 26,000 "luxury products" have been seized along with the swathe of illicit websites.
The IOS campaign, launched in 2014, is one that Europol has grown in strength year-on-year, and aims to "make the internet a safer place for consumers by recruiting more countries and private sector partners to participate in the operation and providing referrals".
Our latest Black Arrow Cyber Tip Tuesday video is now live. In this week's episode: "Cyber lessons we can learn from the Titanic, and why brakes needed to be added to cars"
Welcome to this week's Black Arrow cyber tip Tuesday, this week we are talking about lessons we can learn from the Titanic.
Cyber security is a lot like the Titanic: people often ignore warnings until it's too late. The day the Titanic sank the crew received seven iceberg warnings, yet such was the competition to make the crossing in six days that orders were given to maintain the speed of the ship.
They thought they could ignore the warnings and steamed on ahead in the mistaken belief they would be unaffected.
Now, if they'd heeded the warnings and slowed down they would have stood a better chance of avoiding the icebergs, and in particular the iceberg that led to their sinking.
That's not to say good security means you need to slow down. Not wishing to mix my metaphors, but brakes were not added to cars to make them go slower; brakes needed to be added to cars to allow them to go faster.
So don't necessarily slow down, but don't ignore the warnings, and don't believe that somehow you will remain safe as you steer your own ships through a sea that is unfortunately filled with icebergs.
Week in review 01 December 2019: staff susceptible to phishing, businesses fail to implement IT disaster plans, ransomware unlikely to go away, the most notable cyber events of the last 10 years
A summary of the top cyber news from the last week and how they relate to business and individuals in Guernsey and the CI. This week: staff members susceptible to phishing attacks, businesses failing to implement IT disaster plans, ransomware unlikely to go away when chance of being caught is so slim, the most notable cyber events of the last 10 years, authorities take down remote access trojan.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nearly half of workers have clicked on a phishing email
New research released this week has revealed that almost a quarter of businesses have fallen victim to a phishing attack.
A survey of 714 people working in businesses across the US discovered that many organizations are not taking the proper measures to protect themselves from phishing attacks including employee training and the implementation of two-factor authentication.
Of those surveyed, only 64 percent said they currently use a two-factor authentication system to help protect their organization's data. This means that over one third of organizations are potentially leaving themselves exposed to phishing attacks.
Some phishing schemes, such as spear phishing, target specific members of staff within an organisation and this is typically accomplished through social engineering.
In order to combat these phishing scams, firms should ensure they provide staff with suitable social engineering training.
https://www.techradar.com/news/nearly-half-of-workers-have-clicked-on-a-phishing-email
Phishing emails are still managing to catch everyone out
Staying with Phishing, another article this week points out that workers are still finding it too hard to spot phishing emails, with nearly three-quarters of companies seeing staff hand over passwords when tested by a security company.
A security consultancy tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities. It found that employees at 71% of these businesses handed over access credentials when targeted with phishing attacks by penetration testers -- up from 63% last year.
In 20% of cases, login details were shared by more than half of employees, compared to just 10% last year.
The firm doing the research carried out 623 penetration tests across the US, Europe and the UK, aiming to simulate a range of cyberattacks to assess how well companies were able to cope with them.
Weak passwords and insecure internal procedures, such as improper file-access restrictions and a lack of staff training, along with using out-of-date software, were the three most common vulnerabilities discovered during the tests.
The original article can be found here: https://www.zdnet.com/article/phishing-emails-are-still-managing-to-catch-everyone-out/
Many UK businesses have no IT disaster recovery plan
A disaster recovery plan, a set of steps designed to help a business get back on its feet as soon as possible after an incident, is not something many UK businesses have.
A survey of 1,125 IT workers came to the conclusion that a quarter of SMEs don’t have such a plan set up, which equates to “gambling with the continuity of business”.
The report stresses that four fifths of all businesses that suffered a major incident failed within a year and a half.
Among businesses that do have a disaster recovery plan, more than half (54 per cent) don’t regularly test it, and a third have never tested it at all. A small portion of the firms don’t have automated backups set up, either.
“The message to business leaders is get a DR plan in place and test, test, test!”
https://www.itproportal.com/news/many-uk-businesses-have-no-it-disaster-recovery-plan/
Ransomware: Big paydays and little chance of getting caught means boom time for crooks
Ransomware will continue to plague organisations in 2020 because there's little risk of the cyber criminals behind the network-encrypting malware attacks getting caught: for them there's only a small amount of risk, but a potentially large reward.
During the last year, there have been many examples of ransomware attacks where victims have given in to the extortion demands of the attackers, often paying hundreds of thousands of dollars in bitcoin in exchange for the safe return of their networks.
In many cases, the victims will pay the ransom because it's seen as the quickest – and cheapest – means of restoring the network.
The full article can be found here: https://www.zdnet.com/article/ransomware-big-paydays-and-little-chance-of-getting-caught-means-boom-time-for-crooks/
A decade of hacking: The most notable cyber-security events of the 2010s
The 2010s decade is drawing to a close and ZDNet have taken a look back at the most important cyber-security events that have taken place during the past ten years.
There have been monstrous data breaches, years of prolific hacktivism, plenty of nation-state cyber-espionage operations, almost non-stop financially-motivated cybercrime, and destructive malware that has rendered systems unusable.
Read the full article for the full list here:
Authorities take down 'Imminent Monitor' RAT malware operation
Law enforcement agencies from all over the world announced this week that they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.
According to a press release from Europol, the operation had two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.
The second stage took place earlier this week, when authorities took down the IM-RAT website, its backend servers, and arrested the malware's author and 13 of the tool's most prolific users.
Europol reported arrests in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.
Authorities also served search warrants at 85 locations and seized 430 devices they believed were used to spread the malware.
The UK National Crime Agency (NCA) took credit for a good chunk of the bounty, with 21 search warrants, nine arrests, and more than 100 seized devices.
More here: https://www.zdnet.com/article/authorities-take-down-imminent-monitor-rat-malware-operation/
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.
Tip Tuesday - Defensible vs Indefensible positions for firms that have not done all they could to defend against an attack
In today's 'Tip Tuesday' we're talking about firms being in a defensible vs an indefensible position in the event they suffer a significant breach. A firm that has taken cyber security seriously and has done all it could, and yet still ended up the victim of a breach, possibly at the hands of a sophisticated and well resourced nation state level attacker, is in a far more defensible position than a firm that has not done all it could, or all that could reasonably be expected of a diligent firm. A firm that has been breached by an unsophisticated attacker, or has otherwise left itself open to attack, will have a much harder time defending its actions to affected customers, shareholders, authorities and regulators. Talk to us today to see how we can help you ensure you will be in a more defensible position.
Week in review 24 November 2019: data leak from Cayman National Bank in IOM, WhatsApp users urged to update, Social Engineering explainer, tricks hackers use to hijack mail, cyber top Board priority
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Leaker Claims to Have Published 2TB of Data From Cayman National Bank
The biggest story this week affecting the offshore finance world is news that 2TB of data (equivalent to 620,000 photographs, and photos are normally much larger than Word documents, so conceivably millions of Word documents) from the Isle of Man branches of the Cayman National Bank and Cayman National Trust has been published.
A pseudonymous Twitter account called Distributed Denial of Secrets (a play on the distributed denial-of-service attacks that can bring down even the largest websites) said that it was releasing "copies of the servers of Cayman National Bank and Trust." The account has also claimed to have released more information over the last few days and to have upgraded its servers to cope with traffic spikes.
https://www.tomshardware.com/news/cayman-islands-national-bank-hack-2tb
Whatsapp Users Urged To Update App Immediately Over Spying Fears
Users of WhatsApp, the popular cross-platform messaging app, have been urged this week to address fears that their devices could be used to spy on them thanks to a major security vulnerability:
Social Engineering: The Insider Threat to Cybersecurity
SecurityBoulevard has an interesting piece this week with a useful explainer on Social Engineering and Social Engineering Prevention that is worth a read if this is not an area you are familiar with.
https://securityboulevard.com/2019/11/social-engineering-the-insider-threat-to-cybersecurity/
These are the tricks hackers are using to hijack your email
TechRadar has a piece on Business Email Compromise (BEC), which is a significant risk to all firms but especially to financial services firms, and which has affected firms in the offshore finance world, with some firms locally having experienced losses running to hundreds of thousands.
Most BEC attacks take place on weekdays and during business hours to maximise effectiveness and normally only target small numbers of users.
Read the full article here: https://www.techradar.com/uk/news/these-are-the-tricks-hackers-are-using-to-hijack-your-email
Cyber security becoming top priority in the boardroom, say industry leaders
It looks like cyber is becoming more of a priority in Boardrooms according to a report from the London Business summit by PortSwigger.net.
In Guernsey cyber is getting a lot more focus with the recent Cyber Thematic review carried out by the GFSC, the findings presented to industry in the last couple of weeks, and new regulations coming into effect last year. The GFSC have made it clear to firms that this is a Board-level issue and that Boards need to start being able to take an educated and informed approach to cyber and to what their firms are doing to protect themselves against the risks they face.
Mystery surrounds leak of four billion user records
Threat researchers recently uncovered four billion user records on a wide-open Elasticsearch server, but who left them there is a mystery.
Different datasets contained, among other things, data on 1.5 billion unique individuals, a billion personal email addresses including work emails for millions of decision makers in Canada, the UK and the US, 420 million LinkedIn URLs, a billion Facebook URLs and IDs, over 400 million phone numbers and 200 million valid US mobile phone numbers. The second dataset contained scraped data from LinkedIn profiles, including information on recruiters.
The actual source of this data is shrouded in mystery but so much data on so many people means it is highly likely there will be records leaked relating to individuals and businesses in Guernsey and the other Channel Islands.
https://www.computerweekly.com/news/252474411/Mystery-surrounds-leak-of-four-billion-user-records
110 Nursing Homes Cut Off from Health Records in Ransomware Attack
Looking at healthcare but showing the impact ransomware can have on any and all sectors, a ransomware outbreak in the US has affected an IT company that provides cloud data hosting, security and access management to more than 100 nursing homes over there. The ongoing attack is preventing these care centres from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.
OnePlus Data Breach: What you need to know about customer hack
Mobile phone manufacturer and direct to market seller OnePlus sent an email this week notifying affected customers that their order information had been obtained by an unauthorised third-party.
The company informed customers that name, contact number, email and shipping addresses may have been exposed, but the firm prefaced this by telling them that payment information as well as their account passwords were not obtained during the intrusion.
Anyone in the Bailiwick who has recently purchased a device from OnePlus should be alert to anyone impersonating OnePlus in trying to obtain further information or trying to sell products or services.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.
Our first 'Tip Tuesday' - All firms need to take cyber security seriously and often the things that cost the least can be the things that do the most to protect you and your business
All firms need to take cyber security seriously and often the things that cost the least can be the things that do the most to protect you and your business. Contact us for more details.
Week in review 17 November 2019: phishing targeting webmail, insider threats, how ransomware strikes, cyber skills shortages
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Phishing Increasingly Targets SaaS, Webmail
How can companies protect their sensitive data and prevent employees from falling prey to phishing attacks?
In today’s digital age, virtually every organisation must wage a cybersecurity battle to protect its data. Winning this battle requires engaging security experts, securing assets, strengthening authentication and educating users.
According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, 1st Quarter 2019, phishing of software-as-a-service (SaaS) and webmail services has surpassed phishing of payment services for the first time. SaaS and webmail are now the most-targeted sectors, suffering 36% of phishing attacks (compared to 27% for payment services). The report emphasizes that usernames and passwords are not enough to protect against phishing and underscores the need for strong authentication.
Phishing, one of the most prevalent types of cybersecurity attacks, attempts to steal user credentials and corporate data via users’ email inboxes. Hackers posing as legitimate businesses send e-mails with links that lead unsuspecting users to bogus websites. The hackers’ goal is to deceive recipients into revealing usernames and passwords, which allow them to gain access to private company data.
Read the full article here: https://securityboulevard.com/2019/11/phishing-increasingly-targets-saas-webmail/
Insider Threats, a Cybercriminal Favourite, Not Easy to Mitigate
Rogue employees — not just external threat groups — pose a formidable threat to incident response teams.
Insider threats are an ongoing top danger for companies — but when it comes to mitigation efforts, incident-response teams face an array of challenges.
Discussions with various incident-response teams revealed that between 25 and 30 percent of data breaches involved an external actor working with an internal person in an organisation, according to a senior security architect with OpenText.
"We used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it's because they bribed them or blackmailed them."
Read the full article here: https://threatpost.com/insider-threats-cybercriminal-favorite/150128/
How ransomware attacks
More than a decade after it first emerged, is the world any closer to stopping ransomware?
Judging from the growing toll of large organisations caught out by what has become the weapon of choice for so many criminals, it’s tempting to conclude not.
The problem for defenders, as documented in SophosLabs’ new report How Ransomware Attacks, is that although almost all ransomware uses the same trick – encrypting files or entire disks and extorting a ransom for their safe return – how it evades defences to reach data keeps evolving.
This means that a static analysis technique that stops a strain of ransomware today may not stop an evolved counterpart in just a few weeks' time. This creates a major challenge for organisations and security companies alike.
As the growing number of high-profile ransomware attacks reminds us, sugar coating the issue would be deluded – ransomware has grown as an industry because it works for the people who use it, which means it beats the defences of victims often enough to deliver a significant revenue stream.
For the full article click here: https://nakedsecurity.sophos.com/2019/11/15/how-ransomware-attacks/
To go straight to the Sophos report click here: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf
Cybersecurity Skills Shortage Tops Four Million
Global IT security skills shortages have now surpassed four million, according to (ISC)2.
The certifications organization compiled its latest Cybersecurity Workforce Study from interviews with over 3200 security professionals around the world.
The number of unfilled positions now stands at 4.07 million professionals, up from 2.93 million this time last year. This includes 561,000 in North America and a staggering 2.6 million shortfall in APAC.
The shortage of skilled workers in the industry in Europe has soared by more than 100% over the same period, from 142,000 to 291,000.
The report estimated the current global workforce at 2.93 million, including 289,000 in the UK and 805,000 in the US.
Nearly two-thirds (65%) of responding organizations reported a shortage of cybersecurity staff, with a lack of skilled or experienced security personnel their number one workplace concern (36%).
Read the full article here: https://www.infosecurity-magazine.com/news/cybersecurity-skills-shortage-tops/
Week in review 10 November 2019: less than half of firms ready to deal with cyber attacks, ransomware authors seeking to avoid detection, reluctance in adopting 2FA, Cloud backup options, Cisco vulns
Round up of the most significant open source stories of the last week
Under half of organisations are fully prepared to deal with cyberattacks
Only 49% of CISOs and other senior executives are fully confident that their organisation could deal with the fallout of a hacking incident or data breach right now, and most think the threat from cyberattacks will get worse.
Under half of organisations believe they're fully ready to respond to a cyberattack or data breach -- despite most senior executives and chief information security officers (CISOs) believing that the threats posed by hacking and other malicious cyber incidents will escalate in 2020 and beyond.
The Cyber Trendscape 2020 report from cybersecurity company FireEye sheds light on how CISOs across the world are feeling about the current cyber threat landscape. The study found that just under half (49%) believe their organisation is fully ready to face a cyberattack or a data breach.
Read the full article from ZDNet here: https://www.zdnet.com/article/cybersecurity-under-half-of-organisations-believe-theyre-fully-prepared-to-deal-with-cyber-attacks/
Ransomware authors seeking new ways to avoid being spotted
Sector analysis from Sophos has revealed some insight into how malware authors are adapting to thwart cyber security controls.
With ransomware now hitting huge numbers of targets every day, the potential for its authors to get rich quick has never been higher.
However, ransomware has one Achilles heel – encrypting data is a time-consuming process limited by the processing power of the victim's CPU, and this means ransomware authors must be alert to the importance of optimising their attacks and avoiding detection for as long as possible.
In recent months cyber criminals appear to be taking a keen interest in how network and endpoint security products detect and block malicious activity.
Many have also found that it is much easier to change a ransomware strain's appearance by obfuscating its code than to change its overall behaviour, as they seek ways to elude defences.
Read the full article on ComputerWeekly here: https://www.computerweekly.com/news/252473457/Ransomware-authors-seeking-new-ways-to-avoid-being-spotted
Why The Reluctance In Adopting MFA?
Many organisations are sadly still not using multi-factor authentication (MFA) to protect against password based attacks.
An article on informationsecuritybuzz seeks to explain the reluctance in firms adopting this measure.
Read the full article here: https://www.informationsecuritybuzz.com/articles/why-the-reluctance-in-adopting-mfa/
Morrisons will face 'big number' over data breach
The final stage of group action against Morrisons was being held in the UK Supreme Court on Thursday last week, on behalf of 9,000 claimants seeking compensation over a massive data breach.
Barristers acting on behalf of the claimants stated that Morrisons would face a ‘big number’ if it is found vicariously liable for the data breach, but damages would not be ‘disproportionate’.
More details on the case and the events leading up to the jail sentence for the internal auditor at Morrisons who leaked the data in the first place can be found here: https://www.lawgazette.co.uk/news/morrisons-will-face-big-number-over-data-breach/5102095.article
What are 3 cloud backup security guidelines against cyberattacks?
Cloud security is a top concern for IT. As a result, keeping cloud backups secure should be a priority. Here are three straightforward guidelines to help.
Cloud backup security best practices aren't too different from those of on-premises backups. Especially with cyber threats a constant presence in IT, it is important to practice defence in depth, just as you would for backups residing on premises.
For the full list of different cloud backup strategies read the original article here: https://searchdatabackup.techtarget.com/answer/What-are-3-cloud-backup-security-guidelines-against-cyberattacks
Ring Flaw Underscores Impact of IoT Vulnerabilities
A vulnerability in Amazon’s Ring Video Doorbell Pro IoT device could have allowed a nearby attacker to imitate a disconnected device and then sniff the credentials of the wireless networks when the owner reconfigured the device, according to a report issued by security firm Bitdefender.
The issue, which was fixed by Amazon in September, underscores the impact of a single insecure Internet-of-Things device on the organization in which it is deployed. While the vulnerability may only occur in a single network device, the result of the flaw could be leaked information — the wireless network password, for example — which would have far more serious repercussions.
"IoT is a security disaster, any way you look at it," according to Bitdefender's chief security researcher. "Security is not the strong suit of IoT vendors – only rarely do we see vendors who take security seriously."
The discovery of a serious vulnerability in a popular IoT product comes as businesses and consumers increasingly worry about the impact that such devices may have on their own security. Only about half of security teams have a response plan in place to deal with attacks on connected devices. Even critical-infrastructure firms, such as utilities that have to deal with connected operational technology, a widespread class of Internet-of-Things devices, are ill-prepared to deal with vulnerabilities and attacks, the report says.
Vulnerabilities in IoT devices can have serious repercussions. In July, a team of researchers found widespread flaws in the networking software deployed in as many as 200 million embedded devices and found millions more that could be impacted by a variant of the issue in other real-time operating systems.
You can find the original article here: https://www.darkreading.com/iot/ring-flaw-underscores-impact-of-iot-vulnerabilities/d/d-id/1336304
Cisco fixes small business routers, kills eavesdropping vulnerability in conferencing devices
Cisco has released security updates for a variety of its products – owners of Small Business RV Series Routers, Web Security Appliances and TelePresence devices should pay extra attention.
Several series of Cisco Small Business RV Series Routers are vulnerable to remote code execution and command injection.
Owners of Cisco Web Security Appliances (WSA) should also check whether they should implement an update. A vulnerability in the appliance’s web management interface could allow an authenticated, remote attacker to perform an unauthorised system reset.
Cisco TelePresence Collaboration Endpoint and RoomOS Audio have several flaws, including a medium-risk eavesdropping vulnerability that could allow an authenticated, local attacker to enable the microphone of an affected voice and video conferencing device to record audio without notifying users.
More here: https://www.helpnetsecurity.com/2019/11/08/cisco-fixes-small-business-routers/
Scammers favour malicious URLs over attachments in email phishing attacks
Emails containing malicious URLs made up 88 percent of all messages with malware-infested links and attachments, underscoring the dominance of URL-based email threats.
The findings — disclosed in cybersecurity firm Proofpoint’s quarterly threat report for the month ending September — reveal the evolving sophistication of social engineering attacks targeting users and organizations.
Email-based threats are among the oldest, most pervasive, and widespread cybersecurity threats hitting organizations worldwide. From massive malware campaigns targeting millions of recipients with banking Trojans to carefully crafted email fraud, the email threat landscape is extremely diverse, creating a wide range of opportunities for threat actors to attack organisations.
Some other key trends to note are the prevalence of sextortion campaigns, and the notable absence of Emotet botnet spam and ransomware attacks propagated via malicious emails.
Ransomware is still a threat but with rapidly dropping cryptocurrency valuations, threat actors are having a harder time monetizing their ransomware campaigns. Instead they are turning to ‘quieter’ infections with banking Trojans and downloaders that can potentially sit on infected machines for extended periods, collecting data, mining cryptocurrency, sending spam, and more.
Read the original article here: https://thenextweb.com/security/2019/11/08/scammers-favor-malicious-urls-over-attachments-in-email-phishing/
PayPal Surpasses Microsoft as Favourite Target of Phishing Attacks
PayPal has now overtaken Microsoft to become the favourite target of phishing campaigns, according to a recent report.
While phishers still target Microsoft and its Office 365, the number of campaigns against PayPal jumped almost 70% in the year up to the third quarter while campaigns against Microsoft increased at a slower pace.
The interest in PayPal, which has 286 million active user accounts, is easy to understand, as compromising credentials usually pays off quickly. Most people have attached credit cards or at least have cards linked to the PayPal account, so a thief can transfer funds quickly.
The full article can be found here: https://securityboulevard.com/2019/11/paypal-surpasses-microsoft-as-favorite-target-of-phishing-attacks/
This is the impact of a data breach on enterprise share prices
NB: This article is US-centric, but it includes some useful research and figures, and the fallout from a breach in terms of stock prices will be very similar for listed firms in the UK.
When news of a data breach breaks at a major organization, the aftermath can be chaotic.
Executives will offer their apologies and the promise of free credit monitoring to those impacted; staff may be issued their marching orders; cybersecurity teams need to be pulled in and systems repaired, law enforcement must be notified, and questions posed potentially by both regulators and consumers must be answered.
It is often the case that lawsuits will also be filed. These may come from regulators such as the US Federal Trade Commission (FTC) or they may be class-action complaints brought forward on behalf of impacted consumers.
Marriott was sued hours after disclosing a data breach in a class-action lawsuit seeking $12.5 billion. A seven-year class-action complaint concerning Zappos was recently settled, in which lawyers claimed $1.6 million -- and impacted customers were promised 10 percent discounts.
Individuals who had their data stolen due to Yahoo's data breach can claim $358 or more, and in the case of Equifax, a fund has been set up to compensate consumers.
IBM research suggests that the average cost of a data breach to the enterprise is up to $3.29 million, which has risen by 12 percent over the past five years.
Penalties, compensation claims, the cost of cyberforensics and system overhauls all contribute. However, businesses can also experience a swift and brutal shock caused by the impact of a data breach on their share price.
A drop in stock value can indicate broken investor trust and be caused by cybersecurity incidents, especially when they reveal a lack of adequate care or security practices.
On Wednesday, Comparitech published the results of an updated study into how Wall Street can react to an enterprise company that suffers a data breach.
The organization compared the closing prices of 28 companies listed on the New York Stock Exchange (NYSE) starting the day prior to disclosing a data breach, and what happened afterward.
Many of the enterprise players included in the study involved breaches of at least one million records, and some were breached more than once. In total, 33 separate security incidents were analyzed.
According to the team, the average share price of a company disclosing a data breach falls by 7.27 percent, but the full impact may not be felt until 14 market days or more have passed. Measured against the NASDAQ, the underperformance is roughly -4.18 percent.
Breached companies continue to underperform 12 months after disclosure. While their share prices grew by 8.38 percent on average, they underperformed the NASDAQ by -6.49 percent. Two years later, stock prices had risen by approximately 12.78 percent, but the underperformance against the NASDAQ had widened to -13.27 percent.
Read the full article on zdnet here: https://www.zdnet.com/article/this-is-how-a-data-breach-at-your-company-can-hit-share-prices/
Week in review 03 November 2019: Norsk Hydro insurance payout falls short, breaches from October 2019, businesses stung by Office 365 voicemail scam, Google Chrome flaw exploited in the wild
Round up of the most significant open source stories of the last week
Insurance Pays Out a Sliver of Norsk Hydro’s Cyberattack Damages
The company received $3.6 million in cyber insurance – out of $71 million incurred in damages after a massive March cyberattack.
On the heels of a severe cyberattack, aluminum giant Norsk Hydro has received only $3.6 million in cyber-insurance – just a fraction of the total costs in damage.
Overall, the Oslo, Norway-based company incurred between $60 million and $71 million in damages from the incident, which forced it to shut down or isolate several plants and send several more into manual mode. While Norsk Hydro said it expects further compensation from its lead cyber insurer, AIG, the payment received so far covers only 6 percent of the total damages.
“The cyberattack on Hydro on March 19 affected the entire global organization, with Extruded Solutions having suffered the most significant operational challenges and financial losses,” according to Norsk Hydro’s 2019 third-quarter report. “The financial impact of the cyberattack is estimated to around NOK 550-650 million [$60 to 70 million USD] in the first half year with limited financial effects for the third quarter. Hydro has a robust cyber-insurance in place with recognized insurers. Hydro has recognized NOK 33 million [$3.6 million USD] insurance compensation in the third quarter.”
Full article on ThreatPost here: https://threatpost.com/insurance-pays-norsk-hydro-cyberattack-damages/149707/
List of data breaches and cyber attacks in October 2019 – 421 million records breached
In a month where security experts across Europe were boosting awareness of cyber security, organisations had mixed results in their own data protection practices.
On the one hand, the 421,103,896 data records that were confirmed to have been breached in October represents about 50% of the monthly average.
But on the other hand, there were a staggering 111 incidents, including several in which sensitive and financial information was compromised.
It was also a particularly bad month for the UK, with 9 confirmed breaches.
Full list here: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-october-2019
Businesses stung by highly convincing Office 365 voicemail scam
Cyber criminals are stealing the login credentials of Microsoft Office 365 users using a phishing campaign that tricks victims into believing they've been left voicemail messages.
In the last few weeks, there's been a surge in the number of employees being sent malicious emails that allege they have a missed call and voicemail message, along with a request to login to their Microsoft accounts.
The phishing emails also contain an HTML file, which varies slightly from victim to victim, but the most recent messages observed include a genuine audio recording, researchers with McAfee Labs have discovered.
Full article on ITPro here: https://www.itpro.co.uk/phishing/34723/businesses-stung-by-highly-convincing-office-365-voicemail-scam
Phishing is no longer limited to email only.
Phishing is a much wider issue than originally thought, Akamai claims in its latest report. In it, it also details which companies are most at risk of phishing attacks, as well as the various techniques that hackers use to try and breach these companies’ security systems.
Phishing, and increasingly phishing as a service (PaaS), is a method in which an attacker impersonates a legitimate person or company and asks for personal information. Usually it is done through email, but Akamai claims that attackers are also leveraging social media and SMS channels.
Hackers were mostly targeting the high technology industry, Akamai claims, saying it analysed 6,035 domains and identified 120 kit variations in the industry. The second most-targeted industry was financial services, with 3,658 domains and 83 kit variants used, followed by e-commerce as third.
Microsoft, PayPal, DHL, and Dropbox were the top targeted brands. Microsoft took up 21.88 per cent of total domains, followed by PayPal with 9.37 per cent, DHL with 8.79 per cent and Dropbox with 2.59 per cent.
Phishing is a long-term problem that will have adversaries continuously going after consumers and businesses alike until personalised awareness training programs and layered defence techniques are put in place.
As businesses improve their defences, hackers look to new and creative solutions. Thus, Akamai says, most of the phishing kits were active 20 days or less, in order to avoid being spotted.
Via: https://www.itproportal.com/news/these-are-the-companies-most-at-risk-of-phishing-attacks/
More info here: https://www.akamai.com/us/en/about/news/press/2019-press/state-of-the-internet-security-phishing-baiting-the-hook.jsp
Google Discloses Chrome Flaw Exploited in the Wild
Google is warning users of a high-severity vulnerability in its Chrome browser that is currently being exploited by attackers to hijack computers.
The flaw (CVE-2019-13720), discovered by security researchers at Kaspersky, exists in Google Chrome’s audio component. Google is urging users to update to the latest version of Chrome, 78.0.3904.87 (for Windows, Mac, and Linux) as soon as possible.
According to the alert, this updated version addresses vulnerabilities that an attacker could exploit to take control of an affected system, and the vulnerability was detected in exploits in the wild.
More from ThreatPost here: https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/
Keeping up with the evolving ransomware security landscape
Cybercrime is ever-evolving, and is consistently becoming more effective and damaging. While the range of attack vectors available to malicious actors is vast, ransomware remains one of the most prolific forms of cybercrime and has held on to its top spot as the leading cyber threat this year.
Hardly a day goes by without reports of another high-profile incident, with large companies and government organisations (particularly in education and healthcare) often at the receiving end – due to weak, legacy infrastructure and poor operational security. Of course, it was also responsible for some of the most damaging attacks ever – with the infamous WannaCry and NotPetya strains that hit headlines in 2017.
As ransomware attacks continue to become more sophisticated, it has never been more important for businesses of all sizes to take a proactive approach to cybersecurity. While this can feel like a seemingly impossible task when you take into consideration the variety of forms and methods of entry that ransomware can take, businesses can ensure they’re adequately protected by reviewing their existing security strategy and ensuring they have adopted a layered approach.
Read the full article on HelpNetSecurity here: https://www.helpnetsecurity.com/2019/11/01/ransomware-security-landscape/
The nastiest ransomware, phishing and botnets of 2019
Vendor Webroot released its annual Nastiest Malware list, shedding light on 2019’s worst cybersecurity threats. From ransomware strains and cryptomining campaigns that delivered the most attack payloads to phishing attacks that wreaked the most havoc, it’s clear that cyber threats across the board are becoming more advanced and difficult to detect.
Full article here: https://www.helpnetsecurity.com/2019/10/30/nastiest-malware-2019/
The scariest hacks and vulnerabilities of 2019
Yes, this is one of those end-of-year summaries. And it's a long one, since 2019 has been a disaster in terms of cyber-security news, with one or more major stories breaking on a weekly basis.
See the full summary for the past 10 months of security disasters, organized by month here: https://www.zdnet.com/article/the-scariest-hacks-and-vulnerabilities-of-2019/
One in five IT workers doesn't know what a cyberattack is
A survey of over 1,000 IT workers, carried out by technology services provider Probrand reveals that more than one in five (21 percent) don't actually know what constitutes a 'cyberattack'.
Used as a catch-all term, 'cyberattack' can cover everything from a simple phishing email right across to a large-scale server attack. However, many IT workers have never seen, or don't understand, what the real detail of an attack actually looks like.
Almost half (43 percent) of those surveyed admit to being unaware of how to defend their company from a cyberattack, with one in three (32 percent) relying on external agencies for crisis support.
"The term, 'cyberattack' is firmly set in business vocabulary, and rightly so as cyber threats present the greatest risk of crisis to most organizations," Matt Royle, marketing director at Probrand says. "However, it is worrying to discover many do not know the details of what a threat looks like, so have little chance of protecting themselves from it."
In addition, the study finds that only just over one in ten (12 percent) of respondents say they know what their company's business continuity plan fully constitutes.
"Where no IT team exists, business leaders are exposed to threats without knowledge of how to protect themselves. Where IT teams do exist, managers are hampered by end user issues, lack of budget or time to truly focus on IT strategy, which includes security," adds Royle. "Business leaders need to take another look at prioritizing investment in people, technology and employee training to combat cyber security and protect the continuity of their business."
This article originally appeared on BetaNews: https://betanews.com/2019/11/01/workers-lack-cyberattack-knowledge/
Week in review 27 October 2019: gang posing as Russian Government hackers is extorting financial service companies, ransomware & mobile malware to surge in 2020, younger staff pose security risk
Round up of the most significant open source stories of the last week
A criminal gang posing as Russian Government hackers is extorting companies in the financial services sector
Fake "Fancy Bear" group is demanding money from companies in the financial sector, threatening DDoS attacks
For the past week, a group of criminals has been launching DDoS attacks against companies in the financial sector and demanding ransom payments while posing as "Fancy Bear," the infamous hacking group associated with the Russian government, known for hacking the White House in 2014 and the DNC in 2016.
The group is launching large scale, multi-vector demo DDoS attacks when sending victims the ransom letter and demanding ransom payments of 2 bitcoin, which is about $15,000 at today's exchange rate.
Full article here: https://www.zdnet.com/article/a-ddos-gang-is-extorting-businesses-posing-as-russian-government-hackers/
Ransomware, Mobile Malware Attacks to Surge in 2020
Targeted ransomware, mobile malware and other attacks will surge, while companies will adopt AI, better cloud security and cyber insurance to help defend and protect against them.
Cyber threats like targeted ransomware, mobile malware and sophisticated phishing attacks will escalate in 2020, researchers warn.
However, defences like artificial intelligence (AI), cyber insurance and faster security response will also increase, helping defend companies against imminent threats, according to new predictions by Check Point Software.
Check Point outlined “key security and related trends” it expects to see in 2020 in a blog post Wednesday, including a series of technology trends that can both be used to attack systems and mitigate against threats. Some of the predictions are for technologies that have already both surged in popularity and increased in sophistication this year, including targeted ransomware and phishing attacks that go beyond email.
Read the full article on ThreatPost here: https://threatpost.com/ransomware-mobile-malware-attacks-to-surge-in-2020/149539/
Mobile malware may be the greatest security threat around
BlackBerry uncovers new mobile threats and actors targeting various industries
Mobile malware is more prevalent and popular than first thought, and researchers are only now learning just how much it is in use for surveillance and espionage campaigns. In reality, there are many active actors and advanced persistent threats we never knew existed.
BlackBerry's new report, called Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform, says the company's researchers identified three new advanced persistent threat campaigns, originating mostly in China, Iran, North Korea and Vietnam, which leveraged mobile malware in combination with desktop malware.
The end goal is cyber-espionage and intelligence gathering, mostly for economic and political objectives.
Full article here: https://www.itproportal.com/news/mobile-malware-may-be-the-greatest-security-threat-around/
Phishing attacks are a complex problem that requires layered solutions
Most cyber attacks start with a social engineering attempt and, more often than not, it takes the form of a phishing email.
It’s easy to understand the popularity of phishing as an attack vector of choice: phishing campaigns are relatively inexpensive (money and time-wise), yet are often very successful. Attackers don’t need to create or buy technical exploits that may or may not work – instead, they exploit what they can always count on: users’ emotions, fears, desires, and the fact that, despite knowing better, it only takes a moment of inattention to make a mistake.
Cybercriminals play on users’ expectations of trust in email communications, and the human instinct – despite training and warnings to the contrary – to click on malicious links, give away credentials or even install malware and ransomware on endpoint devices. The reality is that people are always soft targets, and social engineering and phishing attacks are outpacing legacy technologies and training-only solutions.
More info here: https://www.helpnetsecurity.com/2019/10/24/phishing-attacks-solutions/
Younger workers could be putting your security at risk
They're bigger risk takers and aren't as security-conscious as their older colleagues.
One might think that the younger generation, those that have grown up surrounded by technology, would be more conscious about the dangers lurking in the internet's depths, and would have adopted cybersecurity best practices from an early age.
The truth is quite different, at least according to NTT's new report about cybersecurity in the workplace. The report says that employees over the age of 30 generally score better when it comes to securing their data and services, compared to those below the age of 30.
The argument is that the older generation has spent more time at the office and has thus acquired “digital DNA”.
Read the full article here: https://www.itproportal.com/news/younger-workers-could-be-putting-your-security-at-risk/
More Companies Adopt Multi Factor Authentication (MFA), but It’s Still Not Enough
Organisations face ever-increasing threats, and password security is paramount. But employees don’t usually use robust password protocols or multi-factor authentication to secure valuable information.
A survey from LogMeIn, which makes the LastPass password manager, shows that the number of companies adopting a multi-factor authentication (MFA) solution is on the rise, with 57% of businesses choosing MFA in 2018, compared with 45% in 2017.
94% of employees chose a smartphone for MFA, while only 4% opted for a hardware-based solution and just 1% wanted biometrics. The trend is set by the abundant availability of smartphones, as opposed to the rest of the options.
Although MFA is used widely, it’s not uniformly distributed across the globe, with some countries leading the change, a few of them by considerable margins. First place is occupied by Denmark, with a 46% adoption rate, followed by the Netherlands with 41% and Switzerland with 38%. The United States is somewhere in the middle, with 28% adoption. Last place is taken by Italy, with only 20%.
More here: https://securityboulevard.com/2019/10/more-companies-adopt-mfa-but-its-still-not-enough/
Amazon’s AWS Hit by DDoS Attack – Google Cloud Issues Unrelated
Google Cloud also faced issues in a separate incident
AWS was hit by a sustained DDoS attack earlier this week, which appears to have lasted some eight hours. The incident hit several different services and raises many questions about the nature of the attack and about AWS’s own DDoS mitigation service, “Shield Advanced”.
Google Cloud Platform (GCP) had a range of issues at a similar time. The two are not understood to be linked. In a status update GCP cited interruptions to multiple different Google cloud services at a similar time although a Google spokesperson stated the service disruptions were unrelated to any kind of DDoS attempt.
Motive doesn't matter: The three types of insider threats
In information security, outside threats can get the lion's share of attention. Insider threats to data security, though, can be more dangerous and harder to detect because they are strengthened by enhanced knowledge and/or access.
Not only is it vital, therefore, to distinguish and prepare for insider threats, but it is just as vital to distinguish between different types of insider threats. A lot has been written about the different profiles for insider threats and inside attackers, but most pundits in this area focus on insider motive. Motive, however, doesn't matter. A threat is a threat, a breach is a breach. A vulnerability that can be exploited by one party for profit can be exploited by another for pleasure, by another for country, and so on. Instead of analyzing motives and reasons, it is far more useful to compare insider threats by action and intent.
Insider threats come in three flavors:
Compromised users,
Malicious users, and
Careless users.
Get the full breakdown of the three types here: https://betanews.com/2019/10/21/3-types-of-insider-threats/
Week in review 20 October 2019: password-cracking techniques used by hackers, lack of security training leaves firms open to attack, ransomware expected to dominate 2020, Interpol BEC campaign
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
The top ten password-cracking techniques used by hackers
Think your passwords are secure? Think again
Understanding the password-cracking techniques hackers use to blow your online accounts wide open is a great way to ensure it never happens to you.
You will certainly always need to change your password, and sometimes more urgently than you think, but mitigating against theft is a great way to stay on top of your account security. You can always head to www.haveibeenpwned.com to check if you're at risk but simply thinking your password is secure enough to not be hacked into, is a bad mindset to have.
So, to help you understand just how hackers get your passwords – secure or otherwise – we've put together a list of the top ten password-cracking techniques used by hackers. Some of the below methods are certainly outdated, but that doesn't mean they aren't still being used. Read carefully and learn what to mitigate against.
More here: https://www.itpro.co.uk/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Lack of IT security training leaving businesses open to data breaches
Even security departments could use extra classes, new report suggests.
When it comes to the workforce – everyone needs a little extra IT education, even those working in IT departments. This is according to a new report, which concludes that there’s still a lot to do to eliminate the ever-present skills shortage. It also says that there is a sea of difference between the faith businesses have in their cybersecurity solutions, and the general awareness of how secure they really are.
The report says that 61 per cent of organisations would love to see their workforce trained more in cybersecurity awareness, but also – two fifths would love to get some of that training for their software development teams, as well. Just less than a third (29 per cent) believe the same is required – for their IT operations team.
Full article here https://www.itproportal.com/news/lack-of-it-security-training-leaving-businesses-open-to-data-breaches/
Ransomware predicted to continue to dominate cybercrime in 2020
Security teams acting as ‘first responders’ for cyberattacks get an interesting perspective on cybersecurity – both in terms of exactly what attacks are really hitting organisations and how they affect them, and in terms of understanding the motivations of those launching the attacks. Overwhelmingly, the attacks these teams see are intended to extort or steal money. These teams believe that the threats we will see in 2020 will not be very different from those we already know all too well. While these teams occasionally deal with advanced new threats, these are always massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
Full article: https://www.techradar.com/uk/news/ransomware-to-dominate-cybercrime-in-2020
The Top 10 Ransomware Types Hitting Businesses in 2019
The ransomware landscape in 2019 has remained alarmingly lively, with hackers continuing to see value in targeting enterprises, public bodies and governments – sometimes with targeted, sometimes with spray-and-pray approaches. Now, analysis by New Zealand-based anti-malware firm Emsisoft of 230,000 incidents between April 1 and September 30, 2019 reveals the top 10 ransomware strains to look out for.
1 STOP (DJVU)
The STOP ransomware strain, also known as DJVU, has been submitted to the ID Ransomware tool over 75,000 times, which represents only a sliver of the systems it may have affected worldwide.
STOP affects the systems of home users and can easily be picked up by downloading insecure files from torrent sites. Once the infection begins, the STOP malware uses AES-256 encryption to lock the system's files, followed by a payment demand issued to the user. It is by far the most common submission to ID Ransomware, accounting for 56 percent of all submissions.
2 Dharma
The Dharma variant will not only lock a system, but will instruct the victim to contact a specific email address where they are expected to negotiate the release of their files. Dharma is a cryptovirus which is pushed onto systems via malicious download links and email hyperlinks.
Operating in the threat landscape since 2016, Dharma is part of the .cezar family. It mainly targets enterprises. Dharma accounted for 12 percent of submissions.
3 Phobos
Phobos, either named after the Martian moon or its namesake the Greek god of fear, is a ransomware variant that makes up 8.9 percent of all submissions.
It is mainly spread via exploitation of insufficiently secured Remote Desktop Protocol ports. Phobos has been seen in the wild attacking corporations and public bodies indiscriminately. In a similar manner to Dharma, this ransomware locks your files and then requests that you contact the attacker directly to negotiate their release.
4 GlobeImposter
GlobeImposter makes up 6.5 percent of all submissions to the ID Ransomware tool. GlobeImposter is the next evolution of previous strains of the variant. What makes it different is that it uses AES-256 cryptography to encrypt a victim’s files before it issues a bitcoin payment demand.
5 REvil
REvil, also known as Sodinokibi, was first discovered in 2019, and security researchers believe that it was developed by the same threat actors who created GandCrab.
Emsisoft notes that Sodinokibi is seen as a “Ransomware-as-a-service that relies on affiliates to distribute and market the ransomware. It is extremely evasive and uses advanced techniques to avoid being detected by security software.”
The attack vectors for this variant include exploiting a vulnerability in Oracle WebLogic and more traditional methods such as phishing campaigns. It makes up 4.5 percent of submissions.
Figure: countries most affected by ransomware (credit: Emsisoft)
6 GandCrab
According to Europol the GandCrab ransomware variant has infected nearly half a million victim systems since it was first detected at the start of 2018. It accounts for 3.6 percent of submissions.
The GandCrab virus infects and encrypts all the files within a user’s system. Originally the ransomware was distributed via exploit kits such as RIG EK and GrandSoft EK. Cybersecurity company Bitdefender has created a useful decryption tool to help mitigate GandCrab lock-outs.
7 Magniber
Magniber has been around in one form or another since 2013, but it still accounts for 3.3 percent of submissions.
Cybersecurity firm Malwarebytes has been tracking this variant for some time and noticed that it is continually evolving. Of one of the latest versions, they state: “Each file is encrypted with a unique key—the same plaintext gives a different ciphertext. The encrypted content has no patterns visible. That suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode).”
8 Scarab
The Scarab ransomware was first discovered in June 2017. The malicious software uses the encryption algorithms AES-256 and RSA-2048 to lock the files on a targeted system. It makes up 2.0 percent of submissions.
Cyber security firm Symantec notes that: “Many of Scarab’s campaigns focus on distributing the group’s custom malware (Trojan.Scieron and Trojan.Scieron.B) through emails with malicious attachments. These files contain exploits that take advantage of older vulnerabilities that are already patched by vendors. If the attackers successfully compromise the victims’ computers, then they use a basic back door threat called Trojan.Scieron to drop Trojan.Scieron.B onto the computer.”
9 Rapid
Rapid accounts for 1.8 percent of submissions. It is ransomware that acts as a Trojan horse, encrypting files and then demanding a ransom.
Rapid burst onto the scene in 2018. When it infects a system it removes all of the Windows shadow volume copies, stops all database processes and takes automatic repair offline. Once files are encrypted it, like the others, issues a ransom demand.
10 Troldesh
Troldesh, also known as Shade, accounts for 1.4 percent of submissions. Troldesh is a Trojan horse that locks files on a system via encryption. The malware has been around since 2014, but is still used in many active ransomware campaigns.
Malwarebytes followed one such campaign and noted that: “Spread by malspam—specifically malicious email attachments. The attachments are usually zip files presented to the receiver as something he “has to” open quickly. The extracted zip is a Javascript that downloads the malicious payload (aka the ransomware itself). The payload is often hosted on sites with a compromised Content Management System (CMS).”
Original article here: https://www.cbronline.com/news/ransomware-2019
Interpol new campaign to raise awareness of Business Email Compromise (BEC) urges public #BECareful of BEC Fraud
THE HAGUE, The Netherlands – What would you do if you received an email from your company’s CEO asking you to make an urgent payment?
What if a long-time supplier asked you to send all future payments to a new account at a different bank?
Would you immediately make the payment or change the banking details? Or would you first double-check through a different channel that the requests were genuine?
If you would make the payment, you just might become the next victim of a growing type of fraud – business email compromise, or BEC fraud.
Through a new public awareness campaign launched today, INTERPOL is encouraging the public to #BECareful about BEC fraud and know the warning signs to avoid falling into the criminals’ trap.
Full article here: https://www.interpol.int/News-and-Events/News/2019/INTERPOL-urges-public-to-BECareful-of-BEC-fraud
'Sextortion botnet spreads 30,000 emails an hour’
A large-scale “sextortion” campaign is making use of a network of more than 450,000 hijacked computers to send aggressive emails, researchers have warned.
The emails threaten to release compromising photographs of the recipient unless $800 (£628) is paid in Bitcoin.
And they contain personal information - such as the recipient’s password - probably gathered from existing data breaches, to specifically target more than 27 million potential victims at a rate of 30,000 per hour.
While analysis suggests a small fraction of targets have fallen for the ploy, one expert said such botnets still offered a great “return on investment” for cyber-criminals.
Read more here: https://www.bbc.co.uk/news/technology-50065713
Fraud attacks see huge rise in 2019
In just half a year, fraud attacks against business-to-consumer (B2C) organisations have increased 63 per cent, according to a new global report by RSA.
The digital risk management experts claim that in the first half of 2019, we’ve had 140,344 fraud attempts made against B2C organisations of all sizes. Just half a year ago, in the second half of 2018, that number stood at 86,344.
The newest trend among fraudsters seems to be mobile apps, as the report claims that fraud attacks originating from mobile apps rose by 191 per cent, hitting a total of 57,000.
Most of the malicious actors try to evade detection by using “new” devices. The share of these devices (known to RSA for less than 90 days) increased from 20 per cent to 80 per cent.
Financial malware also rose significantly in the same time period, growing 80 per cent in the first half of the year. Most of the time, fraudsters are using a modified version of the old Ramnit Banking Trojan, RSA says. It is used mostly to circumvent defences, as they distribute it via executable files downloaded and opened by unsuspecting victims.
Read the original article on ITProPortal here: https://www.itproportal.com/news/fraud-attacks-see-huge-rise-in-2019/
Smart home devices are being hit with millions of attacks
Hackers aim to build a botnet of smart devices, and poor security practices are allowing this.
Hackers want to hijack smart home devices to create large botnets and use them, for example, to launch powerful DDoS attacks.
According to a new report by Kaspersky, the number of attacks against smart home devices increased sevenfold compared to the same period last year.
In the first half of 2018, Kaspersky tracked 12 million attacks, originating from 69,000 unique IP addresses. A year later, the same company tracked 105 million attacks, coming from 276,000 IP addresses.
Kaspersky claims the attacks aren’t sophisticated, and they’re rarely done to destroy the device. Instead, hackers are trying extra hard not to be noticed, so the users may not even realise their devices are being exploited. Most of the time, hackers employ Mirai to build the botnet. Other notable mentions are Nyadrop and Gafgyt.
Sources of infection mostly originate from China, but Brazil, Egypt and Japan are also on the list.
https://www.itproportal.com/news/smart-home-devices-are-being-hit-with-millions-of-attacks/
The Security Risks of Cloud Computing Start With You
Do you know where your data is….
Cloud computing has quickly become a key part of the business model for many organisations, but it would be wise not to ignore the security risks of cloud computing, as doing so can incur major penalties.
The cloud comes with many key advantages, like lowering the cost for smaller firms to run compute-intensive business analytics, or, as is the case with UK challenger bank Monzo, it can allow you to build a completely new business model that is powered by cloud computing.
Yet for all the myriad useful security tools that the leading cloud providers offer, which — configured right — are typically more than a match for on-premises systems, the security and maintenance of the data being stored or processed in the cloud is still the sole responsibility of the firms it belongs to, and errors start with misconfigurations.
Many simple mistakes stem from poor account management, which is why 29 percent of organizations experienced potential account compromises, 32 percent had simple configuration issues and 23 percent found critical patches missing.
https://www.cbronline.com/feature/security-risks-of-cloud-computin
Three quarters of IT execs surveyed do not use full vulnerability management solution
ManageEngine announced the findings of its “State of IT in the UK—2019” survey. Conducted by an independent research consultancy, the study of 400 IT decision-makers working in organisations of all sizes explores their experiences dealing with IT security, GDPR compliance and cloud migration, and investigates what technologies they see having a real impact in the future.
In 2017, ManageEngine launched a survey to evaluate the IT landscape in small and medium-sized enterprises (SMEs). The latest survey has been extended to include large organisations and enterprises. It has found that businesses of all sizes lack the ability to detect anomalous activity in their IT networks. While only 12% of respondents working in enterprises believe that their organisation has that capability, the corresponding figure in SMEs and large organisations fared slightly better (21%).
Other key findings include:
IT security concerns
72% of all respondents don’t use a comprehensive vulnerability management solution to detect, assess, prioritise, patch and mitigate zero-day vulnerabilities in their network.
Only 21% of all respondents say they are capable of detecting complex attack patterns by correlating event information across devices and through user behaviour analytics (UBA).
In terms of using preventive practices to mitigate zero-day vulnerabilities, IT professionals in SMEs and large organisations state they do this more (24%) than their counterparts in enterprises (14%).
31% of all respondents cite cost as the main barrier to securing additional resources for better IT security, while a lack of understanding of how poor their security is (22%) turns out to be the second biggest barrier.
Cloud adoption
96% of SMEs use some form of cloud technology, a significant increase from 87% recorded in ManageEngine’s 2017 UK survey. The breakdown for SMEs is 39% private (vs. 21% in 2017), 37% hybrid (vs. 40% in 2017) and 20% public (vs. 26% in 2017).
The main reasons why SMEs are investing in cloud technology are security (55%), CRM tools (39%), business productivity (38%) and analytics and reporting (38%).
79% of all respondents plan to increase their spending on cloud computing within the next 12 months.
GDPR compliance
Just over half (54%) of SMEs believe they are fully GDPR-compliant. In 2017, 81% of SMEs said they were prepared to meet GDPR requirements.
The reasons given by SMEs, large organisations and enterprises for not being compliant include working with legacy systems (48%), lack of awareness (43%) and lack of financial investment (42%).
The majority of enterprise respondents (70%) believe they are fully GDPR-compliant.
The way forward
The technologies deemed to have the most impact in the coming years for all respondents are artificial intelligence (43%), the Internet of Everything (37%) and machine learning (29%).
AI is more likely to play a big part in the business operations of enterprises (52%) than in the business operations of SMEs and large organisations (35%).
Companies of all sizes agree that all three technologies above will help reduce time spent on manual processes (59%), provide additional time to work more strategically with other business units (53%), help detect user and network anomalies (48%) and provide greater visibility into network issues (46%).
Original article here: https://www.vanillaplus.com/2019/10/03/48755-three-quarters-execs-surveyed-not-use-full-vulnerability-management-solution-mitigate-zero-day-weaknesses/
What Is a DDoS Attack? (Hint: It Involves Zombies & Traffic Jams)
A distributed denial of service (DDoS) attack is kind of like a traffic jam on a website
What is a DDoS attack and what does it mean for your website? Instead of jumping deep into technical details, let’s start with a real-world analogy that makes it really easy to visualize what a DDoS attack is…
Imagine, for a moment, that it’s a Sunday afternoon and you’re driving down the highway with your family, headed to your favorite picnic spot. You’re cruising down the highway at 70 miles an hour – it won’t be long before you’re at the park enjoying a lovely autumn day!
…That is, until you go around a curve and see a traffic jam in front of you, stretching as far as the eye can see!
You check your GPS traffic report, only to see that the jam extends for miles and there’s no way around it. There’s no way you’ll make it to the park in time for your picnic.
That’s basically what a distributed denial of service (DDoS) attack is – lots of users (in this case, cars) that are jamming up a system (the highway) to deny you from accessing a service (the park).
Usually when we talk about DDoS attacks, the resource being denied is a website and the “traffic jam” was maliciously caused by a hacker. But the concept is the same as a traffic jam on the highway. Let’s dive into what DDoS means, the types of DDoS attacks, and methods of DDoS prevention.
Let’s hash it out.
What is a DDoS Attack? A Simple Definition
Since we’re all about making technical topics simple, let’s start with a basic answer to the question: What does DDoS mean (a.k.a. “What is a distributed denial of service attack”)?
As mentioned above, a DDoS attack is a bit like a traffic jam on a website (but it’s intentionally caused by a hacker).
Here’s a simple definition for the meaning of DDoS:
A DDoS (distributed-denial-of-service) attack is when a hacker makes a website or other service inaccessible by flooding it with requests from many different devices.
If you’ve also heard the term “DoS attack,” don’t let that confuse you. A DDoS attack is just a specific type of DoS (denial-of-service) attack — one that uses multiple computers/devices to attack with.
How Does a DDoS Attack Work? (Hint: It Involves Zombies!)
Just like a traffic jam floods a highway with more cars than it can handle, a DDoS attack floods a website with more requests (i.e. visitors) than the web server or other related systems can handle.
Many hackers use botnets (a.k.a. zombie computers) to execute DDoS attacks. A botnet is a way for a single person (hacker) to control thousands of devices at once.
Here’s how a botnet works to execute a DDoS attack:
Step 1: Building the Botnet
To create a botnet, a hacker needs a way to take control of thousands of devices — these could be computers, mobile phones, or IoT devices such as webcams or smart refrigerators.
There are quite a few ways the hacker could find and take control of these devices. For example, they might write a virus that propagates and gradually takes over more and more computers. Or, they might find a specific IoT device with a known vulnerability (for example, poor default login security) and build a bot to scan the internet and hack as many of those devices as possible.
If you want to read more about how hackers do this, check out our post on Hacking IoT Devices: How to Create a Botnet of Refrigerators.
Step 2: Controlling the Botnet
As the hacker takes control of each device, they’ll do something so it will obey any instructions the hacker sends to the device. (For example, installing a small program on it.)
There are a few different approaches the hacker can use (client-server model, P2P model based on digital certificates, etc.), but the end result is the same — the hacker can issue a command and all the devices in the botnet will do whatever the hacker instructed them to do.
Step 3: Executing the Attack
Once the hacker has thousands of devices at his beck and call, he can execute the DDoS attack. There are a few different types of DDoS attacks (more on that later), but the basic idea is the same: flood a web server with more requests than it can handle.
The attacker will typically research the target website carefully to identify a weakness to exploit, then craft a request that will target that vulnerability. Finally, the attacker will instruct their zombie computers to execute that request (repeatedly).
Here’s an example: Let’s say Bob’s botnet has 100,000 devices in it. He issues a command to the botnet to send an HTTP request to example.com once per second. That’s 60 visits per minute times 100,000 devices. That adds up to 360 million visits per hour, or 8.6 billion visits per day. That’s far more than most web servers are designed to handle. If the attack was planned well, the web server will be overloaded and any real people who try to visit the site will get an error message. DDoS attack success!
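The arithmetic above is the defender's problem in a nutshell: each of Bob's 100,000 devices sends only one request a second, so a per-client rate limit never fires, and the damage only shows up in the aggregate. As an added example (not code from the original article), the Python below runs a flood check over constructed web server access log lines: it buckets requests per second, flags a second where a single source exceeds a per-source threshold (the classic single-source flood), and separately flags a second where the aggregate exceeds the server's assumed capacity while no single source stands out (the distributed case). The IP ranges, the 200 requests/second capacity and the 20 requests/second per-source threshold are illustrative assumptions.

```python
"""Flood detection over web server access logs: aggregate rate vs. per-source rate.

Added example, not from the original article. Log lines, IP ranges and the
capacity/per-source thresholds below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (source_ip, unix_second) for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())


def make_sample_log():
    """Constructed traffic: 13 s of normal baseline, with a distributed flood in the last 3 s."""
    lines = []
    stamp = "10/Oct/2019:12:00:%02d +0000"
    # Baseline: ten ordinary clients, one request per second each.
    for sec in range(13):
        for c in range(10):
            lines.append(f'198.51.100.{c} - - [{stamp % sec}] "GET /index.html HTTP/1.1" 200 5120')
    # Flood (seconds 10-12): 400 distinct bot sources, each sending only ONE request
    # per second, i.e. the low per-device rate in the article's "Bob" example.
    for sec in range(10, 13):
        for i in range(400):
            ip = f"192.0.2.{i}" if i < 256 else f"203.0.113.{i - 256}"
            lines.append(f'{ip} - - [{stamp % sec}] "GET /index.html HTTP/1.1" 200 5120')
    return lines


def detect_floods(lines, capacity_rps=200, per_source_rps=20, window=1):
    """Slide a `window`-second window over the log and flag seconds where either one
    source exceeds per_source_rps (single-source flood) or the aggregate exceeds
    capacity_rps while no single source stands out (distributed flood)."""
    buckets = defaultdict(Counter)  # second -> Counter(ip -> request count)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec = parsed
            buckets[sec][ip] += 1

    alerts = []
    for sec in sorted(buckets):
        merged = Counter()
        for s in range(sec - window + 1, sec + 1):
            merged.update(buckets.get(s, {}))
        total = sum(merged.values())
        top_ip, top_count = merged.most_common(1)[0]
        if top_count / window > per_source_rps:
            kind = "single-source"
        elif total / window > capacity_rps:
            kind = "distributed"
        else:
            continue
        alerts.append({
            "time": datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%H:%M:%S"),
            "kind": kind,
            "requests": total,
            "distinct_sources": len(merged),
            "max_per_source": top_count,
            "top_source": top_ip,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

Run as-is, the three flood seconds are reported as "distributed" with 410 requests from 410 distinct sources and a maximum of one request per source; the baseline seconds produce nothing. The useful lesson for a real deployment is that the distinct-source count and the aggregate rate, not the per-client counters, are what distinguish a botnet flood from a busy day, which is also why upstream mitigation (a CDN or the provider's scrubbing service) is usually part of the answer rather than web server rate limiting alone.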
DDoS the Lazy Way: Rent a Botnet!
If it sounds like a lot of work to build a botnet and execute a DDoS attack, you’d be right. But (unfortunately) there’s an easier way — lazy attackers can just go on the dark web and rent a botnet for as little as $10 per hour! Cybercrime is a booming industry, and services such as DDoS botnet rentals and phishing as a service solutions are just a few of the options available for purchase.
Types of DDoS Attacks
Our simplified definition of what DDoS is left out one detail: there are many different types of DDoS attacks that attackers can use depending on what specific server resource they’re trying to overload. Since we’re trying to keep things simple, we’ll just briefly highlight the broad types of DDoS attacks commonly used.
As mentioned previously, DDoS attacks are designed to jam up a website, usually by overloading a specific aspect of the site. For example, an attack could target the following to overload them:
Web server resources such as CPU or RAM
Database servers
Network bandwidth
DNS servers
Etc.
Original article here: https://securityboulevard.com/2019/10/what-is-a-ddos-attack-hint-it-involves-zombies-traffic-jams/
Week in review 13 October 2019: Europol state ransomware dominated in 2019, 11 ways employees can be the weak link in your security, steps firms should take to improve their incident response strategy
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware still dominates the cyber threat landscape in 2019 – Europol report
Despite ransomware attack rates waning, Europol says a shift in tailored campaigns against business targets has ensured the malware holds the top spot in this year’s Internet Organised Crime Threat Assessment (IOCTA) report.
According to the European law enforcement body's annual report, published today (Wednesday), attacks utilising ransomware are now “more targeted, more profitable and cause greater economic damage”.
The 63-page IOCTA report says that since ransomware entered the spotlight in 2016 with global attacks like WannaCry and NotPetya, the malware has remained a “relatively easy income” for cybercriminals – offering a more stable return than banking trojans.
Ransomware notably locks and encrypts infected systems and files with the promise of returning functionality once a fee is paid.
11 Ways Employees Can Be Your Weak Link for Cybersecurity
Each year, incidences of cyberattacks on companies are increasing with the intent to steal sensitive information. There are cybersecurity tools made to protect organisations, but many of these tools focus on external attacks, not internal weaknesses. Many security systems do not focus on the possibility of employees unknowingly becoming a security threat and do nothing to mitigate accidental internal threats. Employee cybersecurity is an important issue.
The 2018 Insider Threat Report asserted that 90% of organisations are likely to be attacked or exposed to attacks through an insider, and more than 50% experienced an attack through an insider. Furthermore, about 44% of top companies are exposed to potential threats as a result of exposure of passwords on the internet by their employees or theft of login details.
Read the full article for the full list here:
11 steps organisations should take to improve their incident response strategy
As the year draws to a close, it is time for businesses across all industries and sectors to reflect and prepare for the upcoming new year. With this in mind, FIRST has produced 11 vital steps that organisations should take to improve their incident response strategy.
It is highly likely that an organisation will face a cybersecurity incident of some sort at some point in its lifetime, regardless of the level of cybersecurity defence in place.
According to a global survey undertaken by Marsh in partnership with Microsoft, two-thirds of respondents ranked cybersecurity as a top five risk management priority, but only 19% expressed high confidence in their organisation’s ability to manage and respond to a cyber event, and only 30% have developed a plan to do so.
More info and the full list of steps organisations can take here:
https://www.helpnetsecurity.com/2019/10/11/organizations-incident-response-strategy/
APT Actors Hitting UK Organisations via Trio of VPN Vulnerabilities: NCSC
Hundreds of British organisations are vulnerable to VPN attacks being launched by sophisticated Advanced Persistent Threat (APT) actors, who are actively exploiting vulnerabilities in a trio of commercial VPN products, the NCSC has warned.
The organisation, overseen by GCHQ, warned: “This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.”
Phishing attempts increase 400%
1 in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75% since January.
A new report also highlights the importance of user education, as phishing lures have become more personalized as hackers use stolen data for more than just account takeover.
Hackers are using trusted domains and HTTPS to trick victims, with nearly a quarter (24%) of malicious URLs found to be hosted on trusted domains, as hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block. Nearly a third (29%) of detected phishing web pages use HTTPS as a method to trick users into believing they’re on a trusted site via the padlock symbol.
Phishing grew rapidly, with a 400% increase in URLs discovered from January to July 2019.
The top industries impersonated by phishing include:
· 25% SaaS/webmail providers
· 19% financial institutions
· 16% social media
· 14% retail
· 11% file hosting
· 8% payment services companies
Phishing lures are also becoming more personalised, and users still on Windows 7 face greater risk, with infections increasing by 71%.
https://www.helpnetsecurity.com/2019/10/09/phishing-increase-2019/
Email Threat Report Summary
At Cyber Defense Summit, FireEye announced the release of its latest email threat update. The findings, drawn from FireEye analysis of a sample set of more than two billion emails from April through June 2019, are presented visually in a new infographic.
To summarise, FireEye has identified several significant themes:
Attackers Are Getting Ahead in the Cloud: As companies continue migrating to the cloud, bad actors are abusing cloud services to deploy phishing attacks. Some of the most common tactics include hosting Microsoft-themed phishing pages with Microsoft Azure, nesting embedded phish URLs in documents hosted on popular file sharing services, and establishing phishing URL redirects on popular email delivery platforms.
Microsoft Continues to Be the Most Popular Brand Used in Phishing Lures: A typical phishing email impersonates a well-known contact or trusted company to induce the recipient to click on an embedded link, with the ultimate goal of credential or credit card harvesting. During the evaluated period, FireEye saw Microsoft- and Office 365-themed phishing attacks increase by 12 percent quarter over quarter, as Microsoft continues to be the most popular brand utilised in phishing attacks, with 68 percent of all phishing detections.
Entertainment/Media/Hospitality Most Targeted Vertical: Q2 saw a shakeup in the most targeted vertical industries. Entertainment/Media/Hospitality has stolen the number one spot from Financial Services, which dropped to number two. Other highly targeted verticals for email-based attacks include Manufacturing, Service Providers, Telecom, State & Local Government, Services/Consulting, and Insurance.
Insider threats are security’s new reality - the biggest danger to data security, yet prevention solutions aren’t working
Insider threats expose companies to breaches and put corporate data at risk. New research questions whether the right data security solutions are being funded and deployed to stop insider threats and asserts that legacy data loss prevention solutions fall short in getting the job done.
79% of information security leaders believe that employees are an effective frontline of defence against data breaches. However, this year’s report disputes that notion.
Recognising that employees are the power behind any organisation, companies are increasingly implementing strategies for collaboration to make information sharing easier than ever.
69% of organisations that were breached due to insider threats already had a prevention solution in place at the time of the breach that did little to prevent it.
Unfortunately, some organisations have not put appropriate detection and response data security controls in place, and instead simply trust employees to keep data safe. However, this trust is frequently abused.
The study showed that employees take more risks with data than employers think, which leaves organisations open to insider threats.
https://www.helpnetsecurity.com/2019/10/07/insider-threat-risk/
Many companies are failing to secure their data in the cloud
A large proportion of businesses are failing to secure the data they have stored in the cloud, a new report has claimed.
The report argues that almost half (48 per cent) of all corporate data is now stored in the cloud, yet only a third of organisations (32 per cent) take a security-first approach with this data. The report also finds that less than a third of organisations (31 per cent) believe it is their responsibility to keep that data safe at all.
To make matters worse, companies are planning on using the cloud even more. Almost half (48 per cent) have a multi-cloud strategy, opting for the likes of Amazon Web Services (AWS), Microsoft Azure and IBM. On average, organisations use three different cloud service providers, with a quarter (28 per cent) using four or more.
Despite having their sights locked onto the cloud, almost half of organisations still see it as a security risk, particularly when storing consumer data. In most cases, they also see it as a compliance risk. However, not everyone believes that keeping the data safe is entirely their obligation – a third believe they should share this responsibility with the cloud providers, and another third believe it is entirely the cloud provider’s job.
https://www.itproportal.com/news/many-companies-are-failing-to-secure-their-data-in-the-cloud/
Cyber Attacks Are North Korea's New Weapon of Choice
According to The Associated Press, North Korea has reportedly generated nearly two billion dollars to fund its nuclear weapons programs with unprecedented cyber activities against financial institutions and cryptocurrency exchanges all around the world. As a result, United Nations experts are currently investigating at least thirty-five instances in seventeen victim countries, including Costa Rica, Gambia, Guatemala, Kuwait, and Liberia. Of the many targets for cyberattacks, South Korea is often the hardest-hit.
https://nationalinterest.org/blog/korea-watch/cyber-attacks-are-north-koreas-new-weapon-choice-87526