Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Cyber Weekly Flash Briefing for 06 March 2020 - phishing scams exploiting coronavirus, Boots Advantage and Tesco Clubcard hit in the same week, Android patches, ransomware takes legal giant offline
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nasty phishing scams aim to exploit coronavirus fears
Phoney emails about health advice and more are being used to steal login credentials and financial details.
Cyber criminals are aiming to take advantage of fears over coronavirus as a means of conducting phishing attacks and spreading malware, along with stealing login credentials and credit card details.
Cybersecurity companies have identified a number of campaigns by hackers who are attempting to exploit concerns about the COVID-19 outbreak for their own criminal ends. Crooks often use current affairs to make their scams more timely.
Researchers have identified a Trickbot banking trojan campaign specifically targeting Italian email addresses in an attempt to play on worries about the virus. The phishing email carries a Word document which claims to contain advice on how to prevent infection; the document in fact contains a Visual Basic for Applications (VBA) macro which drops a new variant of Trickbot onto the victim's machine.
The message text claims to offer advice from the World Health Organization (WHO). The document claims to have been produced with an earlier version of Microsoft Word and tells the user to enable macros in order to see the content. Enabling them executes a chain of commands which installs Trickbot on the machine. No exploit of Word itself is involved; the attack depends entirely on the user clicking through the macro warning.
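The lure above only works once the user enables macros, so the cheapest control is to stop macro-bearing documents from untrusted senders before they reach an inbox. The following is an added example, not code from the original article or from the Trickbot campaign, of the check a mail gateway or triage script can perform with the Python standard library alone: any OOXML document carrying a `word/vbaProject.bin` part or a macro-enabled content type is treated as a macro document regardless of its file extension, and legacy binary `.doc` files (whose macro streams the standard library cannot parse) are quarantined for inspection by a dedicated tool. The sample documents are constructed inside the script and contain no real macro code.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 / Compound File container used by binary .doc files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Fragment Word writes into [Content_Types].xml for macro-enabled documents (.docm).
MACRO_CONTENT_TYPE_FRAGMENT = b"macroEnabled"


def build_sample_ooxml(macro_enabled: bool) -> bytes:
    """Build a minimal, constructed OOXML container for testing.

    Not real malware: only the parts the check inspects are present.
    """
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if macro_enabled
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # The compiled VBA project lives in this part; its presence is the decisive indicator.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_ooxml(macro_enabled=False)   # constructed: plain document
SAMPLE_DOCM = build_sample_ooxml(macro_enabled=True)    # constructed: macro-enabled document
SAMPLE_OLE_DOC = OLE2_MAGIC + b"\x00" * 504             # constructed: legacy .doc header only


def inspect_word_attachment(data: bytes, filename: str) -> dict:
    """Return macro indicators for a Word attachment without opening it in Office.

    Verdicts: 'allow', 'block_macro_document', 'quarantine_for_ole_inspection'.
    The extension is never trusted: a file named .docx that carries a VBA project is blocked.
    """
    result = {
        "filename": filename,
        "format": "unknown",
        "vba_project": False,
        "macro_content_type": False,
        "verdict": "allow",
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc: macros sit in OLE streams the standard library cannot walk,
        # so hand these to a dedicated parser (e.g. oletools) instead of letting them through.
        result["format"] = "ole2"
        result["verdict"] = "quarantine_for_ole_inspection"
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            result["macro_content_type"] = MACRO_CONTENT_TYPE_FRAGMENT in z.read("[Content_Types].xml")
    if result["vba_project"] or result["macro_content_type"]:
        result["verdict"] = "block_macro_document"
    return result


if __name__ == "__main__":
    for name, blob in [("who_advice.docx", SAMPLE_DOCX), ("who_advice.docm", SAMPLE_DOCM),
                       ("who_advice.docx", SAMPLE_DOCM), ("who_advice.doc", SAMPLE_OLE_DOC)]:
        print(inspect_word_attachment(blob, name))
```

The same two indicators apply to Excel and PowerPoint OOXML files (`xl/vbaProject.bin`, `ppt/vbaProject.bin`), which is why the check matches on the part name rather than on the `word/` prefix.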
Read more here: https://www.zdnet.com/article/nasty-phishing-scams-aim-to-exploit-coronovirus-fears/
Backdoor malware is being spread through fake security certificate alerts
Victims of this new technique are invited to install a malicious "security certificate update" when they visit compromised websites.
Backdoor and Trojan malware variants are being distributed through a new phishing technique that attempts to lure victims into accepting an "update" to website security certificates.
Certificate Authorities (CAs) issue the TLS certificates that bind a website's domain name to its public key. Browsers use them to check that they are talking to the genuine server before setting up an encrypted channel, which is especially important for domains providing e-commerce services, and that identity validation is intended to instill trust in a domain. Certificates are validated, and where necessary replaced, by the browser and operating system themselves; a website that prompts a visitor to download and install a "certificate update" is asking them to run an executable, not to repair a certificate.
Read the full article here: https://www.zdnet.com/article/backdoor-malware-is-being-spread-through-fake-security-certificate-alerts/
Boots Advantage and Tesco Clubcard both suffer data breaches in same week
Boots has blocked all Advantage card holders from ‘paying with points’ after around 150,000 accounts were subjected to attempted logins using passwords stolen from other websites, a technique known as credential stuffing which works wherever customers have reused the same password.
The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.
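What Boots and Tesco describe is the credential-stuffing pattern: one source tries a leaked username and password pair against many different accounts and succeeds only where the password was reused. The following is an added example, not code from either company or from the linked article, of the detection logic a practitioner would run over login audit records to separate that pattern from a customer mistyping their own password and from a brute-force attack on a single account. The log lines, IP addresses and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed login-audit lines, "timestamp source_ip account result".
# Illustrative only; not data from the Boots or Tesco incidents.
SAMPLE_AUTH_LOG = """\
2020-03-04T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-03-04T09:00:01Z 203.0.113.7 bob@example.com FAIL
2020-03-04T09:00:02Z 203.0.113.7 carol@example.com FAIL
2020-03-04T09:00:02Z 203.0.113.7 dave@example.com SUCCESS
2020-03-04T09:00:03Z 203.0.113.7 erin@example.com FAIL
2020-03-04T09:00:03Z 203.0.113.7 frank@example.com FAIL
2020-03-04T09:00:04Z 203.0.113.7 grace@example.com FAIL
2020-03-04T09:00:04Z 203.0.113.7 heidi@example.com FAIL
2020-03-04T09:01:10Z 198.51.100.2 carol@example.com FAIL
2020-03-04T09:01:25Z 198.51.100.2 carol@example.com FAIL
2020-03-04T09:01:40Z 198.51.100.2 carol@example.com SUCCESS
2020-03-04T09:02:00Z 192.0.2.9 erin@example.com FAIL
2020-03-04T09:02:01Z 192.0.2.9 erin@example.com FAIL
2020-03-04T09:02:02Z 192.0.2.9 erin@example.com FAIL
2020-03-04T09:02:03Z 192.0.2.9 erin@example.com FAIL
2020-03-04T09:02:04Z 192.0.2.9 erin@example.com FAIL
2020-03-04T09:02:05Z 192.0.2.9 erin@example.com FAIL
"""


def parse_auth_log(text):
    """Yield (source_ip, account, succeeded) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, ip, account, result = parts
        yield ip, account.lower(), result == "SUCCESS"


def classify_sources(text, min_accounts=5, min_fail_ratio=0.75, min_attempts=5):
    """Label each source IP and collect the accounts that need a forced password reset.

    credential_stuffing: one source, many distinct accounts, mostly failures
    (a single leaked password tried once per account).
    single_account_brute_force: one source, one account, many failures.
    Other sources are left unlabelled. A production rule would apply these
    thresholds per time window instead of over the whole log.
    """
    attempts = defaultdict(list)  # ip -> [(account, succeeded), ...]
    for ip, account, ok in parse_auth_log(text):
        attempts[ip].append((account, ok))

    verdicts = {}
    at_risk_accounts = set()
    for ip, events in attempts.items():
        accounts = {account for account, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        fail_ratio = fails / len(events)
        if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "credential_stuffing"
            # A success from a stuffing source means a reused password worked: reset it.
            at_risk_accounts.update(account for account, ok in events if ok)
        elif len(accounts) == 1 and fails >= min_attempts:
            verdicts[ip] = "single_account_brute_force"
    return verdicts, at_risk_accounts


if __name__ == "__main__":
    verdicts, at_risk = classify_sources(SAMPLE_AUTH_LOG)
    for ip, label in sorted(verdicts.items()):
        print(f"{ip:15} {label}")
    print("force password reset for:", sorted(at_risk))
```

Blocking the source IP alone is not enough against stuffing, since the attacker rotates through proxies; the actionable output is the list of accounts where a stolen password succeeded, which is what drives the forced resets and the suspension of 'paying with points' described above.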
Read more here: https://www.which.co.uk/news/2020/03/boots-advantage-card-tesco-clubcard-both-suffer-data-breaches-in-same-week/
Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums
Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes).
When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim's servers.
These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.
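The bugs described above live in upload handlers that trust the client-supplied file name and content. The following added example, not code from the paper, the testing toolkit or any of the affected applications, shows in Python the unsafe pattern beside its hardened form: the unsafe path join honours `../` segments and any extension, while the hardened validator takes only the claimed extension from the client, checks it against an allowlist and the file's magic bytes, enforces a size limit and lets the server choose the stored name. The upload directory and file contents are constructed for the example.

```python
import posixpath
import re
import secrets

# Allowed extensions and the leading bytes (file magic) their content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
STORED_NAME_PATTERN = re.compile(r"^[0-9a-f]{32}\.(png|jpg|pdf)$")


def unsafe_destination(upload_dir: str, client_filename: str) -> str:
    """The pattern the discovered bugs exploit: the client-supplied name is joined to the
    upload directory as-is, so '../' segments and any extension are honoured."""
    return posixpath.normpath(posixpath.join(upload_dir, client_filename))


def validate_upload(client_filename: str, data: bytes):
    """Hardened counterpart. Returns (accepted, reason, stored_name).

    The client's name is used only to learn the claimed extension. The stored name is
    chosen by the server, so traversal, double extensions (shell.php.png) and name
    collisions are impossible, and the content must match the extension's magic bytes.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large", None
    # Drop any directory component, whichever separator the client used.
    base = posixpath.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, "extension not allowed", None
    if not data.startswith(magic):
        return False, "content does not match extension", None
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed inputs: a PHP stub and a file with a genuine PNG header.
    php_stub = b"<?php /* attacker-supplied script */ ?>"
    print(unsafe_destination("/srv/uploads", "../../var/www/html/shell.php"))
    print(validate_upload("shell.php", php_stub))
    print(validate_upload("shell.php.png", php_stub))
    print(validate_upload("../../etc/cron.d/job.png", ALLOWED_TYPES["png"] + b"\x00" * 32))
```

Even with this validation, the upload directory should sit outside the web root and files should be served through a handler that sets a fixed Content-Type and a Content-Disposition header, so that a file which passes the checks can never be executed or interpreted by the web server.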
Read the full article here: https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities-in-23-web-apps-cmses-and-forums/
UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme
ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.
The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS).
IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report.
Read more here: https://www.zdnet.com/article/uk-home-office-breached-gdpr-100-times-through-botched-handling-of-eu-settlement-scheme/
Legal services giant Epiq Global offline after ransomware attack
The company, which provides legal counsel and administration that counts banks, credit giants, and governments as customers, confirmed the attack hit on February 29.
“As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation,” a company statement read. “Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible.”
The company’s website, however, says it was “offline to perform maintenance.”
A source with knowledge of the incident but who was not authorized to speak to the media said the ransomware hit the organization’s entire fleet of computers across its 80 global offices.
Read more here: https://techcrunch.com/2020/03/02/epiq-global-ransomware/
Android Patch Finally Lands for Widespread “MediaTek-SU” Vulnerability
Google has quietly patched a critical security flaw affecting millions of Android devices containing chipsets from Taiwanese chipmaker MediaTek, a full year after the vulnerability, which gives an attacker root privileges on the device, was first reported.
More here: https://www.cbronline.com/news/android-patch-mediatek-su
5G and IoT security: Why cybersecurity experts are sounding an alarm
Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments.
Seemingly everywhere you turn these days there is some announcement about 5G and the benefits it will bring, like greater speeds, increased efficiencies, and support for up to one million device connections on a private 5G network. All of this leads to more innovations and a significant change in how we do business.
But 5G also creates new opportunities for hackers.
There are five ways in which 5G networks are more susceptible to cyberattacks than their predecessors, according to the 2019 Brookings report, Why 5G requires new approaches to cybersecurity. They are:
The network has moved from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks had "hardware choke points" where cyber hygiene could be implemented. Not so with 5G.
Higher-level network functions formerly performed by physical appliances are now being virtualized in software, increasing cyber vulnerability.
Even if software vulnerabilities within the network are locked down, the 5G network is now managed by software. That means an attacker that gains control of the software managing the network can also control the network.
The dramatic expansion of bandwidth in 5G creates additional avenues of attack.
Attaching tens of billions of hackable smart devices to the network multiplies the attack surface.
Read the full article here: https://www.techrepublic.com/article/5g-and-iot-security-why-cybersecurity-experts-are-sounding-an-alarm/
Virgin Media apologises after data breach affects 900,000 customers
Virgin Media has apologised after a data breach left the personal details of around 900,000 customers unsecured and accessible.
The company said that the breach occurred after one of its marketing databases was “incorrectly configured” which allowed unauthorised access.
It assured those affected by the breach that the database “did not include any passwords or financial details” but said it contained information such as names, home and email addresses, and phone numbers.
Virgin said that access to the database had been shut down immediately following the discovery, but by that time the database had been accessed “on at least one occasion”.
Read more here: https://www.itv.com/news/2020-03-05/virgin-media-apologises-after-data-breach-affects-900-000-customers/
Do these three things to protect your web security camera from hackers
NCSC issues advice on how to keep connected cameras, baby monitors and other live streaming security tools secure from cyberattacks.
Owners of smart cameras, baby monitors and other Internet of Things products have been urged to help keep their devices safe by following three simple steps to boost cybersecurity – and making it more difficult for hackers to compromise them.
The advice from the UK's National Cyber Security Centre (NCSC) – the cyber arm of the GCHQ intelligence agency – comes as IoT security cameras and other devices are gaining popularity in households and workplaces.
Change the default password
Apply updates regularly
Disable unnecessary alerts
For more refer to the original article here: https://www.zdnet.com/article/do-these-three-things-to-protect-your-web-security-camera-from-hackers/
Cyber Tip Tuesday - Users are unfortunately not as good at spotting phishing emails as they think they are, and that overconfidence can be dangerous
Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about how many users are not as good at spotting phishing emails as they think they are, and how that overconfidence can be dangerous.
It has been proven that users are not as good at spotting phishing emails as they think they are, and as many as 1 in 4 users will fall for fairly basic phishing attacks.
Traditional training and awareness around phishing is not working and firms need to take a different approach.
One of the things firms should be doing is simulating phishing attacks against their own staff, and this is something we will be very pleased to help your organisation to do.
We can administer and run campaigns on your behalf, including providing reports you can deliver to your Boards.
For regulated financial service firms we know this is something that the GFSC are expecting firms to be doing on a regular basis, at least quarterly.
Cyber Weekly Flash Briefing for 28 February 2020 – authenticator codes nabbed on Android, Cisco and Chrome critical vulns, FCA data breach, online backups not good enough
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Android malware can steal Google Authenticator 2FA codes
A new version of the "Cerberus" Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts.
Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.
Google launched the Authenticator mobile app in 2010. The app works by generating six to eight-digits-long unique codes that users must enter in login forms while trying to access online accounts.
Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user's smartphone and never travel through insecure mobile networks, online accounts that use Authenticator codes as a 2FA layer are considered more secure than those protected by SMS-based codes. That protection assumes the phone itself is not compromised: malware running on the device can read the codes as they are displayed, which is the gap Cerberus exploits.
Read the full article here: https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
Cisco patches incoming to address Kr00k vulnerability impacting routers, firewall products
Cisco is working on a set of patches to address a recently-disclosed vulnerability that can be exploited to intercept Wi-Fi network traffic.
The vulnerability, tracked as CVE-2019-15126, has been nicknamed "Kr00k" and was disclosed by ESET researchers at the RSA Conference on Wednesday.
Kr00k is a flaw in how affected chips handle Wi-Fi disassociation. When a device is disassociated from its access point (disassociations happen naturally, and an attacker in radio range can also force one by injecting a forged disassociation frame where protected management frames are not in use), the chip clears the session key in memory to all zeros but still transmits the frames left in its buffer, encrypting them with that all-zero key. An eavesdropper can capture those frames and decrypt them trivially, exposing some kilobytes of traffic per disassociation on WPA2 Personal and Enterprise networks using AES-CCMP. Traffic protected at a higher layer, such as TLS, stays encrypted.
Devices built on the affected Broadcom or Cypress Wi-Fi chipsets are impacted, whether they are clients or access points; Cisco's advisory covers the routers and firewall products in its range that use those chips.
Google Patches Chrome Browser Zero-Day Bug, Under Attack
Google patches a zero-day bug tied to memory corruption inside the Chrome browser’s open-source JavaScript and WebAssembly engine, V8.
Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.
The zero-day vulnerability, tracked as CVE-2020-6418, is a type confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome’s open-source JavaScript and WebAssembly engine, V8.
Read the full article here: https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/
Ransomware victims thought their backups were safe. They were wrong
Ransomware victims are finding out too late that their vital backups are online and also getting encrypted by crooks, warns cyber security agency.
The UK's cyber security agency has updated its guidance on what to do after a ransomware attack, following a series of incidents where organisations were hit with ransomware, but also had their backups encrypted because they had left them connected to their networks.
Keeping a backup copy of vital data is a good way of reducing the damage of a ransomware attack: it allows companies to get systems up and running again without having to pay off the crooks. But that backup data isn't much good if it's also infected with ransomware -- and thus encrypted and unusable -- because it was still connected to the network when the attack took place.
The UK's National Cyber Security Centre (NCSC) said it has now updated its guidance by emphasising offline backups as a defence against ransomware.
Read the full article here: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
Data breach at City watchdog FCA exposes records of thousands of complainants
The records of 1,600 people who complained to the City watchdog have been exposed following a major data breach at the regulator.
The Financial Conduct Authority (FCA) mistakenly published the personal records of complainants on its website, where anyone could access the information.
The data was visible between November 2019 and February 2020 and included the records of people who made a complaint between January 2018 and July 2019.
This leaked information included the name of the complainant, the company they represent, the status of the complaint and other information. In some instances addresses and telephone numbers were also visible.
Certain media outlets disclosed that the list contained the names of several high-profile individuals.
Read more here: https://www.telegraph.co.uk/money/consumer-affairs/data-breach-city-watchdog-exposes-records-thousands-complainants/
Hackers are getting better at tricking people into handing over passwords — here's what to look out for, according to experts
Hackers don't break in, they log in.
That mantra, often repeated by security experts, represents a rule of thumb: The vast majority of breaches are the result of stolen passwords, not high-tech hacking tools.
These break-ins are on the rise. Phishing scams — in which attackers pose as a trustworthy party to trick people into handing over personal details or account information — were the most common type of internet crime last year, according to a recent FBI report. People lost more than $57.8 million in 2019 as the result of phishing, according to the report, with over 114,000 victims targeted in the US.
And as phishing becomes more profitable, hackers are becoming increasingly sophisticated in the methods they use to steal passwords, according to Microsoft's Security Research team.
Most of the attackers have now moved to phishing because it's easy
Read the full article here: https://www.businessinsider.com/phishing-scams-getting-more-sophisticated-what-to-look-out-for-2020-2?r=US&IR=T
Government authorities fail to train employees on ransomware detection, prevention
New research suggests that the majority of state and local governments are not rising to the challenge of mitigating ransomware threats. (and it’s not just Government)
The majority of state and local government agencies are failing to prepare their employees to spot cyber attacks or teach them how to handle ransomware incidents in the workplace, new research suggests.
On Thursday, IBM Security released the results of a new study, conducted on its behalf by The Harris Poll, containing responses from close to 700 US local and state employees in IT, education, emergency services, and security departments.
The research, taking place between January and February this year, reveals that only 38% of local and state employees have received any training in general ransomware prevention, which may include learning how to spot phishing attempts, the threat of social engineering, and basic security hygiene in the workplace.
The majority of data breaches over the last couple of years were caused by users sending emails to the wrong recipients - how can you stop this?
Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about users sending emails to the wrong recipient.
The majority of data breaches reported to the data commissioner, both locally and nationally, have involved users sending emails to the wrong recipients.
This is clearly a problem and many technical controls won't defend against this as this comes down to human error. Human error is the leading cause of data breaches today, because people make mistakes and break the rules. In many cases, people may not even realise they’re doing anything wrong.
If businesses want to keep their data safe, they need to start at the human level and create a people-centric approach to cyber security that focuses on educating and protecting their employees.
We can help provide controls that reinforce this human level and reduce instances of users sending emails to the wrong recipients.
Cyber Weekly Flash Briefing for 21 February 2020 – Adobe out-of-band fix, critical Cisco bugs, Insider Threats, PayPal phishing, Supply Chain Risks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Adobe releases out-of-band patch for critical code execution vulnerabilities
Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks.
On Wednesday, the software vendor released two separate security advisories describing the issues, warning that each bug is deemed critical, the highest severity score available. However, there is at present no evidence the vulnerabilities are being exploited in the wild.
The first vulnerability impacts Adobe Media Encoder versions 14.0 and earlier on the Microsoft Windows platform. The second vulnerability impacts Adobe After Effects versions 16.1.2 and earlier also on Windows machines.
Read more on ZDnet here: https://www.zdnet.com/article/adobe-releases-out-of-schedule-fixes-for-critical-vulnerabilities/
Critical Cisco Bug Opens Software Licencing Manager to Remote Attack
A default password would let anyone access the Cisco Smart Software Manager On-Prem Base platform, even if it’s not directly connected to the internet.
A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered, which would open the door to remote attackers thanks to its use of a static, default password, even if the platform isn’t directly connected to the internet.
Cisco Smart Software Manager On-Prem Base is used to manage a customer or partner’s product licenses, providing near real-time visibility and reporting of the Cisco licenses that an organisation purchases and consumes. According to Cisco’s product literature, the platform is aimed at “customers who have strict security requirements and do not want their products to communicate with the central licensing database on Smart Software Manager over a direct Internet connection,” like financial institutions, utilities, service providers and government organisations.
Read the full article on ThreatPost here: https://threatpost.com/critical-cisco-bug-software-licencing-remote-attack/153086/
97% of IT leaders majorly concerned by insider data breaches
A study has found that 97% of IT leaders are concerned that data will be exposed by their own employees, leading to insider breaches
These findings spell a lack of reassurance for decision makers regarding insider breaches over the past 12 months.
Also, 78% of IT leaders surveyed said that employees have put data at risk accidentally within the last year, while 75% say that intentional compromise of data security has occurred.
While the former statistic has remained stable since 2019, the latter saw a 14% jump.
In the UK, 63% declared intentional data security compromise, while 68% said this was accidental. This contrasted with leaders in the Benelux region, 89% of whom said that data was put at risk intentionally, and 91% accidentally.
Read more here: https://www.information-age.com/it-leaders-majorly-concerned-insider-data-breaches-123487769/
PayPal remains the most‑spoofed brand in phishing scams
PayPal, Facebook, Microsoft, Netflix, and WhatsApp were the most commonly impersonated brands in phishing campaigns in the fourth quarter of 2019.
The payment services provider retained its top spot from the previous quarter, according to the security vendor that compiled the figures, which ranks brands by the number of unique phishing URLs it detected impersonating each of them. Thanks to the immediate financial payback and a pool of 305 million active users worldwide, PayPal’s continued popularity among phishers isn’t all that surprising.
PayPal-themed phishing campaigns usually target both consumers and SMB employees, with researchers pointing to an example of a recent fraudulent email that alerted users to an “unusual activity on your account”. A similar campaign was recently uncovered by researchers.
Social media phishing continues to grow with Facebook taking second place on the list. Meanwhile, WhatsApp jumped a whopping 63 spots to take fifth place and Instagram surged 16 places to take the 13th spot.
More: https://www.welivesecurity.com/2020/02/14/paypal-remains-most-spoofed-brand-phishing-scams/
Windows 10 update: Microsoft admits serious problem, here's how to fix it
It was recently discovered that the newest Windows 10 update was somehow deleting users’ files. The update has been live for over a week now, but fear not (or at least not too much) Windows fans, Microsoft has now said (unofficially) that it’s found a fix.
Thanks to Windows Latest (via TechRadar), we now know how Windows is responding to the problem. The site interviewed unnamed Microsoft support team staff, one of whom was quoted as saying: “Microsoft is aware of this known issue and our engineers are working diligently to find a solution for it.” In addition, it’s been reported that the Windows team has been able to replicate the bug and find one potential way of restoring any lost files.
Read the full article here: https://www.tomsguide.com/news/windows-10-update-microsoft-admits-serious-problem-heres-how-to-fix-it
Mitigating Risk in Supply Chain Attacks
In the last year, the number of global businesses falling victim to supply chain attacks more than doubled from 16 to 34 per cent – in the UK the picture is even worse with a staggering 42 per cent reporting they fell victim to these sorts of attacks.
This kind of attack is a powerful threat as it enables malicious code to slip into an organisation through trusted sources. What is worse is that it’s a tougher threat for traditional security approaches to account for.
Of even more concern is that this particular attack vector doesn’t appear to be a top priority for businesses. The same survey found only 42 per cent of respondents have vetted all new and existing software suppliers in the past 12 months. Meanwhile, 30 per cent of respondents believe with absolute certainty that their organisation will become more resilient to supply chain attacks over the next 12 months, yet the increasing scale and frequency of these attacks demands a proportionate response.
The problem is that many businesses fail to understand how quickly adversaries can move laterally through the network via this sort of compromise and how much damage can be done in that short amount of time. There is an educational need for the cyber industry to broadcast the potential consequences of supply chain attacks, and to share best practices around their defence and mitigation.
Adversaries use supply chain attacks as a sneaky weak point through which to creep into the enterprise and attack software further up the supply chain rather than going straight for their final target: An organisation with funds or information they wish to pilfer, or whom they will ‘merely’ disrupt. Once an adversary successfully compromises the chain, their M.O. is to modify the trusted software to perform additional, malicious activities. If not discovered, compromised software can then be delivered throughout an organisation via software updates.
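A compromised update channel delivers modified software under a trusted name, so the receiving side needs an integrity check that does not come from that same channel. The following is an added example, not code from the article or from any vendor, of pinning release digests in a lockfile obtained separately and refusing to install anything that is unpinned or whose SHA-256 does not match the pin. The package names and artifact bytes are constructed for the example.

```python
import hashlib

# Constructed artifacts standing in for vendor releases (hypothetical names, not real packages).
TRUSTED_RELEASES = {
    "widget-agent-2.4.1.tar.gz": b"widget-agent 2.4.1 release bytes " * 64,
    "report-lib-1.0.3.whl": b"report-lib 1.0.3 release bytes " * 64,
}


def sha256_hex(data: bytes, chunk_size: int = 65536) -> str:
    """Hash in chunks so the same code copes with multi-gigabyte installers."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def build_lockfile(releases: dict) -> str:
    """Produce the pin list. In practice this is generated once from artifacts that have been
    reviewed, then distributed over a channel separate from the download server."""
    lines = ["# artifact sha256"]
    for name in sorted(releases):
        lines.append(f"{name} {sha256_hex(releases[name])}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict:
    """Parse 'name digest' lines; reject anything that is not a 64-character hex digest."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, digest = line.split()
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name}")
        pins[name] = digest
    return pins


def verify_artifact(name: str, data: bytes, pins: dict):
    """Return (ok, reason). Unpinned artifacts are rejected: an update the lockfile does
    not know about is exactly what a compromised update channel would deliver."""
    expected = pins.get(name)
    if expected is None:
        return False, "not pinned"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "ok"


LOCKFILE = build_lockfile(TRUSTED_RELEASES)
PINS = parse_lockfile(LOCKFILE)

if __name__ == "__main__":
    good = TRUSTED_RELEASES["widget-agent-2.4.1.tar.gz"]
    tampered = good + b"\n# appended after the pin was taken"  # constructed: modified 'trusted' software
    print(verify_artifact("widget-agent-2.4.1.tar.gz", good, PINS))
    print(verify_artifact("widget-agent-2.4.1.tar.gz", tampered, PINS))
    print(verify_artifact("widget-agent-2.5.0.tar.gz", good, PINS))
```

Digest pinning catches an artifact altered after the pin was taken, and it is the mechanism behind hash-locked dependency files in package managers. It does not help if the artifact was already backdoored when it was reviewed, which is why the supplier vetting the survey above asks about still matters.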
Read the original article here: https://www.cbronline.com/opinion/mitigating-risk-in-supply-chain-attacks
Russia’s GRU was behind cyber attacks on Georgian government and media, says NCSC
British security officials have identified a Russian military intelligence unit as the source of a series of “large-scale, disruptive cyber attacks” on Georgia last autumn.
The former Soviet Union state suffered a spree of attacks on its government websites, national broadcasters and NGOs over several hours on 28 October 2019.
Analysts at the National Cyber Security Centre have concluded “with the highest level of probability” that the attacks, aimed at web hosting providers, were carried out by the GRU in a bid to destabilise the country.
Read more here: https://tech.newstatesman.com/security/russia-gru-cyber-attacks-georgia-ncsc
UK Google users could lose EU GDPR data protections
Google is to move the data and user accounts of its British users from the EU to the US, placing them outside the strong privacy protections offered by European regulators.
The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading General Data Protection Regulation (GDPR) and therefore with less protection and within easier reach of British law enforcement.
Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans.
ISS World “malware attack” leaves employees offline
Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”
The company’s website currently shows a holding page, with no clickable links on it.
Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.
As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.
Read the full article here: https://nakedsecurity.sophos.com/2020/02/20/iss-world-malware-attack-leaves-employees-offline/
Google is trying to scare Microsoft Edge users into switching to Chrome
Could Google be worried about the new Edge browser stealing away Chrome users? It seems that way, with the company now displaying a warning to people using Microsoft’s new web browser when they access the Chrome web store.
Originally, Microsoft’s Edge web browser was a deeply unpopular piece of software, despite it being the default web browser in Windows 10, which led Microsoft to overhaul the app, and it’s now based on the same Chromium engine as Chrome.
Edge users who visit the Chrome web store are seeing a warning message that says “Google recommends switching to Chrome to use extensions securely.”
Read more here: https://www.techradar.com/uk/news/google-is-trying-to-scare-microsoft-edge-users-into-switching-to-chrome
Your home PC is twice as likely to get infected as your work laptop
Outdated operating systems and poor security put consumer PCs at risk
Consumer PCs are twice as likely to get infected as business PCs, new research has revealed.
According to the findings, the reason consumer PCs are more susceptible to infections is due to the fact that many are running outdated operating systems such as Windows 7 and because consumers aren't employing the same security solutions used by businesses which offer greater protection.
Of the infected consumer devices, more than 35 percent were infected over three times and nearly 10 percent encountered six or more infections.
Should firms conduct phishing testing against their own staff? What pitfalls should they look out for?
The vast majority of successful attacks against firms stem from phishing emails. Traditional user training is often largely ineffective at preventing users clicking on these phishing emails, and users are not as good as they think they are at spotting phishing emails - with as many as 1 in 4 staff clicking on phishing emails.
For this reason it is absolutely essential all firms conduct phishing testing against their own users, but it is just as essential to ensure it is done properly if you want it to be effective. There are pitfalls to be avoided if you want this to be successful. Testing should be conducted with the aim of making your organisation more secure, not done just to put a tick in a box to meet a regulatory requirement.
We've partnered with the market leaders for phishing testing and we can provide phishing testing as a fully managed service. Using our relationships with these providers we can provide this service for roughly the same price as buying licences directly from a provider. With us managing these campaigns you get access to our specialist expertise, and knowledge of the pitfalls to avoid, to actually make these campaigns effective.
Contact us to see how we can help strengthen your defences and reinforce your human firewall.
What is MDM? The first of a new series explaining different technical controls, in this episode James explains Mobile Device Management
Welcome to this week's Cyber Tip Tuesday.

This week James is doing the first of a series looking at specific technical controls, this week Mobile Device Management, or MDM.

You may have heard of MDM... but what is it?

Mobile Device Management is the technology used to administer mobile devices such as phones, tablets and laptops. Because these devices often run across platforms provided by different vendors, for example Apple's iOS, Google's Android or Microsoft Windows, they must be managed by a product that is compatible with all of them.

If your company's confidential data is stored or accessed on any of these devices then it is important that you extend your technical controls to encompass the unique security requirements and vulnerabilities that can be exploited to gain access to it.

If you'd like to know more about MDM or other technical controls, please contact us.
Cyber Weekly Flash Briefing for 14 February 2020 – Microsoft patches 99 vulns, Nedbank 1.7m customer breach, PC malware spreads via WiFi, Cybercrime losses triple
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Microsoft Patch Tuesday fixes IE zero‑day and 98 other flaws
This month’s Patch Tuesday fell this week and it came with fixes for no fewer than 99 security vulnerabilities in Windows and other Microsoft software.
Twelve flaws have received the highest severity ranking of “critical”, while five security holes are listed as publicly known at the time of release.
In fact, one vulnerability ticks both boxes – an actively exploited zero-day in Internet Explorer (IE). Microsoft disclosed this flaw, indexed as CVE-2020-0674, three weeks ago but didn’t roll out a patch until now. Successful exploitation of this remote code execution (RCE) vulnerability enables remote attackers to run code of their choice on the vulnerable system.
Another 16 RCE holes are being plugged as part of this month’s bundle of security patches. This includes two severe vulnerabilities in the Windows Remote Desktop Client, CVE-2020-0681 and CVE-2020-0734, where exploitation is seen as likely by Microsoft.
Updates have been released for various flavours of Windows, as well as for Office, Edge, Exchange Server, SQL Server and a few more products. The number of fixes this month is unusually high; for example, last month’s Patch Tuesday rollout fixed 49 vulnerabilities.
Read more here: https://www.welivesecurity.com/2020/02/12/microsoft-patch-tuesday-fixes-99-vulnerabilities-ie-zero-day/
Nedbank says 1.7 million customers impacted by breach at third-party provider
Nedbank, one of the biggest banks in South Africa, disclosed a security incident yesterday that affected the personal details of 1.7 million customers.
The bank says the breach occurred at Computer Facilities (Pty) Ltd, a South African company the bank was using to send out marketing and promotional campaigns.
In a security notice posted on its website, Nedbank said there was a vulnerability in the third-party provider's systems that allowed an attacker to infiltrate its systems.
The data of 1.7 million past and current customers is believed to have been affected. Details stored on the contractor's systems included things like names, ID numbers, home addresses, phone numbers, and email addresses.
The bank began notifying customers about the breach yesterday.
More information here: https://www.zdnet.com/article/nedbank-says-1-7-million-customers-impacted-by-breach-at-third-party-provider/
Why you can’t bank on backups to fight ransomware anymore
Ransomware operators stealing data before they encrypt means backups are not enough.
The belief that no personally identifying information gets breached in ransomware attacks is common among victims of ransomware—and that's partially because ransomware operators had previously avoided claiming they had access to victims' data in order to maintain the "trust" required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there's no need for an organisation to reveal a breach, so the economics had favoured ransomware attackers who provided good "customer service" and gave (usually believable) assurances that no data had been taken off the victims' networks.
Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.
Read more here: https://arstechnica.com/information-technology/2020/02/why-you-cant-bank-on-backups-to-fight-ransomware-anymore/
Newly discovered PC malware version spreads through Wi-Fi networks
A new version of a highly sophisticated Trojan that can spread via Wi-Fi networks has been discovered. The Emotet Trojan, which also acts as a loader for other malware, has been found to use the Windows wlanAPI interface to spread to other PCs on nearby networks over Wi-Fi. The Trojan was previously known to spread only through spam emails and across already-infected networks.
This ability to brute-force its way onto Wi-Fi networks from an infected PC has reportedly gone undetected for at least two years. Once the malware is running on a system, it enumerates and profiles the wireless networks in range using wlanAPI.dll calls, the same Native Wi-Fi API that Windows itself uses to manage wireless profiles and connections, so that it can attempt to spread to any network it can reach.
Read more here: https://www.neowin.net/news/newly-discovered-pc-malware-version-spreads-through-wi-fi-networks/
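The wlanAPI behaviour described above gives defenders a concrete thing to look for: wlanapi.dll being loaded by a process that has no reason to manage Wi-Fi profiles, especially one running from a user-writable directory. The script below is an added example, not code from the page or the linked article. It runs that check over Sysmon-style Event ID 7 (Image Loaded) records exported as key=value lines; the sample records, the loader allowlist and the suspicious-path rules are constructed assumptions to be tuned for your own estate.

```python
"""Flag wlanapi.dll being loaded by processes that have no business touching Wi-Fi.

Added example, not code from the page or the linked article. It runs a simple
detection over Sysmon-style Event ID 7 (Image Loaded) records exported as
key=value lines (values containing spaces are quoted). The sample records, the
loader allowlist and the suspicious-path rules are constructed assumptions to
be tuned for your own estate.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records; the Temp and Public paths mimic where a phishing
# dropper typically lands, the Acme agent is a stand-in for unknown software.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\wlanapi.dll
EventID=7 Image=C:\Users\alice\AppData\Local\Temp\invoice_1432.exe ImageLoaded=C:\Windows\System32\wlanapi.dll
EventID=7 Image="C:\Program Files\Mozilla Firefox\firefox.exe" ImageLoaded=C:\Windows\System32\ntdll.dll
EventID=7 Image=C:\Users\Public\Libraries\wifi.exe ImageLoaded=C:\Windows\SysWOW64\wlanapi.dll
EventID=7 Image="C:\Program Files\Acme\acmeagent.exe" ImageLoaded=C:\Windows\System32\wlanapi.dll
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c whoami"
"""

# Assumption: the only processes expected to load wlanapi.dll on a managed build.
ALLOWED_LOADERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wlanext.exe",
    r"c:\windows\explorer.exe",
}

# Directories a user can write to, hence where droppers usually execute from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    image: str
    reason: str


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value pairs; a value may be double-quoted if it contains spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect_wlan_loads(log_text: str) -> List[Finding]:
    """Return one Finding per wlanapi.dll load by a process that is not allowlisted."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("EventID") != "7":
            continue
        if not rec.get("ImageLoaded", "").lower().endswith("\\wlanapi.dll"):
            continue
        image = rec.get("Image", "")
        image_l = image.lower()
        if image_l in ALLOWED_LOADERS:
            continue
        if any(d in image_l for d in SUSPICIOUS_DIRS):
            findings.append(Finding(image, "wlanapi.dll loaded from user-writable path"))
        else:
            findings.append(Finding(image, "wlanapi.dll loaded by process outside allowlist"))
    return findings


if __name__ == "__main__":
    for f in detect_wlan_loads(SAMPLE_LOG):
        print(f"{f.reason}: {f.image}")
```

On the constructed sample this flags the dropper in the user's Temp folder, the binary in Users\Public and the unknown agent, and ignores svchost.exe. The allowlist is the part that needs care: baseline it from a clean build of your own image rather than guessing, otherwise a legitimate Wi-Fi management tool will drown the signal.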
Why the ransom is only a fraction of the cost of a ransomware attack
The expense of dealing with a ransomware attack is far in excess of what was previously thought, according to a report published on Tuesday.
The estimated total of ransom payments demanded in 2019 was $25 billion. But this is only one seventh of the actual cost to the companies affected, which could be as much as $170 billion, according to the report's estimates. Most of these costs arise from downtime and from dealing with the attack, rather than from the ransom itself.
Read more here: https://decrypt.co/19084/why-ransom-fraction-cost-ransomware-attack
5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras
Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn) in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.
Cisco Discovery Protocol (CDP) is a proprietary Cisco Layer 2 (data link layer) protocol implemented in virtually all Cisco products, including switches, routers, IP phones and cameras, to discover information about neighbouring Cisco equipment.
Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities affecting tens of millions of devices; they allow attackers to take over vulnerable devices completely without any user interaction.
The fifth causes a denial of service in the Cisco Discovery Protocol implementation of Cisco FXOS, IOS XR and NX-OS Software on targeted routers and switches, which in turn can disrupt the target network.
Read more here: https://gbhackers.com/zero-day-vulnerability-affected-cisco-cdp-devices/
Average tenure of a CISO is just 26 months due to high stress and burnout
Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress.
Many say the heightened stress levels have led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment.
The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies.
Today, many companies are adopting CISO roles. The constant threat of hacks, ransomware, phishing and online scams makes establishing a cyber-security department an unavoidable decision for any company.
However, most companies are not ready to embed CISOs into their company culture and day-to-day operations.
Today, CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also a constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong.
Over the years, many CISOs have pointed out the problems with their jobs and the stress and damage they inflict. However, there has been no conclusive study to support such broad assertions.
Read the full article here: https://www.zdnet.com/article/average-tenure-of-a-ciso-is-just-26-months-due-to-high-stress-and-burnout/
Ex-GCHQ spy chief says scammers are running rings around Google
Bogus investment and savings adverts banned by Google are reappearing at the top of its search results because con artists can easily circumvent the internet giant's systems, according to a former spy.
Scammers are able to dupe the world’s most powerful search engine simply by making slight alterations to the names of their fake firms.
For example, one website, info.bond-finder.co.uk, appeared at the top of Google’s search results when consumers typed in “best fixed rate Isa”. But the website had the same contact details as another site, bonds-finder.com, which was identified by the financial regulator, the Financial Conduct Authority (FCA), as a likely scam in January and deleted by Google.
Google launched an investigation after it was alerted to the matter by this newspaper and, after a connection between the two sites was confirmed, the advert was removed.
The company has been in talks with the FCA for almost a year about how to solve the problem of unregulated investment firms and fraudsters duping consumers by paying to appear first in search results through Google’s Ads service.
Read more here: https://www.telegraph.co.uk/money/consumer-affairs/ex-gchq-spy-chief-says-scammers-running-rings-around-google/
FBI: Cybercrime losses tripled over the last 5 years
In 2019, the United States' Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureau's 2019 Internet Crime Report, produced by its Internet Crime Complaint Center (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled 'only' US$1.1 billion.
Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.
Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.
Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.
Welcome to this week's Cyber Tip Tuesday, this week Tony talks about patching
Welcome to this week's Cyber Tuesday, and hopefully you've all survived this storm unscathed.

This week we're talking about patching.

Installing updates as soon as possible after vendors make them available is a very good way to help keep your systems secure, and good patch management remediates, or prevents, a huge number of threats.

Having said that, Microsoft in particular of late have had issues with some of their updates, so make sure you either test the updates in a non-production environment first, that is on systems that aren't critical to running your business, such as a dedicated test environment, or, for smaller businesses that don't have the luxury of a test environment, maybe wait a few days or a week or so before updating.

Contact us for more info.
Cyber Weekly Flash Briefing for 07 February 2020 – Coronavirus phishing, financial malware keylogger trick, remote workers, Cisco critical vulns, Mirai botnet holds up
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Coronavirus Scams: Prepare for Phishing Emails, Fake Alerts and Cyberthreats
As new global stories emerge by the hour on the coronavirus, bad actors are (again) trying to confuse online updates with phishing scams and destructive malware. Here’s why action is required now.
Wherever you turn for news coverage online, coronavirus alarm bells are ringing louder.
But users should not trust all of those bells: fake news, phishing scams and even malware are actively being distributed under the coronavirus umbrella.
Sadly, a perfect storm may be brewing. As government officials and health experts appeal louder for calm, the public is actually getting more worried and searching the Internet for answers.
Read the original article here: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/coronavirus-scams-prepare-for-a-deluge-of-phishing-emails-fake-alerts-and-cyberthreats.html
Metamorfo Returns with Keylogger Trick to Target Financial Firms
The malware uses a tactic to force victims to retype passwords into their systems – which it tracks via a keylogger.
Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Now, however, it’s expanding its geographic range and adding a new technique.
Metamorfo was first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray and pray” spam tactics). These campaigns however have small, “morphing” differences — which is the meaning behind its name.
This newest variant, which targets payment-card data and credentials at financial institutions with Windows platforms, packs a new trick up its sleeve. Once executed, the malware kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger.
Read more here: https://threatpost.com/metamorfo-variant-keylogger-financial/152640/
What's in your network? Shadow IT and shadow IoT challenge technology sensibilities
A couple of years ago, a survey found most CIOs thought they had roughly 30 to 40 apps running within their enterprises, but researchers at Symantec estimated that the average enterprise actually had at least 1,516 applications -- a number that has doubled over a three-year period.
It's not that CIOs are naive. It's just that shadow IT is a difficult thing to measure, since employees pull down apps outside the official channels, and off budget sheets. To some degree, it's even purposely overlooked, condoned, or even encouraged, as employees need the right tools to do their jobs, and IT can't always be there.
Now, it appears CIOs are battling shadow IT on two fronts. There's the user-initiated apps and clouds, and there's something more insidious -- "shadow IoT."
More here: https://www.zdnet.com/article/shadow-it-and-now-shadow-iot-challenge-technology-leaders/
Remote workers prime targets for cyber attacks
According to a study into the future of work, more than half of CIOs expect a rise in employees working remotely, while 97% say that soon their workforce will be widely dispersed across geographies and time zones. Businesses are being forced to adapt to the rising demand for a dynamic working environment, which can manifest as anything from workers bringing their own devices to work to employees using corporate machines at home as part of a flexible work schedule. However, this increases the security burden through the need for better identity management.
Read the full article here: https://www.techradar.com/news/remote-workers-prime-targets-for-cyber-attacks
Critical Cisco vulnerabilities put millions of network devices at risk
Five different critical vulnerabilities, collectively known as CDPwn, have been discovered in Cisco's Discovery Protocol, potentially putting tens of millions of enterprise network devices such as desk phones, cameras and network switches at risk.
Cisco Discovery Protocol (CDP) is a Layer 2 protocol used to discover information about directly connected Cisco equipment.
According to researchers, these flaws could allow attackers to take control of products deep within the network without any human intervention, simply by sending a malicious CDP packet to the target device. Because CDP is a link-layer protocol whose frames are not routed, the attacker needs a foothold on the same network segment (or on a neighbouring device) to deliver that packet.
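Both CDPwn items on this page (the one in the 14 February briefing above and this one) come down to a device trusting the length fields in a CDP packet it receives from a neighbour. The parser below is an added example, not code from the page or from the researchers who found CDPwn, written to show what a defensive CDP decoder has to check. It follows the public CDP layout (1-byte version, 1-byte TTL, 2-byte checksum, then type/length/value records whose 2-byte length includes its own 4-byte header) and refuses any TLV whose declared length disagrees with the bytes actually present. The sample frames are constructed, the per-type size caps are this example's own assumption, and the checksum is not validated.

```python
"""Defensive parser for Cisco Discovery Protocol (CDP) payloads.

Added example, not code from the page or from the CDPwn researchers. CDP carries
a 1-byte version, 1-byte TTL and 2-byte checksum, followed by type/length/value
records whose 2-byte length counts its own 4-byte header. The parser refuses any
TLV whose declared length is inconsistent with the bytes actually present, and
applies an assumed per-type size cap for a couple of types. The sample frames
are constructed; the checksum is not validated.
"""
import struct
from typing import List, Tuple

CDP_HEADER_LEN = 4
TLV_HEADER_LEN = 4
TLV_NAMES = {
    0x0001: "Device-ID", 0x0002: "Addresses", 0x0003: "Port-ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x0019: "Power Request",
}
# Assumption: generous caps on value sizes you would expect from real devices.
MAX_VALUE_LEN = {0x0003: 64, 0x0019: 64}


class MalformedCDP(ValueError):
    """Raised when the payload cannot be parsed safely."""


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one well-formed TLV (used here only to build sample frames)."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


def build_cdp(tlvs: List[bytes], version: int = 2, ttl: int = 180) -> bytes:
    """Prepend a CDP header (checksum left at zero) to the given TLV bytes."""
    return struct.pack("!BBH", version, ttl, 0) + b"".join(tlvs)


def parse_cdp(payload: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs, or raise MalformedCDP on any inconsistency."""
    if len(payload) < CDP_HEADER_LEN:
        raise MalformedCDP("payload shorter than the CDP header")
    version, _ttl, _checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    if version not in (1, 2):
        raise MalformedCDP(f"unsupported CDP version {version}")
    tlvs: List[Tuple[int, bytes]] = []
    offset = CDP_HEADER_LEN
    while offset < len(payload):
        if len(payload) - offset < TLV_HEADER_LEN:
            raise MalformedCDP(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        name = TLV_NAMES.get(tlv_type, f"type 0x{tlv_type:04x}")
        if tlv_len < TLV_HEADER_LEN:
            raise MalformedCDP(f"{name}: length {tlv_len} smaller than TLV header")
        if offset + tlv_len > len(payload):
            raise MalformedCDP(f"{name}: length {tlv_len} runs past end of payload")
        value = payload[offset + TLV_HEADER_LEN:offset + tlv_len]
        cap = MAX_VALUE_LEN.get(tlv_type)
        if cap is not None and len(value) > cap:
            raise MalformedCDP(f"{name}: value of {len(value)} bytes exceeds cap of {cap}")
        tlvs.append((tlv_type, value))
        offset += tlv_len  # tlv_len >= 4 guarantees forward progress
    return tlvs


def classify(payload: bytes) -> str:
    """'ok' or 'malformed: <reason>', for use from a packet-capture loop."""
    try:
        parse_cdp(payload)
        return "ok"
    except MalformedCDP as exc:
        return f"malformed: {exc}"


# Constructed sample frames.
GOOD_FRAME = build_cdp([build_tlv(0x0001, b"switch01"), build_tlv(0x0003, b"GigabitEthernet1/0/1")])
OVERSIZED_PORT_ID = build_cdp([build_tlv(0x0001, b"x"), build_tlv(0x0003, b"A" * 200)])
LYING_LENGTH = build_cdp([struct.pack("!HH", 0x0006, 0x0400) + b"WS-C2960"])
ZERO_LENGTH = build_cdp([struct.pack("!HH", 0x0001, 0)])

if __name__ == "__main__":
    for label, frame in [("good", GOOD_FRAME), ("oversized", OVERSIZED_PORT_ID),
                         ("lying", LYING_LENGTH), ("zero", ZERO_LENGTH)]:
        print(label, classify(frame))
```

Run against a capture of the CDP multicast traffic on an access segment, this gives you a way to spot neighbours sending structurally impossible frames. It is a detection aid only: the fix the vendor advisories point to is patching, and on Cisco IOS interfaces that do not need neighbour discovery `no cdp enable` removes the attack surface entirely.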
This latest phishing scam is spreading fake invoices loaded with malware - campaigns are launched against financial institutions in the US and UK.
A notorious malware campaign is targeting banks and financial institutions in the US and the UK with cyberattacks that are not only destructive in their own right, but could also be used as the basis for future intrusions by other hackers.
Emotet started life as a banking trojan, but has also evolved into a botnet, with its criminal operators leasing out its capabilities to those who want to distribute their own malware to compromise machines.
Such is the power of Emotet that at one point last year it accounted for almost two-thirds of malicious payloads delivered in phishing attacks.
Emotet activity appeared to decline during December, but it sprung back to life in January – and it currently shows no signs of slowing down as researchers have detailed yet another campaign.
Read more here: https://www.zdnet.com/article/this-latest-phishing-scam-is-spreading-fake-invoices-loaded-with-malware/
90% of UK Data Breaches Due to Human Error in 2019
Human error caused 90% of cyber data breaches in 2019, according to a CybSafe analysis of data from the UK Information Commissioner’s Office (ICO).
According to the cybersecurity awareness and data analysis firm, nine out of 10 of the 2,376 cyber-breaches reported to the ICO last year were caused by mistakes made by end users. This marked an increase from the previous two years, when 61% and 87% respectively of cyber-breaches were ascribed to user error.
CybSafe cited phishing as the primary cause of breaches in 2019, accounting for 45% of all reports to the ICO. ‘Unauthorized access’ was the next most common cause of cyber-breaches in 2019, with reports relating to malware or ransomware, hardware/software misconfiguration and brute force password attacks also noted.
Read the full article here: https://www.infosecurity-magazine.com/news/90-data-breaches-human-error/
Police Warning: Cyber Criminals Are Using Cleaners to Hack Your Business
Criminal gangs are planting “sleepers” in cleaning companies so that they can physically access IT infrastructure, a senior police officer with responsibility for cyber crime has warned, urging businesses to bolster their physical security processes in the face of the growing threat.
Shelton Newsham, who manages the Yorkshire and Humber Regional Cyber Crime Team, told an audience at the SINET security event that he was seeing a “much larger increase in physical breaches” as cyber crime groups diversify how they attack and move laterally inside institutions.
Read more here: https://www.cbronline.com/cybersecurity/threats/cyber-criminals-cleaners/
The Mirai IoT botnet holds strong in 2020
The Mirai botnet has been a constant IoT security threat since it emerged in fall 2016. The subsequent release of its source code only extended Mirai's reach and is one of the many reasons it has been labelled the "king of IoT malware."
Mirai continues to be successful for a well-known reason: its targets are IoT devices with hardcoded credentials that can be found with a simple web search. Such devices listen for inbound telnet connections on certain ports and have backdoors through which Mirai can enter. Once a device is subsumed into the botnet it immediately scans for other victims.
Read the original article here: https://searchsecurity.techtarget.com/feature/The-Mirai-IoT-botnet-holds-strong-in-2020
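The infection pattern described above (inbound telnet, a short list of factory credentials tried in quick succession, then the device starts scanning) is easy to recognise in a device's own auth log or in a telnet honeypot. The script below is an added example, not code from the page or the linked article. The log lines are constructed; the credential list holds a few of the username/password pairs from the publicly released Mirai source, and the window and threshold values are assumptions to tune.

```python
"""Spot Mirai-style telnet credential spraying in device or honeypot logs.

Added example, not code from the page or the linked article. The log lines are
constructed; the credential list holds a few of the username/password pairs
from the publicly released Mirai source, and the window/threshold values are
assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# A handful of the factory defaults hardcoded in the leaked Mirai source.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "juantech"), ("support", "support"),
}

# Constructed telnetd auth lines (assumed format; adapt LINE_RE to your device).
SAMPLE_LOG = """\
2020-02-06T10:00:01Z telnetd: login attempt src=198.51.100.7 user=root pass=xc3511 result=fail
2020-02-06T10:00:02Z telnetd: login attempt src=198.51.100.7 user=root pass=vizxv result=fail
2020-02-06T10:00:03Z telnetd: login attempt src=198.51.100.7 user=admin pass=admin result=fail
2020-02-06T10:00:04Z telnetd: login attempt src=198.51.100.7 user=root pass=888888 result=success
2020-02-06T10:05:00Z telnetd: login attempt src=192.0.2.10 user=operator pass=******** result=success
2020-02-06T10:05:30Z telnetd: login attempt src=192.0.2.10 user=operator pass=******** result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login attempt src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>\w+)$"
)


def analyse(log_text: str, window: timedelta = timedelta(minutes=5),
            min_distinct: int = 3) -> List[Dict]:
    """Return one alert per source that sprays credentials or uses a Mirai default."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        creds = {(r["user"], r["pw"]) for r in recs}
        known = creds & MIRAI_DEFAULTS
        span = recs[-1]["ts"] - recs[0]["ts"]
        # Spraying: several distinct credentials from one source inside the window.
        spraying = len(creds) >= min_distinct and span <= window
        if not spraying and not known:
            continue
        succeeded = any(r["result"] == "success" and (r["user"], r["pw"]) in MIRAI_DEFAULTS
                        for r in recs)
        alerts.append({
            "src": src,
            "attempts": len(recs),
            "distinct_credentials": len(creds),
            "known_mirai_defaults": sorted(known),
            "default_login_succeeded": succeeded,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the first source is flagged both for spraying four credentials in three seconds and for eventually logging in with a known default, which is the point at which the device should be treated as compromised; the operator who mistyped a password once is not. A successful default login is the alert to act on, because the device will begin scanning outward almost immediately.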
Governments Are Soft Targets for Cyber-criminals
New research has found that governments are more vulnerable to cyber-attacks than other organisations.
A report on the security of municipal governments and agencies identified three key factors that made governments particularly soft targets. Researchers found that governments had larger attack surfaces, lower usage rates of even the most basic email authentication schemes, and much higher rates of internal hosting than other organisations.
Government attack surfaces, consisting of open ports and applications, were found to be on average 33% larger than those of other organisations.
Read more here: https://www.infosecurity-magazine.com/news/governments-are-soft-targets-for/
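The "most basic email authentication schemes" the report refers to are SPF and DMARC, and a missing or permissive record is exactly what makes the spoofed CEO or vendor mail behind the BEC figures in the 14 February briefing above deliverable. The script below is an added example, not code from the page or the report it summarises. In real use the records would come from DNS (dnspython, or `dig TXT`); here a constructed in-memory map stands in for DNS so the check runs offline. The grading rules are this example's own assumptions, not a published standard.

```python
"""Grade a domain's SPF and DMARC posture from its TXT records.

Added example, not code from the page or the report it summarises. In real use
the records would come from DNS (dnspython, or `dig TXT`); here a constructed
in-memory map stands in for DNS so the check runs offline. The grading rules
are this example's own assumptions, not a published standard.
"""
from typing import Dict, List, Optional

# Constructed stand-in for DNS TXT lookups: name -> TXT strings.
FAKE_DNS: Dict[str, List[str]] = {
    "council.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.council.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@council.example; pct=100"],
    "agency.example": ["v=spf1 a mx +all"],
    "_dmarc.agency.example": ["v=DMARC1; p=none; rua=mailto:reports@agency.example"],
    "clinic.example": ["google-site-verification=constructed-placeholder"],
}


def lookup_txt(name: str, dns: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    return dns.get(name.lower(), [])


def parse_spf(records: List[str]) -> Optional[Dict[str, object]]:
    """Return the SPF terms and the qualifier on its 'all' mechanism, or None."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero or multiple SPF records both mean no usable policy
        return None
    terms = spf[0].split()[1:]
    all_qualifier = None
    for term in terms:
        qualifier, mech = "+", term  # '+' (pass) is the default qualifier
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            all_qualifier = qualifier
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Return DMARC tag=value pairs, or None when there is not exactly one record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_domain(domain: str, dns: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """List the ways a spoofed mail claiming to be from `domain` would get through."""
    issues: List[str] = []
    spf = parse_spf(lookup_txt(domain, dns))
    if spf is None:
        issues.append("no (or multiple) SPF record")
    elif spf["all"] in (None, "+", "?"):
        issues.append(f"SPF does not fail unauthorised senders (all qualifier: {spf['all']})")
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    if dmarc is None:
        issues.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            issues.append(f"DMARC policy is '{policy or 'missing'}', so spoofed mail is only monitored")
        if "rua" not in dmarc:
            issues.append("DMARC has no rua= address, so nobody sees the reports")
        pct = dmarc.get("pct")
        if pct is not None and pct != "100":
            issues.append(f"DMARC applies to only {pct}% of mail")
    return issues


if __name__ == "__main__":
    for d in ("council.example", "agency.example", "clinic.example"):
        print(d, grade_domain(d) or ["ok"])
```

The three constructed domains cover the usual spread: one enforcing `-all` and `p=reject`, one that has published records but with `+all` and `p=none` (which authenticates nothing and only collects reports), and one with no email authentication at all. Pointed at your own domains and your key suppliers' domains, the same check tells you whose mail a BEC actor can forge without even bothering to compromise an account.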
BYO Hardware Driver: New Ransomware Attacks Kernel Memory and brings its own vulnerability
A ransomware strain dubbed “RobbinHood” is using a vulnerability in a “legitimate” and signed hardware driver to delete security products from targeted computers before encrypting users files, according to security researchers.
The ransomware exploits a known vulnerability in the driver from Taiwan’s GIGABYTE to subvert a setting in kernel memory in Windows 10, 8 and 7, meaning it “brings its own vulnerability” and can attack otherwise patched systems.
Read more here: https://www.cbronline.com/cybersecurity/threats/robbinhood-ransomware-gigabyte-driver/
Cyber Weekly Flash Briefing for 01 February 2020 - Users fall for phishing, 68% of firms suffer end point attacks, Cisco WebEx flaws, cost to recover from ransomware doubles, UN hacked via SharePoint
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Phishing: You're not as good at spotting scams as you think you are
Most people say they know about phishing and what it involves yet just 5% were able to correctly identify all types of scams according to a survey of nearly 1,000 people from Security.org.
Nearly everyone (96%) knew about phishing and 88% said they could accurately define it. Yet nearly half (47%) didn't know that phishing can happen through software, 43% thought that advertisements are safe; and nearly one-third (30%) didn't know that social media platforms can be sources of phishing.
Phishing has grown in terms of the number of people affected, expanding by 59% over a four-year period. The FBI counted more than 26,300 victims in 2018. It is in the FBI's top four cybercrimes, which includes extortion, non-delivery and identity theft.
More here: https://www.zdnet.com/article/phishing-is-becoming-more-sophisticated-only-5-can-spot-all-scams/
68% of organizations were victims of endpoint attacks in 2019, 80% as a result of zero-days
Organisations are not making progress in reducing their endpoint security risk, especially against new and unknown threats, a Ponemon Institute study reveals.
68% of IT security professionals say their company experienced one or more endpoint attacks that compromised data assets or IT infrastructure in 2019, an increase from 54% of respondents in 2017.
Of the incidents that were successful, researchers say 80% were new or unknown attacks, which they define as “zero-day attacks”. These attacks either involved the exploitation of undisclosed vulnerabilities or the use of new malware variants that signature-based detection solutions do not recognise.
Read the full article here: https://www.helpnetsecurity.com/2020/01/31/endpoint-security-risk/
Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings
Cisco Systems has fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings – no authentication necessary.
A remote attacker would not need to be authenticated to exploit the flaw, according to Cisco. All an attacker would need is the meeting ID and a Webex mobile application for either iOS or Android.
Read the full article here: https://threatpost.com/cisco-webex-flaw-lets-unauthenticated-users-join-private-online-meetings/152191/
Average Cost to Recover from Ransomware Skyrockets to over £64,000
It’s getting more and more expensive for victims of ransomware attacks to recover. The average cost more than doubled in the final quarter of 2019.
According to a new report, a typical total now stands at £63,757. That’s a little over double the previous figure of £31,227.
It’s not just the result of cybercriminals demanding steeper ransoms, though that’s certainly one factor. Others include hardware replacement and repair costs, lost revenues, and, in some incidents, damage to the victim’s brand.
Generally speaking, these costs all increase sharply in relation to the sophistication and duration of the attack.
Read the full article here: https://www.forbes.com/sites/leemathews/2020/01/26/average-cost-to-recover-from-ransomware-skyrockets-to-over-84000/#3c54c7c713a2
CEOs are deleting their social media accounts to protect against hackers
Cyberattacks are the biggest risk to businesses, with the prospect of falling victim to hacking and other cybercrime the threats that the majority of CEOs are most worried about, according to a new report on the views from the boardroom.
A professional services firm surveyed over 1,600 CEOs from around the world and found that cyberattacks have become the most feared threat for large organisations – and that many have taken actions around their personal use of technology to help protect against hackers.
A total of 80% of those surveyed listed cyber threats as the biggest risk to their business, making it the thing that most CEOs are worried about, ranking ahead of skills (79%) and the speed of technological change (75%).
Read more here: https://www.zdnet.com/article/ceos-are-deleting-their-social-media-accounts-to-protect-against-hackers/
UN hacked via unpatched SharePoint server
The UN suffered a major data breach last year after it failed to patch a Microsoft SharePoint server, it emerged this week. Then it failed to tell anyone, even though it produced a damning internal report.
The news emerged after an anonymous IT employee leaked the information to The New Humanitarian, which is a UN-founded publication that became independent in 2015 to report on the global aid community. According to the outlet, internal UN staffers announced the compromise on 30 August 2019, explaining that the “entire domain” was probably compromised by an attacker who was lurking on the UN’s networks.
Read more here: https://nakedsecurity.sophos.com/2020/01/31/un-hacked-via-unpatched-sharepoint-server/
UK proposes tougher security for smart home devices
The UK government plans to introduce a new law designed to improve the security standards of household products connected to the Internet of Things (IoT). The legislation stipulates that all consumer smart devices sold in the UK -- such as smart cameras and TVs, wearable health trackers and connected appliances -- adhere to three specific requirements.
Firstly, all IoT device passwords must be unique and unable to be reset to universal factory settings. Secondly, manufacturers must clearly provide a point of contact so anyone can get in touch to report a vulnerability, and finally, manufacturers must make it crystal clear how long their devices will receive security updates for, at the point of sale.
The proposed rules -- which are relatively straightforward from a manufacturers' point of view -- come after a long consultation period, whereby officials explored the potential impact of the growing popularity of connected devices: government research indicates there will be some 75 billion internet connected devices in homes around the world by the end of 2025. It's hoped such legislation will help prevent attacks that have, in the past, had widespread consequences. In 2016, for example, a Mirai botnet hacked into connected home devices and took down large chunks of the internet.
More here: https://www.engadget.com/2020/01/28/uk-proposes-tougher-security-for-smart-home-devices/
Welcome to this week's Black Arrow Cyber Tip Tuesday - This week Tony talks about why it is important to us to be independent, and how our impartiality and objectivity helps our customers.
This week we are talking about why it is important to us to be independent and how our independence helps us and helps our customers. As an independently owned and operated business we are able to be completely impartial and objective; we are not tied to any vendor, product, service provider or supplier, and this means we can be objective and transparent in our approach. We offer true independence and can advise on a range of different solutions to meet all budgets. We can work with you whether you have IT in house or whether you outsource your IT to an external third party provider, and remember that information security goes far beyond just being an IT problem. Talk to us to see how we can help you to evaluate the efficacy of the controls you have in place or where you might benefit from new ones.
Week in review 25 January 2020 – Phishing dominates UK, Ransomware payments doubled, 160,000 breaches reported under GDPR, Citrix vulns exploited, Internet Explorer zero-day
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Phishing dominates UK cybercrime landscape
If there’s one thing General Data Protection Regulation (GDPR) did for sure, it gave us a clearer picture of the UK cyber security landscape.
A new report says that more security breaches were reported to the Information Commissioner’s Office (ICO) in 2019 than in any previous year. A total of 2,376 reports were made, compared with 1,854 in 2018, and 540 in 2017.
The report shows that there was a 28 per cent increase in the number of reported incidents between 2018 and 2019.
In particular, reports of phishing skyrocketed, rising from 16 reports in 2017, to 877 in 2018, to 1,080 in 2019. Of all of the incidents reported to the ICO in 2019, 45 per cent were related to phishing.
Other notable methods included unauthorised access (791 reported incidents), malware/ransomware (243), hardware and software misconfiguration (64), and brute force password attacks (34).
Read more here: https://www.itproportal.com/news/phishing-dominates-uk-cyber-threat-landscape/
Ransomware Payments Doubled and Downtime Grew in Q4
The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from a security firm.
The security vendor analysed anonymised data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.
It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. The firm believes the jump highlights the diversity of hackers utilising ransomware today.
Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies, where they can attempt to extort the organization for a seven-figure payout. Ryuk ransom payments reached a new high of $780,000 for impacted enterprises.
At the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.
Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. During the quarter, attackers using the former variant began to use data theft to force firms to pay up, which may have increased the figure for total losses.
During the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate.
Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.
According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as it will lead to continued attacks.
Read the original article here: https://www.infosecurity-magazine.com/news/ransomware-payments-doubled/
GDPR: 160,000 data breaches reported already, so expect the big fines to follow
Over 160,000 data-breach notifications have been made to authorities in the 18 months since Europe's new digital privacy regulation came into force, and the number of breaches and other security incidents being reported is on the rise.
Analysis by a UK law firm found that after the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
"GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organisations," according to a partner at the firm who specialises in cyber and data protection.
Read the full article on ZDNet here: https://www.zdnet.com/article/gdpr-160000-data-breaches-reported-already-so-expect-the-big-fines-to-follow/
Hackers target unpatched Citrix servers to deploy ransomware
Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware.
Multiple sources in the infosec community are reporting about hacker groups using the CVE-2019-19781 vulnerability in Citrix appliances to breach corporate networks and then install ransomware.
Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach.
The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.
Read more here: https://www.zdnet.com/article/hackers-target-unpatched-citrix-servers-to-deploy-ransomware/
Why the Jeff Bezos phone hack is a wake-up call for the powerful
When deeply personal information about one of the world’s most powerful businessmen is exposed through an attack apparently coming from the WhatsApp account of a future head of state, then who can truly feel safe?
This week’s assertion that Jeff Bezos’s iPhone X was probably hacked by the personal account of Mohammed bin Salman, crown prince of Saudi Arabia, had plenty of shock value. For anyone operating at a senior level of business or government, it is a clear wake-up call.
Read more on the FT here: https://www.ft.com/content/b5f6f3d0-3e05-11ea-a01a-bae547046735
Top UK law firms falling victim to human error
Nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.
Read more on LegalFutures here: https://www.legalfutures.co.uk/blog/gdpr-top-uk-law-firms-falling-victim-to-human-error
Regus data breach sees staff performance data published online
A spreadsheet with names, addresses and job performance data was easily found via Google, the media claim.
Personal details, as well as professional performance, of more than 900 employees of Regus have been published online after a mishap following staff review.
The media are reporting that the major office space provider had been recording its staff, with the help of mystery shopping firm Applause, for the sake of training and improving the performance of the employees. The details were subsequently published online.
Reports state that a spreadsheet with names, addresses and job performance data was easily found via Google.
Read the full article here: https://www.itproportal.com/news/regus-data-breach-sees-staff-performance-data-published-online/
Cisco Warns of Critical Network Security Tool Flaw
The critical flaw exists in Cisco’s administrative management tool, used with network security solutions like firewalls.
A critical Cisco vulnerability exists in its administrative management tool for Cisco network security solutions. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices.
The flaw exists in the web-based management interface of the Cisco Firepower Management Center (FMC), which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service. Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.
Read more on ThreatPost here: https://threatpost.com/cisco-critical-network-security-tool-flaw/152131/
Microsoft Zero-Day Actively Exploited, Patch Forthcoming
An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It’s working on a patch. In the meantime, workarounds are available.
The bug (CVE-2020-0674) which is listed as critical in severity for IE 11, and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser, according to Microsoft’s advisory, issued Friday.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user – meaning that an adversary could gain the same user rights as the current user.
Read more here: https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/
Big Microsoft data breach – 250 million records exposed
Microsoft on Wednesday announced a data breach that affected one of its customer databases.
The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.
Microsoft didn’t give details of how big the database was. However, the consumer research firm that says it discovered the unsecured data online claims it was of the order of 250 million records containing:
…logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.
According to the company that found the records, that same data was accessible on five different servers.
The company informed Microsoft, and Microsoft quickly secured the data.
Read more here: https://nakedsecurity.sophos.com/2020/01/22/big-microsoft-data-breach-250-million-records-exposed/
Exposed AWS buckets again implicated in multiple data leaks
The lack of care being taken to correctly configure cloud environments has once again been highlighted by two serious data leaks in the UK caused by leaking Amazon Simple Storage Service (S3) bucket databases.
As a default setting, Amazon S3 buckets are private and can only be accessed by individuals who have explicitly been granted access to their contents, so their continued exposure points to the concerning fact that consistent messaging around cloud security policy, implementation and configuration is failing to get through to many IT professionals.
Read the full article on ComputerWeekly: https://www.computerweekly.com/news/252476870/Exposed-AWS-buckets-again-implicated-in-multiple-data-leaks
What Is Smishing, and How Do You Protect Yourself?
You’re probably familiar with email-based phishing, where a scammer emails you and tries to extract sensitive information like your credit card details or social security number. “Smishing” is SMS-based phishing—scam text messages designed to trick you.
How-To Geek have a useful guide explaining what Smishing is and how best to protect yourselves. Read the guide here: https://www.howtogeek.com/526115/what-is-smishing-and-how-do-you-protect-yourself/
Cyber Tip Tuesday for 21 January 2020 - James talks about the dangers of Internet of Things (IoT) and Shadow IT
Welcome to this week's Black Arrow Cyber Tip Tuesday. This week James is talking about dangers from Internet of Things (IoT) and Shadow IT devices that may have crept onto your corporate networks. Do you know all the devices on your network? Do they introduce security risks to your business? In an increasingly connected world, the security umbrella with which you protect your organisation’s information assets is constantly expanding. At the fringes and often overlooked by businesses, are the Internet of Things (or IoT) and Shadow IT.
The Internet of Things consists of an ever-increasing number of physical devices with network connectivity features. Often people associate IoT with smart consumer devices. However, there are many IoT devices which also exist in a corporate environment, and they are often overlooked when a company evaluates its information assets. As such they remain invisible to your Vulnerability Management strategy and can seriously compromise your security posture.
Conversely, Shadow IT refers to software and applications that aren’t sanctioned by your company but have instead been installed by users (often to fulfil a single task, after which they are forgotten). This isn’t always a bad thing, except when these applications have access to company information but lack the controls and governance surrounding sanctioned applications, in which case they pose a significant risk to the security of your data and your business.
Contact us to discuss how you can decrease risk by increasing visibility.
Week in review 19 January 2020 – hacker leaks IoT passwords, WordPress plugin vulns, Oracle record patch haul, 25% of users fall for phishing, quarter of PCs vulnerable now Windows 7 unsupported
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.
The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.
According to experts, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
Read more here: https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
Equifax Breach Settlement Could Cost Firm Billions
Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.
The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.
Over two-fifths (44%) of the population of the US are thought to have been affected.
This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.
Read more here: https://www.infosecurity-magazine.com/news/equifax-breach-settlement-could/
WordPress plugin vulnerability can be exploited for total website takeover
A WordPress plugin has been found to contain "easily exploitable" security issues that can be exploited to completely take over vulnerable websites.
The plugin at the heart of the matter, WP Database Reset, is used to reset databases -- either fully or based on specific tables -- without the need to go through the standard WordPress installation process.
According to the WordPress library, the plugin is active on over 80,000 websites.
The two severe vulnerabilities were found on January 7 and either of the vulnerabilities can be used to force a full website reset or takeover.
Tracked as CVE-2020-7048, the first critical security flaw has been issued a CVSS score of 9.1. As none of the database reset functions were secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication.
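As an added example (not code from the WP Database Reset plugin or any other project), this is what a "reset tables" handler in a WordPress plugin looks like when it carries the controls the report says were missing: a capability check, a nonce check, and an allow-list for the table names. The plugin, action, option and page names are hypothetical.

```php
<?php
/*
 * Added example, not the plugin's own code. Shows the three controls a
 * destructive admin action in a WordPress plugin should have:
 *   1. a capability check (authorisation, not just "logged in"),
 *   2. a nonce check (CSRF protection),
 *   3. an allow-list for the tables that may be touched.
 * All names (example_reset_*, page slug) are hypothetical.
 */

// Register a Tools submenu page; only users with manage_options can open it.
function example_reset_register_page() {
    add_management_page(
        'Example Reset',        // page title
        'Example Reset',        // menu title
        'manage_options',       // capability required to see the page
        'example-reset',        // menu slug
        'example_reset_render_form'
    );
}
add_action( 'admin_menu', 'example_reset_register_page' );

// Render the form. wp_nonce_field() embeds a nonce bound to this action and
// to the current user's session; the handler below verifies it.
function example_reset_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_reset_tables">
        <?php wp_nonce_field( 'example_reset_tables', 'example_reset_nonce' ); ?>
        <label><input type="checkbox" name="tables[]" value="posts"> posts</label>
        <label><input type="checkbox" name="tables[]" value="comments"> comments</label>
        <?php submit_button( 'Reset selected tables' ); ?>
    </form>
    <?php
}

// Handle the POST. Note: only the admin_post_{action} hook is registered,
// never admin_post_nopriv_{action}, so anonymous requests never reach this.
// Even so, "logged in" is not "authorised": a subscriber is logged in too.
function example_reset_handle() {
    // 1. Authorisation: require an administrator-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset database tables.', 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this
    //    action, so a form on a third-party site cannot trigger it.
    check_admin_referer( 'example_reset_tables', 'example_reset_nonce' );

    // 3. Input validation: accept only table names from a fixed allow-list,
    //    never a table name taken straight from the request.
    $allowed   = array( 'posts', 'comments', 'postmeta', 'commentmeta' );
    $requested = isset( $_POST['tables'] ) ? (array) $_POST['tables'] : array();
    $tables    = array_values( array_intersect( array_map( 'sanitize_key', $requested ), $allowed ) );

    if ( empty( $tables ) ) {
        wp_die( 'No valid tables selected.', 400 );
    }

    global $wpdb;
    foreach ( $tables as $table ) {
        // $table comes from the allow-list above, so interpolating it into
        // the DDL statement is safe (TRUNCATE takes no bound placeholders).
        $wpdb->query( 'TRUNCATE TABLE `' . $wpdb->prefix . $table . '`' );
    }

    // Destructive admin actions should leave an audit trail of who ran them.
    error_log( sprintf(
        'example_reset: user %d truncated %s',
        get_current_user_id(),
        implode( ',', $tables )
    ) );

    wp_safe_redirect( add_query_arg( 'reset', 'done', admin_url( 'tools.php?page=example-reset' ) ) );
    exit;
}
add_action( 'admin_post_example_reset_tables', 'example_reset_handle' );
```

Without the first two checks any request that reaches the handler, including one forged from another site, would be acted on; check_admin_referer() calls wp_die() itself when the nonce is missing or invalid.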
Oracle Issues Record Critical Patch Update cycle with 334 Patches
Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.
The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.
Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly.
Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).
It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.
Read the original article here: https://www.infosecurity-magazine.com/news/oracle-issues-record-cpu-with-334/
Giant botnet has just sprung back to life pushing a big phishing campaign
One of the world's most prolific botnets has returned and is once again attempting to deliver malware to victims via phishing attacks.
Emotet started life as a banking trojan before evolving into a botnet, which its criminal operators leased out to other hackers as a means of delivering their own malware to previously compromised machines.
Such was the power of the botnet that at one point last year it accounted for almost two-thirds of malicious payloads delivered in phishing attacks.
But after seemingly disappearing towards the end of 2019, Emotet has now returned with a giant email-spamming campaign, as detailed by researchers at cybersecurity company Proofpoint.
Read more here: https://www.zdnet.com/article/this-giant-botnet-has-just-sprung-back-into-life-pushing-a-big-phishing-campaign/
A quarter of users will fall for basic phishing attacks
Slightly more than a quarter of people will fall for a phishing scam that claims to be an urgent message prompting them to change a password, according to statistics gathered by a cyber security testing and training firm.
The security firm studied tens of thousands of email subject lines both from simulated phishing tests and those found in the wild, and found many of the most-clicked emails related either to security or urgent work-related matters.
It revealed its top 10 most effective simulated subject lines to be: Change of Password Required Immediately (26% opened); Microsoft/Office 365: De-activation of Email in Process (14% opened); Password Check Required Immediately (13% opened); HR: Employees Raises (8% opened); Dropbox: Document Shared With You (8% opened); IT: Scheduled Server Maintenance – No Internet Access (7% opened); Office 365: Change Your Password Immediately (6% opened); Avertissement des RH au sujet de l’usage des ordinateurs personnels (6% opened); Airbnb: New device login (6% opened); and Slack: Password Reset for Account (6% opened).
In the wild, subject lines often tended to relate to Microsoft, with emails about SharePoint and Office 365 particularly likely to be opened, as well as notifications about Google and Twitter accounts. People were also likely to fall for emails pretending to be related to problems with a shipping company, with FedEx the most widely impersonated, as well as the US Postal Service.
Read the full article here: https://www.computerweekly.com/news/252476845/A-quarter-of-users-will-fall-for-basic-phishing-attacks
Business Disruption Attacks Most Prevalent in Last 12 Months
Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.
According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, over a third (36%) of incidents involved ransomware, destructive malware or denial of service attacks. CrowdStrike determined these three to be focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.
Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.
Read more here: https://www.infosecurity-magazine.com/news/business-disruption-attacks/
Quarter of PCs could now be more at risk from ransomware
Last week saw the day when Windows 7 reached end of life. That means that Microsoft will no longer issue regular patches or updates for the famed operating system. From now on, any flaw or vulnerability discovered will remain unpatched, and the machines running the old system will remain at risk.
Any businesses or individuals running legacy and unsupported operating systems will be at a greater risk of ransomware than before.
WannaCry, one of the most devastating ransomware strains of all time, was successful mostly because of unpatched systems. Roughly 200,000 devices in 150 countries around the world will be vulnerable to similar malware, now that Windows 7 is no longer receiving security updates from Microsoft.
From this month, a quarter of all PCs are going to fall into this unsupported category so it is vital that any organisations that rely on Windows 7 are aware of the risks and what they need to mitigate them.
Read the original article here: https://www.itproportal.com/news/quarter-of-pcs-could-now-be-more-at-risk-from-ransomware/
5 tips to avoid spear-phishing attacks
Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.
The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.
Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims such as the Burismas of the world.
Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.
So here are Sophos’ 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:
1. Don’t be swayed just because a correspondent seems to know a lot about you
2. Don’t rush to send out data just because the other person tells you it’s urgent
3. Don’t rely on details provided by the sender when you check up on them
4. Don’t follow instructions on how to view an email that appear inside the email itself
5. Don’t be afraid to get a second opinion
Read the full article here: https://nakedsecurity.sophos.com/2020/01/17/5-tips-to-avoid-spear-phishing-attacks/
Organized cybercrime -- not your average mafia
Does the common stereotype for "organised crime" hold up for organisations of hackers? Research from a university in the US is one of the first to identify common attributes of cybercrime networks, revealing how these groups function and work together to cause an estimated $445-600 billion of harm globally per year.
"It's not the 'Tony Soprano mob boss type' who's ordering cybercrime against financial institutions," said Thomas Holt, MSU professor of criminal justice and co-author of the study. "Certainly, there are different nation states and groups engaging in cybercrime, but the ones causing the most damage are loose groups of individuals who come together to do one thing, do it really well - and even for a period of time - then disappear."
In cases like New York City's "Five Families," organised crime networks have historic validity, and are documented and traceable. In the online space, however, it's a very difficult trail to follow, Holt said.
Read more here: https://eurekalert.org/pub_releases/2020-01/msu-oc-011620.php
Cybercrime Statistics in 2019
It doesn’t make for cheery reading, but a researcher has compiled a list of statistics for cyber crime; here are a few choice headlines:
Cybercrime will cost as much as $6 trillion annually by 2021
Financial losses reached $2.7 billion in 2018
The total cost of cybercrime for each company in 2019 reached US$13M
The total annual cost of all types of cyberattacks is increasing
Read the full article here: https://securityaffairs.co/wordpress/96531/cyber-crime/cybercrime-statistics-in-2019.html
Cyber Tip Tuesday for 14 January - No Technical Tool or Tools offer 100% Protection
Today we are talking about tools, as no tool, or suite of tools, can offer one hundred percent protection, after all anything man made can be man broken! Even if a tool did offer complete protection today there will be teams of people around the world working around the clock to break it. Anyone who says they rest easy or who says they sleep well at night because they have a particular tool is likely overconfident in that tool's ability to keep them safe. Multiple layers of protection are needed and any technical solution still needs to be backed up with robust people and governance controls.
We can analyse your protections to see where your weaknesses might exist, and we can help shore up people and governance controls too.
Week in review 12 January 2020 – Office 365 Phishing, Firms Hit Once Per Minute, Dixons Carphone fined, Travelex hackers threaten to sell data, Firefox zero-day exploit, Citrix scanned for vulns
Week in review 12 January 2020 – Office 365 Phishing Attacks, Firms Hit Once Per Minute in 2019, Dixons Carphone Fined for Breach, Travelex hackers threaten to sell credit card data, Mozilla patches actively exploited Firefox zero-day, Hackers probe Citrix servers for remote code execution vulnerability
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Office 365 users: Beware of phishing emails pointing to Office Sway
One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.
The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because either it was sent from an onmicrosoft.com email address or it includes links in the email that point to sway.office.com and other trusted sites (e.g., LinkedIn). The email pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.
Read more here: https://www.helpnetsecurity.com/2020/01/10/phishing-office-sway/
Cyber-Attacks Hit UK Firms Once Per Minute in 2019
UK businesses were deluged with cyber-attacks in 2019, with the average firm hit by over half a million attempts to compromise systems, according to a new report.
A UK-based business Internet Service Provider (ISP) extrapolated the findings from data on its own corporate customers across the country.
It calculated the average number of attacks aimed at a single business last year was 576,575, around 152% higher than the 281,094 recorded in 2018 and the highest since the ISP began analyzing this kind of data in 2016.
That means UK businesses were forced to repel 66 attacks per hour on average in 2019.
The firm identified 1.8 million unique IP addresses responsible for the attacks last year, just under a fifth (18%) of which were located in China. However, this is more an indication of the sheer number of potentially hijacked machines based in the country rather than the origin of the attackers.
There was a fairly big drop to second placed Brazil (7%), which was followed by Taiwan (6%) and Russia (5%) in terms of originating IP addresses for attacks.
Attackers most commonly targeted network device admin tools and IoT endpoints like connected security cameras and building control systems, according to Beaming. These suffered 92,448 attacks in total last year, while 35,807 were targeted at file sharing applications.
Read the full article here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-once-per/
Dixons Carphone Receives Maximum Fine for Major Breach
A major UK high street retailer has been fined the maximum amount under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.
Privacy regulator the Information Commissioner’s Office (ICO) fined DSG Retail £500,000 under the 1998 Data Protection Act after Point of Sale (POS) malware was installed on 5390 tills.
The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, allowing hackers to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers, over a nine-month period.
The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.
More information here: https://www.infosecurity-magazine.com/news/dixons-carphone-receives-maxi-fine/
Travelex hackers threaten to sell credit card data on dark web
Cyber gangsters have stepped up the pressure on Travelex to pay a $6m ransom to decrypt the company’s data by issuing a new threat to sell personal data about its customers on the dark web.
The threat comes after a cyber crime group used sophisticated malware, known as Sodinokibi or REvil, to encrypt the currency exchange’s computer files, forcing the company to switch off its worldwide computer network.
Travelex, which has hired computer experts to investigate the incident, said on 9 January that it was making progress in bringing its systems back online and that there was “still no evidence to date that any data has been exfiltrated”.
The attack has disrupted Travelex operations for 10 days, leaving the firm’s customers unable to collect foreign currency orders, use the Travelex app, or pay for currency using credit cards. This has led to widespread complaints from customers.
Over a dozen banks, including the Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, which rely on Travelex to provide services, have also told customers they are unable to take orders for foreign currency.
The crime group has stepped up pressure on Travelex, which has operations in 70 countries, by threatening to sell personal data collected from the company, including credit card details, on a Russian cyber crime forum.
Read the full article here: https://www.computerweekly.com/news/252476526/Travelex-hackers-threaten-to-sell-credit-card-data-on-dark-web
PayPal Confirms ‘High-Severity’ Password Security Vulnerability
PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker. The problem, which was disclosed on January 8, was patched by PayPal on December 11, 2019.
Read more here: https://www.forbes.com/sites/daveywinder/2020/01/10/paypal-confirms-high-severity-password-security-vulnerability/#42f496561b50
Mozilla patches actively exploited Firefox zero-day
Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.
Read more here: https://www.helpnetsecurity.com/2020/01/09/cve-2019-17026/
Hackers probe Citrix servers for weakness to remote code execution vulnerability
Cyberattackers are performing scans to find Citrix servers vulnerable to a critical security flaw.
Disclosed in December, the severe vulnerability, tracked as CVE-2019-19781, impacts the Citrix Application Delivery Controller (ADC) -- also known as NetScaler ADC -- alongside Citrix Gateway, formerly known as NetScaler Gateway. The critical vulnerability permits directory traversal and if exploited permits threat actors to conduct Remote Code Execution (RCE) attacks.
Researchers have estimated that at least 80,000 organizations in 158 countries are users of ADC and could, therefore, be at risk. Companies in the firing line are predominantly based in the US -- roughly 38 percent -- as well as the UK, Germany, the Netherlands, and Australia.
Read more here: https://www.zdnet.com/article/hackers-probe-unsecured-citrix-servers-for-netscaler-vulnerability/
Our first Black Arrow Cyber Tip Tuesday video for 2020 - what's coming up in the next couple of months
Welcome to our first Black Arrow Cyber Tip Tuesday for 2020, a chance for us to have a think about what's coming up over the next couple of months. Firstly, we know the new GFSC rules on cyber security will be going out to consultation, and we know that the GFSC will be putting a lot more focus on cyber security, both in terms of operational and governance risk, so regulated firms need to think about how they are going to demonstrate compliance with these new regulations. Secondly, we will be holding our first workshop for charities later in Q1, once we have completed a number of case studies with local charities to ensure the workshop hits the right note with the charities we are trying to help. More info on this will follow in the next month or so. Whether you're a regulated financial services firm, any other kind of business, large or small, or a charity, contact us today to see how we can help make security easier for you to understand and protect yourselves against attacks.
Contact us for more
Note to Channel Islands firms on media coverage on the increased risk of cyber attacks from Iran
There has been extensive coverage in both tech and mainstream media warning about the possibility of revenge cyber attacks by Iran following the targeted killing of Iranian General Qasem Soleimani by the United States last week.
Whilst there is a chance that Iran will attack the US and her allies, firms in the West need to consider their threat models and whether or not Iranian interests intersect with their business operations.
Unless a local Channel Islands firm is providing high profile services directly to the US, or otherwise would have operations significant enough to be directly targeted by Iran, it is unlikely there is much danger to Channel Islands firms specifically from the Iranians as a result of this assassination.
Nation State actors do pose an ongoing threat to businesses across the Channel Islands, and good cyber hygiene should be followed to guard against attacks by Nation States and any other malicious actors wanting to cause you harm.
If you have any specific concerns or if you want to discuss your existing defensive capabilities please contact us.
Week in review 05 January 2020 - December breaches, worst passwords, Travelex taken offline, IoT security stinks, Iran revenge cyber attacks expected on US
Week in review 05 January 2020 - Round up of the most significant open source stories of the last week, December breaches, worst passwords, Travelex taken offline, IoT security stinks, Iran revenge attacks expected on US
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Welcome to our first blog post of 2020:
List of data breaches and cyber attacks in December 2019 – 627 million records breached
The new year – and new decade – is underway, but before saying goodbye to 2019, ITGovernance had one more monthly round-up to get to.
December saw 90 disclosed data breaches and cyber attacks, with 627,486,696 records being compromised. That’s about a third of the average monthly total, although the number of incidents has climbed steadily throughout the year.
Refer to the original article for the full list of December’s incidents: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-december-2019
These are officially the worst passwords of 2019
SplashData has released its annual list of the most commonly-used passwords across the world, uncovering that old security habits really do die hard.
The security firm investigated over five million leaked passwords over the past twelve months, and found that many of the most common logins would be easy to guess for even the most incompetent hackers.
In perhaps the most surprising news, "password" has for the first time been knocked out of the top two spots, being replaced by the painfully simple "123456" and "123456789".
SplashData estimates almost 10 percent of people have used at least one of the 25 worst passwords on this year’s list, with nearly three percent using "123456".
Here are the so-called "worst passwords of 2019":
123456
123456789
qwerty
password
1234567
12345678
12345
iloveyou
111111
123123
Read the original article here: https://www.techradar.com/uk/news/these-are-officially-the-worst-passwords-of-2019
Hacks and Breaches of 2019: A Year in Review
SecurityBoulevard have a review of the biggest hacks and breaches from 2019, including Fortnite in January, WhatsApp from May, Facebook from April, Amazon Web Services from July and Zynga from September.
Read the full article here: https://securityboulevard.com/2020/01/hacks-and-breaches-of-2019-a-year-in-review/
US based Company shuts down because of ransomware, leaves 300 without jobs just before holidays
An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn't go according to plan following a ransomware incident that took place at the start of October 2019.
Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company's CEO.
Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard.
This shows how devastating ransomware attacks can be on businesses of all sizes.
Read the original article here: https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/
Travelex site taken offline after cyber attack
The foreign-currency seller Travelex had to suspend some of its services to protect data since the firm suffered from a ‘software virus attack’ on New Year's Eve.
The company has resorted to carrying out transactions manually, providing foreign-exchange services over the counter in its branches.
A spokesman stated the firm is doing all it can to restore full services as soon as possible.
More from the BBC here: https://www.bbc.com/news/business-50977582
After latest hack, experts say smart home security systems stink at securing data
Another day, another smart home camera system security hack, this one affecting the Seattle-based company Wyze. First reported by a Texas-based cybersecurity firm and confirmed by Wyze, the hack is estimated to have affected 2.4 million customers who had their email addresses, the emails of anyone they ever shared camera access with, a list of their cameras, the last time they were on, and much more information exposed. Some customers even had their health data leaked.
Wyze is a home camera system similar to Amazon’s Ring that’s more economical: Wyze’s products cost about a third of Amazon’s Ring. Both companies have now experienced at least one kind of major breach — either a hack or a leak — that should raise the eyebrows of anyone considering purchasing this type of home security.
Read the full article here: https://www.digitaltrends.com/news/wyze-data-hack-protection/
Iran 'revenge' could come in the form of cyber-attacks, experts warn
The US assassination of Qassem Suleimani has increased the likelihood that protracted cyber-hostilities between the US and Iran could escalate into true cyberwarfare.
With tensions mounting and Iran threatening “severe revenge” over the killing, concerns have arisen that blowback could come in the form of hacking attacks on critical infrastructure sectors, which include the power grid, healthcare facilities, banks and communications networks.
Iran has invested heavily in its cyber-attack forces since the Stuxnet attack in 2010 – which saw the US and Israel degrade Iran’s nuclear capabilities by means of a computer virus. It has demonstrated its capabilities with attacks on US banks and a small dam, and the US has countered with attacks on an Iranian intelligence group and missile launchers.
There is a danger attacks by Iran against the US spread to other targets in the West and we will continue to monitor any developments.
Read the original article here: https://www.theguardian.com/world/2020/jan/03/iran-cyberattacks-experts-us-suleimani