Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

60 second video version of this week’s flash briefing

More top companies ban Zoom following security fears

As usage of Zoom rises amidst the global pandemic, more companies are telling their staff to stay off the video conferencing service due to security concerns.

Among the latest organisations to block the use of Zoom are German industrial giant Siemens, which sent out an internal circular urging its employees to not use the tool for video conferencing, with Standard Chartered Bank also issuing a similar note to its staff.

The latter has told employees to avoid Google Hangouts, which has also emerged as another popular teleconferencing application in recent weeks.

Read more here: https://www.techradar.com/uk/news/more-top-companies-ban-zoom-following-security-fears

Over 500,000 Zoom accounts sold on hacker forums, the dark web

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Read more here: https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/

Microsoft April 2020 Patch Tuesday fixes 3 zero-days – 2 of which being actively exploited, 15 critical flaws

Microsoft's April 2020 Patch Tuesday fell this week, and with everything going on, it is going to be particularly stressful for Windows administrators.

With the release of the April 2020 security updates, Microsoft has released fixes for 113 vulnerabilities in Microsoft products. Of these vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as Moderate, and 2 as Low.

Of particular interest, Microsoft patched three zero-day vulnerabilities, with two of them being seen actively exploited in attacks.

Users should install these security updates as soon as possible to protect Windows from known security risks.

Read more here: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2020-patch-tuesday-fixes-3-zero-days-15-critical-flaws/

Hackers Are Selling a Critical Zoom Zero-Day Exploit for £400,000

Hackers are selling two critical vulnerabilities for the video conferencing software Zoom, one for Windows and one for MacOS that would allow someone to hack users and spy on their calls.

The two flaws are so-called zero-days, and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale.

Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they’re in, they can be sold for thousands or even millions of dollars.

Read more: https://www.vice.com/en_uk/article/qjdqgv/hackers-are-selling-a-critical-zoom-zero-day-exploit-for-pound400000

Phishing kit prices skyrocketed in 2019 by 149%

The average price of a phishing kit sold on cybercrime markets has gone up in 2019 by 149% according to new findings released this week based on analysis of ads posted on known cybercrime markets and hacking forums.

The average price for phishing kits sold on the cybercrime underground in 2019 has skyrocketed to $304 on average last year, up from only $122 recorded in 2018.

Phishing kit prices rose despite an increase in the number of kit sellers (up by 120%) and the number of phishing kit ads (doubled in 2019).

Of the 16,200 phishing kits identified and tracked in 2019, the most targeted login pages were for Amazon, Google, Instagram, Office 365, and PayPal.

Amazon and PayPal are known targets of phishing operations, as access to both accounts can allow hackers to make fraudulent transactions with victims' funds.

More here: https://www.zdnet.com/article/phishing-kit-prices-skyrocketed-in-2019-by-149/

A Sinister New Botnet Could Prove Nearly Impossible To Stop

Security researchers have discovered an emerging threat that they fear could be nearly unstoppable. This growing botnet has already managed to enslave nearly 20,000 computers.

It is known as DDG, and it’s been lurking in the shadows for at least two years. DDG was first discovered in early 2018.

Back then the nascent botnet had control of just over 4,000 so-called zombies and used them to mine the Monero cryptocurrency. Much has changed since then.

Today’s incarnation of DDG isn’t just five times larger. It’s also much more sophisticated.

One of its distinguishing features is its command and control system. Most botnets are designed around a client/server model. Infected machines listen for instructions from the servers and then carry out their orders.

Read more: https://www.forbes.com/sites/leemathews/2020/04/10/a-sinister-new-botnet-could-prove-nearly-impossible-to-stop/#492de9c27c5c

MSC Data Centre Closes Following Suspected Cyber-Attack

A container shipping company has said malware could be to blame for the closure of one of its data centres last week.

The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing.

The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company's myMSC portal.

A message posted from the Twitter account MSC Cargo on April 10 stated: "We are sorry to inform you that http://MSC.com and myMSC are currently not available as we've experienced a network outage in one of our data centers. We are working on fixing the issue."

As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.

Read the original article here: https://www.infosecurity-magazine.com/news/msc-suffers-suspected-cyberattack/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

60 second video flash briefing

UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors

A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.

Read more here: https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory

Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf

Travelex paid $2.3M in Bitcoin to get its systems back from hackers

Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.

The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.

Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.

Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.

Travelex‘ operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.

At the time, BBC claimed that Travelex‘ attackers had demanded $6 million worth of Bitcoin to unlock its systems.

Read more: https://thenextweb.com/hardfork/2020/04/09/travelex-paid-2-3m-in-bitcoin-to-get-its-systems-back-from-hackers/

Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess

The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.

The company announced that it’s taking help from CISOs to improve the security and patch the flaws in the app. Zoom will be taking help from CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.

Read more here: https://mspoweruser.com/zoom-ciso-hires-ex-facebook-cso-clean-its-mess/

Researchers discover IoT botnet capable of launching various DDoS attacks

Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.

According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.

Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.

Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.

Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/

Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees

Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.

Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.

“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”

Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/

Stolen Zoom account credentials are freely available on the dark web

Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom account have been found on the dark web.

The credentials were hardly hidden -- aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.

Read more: https://betanews.com/2020/04/08/zoom-account-credentials-dark-web/

Shadow IT Represents Major #COVID19 Home Working Threat

Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.

A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.

It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.

These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.

Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.

These challenges are only going to grow, according to the research.

Read more here: https://www.infosecurity-magazine.com/news/shadow-it-covid19-home-working/

'Unkillable' Android malware gives hackers full remote access to your phone

Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.

A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.

The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.

Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.

xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.

More here: https://www.techradar.com/uk/news/beware-the-unkillable-android-malware-lurking-on-third-party-app-stores

Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android

BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.

The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.

The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.

The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.

Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).

More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats

Bot traffic fueling rise of fake news and cybercrime

The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.

At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.

A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.

According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.

The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.

Read more here: https://www.techradar.com/news/bot-traffic-fueling-rise-of-fake-news-and-cybercrime

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

In collaboration with the new Guernsey Startup Hub these are our top tips for small businesses to help keep them secure online at this difficult time

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

GFSC warns over increased risk of fraud and cyber crime

The GFSC has put out a warning to regulated firms on the Island around increased likelihood of fraud and other cyber crimes as a result of the COVID-19 pandemic.

The Commission has stated that they expect licensees to apply effective controls, including having suitable controls to prevent cybercrime.

Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites

Online threats have risen by as much as six-times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks.

Analysis of UK traffic figures for the past four weeks compared to the previous month noted a sharp uptick in malicious activity.

Hacking and phishing attempts were up 37% month-on-month, while on some days, there were between four- and six-times the number of attacks it would usually see.

More here: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/

Cybercrime spikes during coronavirus pandemic, says Europol

Just like everyone else in the face of a pandemic, criminals seem to be staying home — but they're just turning to different methods to make a buck.

That's the message from a new Europol report out this week, which reveals that criminals are adapting to exploit the global chaos.

While many police departments are reporting a lull in physical crime, other types of crime are having a heyday — and those numbers are only expected to increase.

Europol identified cybercrime, fraud, counterfeit goods and organised property crime as categories of particular concern.

Read more here: https://www.euronews.com/2020/03/27/cybercrime-spikes-during-coronavirus-pandemic-says-europol

Cybercriminal group mails malicious USB dongles to targeted companies

Security researchers have come across an attack where an USB dongle was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time it's a known sophisticated cybercriminal group who is likely behind it.

The attack was analysed after a US company in the hospitality sector received the USB sometime in mid-February.

The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer. "You can spend it on any product from the list of items presented on an USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.

More here: https://www.csoonline.com/article/3534693/cybercriminal-group-mails-malicious-usb-dongles-to-targeted-companies.html

Top Email Protections Fail in Latest COVID-19 Phishing Campaign

Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.

New phishing attacks were discovered that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area.

The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to the report.

More: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/

Zoom Phishers Register 2000 Domains in a Month

Over 2000 new phishing domains have been set up over the past month to capitalise on the surging demand for Zoom from home workers, according to new data.

The report analysed data from a threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.

The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.

With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.

Nearly a third (30%) of the new “Zoom” websites spotted activated an email server which indicates these domains are being used to facilitate phishing attacks.

More here: https://www.infosecurity-magazine.com/news/zoom-phishers-register-2000/

Across-the-board increase in DDoS attacks of all sizes

There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to a report.

DDoS attacks grew across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.

In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.

However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.

Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.

More here: https://www.helpnetsecurity.com/2020/03/27/ddos-attacks-increase-2020/

Cybersecurity insurance firm Chubb investigates its own ransomware attack

A notorious ransomware gang claims to have successfully compromised the infrastructure of a company selling cyber insurance.

The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.

The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.

Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.

Read the full article here: https://hotforsecurity.bitdefender.com/blog/cybersecurity-insurance-firm-chubb-investigates-its-own-ransomware-attack-22753.html

Ransomware Payments on the Rise

More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.

New research published this week shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.

The report states 62% of organisations were victimised by ransomware in 2019, up from 56% in 2018 and 55% in 2017.

In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.

Read the full article here: https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments/

Marriott hit by second data breach exposing “up to” 5.2 million people

Hotel chain Marriott International this week announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.

The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.

The hotel company has stressed that not all data was exposed for each person.

Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.

The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.

More here: https://www.verdict.co.uk/marriott-second-data-breach/

Lawyers urged to switch off Alexa when working from home

Law firms are warning their employees to turn off their smart speakers while working from home due to security concerns.

Smart speakers such as Amazon’s Echo series and Google’s Nest range have become wildly popular in Britain with an estimated 34pc of households now using them.

But privacy and security experts have repeatedly said the devices may pose a security threat and now law firms have advised staff not to disclose sensitive details when they are in use nearby.

A spokesman from one firm of solicitors said that that hackers could access sensitive details through the speakers, telling their staff to check the default settings on the speaker and to the extent that you can, switch them off during the working day.

More here: https://www.telegraph.co.uk/technology/2020/03/30/lawyers-urged-switch-alexa-working-home/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's cyber tip Tuesday, this week James is talking about vulnerability management.

Vulnerability Management is much more than just the act of applying patches to vulnerable computers.

It's the process of identifying, eliminating or mitigating technical vulnerabilities within an organisation and it includes the ability to track and report on progress and trends.

Vulnerability Management is not a one-time project where you identify and fix all of the vulnerabilities within your organisation.

It's an ongoing method of managing and reducing the risks associated with modern business practices and the use of technology.

If you'd like to know more about Vulnerability Management or how you can better secure your business, get in touch.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Cyber Flash Briefing 60 second video version

The Importance of Maintaining Good Cyber Hygiene During the Coronavirus Crisis

Businesses are making significant changes in response to the virus, including asking employees to work from home for the first time. These new practices have often been implemented as quickly as possible, with a priority on keeping the business operations going.

At the same time, the cyber and information security consultants at Black Arrow are seeing reports from specialist intelligence and the wider media which show cyber criminals are feasting on the current chaos as they target employees and companies who let their guard down.

‘Cyber criminals usually target people, not technology, to get into their employer’s systems. Companies need to ensure they consider all the basic risks to prevent this, and implement layers of defence that start with the user.

Read more here: https://guernseypress.com/news/2020/03/24/maintaining-good-cyber-hygiene/

Half of all UK Firms and Three-Quarters of Large Firms Suffered Security Breach Last Year

Nearly half (46%) of UK firms reported suffering a security breach or cyber-attack over the past year, an increase on previous years, but they are getting better at recovering from and deflecting such blows, according to the government.

The annual Cyber Security Breaches Survey revealed an increase in the overall volume of businesses reporting incidents, up from 32%. The number of medium (68%) and large (75%) businesses reporting breaches or attacks also jumped, from 60% and 61% respectively.

This puts the 2020 report’s findings in line with the first government analysis in 2017, it claimed.

Of those businesses that reported incidents, more are experiencing these at least three times a week than in 2017 (32% versus 22%).

The government also claimed that organisations are experiencing more phishing attacks (from 72% to 86%) whilst fewer are seeing malware (from 33% to 16%) than three years ago.

More here: https://www.infosecurity-magazine.com/news/threequarters-firms-security/

#COVID19 Drives Phishing Emails Up 667% in Under a Month

Phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.

A security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.

As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers

Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).

As well as the usual lures to click through for more information on the pandemic, some scammers are claiming to sell cures and/or face-masks, while others try to elicit investment in companies producing vaccines, or donations to fight the virus and provide support to victims.

This is a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people on mass when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time.

More here: https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/

Attackers exploiting critical zero-day Windows flaw

Microsoft has discovered a severe vulnerability in all supported versions of Windows, which enables criminals to remotely run malware – including ransomware – on a target machine.

According to the report, the security vulnerability has not been previously disclosed and there is currently no fix.

The “critical” vulnerability revolves around how the operating system handles and renders fonts. All it takes is for the victim to open or preview a malicious document, and the attacker can remotely run different forms of malware.

Microsoft said the vulnerability is being exploited in the wild, and different hacking groups are initiating “limited, targeted attacks”.

Although there is as yet no patch, the company announced a temporary workaround for affected Windows users, which involves disabling the Preview and Details panes in Windows explorers.

Read more here: https://www.itproportal.com/news/attackers-exploiting-critical-zero-day-windows-flaw/

WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike

The DarkHotel group could have been looking for information on tests, vaccines or trial cures.

The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.

A cyber security researcher told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and noted that he realised “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”

The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself. The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organisations that are uncommon for cybercriminals and this could suggest the actor or actors behind the attacks are more interested in gathering intelligence, rather than being financially motivated.

Read the full article here: https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/

Stolen data of company that refused REvil ransom payment now on sale

Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.

More here: https://nakedsecurity.sophos.com/2020/03/23/stolen-data-of-company-that-refused-revil-ransom-payment-now-on-sale/

IT security report finds 97% of enterprise networks have suspicious network activity

A study using advanced network traffic analysis tools, found that 97% of the surveyed companies show evidence of suspicious activity in their network traffic and that 81% of the companies were being subject to malicious activity.

More here: https://www.techrepublic.com/article/it-security-report-finds-97-have-suspicious-network-activity/

Concern over Zoom video conferencing after MoD bans it over security fears

Concerns have been raised over the security of video conferencing service Zoom after the Ministry of Defence banned staff from using it.

Downing Street published pictures of Prime Minister Boris Johnson using the app to continue holding Cabinet meetings with senior MPs – where sensitive information like matters of national security are discussed – while observing rules on social distancing to curb the coronavirus outbreak.

But MoD staff were told this week that use of the software was being suspended with immediate effect while ‘security implications’ were investigated, with users reminded of the need to be ‘cautious about cyber resilience’ in ‘these exceptional times’.

One source commented that ‘it is astounding that thousands of MoD staff have been banned from using Zoom only to find a sensitive Government meeting like that of the Prime Minister’s Cabinet is being conducted over it’.

A message to MoD staff said: ‘We are pausing the use of Zoom, an internet-based video conferencing service, with immediate effect whilst we investigate security implications that come with it.’ The email added that a decision will then be made about whether to continue using the programme.

More here: https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/

Adobe issues emergency fix for file-munching bug

Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.

The file-deleting bug stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned that successful exploitation could lead to arbitrary file deletion.

To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.

More here: https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/

Emerging Chinese APT Group ‘TwoSail Junk’ Mounts Mass iPhone Surveillance Campaign

The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices.

A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers.

Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware.

Read the full article here: https://threatpost.com/emerging-apt-mounts-mass-iphone-surveillance-campaign/154192/

New attack on home routers sends users to spoofed sites that push malware

A recently discovered hack of home and small-office routers is redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to install malware that steals passwords and cryptocurrency credentials, researchers said on Wednesday.

The compromises are hitting Linksys routers and D-Link devices.

It remains unclear how attackers are compromising the routers. The researchers suspect that the hackers are guessing passwords used to secure routers’ remote management console when that feature is turned on. It was also hypothesized that compromises may be carried out by guessing credentials for users’ Linksys cloud accounts.

More here: https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/

Russia’s FSB wanted its own IoT botnet

If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.

The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.

Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.

More here: https://nakedsecurity.sophos.com/2020/03/24/russias-fsb-wanted-its-own-iot-botnet/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

With more of us working from home in the Coronavirus crisis, employees need to maintain good cyber hygiene. People behave differently at home, often less alert to information security risks.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Working from Home: COVID-19’s Constellation of Security Challenges

Organisations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.

As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.

As organisations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors

Read more here: https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/

Thousands of COVID-19 scam and malware sites are being created on a daily basis

Malware authors and fraudsters aren't letting a tragedy go to waste.

In the midst of a global coronavirus (COVID-19) pandemic, hackers are not letting a disaster go to waste and have now automated their coronavirus-related scams to industrial levels.

According to multiple reports, cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis.

Most of these sites are being used to host phishing attacks, distribute malware-laced files, or for financial fraud, for tricking users into paying for fake COVID-19 cures, supplements, or vaccines.

More here: https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis/

EU warns of broadband strain as millions work from home

The EU has called on streaming services such as Netflix and YouTube to limit their services in order to prevent the continent’s broadband networks from crashing as tens of millions of people start working from home. 

Until now, telecoms companies have been bullish that internet infrastructure can withstand the drastic change in online behaviour brought about by the coronavirus outbreak. 

But on Wednesday evening, Thierry Breton, one of the European commissioners in charge of digital policy, said streaming platforms and telecoms companies had a “joint responsibility to take steps to ensure the smooth functioning of the internet” during the crisis.

Read more on the FT here: https://www.ft.com/content/b4ab03db-de1f-4f98-bcc2-b09007427e1b

COVID-19: With everyone working from home, VPN security has now become paramount

With most employees working from home amid today's COVID-19 (coronavirus) outbreak, enterprise VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus going forward for IT teams.

It is critical that the VPN service is patched and up to date because there will be more scanning against these services.

It is also critical that multi factor authentication (MFA or 2FA) is used to protect connections over VPN.

More: https://www.zdnet.com/article/covid-19-with-everyone-working-from-home-vpn-security-has-now-become-paramount/

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them

Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.

SD-WAN is host to five vulnerabilities ranging from privilege escalation to remote code injection.

Meanwhile, the Webex video-conferencing software also needs some sorting out right when everyone's working from home amid the coronavirus pandemic.

The patch bundle includes a fix for Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. A hacker can send a suitably crafted file in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF), and if the recipient clicks on it on a vulnerable computer, they get pwned. iOS users also need to patch an information-disclosure bug.

The other fixes mention SQL injection and cross-site scripting flaws.

More on The Register here: https://www.theregister.co.uk/2020/03/19/cisco_sdwan_bugs/

Windows 10 or Mac user? Patch Adobe Reader and Acrobat now to fix 9 critical security flaws

Adobe has released an important security update for its popular PDF products, Adobe Acrobat and Reader after missing its usual release aligned with Microsoft Patch Tuesday.

The company has released an update for the PDF software for Windows and macOS machines. The update addresses nine critical flaws and four vulnerabilities rated as important.

The critical flaws include an out-of-bounds write, a stack-based overflow flaw, a use-after-free, buffer overflow, and memory corruption bug.

All the critical flaws allow for arbitrary code execution, meaning attackers could use them to rig a PDF to install malware on a computer running a vulnerable version of the software.

More here: https://www.zdnet.com/article/windows-10-or-mac-user-patch-adobe-reader-and-acrobat-now-to-fix-9-critical-security-flaws/

WordPress and Apache Struts account for 55% of all weaponized vulnerabilities

Comprehensive study looks at the most attacked web technologies of the last decade.

A study that analysed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.

The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week.

In terms of programming languages, vulnerabilities in PHP and Java apps were the most weaponized bugs of the last decade.

Read the full article here: https://www.zdnet.com/article/wordpress-and-apache-struts-account-for-55-of-all-weaponized-vulnerabilities/

Trickbot malware adds new feature to target telecoms, universities and finance companies

Researchers uncover a Trickbot campaign with new abilities that looks like it's being used in an effort to steal intellectual property, financial data - and potentially for espionage.

The new form of the infamous Trickbot malware is using never-before-seen behaviour in attacks targeting telecommunications providers, universities and financial services in a campaign that looks to be going after intellectual property and financial data.

Trickbot has been in operation since 2016 and, while it started life as a banking trojan, the modular nature of the malware means it can be easily re-purposed for other means, which has led to it becoming one of the most advanced and capable forms of malware attack delivery in the world today.

And now it has been updated with yet another new capability, with a module that uses brute force attacks against targets mostly in telecoms, education, and financial services in the US and Hong Kong. These targets are pre-selected based on IP addresses, indicating that the attackers are going after them specifically.

More here: https://www.zdnet.com/article/trickbot-malware-adds-new-feature-to-target-telecoms-universities-and-finance-companies/

Most organizations have yet to fix CVE-2020-0688 Microsoft Exchange flaw

Organisations are delaying in patching Microsoft Exchange Server flaw (CVE-2020-0688) that Microsoft fixed with February 2020 Patch Day updates.

The CVE-2020-0688 flaw resides in the Exchange Control Panel (ECP) component, the root cause of the problem is that Exchange servers fail to properly create unique keys at install time.

A remote, authenticated attacker could exploit the CVE-2020-0688 vulnerability to execute arbitrary code with SYSTEM privileges on a server and take full control.

More here: https://securityaffairs.co/wordpress/99752/hacking/companies-cve-2020-0688-fixed.html

Two Trend Micro zero-days exploited in the wild by hackers

Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week.

The Japanese antivirus maker has released patches on Monday to address the two zero-days, along with three other similarly critical issues (although, not exploited in the wild).

According to the alert, the two zero-days impact the company's Apex One and OfficeScan XG enterprise security products.

Trend Micro did not release any details about the attacks.

These two zero-days mark the second and third Trend Micro antivirus bugs exploited in the wild in the last year.

Read more here: https://www.zdnet.com/article/two-trend-micro-zero-days-exploited-in-the-wild-by-hackers/

Most ransomware attacks take place during the night or over the weekend

27% of all ransomware attacks take place during the weekend, 49% after working hours during weekdays

The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.

According to a report published this week, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during night-time over the weekdays, and 27% taking place over the weekend.

The numbers were compiled from dozens of ransomware incident response investigations from 2017 to 2019.

The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.

If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring what's actually happening before the ransomware encryption process ends and the company's network is down & ransomed.

Read more here: https://www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Some small and medium-sized businesses (SMBs) consider cyber security either a luxury or an issue to be dealt with once their budget is a bit larger. 

Unfortunately, it is these businesses that are most likely to be targeted for cybercrime. 

In fact, 43 percent of cyberattacks target small businesses. Criminals know larger corporations have strong security systems, but smaller businesses frequently leave themselves vulnerable. 

If you run an SMB and cyber security is not yet a priority, it's time to change that. 

Luckily, there are things you can do to protect yourself, even when resources are limited, and we can help you ensure you spend your money wisely and get the best value from your spend to protect you where it matters. 

There are a lot of other things to worry about right now, for businesses of all sizes, but cyber security is more critical now than it ever have been. 

A breach now on top of everything else that is going on would likely be catastrophic to any business.

Talk to us today to find out the very real ways we can help you.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week I'm talking about firms thinking about how dependent they are on technology to operate.

Have you ever stopped to think how dependent your business is on IT and thought about how long you would be able to continue if you lost access to your data or systems for any period of time?

Thinking about email alone, how long could your business operate without being able to access email?

All firms are technology firms now to one extent or the other and many do not appreciate just how dependent their operations are on IT.

A loss of your IT systems could be catastrophic to a business and making sure you have plans in place so you know what to do and how you will be able to recover are critically important.

Talk to us to see how we can help with planning and preparedness to help ensure your business can survive.

While you're thinking about how you work during this crisis, the criminals are thinking about how they can take advantage of the crisis and exploit the situation to attack you.

This is what is going while firms are distracted:

Coronavirus: Banks urged to prepare for surge in cyber attacks as hackers look to exploit crisis

-Independent

Chinese Hackers ‘Weaponize’ Coronavirus Data For New Cyber Attack

-Forbes

Banks Told to Prepare for Cybercrime Jump in Coronavirus Fallout

-Bloomberg

Coronavirus Work-from-Home Response A Boon for Cybercriminal Exploitation

-Law.com

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

More coronavirus phishing campaigns detected

Caution required when accessing coronavirus-related emails.

Cybercriminals often use major global events to spread malware and steal data, and the recent coronavirus outbreak is no different.

Security experts have identified two phishing campaigns that take advantage of coronavirus concerns to infect devices with the Agent Tesla keylogger.

According to the report, cybercriminals are distributing emails that appear to originate from The Centre for Disease Control (CDC) or the World Health Organisation (WHO). The emails claim the virus is now airborne and that new cases have been confirmed in the victim’s vicinity.

Attached to the messages is a file named "SAFETY PRECAUTIONS", which looks like an Excel document, but is in fact an executable file (.exe) capable of sowing the trojan.

More here: https://www.itproportal.com/news/more-coronavirus-phishing-campaigns-detected/

How coronavirus COVID-19 is accelerating the future of work

The coronavirus is forcing enterprises to rethink the way they do business and dust off policies for security, business continuity, and remote workers. Chances are that some of these efforts will stick

The coronavirus outbreak may speed up the evolution of work and ultimately retool multiple industries as everything from conferences to collaboration to sales and commercial real estate are rethought.

Read the original article here: https://www.zdnet.com/article/how-coronavirus-may-accelerate-the-future-of-work/

Millions of UK businesses experience data breaches due to employee error

Employees often click on fraudulent links and can't spot a phishing email.

Employee error is the cause of 60 percent of all data breaches among UK businesses according to a new report from insurance broker Gallagher.

Polling 1,000 UK business leaders, Gallagher found the most common cause (39 percent) of employee-related breaches was malware downloaded accidentally via fraudulent links.

Phishing is also a major risk factor, responsible for 35 percent of infections. While employees pushing sensitive data outside company systems accounted for a further 28 percent.

The report also claims that almost a third of affected businesses (30 percent) have had their operations knocked out for four to five days as a result of employee error.

Respondents also reported reputational damage (14 percent) and financial consequences (12 percent), which included fines issued by data privacy regulators.

Most executives (71 percent) are aware of the problem and almost two thirds (64 percent) said they regularly remind employees about the risk of cyber crime.

Virtually all businesses are at risk of a cyber attack and as this research shows, it is often an employee mistake which causes the problem.

More: https://www.itproportal.com/news/millions-of-uk-businesses-experience-data-breaches-due-to-employee-error/

AMD processors going back to 2011 suffer from worrying security holes

Pair of freshly revealed attacks have not yet been patched

AMD’s processors from as early as 2011 through to 2019 are carrying vulnerabilities that are as yet unpatched, according to some freshly published research.

Known as ‘Take A Way’ (every security problem needs a snappy name, of course), security researchers said that they reverse-engineered the L1D cache way predictor in AMD silicon in order to discover two new potential attack vectors.

Given all the attention which has been focused on the flaws in Intel’s CPUs in recent times – vulnerabilities which haven’t affected AMD chips in a number of cases – this might just serve as a reminder that no one’s silicon is bulletproof.

More here: https://www.techradar.com/news/amd-processors-going-back-to-2011-suffer-from-worrying-security-holes

F-Secure reports a steep rise in hacking attempts

The latest Attack landscape H2 2019 report from F-Secure has found that there has been a jump in the volume of cyber attacks targeting internet users

In the report, F-Secure said that in the first half of 2019, the company’s global network of honeypots experienced a jump in cyber attack traffic.

The volume of such attacks rose from 246 million in H1 2017 to 2.9 billion in H1 2019. In the second half of the year, according to F-Secure, the pace of attack traffic continued but at a slightly reduced rate. F-Secure said there were 2.8 billion hits to its honeypot servers in H2 2019. Distributed Denial of Service (DDos) attacks drove this deluge, accounting for two-thirds of the traffic.

Its research found that the US is the country whose IP space played host to the greatest number of attacks, followed by China and Russia.

https://www.computerweekly.com/news/252479470/F-secure-reports-a-steep-rise-in-hacking-attempts

This ransomware campaign has just returned with a new trick

Paradise ransomware is back again - and the criminals behind it appear to be testing out new tactics ahead of what could be a more prolific campaign.

A ransomware campaign has returned with a new trick to fool the unwary into compromising their network with file-encrypting malware. And it's an attack that many Windows machines won't even recognise as potentially malicious.

The new variant of Paradise ransomware, which has been active in one form or another since 2017, spreads via phishing emails, but it's different from other ransomware campaigns because it uses an uncommon – but effective – file type to infiltrate the network.

This campaign leverages Internet Query files (IQY), which are text files read by Microsoft Excel to download data from the internet. IQY is a legitimate file type, so many organisations won't block it.

More here: https://www.zdnet.com/article/this-ransomware-campaign-has-just-returned-with-a-new-trick/

Ransomware Threatens to Reveal Company's 'Dirty' Secrets

Sticking with ransomware, the operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.

As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.

In a new post by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victim's data but also sifting through it to find damaging information that can be used against the victim.

In the above post, the attackers are threatening to sell the Social Security Numbers and date of births for people in the data to other hackers on the dark web.

They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.

Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/

Microsoft Releases Emergency Patch for Wormable Bug That Threatens Corporate LANs

Microsoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The patch for the vulnerability is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.

On Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017.

The critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft’s Patch Tuesday release this week.

Read more here: https://threatpost.com/wormable-unpatched-microsoft-bug/153632/

Nearly all IoT traffic is unencrypted

IoT devices are considered "low-hanging fruit" among cybercriminals.

Practically all of the traffic flowing from Internet of Things (IoT) devices is not encrypted, consequently putting both businesses and their customers at unnecessary risk of data theft and all others that follow.

This is according to a new report which analysed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organisations, finding that 98 per cent of all IoT device traffic is unencrypted.

That basically means that if intercepted, the data could be easily read and used.

So the question arises – how easy is it to eavesdrop on the data exchange between IoT devices and their respective servers? The report claims 57 per cent of IoT devices are vulnerable to either medium or high-severity attacks. IoT is perceived as “low-hanging fruit” for cybercriminals.

Read more here: https://www.itproportal.com/news/nearly-all-iot-traffic-is-unencrypted/

Microsoft takes down global zombie bot network

Microsoft has said it was part of a team that dismantled an international network of zombie bots.

The network call Necurs infected over nine million computers and one of the world's largest botnets.

Necurs was responsible for multiple criminal scams including stealing personal information and sending fake pharmaceutical emails.

Cyber-criminals use botnets to remotely take over internet-connected devices and install malicious software.

The software can be used to send spam, collect information about what activity the computer is used for or delete information without notifying the owner.

Tom Burt, Microsoft's vice-president for customer security and trust, said in a blog post that the takedown of Necurs was the result of eight years of planning and co-ordination with partners in 35 countries.

More here: https://www.bbc.co.uk/news/technology-51828781

Watch out for Office 365 and G Suite scams, FBI warns businesses

The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.

Bang on cue, the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 and Google G Suite.

Warnings about BEC are ten-a-penny but this one refers specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:

Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.

As organisations move to hosted email, criminals migrate to follow them.

As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.

For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.

The deeper question is why BEC scams continue to be such a problem when it’s well understood that they can be defended against using technologies such as multi-factor authentication (MFA).

More here: https://nakedsecurity.sophos.com/2020/03/10/watch-out-for-office-365-and-g-suite-scams-fbi-warns-businesses/

Microsoft Exchange Server Flaw Exploited by multiple nation state (APT) groups

A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.

The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.

More: https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/

Cyberattackers are delivering malware by using links from whitelisted sites

Legitimate-looking links from OneDrive, Google Drive, iCloud, and Dropbox slip by standard security measures.

Bad actors have added a new snare to their bag of social engineering tricks— malicious OneDrive, Google Drive, iCloud, and Dropbox links. A new whitepaper asking "Is SaaS the New Trojan Horse in the Age of the Cloud?" describes this latest attack vector.

Links to these legitimate sites can often slip by standard security measures that stop malware and block access to suspicious sites. Many of these services are whitelisted by security products because they are approved services, meaning that an enterprise has few or no defences against these advanced attacks. These services are the latest tactic designed to dupe users into divulging their credentials or unknowingly download and install malware.

More here: https://www.techrepublic.com/article/cyberattackers-are-delivering-malware-by-using-links-from-whitelisted-sites/

Tech Firms Offer Free Remote Working Tools, as Coronavirus Cases Surge

Move comes as companies scramble to polish remote working processes

Six technology companies are rolling out free or upgraded enterprise collaboration tools under a new “Open for Business” hub, in a bid to capture new users – and support enterprises scrambling to implement remote working protocols as coronavirus cases surge.

In the US, Amazon, Microsoft and Facebook have advised Seattle-area employees to work from home for the next few weeks. In the UK most companies are holding fire for now, but are most are rapidly updating policies and assessing tools.

Large organisations might be able to work through some of the emerging provisioning issues that come with a surge of remote workers — i.e. by increasing the number of licenses for their firewalls and VPNs — many small businesses don’t have the ability to quickly provision the resources they need to support their employees when working remotely.

More here: https://www.cbronline.com/news/free-remote-working-tools

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Tip Tuesday, this week Bruce explains the difference between Information Security and Cyber Security.

The two terms are often used interchangeably, and in many situations that is ok, but the difference is important when you are looking at controls to reduce your risk.

Information Security is the larger topic of keeping all your information secure.

This includes things like a clear desk policy to ensure confidential papers are not left on your desk overnight, or ensuring employees don't read confidential documents on a train with other passengers, or worse still throwing away documents in a public bin when instead they should be shredded.

Cyber Security is the subsection of Information Security that refers to being connected to the Internet and online systems.

It includes storing documents on your computer or cloud server, or sending documents by email, or accessing online payments systems.

All these require strong controls to prevent unauthorised access.

Your objective is to protect the confidentiality, integrity and the availability of the information.

Contact us to talk about the controls you can put in place for your Cyber Security and wider Information Security.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Nasty phishing scams aim to exploit coronavirus fears

Phoney emails about health advice and more are being used to steal login credentials and financial details.

Cyber criminals are aiming to take advantage of fears over coronavirus as a means of conducting phishing attacks and spreading malware, along with stealing login credentials and credit card details.

Cybersecurity companies have identified a number of campaigns by hackers who are attempting to exploit concerns about the COVID-19 outbreak for their own criminal ends. Crooks often use current affairs to make their scams more timely.

Researchers have identified a Trickbot banking trojan campaign specifically targeting Italian email addresses in an attempt to play on worries about the virus. The phishing email comes with a Word document which claims to contain advice on how to prevent infection – but this attachment is in fact a Visual Basic for Applications (VBA) script which drops a new variant of Trickbot onto the victim's machine.

The message text claims to offer advice from the World Health Organization (WHO) in a Word document which claims to be produced using an earlier version of Microsoft Word which means the user needs to enable macros in order to see the content. By doing this, it executes a chain of commands which installs Trickbot on the machine.

Read more here: https://www.zdnet.com/article/nasty-phishing-scams-aim-to-exploit-coronovirus-fears/

Backdoor malware is being spread through fake security certificate alerts

Victims of this new technique are invited to install a malicious "security certificate update" when they visit compromised websites.

Backdoor and Trojan malware variants are being distributed through a new phishing technique that attempts to lure victims into accepting an "update" to website security certificates.

Certificate Authorities (CAs) distribute SSL/TLS security certificates for improved security online by providing encryption for communication channels between a browser and server -- especially important for domains providing e-commerce services -- as well as identity validation, which is intended to instill trust in a domain.

Read the full article here: https://www.zdnet.com/article/backdoor-malware-is-being-spread-through-fake-security-certificate-alerts/

Boots Advantage and Tesco Clubcard both suffer data breaches in same week

Boots has blocked all Advantage card holders from ‘paying with points’ after 150,000 accounts were subjected to attempted hacks using stolen passwords.

The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.

Read more here: https://www.which.co.uk/news/2020/03/boots-advantage-card-tesco-clubcard-both-suffer-data-breaches-in-same-week/

Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums

Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes).

When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim's servers.

These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.

Read the full article here: https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities-in-23-web-apps-cmses-and-forums/

UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme

ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.

The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS).

IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report.

Read more here: https://www.zdnet.com/article/uk-home-office-breached-gdpr-100-times-through-botched-handling-of-eu-settlement-scheme/

Legal services giant Epiq Global offline after ransomware attack

The company, which provides legal counsel and administration that counts banks, credit giants, and governments as customers, confirmed the attack hit on February 29.

“As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation,” a company statement read. “Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible.”

The company’s website, however, says it was “offline to perform maintenance.”

A source with knowledge of the incident but who was not authorized to speak to the media said the ransomware hit the organization’s entire fleet of computers across its 80 global offices.

Read more here: https://techcrunch.com/2020/03/02/epiq-global-ransomware/

Android Patch Finally Lands for Widespread “MediaTek-SU” Vulnerability

Android has quietly patched a critical security flaw affecting millions of devices containing chipsets from Taiwanese semiconductor MediaTek: a full year after the security vulnerability – which gives an attacker root privileges – was first reported.

More here: https://www.cbronline.com/news/android-patch-mediatek-su

5G and IoT security: Why cybersecurity experts are sounding an alarm

Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments.

Seemingly everywhere you turn these days there is some announcement about 5G and the benefits it will bring, like greater speeds, increased efficiencies, and support for up to one million device connections on a private 5G network. All of this leads to more innovations and a significant change in how we do business.

But 5G also creates new opportunities for hackers.

There are five ways in which 5G networks are more susceptible to cyberattacks than their predecessors, according to the 2019 Brookings report, Why 5G requires new approaches to cybersecurity. They are:

1. The network has moved from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks had "hardware choke points" where cyber hygiene could be implemented. Not so with 5G.

2. Higher-level network functions formerly performed by physical appliances are now being virtualized in software, increasing cyber vulnerability.

3. Even if software vulnerabilities within the network are locked down, the 5G network is now managed by software. That means an attacker that gains control of the software managing the network can also control the network.

4. The dramatic expansion of bandwidth in 5G creates additional avenues of attack.

5. Increased vulnerability by attaching tens of billions of hackable smart devices to an IoT network.

Read the full article here: https://www.techrepublic.com/article/5g-and-iot-security-why-cybersecurity-experts-are-sounding-an-alarm/

Virgin Media apologises after data breach affects 900,000 customers

Virgin Media has apologised after a data breach left the personal details of around 900,000 customers unsecured and accessible.

The company said that the breach occurred after one of its marketing databases was “incorrectly configured” which allowed unauthorised access.

It assured those affected by the breach that the database “did not include any passwords or financial details” but said it contained information such as names, home and email addresses, and phone numbers.

Virgin said that access to the database had been shut down immediately following the discovery but by that time the database was accessed “on at least one occasion”.

Read more here: https://www.itv.com/news/2020-03-05/virgin-media-apologises-after-data-breach-affects-900-000-customers/

Do these three things to protect your web security camera from hackers

NCSC issues advice on how to keep connected cameras, baby monitors and other live streaming security tools secure from cyberattacks.

Owners of smart cameras, baby monitors and other Internet of Things products have been urged to help keep their devices safe by following three simple steps to boost cybersecurity – and making it more difficult for hackers to compromise them.

The advice from the UK's National Cyber Security Centre (NCSC) – the cyber arm of the GCHQ intelligence agency – comes as IoT security cameras and other devices are gaining popularity in households and workplaces.

1. Change the default password

2. Apply updates regularly

3. Disable unnecessary alerts

For more refer to the original article here: https://www.zdnet.com/article/do-these-three-things-to-protect-your-web-security-camera-from-hackers/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about how many users are not as good at spotting phishing emails as they think they are, and how that overconfidence can be dangerous.

It has been proven that users are not as good at spotting phishing emails as they think they are, and as many as 1 in 4 users will fall for fairly basic phishing attacks.

Traditional training and awareness around phishing is not working and firms need to take a different approach.

One of the things firms should be doing is simulating phishing attacks against their own staff and this is something will be very pleased to help your organisation to do.

We can administer and run campaigns on your behalf, including providing reports you can deliver to your Boards.

For regulated financial service firms we know this is something that the GFSC are expecting firms to be doing on a regular basis, at least quarterly.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Android malware can steal Google Authenticator 2FA codes

A new version of the "Cerberus" Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts.

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.

Google launched the Authenticator mobile app in 2010. The app works by generating six to eight-digits-long unique codes that users must enter in login forms while trying to access online accounts.

Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user's smartphone and never travel through insecure mobile networks, online accounts who use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.

Read the full article here: https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

Cisco patches incoming to address Kr00k vulnerability impacting routers, firewall products

Cisco is working on a set of patches to address a recently-disclosed vulnerability that can be exploited to intercept Wi-Fi network traffic.

The vulnerability, tracked as CVE-2019-15126, has been nicknamed "Kr00k" and was disclosed at the by researchers on Wednesday.

Kr00k is a vulnerability that permits attackers to force Wi-Fi systems into disassociative states, granting the opportunity to decrypt packets sent over WPA2 Personal/Enterprise Wi-Fi channels.

All Wi-Fi enabled devices operating on Broadcom or Cypress Wi-Fi chipsets are impacted

More here: https://www.zdnet.com/article/cisco-says-patches-incoming-to-address-new-kr00k-vulnerability-impacting-routers-firewall-products/

Google Patches Chrome Browser Zero-Day Bug, Under Attack

Google patches zero-day bug tied to memory corruptions found inside the Chrome browser’s open-source JavaScript and Web Assembly engine, called V8.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.

The zero-day vulnerability, tracked as CVE-2020-6418, is a type of confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome’s open-source JavaScript and Web Assembly engine, called V8.

Read the full article here: https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/

Ransomware victims thought their backups were safe. They were wrong

Ransomware victims are finding out too late that their vital backups are online and also getting encrypted by crooks, warns cyber security agency.

The UK's cyber security agency has updated its guidance on what to do after a ransomware attack, following a series of incidents where organisations were hit with ransomware, but also had their backups encrypted because they had left them connected to their networks.

Keeping a backup copy of vital data is a good way of reducing the damage of a ransomware attack: it allows companies to get systems up and running again without having to pay off the crooks. But that backup data isn't much good if it's also infected with ransomware -- and thus encrypted and unusable -- because it was still connected to the network when the attack took place.

The UK's National Cyber Security Centre (NCSC) said it has now updated its guidance by emphasising offline backups as a defence against ransomware.

Read the full article here: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/

Data breach at City watchdog FCA exposes records of thousands of complainants

The records of 1,600 people who complained to the City watchdog have been exposed following a major data breach at the regulator.

The Financial Conduct Authority (FCA) mistakenly published the personal records of complainants on its website, where anyone could access the information.

The data was visible between November 2019 and February 2020 and included the records of people who made a complaint between January 2018 and July 2019.

This leaked information included the name of the complainant, the company they represent, the status of the complaint and other information. In some instances addresses and telephone numbers were also visible.

Certain media outlets disclosed that the list contained the names of several high-profile individuals.

Read more here: https://www.telegraph.co.uk/money/consumer-affairs/data-breach-city-watchdog-exposes-records-thousands-complainants/

Hackers are getting better at tricking people into handing over passwords — here's what to look out for, according to experts

Hackers don't break in, they log in.

That mantra, often repeated by security experts, represents a rule of thumb: The vast majority of breaches are the result of stolen passwords, not high-tech hacking tools.

These break-ins are on the rise. Phishing scams — in which attackers pose as a trustworthy party to trick people into handing over personal details or account information — were the most common type of internet crime last year, according to a recent FBI report. People lost more than $57.8 million in 2019 as the result of phishing, according to the report, with over 114,000 victims targeted in the US.

And as phishing becomes more profitable, hackers are becoming increasingly sophisticated in the methods they use to steal passwords, according to Microsoft's Security Research team.

Most of the attackers have now moved to phishing because it's easy

Read the full article here: https://www.businessinsider.com/phishing-scams-getting-more-sophisticated-what-to-look-out-for-2020-2?r=US&IR=T

Government authorities fail to train employees on ransomware detection, prevention

New research suggests that the majority of state and local governments are not rising to the challenge of mitigating ransomware threats. (and it’s not just Government)

The majority of state and local government agencies are failing to prepare their employees to spot cyber attacks or teach them how to handle ransomware incidents in the workplace, new research suggests.

On Thursday, IBM Security released the results of a new study, conducted on its behalf by The Harris Poll, containing responses from close to 700 US local and state employees in IT, education, emergency services, and security departments.

The research, taking place between January and February this year, reveals that only 38% of local and state employees have received any training in general ransomware prevention, which may include learning how to spot phishing attempts, the threat of social engineering, and basic security hygiene in the workplace.

More: https://www.zdnet.com/article/government-authorities-fail-to-train-employees-on-ransomware-detection-prevention/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about users sending emails to the wrong recipient.

The majority of data breaches reported to the data commissioner, both locally and nationally, have involved users sending emails to the wrong recipients.

This is clearly a problem and many technical controls won't defend against this as this comes down to human error. Human error is the leading cause of data breaches today, because people make mistakes and break the rules. In many cases, people may not even realise they’re doing anything wrong.

If businesses want to keep their data safe, they need to start at the human level and create a people-centric approach to cyber security that focuses on educating and protecting their employees.

We can help provide controls that help to reinforce this human level and reduce instances of users send emails to the wrong recipients.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Adobe releases out-of-band patch for critical code execution vulnerabilities

Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks.

On Wednesday, the software vendor released two separate security advisories describing the issues, warning that each bug is deemed critical, the highest severity score available. However, there is at present no evidence the vulnerabilities are being exploited in the wild.

The first vulnerability impacts Adobe Media Encoder versions 14.0 and earlier on the Microsoft Windows platform.  The second vulnerability impacts Adobe After Effects versions 16.1.2 and earlier also on Windows machines.

Read more on ZDnet here: https://www.zdnet.com/article/adobe-releases-out-of-schedule-fixes-for-critical-vulnerabilities/

Critical Cisco Bug Opens Software Licencing Manager to Remote Attack

A default password would let anyone access the Cisco Smart Software Manager On-Prem Base platform, even if it’s not directly connected to the internet.

A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered, which would open the door to remote attackers thanks to its use of a static, default password, even if the platform isn’t directly connected to the internet.

Cisco Smart Software Manager On-Prem Base is used to manage a customer or partner’s product licenses, providing near real-time visibility and reporting of the Cisco licenses that an organisation purchases and consumes. According to Cisco’s product literature, the platform is aimed at “customers who have strict security requirements and do not want their products to communicate with the central licensing database on Smart Software Manager over a direct Internet connection,” like financial institutions, utilities, service providers and government organisations.

Read the full article on ThreatPost here: https://threatpost.com/critical-cisco-bug-software-licencing-remote-attack/153086/

97% of IT leaders majorly concerned by insider data breaches

A study has found that 97% of IT leaders are concerned that data will be exposed by their own employees, leading to insider breaches

This findings from the survey spelled a lack of reassurance for decision makers regarding insider breaches over the past 12 months.

Also, 78% of IT leaders surveyed said that employees have put data at risk accidentally within the last year, while 75% say that intentional compromise of data security has occurred.

While the former statistic has remained stable since 2019, the latter saw a 14% jump.

In the UK, 63% declared intentional data security compromise, while 68% said this was accidental. This contrasted with leaders in the Benelux region, 89% of whom said that data was put at risk intentionally, and 91% accidentally.

Read more here: https://www.information-age.com/it-leaders-majorly-concerned-insider-data-breaches-123487769/

PayPal remains the most‑spoofed brand in phishing scams

PayPal, Facebook, Microsoft, Netflix, and WhatsApp were the most commonly impersonated brands in phishing campaigns in the fourth quarter of 2019.

The payment services provider retained its top spot from the previous quarter, according to data gleaned from the number of unique phishing URLs detected by the company. Thanks to the immediate financial payback and a pool of 305 million active users worldwide, PayPal’s continued popularity among phishers isn’t all that surprising.

PayPal-themed phishing campaigns usually target both consumers and SMB employees, with researchers pointing to an example of a recent fraudulent email that alerted users to an “unusual activity on your account”. A similar campaign was recently uncovered by researchers.

Social media phishing continues to grow with Facebook taking second place on the list. Meanwhile, WhatsApp jumped a whopping 63 spots to take fifth place and Instagram surged 16 places to take the 13th spot.

More: https://www.welivesecurity.com/2020/02/14/paypal-remains-most-spoofed-brand-phishing-scams/

Windows 10 update: Microsoft admits serious problem, here's how to fix it

It was recently discovered that the newest Windows 10 update was somehow deleting users’ files. The update has been live for over a week now, but fear not (or at least not too much) Windows fans, Microsoft has now said (unofficially) that it’s found a fix.

Thanks to Windows Latest (via TechRadar), we now know how Windows is responding to the problem. The site interviewed unnamed Microsoft support team staff, one of which was quoted  as saying: “Microsoft is aware of this known issue and our engineers are working diligently to find a solution for it.” In addition, it’s been reported that the Windows team have been able to replicate the bug and find one potential way of restoring any lost files.

Read the full article here: https://www.tomsguide.com/news/windows-10-update-microsoft-admits-serious-problem-heres-how-to-fix-it

Mitigating Risk in Supply Chain Attacks

In the last year, the number of global businesses falling victim to supply chain attacks more than doubled from 16 to 34 per cent – in the UK the picture is even worse with a staggering 42 per cent reporting they fell victim to these sorts of attacks.

This kind of attack is a powerful threat as it enables malicious code to slip into an organisation through trusted sources. What is worse is that it’s a tougher threat for traditional security approaches to account for.

Of even more concern though is that this particular attack vector doesn’t appear to be a top priority for businesses. The same survey found only 42 per cent of respondents have vetted all new and existing software suppliers in the past 12 months. While this has led to 30 per cent of respondents believing with absolute certainty that their organisation will become more resilient to supply chain attacks over the next 12 months, the increasing scale and frequency of these attacks demands a proportionate response.

The problem is that many businesses fail to understand how quickly adversaries can move laterally through the network via this sort of compromise and how much damage can be done in that short amount of time. There is an educational need for the cyber industry to broadcast the potential consequences of supply chain attacks, and to share best practices around their defence and mitigation.

Adversaries use supply chain attacks as a sneaky weak point through which to creep into the enterprise and attack software further up the supply chain rather than going straight for their final target: An organisation with funds or information they wish to pilfer, or whom they will ‘merely’ disrupt. Once an adversary successfully compromises the chain, their M.O. is to modify the trusted software to perform additional, malicious activities. If not discovered, compromised software can then be delivered throughout an organisation via software updates.

Read the original article here: https://www.cbronline.com/opinion/mitigating-risk-in-supply-chain-attacks

Russia’s GRU was behind cyber attacks on Georgian government and media, says NCSC

British security officials have identified a Russian military intelligence unit as the source of a series of “large-scale, disruptive cyber attacks” on Georgia last autumn.

The former Soviet Union state suffered a spree of attacks on its government websites, national broadcasters and NGOs over several hours on 28 October 2019.

Analysts at the National Cyber Security Centre have concluded “with the highest level of probability” that the attacks, aimed at web hosting providers, were carried out by the GRU in a bid to destabilise the country.

Read more here: https://tech.newstatesman.com/security/russia-gru-cyber-attacks-georgia-ncsc

UK Google users could lose EU GDPR data protections

Google is to move the data and user accounts of its British users from the EU to the US, placing them outside the strong privacy protections offered by European regulators.

The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading General Data Protection Regulation (GDPR) and therefore with less protection and within easier reach of British law enforcement.

Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans.

Read more: https://www.theguardian.com/technology/2020/feb/20/uk-google-users-to-lose-eu-gdpr-data-protections-brexit

ISS World “malware attack” leaves employees offline

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”

The company’s website currently shows a holding page, with no clickable links on it.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.

As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.

Read the full article here: https://nakedsecurity.sophos.com/2020/02/20/iss-world-malware-attack-leaves-employees-offline/

Google is trying to scare Microsoft Edge users into switching to Chrome

Could Google be worried about the new Edge browser stealing away Chrome users? It seems that way, with the company now displaying a warning to people using Microsoft’s new web browser when they access the Chrome web store.

Originally, Microsoft’s Edge web browser was a deeply unpopular piece of software, despite it being the default web browser in Windows 10, which led Microsoft to overhaul the app, and it’s now based on the same Chromium engine as Chrome.

Edge users who visit the Chrome web store are seeing a warning message that says “Google recommends switching to Chrome to use extensions securely.”

Read more here: https://www.techradar.com/uk/news/google-is-trying-to-scare-microsoft-edge-users-into-switching-to-chrome

Your home PC is twice as likely to get infected as your work laptop

Outdated operating systems and poor security put consumer PCs at risk

Consumer PCs are twice as likely to get infected as business PCs, new research has revealed.

According to the findings, the reason consumer PCs are more susceptible to infections is due to the fact that many are running outdated operating systems such as Windows 7 and because consumers aren't employing the same security solutions used by businesses which offer greater protection.

Of the infected consumer devices, more than 35 percent were infected over three times and nearly 10 percent encountered six or more infections.

More: https://www.techradar.com/uk/news/consumer-pcs-are-twice-as-likely-to-get-infected-compared-to-business-pcs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.