Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:

Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

Over the last few years, the adoption of Office 365 in the corporate sector has significantly increased. Its popularity has attracted the attention of cyber criminals who launch phishing campaigns specifically to attack the platform. As 90% of cyber-attacks start with a phishing campaign, Office 365 is an attractive target for threat actors who work to evade the continuously introduced security solutions.

Recently, a seemingly unsophisticated Office 365 phishing campaign caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365 themed phishing website. The hackers took advantage of the fact that access to a reputable domain, such as Samsung’s, would not be blocked by security software.

To expand their campaign, the attackers also compromised several websites to inject a script that imitates the same mechanism offered by the Adobe redirection service. Further investigation revealed that the actors behind the campaign implemented a few other interesting tricks to hide the phishing kit and avoid detection at each stage of the attack.

Read more here: https://research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/

Guernsey Police warn businesses in Guernsey using Office 365 also targeted by scammers

Guernsey Police are warning local businesses about an online scam targeting users of Office 365.

Officers have been in contact with several businesses using the service who have fallen victim to phishing scams which have allowed hackers access to their email inbox.

The hackers then distribute malicious links to their contacts.

Police say using multi-factor authentication can help keep personal data safe.

Anyone who receives an unexpected email from someone they trust containing a link should contact them directly to make sure they sent it.

Read more: https://www.itv.com/news/channel/2020-06-18/guernsey-businesses-using-office-365-targeted-by-scammers/

As Businesses Reopen, A New Storm Of Cybercrime Activity Looms

There is nothing ordinary about the amount of disruption that will impact our lives moving forward as countries and states reopen following the coronavirus pandemic. In the context of the cloud, disruptions caused by COVID-19 have opened the door to another type of virus: cybersecurity threats. Today we are witnessing a rapid rise of opportunistic cybercriminal activity taking advantage of the chaos created by COVID-19.

Focal concerns about economic recovery and a potential second wave of human infection are abounding. Still, the concern for many companies should also include heightened cybersecurity threats that can easily break companies before they have a chance to relaunch. For the many companies that are already fighting to remain afloat due to challenges faced during COVID-19, a cybersecurity breach could quickly mean the end. As businesses navigate this “new normal,” they must address weaknesses in their IT strategies exposed by COVID-19 and consider implementing a better preparedness plan to avoid long-term damage.

Read more: https://www.forbes.com/sites/emilsayegh/2020/06/18/as-businesses-reopen-a-new-storm-of-cybercrime-activity-looms/#44f38a9a1a4b

Microsoft: COVID-19 malware attacks were barely a blip in total malware volume

Microsoft says that despite all the media headlines over the past few months, malware attacks that abused the coronavirus (COVID-19) theme have barely been a blip in the total volume of threats the company sees each month.

These COVID-19 attacks included emails carrying malicious file attachments (also referred to as malspam) and emails containing malicious links that redirect users to phishing sites or malware downloads.

According to Microsoft's Threat Protection Intelligence Team, the first attacks abusing a COVID-19 lure started after the World Health Organization (WHO) declared COVID-19 a global pandemic on January 30.

As the world yearned to learn more about this new disease, attacks intensified, and they peaked in March when most of the world's countries enforced stay-at-home measures.

"The week following [the WHO] declaration saw these attacks increase eleven-fold," Microsoft said. "By the end of March, every country in the world had seen at least one COVID-19 themed attack."

Read more: https://www.zdnet.com/article/microsoft-covid-19-malware-attacks-were-barely-a-blip-in-total-malware-volume/

Cyber spies use LinkedIn to hack European defence firms

LONDON (Reuters) - Hackers posed as recruiters working for U.S. defence giants Collins Aerospace and General Dynamics (GD.N) on LinkedIn to break into the networks of military contractors in Europe, cyber security researchers said on Wednesday.

The cyber spies were able to compromise the systems of at least two defence and aerospace firms in Central Europe last year by approaching employees with pseudo job offers from the U.S. firms.

The attackers then used LinkedIn’s private messaging feature to send documents containing malicious code which the employees were tricked into opening.

The researcher declined to name the victims, citing client confidentiality, and said it was unclear if any information was stolen. General Dynamics and Collins Aerospace, which is owned by Raytheon Technologies RTX.N, declined immediate comment.

The researchers were unable to determine the identity of the hackers but said the attacks had some links to a North Korean group known as Lazarus, which has been accused by U.S. prosecutors of orchestrating a string of high-profile cyber heists on victims including Sony Pictures and the Central Bank of Bangladesh.

Read more here: https://uk.reuters.com/article/us-cyber-linkedin-hacks/cyber-spies-use-linkedin-to-hack-european-defence-firms-idUKKBN23O2L7

Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'

Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”

Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis, but not-compulsory step, of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.

But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.

Read more here: https://www.theregister.com/2020/06/19/australia_state_cyberattack/

Google removes 106 Chrome extensions for collecting sensitive user data

Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data.

The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published this week.

These extensions posed as tools to improve web searches, convert files between different formats, as security scanners, and more.

But in reality the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).

Read more here: https://www.zdnet.com/article/google-removes-106-chrome-extensions-for-collecting-sensitive-user-data/

AWS stops largest DDoS attack ever

Amazon has revealed that its AWS Shield service was able to mitigate the largest DDoS attack ever recorded at 2.3 Tbps back in February of this year.

The company's new AWS Shield Threat Landscape report provided details on this attack and others mitigated by its AWS Shield protection service.

While the report did not identify the AWS customer targeted in the DDoS attack, it did say that the attack itself was carried out using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and lasted for three days.

https://www.techradar.com/news/aws-stops-largest-ddos-attack-ever

Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centres, power grids, and elsewhere.

The flaws, dubbed Ripple20, includes multiple remote code execution vulnerabilities and affects "hundreds of millions of devices (or more)."

Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.

Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.

Read more: https://www.infosecurity-magazine.com/news/ripple20-vulnerabilities-discovered/

Unpatched vulnerability identified in 79 Netgear router models

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.

The vulnerability has been discovered by two security researchers independently, namely Adam Nichols from cyber-security GRIMM and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT.

According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.

This lack of proper security protections opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.

More here: https://www.zdnet.com/article/unpatched-vulnerability-identified-in-79-netgear-router-models/

New Mac malware uses 'novel' tactic to bypass macOS Catalina security

Security researchers have discovered a new Mac malware in the wild that tricks users into bypassing modern macOS app security protections.

In macOS Catalina, Apple introduced new app notarization requirements. The features, baked in Gatekeeper, discourage users from opening unverified apps — requiring malware authors to get more creative with their tactics.

As an example, researchers have discovered a new Trojan horse malware actively spreading in the wild via poisoned Google search results that tricks users into bypassing those protections themselves.

The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer. But once it's mounted on a user's machine, it displays instructions guiding users through the malicious installation process.

Read more: https://appleinsider.com/articles/20/06/18/new-mac-malware-uses-novel-tactic-to-bypass-macos-catalina-security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony talks about the CIA, or AIC, triad

What is the CIA triad, or AIC triad to distinguish it from one of the US intelligence agencies?

C, I & A relate to Confidentiality, Integrity and Availability.

Confidentiality is the protection of IT assets and data from unauthorised users. Integrity is ensuring that data is accurate, able to be relied upon and has not been changed or modified in an unauthorised manner and availability is ensuring that IT assets, data and networks are available to authorised users when they need it to be.

A loss of any one of these could be catastrophic to your business so you need to make sure you have appropriate controls in place to protect and if necessary recover from any problems.

Talk to us to see how we can help you.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:

Honda Hit by Ransomware: Attack Follows Major 2019 Data Breach

Honda has confirmed a cyber attack on its networks that is widely believed to have involved deployment of the “Snake” ransomware.

The £22 billion by market capitalisation automotive giant has admitted that production, sales and development activities are all hit.

Chatter on social networks suggests production globally has been stopped.

The attack comes after Honda last year left an Elasticsearch database exposed to the public, with upwards of 40GB of data relating to the firm’s internal systems and devices spotted by security researchers.

Read more here: https://www.cbronline.com/news/honda-hacked-data-breach

Crooks hijack “Black Lives Matter” to spread zombie malware

Community-focused cyber security website abuse.ch has warned of a malware spreading campaign that is using “Black Lives Matter” to draw victims in.

Sneakily, the crooks have broadened the reach of their attack by keeping their emails short and objective – the crooks very deliberately haven’t taken a social or political position, but have instead invited recipients to comment anonymously on the issue.

Samples seen have their subject, body text, attachment description and filename chosen randomly each time from a list of similar text strings.

Read more here: https://nakedsecurity.sophos.com/2020/06/11/crooks-hijack-black-lives-matter-to-spread-zombie-malware/

Hackers for hire ‘targeted hundreds of institutions’

A hackers-for-hire group dubbed “Dark Basin” has targeted thousands of individuals and hundreds of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies, according to the internet watchdog Citizen Lab. 

Researchers discovered almost 28,000 web pages created by hackers for personalised “spear phishing” attacks designed to steal passwords, according to a report published on Tuesday by Citizen Lab, part of the University of Toronto’s Munk School. 

Read more: https://www.ft.com/content/315aceba-935a-4e70-83c4-1d1fd7cf939b

Is a ‘Cyber Pandemic’ Coming?

For more than a decade, security leaders predicted that a “Cyber Pearl Harbour” or “Cyber 9/11” was coming that would dramatically change society as we know it.

However, over the past few years, these bold predictions that the Internet sky is falling have largely dropped off the map — until this past week under a new name.

The main reason that most cyber prognosticators dropped these scary predictions seemed to be an overdose of Fear, Uncertainty and Doubt (FUD) was bad for business and seemed to be getting old. Like constantly predicting the stock market will crash, people were getting tired of these messages. Rather, most experts started to shift to more of a pragmatic approach to future cybersecurity predictions, with ample research backing up claims.

But this trend quietly changed this past week, under a new name inspired by COVID-19.

While the majority of people were focused this past week on peaceful protests against police brutality and the death of George Floyd, or rioting in some cities, or the surprisingly positive jobs numbers and stock market performance, several well-respected leaders and groups are now predicting that a “cyber pandemic” is coming soon.

Read more here: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/is-a-cyber-pandemic-coming.html

UPnP flaw exposes millions of network devices to attacks over the Internet

Millions of routers, printers, and other devices can be remotely commandeered by a new attack that exploits a security flaw in the Universal Plug and Play network protocol, a researcher said.

CallStranger, as the exploit has been named, is most useful for forcing large numbers of devices to participate in distributed denial of service—or DDoS—attacks that overwhelm third-party targets with junk traffic. CallStranger can also be used to exfiltrate data inside networks even when they’re protected by data loss prevention tools that are designed to prevent such attacks. The exploit also allows attackers to scan internal ports that would otherwise be invisible because they’re not exposed to the Internet.

Billions of routers and other so-called Internet-of-things devices are susceptible to to the attack, however, a vulnerable device must have UPnP, as the protocol is known, exposed on the Internet.

The 12-year-old UPnP protocol simplifies the task of connecting devices by allowing them to automatically find each other over a network.

Read more here: https://arstechnica.com/information-technology/2020/06/upnp-flaw-exposes-millions-of-network-devices-to-attacks-over-the-internet/

Unsecured databases bombarded by cyberattacks

Security researchers often report finding unsecured databases online, waiting to be discovered and exploited. Sometimes, these databases remain unprotected for only a few hours, and on other occasions could sit open for weeks.

New research from Comparitech show that hackers are able to identify and exploit these unprotected databases much faster than businesses might think.

The firm set up a fake user database, which it intentionally exposed via an Elasticsearch instance. Only eight hours later, the database received its first unauthorised request (Comparitech broadly refers to these requests as “attacks”).

Five days later, the database was indexed on Shodan.io (an IoT search engine) and incurred two new attacks within a minute of the event, and 22 in total that day.

Over the course of the 12-day experiment, the database was attacked 175 times.

Read more here: https://www.itproportal.com/news/unsecured-databases-bombarded-by-cyberattacks/

60 percent of organizations expect to suffer attacks by email

Email is still a favourite attack route for cyber criminals a new study reveals, 77 percent of respondents to a survey say they have or are actively rolling out a cyber resilience strategy, yet an astounding 60 percent of respondents believe it is inevitable or likely they will suffer from an email-borne attack in the coming year.

The same threats that organisations have faced for years continue to play out with tactics matched to world events to evade detection. The increases in remote working due to the global pandemic have only amplified the risks businesses face from these threats, making the need for effective cyber resilience essential.

Read more: https://betanews.com/2020/06/09/attacks-by-email/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second quick fire video summary of the top cyber and infosec stories from the last week:

Half of employees admit they are cutting corners when working from home

Half of employees are cutting corners with regards to cyber security while working from home – and could be putting their organisation at risk of cyber attacks or data breaches as a result.

The coronavirus pandemic has forced both employers and employees to quickly adjust to remote working – and, often without the watchful eyes of IT and information security teams, workers are taking more risks online and with data than they would at the office.

Analysis by researchers reveals that 52% of employees believe they can get away with riskier behaviour when working from home, such as sharing confidential files via email instead of more trusted mechanisms.

Some of the top reasons employees aren't completely following the same safe data practices as usual include working from their own device, rather than a company issued one, as well as feeling as if they can take additional risks because they're not being watched by IT and security.

In some cases, employees aren't purposefully ignoring security practices, but distractions while working from home are having an impact on how people operate.

Meanwhile, some employees say they're being forced to cut security corners because they're under pressure to get work done quickly.

Half of those surveyed said they've had to find workarounds for security policies in order to efficiently do the work they're required to do – suggesting that in some cases, security policies are too much of a barrier for employees working from home to adapt to.

Read more here: https://www.zdnet.com/article/cybersecurity-half-of-employees-admit-they-are-cutting-corners-when-working-from-home/

C-Level Executives the Weakest Link in Organisations’ Mobile Security

C-suite executives are the people most susceptible to mobile-based cyber-attacks in businesses, according to a new study. The report found that while these executives are highly targeted by cyber-criminals in attacks on organisations, they are also more likely than anyone else to have a relaxed attitude to mobile security.

In the analysis, research from 300 enterprise IT decision makers across Benelux, France, Germany, the UK and the US was combined with findings from 50 C-level executives from the UK and the US. It revealed that many C-level executives find mobile security protocols frustrating, with 68% feeling IT security compromises their personal privacy, 62% stating it limits the usability of their device and 58% finding it too complex to understand.

As a result of these issues, 76% of C-suite executives had asked to bypass one or more of their organisation’s security protocols last year. This included requests to: gain network access to an unsupported device (47%), bypass multi-factor authentication (45%) and obtain access to business data on an unsupported app (37%).

These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach. Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, multi-factor identification – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-suite execs.

To exacerbate this issue, IT decision makers included in the study overwhelmingly stated that C-suite is the group most likely to both be targeted by (78%), and fall victim to (71%), phishing attacks.

These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cyber security, while execs often see themselves as above security protocols.

Read more: https://www.infosecurity-magazine.com/news/executives-weakest-link-mobile/

Majority of companies suffered a cloud data breach in the past 18 months

Nearly 80% of companies have experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new survey reveals.

According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.

Meanwhile, 80% reported they are unable to identify excessive access to sensitive data in IaaS/PaaS environments. Only hacking ranked higher than misconfiguration errors as a source of data breaches.

Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments.

Read the original article here: https://www.helpnetsecurity.com/2020/06/03/cloud-data-breach/

NSA and NCSC publicly warn of attacks by Kremlin hackers – so take this critical Exim flaw seriously

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance agency said last week that the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

Read more here: https://www.theregister.com/2020/05/29/nsa_warns_of_gru/

Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise’

Cisco has disclosed four critical security flaws affecting router equipment that uses its IOS XE and IOS software.

The four critical flaws are part of Cisco's June 3 semi-annual advisory bundle for IOS XE and IOS networking software, which includes 23 advisories describing 25 vulnerabilities.

Read more: https://www.zdnet.com/article/ciscos-warning-critical-flaw-in-ios-routers-allows-complete-system-compromise/

Malware-laced CVs steal banking credentials from users' PCs

If you work for a financial institution that happens to be hiring, be extra careful when downloading and opening CVs - many could be carrying a password-stealing banking malware.

This is according to a new report which identified the new malware distribution campaign in the wild.

According to the report, criminals are sending out emails with the subject lines “applying for a job” and “regarding job”, containing an Excel attachment with a malicious macro. Once the file is opened, the victim is prompted to “enable content”, which triggers the download of ZLoader malware.

ZLoader is capable of stealing credentials from the infected PC, as well as passwords and cookies stored in the target’s browser. With the stolen intel, the attacker could also use the victim’s device to make illicit financial transactions.

Read more: https://www.itproportal.com/news/malware-laced-cvs-steal-banking-credentials-from-users-pcs/

Hackers are targeting your smartphone as way into the company network, mobile phishing up a third in a few months

The number of phishing attacks targeting smartphones as the entry point for attempting to compromise enterprise networks has risen by more than a third over the course of just a few months.

Analysis by cyber security company Lookout found that there's been a 37% increase in mobile phishing attacks worldwide between the last three months of 2019 and the first few months of 2020 alone.

Phishing emails have long been a problem for desktop and laptop users, but the increased use of mobile devices – especially as more people are working remotely – has created an additional attack vector for cyber criminals who are targeting both Android and IOS phones.

Attacks targeting desktop email applications can leave tell-tale signs that something might not be quite right, such as being able to preview links and attachments, or see email addresses and URLs that might look suspicious.

However, this is harder to spot on mobile email, social media and messaging applications because the way they're designed for smaller screens.

Read more here: https://www.zdnet.com/article/cybersecurity-warning-hackers-are-targeting-your-smartphone-as-way-into-the-company-network/

Tens of thousands of malicious Android apps flooding user devices

Tens of thousands of dangerous Android apps are putting mobile users at heightened risk of fraud and cyber attack, a report has claimed.

A mobile security firm identified over 29,000 malicious Android apps in active use during Q1 2020, double the number logged in the same quarter last year (just over 14,500).

The investigation also showed that almost all (90%) of the ten most malicious apps were - or are still - present on the official Google Play Store. This suggests that hackers consistently found ways to dance their way through Google’s vetting system.

In line with this trend, this time period also saw a 55% rise in fraudulent transactions on Android platforms, as well as a spike in the number of malware-infected devices.

Read more here: https://www.techradar.com/news/tens-of-thousands-of-malicious-android-apps-flooding-google-play-store

George Floyd: Anonymous hackers re-emerge amid US unrest

As the United States deals with widespread civil unrest across dozens of cities, "hacktivist" group Anonymous has returned from the shadows.

The hacker collective was once a regular fixture in the news, targeting those it accused of injustice with cyber-attacks.

After years of relative quiet, it appears to have re-emerged in the wake of violent protests in Minneapolis over the death of George Floyd, promising to expose the "many crimes" of the city's police to the world.

However, it's not easy to pin down what, if anything, is genuinely the mysterious group's work.

The "hacktivist" collective has no face, and no leadership. Its tagline is simply "we are legion", referring to its allegedly large numbers of individuals.

Without any central command structure, anyone can claim to be a part of the group.

This also means that members can have wildly different priorities, and there is no single agenda.

But generally, they are activists, taking aim at those they accuse of misusing power. They do so in very public ways, such as hijacking websites or forcing them offline.

Their symbol is a Guy Fawkes mask, made famous by Alan Moore's graphic novel V for Vendetta, in which an anarchist revolutionary dons the mask to topple a corrupt fascist government.

Read the original article: https://www.bbc.co.uk/news/technology-52879000

EasyJet Cyber Attack Likely the Work of Chinese Hackers

The recent high-profile cyber attack that struck British budget airline easyJet may have been carried out by Chinese hackers, new research and multiple sources have suggested.

The cyber attack, which saw the email addresses and travel details of millions of passengers being robbed—as well as the credit card details of some 2,000—was reportedly conducted by the very same group of Chinese hackers responsible for other attacks on a number of airlines in recent months.

Read more: https://www.cpomagazine.com/cyber-security/easyjet-cyber-attack-likely-the-work-of-chinese-hackers/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

In this week's Tip Tuesday, Bruce looks at the role of HR in Cyber Security.

Cyber Security, and the wider field of Information Security, require a combination of technical controls and people controls to reduce risk. HR has a major role in both.

This is more than education and awareness programmes.

It's about ensuring the leadership team demonstrate consistently good practices, because employees watch what their leaders do and will follow their behaviours more than their words.

HR should also work with managers to drive an appropriate conduct management for employees who deliberately circumvent or disregard cyber security controls.

It am not talking about punishing honest mistakes, because it is important to foster a culture where employees quickly admit mistakes.

I am talking here about employees who do things like repeatedly sharing passwords, or leaving their computer screen unlocked, or leaving confidential papers on their desk overnight. Or worse, an employee who abuses their system access privileges or makes fraudulent transactions.

Contact us to see how people controls and technical controls fit together as part of your defence in depth.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

60ish second video roundup

Cyber-Criminals Impersonating Google to Target Remote Workers

Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.

According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.

Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).

Read the full article here: https://www.infosecurity-magazine.com/news/cyber-criminals-impersonating/

Ransomware Demands Soared 950% in 2019

Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data.

A new report claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.

As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.

The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.

Read more: https://www.infosecurity-magazine.com/news/ransomware-demands-soared-950-in/

Use of cloud collaboration tools surges and so do attacks

The COVID-19 pandemic has pushed companies to adapt to new government-mandated restrictions on workforce movement around the world. The immediate response has been rapid adoption and integration of cloud services, particularly cloud-based collaboration tools such Microsoft Office 365, Slack and videoconferencing platforms. A new report shows that hackers are responding to this with increased focus on abusing cloud account credentials.

Analysis of cloud usage data that was collected between January and April from over 30 million enterprise indicated a 50% growth in the adoption of cloud services across all industries. Some industries, however, saw a much bigger spike--for example manufacturing with 144% and education with 114%.

The use rate of certain collaboration and videoconferencing tools has been particularly high. Cisco Webex usage has increased by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%. Again, manufacturing and education ranked at the top.

More here: https://www.csoonline.com/article/3545775/use-of-cloud-collaboration-tools-surges-and-so-do-the-attacks-report-shows.html

Huge rise in hacking attacks on home workers during lockdown

Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.

The proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later, according to new data.

Attacks specifically aimed at exploiting the chaos wrought by Sars-CoV-2 have been evident since January, when the outbreak started to garner international news headlines.

The attacks have increased in sophistication, specifically targeting coronavirus-related anxieties rather than the more usual attempts at financial fraud or extortion.

In early May “a large malicious email campaign” was detected against UK businesses that told employees they could choose to be furloughed if they signed up to a specific website.

Read more here: https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown?CMP=share_btn_tw

EasyJet faces £18 billion class-action lawsuit over data breach

UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach.

Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyber attack, including over 2,200 credit card records.

The "highly sophisticated" attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers.

The carrier did not explain how or exactly when the data breach took place, beyond that "unauthorized access" has been "closed off."

The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified, of which the latter has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security.

Last year, British Airways faced a "notice of intent" filed by the ICO to fine the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.

Read the full article here: https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/

Data Breach at Bank of America

Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).

Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.

The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.

Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.

More Here: https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/

Apple sends out 11 security alerts – get your fixes now!

Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.

There were 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.

11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.

Read more: https://nakedsecurity.sophos.com/2020/05/27/apple-sends-out-11-security-alerts-get-your-fixes-now/

NSA warns of new Sandworm attacks on email servers

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyber attacks against email servers conducted by one of Russia's most advanced cyber-espionage units.

The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability.

Read more: https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/

DoubleGun Group Builds Massive Botnet Using Cloud Services

An operation from the China-based cybercrime gang known as DoubleGun Group has been disrupted, which had amassed hundreds of thousands of bots that were controlled via public cloud services, including Alibaba and Baidu Tieba.

Researchers in a recent post said that they noticed DNS activity in its telemetry that traced back to a suspicious domain controlling mass amounts of infected Windows devices. Analysis of the command-and-control (C2) infrastructure of the operation and the malware used to build the botnet showed that the effort could be attributed to a known threat group – DoubleGun, a.k.a. ShuangQiang.

Read more: https://threatpost.com/doublegun-massive-botnet-cloud-services/156075/

Malicious actor holds at least 31 stolen SQL databases for ransom

A malicious cyber actor or hacking collective has reportedly been sweeping the internet for online stores’ unsecured SQL databases, copying their contents, and threatening to publish the information if the rightful owners don’t pay up.

The perpetrator has stolen the copied versions of at least 31 SQL databases, which have been put up for sale on an unnamed website. These databases constitute roughly 1.620 million rows of information, including e-commerce customers’ names, usernames, email addresses, MD5-hashed passwords, birth dates, addresses, genders, account statuses, histories and more

Read more: https://www.scmagazine.com/home/security-news/data-breach/malicious-actor-holds-at-least-31-stolen-sql-databases-for-ransom/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's cyber tip Tuesday. This week James is talking about diffusion of responsibility and the problems it can cause.

Security is often a casualty of diffusion of responsibility.

This is characterised as the decreased responsibility of action and consequence that individuals feel, when they are part of a group.

As information security is, by definition, the responsibility of everybody within an organisation, the conditions offer a perfect environment for this well-documented psychological phenomenon to emerge.

You can mitigate this by introducing tighter technical controls to support your existing policies but a more effective approach is to work with your people to re-introduce individual responsibility for security.

This can be through frequent training and awareness programs or by incentivising positive behaviours.

If you'd like to know more about how your organisation can protect itself better, please get in touch.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Cyber-Attacks on UK Organisations Up 30% in Q1 2020

New research has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020.

Analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute.

This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.

IoT applications were cited as the most common targets for cyber-criminals in the first quarter, attracting almost 19,000 online attacks per company. Company databases and file-sharing systems were also targeted frequently, with companies experiencing approximately 5000 attacks for each application, on average.

Read more here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-orgs-up-30-q1/

COVID-19 blamed for 238% surge in cyber attacks against banks

The coronavirus pandemic has been connected to a 238% surge in cyber attacks against banks, new research claims.

On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyber attack attempts between February and April this year -- the same months in which COVID-19 began to spread rapidly across the globe.  

The cyber security firm's research, which includes input from 25 CIOS at major financial institutions, adds that 80% of firms surveyed have experienced more cyber attacks over the past 12 months, an increase of 13% year-over-year.

VMware Carbon Black data already indicates that close to a third -- 27% -- of all cyber attacks target either banks or the healthcare sector.

An interesting point in the report is how there appears to have been an uptick in financially-motivated attacks around pinnacles in the news cycle, such as when the US confirmed its first case of COVID-19.

In total, 82% of chief information officers contributing to the report said that alongside a spike in attacks, techniques also appear to be improving -- including the use of social engineering and more advanced tactics to exploit not only the human factor but also weak links caused by processes and technologies in use by the supply chain.

Read more here: https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/

May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical

Microsoft's May 2020 Patch Tuesday fell this week, and Microsoft have released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low.

This month there are no zero-day or unpatched vulnerabilities.

Users should install these security updates as soon as possible to protect Windows from known security risks.

Read more here: https://www.bleepingcomputer.com/news/microsoft/may-2020-patch-tuesday-microsoft-fixes-111-vulnerabilities-13-critical/

Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat

Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software.

On Tuesday, the software giant issued two security advisories (1, 2) detailing the bugs, the worst of which can be exploited by attackers to trigger remote code execution attacks and information leaks.

The first set of patches relate to Adobe Acrobat and Reader for Windows and macOS, including  Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.

In total, 12 critical security flaws have been resolved. Six of the bugs, a single heap overflow problem, two out-of-bounds write errors, two buffer overflow issues, and two use-after-free vulnerabilities can all lead to arbitrary code execution in the context of the current user.

Read more here: https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/

Thunderbolt flaw ‘Thunderspy’ allows access to a PC’s data in minutes

Vulnerabilities discovered in the Thunderbolt connection standard could allow hackers to access the contents of a locked laptop’s hard drive within minutes, a security researcher from the Eindhoven University of Technology has announced. Reports state that the vulnerabilities affect all Thunderbolt-enabled PCs manufactured before 2019.

Although hackers need physical access to a Windows or Linux computer to exploit the flaws, they could theoretically gain access to all data in about five minutes even if the laptop is locked, password protected, and has an encrypted hard drive. The entire process can reportedly be completed with a series of off-the-shelf components costing just a few hundred dollars. Perhaps most worryingly, the researcher says the flaws cannot be patched in software, and that a hardware redesign will be needed to completely fix the issues.

Read more here: https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops

A hacker group is selling more than 73 million user records on the dark web

A hacker group going by the name of ShinyHunters claims to have breached ten companies and is currently selling their respective user databases on a dark web marketplace for illegal products.

The hackers are the same group who breached last week Tokopedia, Indonesia's largest online store. Hackers initially leaked 15 million user records online, for free, but later put the company's entire database of 91 million user records on sale for $5,000.

Encouraged and emboldened by the profits from the Tokopedia sale, the same group has, over the course of the current week, listed the databases of 10 more companies.

This includes user databases allegedly stolen from organizations such as:

·         Online dating app Zoosk (30 million user records)

·         Printing service Chatbooks (15 million user records)

·         South Korean fashion platform SocialShare (6 million user records)

·         Food delivery service Home Chef (8 million user records)

·         Online marketplace Minted (5 million user records)

·         Online newspaper Chronicle of Higher Education (3 million user records)

·         South Korean furniture magazine GGuMim (2 million user records)

·         Health magazine Mindful (2 million user records)

·         Indonesia online store Bhinneka (1.2 million user records)

·         US newspaper StarTribune (1 million user records)

The listed databases total for 73.2 million user records, which the hacker is selling for around $18,000, with each database sold separately.

Read more here: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

A cybercrime store is selling access to more than 43,000 hacked servers

MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018.

Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.

Today, MagBo has become the de-facto go-to marketplace for many cybercrime operations. Some groups register on the MagBo platform to sell hacked servers, while others are there just to buy.

Those who buy, do it either in bulk (for black-hat SEO or for malware distribution) or selectively, for intrusions at high-value target (e-commerce stores for web skimming, intranets for ransomware).

All in all, the MagBo platform cannot be ignored anymore, as it appears to be here to stay, and is placing itself at the heart of many of today's cybercrime operations.

Read more: https://www.zdnet.com/article/a-cybercrime-store-is-selling-access-to-more-than-43000-hacked-servers/

Ransomware: Why paying the crooks can actually cost you more in the long run

Ransomware is so dangerous because in many cases the victim doesn't feel like they have any other option other than to pay up – especially if the alternative is the whole organisation being out of operation for weeks, or even months, as it attempts to rebuild the network from scratch.

But handing over a bitcoin ransom to cyber criminals can actually double the cost of recovery according to analysis by researchers at Sophos, published in the new State of Ransomware 2020 report, which has been released three years to the day from the start of the global WannaCry ransomware outbreak.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.

Often, this is because retrieving the encryption key from the attackers isn't a simple fix for the mess they created, meaning that not only does the organisation pay out a ransom, they also have additional costs around restoring the network when some portions of it are still locked down after the cyber criminals have taken their money.

According to the report, one in four organisations said they paid the ransom in order to get their files back. It's one of the key reasons why ransomware remains a successful tactic for crooks, because victims pay up – often sums of six-figures or more – and are therefore encouraging cyber criminals to continue with attacks that often can't be traced back to a culprit.

Read the full article here: https://www.zdnet.com/article/ransomware-why-paying-the-crooks-can-actually-cost-you-more-in-the-long-run/

This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones

A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.

Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.

The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.

The full capabilities of Mandrake – which has been observed targeting users across Europe and the Americas – are detailed in a paper released by cybersecurity researchers this week. Mandrake has been active since 2016 and researchers previously detailed how the spyware operation was specifically targeting Australian users – but now it's targeting victims around the world.

Read more: https://www.zdnet.com/article/this-powerful-android-malware-stayed-hidden-years-infected-tens-of-thousands-of-smartphones/

Companies wrestle with growing cyber security threat: their own employees

Businesses deploy analytic tools to monitor staff as remote working increases data breach risk

As cyber criminals and hackers ramp up their attacks on businesses amid coronavirus-related disruption, companies are also facing another equally grave security threat: their own employees. 

Companies are increasingly turning to Big Brother-style surveillance tools to stop staff from leaking or stealing sensitive data, as millions work away from the watchful eyes of their bosses and waves of job cuts leave some workers disgruntled.

In particular, a brisk market has sprung up for cyber security groups that wield machine learning and analytics to crunch data on employees’ activity and proactively flag worrying behaviours.

Read more here: https://www.ft.com/content/cae7905e-ced7-4562-b093-1ab58a557ff4

Cognizant: Ransomware Costs Could Reach $70m

IT services giant Cognizant has admitted that a ransomware attack it suffered back in April may end up costing the company as much as $70m.

The firm announced revenue of $4.2bn for the first quarter of 2020, an increase of 2.8% year-on-year. In this context, the $50-70m hit it expects to take in Q2 from the ransomware attack will not make a huge impact on the company.

However, the big numbers involved are illustrative of the persistent financial threat posed by ransomware, not to mention the reputational impact on customers.

The firm claimed on an earnings call that the company responded immediately to the threat, proactively taking systems offline after some internal assets were compromised. However, the resulting downtime and suspension of some customer accounts took their toll financially.

“Some clients opted to suspend our access to their networks,” they explained. “Billing was therefore impacted for a period of time, yet the cost of staffing these projects remained on our books.”

Remote workers were also affected as the attack hit the firm’s system for supporting its distributed workforce during the current pandemic.

Read more: https://www.infosecurity-magazine.com/news/cognizant-ransomware-costs-could/

Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months

Package and mail delivery giant Pitney Bowes has suffered a second ransomware attack in the past seven months, ZDNet has learned.

The incident came to light earlier in the week after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company's network.

The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company's computer network.

Pitney Bowes confirmed the incident stating they had detected a security incident related to Maze ransomware.

The company said it worked with third-party security consultants to take steps to stop the attack before any of its data was encrypted.

This is the second ransomware incident for Pitney Bowes in seven months.

In October 2019, Pitney Bowes disclosed a first ransomware attack. At the time, the company said it had some critical systems infected and encrypted by the Ryuk ransomware gang. The incident caused limited downtime to some package tracking systems.

Both the Ryuk and Maze ransomware gangs are what experts call "human-operated" ransomware strains. These types of ransomware infections take place after hackers breach a company's network, and take manual control of the malware to expand access to as many internal systems as possible before executing the actual ransomware to encrypt data and demand a ransom.

Read more here: https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/

Law Firm Representing Drake, Lady Gaga, Madonna And More Hit By Cyber Attack As Hackers Claim To Have Stolen Personal Information And Contracts

A law firm representing many of the world's most famous celebrities has been hacked.

The website of Grubman Shire Meiselas & Sacks has been taken offline, and hackers claim to have stolen some 756GB of data relating to its clients.

Singers, actors and other stars have worked with the law firm, according to old versions of its website, with more than 200 very high-profile celebrities and companies said to have used its services.

They include Madonna, Lady Gaga, Elton John and Drake.

The hackers behind the attack claim to have person information on celebrities including letters, as well as official contracts.

Hackers have already released a purported screenshot of a Madonna contract in an attempt to prove they have access to personal files.

It is not known what the hackers are demanding in return for the files, or whether negotiations are ongoing.

"We can confirm that we've been victimised by a cyber-attack," the firm said in a media statement. "We have notified our clients and our staff.

"We have hired the world's experts who specialise in this area, and we are working around the clock to address these matters."

The hack used a piece of software known as REvil or Sodinokibi. Similar software took foreign exchange company Travelex offline in January, as part of a major hack.

Traditionally, such ransomware has been used to lock down computers and demand money from their owners to unlock them again, and grant access to files.

Increasingly, hackers threaten to release those files to the public if their demands are not met.

Read the original article: https://www.independent.co.uk/life-style/gadgets-and-tech/news/celebrity-hack-law-firm-cyber-attack-drake-madonna-lady-gaga-a9511976.html

Lights stay on despite cyber-attack on UK's electricity system

Britain’s energy system has fallen victim to a cyber-attack targeting the IT infrastructure used to run the electricity market.

The electricity system’s administrator, Elexon, confirmed that it was affected by a cyber-attack on Thursday afternoon but that the key systems used to govern the electricity market were not affected.

National Grid is investigating whether the attack could affect the part of its business tasked with keeping the lights on.

A spokesman for the energy system operator said electricity supplies had not been affected, and there were “robust cybersecurity measures in place” to make sure the UK continues to receive reliable electricity.

“We’re aware of a cyber intrusion on Elexon’s internal IT systems. We’re investigating the matter and any potential impact on our own IT networks,” he said.

Elexon is a vital part of the UK electricity market because it carefully monitors the electricity generated by energy companies to match this with what National Grid expects to receive, and to make sure that generators are paid the correct amount for the energy they generate.

Read more: https://www.theguardian.com/business/2020/may/14/lights-stay-on-despite-cyber-attack-on-uks-electricity-system

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

If you’re pressed for time watch the 60 second quick fire summary of the top cyber and infosec stories from the last week:

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Coronavirus: ‘Predatory’ cyber criminals and hostile states targeting UK citizens and institutions, Dominic Raab warns UK

Dominic Raab has warned that “predatory” cyber criminals and hostile states are seeking to exploit the coronavirus pandemic, saying that UK citizens, businesses and institutions will be targeted for weeks and months ahead.

His remarks follow a joint warning from cyber security agencies in Britain and the US, urging healthcare and medical research staff to improve their password security to prevent criminals exploiting the crisis further.

Speaking at No 10 earlier in the week, Mr Raab said that while the vast majority of people and countries had rallied together, “there will always be some who seek to exploit a crisis for their own criminal and hostile ends”.

The foreign secretary said he was aware that cyber criminals and “other malicious groups” are targeting individuals and organisations in the UK by deploying Covid-19 related scams and phishing emails.

“That includes groups that in the cyber security world are known as advanced persistent threat (APT) groups – sophisticated groups of hackers who try to breach computer systems,” he said.

“We have clear evidence now that these criminal gangs are actively targeting national and international organisations which are responding to the Covid-19 pandemic, which I have to say makes them particular dangers and venal at this time.”

Read the full article here: https://www.independent.co.uk/news/uk/politics/coronavirus-cyber-crime-hack-business-dominic-raab-a9500316.html

New phishing attack targeting Microsoft Teams users aims to steal Office 365 credentials

Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees are working from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to help enhance functionality. While the communication of new features is a given, a new phishing attack that mimics notifications from the Redmond giant is being targeted at Teams users.

The specifics of the attack suggests that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the email notifications impersonate automated notification emails from Teams that are convincing enough owing to the content and design. The sender email comes from the “sharepointonline-irs.com” domain, something that is misleading and one that is not owned by Microsoft.

Read more here: https://www.neowin.net/news/new-phishing-attack-targeting-microsoft-teams-users-aims-to-steal-office-365-credentials

Ransomware Payments Surge 33% as Attacks Target Remote Access

The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organisations struggled to mitigate remote working threats.

A security vendor analysed ransomware cases handled by its own incident response team during the period to compile its latest findings.

It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.

Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.

Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.

Read the full article here: https://www.infosecurity-magazine.com/news/ransomware-payments-surge-33/

Millions of remote desktop accounts attacked every week

Since the start of the outbreak, we've seen cyber criminals target Zoom and spread coronavirus-related phishing campaigns, in a bid to take advantage of the increase in remote working.

Now, new research suggests criminals are also targeting employees reliant on Microsoft's proprietary Remote Desktop Protocol (RDP) with far greater regularity.

According to this new report, hundreds of thousands of employees use RDP as a way to remotely connect to their office computer with the same privileges they would have on site.

However, RDP is also an enticing target for criminals, who are reportedly bombarding the service with brute-force attacks in a bid to gain entry.

Prior to the coronavirus pandemic, researchers typically recorded around 100,000–150,000 attacks of this kind per day, but that number has shot up to almost a million.

Read more: https://www.itproportal.com/news/millions-of-remote-desktop-accounts-are-being-attacked-ever-week/

This phishing campaign targets executives with fake emails from their phone provider

A new spear-phishing campaign has targeted executives and others in attempt to steal login credentials and bank account details by posing as their smartphone provider.

Uncovered by researchers, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.

The security company said the spoof mail had been sent to "a few executives, including one at a leading financial firm".

The messages come with the vague subject 'View Bill – Error – Message' and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should login to their account to update their details.

Users should be cautious about unexpected messages like this – especially, if like this one, they urge some sort of immediate action – but there's also some elements of the phishing email that should act as a warning that all is not right.

Read more here: https://www.zdnet.com/article/this-phishing-campaign-targets-executives-with-fake-emails-from-their-phone-provider/

This ransomware spreads across hundreds of devices in no time at all

The LockBit ransomware contains a feature that allows attackers to encrypt hundreds of devices in just a few hours once they've breached a corporate network.

LockBit is a fairly new Ransomware-as-a-Service (RaaS) that was launched in September of last year. The developers of the ransomware are in charge of maintaining its payment site and updates while affiliates sign up to distribute the malware. LockBit's developers then earn around 25-40 percent of the ransom payments received while the affiliates earn a slightly larger share at 60-75 percent.

Researchers have published a report revealing how a LockBit ransomware affiliate hacked into a corporate network and encrypted 25 servers and 255 workstations in just three hours.

The hackers began their attack by brute-forcing an administrator account through an outdated VPN service. This gave them the administrative credentials they needed in order to deploy the LockBit ransomware on the network.

Read more: https://www.techradar.com/news/this-ransomware-spreads-across-hundreds-of-devices-in-no-time-at-all

Data security flaw exposes details of thousands of legal documents

A data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years in an online database, potentially affecting the clients of about 190 law firms.

The cache of documents, which included Companies House property transaction forms containing authentication details such as email addresses and passwords, had been scanned and uploaded by legal firms — including three of the “magic circle” — using a product from Advanced Computer Software, Britain’s third-largest software company.

Advanced, said in a statement: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.”

Leaving a security hole open for an extended period of time exposing authentication and other details was serious.

Though the exposure of legal documents is of a different scale to recent incidents — including at Virgin Media and British Airways — involving much larger customer databases, the inclusion of authentication information raised concerns about the potential impact if the exposed data fell into the wrong hands.

Read more here: https://www.ft.com/content/e0d6b6b7-825f-4102-b78f-204e1be205b6

Vulnerabilities in two VPNs opened door to fake, malicious updates

Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.

Attackers can intercept VPN communications and force the apps to download fake updates according to the researchers who discovered the flaws.

The researchers stated they were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe – have a lot of users trusting these tools to provide them with more security and privacy, not less.

Read more here: https://www.scmagazine.com/home/security-news/vulnerabilities-in-two-vpns-opened-door-to-fake-malicious-updates/

Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected

The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.

Read more here: https://www.forbes.com/sites/daveywinder/2020/05/07/samsung-confirms-critical-security-warning-for-millions-every-galaxy-after--2014-affected/#41959c3c3af7

A hacker group tried to hijack 900,000 WordPress sites over the last week

A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued this week.

Since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic being tracked.

The group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites.

The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.

Read the full article here: https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/

Popular adult streaming site just accidentally outed millions of users

Adult live streaming platform CAM4 has suffered a massive data breach, exposing the identity of millions of its users.

Discovered by security researchers, the breach was caused by a server configuration error that made 7TB of user data (comprising 10.88 billion records in total) easily discoverable online.

While the misconfigured ElasticSearch database did not betray users’ specific sexual preferences, it did include personally identifiable information including names, email addresses, payment details, chat logs and sexual orientation.

The popular adult platform is used primarily by amateur webcam models to stream explicit content to live audiences. To gain access to premium content or tip performers, users must first register with the site - parting ways with both personal and financial data.

Read more here: https://www.techradar.com/news/this-popular-adult-streaming-site-accidentally-outed-millions-of-users

Hacker Group Selling Databases With Millions Of User Credentials Busted In Poland And Switzerland

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud.

On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. Two platforms with databases containing over 170 million entries were closed down by the police.

The hacking group created online platforms to sell user login credentials known as ‘combos’. The group was efficiently organised into three defined teams. Developers created tools to test the quality of the stolen databases, while testers analysed the suitability of authorisation data. Project managers then distributed subscriptions against cryptocurrency payments.

The hacking group’s main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

Read more here: https://www.europol.europa.eu/newsroom/news/hacker-group-selling-databases-millions-of-user-credentials-busted-in-poland-and-switzerland

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second video version:

Half of remote workers feel vulnerable to growing cyber attacks

New research has revealed that almost half (49%) of employees working remotely feel vulnerable online due to the insecurity of the company laptops and PCs they are using to connect to corporate networks.

1,550 UK employees working from home during the pandemic were surveyed to better understand the security issues they've faced while working remotely.

The survey found that 42 percent of respondents received suspicious emails while 18 percent have dealt with a security breach while working from home. Of those who suffered a cyberattack, over half (51%) believed it was because they clicked on a malicious link and 18 percent believed an infected attachment was responsible.

Additionally, 42 percent of respondents reported that someone else in their household had experienced a hack of their social media accounts during the lockdown.

Read more here: https://www.techradar.com/news/half-of-remote-workers-feel-vulnerable-to-growing-cyberattacks

Many remote workers given no cyber security training

Two in three remote workers have not received any cyber security training in the past 12 months, according to a new report.

Based on a poll of 2,000 remote workers in the UK, the report states that more than three quarters (77 percent) are unconcerned about cyber security. Further, more than six in ten said they use personal devices when working from home, which poses a distinct threat to business data.

The report highlights the dangers associated with working from home and the fact cyber criminals are capitalising on the coronavirus outbreak to infect unwitting victims with malware.

With most businesses transitioning to remote working in response to lockdown measures, IT and security teams have been left with a network of unsecured, often naive workers who are easy prey for various forms of attack - especially phishing.

Read the full article here: https://www.itproportal.com/news/many-remote-workers-given-no-cybersecurity-training/

Spear-phishing campaign compromises executives at 150+ companies

A cyber crime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today.

The group, codenamed PerSwaysion, appears to have targeted the financial sector primarily, which accounted for more than half of its victims; although, victims have been recorded at companies active across other verticals as well.

PerSwaysion operations were not sophisticated, but have been extremely successful, nonetheless. Group-IB says the hackers didn't use vulnerabilities or malware in their attacks but instead relied on a classic spear-phishing technique.

They sent boobytrapped emails to executives at targeted companies in the hope of tricking high-ranking executives into entering Office 365 credentials on fake login pages.

Read the full article here: https://www.zdnet.com/article/spear-phishing-campaign-compromises-executives-at-150-companies/

Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway

Just because ransomware attackers haven't threatened to leak your company's data, it doesn't mean they haven't stolen it, Microsoft warns. 

And human-operated ransomware gangs – typically associated with multi-million dollar ransom demands – haven't halted activity during the global coronavirus pandemic.

In fact, they launched more of the file-encrypting malware on target networks in the first two weeks of April than in earlier periods, causing chaos at aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, according to Microsoft.

Read More: https://www.zdnet.com/article/microsoft-ransomware-gangs-that-dont-threaten-to-leak-your-data-steal-it-anyway/

Google Confirms New Security Threat For 2 Billion Chrome Users

Google has warned of yet more security vulnerabilities in Chrome 81, which was only launched three weeks ago.

Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.

More here: https://www.forbes.com/sites/daveywinder/2020/04/29/google-confirms-new-security-threats-for-2-billion-chrome-users/#7a3dc3cc39bc

These popular antivirus tools share a major security flaw

More than two dozen popular antivirus solutions contain a flaw that could enable hackers to delete files, trigger crashes and install malware, according to a new report.

Popular antivirus solutions such as Microsoft Defender, McAfee Endpoint Security and Malwarebytes all feature the bug, which is described as “trivial” to abuse.

The report refers to the shared vulnerability as “symlink race” – the use of symbolic links and directory junctions to link malicious files to legitimate counterparts. This all occurs in the short space of time between an antivirus scanning and deleting a file.

"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponising the tactics outlined in this blog post," said the report.

Read more: https://www.itproportal.com/news/these-popular-antivirus-tools-could-have-major-security-flaws/

Hackers are exploiting a Sophos firewall zero-day

Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."

After investigating the report, Sophos determined this was an active attack and not an error in its product.

Read more: https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/

This sophisticated new Android trojan threatens hundreds of financial apps

Researchers have discovered a sophisticated new Android trojan that bypasses security measures and scrapes data from financial applications.

First identified in March, the EventBot banking trojan abuses Android’s accessibility features to harvest financial data and intercept SMS messages, allowing the malware to circumvent two-factor authentication.

According to the firm responsible for the discovery, EventBot targets over 200 financial applications, spanning banking, money transfer and cryptocurrency wallet services.

Affected applications include those operated by major players such as HSBC, Barclays, Revolut, Paypal and TransferWise - but many more are thought to be at risk.

More: https://www.techradar.com/uk/news/this-sophisticated-new-android-trojan-threatens-hundreds-of-financial-apps

Microsoft Office 365: US issues security alert over rushed remote deployments

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic.

CISA warns that it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have lead to important security configuration oversights that could be exploited by attackers.

"In recent weeks, organizations have been forced to change their collaboration methods to support a full 'work from home' workforce," CISA notes in the new alert. 

Read more: https://www.zdnet.com/article/microsoft-office-365-us-issues-security-alert-over-rushed-remote-deployments/

Financial sector is seeing more credential stuffing than DDoS attacks

The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years according to a report published this week.

Statistics about attacks carried out against banks, credit unions, brokers, insurance, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (Saas).

The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical.

The report states that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019. This includes all the ATO variations such as:

·         Brute-force attacks - attackers try common or weak username/passwords pairs (from a preset list) to brute-force their way into an account

·         Credential stuffing - attackers try username/password pairs leaked at other sites

·         Password spraying - attackers try the same password, but against different usernames

Read more here: https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/

This buggy WordPress plugin allows hackers to lace websites with malicious code

Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.

The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend - and reportedly features on over 100,000 sites.

The exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.

Read more here: https://www.techradar.com/news/this-buggy-wordpress-plugin-allows-hackers-to-lace-websites-with-malicious-code

Zoom Gets Stuffed: Here’s How Hackers Got Hold Of 500,000 Passwords

At the start of April, the news broke that 500,000 stolen Zoom passwords were up for sale. Here's how the hackers got hold of them.

More than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums earlier this month. Some were given away for free while others were sold for as low as a penny each.

Researchers at a threat intelligence provider obtained multiple databases containing Zoom credentials and got to work analysing exactly how the hackers got hold of them in the first place.

Read more here: https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/#6586d7be5cdc

Sophisticated Android Spyware Attack Spreads via Google Play

The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia — and could be the work of the OceanLotus APT.

A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.

Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.

The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.

Read more here: https://threatpost.com/sophisticated-android-spyware-google-play/155202/

Skype phishing attack targets remote workers

Remote workers have been warned to take extra care when using video conferencing software after a new phishing scam was uncovered.

Researchers from a security firm have revealed hackers are using emails pretending to be from Skype, the popular Microsoft-owned video calling tool, in order to trick home workers into handing over their login details.

Criminals could then use these logins to access corporate networks to spread malware or steal valuable information.

Read more here: https://www.techradar.com/news/skype-phishing-attack-targets-remote-workers

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

How much security is enough security?
You can never have too much security - right…?!
Maybe not - watch to find out

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

The week in 60 seconds - video flash briefing

Over half of organisations expect remote workers to increase the risk of a data breach

Apathy towards cyber security remains one of the biggest challenges for businesses.

The majority of UK’s IT decision-makers believe remote workers will expose their businesses to the risk of a data breach.

This is according to a new report which claims the awareness of the issue has been “steadily growing” over the last three years.

While the report does not offer definitive explanations for the rise, it cites increased remote working due to the coronavirus as a contributing factor.

The percentage of employees intentionally putting data at risk dropped slightly (from 47 to 44 percent), but apathy continues to be a “major problem”.

However, remote working appears to have forced IT decision-makers to pay closer attention to security.

Almost all (96 percent) respondents acknowledged risks associated with BYOD policies and a significant portion of those (42 percent) only allow the use of pre-approved gear (up from 11 percent last year).

This change is “crucial”, as lost and misplaced devices are now the second biggest data breach cause (24 percent), behind intentionally putting data at risk (33 percent) and ahead of mishandling corporate data.

Read more: https://www.itproportal.com/news/over-half-of-organisations-expect-their-remote-workers-to-expose-them-to-the-risk-of-a-data-breach/

Trickbot Named Most Prolific #COVID19 Malware

Notorious malware Trickbot has been linked to more COVID-19 phishing emails than any other, according to new data from Microsoft.

The Microsoft Security Intelligence Twitter account made the claim on Friday.

“Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures,” it said. “This week’s campaign uses several hundreds of unique macro-laced document attachments in emails that pose as messages from a non-profit offering a free COVID-19 test.”

Microsoft has been providing regular updates through the current crisis as organizations struggle to securely manage an explosion in home working while cyber-criminals step up efforts to exploit stretched IT security teams and distracted employees.

Read more: https://www.infosecurity-magazine.com/news/trickbot-named-most-prolific/

Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D

Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.

The flaws, all rated “important” in severity, are tied to six CVEs stemming from Autodesk’s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications

Read more: https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/

1,000 may be hit by CISI website fraud attack

The CISI has launched an investigation after a website attack resulted in 1,000 customers and members being exposed to the risk of credit card fraud.

The professional body with 45,000 members says some members have reported “fraudulent activity” on their cards following a payment transaction on the CISI website.

The organisation, which provides the Certified Financial Planner and Chartered Wealth manager designations, has launched a probe with help from its insurers and KPMG.

The CISI has contacted 5,785 customers that processed a payment transaction through its website between 1 February 2020 and 15 April 2020.

It said not all of these have seen “fraudulent activity” but it anticipates about 1,000 have been exposed to a risk of fraud.

Read more: https://www.financialplanningtoday.co.uk/news/item/11502-1-000-may-be-hit-by-cisi-website-fraud-attack

Here's a list of all the ransomware gangs who will steal and leak your data if you don't pay

Starting with late 2019 and early 2020, the operators of several ransomware strains have begun adopting a new tactic.

In an attempt to put additional pressure on hacked companies to pay ransom demands, several ransomware groups have also begun stealing data from their networks before encrypting it.

If the victim -- usually a large company -- refuses to pay, the ransomware gangs threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.

Companies who may try to keep the incident under wraps, or who may not want intellectual property leaked online, where competitors could get, will usually cave in and pay the ransom demand.

While initially the tactic was pioneered by the Maze ransomware gang in December 2019, it is now becoming a widespread practice among other groups as well.

Clop, Doppenpaymer, Maze, Nefilim, Nemty, Ragnarlocker, Revil (Sodinokibi), Sekhmet, Snatch

Read the original article here for full details: https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/

Hackers have breached 60 ad servers to load their own malicious ads

A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites.

This clever hacking campaign was discovered last month and appears to have been running for at least nine months, since August 2019.

Hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.

Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files -- usually disguised as Adobe Flash Player updates.

Read more: https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/

GCHQ calls on public to report coronavirus-related phishing emails

GCHQ is asking members of the public to report suspicious emails they have received amid a wave of scams and hacking attacks that seek to exploit fear of Covid-19 to enrich cybercriminals.

The National Cyber Security Centre, a branch of the intelligence agency, has launched the suspicious email reporting service with a simple request of the public: forward any dubious emails to report@phishing.gov.uk, and the NCSC’s automated scanning system will check for scam emails and immediately remove criminal sites.

Read more here: https://www.theguardian.com/technology/2020/apr/21/gchq-calls-public-report-coronavirus-phishing-emails

Hackers exploit bug to access iPhone users’ emails

Hackers have devised a way to install malicious software on iPhones without getting the victim to download an attachment or click on any links.

Cybersecurity researchers have discovered a bug in the phone’s email app that hackers may have been exploiting since January 2018. It enables hackers to access all emails on a phone, as well as remotely modify or delete them.

Typically, an attack on a phone requires a user to download the malware, such as clicking on a link in a message or on an attachment. Yet in this case, hackers send a blank email to the user. When the email is opened, a bug is triggered that causes the Mail app to crash, forcing the user to reboot it. During the reboot, hackers could access information on the device.

The hack is virtually undetectable by victims due to the sophisticated nature of the attack and Apple’s own security measures, which often make investigating the devices for potential vulnerabilities a challenge, experts claim.

More here: https://www.thetimes.co.uk/article/hackers-exploit-bug-to-access-iphone-users-emails-ssvvztrgf

FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak

Instances of cybercrime appear to have jumped by as much as 300 percent since the beginning of the coronavirus pandemic, according to the FBI. The bureau’s Internet Crime Complain Center (IC3) said last week that it’s now receiving between 3,000 and 4,000 cybersecurity complaints every day, up from the average 1,000 complaints per day the center saw before COVID-19 took hold.

While much of this jump can be attributed to America’s daily activities increasingly moving online — newly remote workers unaware of basic security measures or companies struggling to keep externally-accessed systems secure, for example — the FBI says a lot of the increased cybercrime is coming from nation states seeking out COVID-19-related research.

More: https://www.entrepreneur.com/article/349509

309 million Facebook users’ phone numbers found online

Last weekend, researchers came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it, for the grand total of £500.

That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

Read more here: https://nakedsecurity.sophos.com/2020/04/22/309-million-facebook-users-phone-numbers-and-more-found-online/

Google Issues Warning For 2 Billion Chrome Users

Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.

Chrome has a critical security flaw across Windows, Mac and Linux and it urges users to upgrade to the latest version of the browser (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.

Read more: https://www.forbes.com/sites/gordonkelly/2020/04/18/google-chrome-81-critical-security-exploit-upgrade-warning-update-chrome-browser/#42a057f56bde

Zoom announces 5.0 update with tougher encryption and new security features

Zoom has today announced its new 5.0 update, bringing robust new security features including AES 256-bit GCM encryption.

Zoom says that AES 256-bit GCM encryption will "raise the bar for securing our users' data in transit", providing "confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar and Zoom Phone Data." The systemwide enablement of this new security standard will take place on May 30.

Zoom has also introduced a new security icon, where it has grouped its security features in one place within Zoom's meeting menu bar. It has also introduced more robust host controls, including a 'report a user' feature. Waiting rooms now default to on, as do meeting passwords and cloud recording passwords. Zoom has also introduced a new data structure for linking contacts within larger organizations. Previously, a Zoom feature designed to group users by domain name had seen thousands of random users grouped together, sharing lots of information with strangers.

Read more: https://www.androidcentral.com/zoom-announces-50-update-tougher-encryption-and-new-security-features

Temporary coronavirus hospitals face growing cybersecurity risks

The coronavirus outbreak has led to a series of temporary medical facilities opening across the U.S., most of which will use remote-care devices without the proper protection against hackers. Because of their remoteness and the overall uncertainty that pandemic’s created, cybersecurity at these temporary hospitals has fallen to the wayside and risks are at an all-time high.

Further complicating matters, most of these temporary units are highly dependent on connected medical devices to facilitate remote care. This leaves these hospitals open to hackers stealing patients’ personal health information via these connected devices.

Fortunately, there are a number of steps health care organizations can take to protect their remote facilities. Not only should organizations ensure their software is up to date and fully patched, but they should also consider enabling two-factor authentication for every account that’s granted access to the remote center’s system.

To assist with securing these remote health care locations, Microsoft has expanded the availability of its AccountGuard security service program. Currently offered at no cost to health care providers on the front lines of the coronavirus outbreak, Microsoft’s AccountGuard service helps targeted organizations protect themselves from ongoing cybersecurity threats.

Read more: https://www.itpro.co.uk/security/cyber-security/355420/temporary-coronavirus-hospitals-facing-growing-cybersecurity-risks

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Tip Tuesday, this week Bruce talks about the basics of Ransomware.

Ransomware is malicious software, or malware, that criminals install on your computer to encrypt your data and lock down your computers. The criminal then demands payment in exchange for giving you back your information.

This usually starts with your employee clicking on a link in an email or an attachment. The malware then spreads across your network and corrupts your computers. In some cases, it will also take a copy of your data and send it to the criminal.

One of the classic ways to reduce the risk of successful ransomware is to take a regular back up of your information, so that you can revert to that copy and continue with your business. But now criminals are threatening to publish your confidential information online if you don't pay, which can severally damage your reputation and potentially destroy your business.

So the best thing is to avoid being a victim by implementing a range of controls, including stopping the criminal entering your system.