Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Former Uber security executive charged with data breach cover-up

Uber’s former chief security officer has been charged with obstruction of justice over accusations that he attempted to cover up a 2016 hack of the company, which exposed the personal details of 57m users and drivers.

Prosecutors said Joseph Sullivan, 52, hid the breach from the relevant authorities, and instead paid a ransom to the hackers and had them sign non-disclosure agreements stating, falsely, that they had not stolen personal information.

“The agreements contained a false representation that the hackers did not take or store any data,” prosecutors said in a press release. “When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements.”

Mr Sullivan, who worked at Facebook prior to Uber, is said to have authorised the payment to the hackers of $100,000 in bitcoin, disguising the fee as coming via the company’s legitimate “bug bounty” programme — normally used to pay well-intentioned cyber security experts for discovering flaws and vulnerabilities.

It was not until November 2017, almost a year after Mr Sullivan allegedly knew the attack took place, that Uber revealed its knowledge of the breach and Mr Sullivan was dismissed.

Why this matters?

Not only was a criminal act conducted against Uber but a further criminal act was then conducted within the firm to cover it up. This shows what is at stake, that people will go to lengths to cover things up and that strong governance is needed and appropriate controls, and rewards, need to be in place across the organisation to encourage good behaviours.

Read more: https://www.ft.com/content/aff1fe76-418e-4f93-ba27-5a3c888c4252

Half of anti-malware products fail to recognize notable threats

Many of the most popular, well-established cyber security solutions do not protect their users from all notable threats, according to new analysis from SE Labs.

The security firm tested 14 of the world’s most popular cyber security solutions and, while products from Microsoft and Kaspersky Lab scored 100 percent, more than half failed to identify all threats.

"While the numbers of 'misses' are not out of this world, it's disappointing to see big brand products miss well-known threats," said Simon Edwards, CEO at SE Labs.

"Although we do 'create' threats by using publicly available free hacking tools, we don't write unique malware so there is no technical reason why any vendor being tested should do poorly."

According to SE Labs, the firm used common threats that affect the general public to conduct the tests, as well as more targeted forms of attack.

"In some cases the bad guys actually help us out, by sending our own organization the same types of malware that they use to target other potential victims. The Emotet malware campaign that ran in July of this year was a notable example," Edwards added.

With the Covid-19 pandemic forcing employees to remain at home, it has never been more important to protect devices and data from cyberthreats. Businesses and consumers alike are advised to keep their operating systems, applications and cybersecurity solutions up to date.

Why this matters:

Many firms put too much faith in technical controls, yet reports like this prove the point that technical controls are not as good as many people believe.Technical controls, even the best technical controls, only go so far when information security is a whole of business risk and people controls are needed in addition to technical controls to keep a firm safe.

Read more: https://www.itproportal.com/news/half-of-anti-malware-products-fail-to-recognize-notable-threats/

Hundreds of millions of Instagram, TikTok, YouTube accounts compromised by data breach

Security researchers have discovered an exposed database online which contains scraped data from the social media profiles of nearly 235m Instagram, TikTok and YouTube users.

For those unfamiliar with the practice, web scraping is an automated technique used to gather data from websites that is often employed by analytics firms who use it to create large databases of user information. Although the practice is legal, it is strictly prohibited by social media companies as it puts the privacy of their users and their data at risk.

Researchers discovered three identical copies of the exposed database online at the beginning of August. After examining the database they learned that it belonged to a company called Deep Social which has shut down its operations.

Why this matters

Big beaches like these, where data has been taken from different sources, breaches and public databases, can give attackers an incredible amount of data on you, probably enough to then start attacking your home or your employer. Even as far as identity theft type attacks.

Read more: https://www.techradar.com/news/hundreds-of-millions-of-instagram-tiktok-youtube-accounts-compromised-by-data-breach

Working from home causes surge in security breaches, staff 'oblivious' to best practices

The COVID-19 pandemic shows little sign of slowing down, and for many businesses, employees are still working remotely and from home offices.

While some companies are gearing towards reopening their standard office spaces in the coming months -- and have all the challenges associated with how to do so safely to face -- they may also be facing repercussions of the rapid shift to remote working models in the cyber security space.

In the clamor to ensure employees could do their jobs from home, the enterprise needed to make sure members of staff had the right equipment as well as network and resource access.

However, according to Malwarebytes, the rushed response to COVID-19 in the business arena has created massive gaps in cyber security -- and security incidents have increased as a result.

On Thursday, the cyber security firm released a report (.PDF), "Enduring from Home: COVID-19's Impact on Business Security," examining the impact of the novel coronavirus in the security world.

Company telemetry and a survey conducted with 200 IT and cyber security professionals suggest that since the start of the pandemic, remote workers have caused a security breach in 20% of organisations.

As a result, 24% of survey respondents added that their organizations had to pay unexpected costs to address cyber security breaches or malware infections after shelter-in-place orders were imposed.

Why this matters:

Months into this pandemic and staff working from home many staff are still oblivious to what they should and should not be doing and some firms are not doing a good enough job of getting their staff to appreciate the role they playing in helping to keep their firm’s safe.

Read more: https://www.zdnet.com/article/working-from-home-trend-causes-surge-in-cybersecurity-costs-security-breaches/

Two-fifths of firms have sacked staff for cybersecurity breaches during Covid, poll shows

Almost two-fifths of business decision-makers (39 per cent) have dismissed employees because of a cyber security policy breach since the pandemic began, a survey has found.

The research polled 200 UK business decision-makers and found more than half (58 per cent) of firms believed that working from home made employees more likely to circumvent security protocols – including through the use of personal laptops and failing to change passwords.

To combat poor employee security practices, more than half (55 per cent) of those surveyed had banned, or planned to ban, staff from using personal devices to work from home.

Meanwhile, 57 per cent were implementing more measures to securely authenticate employees, including biometric data checks such as fingerprint and facial recognition technology, and multi-factor authentication steps to access certain files, applications and accounts.

The poll found that almost two-thirds (65 per cent) had made substantial changes to their cybersecurity policies in response to breaches and to Covid-19.

Why this matters:

It is imperative employers revisited their data security protocols in light of widespread home working. Employers need to communicate that the same principles of data protection apply at home as in the office, including that a breach could lead to severe disciplinary action. The importance of securing data and directing employees accordingly cannot be underestimated as the employer could find themselves responsible for significant data breaches if they have not taken appropriate steps to protect it.

Separately, a report by recruitment firm Robert Walters has found that up to 65,000 cyber attacks take place on UK SMEs every day, with 4,500 successful. The report, Cyber security: Building Business Resilience, found that almost half (48 per cent) of UK companies admitted to not having adequate cyber security provision to maintain a fully remote working model.

Read more: https://www.peoplemanagement.co.uk/news/articles/two-fifths-firms-sacked-staff-cybersecurity-breaches-during-covid-poll-finds

We are at the mercy of Google's cloud services – and it could cost us dearly

If the internet is our information superhighway, this week's mass outage of Google services represents the sudden and total closure of the M25.

Users up and down the country who rely on the system for their livelihoods found themselves confronted with the simple Gmail message: “Oops, something went wrong”. It was the digital equivalent of the Road Closed sign.

Such is the public and private sector’s dependence on software services provided by Google and its rivals Amazon, Microsoft and Alibaba that the five-hour outage will likely be felt at GDP level.

Never mind the frustration felt by hundreds of thousands of homeworkers, think of all the lost opportunities from meetings unattended, the lost confidence from work unsent and the lost productivity from reduced output.

It all adds up: a temporary internet shutdown costs an advanced economy like Britain’s £107m per day according to a report from Deloitte and Facebook into the economic impact of disruptions to connectivity.

That’s equivalent to 1.9 per cent of daily GDP. A big hit, especially in a recession when companies small and large are fighting for their lives and public services are stretched to the limit.

Why this matters

Firms are increasing reliant on a small number of providers and a loss of any one of those providers could have serious ramifications for any business operating online. It is always best to diversify your critical systems across different providers such that a loss of one does not have such wide reaching impact.

Read more: https://www.telegraph.co.uk/technology/2020/08/20/mass-outages-google-will-cost-country-dearly-must-do-better/

Four million Britons with Huawei phones risk their devices becoming obsolete

Up to four million British consumers could be stuck with increasingly useless and vulnerable Huawei mobiles after the Chinese firm was blocked from receiving future software updates due to US sanctions.

The crisis-hit company's phones are in danger of rapidly becoming obsolete following the expiry of a temporary licence allowing it to use apps and Android updates from Google - raising fears they could become increasingly slow and laden with bugs.

Huawei is at risk of being unable to renew the licence after being blacklisted by the Trump administration in May last year, with US companies barred from selling technology to it without explicit government approval.

As a result, Huawei phones using Google Mobile Services could stop getting new features and security updates from the US company.

The US claims that Huawei equipment can be used by the Chinese government for espionage – something which Huawei has repeatedly denied. Older Huawei phones, developed before May 2019, are still expected to have the support of critical security features.

Why this matters:

Security updates need to rolled out to keen devices and software secure once vulnerabilities have been found and fixed by vendors. If Huawei phones are no longer able to receive these security updates any vulnerabilities in the underlying operating system will be able to continue being exploited by cyber criminals or ironically nation state actors.

Read more: https://www.telegraph.co.uk/technology/2020/08/19/four-million-britons-huawei-phones-risk-devices-becoming-obsolete/

HMRC Investigating Over 10,000 COVID-Related Phishing Scams

More than 10,000 email, SMS, social media and phone scams exploiting the COVID-19 pandemic are being investigated by Her Majesty’s Revenue and Customs (HMRC) in the UK.

The official figures, published following a Freedom of Information (FOI) request highlight how the health and economic crisis has provided major scamming opportunities for cyber criminals.

The data showed that May was the month in which the highest number of phishing scams were reported by members of the public to HMRC, at 5152, representing a 337% rise compared to March when lockdown measures were first introduced in the UK. This was followed by 2558 reports in June, and 2105 in April. The total since March comes to 10,428.

Government programs introduced to support businesses and workers impacted by the lockdown have been a common target for scammers. Examples include an email purporting to be from HMRC regarding the government’s Coronavirus Job Retention Scheme, which attempted to get business owners to reveal their bank account information, while another offered a bogus tax rebate under the guise of the Self-Employment Income Support Scheme.

The FOI also showed that 106 COVID-related websites have been requested for removal since March, with April the highest month at 42, followed by 24 in May and 17 in March. In May, it was revealed that HMRC formally asked internet service providers (ISPs) to remove 292 scam web addresses exploiting the coronavirus outbreak.

Why this matters:

Cyber criminals will always take advantage of current events, crises and tragedies to exploit unsuspecting victims. This has never been so evident as with the current Coronavirus pandemic, especially with the shift to more staff working from home.

Read more: https://www.infosecurity-magazine.com/news/hmrc-investigating-covid-related/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Surely more security is always better right? Surely you can’t have too much? Maybe not - find out more

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Travelex Forced into Administration After Ransomware Attack

Ransomware victim Travelex has been forced into administration, with the loss of over 1000 jobs.

PwC announced late last week that it had been appointed joint administrators of the currency exchange business.

The Sodinokibi (REvil) ransomware variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.

Why this matters:

Firms of any size can call victim to ransomware and many firms will not survive a significant cyber event such as this. Unconfirmed reports at the time suggested that a critical unpatched vulnerability in a VPN (Virtual Private Network) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored. This again shows the importance of ensuring all security updates are applied quickly. Has this software had the security updates applied those vulnerabilities would not have been able to be used in this attack.

Read more: https://www.infosecurity-magazine.com/news/travelex-forced-administration/

Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days

Microsoft’s August 2020 Patch Tuesday security updates fell this week and this month the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.

Among these 120 vulnerabilities, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide a fix.

Why this matters:

All security updates should be applied as soon as possible to prevent vulnerabilities from being exploited in attacks. When vulnerabilities are announced criminals will waste no time in weaponizing them (creating exploits to use in attacks) so the quicker the vulnerabilities are closed the safer you will be.

Read more: https://www.zdnet.com/article/microsoft-august-2020-patch-tuesday-fixes-120-vulnerabilities-two-zero-days/

More ransomware victims are paying up, even when data recovery is possible

The proportion of ransomware attack victims actually paying ransoms increased in the last quarter, even in instances where ransomed data could be recovered, new figures have revealed.

According to a commercial ransomware recovery service, data exfiltration attacks are becoming more common and blending with traditional ransomware hacks. Data exfiltration extortion involves an attacker taking possession of stolen data and putting it up for sale on forums or marketplaces. Once monetised, the hacker asks the victim to pay a ransom to prevent the information’s release.

The recover firm added that tools currently on the market vary wildly when it comes to data recovery success following a ransomware attack. What’s more, the company has noted an uptick in the number of companies experiencing operating system and registry corruption even after ransomed data is restored.

Why this matters:

It used to be that backups were the best defence against ransomware attacks, but if your data is stolen a backup won’t help you avoid having to pay out to keep your sensitive or confidential data out of the public domain.

Read more: https://www.techradar.com/news/more-ransomware-victims-are-paying-up-even-when-data-recovery-is-possible

Intel, SAP, and Citrix release critical security updates

Intel released 18 advisories, including fixes for Denial of Service, Information Disclosure and Elevation of Privilege flaws affecting various products on Windows, Chrome OS and Linux OS.

SAP’s released 15 security notes and an update to a previously released one to address flaws in a variety of offerings, including SAP ERP, SAP Business Objects Business Intelligence Platform, SAP S/4 HANA and various SAP NetWeaver components.

Citrix’s has released patches for a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (aka XenMobile Server).

Why this matters:

Security upgrades should always be applied as soon as possible. Whether announced vulnerabilities are already being exploited or not as they become known they likely will be exploited and patching them (applied the fixes made available) prevent them from being exploited.

Read more: https://www.helpnetsecurity.com/2020/08/12/intel-sap-citrix-security-updates-august-2020/

IT Pros Name Misconfiguration #1 Cloud Security Threat

Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals.

A security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.

Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.

The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).

These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.

This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organisations are using two or more public cloud providers — adding to the complexity.

Why this matters?

Organisations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes

Read more: https://www.infosecurity-magazine.com/news/misconfiguration-error-cloud/

RedCurl cybercrime group has hacked companies for three years

Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focusing on the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.

Named RedCurl, the activities of this new group have been detailed in a 57-page report released this week.

Researchers have been tracking the group since the summer of 2019 and have since identified 26 other RedCurl attacks, carried out against 14 organisations, going as far back as 2018.

Why this matters:

This Russian group have targeted victims across different countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK. Many firms could fall victim to cyber crime groups like this if their defences are not able to withstand such attackers.

Read more: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/

Why You Must Beware What You Ask Amazon Alexa

The same cyber team that cracked open TikTok, WhatsApp, Microsoft’s cloud and even Philips lightbulbs has just turned its attention to Amazon’s Alexa. And, unsurprisingly, it hasn’t disappointed. After “speculating” that Amazon’s 200 million devices “could be a prime entry-point for hackers,” Check Point Research has just lifted the lid to unmask “serious security flaws in Alexa.” According to the team, “in just one click, a user could have given up their voice history, home address and control of their Amazon account.”

Why this matters:

Warnings about the dangers of smart speakers and their extended families of virtual assistants are not new. These are the same devices that causes such scandal last year, when it transpired humans were listening to conversations to better train the AI. The issue here is different, much more akin to the broader problem of IoT security. Every different gadget you connect to the internet becomes a potential vulnerability and the methods needed to crack Amazon’s devices were not particularly sophisticated.

Read more: https://www.forbes.com/sites/zakdoffman/2020/08/13/amazon-alexa-cyber-attack-check-point-report-smart-speaker-warning/#7d3d16a35008

Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google

A star engineer who admitted stealing self-driving car secrets from Google has been sentenced to 18 months in prison.

Anthony Levandowski, who helped found Google's self-driving car project, now known as Waymo, pleaded guilty to downloading documents containing data about the company's work and accessing one of them after he had left to found his own trucking startup.

Sentencing him in a San Francisco court, the judge said he was imposing prison time as a deterrent.

An early star in the self-driving car scene, Mr Levandowski pushed for Google to develop the technology but later became disillusioned, leaving in early 2016 to start trucking company Otto, which was bought by Uber less than eight months later. 

Waymo sued Uber, a case which was settled in 2018, with Uber paying out $245m (£187m) in equity and agreeing not to use its technology.

Uber had signed an indemnification agreement with Mr Levandowski, forcing it to pay his legal fees, but has refused to pay a $179m debt he owes to the Google spin-out, a consequence of separate legal action relating to his departure. 

Why this matters:

Your staff present one of your biggest risks, and a disgruntled or disillusioned employee can be very dangerous. The theft of intellectual property for personal gain is a classic example of this kind of behaviour. Data Loss Prevention (DLP) systems can help to spot unusual behaviour in employees and detect sensitive data being extracted from corporate systems.

Read more: https://www.telegraph.co.uk/technology/2020/08/05/ex-uber-engineer-sentenced-18-months-prison-stealing-driverless/

Google and Amazon are now the most imitated brands for phishing

You may want to think twice about opening that email claiming to be from Google or Amazon, after new research found the tech giants were being used as lures for phishing scams.

Earlier this year, Check Point revealed that Apple was the most imitated brand for phishing, but over the course of the last few months, the iPhone maker has fallen to seventh place with Google and Amazon now taking the top spots.

Why this matters:

Phishing is estimated to be the starting point of over 90 percent of all cyberattacks and according to Verizon's 2019 Data Breach Investigations Report, nearly one third (32%) of all data breaches involved phishing activity. Additionally phishing was present in 78 percent of cyber espionage incidents and the installation and use of backdoors in company networks.

Read more: https://www.techradar.com/news/google-and-amazon-are-now-the-most-imitated-brands-for-phishing

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Black Arrow Cyber Tip Tuesday.

We have talked before about how the regulators like the Guernsey GFSC and the Jersey JFSC expect Boards to take Cyber and information security seriously by the Board just as they do with more established risks, and that Directors are required to understand and manage those risks.

So, how can a Board evidence this.

The clearest way is to schedule a regular review of a cyber security report at Board meetings. That report should contain a few sections with brief and focused content that is explained in terminology that all business leaders can understand. One of those sections is a dashboard with key indicators about the risks that the business faces, and the controls that are in place to mitigate those risks to match the organisation’s risk appetite.

We recommend that organisations structure their risks and controls based on one of the globally recognised frameworks, for example NIST or ISO 27001. In fact, the forthcoming regulations from the GFSC are based on the NIST framework. So, the dashboard would also be structured to match that same framework, to ensure everything this covered.

The Board members should be sufficiently knowledgeable about these topics to be able to question whether things are as good as the dashboard says they are, and whether the rating should be Amber instead of Green. Or, whether the RAG threshold is appropriate for their business. And that challenge in the Board room should be minuted for future reference.

You don’t need to be an expert, but you do need to have a good understanding of the basics, and your independent trusted advisors can support you on the details.

Contact us to see how we can help you achieve what the regulators require of you.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

INTERPOL: Cyber crime Growing at an “Alarming Pace” Due to #COVID19

Cyber crime is growing at an “alarming pace” as a result of the ongoing COVID-19 crisis and is expected to accelerate even further, a new report from INTERPOL has found.

It revealed the extent to which cyber-criminals are taking advantage of the increasing reliance on digital technology over recent months. This includes the rapid shift to home working undertaken by many organisations, which has involved the deployment of remote systems and networks, often insecurely.

Based on feedback from member countries, INTERPOL said that during the COVID-19 period, there has been a particularly large increase in malicious domains (22%), malware/ransomware (36%), phishing scams/fraud (59%) and fake news (14%).

Threat actors have revised their usual online scams and phishing schemes so that they are COVID-themed, playing on people’s economic and health fears.

Why this matters:

Increases in malicious activity is always a concern, especially when firms don’t realise how bad the situation is already and fail to grasp how much worse it is getting. Cyber criminals have gone through an industrial revolution and have built criminal organisations to rival some of the biggest legitimate business empires. Increases in threats require and increase in defensive capability, across IT, people and governance, to counter this rising tide.

Read more: https://www.infosecurity-magazine.com/news/cybercrime-growing-alarming-pace/

Capital One fined $80m for data breach

Capital One, one of the top five credit card issuers by balances in the US, has been fined $80m and ordered to improve internal controls after regulators identified a string of failings that allowed hackers to obtain the personal data of more than 106m customers and credit card applicants last year.

The bank was found to have failed to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud, as well as failing to quickly correct deficiencies.

The data breach exposed names, addresses, phone numbers, self-reported income, credit scores and payment history, as well as some people’s social security numbers.

It has become a cautionary tale for banks migrating their data from their own physical IT to the kind of virtual clouds that the Capital One data was hacked from.

Why this matters:

Moving to the cloud can open up new risks and misconfigurations can go undetected until they are exploited by malicious actors. It is important to make sure you know where the weaknesses and vulnerabilities are before someone else does, and this included cloud infrastructure.

Read more: https://www.ft.com/content/a730c6a0-c362-4664-a1ae-5faf84912f20

Canon confirms ransomware attack in internal memo

Canon appears to be latest in a number of large high profile firms in recent weeks to suffer a ransomware attack that has had an impact on numerous services, including Canon's email, Microsoft Teams, USA website, and other internal applications. In an internal alert sent to employees, Canon has disclosed the ransomware attack and working to address the issue.

Researchers were alerted by a suspicious outage on Canon's image.canon cloud photo and video storage service resulting in the loss of data for users of their free 10GB storage feature.

However, the final status update was strange as it mentions that while data was lost, "there was no leak of image data."  This led BleepingComputer to believe there was more to the story and that they suffered a cyberattack.

Why this matters:

Any firm of any size can fall victim to ransomware and recovering can be time consuming, expensive and cause significant reputational damage. These attacks invariably stem from users clicking on links in phishing emails, something that IT departments and technical controls aren’t capable of defending against on their own.

Read more: https://www.bleepingcomputer.com/news/security/canon-confirms-ransomware-attack-in-internal-memo/

Garmin reportedly paid multimillion-dollar ransom after suffering cyberattack

Following on from Canon being the latest high profile victim, reports indicate that fitness wearable and satellite navigation brand Garmin paid millions of dollars in ransom after an attack took many of its products and services offline last month. The payment was reportedly made through a ransomware negotiation company in order for Garmin to recover data held hostage as a result of the attack.

It was reported last week that Garmin had received a decryption key to access data encrypted by the virus, and that the initial ransom demand was for $10 million.

Why this matters:

If a company had to resort to paying the ransom then it can be inferred that they were unable to recover their data, had insufficient backups or had never tested recovering from backups and when they needed to for real found they were unable. It’s too late to find out when you need something that you don’t have it.

If no firm or individual paid ransoms this problem would go away. For as long as even a small number of firms and individuals pay this will continue to be a massive problem, affecting everyone.

Read more: https://www.theverge.com/2020/8/4/21353842/garmin-ransomware-attack-wearables-wastedlocker-evil-corp

Google: Eleven zero-days detected in the wild in the first half of 2020

According to data collected by Google's Project Zero security team, there have been 11 zero-day vulnerabilities exploited in the wild in the first half of the year.

The current number puts 2020 on track to have just as many zero-days as 2019 when Google security researchers said they tracked 20 zero-days all of last year.

Details about these zero-days have been obtained from a spreadsheet managed by Google security researchers, which the company made public available earlier this year. The spreadsheet contains Google's internal statistics about in-the-wild zero-day usage going as far back as 2014, when the company began tracking said stats.

Why this matters:

Zero-days are vulnerabilities for which fixes have not yet been made available and as such as difficult to defend against. Good security is all about having multiple layers of controls and if you have good procedural, people and governance controls in place this should still go a good way to helping to defend against zero-days.

As soon as security updates are made available they should ideally be tested and applied on all applicable devices as soon as possible to prevent vulnerabilities from being exploited.

Read more: https://www.zdnet.com/article/google-eleven-zero-days-detected-in-the-wild-in-the-first-half-of-2020/

TeamViewer flaw could be exploited to crack users’ password

A high-risk vulnerability (CVE-2020-13699) in TeamViewer for Windows could be exploited by remote attackers to crack users’ password and, consequently, lead to further system exploitation.

TeamViewer is an application that is used primarily for remote access to and control of various types of computer systems and mobile devices, but also offers collaboration and presentation features (e.g., desktop sharing, web conferencing, file transfer, etc.)

Since the advent of COVID-19, enterprise use of the software has increased due to many employees being forced to work from home.

Why this matters:

Credentials stolen from any successful breach are likely to be used in credential stuffing attacks (where the same usernames and passwords are reused) against other sites and services.

Read more: https://www.helpnetsecurity.com/2020/08/06/cve-2020-13699/

Qualcomm chip vulnerability puts millions of phones at risk

Smartphone devices from the likes of Google, LG, OnePlus, Samsung and Xiaomi are in danger of compromise by cyber criminals after 400 vulnerable code sections were uncovered on Qualcomm’s Snapdragon digital signal processor (DSP) chip, which runs on over 40% of the global Android estate.

To exploit the vulnerabilities, a malicious actor would merely need to convince their target to install a simple, benign application with no permissions at all.

Why this matters:

The vulnerabilities leave affected smartphones at risk of being taken over and used to spy on and track their users, having malware and other malicious code installed and hidden, or even being bricked outright. Hopefully a fix will be forthcoming but it looks like it might be months before this fix is widely available.

Read more here: https://www.computerweekly.com/news/252487274/Qualcomm-chip-vulnerability-puts-millions-of-phones-at-risk

Over-75s warned of rise in TV Licence 'phishing' fraud

Over-75s awaiting letters about their new licence fee payments are falling victim to fraudsters, it has emerged.

The BBC has told 4.5 million pensioners to expect a letter from TV Licensing advising them on how to set up payment, as the free scheme for over-75s ended on July 31.

But the corporation has not given an indication of when the communication will arrive or what the wording will be, and in the meantime pensioners are being duped by scam emails which purport to be official.

The National Cyber Security Centre, part of GCHQ, said the number of licence fee “phishing” emails had risen in July, compared to previous months, and it was working hard to block them.

A spokesman said: “It is despicable that criminals are targeting over-75s in this way. TV Licensing would never ask for payment details over an email, so as soon as we were alerted to the scam messages sent in this callous campaign, they were immediately blocked.

Why this matters:

Cyber criminals are unscrupulous and will happily target the most vulnerable members of our society. If you have elderly relatives make them aware of these scams and encourage them not to respond for requests sent via email.

Read more: https://www.telegraph.co.uk/news/2020/08/03/over-75s-warned-rise-tv-licence-phishing-fraud/

Netgear Won’t Patch 45 Router Models Vulnerable to Serious Flaw

Netgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that routers that won’t receive updates are outdated or have reached EOL (End of Life).

The remote code execution vulnerability in question, which was disclosed June 15, allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers – sans authentication. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models – but Netgear says that 45 of those router models are outside of its “security support period.”

Why this matters:

If you are using a Netgear device ensure that it is not in the list of devices that are no longer supported and if necessary replace it with a different router that is supported. If the device you own is still supported you should log into the web interface and ensure that it is updated to the most recent version of firmware to include any security updates.

Many people never update the firmware on their networking devices at home and this means that there can be a significant number of significant security vulnerabilities that have gone unfixed jeopardising the security of any devices connected to that router. If you don’t know how to update home networking devices contact someone who can help you to do this.

Read more: https://threatpost.com/netgear-wont-patch-45-router-models-vulnerable-to-serious-flaw/157977/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony talks about free advisory sessions for startups and entrepreneurs to help them think about security as they take their first steps with their new businesses.

When setting up a new business there are lots and lots of things to think about, and probably many things will come up that you never knew to think about, but security is not something that should be bolted on afterwards but rather something that should be thought about from the start.

Thinking about security from the start will always put you in a better position after all no business can afford a data breach or significant cyber event and most new businesses and startups won’t survive if they are attacked. A mistake small businesses make is thinking they don’t need to worry about cyber security but nearly half of all attacks hit small businesses so this is not something only larger firms need to think about.

The controls that startups and small business should put in place are often fairly basic and most come with no or little cost attached so are within the reach of all firms no matter how small – and these controls help to protect against the vast majority of attacks. If you’re a new startup or entrepreneur contact us today to arrange a free chat to you on the right track to defending your new business.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week James is talking about risks posed by home routers.

A recent study in Germany of 127 home routers from 7 different brands including D-Link, Linksys, TP-Link and Zyxel found that almost 60 percent of models hadn't had a security update in over a year and most were affected by hundreds of known vulnerabilities. On top of that, they found that vendors were shipping updates with no fixes for critical vulnerabilities that have been known about for many years, some are even observed as being actively exploited.

Most routers are based on a Linux operating system which is patched and maintained regularly but the home router manufacturers are choosing to use old and known vulnerable versions of the operating system without sending updates to customers devices.

The lesser of the evils seemed to be Asus and Netgear who both applied more security fixes more frequently but another recent study found that 79 of Netgear's routers have a critical security vulnerability that would allow a remote attacker to take complete control of the device and the network behind which has been present since 2007.

With the increasing popularity of home working it is essential that both individuals and firms take in to account this increase in attack surface and apply appropriate controls and mitigations to prevent their data and their clients data from being captured by malicious third parties.

When approached correctly, home working can provide significant benefits to productivity without compromising security. Speak to us today to find out how you can achieve this.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Major US Twitter accounts hacked in Bitcoin scam

Billionaires Elon Musk, Jeff Bezos and Bill Gates are among many prominent US figures targeted by hackers on Twitter in an apparent Bitcoin scam.

The official accounts of Barack Obama, Joe Biden and Kanye West also requested donations in the cryptocurrency.

"Everyone is asking me to give back," a tweet from Mr Gates' account said. "You send $1,000, I send you back $2,000."

The US Senate Commerce committee has demanded Twitter brief it about the incident next week.

Twitter said it was a "co-ordinated" attack targeting its employees "with access to internal systems and tools".

"We know they [the hackers] used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," the company said in a series of tweets.

It added that "significant steps" had been taken to limit access to such internal systems and tools while the company's investigation was ongoing.

The firm has also blocked users from being able to tweet Bitcoin wallet addresses for the time being.

Read more here: https://www.bbc.co.uk/news/technology-53425822

More Malware Found Hidden in Chinese Tax Software

A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave.

The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared out of the blue which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism and it utilises three DLL files to: interface with the Golden Tax software; bypass Windows security and escalate privileges; and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomization of name whilst in transit and of file system location, timestomping, IP-based Domain Generation Algorithm (DGA), and UAC bypass and privilege escalation.

Read more here: https://www.infosecurity-magazine.com/news/more-malware-hidden/

How North Korea’s army of hackers stole $2bn through cyber bank heists

Towards the end of last year, a series of seemingly innocuous LinkedIn messages were sent to employees of aerospace and military companies in the UK, Europe and the Middle East. Curious engineers who replied to the job offers were sent further messages urging them to download files to find out more about the opportunities.

The file contained a list of available jobs and the salaries for each role. While recipients read through the list of highly paid positions, their computers were silently taken over by hackers who implanted software that allowed them to peer through all of their files and emails.

The lucrative jobs weren’t real, and neither were the recruiters. Instead the messages were sent by Lazarus, a notorious North Korean hacking group, which in 2014 had managed to break into the servers of Sony Pictures and in 2017 brought parts of the NHS to a standstill during the WannaCry ransomware attack.

Once the hackers had gained access to their target’s computer, the fake LinkedIn profiles vanished.

One hacker then used his access to a victim’s email account to find an outstanding invoice. He sent an email to another business demanding payment, but asked for the money to be sent to a new bank account controlled by the hacking group.

This cyber attack is a typical example of North Korea’s unique approach to hacking. As well as attacks to make political statements, the country uses its legions of hackers to generate billions of dollars for the regime through a series of audacious cyber bank heists.

A United Nations report published last year estimated that North Korean hackers have stolen more than $2bn (£1.5bn) and said the money was being funneled into the regime’s missile development programmes.

Cut off from almost all of the world’s financial systems, North Korea has for years relied on a series of illegal activities to bolster its income. As well as thriving drug trafficking and counterfeiting schemes, the regime has also funded hundreds of its own digital bank heists.

Read more here: https://www.telegraph.co.uk/technology/2020/07/12/north-koreas-army-hackers-stole-2bn-cyber-bank-heists/

UK ‘on alert for China cyber attack’ in retaliation for Hong Kong

The government must be alert to potential cyber attacks from countries such as China, ministers have said as tensions increase between London and Beijing.

Last month relations between the UK and China soured after Boris Johnson pledged to offer refuge to millions of Hong Kong citizens if the country implements its planned national security law. The government is also reported to have ‘changed its view’ on plans for Chinese tech company Huawei to play a role in developing the UK’s 5G network due to growing unease over security risks.

Now senior sources claim the worsening ties could see Britain be targeted by Chinese-backed hackers in a so-called ‘cyber 9/11’. This could damage computer networks, cause power and phone blackouts and bring hospitals, government and businesses to a standstill.

Britain’s National Cyber Security Centre says it is not ‘expecting’ a rise in attacks. However, one senior minister said the threat was ‘obviously part of conversations’, but added that ‘all risk must be looked at in the round’.

Read more: https://metro.co.uk/2020/07/12/ministers-fear-cyber-attack-uk-relations-worsen-china-12978970/

Ransomware warning: Now attacks are stealing data as well as encrypting it

There's now an increasing chance of getting your data stolen, in addition to your network being encrypted, when you are hit with a ransomware attack – which means falling victim to this kind of malware is now even more dangerous.

The prospect of being locked out of the network by cyber criminals is damaging enough, but by leaking stolen data, hackers are creating additional problems. Crooks use the stolen data as leverage, effectively trying to bully organisations who've become infected with ransomware into paying up – rather than trying to restore the network themselves – on the basis that if no ransom is paid, private information will be leaked.

Ransomware groups like those behind Maze and Sodinokibi have already shown they'll go ahead and publish private information if they're not paid and now the tactic is becoming increasingly common, with over one in ten attacks now coming with blackmail in addition to extortion.

Organisations in the legal, healthcare and financial sectors are among the most targeted by these campaigns, based on the assumption that they hold the most sensitive data.

Read more here: https://www.zdnet.com/article/ransomware-warning-now-attacks-are-stealing-data-as-well-as-encrypting-it/

Stop Ignoring Two-Factor Authentication Just Because You’re Lazy

A large number of people and businesses are missing out on a simple, effective online security solution by ignoring two-factor authentication (2FA), also called multi-factor authentication (MFA). The only requirement is to enter a code or press a button on a separate device from the one being used, yet for many, that effort seems too great. Laziness literally becomes the weakest point in their data protection systems.

If this sounds familiar, it’s time to change, as 2FA strengthens the security of all-important apps, including those where you share financial details such as banking and shopping apps – but to work, it has to be used.

Read more here: https://www.infosecurity-magazine.com/opinions/authentication-lazy/

Russian hackers ‘try to steal vaccine research’ in cyber attack on labs

Hackers linked to Russian intelligence agencies are targeting British scientists seeking to develop a coronavirus vaccine, spooks in the US, UK and Canada have warned.

In a joint statement Britain’s National Cyber Security Centre (NCSC), the US National Security Agency and the Canadian Communication Security Establishment, said that the APT29 hacking group, also known as the ‘Dukes’ or ‘Cozy Bear’ has been hitting medical organisations and universities with cyber attacks which they believe have had the Kremlin’s blessing.

These attacks are part of a global campaign to steal research secrets of research. While the institutions targeted have not been revealed, the UK is home to two of the world’s leading coronavirus vaccine development programmes based at Oxford University and Imperial College London.

Read more: https://metro.co.uk/2020/07/16/russian-hackers-launch-cyber-attack-uk-vaccine-researchers-12998769/

Counterfeit Cisco switches raise network security alarms

In a disconcerting event for IT security professionals, counterfeit versions of Cisco Catalyst 2960-X Series switches were discovered on an unnamed business network, and the fake gear was found to be designed to circumvent typical authentication procedures, according to a report.

researcher say their investigators found that while the counterfeit Cisco 2960-X units did not have any backdoor-like features, they did employ various measures to fool security controls. For example, one of the units exploited what F-Secure believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering.

Read more: https://www.networkworld.com/article/3566705/counterfeit-cisco-switches-raise-network-security-alarms.html

Vulnerability in Windows DNS servers

Microsoft has reported a critical vulnerability in Windows DNS server under CVE-2020-1350.

Bad news: The vulnerability scored 10 on the CVSS scale, which means it’s critical. Good news: Cyber criminals can exploit it only if the system is running in DNS server mode; in other words, the number of potentially vulnerable computers is relatively small. Moreover, the company has already released patches and a workaround.

The vulnerability lets a malefactor force DNS servers running Windows Server to execute malicious code remotely. In other words, the vulnerability belongs to the RCE class. To exploit CVE-2020-1350, one just has to send a specially generated request to the DNS server.

Installing the Microsoft patch modifies the method of handling requests by DNS servers. The patch is available for Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004.

Read more here: https://www.kaspersky.com/blog/cve-2020-1350-dns-rce/36366/

Threat actors are scanning the Internet for Citrix systems affected by the recently disclosed vulnerabilities.

This week Citrix has addressed 11 vulnerabilities affecting the ADC, Gateway, and SD-WAN WANOP networking products. The vulnerabilities could be exploited by attackers for local privilege escalation, to trigger a DoS condition, to bypass authorization, to get code injection, and to launch XSS attacks.

Some of the addressed flaws could be exploited only if the attackers have access to the targeted system and request user interaction, or other conditions must be verified. For this reason, Citrix believes the flaws are less likely to be exploited.

Now, hackers are scanning the web for systems affected by the recently disclosed Citrix vulnerabilities.

Read more here: https://securityaffairs.co/wordpress/105776/hacking/vulnerable-citrix-systems-scan.html

Iranian Spies Accidentally Leaked Videos of Themselves Hacking

A security team obtained five hours of Iranian state actor group APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.

Normally security researchers need to painstakingly piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they’re doing and upload the video to an unprotected server on the open internet. Which is precisely what a group of Iranian hackers may have unwittingly done.

Read more here: https://www.wired.com/story/iran-apt35-hacking-video/

Amazon-Themed Phishing Campaigns Swim Past Security Checks

A pair of recent campaigns aim to lift credentials and other personal information under the guise of Amazon package-delivery notices.

Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.

Researchers recently spotted a pair of savvy campaigns leveraging Amazon: A credential-phishing attempt using a purported Amazon delivery order failure notice; and a voice phishing (vishing) attempt also using Amazon delivery order. Both are examples of the ever-more sophisticated phishing efforts being developed by fraudsters that are aimed at gaming traditional email security efforts, researchers said.

Read more here: https://threatpost.com/amazon-phishing-campaigns-security-checks/157495/

Malicious Router Log-Ins Soar Tenfold in Botnet Battle

Home users are being urged to ensure their routers are adequately protected after experts revealed a tenfold spike in brute force log-in attempts.

According to the latest research from Trend Micro “Worm War: The Botnet Battle for IoT Territory”, describes a threat landscape in which rival cyber-criminals are competing against each other in a race to compromise as many devices as possible, to conscript into botnets.

The vendor claimed that automated log-in attempts against routers rose from 23 million in September to nearly 249 million attempts in December 2019. As recently as March this year, it detected almost 194 million brute force logins.

The report also revealed an uptick in routers attempting to open telnet sessions with other devices. As telnet is unencrypted it’s a favorite way for hackers or their botnets to sniff user credentials and therefore infect more routers or IoT devices.

Nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week in mid-March, according to the data.

The report warned that these mass compromises could cause serious disruption for home networks at a time when many global users are being forced to work and study from home.

Read more here: https://www.infosecurity-magazine.com/news/malicious-router-logins-soar/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Businesses believe the pandemic will change the security landscape forever

After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.

The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.

With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.

A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.

Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.

Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.

Read more: https://www.itproportal.com/news/businesses-believe-the-pandemic-will-change-the-security-landscape-forever/

Ransomware operators lurk on your network after their attack

When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.

Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.

This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.

Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.

As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.

Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.

This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.

Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/

Prolific Hacker Made Millions Selling Network Access

A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.

The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.

Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.

In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.

The report calculated the $1.5m figure purely from publicised sales, although 20% of those Fxmsp compromised were made through private sales, meaning the hacker’s trawl is likely to be even bigger.

Fxmsp even hired a sales manager in early 2018.

Read more here: https://www.infosecurity-magazine.com/news/infamous-hacker-millions-selling/

Rogue Postbank employees steal master encryption key; make off with $3.2 million

South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.

According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".

The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.

The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.

The cost to the bank of replacing all the compromised cards is expected to reach $58 million.

Read more here: https://www.finextra.com/newsarticle/36059/rogue-postbank-employees-steal-master-encryption-key-make-off-with-32-million

Massive Distributed Denial of Service (DDoS) attack launched against European bank

This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.

The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.

What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.

Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.

The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.

Read more here: https://www.itproportal.com/news/massive-ddos-attack-launched-against-european-bank/

'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report

Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.

The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”

The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.

Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, thus cleverly hiding them in the public blockchain - in plane sight.

Read more: https://cryptonews.com/news/unstoppable-malware-uses-bitcoin-to-retrieve-secret-messages-6947.htm

Woman who deliberately deleted firm’s Dropbox is sentenced

58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

The Police warned other companies of the threat which can be posed by former employees:

Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.

Read more: https://hotforsecurity.bitdefender.com/blog/woman-who-deliberately-deleted-firms-dropbox-is-sentenced-23552.html

EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers

EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.

More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.

EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people was also accessed.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”

Read more here: https://www.bloomberg.com/news/articles/2020-06-24/easyjet-lawsuit-over-data-breach-attracts-10-000-passengers

Twitter apologises for business data breach

Twitter has emailed its business clients to tell them that personal information may have been compromised.

Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.

In an email to its clients, Twitter said it was "possible" others could have accessed personal information.

The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.

The tech company says that there is no evidence that clients' billing information was compromised.

Read more here: https://www.bbc.co.uk/news/technology-53150157

Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online

Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.

Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement

The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.

DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.

Read more here: https://www.cbronline.com/news/blue-leaks-data-dump

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.