If you’re pressed for time watch the 60 second quick fire summary of the top cyber and infosec stories from the last week:

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Coronavirus: ‘Predatory’ cyber criminals and hostile states targeting UK citizens and institutions, Dominic Raab warns UK

Dominic Raab has warned that “predatory” cyber criminals and hostile states are seeking to exploit the coronavirus pandemic, saying that UK citizens, businesses and institutions will be targeted for weeks and months ahead.

His remarks follow a joint warning from cyber security agencies in Britain and the US, urging healthcare and medical research staff to improve their password security to prevent criminals exploiting the crisis further.

Speaking at No 10 earlier in the week, Mr Raab said that while the vast majority of people and countries had rallied together, “there will always be some who seek to exploit a crisis for their own criminal and hostile ends”.

The foreign secretary said he was aware that cyber criminals and “other malicious groups” are targeting individuals and organisations in the UK by deploying Covid-19 related scams and phishing emails.

“That includes groups that in the cyber security world are known as advanced persistent threat (APT) groups – sophisticated groups of hackers who try to breach computer systems,” he said.

“We have clear evidence now that these criminal gangs are actively targeting national and international organisations which are responding to the Covid-19 pandemic, which I have to say makes them particular dangers and venal at this time.”

Read the full article here: https://www.independent.co.uk/news/uk/politics/coronavirus-cyber-crime-hack-business-dominic-raab-a9500316.html

New phishing attack targeting Microsoft Teams users aims to steal Office 365 credentials

Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees are working from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to help enhance functionality. While the communication of new features is a given, a new phishing attack that mimics notifications from the Redmond giant is being targeted at Teams users.

The specifics of the attack suggests that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the email notifications impersonate automated notification emails from Teams that are convincing enough owing to the content and design. The sender email comes from the “sharepointonline-irs.com” domain, something that is misleading and one that is not owned by Microsoft.

Read more here: https://www.neowin.net/news/new-phishing-attack-targeting-microsoft-teams-users-aims-to-steal-office-365-credentials

Ransomware Payments Surge 33% as Attacks Target Remote Access

The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organisations struggled to mitigate remote working threats.

A security vendor analysed ransomware cases handled by its own incident response team during the period to compile its latest findings.

It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.

Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.

Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.

Read the full article here: https://www.infosecurity-magazine.com/news/ransomware-payments-surge-33/

Millions of remote desktop accounts attacked every week

Since the start of the outbreak, we've seen cyber criminals target Zoom and spread coronavirus-related phishing campaigns, in a bid to take advantage of the increase in remote working.

Now, new research suggests criminals are also targeting employees reliant on Microsoft's proprietary Remote Desktop Protocol (RDP) with far greater regularity.

According to this new report, hundreds of thousands of employees use RDP as a way to remotely connect to their office computer with the same privileges they would have on site.

However, RDP is also an enticing target for criminals, who are reportedly bombarding the service with brute-force attacks in a bid to gain entry.

Prior to the coronavirus pandemic, researchers typically recorded around 100,000–150,000 attacks of this kind per day, but that number has shot up to almost a million.

Read more: https://www.itproportal.com/news/millions-of-remote-desktop-accounts-are-being-attacked-ever-week/

This phishing campaign targets executives with fake emails from their phone provider

A new spear-phishing campaign has targeted executives and others in attempt to steal login credentials and bank account details by posing as their smartphone provider.

Uncovered by researchers, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.

The security company said the spoof mail had been sent to "a few executives, including one at a leading financial firm".

The messages come with the vague subject 'View Bill – Error – Message' and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should login to their account to update their details.

Users should be cautious about unexpected messages like this – especially, if like this one, they urge some sort of immediate action – but there's also some elements of the phishing email that should act as a warning that all is not right.

Read more here: https://www.zdnet.com/article/this-phishing-campaign-targets-executives-with-fake-emails-from-their-phone-provider/

This ransomware spreads across hundreds of devices in no time at all

The LockBit ransomware contains a feature that allows attackers to encrypt hundreds of devices in just a few hours once they've breached a corporate network.

LockBit is a fairly new Ransomware-as-a-Service (RaaS) that was launched in September of last year. The developers of the ransomware are in charge of maintaining its payment site and updates while affiliates sign up to distribute the malware. LockBit's developers then earn around 25-40 percent of the ransom payments received while the affiliates earn a slightly larger share at 60-75 percent.

Researchers have published a report revealing how a LockBit ransomware affiliate hacked into a corporate network and encrypted 25 servers and 255 workstations in just three hours.

The hackers began their attack by brute-forcing an administrator account through an outdated VPN service. This gave them the administrative credentials they needed in order to deploy the LockBit ransomware on the network.

Read more: https://www.techradar.com/news/this-ransomware-spreads-across-hundreds-of-devices-in-no-time-at-all

Data security flaw exposes details of thousands of legal documents

A data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years in an online database, potentially affecting the clients of about 190 law firms.

The cache of documents, which included Companies House property transaction forms containing authentication details such as email addresses and passwords, had been scanned and uploaded by legal firms — including three of the “magic circle” — using a product from Advanced Computer Software, Britain’s third-largest software company.

Advanced, said in a statement: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.”

Leaving a security hole open for an extended period of time exposing authentication and other details was serious.

Though the exposure of legal documents is of a different scale to recent incidents — including at Virgin Media and British Airways — involving much larger customer databases, the inclusion of authentication information raised concerns about the potential impact if the exposed data fell into the wrong hands.

Read more here: https://www.ft.com/content/e0d6b6b7-825f-4102-b78f-204e1be205b6

Vulnerabilities in two VPNs opened door to fake, malicious updates

Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.

Attackers can intercept VPN communications and force the apps to download fake updates according to the researchers who discovered the flaws.

The researchers stated they were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe – have a lot of users trusting these tools to provide them with more security and privacy, not less.

Read more here: https://www.scmagazine.com/home/security-news/vulnerabilities-in-two-vpns-opened-door-to-fake-malicious-updates/

Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected

The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.

Read more here: https://www.forbes.com/sites/daveywinder/2020/05/07/samsung-confirms-critical-security-warning-for-millions-every-galaxy-after--2014-affected/#41959c3c3af7

A hacker group tried to hijack 900,000 WordPress sites over the last week

A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued this week.

Since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic being tracked.

The group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites.

The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.

Read the full article here: https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/

Popular adult streaming site just accidentally outed millions of users

Adult live streaming platform CAM4 has suffered a massive data breach, exposing the identity of millions of its users.

Discovered by security researchers, the breach was caused by a server configuration error that made 7TB of user data (comprising 10.88 billion records in total) easily discoverable online.

While the misconfigured ElasticSearch database did not betray users’ specific sexual preferences, it did include personally identifiable information including names, email addresses, payment details, chat logs and sexual orientation.

The popular adult platform is used primarily by amateur webcam models to stream explicit content to live audiences. To gain access to premium content or tip performers, users must first register with the site - parting ways with both personal and financial data.

Read more here: https://www.techradar.com/news/this-popular-adult-streaming-site-accidentally-outed-millions-of-users

Hacker Group Selling Databases With Millions Of User Credentials Busted In Poland And Switzerland

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud.

On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. Two platforms with databases containing over 170 million entries were closed down by the police.

The hacking group created online platforms to sell user login credentials known as ‘combos’. The group was efficiently organised into three defined teams. Developers created tools to test the quality of the stolen databases, while testers analysed the suitability of authorisation data. Project managers then distributed subscriptions against cryptocurrency payments.

The hacking group’s main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

Read more here: https://www.europol.europa.eu/newsroom/news/hacker-group-selling-databases-millions-of-user-credentials-busted-in-poland-and-switzerland

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

The week in 60 seconds - video flash briefing

Over half of organisations expect remote workers to increase the risk of a data breach

Apathy towards cyber security remains one of the biggest challenges for businesses.

The majority of UK’s IT decision-makers believe remote workers will expose their businesses to the risk of a data breach.

This is according to a new report which claims the awareness of the issue has been “steadily growing” over the last three years.

While the report does not offer definitive explanations for the rise, it cites increased remote working due to the coronavirus as a contributing factor.

The percentage of employees intentionally putting data at risk dropped slightly (from 47 to 44 percent), but apathy continues to be a “major problem”.

However, remote working appears to have forced IT decision-makers to pay closer attention to security.

Almost all (96 percent) respondents acknowledged risks associated with BYOD policies and a significant portion of those (42 percent) only allow the use of pre-approved gear (up from 11 percent last year).

This change is “crucial”, as lost and misplaced devices are now the second biggest data breach cause (24 percent), behind intentionally putting data at risk (33 percent) and ahead of mishandling corporate data.

Read more: https://www.itproportal.com/news/over-half-of-organisations-expect-their-remote-workers-to-expose-them-to-the-risk-of-a-data-breach/

Trickbot Named Most Prolific #COVID19 Malware

Notorious malware Trickbot has been linked to more COVID-19 phishing emails than any other, according to new data from Microsoft.

The Microsoft Security Intelligence Twitter account made the claim on Friday.

“Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures,” it said. “This week’s campaign uses several hundreds of unique macro-laced document attachments in emails that pose as messages from a non-profit offering a free COVID-19 test.”

Microsoft has been providing regular updates through the current crisis as organizations struggle to securely manage an explosion in home working while cyber-criminals step up efforts to exploit stretched IT security teams and distracted employees.

Read more: https://www.infosecurity-magazine.com/news/trickbot-named-most-prolific/

Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D

Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.

The flaws, all rated “important” in severity, are tied to six CVEs stemming from Autodesk’s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications

Read more: https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/

1,000 may be hit by CISI website fraud attack

The CISI has launched an investigation after a website attack resulted in 1,000 customers and members being exposed to the risk of credit card fraud.

The professional body with 45,000 members says some members have reported “fraudulent activity” on their cards following a payment transaction on the CISI website.

The organisation, which provides the Certified Financial Planner and Chartered Wealth manager designations, has launched a probe with help from its insurers and KPMG.

The CISI has contacted 5,785 customers that processed a payment transaction through its website between 1 February 2020 and 15 April 2020.

It said not all of these have seen “fraudulent activity” but it anticipates about 1,000 have been exposed to a risk of fraud.

Read more: https://www.financialplanningtoday.co.uk/news/item/11502-1-000-may-be-hit-by-cisi-website-fraud-attack

Here's a list of all the ransomware gangs who will steal and leak your data if you don't pay

Starting with late 2019 and early 2020, the operators of several ransomware strains have begun adopting a new tactic.

In an attempt to put additional pressure on hacked companies to pay ransom demands, several ransomware groups have also begun stealing data from their networks before encrypting it.

If the victim -- usually a large company -- refuses to pay, the ransomware gangs threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.

Companies who may try to keep the incident under wraps, or who may not want intellectual property leaked online, where competitors could get, will usually cave in and pay the ransom demand.

While initially the tactic was pioneered by the Maze ransomware gang in December 2019, it is now becoming a widespread practice among other groups as well.

Clop, Doppenpaymer, Maze, Nefilim, Nemty, Ragnarlocker, Revil (Sodinokibi), Sekhmet, Snatch

Read the original article here for full details: https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/

Hackers have breached 60 ad servers to load their own malicious ads

A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites.

This clever hacking campaign was discovered last month and appears to have been running for at least nine months, since August 2019.

Hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.

Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files -- usually disguised as Adobe Flash Player updates.

Read more: https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/

GCHQ calls on public to report coronavirus-related phishing emails

GCHQ is asking members of the public to report suspicious emails they have received amid a wave of scams and hacking attacks that seek to exploit fear of Covid-19 to enrich cybercriminals.

The National Cyber Security Centre, a branch of the intelligence agency, has launched the suspicious email reporting service with a simple request of the public: forward any dubious emails to report@phishing.gov.uk, and the NCSC’s automated scanning system will check for scam emails and immediately remove criminal sites.

Read more here: https://www.theguardian.com/technology/2020/apr/21/gchq-calls-public-report-coronavirus-phishing-emails

Hackers exploit bug to access iPhone users’ emails

Hackers have devised a way to install malicious software on iPhones without getting the victim to download an attachment or click on any links.

Cybersecurity researchers have discovered a bug in the phone’s email app that hackers may have been exploiting since January 2018. It enables hackers to access all emails on a phone, as well as remotely modify or delete them.

Typically, an attack on a phone requires a user to download the malware, such as clicking on a link in a message or on an attachment. Yet in this case, hackers send a blank email to the user. When the email is opened, a bug is triggered that causes the Mail app to crash, forcing the user to reboot it. During the reboot, hackers could access information on the device.

The hack is virtually undetectable by victims due to the sophisticated nature of the attack and Apple’s own security measures, which often make investigating the devices for potential vulnerabilities a challenge, experts claim.

More here: https://www.thetimes.co.uk/article/hackers-exploit-bug-to-access-iphone-users-emails-ssvvztrgf

FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak

Instances of cybercrime appear to have jumped by as much as 300 percent since the beginning of the coronavirus pandemic, according to the FBI. The bureau’s Internet Crime Complain Center (IC3) said last week that it’s now receiving between 3,000 and 4,000 cybersecurity complaints every day, up from the average 1,000 complaints per day the center saw before COVID-19 took hold.

While much of this jump can be attributed to America’s daily activities increasingly moving online — newly remote workers unaware of basic security measures or companies struggling to keep externally-accessed systems secure, for example — the FBI says a lot of the increased cybercrime is coming from nation states seeking out COVID-19-related research.

More: https://www.entrepreneur.com/article/349509

309 million Facebook users’ phone numbers found online

Last weekend, researchers came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it, for the grand total of £500.

That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

Read more here: https://nakedsecurity.sophos.com/2020/04/22/309-million-facebook-users-phone-numbers-and-more-found-online/

Google Issues Warning For 2 Billion Chrome Users

Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.

Chrome has a critical security flaw across Windows, Mac and Linux and it urges users to upgrade to the latest version of the browser (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.

Read more: https://www.forbes.com/sites/gordonkelly/2020/04/18/google-chrome-81-critical-security-exploit-upgrade-warning-update-chrome-browser/#42a057f56bde

Zoom announces 5.0 update with tougher encryption and new security features

Zoom has today announced its new 5.0 update, bringing robust new security features including AES 256-bit GCM encryption.

Zoom says that AES 256-bit GCM encryption will "raise the bar for securing our users' data in transit", providing "confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar and Zoom Phone Data." The systemwide enablement of this new security standard will take place on May 30.

Zoom has also introduced a new security icon, where it has grouped its security features in one place within Zoom's meeting menu bar. It has also introduced more robust host controls, including a 'report a user' feature. Waiting rooms now default to on, as do meeting passwords and cloud recording passwords. Zoom has also introduced a new data structure for linking contacts within larger organizations. Previously, a Zoom feature designed to group users by domain name had seen thousands of random users grouped together, sharing lots of information with strangers.

Read more: https://www.androidcentral.com/zoom-announces-50-update-tougher-encryption-and-new-security-features

Temporary coronavirus hospitals face growing cybersecurity risks

The coronavirus outbreak has led to a series of temporary medical facilities opening across the U.S., most of which will use remote-care devices without the proper protection against hackers. Because of their remoteness and the overall uncertainty that pandemic’s created, cybersecurity at these temporary hospitals has fallen to the wayside and risks are at an all-time high.

Further complicating matters, most of these temporary units are highly dependent on connected medical devices to facilitate remote care. This leaves these hospitals open to hackers stealing patients’ personal health information via these connected devices.

Fortunately, there are a number of steps health care organizations can take to protect their remote facilities. Not only should organizations ensure their software is up to date and fully patched, but they should also consider enabling two-factor authentication for every account that’s granted access to the remote center’s system.

To assist with securing these remote health care locations, Microsoft has expanded the availability of its AccountGuard security service program. Currently offered at no cost to health care providers on the front lines of the coronavirus outbreak, Microsoft’s AccountGuard service helps targeted organizations protect themselves from ongoing cybersecurity threats.

Read more: https://www.itpro.co.uk/security/cyber-security/355420/temporary-coronavirus-hospitals-facing-growing-cybersecurity-risks

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

GFSC warns over increased risk of fraud and cyber crime

The GFSC has put out a warning to regulated firms on the Island around increased likelihood of fraud and other cyber crimes as a result of the COVID-19 pandemic.

The Commission has stated that they expect licensees to apply effective controls, including having suitable controls to prevent cybercrime.

Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites

Online threats have risen by as much as six-times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks.

Analysis of UK traffic figures for the past four weeks compared to the previous month noted a sharp uptick in malicious activity.

Hacking and phishing attempts were up 37% month-on-month, while on some days, there were between four- and six-times the number of attacks it would usually see.

More here: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/

Cybercrime spikes during coronavirus pandemic, says Europol

Just like everyone else in the face of a pandemic, criminals seem to be staying home — but they're just turning to different methods to make a buck.

That's the message from a new Europol report out this week, which reveals that criminals are adapting to exploit the global chaos.

While many police departments are reporting a lull in physical crime, other types of crime are having a heyday — and those numbers are only expected to increase.

Europol identified cybercrime, fraud, counterfeit goods and organised property crime as categories of particular concern.

Read more here: https://www.euronews.com/2020/03/27/cybercrime-spikes-during-coronavirus-pandemic-says-europol

Cybercriminal group mails malicious USB dongles to targeted companies

Security researchers have come across an attack where an USB dongle was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time it's a known sophisticated cybercriminal group who is likely behind it.

The attack was analysed after a US company in the hospitality sector received the USB sometime in mid-February.

The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer. "You can spend it on any product from the list of items presented on an USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.

More here: https://www.csoonline.com/article/3534693/cybercriminal-group-mails-malicious-usb-dongles-to-targeted-companies.html

Top Email Protections Fail in Latest COVID-19 Phishing Campaign

Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.

New phishing attacks were discovered that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area.

The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to the report.

More: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/

Zoom Phishers Register 2000 Domains in a Month

Over 2000 new phishing domains have been set up over the past month to capitalise on the surging demand for Zoom from home workers, according to new data.

The report analysed data from a threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.

The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.

With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.

Nearly a third (30%) of the new “Zoom” websites spotted activated an email server which indicates these domains are being used to facilitate phishing attacks.

More here: https://www.infosecurity-magazine.com/news/zoom-phishers-register-2000/

Across-the-board increase in DDoS attacks of all sizes

There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to a report.

DDoS attacks grew across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.

In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.

However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.

Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.

More here: https://www.helpnetsecurity.com/2020/03/27/ddos-attacks-increase-2020/

Cybersecurity insurance firm Chubb investigates its own ransomware attack

A notorious ransomware gang claims to have successfully compromised the infrastructure of a company selling cyber insurance.

The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.

The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.

Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.

Read the full article here: https://hotforsecurity.bitdefender.com/blog/cybersecurity-insurance-firm-chubb-investigates-its-own-ransomware-attack-22753.html

Ransomware Payments on the Rise

More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.

New research published this week shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.

The report states 62% of organisations were victimised by ransomware in 2019, up from 56% in 2018 and 55% in 2017.

In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.

Read the full article here: https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments/

Marriott hit by second data breach exposing “up to” 5.2 million people

Hotel chain Marriott International this week announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.

The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.

The hotel company has stressed that not all data was exposed for each person.

Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.

The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.

More here: https://www.verdict.co.uk/marriott-second-data-breach/

Lawyers urged to switch off Alexa when working from home

Law firms are warning their employees to turn off their smart speakers while working from home due to security concerns.

Smart speakers such as Amazon’s Echo series and Google’s Nest range have become wildly popular in Britain with an estimated 34pc of households now using them.

But privacy and security experts have repeatedly said the devices may pose a security threat and now law firms have advised staff not to disclose sensitive details when they are in use nearby.

A spokesman from one firm of solicitors said that that hackers could access sensitive details through the speakers, telling their staff to check the default settings on the speaker and to the extent that you can, switch them off during the working day.

More here: https://www.telegraph.co.uk/technology/2020/03/30/lawyers-urged-switch-alexa-working-home/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Android malware can steal Google Authenticator 2FA codes

A new version of the "Cerberus" Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts.

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.

Google launched the Authenticator mobile app in 2010. The app works by generating six to eight-digits-long unique codes that users must enter in login forms while trying to access online accounts.

Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user's smartphone and never travel through insecure mobile networks, online accounts who use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.

Read the full article here: https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

Cisco patches incoming to address Kr00k vulnerability impacting routers, firewall products

Cisco is working on a set of patches to address a recently-disclosed vulnerability that can be exploited to intercept Wi-Fi network traffic.

The vulnerability, tracked as CVE-2019-15126, has been nicknamed "Kr00k" and was disclosed at the by researchers on Wednesday.

Kr00k is a vulnerability that permits attackers to force Wi-Fi systems into disassociative states, granting the opportunity to decrypt packets sent over WPA2 Personal/Enterprise Wi-Fi channels.

All Wi-Fi enabled devices operating on Broadcom or Cypress Wi-Fi chipsets are impacted

More here: https://www.zdnet.com/article/cisco-says-patches-incoming-to-address-new-kr00k-vulnerability-impacting-routers-firewall-products/

Google Patches Chrome Browser Zero-Day Bug, Under Attack

Google patches zero-day bug tied to memory corruptions found inside the Chrome browser’s open-source JavaScript and Web Assembly engine, called V8.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.

The zero-day vulnerability, tracked as CVE-2020-6418, is a type of confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome’s open-source JavaScript and Web Assembly engine, called V8.

Read the full article here: https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/

Ransomware victims thought their backups were safe. They were wrong

Ransomware victims are finding out too late that their vital backups are online and also getting encrypted by crooks, warns cyber security agency.

The UK's cyber security agency has updated its guidance on what to do after a ransomware attack, following a series of incidents where organisations were hit with ransomware, but also had their backups encrypted because they had left them connected to their networks.

Keeping a backup copy of vital data is a good way of reducing the damage of a ransomware attack: it allows companies to get systems up and running again without having to pay off the crooks. But that backup data isn't much good if it's also infected with ransomware -- and thus encrypted and unusable -- because it was still connected to the network when the attack took place.

The UK's National Cyber Security Centre (NCSC) said it has now updated its guidance by emphasising offline backups as a defence against ransomware.

Read the full article here: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/

Data breach at City watchdog FCA exposes records of thousands of complainants

The records of 1,600 people who complained to the City watchdog have been exposed following a major data breach at the regulator.

The Financial Conduct Authority (FCA) mistakenly published the personal records of complainants on its website, where anyone could access the information.

The data was visible between November 2019 and February 2020 and included the records of people who made a complaint between January 2018 and July 2019.

This leaked information included the name of the complainant, the company they represent, the status of the complaint and other information. In some instances addresses and telephone numbers were also visible.

Certain media outlets disclosed that the list contained the names of several high-profile individuals.

Read more here: https://www.telegraph.co.uk/money/consumer-affairs/data-breach-city-watchdog-exposes-records-thousands-complainants/

Hackers are getting better at tricking people into handing over passwords — here's what to look out for, according to experts

Hackers don't break in, they log in.

That mantra, often repeated by security experts, represents a rule of thumb: The vast majority of breaches are the result of stolen passwords, not high-tech hacking tools.

These break-ins are on the rise. Phishing scams — in which attackers pose as a trustworthy party to trick people into handing over personal details or account information — were the most common type of internet crime last year, according to a recent FBI report. People lost more than $57.8 million in 2019 as the result of phishing, according to the report, with over 114,000 victims targeted in the US.

And as phishing becomes more profitable, hackers are becoming increasingly sophisticated in the methods they use to steal passwords, according to Microsoft's Security Research team.

Most of the attackers have now moved to phishing because it's easy

Read the full article here: https://www.businessinsider.com/phishing-scams-getting-more-sophisticated-what-to-look-out-for-2020-2?r=US&IR=T

Government authorities fail to train employees on ransomware detection, prevention

New research suggests that the majority of state and local governments are not rising to the challenge of mitigating ransomware threats. (and it’s not just Government)

The majority of state and local government agencies are failing to prepare their employees to spot cyber attacks or teach them how to handle ransomware incidents in the workplace, new research suggests.

On Thursday, IBM Security released the results of a new study, conducted on its behalf by The Harris Poll, containing responses from close to 700 US local and state employees in IT, education, emergency services, and security departments.

The research, taking place between January and February this year, reveals that only 38% of local and state employees have received any training in general ransomware prevention, which may include learning how to spot phishing attempts, the threat of social engineering, and basic security hygiene in the workplace.

More: https://www.zdnet.com/article/government-authorities-fail-to-train-employees-on-ransomware-detection-prevention/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about users sending emails to the wrong recipient.

The majority of data breaches reported to the data commissioner, both locally and nationally, have involved users sending emails to the wrong recipients.

This is clearly a problem and many technical controls won't defend against this as this comes down to human error. Human error is the leading cause of data breaches today, because people make mistakes and break the rules. In many cases, people may not even realise they’re doing anything wrong.

If businesses want to keep their data safe, they need to start at the human level and create a people-centric approach to cyber security that focuses on educating and protecting their employees.

We can help provide controls that help to reinforce this human level and reduce instances of users send emails to the wrong recipients.

Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Leaker Claims to Have Published 2TB of Data From Cayman National Bank

The biggest story this week affecting the offshore finance world is news that 2TB of data (equivalent to 620,000 photographs, and photos are normally much larger than Word documents, so conceivably millions of Word documents) from the Isle of Man branches of the Cayman National Bank and Cayman National Trust.

A pseudonymous Twitter account called Distributed Denial of Secrets--a play on the distributed-denial of service attacks that can bring down even the largest websites-- said that it was releasing "copies of the servers of Cayman National Bank and Trust." The account has also claimed to have released more information over the last few days and to have upgraded its servers to cope with traffic spikes.

https://www.tomshardware.com/news/cayman-islands-national-bank-hack-2tb

Whatsapp Users Urged To Update App Immediately Over Spying Fears

Users of WhatsApp, the popular cross-platform messaging app, have been urged this week to address fears that their devices could be used to spy on them thanks to a major security vulnerability:

https://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-update-latest-spying-security-spyware-india-cert-nso-a9210236.html

Social Engineering: The Insider Threat to Cybersecurity

SecurityBoulevard has an interesting piece this week with a useful explainer on Social Engineering and Social Engineering Prevention that is worth a read if this not an area you are familiar with.

https://securityboulevard.com/2019/11/social-engineering-the-insider-threat-to-cybersecurity/

These are the tricks hackers are using to hijack your email

TechRadar have a piece on Business Email Compromise (BEC) something that is a significant risk to all firms but especially to financial services firms and something that has affected firms in the offshore finance world with some firms locally having experienced losses running to hundreds of thousands.

Most BEC attacks take place on weekdays and during business hours to maximise effectiveness and normally only target small numbers of users.

Read the full article here: https://www.techradar.com/uk/news/these-are-the-tricks-hackers-are-using-to-hijack-your-email

Cyber security becoming top priority in the boardroom, say industry leaders

It looks like cyber is becoming more of a priority in Boardrooms according to a report from the London Business summit by PortSwigger.net. 

https://portswigger.net/daily-swig/cybersecurity-becoming-top-priority-in-the-boardroom-say-industry-leaders

In Guernsey cyber is getting a lot more focus with the recent Cyber Thematic review carried out by the GFSC and the findings presented to industry in the last couple of weeks, and new regulations coming into effect last year. The GFSC have made it clear to firms that this is Board level issue and Boards need to start being able to take an educated and informed approach to cyber and what their firms are doing to protect themselves against the risks the firm faces.

 Mystery surrounds leak of four billion user records

Threat researchers recently uncovered four billion user records on a wide-open Elasticsearch server, but who left them there is a mystery.

Different datasets contained, among other things, data on 1.5 billion unique individuals, a billion personal email addresses including work emails for millions of decision makers in Canada, the UK and the US, 420 million LinkedIn URLs, a billion Facebook URLs and IDs, over 400 million phone numbers and 200 million valid US mobile phone numbers. The second dataset contained scraped data from LinkedIn profiles, including information on recruiters.

The actual source of this data is shrouded in mystery but so much data on so many people means it is highly likely there will be records leaked relating to individuals and businesses in Guernsey and the other Channel Islands.

https://www.computerweekly.com/news/252474411/Mystery-surrounds-leak-of-four-billion-user-records

 110 Nursing Homes Cut Off from Health Records in Ransomware Attack

Looking at healthcare but showing the impact ransomware can have on any and all sectors, a ransomware outbreak in the US has affected an IT company that provides cloud data hosting, security and access management to more than 100 nursing homes over there. The ongoing attack is preventing these care centres from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.

https://securityboulevard.com/2019/11/110-nursing-homes-cut-off-from-health-records-in-ransomware-attack/

Anyone in the Bailiwick who has recently purchased a device from OnePlus should be alert to anyone impersonating OnePlus in trying to obtain further information or trying to sell products or services.

https://www.trustedreviews.com/news/oneplus-data-breach-what-you-need-to-know-about-customer-hack-3957273

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.

You can also follow us on Facebook and on Twitter