Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Cyber Weekly Flash Briefing 01 May 2020 – 50% of users feel vulnerable WFH, yet many have had no infosec training in last year, spear-phishing compromises execs in 150+ companies, Sophos zero-day
Cyber Weekly Flash Briefing for 01 May 2020 – Half of users feel vulnerable WFH and many have had no infosec training in last year, spear-phishing compromises execs in 150+ companies, Chrome vulns, Sophos firewall zero-day exploited
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
If you’re pressed for time watch the 60 second video version:
Half of remote workers feel vulnerable to growing cyber attacks
New research has revealed that almost half (49%) of employees working remotely feel vulnerable online due to the insecurity of the company laptops and PCs they are using to connect to corporate networks.
1,550 UK employees working from home during the pandemic were surveyed to better understand the security issues they've faced while working remotely.
The survey found that 42 percent of respondents received suspicious emails while 18 percent have dealt with a security breach while working from home. Of those who suffered a cyberattack, over half (51%) believed it was because they clicked on a malicious link and 18 percent believed an infected attachment was responsible.
Additionally, 42 percent of respondents reported that someone else in their household had experienced a hack of their social media accounts during the lockdown.
Read more here: https://www.techradar.com/news/half-of-remote-workers-feel-vulnerable-to-growing-cyberattacks
Many remote workers given no cyber security training
Two in three remote workers have not received any cyber security training in the past 12 months, according to a new report.
Based on a poll of 2,000 remote workers in the UK, the report states that more than three quarters (77 percent) are unconcerned about cyber security. Further, more than six in ten said they use personal devices when working from home, which poses a distinct threat to business data.
The report highlights the dangers associated with working from home and the fact cyber criminals are capitalising on the coronavirus outbreak to infect unwitting victims with malware.
With most businesses transitioning to remote working in response to lockdown measures, IT and security teams have been left with a network of unsecured, often naive workers who are easy prey for various forms of attack - especially phishing.
Read the full article here: https://www.itproportal.com/news/many-remote-workers-given-no-cybersecurity-training/
Spear-phishing campaign compromises executives at 150+ companies
A cyber crime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today.
The group, codenamed PerSwaysion, appears to have targeted the financial sector primarily, which accounted for more than half of its victims; although, victims have been recorded at companies active across other verticals as well.
PerSwaysion operations were not sophisticated, but have been extremely successful, nonetheless. Group-IB says the hackers didn't use vulnerabilities or malware in their attacks but instead relied on a classic spear-phishing technique.
They sent boobytrapped emails to executives at targeted companies in the hope of tricking high-ranking executives into entering Office 365 credentials on fake login pages.
Read the full article here: https://www.zdnet.com/article/spear-phishing-campaign-compromises-executives-at-150-companies/
Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway
Just because ransomware attackers haven't threatened to leak your company's data, it doesn't mean they haven't stolen it, Microsoft warns.
And human-operated ransomware gangs – typically associated with multi-million dollar ransom demands – haven't halted activity during the global coronavirus pandemic.
In fact, they launched more of the file-encrypting malware on target networks in the first two weeks of April than in earlier periods, causing chaos at aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, according to Microsoft.
Google Confirms New Security Threat For 2 Billion Chrome Users
Google has warned of yet more security vulnerabilities in Chrome 81, which was only launched three weeks ago.
Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.
These popular antivirus tools share a major security flaw
More than two dozen popular antivirus solutions contain a flaw that could enable hackers to delete files, trigger crashes and install malware, according to a new report.
Popular antivirus solutions such as Microsoft Defender, McAfee Endpoint Security and Malwarebytes all feature the bug, which is described as “trivial” to abuse.
The report refers to the shared vulnerability as “symlink race” – the use of symbolic links and directory junctions to link malicious files to legitimate counterparts. This all occurs in the short space of time between an antivirus scanning and deleting a file.
"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponising the tactics outlined in this blog post," said the report.
Read more: https://www.itproportal.com/news/these-popular-antivirus-tools-could-have-major-security-flaws/
Hackers are exploiting a Sophos firewall zero-day
Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.
Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."
After investigating the report, Sophos determined this was an active attack and not an error in its product.
Read more: https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
This sophisticated new Android trojan threatens hundreds of financial apps
Researchers have discovered a sophisticated new Android trojan that bypasses security measures and scrapes data from financial applications.
First identified in March, the EventBot banking trojan abuses Android’s accessibility features to harvest financial data and intercept SMS messages, allowing the malware to circumvent two-factor authentication.
According to the firm responsible for the discovery, EventBot targets over 200 financial applications, spanning banking, money transfer and cryptocurrency wallet services.
Affected applications include those operated by major players such as HSBC, Barclays, Revolut, Paypal and TransferWise - but many more are thought to be at risk.
Microsoft Office 365: US issues security alert over rushed remote deployments
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic.
CISA warns that it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have lead to important security configuration oversights that could be exploited by attackers.
"In recent weeks, organizations have been forced to change their collaboration methods to support a full 'work from home' workforce," CISA notes in the new alert.
Financial sector is seeing more credential stuffing than DDoS attacks
The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years according to a report published this week.
Statistics about attacks carried out against banks, credit unions, brokers, insurance, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (Saas).
The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical.
The report states that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019. This includes all the ATO variations such as:
· Brute-force attacks - attackers try common or weak username/passwords pairs (from a preset list) to brute-force their way into an account
· Credential stuffing - attackers try username/password pairs leaked at other sites
· Password spraying - attackers try the same password, but against different usernames
Read more here: https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/
This buggy WordPress plugin allows hackers to lace websites with malicious code
Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.
The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend - and reportedly features on over 100,000 sites.
The exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.
Read more here: https://www.techradar.com/news/this-buggy-wordpress-plugin-allows-hackers-to-lace-websites-with-malicious-code
Zoom Gets Stuffed: Here’s How Hackers Got Hold Of 500,000 Passwords
At the start of April, the news broke that 500,000 stolen Zoom passwords were up for sale. Here's how the hackers got hold of them.
More than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums earlier this month. Some were given away for free while others were sold for as low as a penny each.
Researchers at a threat intelligence provider obtained multiple databases containing Zoom credentials and got to work analysing exactly how the hackers got hold of them in the first place.
Read more here: https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/#6586d7be5cdc
Sophisticated Android Spyware Attack Spreads via Google Play
The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia — and could be the work of the OceanLotus APT.
A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.
Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.
The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.
Read more here: https://threatpost.com/sophisticated-android-spyware-google-play/155202/
Skype phishing attack targets remote workers
Remote workers have been warned to take extra care when using video conferencing software after a new phishing scam was uncovered.
Researchers from a security firm have revealed hackers are using emails pretending to be from Skype, the popular Microsoft-owned video calling tool, in order to trick home workers into handing over their login details.
Criminals could then use these logins to access corporate networks to spread malware or steal valuable information.
Read more here: https://www.techradar.com/news/skype-phishing-attack-targets-remote-workers
Cyber Weekly Flash Briefing for 24 April 2020 – increase in data breaches with staff WFH, MS out of band patch for Office, hackers breach ad servers, 309m Facebooks users details compromised
Cyber Weekly Flash Briefing for 24 April 2020 – increase in data breaches with staff WFH, MS out of band patch for Office, hackers breach ad servers, 309m Facebooks users compromised
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
The week in 60 seconds - video flash briefing
Over half of organisations expect remote workers to increase the risk of a data breach
Apathy towards cyber security remains one of the biggest challenges for businesses.
The majority of UK’s IT decision-makers believe remote workers will expose their businesses to the risk of a data breach.
This is according to a new report which claims the awareness of the issue has been “steadily growing” over the last three years.
While the report does not offer definitive explanations for the rise, it cites increased remote working due to the coronavirus as a contributing factor.
The percentage of employees intentionally putting data at risk dropped slightly (from 47 to 44 percent), but apathy continues to be a “major problem”.
However, remote working appears to have forced IT decision-makers to pay closer attention to security.
Almost all (96 percent) respondents acknowledged risks associated with BYOD policies and a significant portion of those (42 percent) only allow the use of pre-approved gear (up from 11 percent last year).
This change is “crucial”, as lost and misplaced devices are now the second biggest data breach cause (24 percent), behind intentionally putting data at risk (33 percent) and ahead of mishandling corporate data.
Trickbot Named Most Prolific #COVID19 Malware
Notorious malware Trickbot has been linked to more COVID-19 phishing emails than any other, according to new data from Microsoft.
The Microsoft Security Intelligence Twitter account made the claim on Friday.
“Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures,” it said. “This week’s campaign uses several hundreds of unique macro-laced document attachments in emails that pose as messages from a non-profit offering a free COVID-19 test.”
Microsoft has been providing regular updates through the current crisis as organizations struggle to securely manage an explosion in home working while cyber-criminals step up efforts to exploit stretched IT security teams and distracted employees.
Read more: https://www.infosecurity-magazine.com/news/trickbot-named-most-prolific/
Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D
Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.
The flaws, all rated “important” in severity, are tied to six CVEs stemming from Autodesk’s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications
Read more: https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/
1,000 may be hit by CISI website fraud attack
The CISI has launched an investigation after a website attack resulted in 1,000 customers and members being exposed to the risk of credit card fraud.
The professional body with 45,000 members says some members have reported “fraudulent activity” on their cards following a payment transaction on the CISI website.
The organisation, which provides the Certified Financial Planner and Chartered Wealth manager designations, has launched a probe with help from its insurers and KPMG.
The CISI has contacted 5,785 customers that processed a payment transaction through its website between 1 February 2020 and 15 April 2020.
It said not all of these have seen “fraudulent activity” but it anticipates about 1,000 have been exposed to a risk of fraud.
Here's a list of all the ransomware gangs who will steal and leak your data if you don't pay
Starting with late 2019 and early 2020, the operators of several ransomware strains have begun adopting a new tactic.
In an attempt to put additional pressure on hacked companies to pay ransom demands, several ransomware groups have also begun stealing data from their networks before encrypting it.
If the victim -- usually a large company -- refuses to pay, the ransomware gangs threaten to leak the information online, on so-called "leak sites" and then tip journalists about the company's security incident.
Companies who may try to keep the incident under wraps, or who may not want intellectual property leaked online, where competitors could get, will usually cave in and pay the ransom demand.
While initially the tactic was pioneered by the Maze ransomware gang in December 2019, it is now becoming a widespread practice among other groups as well.
Clop, Doppenpaymer, Maze, Nefilim, Nemty, Ragnarlocker, Revil (Sodinokibi), Sekhmet, Snatch
Read the original article here for full details: https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/
Hackers have breached 60 ad servers to load their own malicious ads
A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites.
This clever hacking campaign was discovered last month and appears to have been running for at least nine months, since August 2019.
Hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.
Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files -- usually disguised as Adobe Flash Player updates.
Read more: https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/
GCHQ calls on public to report coronavirus-related phishing emails
GCHQ is asking members of the public to report suspicious emails they have received amid a wave of scams and hacking attacks that seek to exploit fear of Covid-19 to enrich cybercriminals.
The National Cyber Security Centre, a branch of the intelligence agency, has launched the suspicious email reporting service with a simple request of the public: forward any dubious emails to report@phishing.gov.uk, and the NCSC’s automated scanning system will check for scam emails and immediately remove criminal sites.
Read more here: https://www.theguardian.com/technology/2020/apr/21/gchq-calls-public-report-coronavirus-phishing-emails
Hackers exploit bug to access iPhone users’ emails
Hackers have devised a way to install malicious software on iPhones without getting the victim to download an attachment or click on any links.
Cybersecurity researchers have discovered a bug in the phone’s email app that hackers may have been exploiting since January 2018. It enables hackers to access all emails on a phone, as well as remotely modify or delete them.
Typically, an attack on a phone requires a user to download the malware, such as clicking on a link in a message or on an attachment. Yet in this case, hackers send a blank email to the user. When the email is opened, a bug is triggered that causes the Mail app to crash, forcing the user to reboot it. During the reboot, hackers could access information on the device.
The hack is virtually undetectable by victims due to the sophisticated nature of the attack and Apple’s own security measures, which often make investigating the devices for potential vulnerabilities a challenge, experts claim.
More here: https://www.thetimes.co.uk/article/hackers-exploit-bug-to-access-iphone-users-emails-ssvvztrgf
FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak
Instances of cybercrime appear to have jumped by as much as 300 percent since the beginning of the coronavirus pandemic, according to the FBI. The bureau’s Internet Crime Complain Center (IC3) said last week that it’s now receiving between 3,000 and 4,000 cybersecurity complaints every day, up from the average 1,000 complaints per day the center saw before COVID-19 took hold.
While much of this jump can be attributed to America’s daily activities increasingly moving online — newly remote workers unaware of basic security measures or companies struggling to keep externally-accessed systems secure, for example — the FBI says a lot of the increased cybercrime is coming from nation states seeking out COVID-19-related research.
309 million Facebook users’ phone numbers found online
Last weekend, researchers came across a database with 267m Facebook user profiles being sold on the Dark Web.
Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it, for the grand total of £500.
That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.
Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.
Read more here: https://nakedsecurity.sophos.com/2020/04/22/309-million-facebook-users-phone-numbers-and-more-found-online/
Google Issues Warning For 2 Billion Chrome Users
Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.
Chrome has a critical security flaw across Windows, Mac and Linux and it urges users to upgrade to the latest version of the browser (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.
Zoom announces 5.0 update with tougher encryption and new security features
Zoom has today announced its new 5.0 update, bringing robust new security features including AES 256-bit GCM encryption.
Zoom says that AES 256-bit GCM encryption will "raise the bar for securing our users' data in transit", providing "confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar and Zoom Phone Data." The systemwide enablement of this new security standard will take place on May 30.
Zoom has also introduced a new security icon, where it has grouped its security features in one place within Zoom's meeting menu bar. It has also introduced more robust host controls, including a 'report a user' feature. Waiting rooms now default to on, as do meeting passwords and cloud recording passwords. Zoom has also introduced a new data structure for linking contacts within larger organizations. Previously, a Zoom feature designed to group users by domain name had seen thousands of random users grouped together, sharing lots of information with strangers.
Read more: https://www.androidcentral.com/zoom-announces-50-update-tougher-encryption-and-new-security-features
Temporary coronavirus hospitals face growing cybersecurity risks
The coronavirus outbreak has led to a series of temporary medical facilities opening across the U.S., most of which will use remote-care devices without the proper protection against hackers. Because of their remoteness and the overall uncertainty that pandemic’s created, cybersecurity at these temporary hospitals has fallen to the wayside and risks are at an all-time high.
Further complicating matters, most of these temporary units are highly dependent on connected medical devices to facilitate remote care. This leaves these hospitals open to hackers stealing patients’ personal health information via these connected devices.
Fortunately, there are a number of steps health care organizations can take to protect their remote facilities. Not only should organizations ensure their software is up to date and fully patched, but they should also consider enabling two-factor authentication for every account that’s granted access to the remote center’s system.
To assist with securing these remote health care locations, Microsoft has expanded the availability of its AccountGuard security service program. Currently offered at no cost to health care providers on the front lines of the coronavirus outbreak, Microsoft’s AccountGuard service helps targeted organizations protect themselves from ongoing cybersecurity threats.
Cyber Weekly Flash Briefing for 17 April 2020 – More Top Companies Ban Zoom, Microsoft fixes 3 zero-days, 2 being actively exploited, 500,000 Zoom accounts sold online, Sinister new Botnet
Cyber Weekly Flash Briefing for 17 April 2020 – More Top Companies Ban Zoom, Microsoft fixes 3 zero-days, 2 being actively exploited, 500,000 Zoom accounts sold online, Sinister new Botnet
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
60 second video version of this week’s flash briefing
More top companies ban Zoom following security fears
As usage of Zoom rises amidst the global pandemic, more companies are telling their staff to stay off the video conferencing service due to security concerns.
Among the latest organisations to block the use of Zoom are German industrial giant Siemens, which sent out an internal circular urging its employees to not use the tool for video conferencing, with Standard Chartered Bank also issuing a similar note to its staff.
The latter has told employees to avoid Google Hangouts, which has also emerged as another popular teleconferencing application in recent weeks.
Read more here: https://www.techradar.com/uk/news/more-top-companies-ban-zoom-following-security-fears
Over 500,000 Zoom accounts sold on hacker forums, the dark web
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.
These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.
Read more here: https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/
Microsoft April 2020 Patch Tuesday fixes 3 zero-days – 2 of which being actively exploited, 15 critical flaws
Microsoft's April 2020 Patch Tuesday fell this week, and with everything going on, it is going to be particularly stressful for Windows administrators.
With the release of the April 2020 security updates, Microsoft has released fixes for 113 vulnerabilities in Microsoft products. Of these vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as Moderate, and 2 as Low.
Of particular interest, Microsoft patched three zero-day vulnerabilities, with two of them being seen actively exploited in attacks.
Users should install these security updates as soon as possible to protect Windows from known security risks.
Read more here: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2020-patch-tuesday-fixes-3-zero-days-15-critical-flaws/
Hackers Are Selling a Critical Zoom Zero-Day Exploit for £400,000
Hackers are selling two critical vulnerabilities for the video conferencing software Zoom, one for Windows and one for MacOS that would allow someone to hack users and spy on their calls.
The two flaws are so-called zero-days, and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale.
Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they’re in, they can be sold for thousands or even millions of dollars.
Phishing kit prices skyrocketed in 2019 by 149%
The average price of a phishing kit sold on cybercrime markets has gone up in 2019 by 149% according to new findings released this week based on analysis of ads posted on known cybercrime markets and hacking forums.
The average price for phishing kits sold on the cybercrime underground in 2019 has skyrocketed to $304 on average last year, up from only $122 recorded in 2018.
Phishing kit prices rose despite an increase in the number of kit sellers (up by 120%) and the number of phishing kit ads (doubled in 2019).
Of the 16,200 phishing kits identified and tracked in 2019, the most targeted login pages were for Amazon, Google, Instagram, Office 365, and PayPal.
Amazon and PayPal are known targets of phishing operations, as access to both accounts can allow hackers to make fraudulent transactions with victims' funds.
More here: https://www.zdnet.com/article/phishing-kit-prices-skyrocketed-in-2019-by-149/
A Sinister New Botnet Could Prove Nearly Impossible To Stop
Security researchers have discovered an emerging threat that they fear could be nearly unstoppable. This growing botnet has already managed to enslave nearly 20,000 computers.
It is known as DDG, and it’s been lurking in the shadows for at least two years. DDG was first discovered in early 2018.
Back then the nascent botnet had control of just over 4,000 so-called zombies and used them to mine the Monero cryptocurrency. Much has changed since then.
Today’s incarnation of DDG isn’t just five times larger. It’s also much more sophisticated.
One of its distinguishing features is its command and control system. Most botnets are designed around a client/server model. Infected machines listen for instructions from the servers and then carry out their orders.
MSC Data Centre Closes Following Suspected Cyber-Attack
A container shipping company has said malware could be to blame for the closure of one of its data centres last week.
The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing.
The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company's myMSC portal.
A message posted from the Twitter account MSC Cargo on April 10 stated: "We are sorry to inform you that http://MSC.com and myMSC are currently not available as we've experienced a network outage in one of our data centers. We are working on fixing the issue."
As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.
Read the original article here: https://www.infosecurity-magazine.com/news/msc-suffers-suspected-cyberattack/
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
60 second video flash briefing
UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors
A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.
Read more here: https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory
Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf
Travelex paid $2.3M in Bitcoin to get its systems back from hackers
Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.
The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.
Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.
Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.
Travelex‘ operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.
At the time, BBC claimed that Travelex‘ attackers had demanded $6 million worth of Bitcoin to unlock its systems.
Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess
The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.
The company announced that it’s taking help from CISOs to improve the security and patch the flaws in the app. Zoom will be taking help from CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.
Read more here: https://mspoweruser.com/zoom-ciso-hires-ex-facebook-cso-clean-its-mess/
Researchers discover IoT botnet capable of launching various DDoS attacks
Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.
According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.
Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.
Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.
Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/
Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees
Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.
Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.
“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”
Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/
Stolen Zoom account credentials are freely available on the dark web
Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom account have been found on the dark web.
The credentials were hardly hidden -- aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.
Read more: https://betanews.com/2020/04/08/zoom-account-credentials-dark-web/
Shadow IT Represents Major #COVID19 Home Working Threat
Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.
A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.
It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.
These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.
Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.
These challenges are only going to grow, according to the research.
Read more here: https://www.infosecurity-magazine.com/news/shadow-it-covid19-home-working/
'Unkillable' Android malware gives hackers full remote access to your phone
Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.
A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.
The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.
Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.
xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.
Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android
BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.
The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.
The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.
Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).
More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats
Bot traffic fueling rise of fake news and cybercrime
The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.
At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.
A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.
According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.
The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.
Read more here: https://www.techradar.com/news/bot-traffic-fueling-rise-of-fake-news-and-cybercrime
Cyber Weekly Flash Briefing 03 April 2020 – GFSC warn over increased fraud & cybercrime, attacks up 37% in a month, criminals sending USB devices in post, Zoom phishers register 2000 domains
Cyber Weekly Flash Briefing for 03 April 2020 – GFSC warns over increased risk of fraud and cyber crime, Attacks Up 37% over last month, criminals sending USB device in post, Zoom Phishers Register 2000 Domains in a Month, increase in DDoS attacks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
GFSC warns over increased risk of fraud and cyber crime
The GFSC has put out a warning to regulated firms on the Island around increased likelihood of fraud and other cyber crimes as a result of the COVID-19 pandemic.
The Commission has stated that they expect licensees to apply effective controls, including having suitable controls to prevent cybercrime.
Cyber-Attacks Up 37% Over Past Month as #COVID19 Bites
Online threats have risen by as much as six-times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks.
Analysis of UK traffic figures for the past four weeks compared to the previous month noted a sharp uptick in malicious activity.
Hacking and phishing attempts were up 37% month-on-month, while on some days, there were between four- and six-times the number of attacks it would usually see.
More here: https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/
Cybercrime spikes during coronavirus pandemic, says Europol
Just like everyone else in the face of a pandemic, criminals seem to be staying home — but they're just turning to different methods to make a buck.
That's the message from a new Europol report out this week, which reveals that criminals are adapting to exploit the global chaos.
While many police departments are reporting a lull in physical crime, other types of crime are having a heyday — and those numbers are only expected to increase.
Europol identified cybercrime, fraud, counterfeit goods and organised property crime as categories of particular concern.
Read more here: https://www.euronews.com/2020/03/27/cybercrime-spikes-during-coronavirus-pandemic-says-europol
Cybercriminal group mails malicious USB dongles to targeted companies
Security researchers have come across an attack where an USB dongle was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time it's a known sophisticated cybercriminal group who is likely behind it.
The attack was analysed after a US company in the hospitality sector received the USB sometime in mid-February.
The package contained an official-looking letter with Best Buy's logo and other branding elements informing the recipient that they've received a $50 gift card for being a regular customer. "You can spend it on any product from the list of items presented on an USB stick," the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.
Top Email Protections Fail in Latest COVID-19 Phishing Campaign
Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.
New phishing attacks were discovered that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area.
The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to the report.
More: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/
Zoom Phishers Register 2000 Domains in a Month
Over 2000 new phishing domains have been set up over the past month to capitalise on the surging demand for Zoom from home workers, according to new data.
The report analysed data from a threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.
The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.
With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.
Nearly a third (30%) of the new “Zoom” websites spotted activated an email server which indicates these domains are being used to facilitate phishing attacks.
More here: https://www.infosecurity-magazine.com/news/zoom-phishers-register-2000/
Across-the-board increase in DDoS attacks of all sizes
There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to a report.
DDoS attacks grew across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019.
In 2019, the largest mitigated threat, at 587 gigabits per second (Gbps), was 31% larger than the largest attack of 2018, while the maximum attack intensity observed in 2019, 343 million packets per second (Mpps), was 252% higher than that of the most intense attack seen in 2018.
However, despite these higher peaks, the average attack size (12 Gbps) and intensity (3 Mpps) remained consistent year over year. The longest single, uninterrupted attack experienced in 2019 lasted three days, 13 hours and eight minutes.
Though the number of attacks increased significantly across all size categories, small-scale attacks (5 Gbps and below) again saw the largest growth in 2019, continuing the trend from the previous year.
More here: https://www.helpnetsecurity.com/2020/03/27/ddos-attacks-increase-2020/
Cybersecurity insurance firm Chubb investigates its own ransomware attack
A notorious ransomware gang claims to have successfully compromised the infrastructure of a company selling cyber insurance.
The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.
The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.
Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.
Read the full article here: https://hotforsecurity.bitdefender.com/blog/cybersecurity-insurance-firm-chubb-investigates-its-own-ransomware-attack-22753.html
Ransomware Payments on the Rise
More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.
New research published this week shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.
The report states 62% of organisations were victimised by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.
Read the full article here: https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments/
Marriott hit by second data breach exposing “up to” 5.2 million people
Hotel chain Marriott International this week announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
The hotel company has stressed that not all data was exposed for each person.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.
More here: https://www.verdict.co.uk/marriott-second-data-breach/
Lawyers urged to switch off Alexa when working from home
Law firms are warning their employees to turn off their smart speakers while working from home due to security concerns.
Smart speakers such as Amazon’s Echo series and Google’s Nest range have become wildly popular in Britain with an estimated 34pc of households now using them.
But privacy and security experts have repeatedly said the devices may pose a security threat and now law firms have advised staff not to disclose sensitive details when they are in use nearby.
A spokesman from one firm of solicitors said that that hackers could access sensitive details through the speakers, telling their staff to check the default settings on the speaker and to the extent that you can, switch them off during the working day.
More here: https://www.telegraph.co.uk/technology/2020/03/30/lawyers-urged-switch-alexa-working-home/