Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 22 January 2021
Black Arrow Cyber Threat Briefing 22 January 2021: Ransomware Biggest Cyber Concern; Ransomware Payments Grew 311% In 2020; Cyber Security Spending To Soar In 2021; Ransomware Provides The Perfect Cover For Other Attacks; Gdpr Fines Skyrocket As Eu Gets Tough On Data Breaches; Popular Pdf Reader Has Database Of 77 Miliion Users Leaked Online; Malware Incidents On Remote Devices Increase
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Ransomware is now the biggest Cyber Security concern for CISOs
Ransomware is the biggest cyber security concern facing businesses, according to those responsible for keeping organisations safe from hacking and cyberattacks. A survey of chief information security officers (CISOs) and chief security officers (CISOs found that ransomware is now viewed as the main cyber security threat to their organisation over the course of the next year. Almost half – 46% – of CISOs and CISOs surveyed said that ransomware or other forms of extortion by outsiders represents the biggest cyber security threat.
https://www.zdnet.com/article/ransomware-is-now-the-biggest-cybersecurity-concern-for-cisos/
Crypto ransomware payments grew 311% in 2020
Crypto payments associated with ransomware grew at least 311% in 2020. “Ransomware” refers to a category of malicious computer programs that force users into paying ransoms. Just 0.34% of all cryptocurrency transactions last year were criminal, down from 2.1% in 2019. But that number is bound to go up, said the firm.
https://decrypt.co/54648/crypto-crime-ransomware-chainalysis-report-2020
The SolarWinds hackers used tactics other groups will copy
One of the most chilling aspects of Russia's recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this was not the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.
https://www.wired.com/story/solarwinds-hacker-methods-copycats/
Global Cyber Security spending to soar in 2021
The worldwide cyber security market is set to grow by up to 10% this year to top $60bn, as the global economy slowly recovers from the pandemic. Double-digit growth from $54.7bn in 2020 would be its best-case scenario. However, even in the worst case, cyber security spending would reach 6.6%. That would factor in a deeper-than-anticipated economic impact from lockdowns, although the security market has proven to be remarkably resilient thus far to the pandemic-induced global economic crisis. That said, SMB spending was hit hard last year, along with certain sectors like hospitality, retail and transport.
https://www.infosecurity-magazine.com/news/global-cybersecurity-spending-to/
Cyber criminals publish more than 4,000 stolen Sepa files
Sepa rejected a ransom demand for the attack, which has been claimed by the international Conti ransomware group. Contracts, strategy documents and databases are among the 4,000 files released. The data has been put on the dark web - a part of the internet associated with criminality and only accessible through specialised software.
https://www.bbc.co.uk/news/uk-scotland-55757884
Ransomware provides the perfect cover for other attacks
Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes
https://www.helpnetsecurity.com/2021/01/21/ransomware-cover/
Popular PDF reader has database of 77 million users hacked and leaked online
A threat actor has leaked a 14 GB database online containing over 77 million records relating to thousands of users of the Nitro PDF reader software, with users' email addresses, full names, hashed passwords, company names, IP addresses, and other system-related information.
Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data
Some organisations that fall victim to ransomware attacks are paying ransoms to cyber-criminal gangs despite being able to restore their own networks from backups, in order to prevent hackers publishing stolen data. Over the course of the past year, many of the most successful ransomware gangs have added an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn't received.
GDPR fines skyrocket as EU gets tough on data breaches
Europe’s new privacy protection regime has led to a surge in fines for bad actors, according to research published today. Law firm DLA Piper says that, since January 28th, 2020, the EU has issued around €158.5 million (around $192 million) in financial penalties. That’s a 39-percent increase on the previous 20-month period Piper examined in its report, published this time last year. And as well as the increased fines, the number of breach notifications has shot up by 19 percent across the same 12-month period.
https://www.engadget.com/gdpr-fines-dla-piper-report-144510440.html
Malware incidents on remote devices increase
Devices compromised by malware in 2020, 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage, highlighting a need for organizations to better determine how to configure business tools to ensure fast and safe connectivity for all users in 2021.
https://www.helpnetsecurity.com/2021/01/18/malware-incidents-remote-devices/
Threats
Phishing
Malware
Vulnerabilities
Signal and other video chat apps found to have some major security flaws
Automated exploit of critical SAP SolMan vulnerability detected in the wild
List of DNSpooq vulnerability advisories, patches, and update
Dnsmasq vulnerabilities open networking devices, Linux distros to DNS cache poisoning
New FreakOut botnet targets Linux systems running unpatched software
Data Breaches
Denial of Service
Cloud
Privacy
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 15 January 2021
Black Arrow Cyber Threat Briefing 15 January 2021: Two Thirds of Employees Don’t Consider Security Whilst Working from Home; Ransomware Gangs Targeting Top Execs; Microsoft emits 83 security fixes – and miscreants are already exploiting vulnerabilities in Windows Defender; Android malware gives hackers full control of your smartphone; Massive fraud campaign sees millions vanish from online bank accounts
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Two-Thirds of Employees Don’t Consider Security Whilst Home Working
More than two-thirds (68%) of UK workers do not consider the cyber security impact of working from home, according to a new study. The survey of 2043 employees in the UK demonstrated a lack of awareness about how to stay secure whilst working remotely, which is putting businesses at risk of attacks. The shift to home working as a result of COVID-19 means that staff in many organizations are operating across insecure devices and networks, providing opportunities for cyber-criminals.
https://www.infosecurity-magazine.com/news/two-thirds-employees-security-home/
Ransomware Gangs Scavenge for Sensitive Data by Targeting Top Executives
In their attempt to extort as much money as quickly as possible out of companies, ransomware gangs know some effective techniques to get the full attention of a firm’s management team. And one of them is to specifically target the sensitive information stored on the computers used by a company’s top executives, in the hope of finding valuable data that can best pressure bosses into approving the payment of a sizeable ransom.
Microsoft emits 83 security fixes – and miscreants are already exploiting one of the vulnerabilities in Windows Defender
83 vulnerabilities in its software, which does not include the 13 flaws fixed in its Edge browser last week. That's up from 58 repairs made in December, 2020, a relatively light month by recent standards. Affected applications include: Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, Visual Studio, SQL Server, Microsoft Malware Protection Engine, .NET Core, .NET Repository, ASP .NET, and Azure.
https://www.theregister.com/2021/01/12/patch_tuesday_fixes/
This Android malware claims to give hackers full control of your smartphone
The 'Rogue' remote administration tool (RAT) infects victims with a keylogger, allowing attackers to easily monitor the use of websites and apps in order to steal usernames and passwords, as well as financial data. The low cost of the malware reflects the increasing sophistication of the criminal ecosystem that is making it possible for wannabe crooks with limited technical skills to acquire the tools to stage attacks.
Massive fraud campaign sees millions vanish from online bank accounts
Researchers have uncovered an extensive fraud campaign that saw millions of dollars drained from victims’ online bank accounts. The operation was discovered by experts at IBM Trusteer, the IT giant’s security division, who described the attack as unprecedented in scale. To gain access to online banking accounts, the fraudsters are said to have utilized a piece of software known as a mobile emulator, which creates a virtual clone of a smartphone.
SolarWinds Hack Followed Years of Warnings of Weak Cyber Security
Congress and federal agencies have been slow or unwilling to address warnings about cyber security, shelving recommendations that are considered high priority while investing in programs that have fallen short. The massive cyber-attack by suspected Russian hackers, disclosed in December, came after years of warnings from a watchdog group and cyber security experts. For instance, the Cyberspace Solarium Commission, which was created by Congress to come up with strategies to thwart sizable cyber-attacks, presented a set of recommendations to Congress in March that included additional safeguards to ensure more trusted supply chains.
Threats
Ransomware
Hacker used ransomware to lock victims in their IoT chastity belt
Ransomware Attack Costs Health Network $1.5m a Day
Dassault Falcon Jet reports data breach after ransomware attack
IOT
Cyber experts say advice from breached IoT device company Ubiquiti falls short
Phishing
Iranian cyber spies behind major Christmas SMS spear-phishing campaign
Malware
macOS malware used run-only AppleScripts to avoid detection for five years
Going Rogue – a Mastermind Behind Android Malware Returns with a New Remote Access Trojan (RAT)
Emotet Tops Malware Charts in December After Reboot
Vulnerabilities
Windows 10 bug corrupts your hard drive on seeing this file's icon
Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove
Adobe fixes critical code execution vulnerabilities in 2021's first major patch round
Data Breaches
Over 16,000 customers seeking compensation for British Airways data breach
New Zealand Central Bank Breach Hit Other Companies
Massive Parler data leak exposes millions of posts, messages and videos
Millions of Social Profiles Leaked by Chinese Data-Scrapers
Hackers leak stolen Pfizer COVID-19 vaccine data online
United Nations data breach exposed over 100k UNEP staff records
Organised Crime
Europol shuts down the world's largest dark web marketplace
Nation State Actors
Third malware strain discovered in SolarWinds supply chain attack
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 08 January 2021
Black Arrow Cyber Threat Briefing 08 January 2021: Ryuk gang estimated to have made more than $150 million from ransomware; China's hackers move to ransomware; Amid hardened security, attackers seek softer targets; Hackney Council files leaked online after cyber attack; PayPal users targeted in new SMS phishing campaign; the rise of cyber-mercenaries; Declutter Your Devices to Reduce Security Risks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Ryuk gang estimated to have made more than $150 million from ransomware attacks
In a joint report published today, threat intel company Advanced Intelligence and cyber security firm HYAS said they tracked payments to 61 Bitcoin addresses previously attributed and linked to Ryuk ransomware attacks. "Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims," the two companies said. "These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range."
China's APT hackers move to ransomware attacks
Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
SolarWinds hack: Amid hardened security, attackers seek softer targets
Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading. And yet, those same experts acknowledge that such accusations offer an important cyber security lesson for businesses: organizations must ensure that their entire attack surface receives attention.
Hackney Council files including alleged passport documents leaked online after cyber attack
The council in East London was hit by what it described as a "serious cyber attack" in October. It reported itself to the data watchdog due to the risk criminals accessed staff and residents' data. The council said it was working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident.
PayPal users targeted in new SMS phishing campaign
Now, at first glance the message may not seem all that suspicious since PayPal may, in fact, impose limits on sending and withdrawing money. The payment provider usually does so when it suspects that an account has been accessed by a third party without authorization, when it has detected high-risk activities on an account, or when a user has violated its Acceptable Use Policy. However, in this case it really is a case of SMS-borne phishing, also known as Smishing. If you click on the link, you will be redirected to a login phishing page that will request your access credentials. Should you proceed to “log in”, your credentials will be sent to the scammers behind the ruse and the fraudulent webpage will attempt to gather further information, including the full name, date of birth address, and bank details.
https://www.welivesecurity.com/2021/01/04/paypal-users-targeted-new-sms-phishing-campaign/
SolarWinds, top executives hit with class action lawsuit over Orion software breach
SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector.
The rise of cyber-mercenaries poses a growing threat for both governments and companies
These days, 21st century mercenaries are as likely to be seated behind a computer screen, wreaking havoc for their paymasters’ enemies as slugging it out on a real-world battlefield. But the rapid rise of cyber-mercenaries - or Private Sector Offensive Actors (PSOAs) - is vexing some of the biggest names in the global technology industry, and for good reason. Globally, the cyber security industry is already vast, raking in an estimated $156bn in revenues in 2019. It is set to nearly double in size by 2027.
Declutter Your Devices to Reduce Security Risks
Everyone should set aside time to review what they’ve installed on their various devices—typically apps, but that can also include games and addons. In fact, this should be an annual cleaning, at minimum.
You’re not just doing this because you want your device to look good. That’s one benefit you get from cleaning up your digital life, but it’s not the most important one. You’re also doing this to bolster your digital security. Yes, security.
https://lifehacker.com/declutter-your-devices-to-reduce-security-risks-1845991606
Threats
Ransomware
New Year, New Ransomware: Babuk Locker Targets Large Corporations
Phishing
This new phishing attack uses an odd lure to deliver Windows trojan malware
Facebook ads used to steal 615000+ credentials in a phishing campaign
Malware
North Korean hackers launch RokRat Trojan in campaigns against the South
Thousands infected by trojan that targets cryptocurrency users on Windows, Mac and Linux
A hacker’s predictions on enterprise malware risk
Vulnerabilities
Google Warns of Critical Android Remote Code Execution Bug
Hackers are actively exploiting this leading VPN, so patch now
Data Breaches
Hacker posts data of 10,000 American Express accounts for free
Vodafone's ho. Mobile admits data breach, 2.5m users impacted
T-Mobile data breach: ‘Malicious, unauthorized’ hack exposes customer call information
Exclusive Networks hit by cyberattack on New Year's Eve
Up to half a million victims of BA data breach could be eligible for compensation
Nation State Actors
Even Small Nations Have Jumped into the Cyber Espionage Game
Denial of Service
Ransom DDoS attacks target a Fortune Global 500 company
Privacy
Telegram feature exposes your precise address to hackers
Whatsapp Competitor Signal Stops Working Properly As Users Rush To Leave Over Privacy Update
Google Chrome browser privacy plan investigated in UK
Singapore police can access COVID-19 contact tracing data for criminal investigations
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 18 December 2020
Black Arrow Cyber Threat Briefing 18 December 2020: The great hack attack - SolarWinds breach exposes big gaps in cyber security; A wake-up for the world on cyber security; White House activates cyber emergency response; US nuclear weapons agency targeted; UK companies targeted; Increasing Risk of Cyber Attacks; millions of users install malicious browser extensions; C19 Vaccines sold on dark web
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
The great hack attack: SolarWinds breach exposes big gaps in cyber security
Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.
Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.
For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.
The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.
https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2
A wake-up for the world on cyber security
Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.
https://www.ft.com/content/d3fc0b14-4a82-4671-b023-078516ea714e
US government, thousands of businesses now thought to have been affected by SolarWinds security attack
Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.
The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.
Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.
https://www.techradar.com/uk/news/solarwinds-suffers-massive-supply-chain-attack
White House activates cyber emergency response under Obama-era directive
In the wake of the SolarWinds breach, the National Security Council has activated an emergency cyber security process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.
The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.
The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.
The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.
https://www.cyberscoop.com/solarwinds-white-house-national-security-council-emergency-meetings/
Hackers targeted US nuclear weapons agency in massive cyber security breach, reports say
The National Nuclear Security Administration and Energy Department, which safeguard the US stockpile of nuclear weapons, have had their networks hacked as part of the widespread cyber espionage attack on a number of federal agencies.
Politico reports that officials have begun coordinating notifications about the security breach to the relevant congressional oversight bodies.
Suspicious activity was identified in the networks of the Federal Energy Regulatory Commission (FERC), Los Alamos and Sandia national laboratories in New Mexico and Washington, the Office of Secure Transportation, and the Richland Field Office of the Department of Energy.
Officials with direct knowledge of the matter said hackers have been able to do more damage to the network at FERC, according to the report.
Microsoft warns UK companies were targeted by SolarWinds hackers
Microsoft has warned that some of its UK customers have been exposed to the malware used in the Russia-linked SolarWinds hack that targeted US states and government agencies.
More than 40 of the tech giant's customers are thought to have used breached SolarWinds software, including clients in Britain, the US, Canada, Mexico, Belgium, Spain, Israel, and the UAE.
The company would not name the victims, but said they include government agencies, think tanks, non-governmental organisations and IT firms. Microsoft said four in five were in the US, with nearly half of them tech companies.
“This is not ‘espionage as usual,’ even in the digital age,” said Brad Smith, Microsoft's president. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
The attackers, believed to be working for the Russian government, got into computer networks by installing a vulnerability in Orion software from SolarWinds.
Society at Increasingly High Risk of Cyber Attacks
Cyber attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cyber security, Ulster University, during a virtual media roundtable.
“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”
He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.
A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.
https://www.infosecurity-magazine.com/news/society-increasingly-risk-cyber/
Three million users installed 28 malicious Chrome or Edge extensions
More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.
The 28 extensions contained code that could perform several malicious operations, including:
-redirect user traffic to ads
-redirect user traffic to phishing sites
-collect personal data, such as birth dates, email addresses, and active devices
-collect browsing history
-download further malware onto a user's device
But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.
https://www.zdnet.com/article/three-million-users-installed-28-malicious-chrome-or-edge-extensions/
Vaccines for sale on dark web as criminals target pandemic profits
Black market vendors were offering coronavirus vaccines for sale on hidden parts of the internet days after the first Covid-19 shot was approved this month, as criminals seek to profit from global demand for inoculations.
One such offer on the so-called dark web, traced by cyber security company Check Point Software, was priced at $250 with the seller promising “stealth” delivery in double-wrapped packaging. Shipping from the US via post or a leading courier company would cost $20, with an extra $5 securing overnight delivery.
https://www.ft.com/content/8bfc674e-efe6-4ee0-b860-7fcb5716bed6
Threats
Ransomware
FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay
House purchases in Hackney fall through following cyber attack against council
Mount Locker Ransomware Offering Double Extortion Scheme to Other Hackers
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
Phishing
Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam
Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails
IoT
Malware
New iOS and Android spyware responsible for multi-layered sextortion campaign
Google Chrome, Firefox, Edge hijacked by massive malware attack: What you need to know
This nasty malware is infecting every web browser — what to do now
Tor malware is becoming a worryingly popular ransomware tool
Vulnerabilities
Israeli Phone-hacking Firm Claims It Can Now Break Into Encrypted Signal App
PgMiner botnet exploits disputed CVE to hack unsecured PostgreSQL DBs
Zero-day in WordPress SMTP plugin abused to reset admin account passwords
Sophos fixes SQL injection vulnerability in their Cyberoam OS
Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10
Data Breaches
Twitter hit with €450,000 GDPR fine nearly two years after disclosing data breach
Data Leak Exposes Details of Two Million Chinese Communist Party Members
Organised Crime
Nation State Actors
Privacy
UK police unlawfully processing over a million people’s data on Microsoft 365
Sci-fi surveillance: Europe's secretive push into biometric technology
Other News
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 December 2020
Black Arrow Cyber Threat Briefing 4 December 2020: Covid vaccine supply chain targeted by hackers; Criminals Favour Ransomware and BEC; Bank Employee Sells Personal Data of 200,000 Clients; 2020 Pandemic changing short- and long-term approaches to risk; Cyber risks take the fun out of connected toys; Remote Workers Admit Lack of Security Training
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Covid vaccine supply chain targeted by hackers, say security experts
Cyber attackers have targeted the cold supply chain needed to deliver Covid-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation state.
The hackers appeared to be trying to disrupt or steal information about the vital processes to keep vaccines cold as they travel from factories to hospitals and doctors’ offices.
https://www.ft.com/content/9c303207-8f4a-42b7-b0e4-cf421f036b2f
Criminals to Favour Ransomware and BEC Over Breaches in 2021
The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware.
Cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.
https://www.infosecurity-magazine.com/news/criminals-favor-ransomware-bec/
Bank Employee Sells Personal Data of 200,000 Clients
South Africa–based financial services group Absa has stated that one of its employees sold the personal information of 200,000 clients to third parties.
The group confirmed on Wednesday that the illegal activity had occurred and that 2% of Absa's retail customer base had been impacted.
The employee allegedly responsible for it was a credit analyst who had access to the group's risk-modeling processes.
Data exposed as a result of the security incident included clients' ID numbers, addresses, contact details, and descriptions of vehicles that they had purchased on finance.
https://www.infosecurity-magazine.com/news/bank-employee-sells-personal-data/
LastPass review: Still the leading password manager, despite security history
"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket,'" said industrialist Andrew Carnegie in 1885. When it comes to privacy tools, he's usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. To wit, I have been using LastPass so long I don't know when I started using LastPass and, for now, I've got no reason to change that.
The most significant security innovations of 2020
Who gets access? That is the question that drives every security measure and innovation that’s landed on PopSci’s annual compendium since we launched the category in 2008. Every year, that question gets bigger and bigger. In 2020, the world quaked under a global pandemic that took 1.4 million lives, the US saw a rebirth in its civil rights movement, and a spate of record-breaking wildfires forced entire regions to evacuate. And those are just the new scares. A buildup of angst against ad trackers and app snooping led to major changes in hardware and software alike. It was a year full of lessons, nuances, and mini revolutions, and we strive to match that with our choices.
https://www.popsci.com/story/technology/most-important-security-innovations-2020/
2020 security priorities: Pandemic changing short- and long-term approaches to risk
Security planning and budgeting is always an adventure. You can assess current risk and project the most likely threats, but the only real constant in cybersecurity risk is its unpredictability. Layer a global pandemic on top of that and CISOs suddenly have the nearly impossible task of deciding where to request and allocate resources in 2021.
Show how the COVID pandemic has changed what security focuses on now and what will drive security priorities and spending in 2021. Based on a survey of 522 security professionals from the US, Asia/Pacific and Europe, the study reveals how the pandemic has changed the way organizations assess risk and respond to threats—permanently.
Cyber risks take the fun out of connected toys
As Christmas approaches, internet-enabled smart toys are likely to feature heavily under festive trees. While some dolls of decades past were only capable of speaking pre-recorded phrases, modern equivalents boast speech recognition and can search for answers online in real time.
Other connected gadgets include drones or cars such as Nintendo’s Mario Kart Live Home Circuit, where players race each other in a virtual world modelled after their home surroundings.
But for all the fun that such items can bring, there is a risk — poorly-secured Internet of Things toys can be turned into convenient tools for hackers.
https://www.ft.com/content/c653e977-435f-4553-8401-9fa9b0faf632
Remote Workers Admit Lack of Security Training
A third of remote working employees have not received security training in the last six months.
400 remote workers in the UK across multiple industries, while 83% have had access to security best practice training and 88% are familiar with IT security policies, 32% have received no security training in the last six months.
Also, 50% spend two or more hours a week on IT issues, and 42% felt they had to go around the security policies of their organization to do their job.
https://www.infosecurity-magazine.com/news/remote-workers-training/
Threats
Ransomware
Delaware County Pays $500,000 Ransom After Outages
A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.
Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.
“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.
https://www.infosecurity-magazine.com/news/delaware-county-pays-500k-ransom/
MasterChef Producer Hit by Double Extortion Ransomware
A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.
The firm owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.
In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.
Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.
https://www.infosecurity-magazine.com/news/masterchef-producer-double/
Sopra Steria to take multi-million euro hit on ransomware attack
The company revealed in October that it had been hit by hackers using a new version of Ryuk ransomware.
It now says that the fallout, with various systems out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.
The group's insurance coverage for cyber risks is EUR30 million, meaning that negative organic revenue growth for the year is now expected to be between 4.5% and five per cent (previously between two per cent and four per cent). Free cash flow is now expected to be between €50 million and €100 million (previously between €80 million and €120 million).
BEC
FBI: BEC Scams Are Using Email Auto-Forwarding
The agency notes in an alert made public this week that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.
This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes.
https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498
Phishing
Phishing lures employees with fake 'back to work' internal memos
Scammers are trying to steal email credentials from employees by impersonating their organization's human resources (HR) department in phishing emails camouflaged as internal 'back to work' company memos.
These phishing messages have managed to land in thousands of targeted individuals' mailboxes after bypassing G Suite email defences according to stats provided by researchers at email security company Abnormal Security who spotted this phishing campaign.
There is a high probability that some of the targets will fall for the scammers' tricks given that during this year's COVID-19 pandemic most companies have regularly emailed their employees with updates regarding remote working policy changes.
Warning: Massive Zoom phishing targets Thanksgiving meetings
Everyone should be on the lookout for a massive ongoing phishing attack today, pretending to be an invite for a Zoom meeting. Hosted on numerous landing pages, BleepingComputer has learned that thousands of users' credentials have already been stolen by the attack.
With many in the USA hosting virtual Thanksgiving dinners and people in other countries conducting Zoom business meetings, as usual, today is a prime opportunity to perform a phishing attack using Zoom invite lures.
Malware
All-new Windows 10 malware is excellent at evading detection
Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.
While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers.
https://www.techradar.com/news/all-new-windows-10-malware-is-excellent-at-evading-detection
New TrickBot version can tamper with UEFI/BIOS firmware
The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer's BIOS or UEFI firmware.
The new capability was spotted inside part of a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence and Eclypsium said in a joint report published today.
The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.
https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/
Russia-linked APT Turla used a new malware toolset named Crutch
Russian-linked APT group Turla has used a previously undocumented malware toolset, named Crutch, in cyberespionage campaigns aimed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
https://securityaffairs.co/wordpress/111813/apt/turla-crutch-malware-platform.html
MacBooks under attack by dangerous malware: What to do
a recent spate of malware attacks targeting macOS of late that installs backdoors to steal sensitive personal information. The security firm discovered that a new malware variant is being used online and backed by a rogue nation-state hacking group known as OceanLotus, which also operates under the name AKTP2 and is based in Vietnam.
The new malware was created by OceanLotus due to the “similarities in dynamic behavior and code” from previous malware connected to the Vietnamese-based hacking group.
https://www.laptopmag.com/news/macbooks-under-attack-by-dangerous-malware-what-to-do
Hackers Using Monero Mining Malware as Decoy, Warns Microsoft
The company’s intelligence team said a group called BISMUTH hit government targets in France and Vietnam with relatively conspicuous monero mining trojans this summer. Mining the crypto generated side cash for the group, but it also distracted victims from BISMUTH’s true campaign: credential theft.
Crypto-jacking “allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” Microsoft concluded. It said the conspicuousness of monero mining fits BISMUTH’s “hide in plain sight” MO.
Microsoft recommended organizations stay vigilant against crypto-jacking as a possible decoy tactic.
https://www.coindesk.com/hackers-using-monero-mining-malware-as-decoy-warns-microsoft
Vulnerabilities
Zerologon is now detected by Microsoft Defender for Identity
There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.
Privacy
'We've heard the feedback...' Microsoft 365 axes per-user productivity monitoring after privacy backlash
If you heard a strange noise coming from Redmond today, it was the sound of some rapid back-pedalling regarding the Productivity Score feature in its Microsoft 365 cloud platform.
Following outcry from subscribers and privacy campaigners, the Windows giant has now vowed to wind back the functionality so that it no longer produces scores for individual users, and instead just summarizes the output of a whole organization. It was feared the dashboard could have been used by bad bosses to measure the productivity of specific employees using daft metrics like the volume of emails or chat messages sent through Microsoft 365.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 27 November 2020
Black Arrow Cyber Threat Briefing 27 November 2020: Hundreds of C-level executives’ credentials available for $100 to $1500; Bluetooth Attack Can Steal a Tesla Model X in Minutes; Three members of TMT cybercrime group arrested in Nigeria; Cyber criminals make £2.5m raid on law firms in lockdown; Hackers post athletes’ naked photos online
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Hundreds of C-level executives’ credentials available for $100 to $1500 per account
A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.
The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.
The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.
The threat actor claims its database includes login credentials of high-level executives such as:
CEO, CTO, COO, CFO, CMO. President, Vice President, Executive Assistant, Finance Manager, Accountant, Director, Finance Director, Financial Controller and Accounts Payables
https://securityaffairs.co/wordpress/111588/cyber-crime/executives-credentials-dark-web.html
This Bluetooth Attack Can Steal a Tesla Model X in Minutes
Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update:
A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.
https://www.wired.com/story/tesla-model-x-hack-bluetooth/
Three members of TMT cybercrime group arrested in Nigeria
Three Nigerians suspected of being part of a cybercrime group that has made tens of thousands of victims around the world have been arrested today in Lagos, Nigeria, Interpol reported.
In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group they have been tracking since 2019 and which they have been tracking under the codename of TMT.
Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware.
https://www.zdnet.com/article/three-members-of-tmt-cybercrime-group-arrested-in-nigeria/
Cyber criminals make £2.5m raid on law firms in lockdown
The large number of lawyers working from home has become a magnet for cyber criminals, the Solicitors Regulation Authority has said, revealing a 300% increase in phishing scams in the first two months of lockdown alone.
In the first half of 2020, firms reported that nearly £2.5m held by them had been stolen by cybercriminals, more than three times the amount reported in the same period in 2019.
Law firm staff working remotely on less secure devices than the office network and those without dedicated office space finding it hard to keep information confidential. Those using video meetings also need to make sure that unauthorised parties cannot overhear or see a confidential meeting.
Hackers post athletes’ naked photos online
Four British athletes are among hundreds of female sports stars and celebrities whose intimate photographs and videos have been posted online in a targeted cyberattack.
The hack, which the athletes became aware of this week, has caused panic and one leading sports agency has advised its clients to take extra measures to protect their private data.
The athletes, who had photographs and videos stolen from their phones, were considering steps last night to have the material removed from the dark net.
https://www.thetimes.co.uk/article/hackers-post-athletes-naked-photos-online-86sq27hgl
Threats
Ransomware
Manchester United hackers 'demanding million-pound ransom'
Manchester United are still suffering the effects of a significant cyberattack that targeted the club earlier this week.
Following last weekend's 'sophisticated' attack, the club has revealed it is still suffering severe disruption to its internal systems, several of which had to be shut down following the incident.
Reports have also claimed that the hackers are demanding "millions of pounds" before they let the club regain full control.
https://www.techradar.com/sg/news/manchester-united-hackers-demanding-million-pound-ransom
Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes
The South American retail giant Cencosud was hit with ransomware last week? The retailer was infected by an Egregor ransomware attack which, in time honoured fashion, stole sensitive files that it found on the compromised network, and encrypted data on Cencosud’s drives to lock workers out of the company’s data.
A text file was left on infected Windows computers, telling the store that private data would be shared with the media if it was not prepared to begin negotiating with the hackers within three days.
That’s nothing unusual, but Egregor’s novel twist is that it can also tell businesses that their computer systems are well and truly breached by sending its ransom note to attached printers.
Sopra Steria: Adding up outages and ransomware clean-up, Ryuk attack will cost us up to €50m
Sopra Steria has said a previously announced Ryuk ransomware infection will not only cost it "between €40m and €50m" but will also deepen expected financial losses by several percentage points.
The admission comes weeks after the French-headquartered IT outsourcing firm's Active Directory infrastructure was compromised by malicious people who deployed the Ryuk ransomware, using what the company called "a previously unknown strain."
https://www.theregister.com/2020/11/25/sopra_steria_ransomware_damage_50m_euros/
Phishing
GoDaddy scam shows how voice phishing can be more deceptive than email schemes
Companies can protect employees from phishing schemes through a combination of training, secure email gateways and filtering technologies. But what protects workers from phone-based voice phishing (vishing) scams, like the kind that recently targeted GoDaddy and a group of cryptocurrency platforms that use the Internet domain registrar service?
Experts indicate that there are few easy answers, but organizations intent on putting a stop to such activity may have to push for more secure forms of verification, escalation procedures for sensitive requests, and better security awareness of account support staffers and other lower-level employees.
Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns
A spike in recent phishing and business email compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.
Social distancing has driven entire businesses into the arms of the Google ecosystem looking for a reliable, simple way to digitize the traditional office. A report detailing how now-ubiquitous services like Google Forms, Google Docs and others are being used by malicious actors to give their spoofing attempts a false veneer of legitimacy, both to security filters and victims.
Malware
Malware creates scam online stores on top of hacked WordPress sites
A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores with the purpose of hijacking the original site's search engine ranking and reputation and promote online scams.
The attacks were discovered earlier this month targeting a WordPress honeypot which was set up and managed.
The attackers leveraged brute-force attacks to gain access to the site's admin account, after which they overwrote the WordPress site's main index file and appended malicious code.
https://www.zdnet.com/article/malware-creates-online-stores-on-top-of-hacked-wordpress-sites/
Enter WAPDropper – An Android Malware Subscribing Victims to Premium Services by Telecom Companies
WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialler which subscribes its victims to premium services without their knowledge or consent.
The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialler module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.
https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/
LightBot: TrickBot’s new reconnaissance malware for high-value targets
The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets.
Over the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's BazarLoader malware switch to installing a new malicious PowerShell script.
IoT
The smart video doorbells letting hackers into your home
Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.
With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.
https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/
Password Attacks
Up to 350,000 Spotify accounts hacked in credential stuffing attacks
An unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.
The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data as Spotify confirmed that the information had been used to defraud both the company and its users.
Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.
Over the weekend a hacker had posted a list of one-line exploits to steal VPN credentials from these devices.
Present on the list of vulnerable targets are IPs belonging to high street banks, telecoms, and government organizations from around the world.
Vulnerabilities
UK urges orgs to patch critical MobileIron RCE bug
The UK National Cyber Security Centre (NCSC) issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.
An MDM is a software platform that allows administrators to remotely manage mobile devices in their organization, including the pushing out of apps, updates, and the ability to change settings. This management is all done from a central location, such as an admin console running on the organization's server, making it a prime target for attackers.
Critical Unpatched VMware Flaw Affects Multiple Corporates Products
VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the virtualization software and services firm noted in its advisory.
Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
https://thehackernews.com/2020/11/critical-unpatched-vmware-flaw-affects.html
GitHub fixes 'high severity' security flaw spotted by Google
GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.
The bug affected GitHub's Actions feature – a developer workflow automation tool was "highly vulnerable to injection attacks".
GitHub's Actions support a feature called workflow commands as a communication channel between the Action runner and the executed action.
https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spotted-by-google/
Google Chrome users still vulnerable to multiple zero-day attacks
As business users and consumers have moved most of their workloads to the cloud, more and more of their work is being done in web browsers such as Google Chrome as opposed to in applications installed locally on their systems.
This means that the web browser is now an essential yet vulnerable entry point that if compromised, could give cybercriminals access to a user's entire digital life including their email, online banking, social networks and more. However, despite this risk, users are failing to update to the latest version of Google Chrome.
https://www.techradar.com/news/google-chrome-users-still-vulnerable-to-multiple-zero-day-attacks
Microsoft releases patching guidance for Kerberos security bug
Released details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Centre) patched during this month's Patch Tuesday.
The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).
Kerberos is the default authentication protocol for domain connected devices running Windows 2000 or later. Kerberos KDC is a feature that manages service tickets used for encrypting messages between network servers and clients.
Data Breaches
Sophos notifies customers of data exposure after database misconfiguration
UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.
Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).
Privacy
Microsoft productivity score feature criticised as workplace surveillance
Microsoft has been criticised for enabling “workplace surveillance” after privacy campaigners warned that the company’s “productivity score” feature allows managers to use Microsoft 365 to track their employees’ activity at an individual level.
The tools, first released in 2019, are designed to “provide you visibility into how your organisation works”, according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity.
Other News
Robot vacuum cleaners can eavesdrop on your conversations, researchers reveal - Bitdefender
You can protect the company from hackers, but can you protect the company from the CEO?
Botnets have been silently mass-scanning the internet for unsecured ENV files | ZDNet
Windows 10 KB4586819 update fixes gaming and USB 3.0 issues (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 13 November 2020
Black Arrow Cyber Threat Briefing 13 November 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Five Emerging Cyber-Threats to Watch Out for in 2021
What was the driving force behind your company’s digital strategy in 2020? Was it your CEO? Probably not. Your CTO or CISO? Perhaps.
For most organisations, it was COVID-19. In 2019, one company after another said: “work-from-home isn’t an option for us” or “we aren’t interested in shifting operations to the cloud.”
Then everything changed. The pandemic drove a massive shift towards remote work. For many companies, this wasn’t even an option — it was a case of ‘do or die.’
By April 2020, almost half of the American workforce was working from home. As organisations and employees become more comfortable with this, we shouldn’t expect a full return to the traditional in-office model anytime soon, if ever. Work-from-anywhere is the new way of doing business, with employees accessing cloud services, collaborative tools and remote systems from home and public networks – and not always through the safety of a VPN.
https://www.infosecurity-magazine.com/blogs/five-cyber-threats-2021/
Guernsey law firm fined £10,000 for data security breach
Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found.
It said a lack of security had given "unconnected" third parties access to the data.
The breach of data by Trinity was the result of "repeated human error", an investigation found.
https://www.bbc.co.uk/news/world-europe-guernsey-54854333
Every employee has a cyber security blind spot
80% of companies say that an increased cyber security risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.
This is a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:
· Cyber crime has increased by 63% since the COVID-19 lockdown was introduced
· Human error has been the biggest cyber security challenge during the COVID-19 pandemic, according to CISOs
· Just a quarter of businesses consider their remote working strategy effective
· 47% of people are concerned about their ability to manage stress during the coronavirus crisis
https://www.helpnetsecurity.com/2020/11/09/cybersecurity-blind-spot/
Zoom settles FTC charges for misleading users about security features
Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that its misled users about some of its security features.
During the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.
However, in a complaint filed earlier this year, the investigators found that Zoom's claims were deceptive.
Despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the classic meaning of the word.
https://www.zdnet.com/article/zoom-settles-ftc-charges-for-misleading-users-about-security-features/
Threats
Ransomware
How Ryuk Ransomware operators made $34 million from one victim
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.
Ransomware hits e-commerce platform X-Cart
E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform.
The incident is believed to have taken place after attackers exploited a vulnerability in a third-party software to gain access to X-Cart's store hosting systems.
https://www.zdnet.com/article/ransomware-hits-e-commerce-platform-x-cart
Linux version of RansomEXX ransomware discovered
A Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.
RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.
https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/
Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital
Compal, the world’s second-largest white-label laptop manufacturer, has been hit by the file-scrambling DoppelPaymer ransomware gang – and the hackers want $17m in cryptocurrency before they'll hand over the decryption key.
The Taiwanese factory giant, which builds systems for Apple, Lenovo, Dell, and HP, finally admitted malware infected its computers and encrypted its documents after first insisting it had suffered no more than an IT "abnormality" and that its staff had beaten off a cyber-attack.
https://www.theregister.com/2020/11/09/compal_ransomware_report/
Capcom hit by ransomware attack, is reportedly being extorted for $11 million
Earlier this week it emerged that third-party giant Capcom's internal systems had been hacked, though the company claimed that no customer data was affected.
It has now emerged that the publisher was targeted by the Ragnar Locker ransomware, software designed to exfiltrate information from internal networks before encrypting the lot: at which point the victim is locked-out, contacted, and extorted.
Business Email Compromise (BEC)
Jersey business targeted in £130,000 invoice scam
A Jersey building company has been targeted by a sophisticated impersonation scam, which saw fraudsters intercept more than £130,000 in invoice payments.
The owners, who wish to remain anonymous, said they were "left reeling" after realising their email correspondence with a customer had been hacked, and payments diverted to a scam bank account.
After taking swift action, they were able to recover all their money, but they now want to make sure other islanders do not fall victim. They are encouraging businesses in particular to be "extra vigilant".
https://www.itv.com/news/channel/2020-11-13/jersey-business-targeted-in-130000-invoice-scam
Phishing
Smishing attack tells you “mobile payment problem” – don’t fall for it!
As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.
Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.
But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.
That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.
Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.
Malware
Play Store identified as main distribution vector for most Android malware
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.
Using telemetry data, researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.
This new malware wants to add your Linux servers and IoT devices to its botnet
A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.
The malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.
New 'Ghimob' malware can spy on 153 Android mobile applications
Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.
Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published.
Distribution was never carried out via the official Play Store.
Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.
https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/
Microsoft Teams Users Under Attack in ‘Fake Updates’ Malware Campaign
Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.
The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.
Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.
https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/
DDoS
DDoS attacks are cheaper and easier to carry out than ever before
DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.
Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.
The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.
https://www.zdnet.com/article/ddos-attacks-are-cheaper-and-easier-to-carry-out-than-ever-before/
IoT
IoT security is a mess. These guidelines could help fix that
The supply chain around the Internet of Things (IoT) has become the weak link in cyber security, potentially leaving organisations open to cyber attacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.
The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.
https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/
Vulnerabilities
Windows 10 update created a major password problem
A temporary fix for a frustrating Windows 10 bug that prevents software from storing account credentials, meaning the user must re-enter their username and password each time they log-in.
The flaw is also said to delete cookies held in web browsers, preventing websites from memorising credentials and serving bespoke content to the user.
First reported in April, the issue is present in specific builds of Windows 10 version 2004 and affects applications such as Outlook, Chrome, Edge, OneDrive and more.
https://www.techradar.com/news/windows-10-update-made-a-right-mess-of-this-basic-password-feature
Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs
A massive Intel security update this month addresses flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cyber criminals in order to gain escalated privileges.
These critical flaws exist in products related to Wireless Bluetooth – including various Intel Wi-Fi modules and wireless network adapters – as well as in its remote out-of-band management tool, Active Management Technology (AMT).
Overall, Intel released 40 security advisories on Tuesday, each addressing critical-, high- and medium-severity vulnerabilities across various products. That by far trumps October’s Intel security update, which resolved one high-severity flaw.
https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/
Hackers are exploiting unpatched VoIP flaws to compromise business accounts
A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.
While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a steppingstone towards much more intrusive campaigns.
One hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign
Google patches two more Chrome zero-days
Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.
https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/
Data Breaches
Ticketmaster fined £1.25m over payment data breach
Ticketmaster UK has been fined £1.25m for failing to keep its customers' personal data secure.
The fine was issued by the Information Commissioner's Office (ICO) following a cyber-attack on the Ticketmaster website in 2018.
The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe.
https://www.bbc.co.uk/news/technology-54931873
Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak
A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud and vacation-stealing.
A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.
Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.
https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/
DWP exposed 6,000 people’s data online for two years
The Department for Work and Pensions (DWP) has removed the personal details of thousands of people after they were exposed online for two years.
The files, published in March and June 2018, listed routine payments to the outsourcing giant Capita and included the National Insurance (NI) numbers of approximately 6,000 people, according to the Mirror. These individuals were believed to be applying for the disability benefit, PIP. No other personal data was exposed in the incident.
https://www.itpro.co.uk/security/data-breaches/357724/dwp-data-breach-exposed-6000-ni-numbers
Data breach at Mashable leaks users’ personal information online
Technology and culture news website Mashable have announced that the personal data of users has been discovered in a leaked database posted on the internet.
In a statement issued this week, Mashable confirmed that a database containing information from readers who made use of the platform’s social media sign-in feature had been found online.
The media company said that “a hacker known for targeting websites and apps” was responsible for the breach. The suspect has not been named.
Leaked data is said to include the full names, locations, email addresses, genders, IP addresses, and links to social media profiles of users.
Other News
Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chief
https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/
Microsoft says three APTs have targeted seven COVID-19 vaccine makers
https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/
New stealthy hacker-for-hire group mimics state-backed attackers
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Threat Briefing 16 October 2020: ransomware tidal wave; notable ransomware victims from the last week; BEC Attacks: Nigeria no longer epicentre, losses top $26B; Trickbot back; MS fix 87 vulns
Cyber Threat Briefing 16 October 2020: ransomware tidal wave of attacks; Notable ransomware victims of the last week; BEC Attacks: Nigeria No Longer the Epicentre as Losses top $26B; Trickbot back after disruption attempts; Microsoft October 2020 Patch Tuesday fixes 87 vulnerabilities; Malware gangs love open source offensive hacking tools
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Threats
Ransomware
Ransomware is growing and growing and getting worse all the time, with the G7 this week warning of ‘a tidal wave of ransomware attacks’ [source]. It is fast approaching becoming such a problem that it may soon reach epidemic status with few organisations left unaffected as firm after firm falls victim.
The ransomware gangs have turned crime into a multi-million pound business empire, it is estimated that $7.5 billion was extorted from victims last year in the United States alone [source], putting any legitimate industry or business sector to shame in term of meteoric growth. This is not small scale actors working out of their bedrooms, they have customer support centres and 24/7 helplines, they have plush offices and flash cars, paid for by the victims of their crimes, paid for by firms like yours paying ransoms.
And here's how attackers are getting in: in nearly half (47%) of ransomware cases gangs used the open remote desktop protocol, a tool that has been used by many companies to help staff work from home, but which can also give attackers a way in if it is not correctly secured.
More than a quarter (26%) of cases were traced back to a phishing email, and a smaller number used specific vulnerability exploits (17%), including Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510. This was followed by account takeovers, at 10%. [source]
Criminal gangs have earned so much money and power they are now outsourcing much of the labour, allowing them to live of their spoils while their empires continue to grow, while they do next to nothing, with more and more joining their ranks [source]
As long as even a small number of victims pay the ransom this remains highly lucrative for attackers.
The ransom for Software AG is $23m, but they will demand much smaller sums from much smaller firms – so how are they doing this? Are larger firms being specifically targeted with tailored phishing campaigns, where they hope they will get lucky in getting an employee to fall for the bait, where lower value targets are being hit with machine/algorithmic generated phishing attacks, with lower levels of sophistication and more of a ‘spray and pray’ approach, hoping casting a wide enough net will still result in larger numbers of lower value victims.
We keep trying to warn firms how bad this is getting, and we don’t do this to drum up business, we do this because we are hugely concerned about the direction this is going and how damaging this can be for any firm.
Many firms are reluctant to take cyber security seriously, believing it won’t happen to them, but it is happening to firm after firm after firm who believed it wouldn’t happen to them. It’s too late to start thinking about what you should have done after you’ve become a victim, it’s far better, and far cheaper, to take steps to avoid being a victim in the first place than trying to recover or pay the ransom.
Of the increasing number of firms that do go hit, many don’t survive, and those that do often find things are never the same again, with impacts on confidence levels in your staff and in your IT and information security departments [source]
Ransomware is not only affecting desktops, laptops and servers, but also now increasingly Android and other mobile platforms [source]
Protecting against ransomware is not a luxury or something that can kicked down the road to look at another day, firms need to ensure they are protecting themselves against this threat now – before they become a victim.
Notable ransomware victims of the last week
There have been a number of high profile victims of ransomware in the last week, notably Software AG, a German conglomerate with operations in more than 70 countries, which was attacked by the Clop group who are threatening to dump stolen data if the $23 million ransom is not paid.
Carnival Cruises were hit with ransomware affecting data and personal information for guests, employees and crew for Carnival Cruises, Holland America and Seabourn as well as casino operations.
Early indications point to the disruption being experiences by Hackney Council with their systems stemming from a ransomware attack, although this has not been confirmed.
BEC
BEC Attacks: Nigeria No Longer the Epicentre as Losses top $26B
Business Email Compromise (BEC) Fraudsters now have bases of operation across at least 39 countries and are responsible for $26 billion in losses annually, and growing.
A study of more than 9,000 instances of BEC attacks all over the world shows that the number has skyrocketed over the past year, and that the social-engineering scam has expanded well beyond its historic roots in Nigeria.
Why this matters:
A recent report entitled The Global Reach of Business Email Compromise, found that these attacks cost businesses a staggering $26 billion every year. And that trend appears to be accelerating. In fact, researchers found BEC attacks currently make up a full 40 percent of cyber crime losses globally, impacting at least 177 countries.
For context, the Anti-Phishing Working Group recently find that the average wire transfer in a BEC scan is around $80,000.
In a BEC attack, a scammer impersonates a company executive or other trusted party and tries to trick an employee responsible for payments or other financial transactions into writing money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organisations vendors, billing system practices and other information to help mount a convincing attack.
Read more: https://threatpost.com/bec-attacks-nigeria-losses-snowball/160118/
Trickbot back after disruption attempts
The Trickbot botnet looks to be working once again, despite separate efforts in the past few weeks aimed at disrupting its operation.
Earlier this month the Emotet spam botnet – which is often the precursor to TrickBot being loaded onto a system – began receiving spam templates intended for mass distribution. These spam templates contained Microsoft Word document attachments with malicious macros that fetch and load a copy of Emotet onto the victim machine. The Emotet bot reached out to its controllers and received commands to download and execute Trickbot on victim machines.
The Trickbot group tag that researchers identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more.
Additionally, Intel 471 researchers saw an update to the Trickbot plugin server configuration file. Fifteen server addresses were added, and two old servers were retained in the configuration, along with the server’s ‘.onion’ address. This was likely done as a fix that would help operators maintain that their infrastructure remains operational. [link]
Why this matters:
The fix is another round in the back-and-forth between Trickbot’s operators and the separate public and private sector parties that have attempted to disrupt the botnet’s actions. This includes actions by the US Cyber Command and Microsoft, who issued a public statement that it had taken legal action to “combat ransomware ahead of U.S. elections.” The legal action involved Microsoft attempting to disrupt a number of Trickbot command and control server IP addresses in the United States.
The fact that Trickbot has resumed normal operations despite the best efforts of the likes of the US Cyber Command and Microsoft shows how resilient of an operation Trickbot is, and how much more effort is needed to fully take the botnet offline for good. The botnet’s operators have all the IT support of legitimate enterprises – continuity planning, backups, automated deployment, and a dedicated workforce – that allow them to quickly react to disruptive measures.
Read more: https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/
Vulnerabilities
Microsoft October 2020 Patch Tuesday fixes 87 vulnerabilities
Microsoft this week released its monthly batch of security updates known as Patch Tuesday, and this month the OS maker has patched 87 vulnerabilities across a wide range Microsoft products.
By far, the most dangerous bug patched this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this bug can allow attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.
Another bug to keep an eye on is CVE-2020-16947, a remote code execution issue in Outlook. Microsoft says this bug can be exploited by tricking a user to open a specially crafted file with an affected version of Microsoft Outlook software. [source1] [source2]
Why this matters:
The bug was discovered internally by Microsoft engineers, and OS versions vulnerable to CVE-2020-16898 include Windows 10 and Windows Server 2019.
With a severity score of 9.8 out of a maximum 10, Microsoft considers the bug dangerous and likely to be weaponised, and rightfully so.
Patching the bug is recommended, but workarounds such as disabling ICMPv6 RDNSS support also exist, which would allow system administrators to deploy temporary mitigations until they quality-test this month’s security updates for any OS-crashing bugs.
Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
A critical security bug in the SonicWall VPN Portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said.
The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall Network Security Applicance (NSA). According to researchers who discovered it, the flaw exists within HTTP/HTTPS service used for product management and SSL VPN remote access. [source]
Why this matters:
An unskilled attacker could trigger a persistent denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler.
Adding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet.
‘More Than A Billion’ Phone Wide Open To ‘Backdoor’ Remote Code Execution in Adtech Company’s Code
Malicious code impacting more than a billion smartphone owners is currently in the wild and enabling remote code execution. [source]
Why this matters:
Remote code execution is a very serious security violation, and basically enables the owner of that code do almost anything they want on your phone.
Miscellaneous Cyber News of the Weeks
Malware gangs love open source offensive hacking tools
In the cyber security field, the term OST (Open Source Tools) refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license.
OST projects are usually released to provide a proof-of-concept exploit for a new vulnerability, to demonstrate a new (or old) hacking technique, or as penetration testing utilities shared with the community.
These discussions have been taking place for more than a decade. However, they have always been based on personal experiences and convictions, and never on actual raw data.
That changed this week when a security researcher compiled data on 129 open source offensive hacking tools and searched through malware samples and cyber-security reports to discover how widespread was the adoption of OST projects among hacking groups — such as low-level malware gangs, elite financial crime groups, and even nation-state sponsored APTs. [source]
The results were compiled in an interactive map – available here
Why this matters:
Today, OST is one of the most (if not the most) controversial topics in the information security community.
On one side, you have the people who are in favour of releasing such tools, arguing that they can help defenders learn and prepare systems and networks for future attacks.
On the opposing side, you have the ones who say that OST projects help attackers reduce the costs of developing their own tools and hiding activities into a cloud of tests and legitimate pen-tests.
Fitbit Spyware Steals Personal Data via Watch Face
A researcher has found they can take advantage of lax Fitbit privacy controls to build a malicious spyware watch face.
A wide-open app-building API (Application Programming Interface) could allow an attacker to build a malicious application that could access Fitbit user data, and send it to any server.
A proof-of-concept was created to do just that, after realizing that Fitbit devices are loaded with sensitive personal data. [source]
Why this matters:
Essentially, the API could send device type, location and user information including gender, age, height, heart rate and weight and it could also access calendar information. While this doesn’t include PII profile data, the calendar invites could expose additional information such as names and locations.
The researcher was able to make the app available through the Fitbit Gallery (where Fitbit showcases various third-party and in-house apps). Thus, the spyware appears legitimate, and increase the likelihood it would be downloaded.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.