Category Archives: Nation State

Enterprise security in the age of nation-state cybersecurity threats


The modern digital battlefield has proven time and again that cyberattacks, just like tanks and guns, are among the biggest weapons a country possesses to wage war. All over the world, nation-states are surreptitiously or, in some cases, openly waging cyber warfare against each other. Enterprises from so-called antagonist countries are looked upon with suspicion: consider how Huawei, one of China’s biggest telecommunications firms, had to exit the American market in 2019 after suspicions that its technology might contain backdoors enabling surveillance by the Chinese government.

Taking cognizance of the huge danger that cyber threats pose to nations, the Trump Administration released the National Cyber Strategy of the United States of America in 2018, a comprehensive document outlining the country’s strategy against cyberthreats. The introduction to the document outlines the reality of the cyber threats the world faces: the US government blames Russia, Iran and North Korea for conducting ‘reckless cyberattacks that harmed American and international business of its allies and partners’ while also accusing China of engaging in ‘cyber-enabled economic espionage’.

No government or nation-state has a permanent solution to the threat of cyber warfare. There are discussions and deliberations on creating international agreements but they still remain in the planning stage. In the meantime, nations continue to fight an almost daily supply of threats from enemy states.

What role can enterprises play in negating this problem?

Recognize the scale of nation-state attacks

Nation-state cybersecurity threats operate on a larger scale than isolated, individual attacks. They are sophisticated and targeted, and the attackers behind them enjoy the full machinery of their state. The first step in addressing the threat they pose to an enterprise is to recognize and understand their scale and the large repercussions they can cause.

Assess the risk

Some enterprises may be more at risk from these kinds of attacks than others, so each enterprise should carry out a self-assessment to determine where it stands. Nation-state cybersecurity threats attack targets where the damage would be widespread and could cripple a country’s systems; hence, enterprises engaged in wide-scale manufacturing or supplying essential services may find themselves more at risk.

Do the basics well

Even if your enterprise seems more at risk from nation-state cyber threats, there is no need to panic. Dealing with nation-state cybersecurity threats depends on focusing on the basics of cybersecurity. The proper functioning of threat defence solutions, be they internal policies or external vendors, is a must. This involves executing actions such as patch and vulnerability management, privilege management, identity management and endpoint detection and response (EDR), among many others.

Constant vigilance

The most important criterion for enterprises addressing nation-state cybersecurity threats is developing and maintaining a culture of constant vigilance. Security administrators need a clear baseline of authorized activity so that unauthorized activity stands out and raises immediate red flags. The security solutions employed must provide detailed insights into traffic patterns, data usage and uptime and downtime statistics so that any anomalies can be detected quickly.

Seqrite’s solutions provide state-of-the-art security and peace of mind to enterprises through a range of powerful security solutions committed to keeping enterprises safe from nation-state cyberthreats and others.

The post Enterprise security in the age of nation-state cybersecurity threats appeared first on Seqrite Blog.

Cyber Security Roundup for November 2019

In recent years politically motivated cyber-attacks during elections have become an expected norm, so it was no real surprise when the Labour Party reported it was hit with two DDoS cyber-attacks in the run-up to the UK general election, which was well publicised by the media. However, what wasn't well publicised was that both the Conservative Party and the Liberal Democrats were also hit with cyber attacks. These weren't nation-state orchestrated cyberattacks either: the black hat hacking group Lizard Squad, well known for its high-profile DDoS attacks, is believed to be the culprit.

The launch of Disney Plus didn’t go exactly to plan: within hours of the streaming service going live, compromised Disney Plus account credentials were being sold on the black market for as little as £2.30 a pop. Disney suggested hackers had obtained customer credentials from previously leaked identical credentials, as used by their customers on other compromised or insecure websites, and from keylogging malware. It's worth noting Disney Plus doesn’t use Multi-Factor Authentication (MFA); implementing MFA to protect their customers' accounts would have prevented the vast majority of Disney Plus account compromises in my view.

Trend Micro reported an insider stole around 100,000 customer account details, with the data used by cyber con artists to make convincing scam phone calls impersonating the company to a number of its customers. In a statement, Trend Micro said it determined the attack was an inside job: an employee used fraudulent methods to access its customer support databases, retrieved the data and then sold it on. “Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said. The employee behind it was identified and fired, and Trend Micro said it is working with law enforcement in an ongoing investigation.

Security researchers found 4 billion records from 1.2 billion people on an unsecured Elasticsearch server. The personal information includes names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

T-Mobile reported a data breach affecting some of their prepaid account customers. A T-Mobile spokesman said “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities”.

A French hospital was hit hard by a ransomware attack which caused "very long delays in care". According to a spokesman, medical staff at Rouen University Hospital Centre (CHU) abandoned PCs as ransomware had made them unusable; instead, staff returned to the "old-fashioned method of paper and pencil". No details about the strain of the ransomware have been released.

Microsoft released patches for 74 vulnerabilities in November, including 13 rated as critical. One of these was for a vulnerability in Internet Explorer (CVE-2019-1429), an ActiveX vulnerability known to be actively exploited by visiting malicious websites.

It was a busy month for blog articles and threat intelligence news, all are linked below.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
HUAWEI NEWS AND THREAT INTELLIGENCE

Caught in the Crossfire of Cyberwarfare

Authored by Dr Sandra Bell, Head of Resilience Consulting EMEA, Sungard Availability Services 

The 2019 National Cyber Security Centre’s (NCSC) Annual Review does not shy away from naming the four key protagonists when it comes to state-based cyber threats against our country. The review cites China, Russia, North Korea and Iran as being actively engaged in cyber operations against our Critical National Infrastructure and other sectors of society. That being said, the main cyber threat to businesses and individual citizens remains organised crime. But with the capability of organised crime matching some state-based activity, and with state-based techniques being shared with (if not directly supplied to) cyber criminals, how are we expected to defend ourselves against such sophisticated means of cyberattack?

The answer offered by Ciaran Martin, CEO of the NCSC, in his Foreword to the 2019 Review only scratches the surface of the cultural change we need to embrace if we are to become truly cyber resilient to these modern-day threats.

“Looking ahead, there is also the risk that advanced cyberattack techniques could find their way into the hands of new actors, through the proliferation of such tools on the open market. Additionally, we must always be mindful of the risk of accidental impact from other attacks. Cyber security has moved away from the exclusive preserve of security and intelligence agencies towards one that needs the involvement of all of government, and indeed all of society.”

There are a few key points to draw out from this statement. Firstly, there is an acceptance that all of us may be collateral damage in a broader state-on-state cyberattack. Secondly, we should also accept that we may be the victims of very sophisticated cyberattacks that have their roots in state-sponsored development. And finally, we must all accept that cyber security is a collective responsibility and, where businesses are concerned, this responsibility must be accepted and owned at the very top.

Modern life is now dependent on cyber security but we are yet to truly embrace the concept of a cyber secure culture. When we perceived terrorism as the major threat to our security, society quickly adopted a ‘reporting culture’ of anything suspicious, but have we seen the same mindset shift with regards to cyber threats? The man in the street may not be the intended target of a state-based or organised crime cyberattack but we can all easily become a victim, either accidentally as collateral damage or intentionally as low-hanging fruit. Either way we can all, individual citizens and businesses alike, fall victim to the new battleground of cyberwarfare.

What can business do in the face of such threats?
One could argue that becoming a victim of cybercrime is a matter of when, not if. This can in turn bring about a sense of inevitability. But what is clear when you see the magnitude of recent Information Commissioner’s Office (ICO) fines is that businesses cannot ignore cyber security issues. A business that embraces the idea of a cybersecurity culture within its organisation will not only be less likely to be hit with a fine from the ICO should things go horribly wrong, but will also be less likely to fall victim in the first place. Cyber security is about doing the basics well, preparing your organisation to protect itself, and responding correctly when an incident occurs.

Protecting against a new kind of warfare
Organisations need to prepare to potentially become the unintended targets of broad-brush cyberattacks, protecting themselves against the impact these could have on their operations and customer services. With each attack growing in complexity, businesses must in turn respond in a swift and sophisticated manner. Defence mechanisms need to be as scalable as the nefarious incidents they may be up against. To give themselves the best chance of ensuring that an attack doesn’t debilitate them and the country in which they operate, there are a few key things that businesses can do:

1) Act swiftly
A cyberattack requires an immediate response from every part of a business. Therefore, when faced with a potential breach, every individual must know how to react precisely and quickly. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to Disaster Recovery arrangements if they believe there has been data corruption. Business units need to invoke their Business Continuity Plans and the executive Crisis Management Team needs to assemble. This team needs to be rehearsed in cyber-related crisis events and not just the more traditional Business Continuity type of crisis.

Both the speed and effectiveness of a response will be greatly improved if businesses have at their fingertips the results of a Data Protection Impact Assessment (DPIA) that details all the personal data collected, processed and stored, categorised by level of sensitivity. If companies are scrambling around, unsure of who should be taking charge and what exactly should be done, then the damage caused by the data encryption will only be intensified.

2) Isolate the threat
Value flows from business to business through networks and supply chains, but so do malware infections. Having adequate back-up resources not only brings back business availability in the wake of an attack, but it also serves to act as a barrier to further disruption in the network. The key element that cybercriminals and hacking groups have worked to iterate on is their delivery vector.

Phishing attempts are more effective if they’re designed using the techniques employed in social engineering. A study conducted by IBM found that human error accounts for more than 95 per cent of security incidents. The majority of the most devastating attacks from recent years have been of the network-based variety, i.e. worms and bots.

Right now, we live in a highly connected world with hyper-extended networks comprised of a multitude of mobile devices and remote workers logging in from international locations. Having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders based in different locations don’t get forgotten in the heat of the moment.

3) Rely on resilience
Prevention is always better than cure. Rather than waiting until a data breach occurs to discover the hard way which threats and vulnerabilities are present in IT systems and business processes, act now.

It’s good business practice to continuously monitor risk, including information risk, and ensure that the controls are adequate. However, in the fast-paced cyber world where the threats are constantly changing this can be difficult in practice.

With effective Disaster Recovery and cyber focused Business Continuity practices written into business contingency planning, organisations remain robust and ready to spring into action to minimise the impact of a data breach.

The most effective way to test business resilience, without the risk of unconscious bias producing false-positive results, is evaluation by external security professionals. By conducting physical and logical penetration testing and regularly checking an organisation’s susceptibility to social engineering, effective business continuity can be ensured, and back-up solutions can be rigorously tested.

Cyber Resilience must be woven into the fabric of business operations, including corporate culture itself. Crisis leadership training ensures the C-suite has the skills, competencies and psychological coping strategies that help lead an organisation through the complex, uncertain and unstable environment that is caused by a cyberattack, emerging the other side stronger and more competitive than ever before.

A look ahead to the future
A cyberattack is never insignificant, nor expected, but if a business suffers one it is important to inform those that are affected as quickly as possible. Given the scale at which these are being launched, this couldn’t be truer. It’s vital in the current age of state-backed attacks that businesses prioritise resilience lest they be caught in the crossfire. In a business landscape defined by hyper-extended supply chains, having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders don’t get forgotten in the heat of the moment and that the most important assets remain protected.

Labour Party DDoS Cyber Attacks

It was just a matter of time before cyberattacks were catapulted into the forefront of the UK 2019 General Election campaign, with two cyber-attacks on the Labour Party in the last two days.


It was reported that the Labour Party was targeted by two separate Distributed Denial of Service (DDoS) attacks. Labour has not publicly disclosed which of its digital systems were targeted by the DDoS attacks, but it is understood the cyber attacks impacted the speed of its election and campaigning tools on Monday.

A Labour spokeswoman said: “We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently.” Following reports of a second cyber-attack, a Labour Party spokesperson said: "We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently."

The National Cyber Security Centre (NCSC) has warned all political parties about the high likelihood of being targeted with cyberattacks during elections for years. An NCSC spokesman said the Labour Party followed the correct procedure and notified them swiftly of Monday's cyber-attack, adding: "The attack was not successful and the incident is now closed".

Despite the apparent 'failure' of this attack, it raises important questions around the security of data ahead of the vote: Who is behind this attack? What is the intended outcome? Do political parties have the required level of security to ward off nation-state hackers?

A Labour source said the attacks came from computers in Russia and Brazil, but given it was a DDoS attack, the traffic most likely came from 'zombie' controlled computers, so the countries cited as generating the network traffic en masse against the Labour Party IT systems have no bearing on who the culprit behind the attacks is. DDoS attacks such as these can be orchestrated from any part of the world, so the culprit could be anyone from a nation-state offensive cyber team to a bored 14-year-old kid sat in a bedroom.


DDoS Cyber Attack Explained
Zombie Computers
A zombie computer is a computer that malware with ‘command and control’ software has infected, allowing it to be remotely controlled by a hacker over the internet to perform malicious tasks. Computer users are typically unaware their computer is infected and being controlled. Where hackers infect and control computers en masse over the internet, it is known as a botnet.

Botnets can have tens and even hundreds of thousands of computers remotely controlled by a hacker. Such botnets are used to send spam and phishing emails, and to perform Distributed Denial of Service (DDoS) attacks. A DDoS attack is where a hacker instructs the computers within the botnet to send network traffic to a website or server at the same time, flooding the server(s) with so much network traffic that the server or website is unable to provide a service or function.
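As an added example (not part of the original post), the following Python script shows the defender's side of the flood just described: it reads web server access-log lines, groups requests into fixed time windows and distinguishes a burst spread across many source addresses, consistent with a botnet, from one noisy client hammering the server. The log lines, window size and thresholds are constructed for the illustration; in practice the thresholds come from the server's own traffic baseline.

```python
"""Fixed-window request-rate check over web server access logs.

Added example, not from the original post. Flags windows whose request
count is far above the baseline and reports whether the traffic came from
many sources (a distributed flood) or from a single host.
All log lines below are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def bucket_requests(lines, window_seconds=10):
    """Group requests into fixed windows: {window_start_epoch: Counter(ip -> hits)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        epoch = int(ts.timestamp())
        buckets[epoch - (epoch % window_seconds)][ip] += 1
    return buckets


def classify_windows(lines, window_seconds=10, rate_threshold=50, min_sources=20):
    """Return [(window_start, total_requests, distinct_sources, label)] in time order."""
    results = []
    for start, counter in sorted(bucket_requests(lines, window_seconds).items()):
        total = sum(counter.values())
        sources = len(counter)
        if total < rate_threshold:
            label = "normal"
        elif sources >= min_sources:
            label = "distributed-flood"    # many sources at once: botnet-style traffic
        else:
            label = "single-source-flood"  # one or a few hosts, rate-limit candidates
        results.append((start, total, sources, label))
    return results


def make_lines(ts_str, ips_with_counts):
    """Build constructed combined-format log lines for the demo."""
    return [
        f'{ip} - - [{ts_str}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        for ip, n in ips_with_counts for _ in range(n)
    ]


# Constructed sample: a quiet window, a 40-host burst, then one host on its own.
SAMPLE_LOG = (
    make_lines("11/Nov/2019:09:00:01 +0000", [("203.0.113.5", 2), ("203.0.113.9", 3)])
    + make_lines("11/Nov/2019:09:00:15 +0000", [(f"198.51.100.{i}", 5) for i in range(1, 41)])
    + make_lines("11/Nov/2019:09:00:31 +0000", [("192.0.2.77", 80)])
)


def analyse_sample():
    """Run the classifier over the constructed sample log."""
    return classify_windows(SAMPLE_LOG)


if __name__ == "__main__":
    for start, total, sources, label in analyse_sample():
        print(f"window {start}: {total:4d} requests from {sources:3d} sources -> {label}")
```

The distinction matters for response: a single-source flood can be rate-limited or blocked at the edge, whereas a distributed flood from thousands of zombie hosts needs upstream scrubbing or an always-on DDoS protection service in front of the servers.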


Terry Greer-King, VP EMEA at SonicWall said, "This morning’s ‘failed’ cyber attack on the Labour Party underscores the fact that we are living in an era where political attacks are business as usual for cybercriminals. Breaching a political organisation for the purpose of compromising personal information or even blackmail tampers with the political fabric of a nation and potentially tampers with democratic processes."

Greer-King stated "Despite the apparent 'failure', today's attack once again raises important questions around the upcoming election. Any vulnerabilities within political parties will be ruthlessly exploited, hindering and possibly manipulating their information and systems. Today’s trustworthy security solutions should empower government agencies and political parties, like Labour in this instance, to consistently meet cybersecurity safeguarding requirements and procedures, and implement layered security solutions to block attackers at every step of the way."

Tom Kellermann, Head Cybersecurity Strategist at VMware Carbon Black said "The UK government should be lauded for its ability to successfully thwart an attack campaign targeting its digital platforms. It’s clear the west is under siege as a new Cold War continues to emerge in cyberspace. 

Nation-state-backed hackers have often taken advantage of divisive issues like Brexit to undermine democratically elected governments and cooperative international coalitions like NATO and the EU. It’s hard to think this attack is the last that will target the UK. In turn, the US should see these cyberattacks as a prelude for what may come in 2020.”

Anthony Webb, EMEA Vice President at A10 Networks said “Distributed denial of service (DDoS) attacks present one of the most dangerous forms of cyber threat for political parties and can cause serious reputational and financial damage. This is especially prominent during a General Election campaign when the party will be engaged in influencing voters, thus widening their cyber footprint. The UK Labour Party has suffered two DDoS attacks in quick succession, indicating that similar, future attacks are likely.

While the political parties participating will be on-guard following this latest attack, they all must be prepared for even more sophisticated, multi-vector application layer attacks throughout the remainder of the election period, that could seriously undermine their campaign.

An always-on DDoS protection system between the open web and servers is essential. Network security professionals need to embrace an extensible and adaptable position to detect both application and network attacks. The choice of defensive policy will be determined by the size of the enterprise and its resources. But as the number of high-profile campaign blackouts skyrockets, it’s worth reassessing expenditure and risk levels to combat these threats.

Ultimately, key political parties that cannot ensure that their campaign communication channels are continuously available, risk severely damaging their election campaigns – and may appear untrustworthy in the eyes of constituents. The key is to be prepared: the question is not if but when an attack will come. As we’ve seen in the last three years, cyber-attacks are now commonplace when nationwide elections or referendums are taking place.”

Cyber Security Roundup for September 2019

Anyone over the age of 40 in the UK will remember patiently browsing for holiday bargains on their TV via Teletext. While the TV version of Teletext Holidays died out years ago with the arrival of the world-wide web, Teletext Holidays, a trading name of Truly Travel, continued as an online and telephone travel agent business. Verdict Media discovered an unsecured Amazon Web Services cloud server used by Teletext Holidays and was able to access 212,000 call centre audio recordings of calls with its UK customers. The audio recordings were made between 10th April and 10th August 2016 and were found in a data repository called 'speechanalytics'. Businesses neglecting to properly secure their cloud services is an ever more common cause of mass data breaches of late. Utilising cloud-based IT systems does not absolve businesses of their IT security responsibilities for the data they hold at their cloud service provider.

Booking Holidays on Ceefax in the 1980s

Within the Teletext Holidays call recordings, customers can be heard arranging holiday bookings and providing call-centre agents with partial payment card details, their full names and the dates of birth of accompanying passengers. In some call recordings, Verdict Media advised, customers' private conversations were recorded while they were put on hold. Teletext Holidays said they have reported the data breach to the ICO.

Separately, another poorly secured cloud server was discovered holding thousands of CVs originating from the Monster.com job-hunting website. Monster.com reported the compromise of CVs occurred between 2014 and 2017 and was due to a 'third-party' it no longer worked with.
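The Teletext Holidays and Monster.com exposures above both come down to cloud storage that answered to anyone. As an added example (not the page's code, nor any vendor's), the Python check below reads an S3-style bucket policy document and reports statements that grant read access to every principal, and places a restricted policy beside the public one so the difference is visible. Both policy documents, the bucket name `speechanalytics-example`, the account id `111122223333` and the role name are constructed placeholders.

```python
"""Lint an S3-style bucket policy for anonymous read access.

Added example, not from the original post. The first policy grants
s3:GetObject to every principal, the misconfiguration behind exposures
like those described above; the second limits access to one IAM role in
the owning account. All names and ids are constructed placeholders.
"""
import json

PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone, authenticated or not
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::speechanalytics-example/*"
    }]
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleOnly",
        "Effect": "Allow",
        # Placeholder account id and role name: only this role may read the bucket.
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/speech-analytics-placeholder"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::speechanalytics-example",
                     "arn:aws:s3:::speechanalytics-example/*"]
    }]
})

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the statement applies to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return [(Sid, [risky actions])] for Allow statements open to the world.

    A statement with a Condition block (for example a source IP or VPC
    endpoint restriction) is narrowed and is not reported here; a reviewer
    should still read the condition to confirm it actually limits access.
    """
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        risky = [a for a in actions if a in READ_ACTIONS or a.startswith("s3:get")]
        if risky:
            flagged.append((stmt.get("Sid", "<no Sid>"), risky))
    return flagged


if __name__ == "__main__":
    for label, doc in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, "->", public_statements(doc) or "no world-readable statements")
```

The check is deliberately conservative: it reports only statements that are plainly open to any principal without a condition. Bucket ACLs and account-level public-access settings are separate controls and need their own review; a clean policy document alone does not prove the data is private.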

Wikipedia was the subject of a major DDoS attack, which impacted the availability of the online encyclopaedia website in the UK and parts of Europe. While the culprit(s) behind the DDoS attack remain unknown, Wikipedia was quick to condemn it, saying it was not just about taking Wikipedia offline: "Takedown attacks threaten everyone’s fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."

CEO Fraud
The BBC News website published an article highlighting the all too common issue of CEO Fraud, namely company email spoofing and fraud, which is costing businesses billions.

Criminals are increasingly targeting UK business executives and finance staff with ‘CEO Fraud’, commonly referred to as ‘whaling’ or Business Email Compromise (BEC) by cybersecurity professionals. CEO fraud involves the impersonation of a senior company executive or a supplier to social engineer fraudulent payments. CEO fraud phishing emails are difficult for cybersecurity defence technologies to prevent, as such emails are specifically crafted (i.e. spear phishing) for individual recipients and do not contain malware-infected attachments or malicious weblinks for cyber defences to detect and block.

Criminals do their research, gaining a thorough understanding of business executives, clients, suppliers, and even staff roles and responsibilities through websites and social media sites such as LinkedIn, Facebook, and Twitter. Once they determine who they need to target for the maximum likelihood of a financial reward, they customise a social engineering communication to an individual, typically through email, but sometimes through text messages (i.e. smishing), over the phone, and even by postal letter to support their scam. They often create a tremendous sense of urgency, demanding immediate action to complete a payment while impersonating someone in the business with high authority, such as the MD or CEO. The criminal’s ultimate goal is to pressurise and rush the targeted staff member into authorising and making a payment to them. Such attacks are relatively simple to arrange, require little effort, and can have high financial rewards for criminals. They require little technical expertise, as email spoofing tools and instructions are freely available on the open and dark web. And thanks to the internet, fraudsters globally can effortlessly target UK businesses with CEO fraud scams.
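As an added example, not from the original article, the Python below screens a raw email for the CEO-fraud signals just described: an executive's display name on an address outside the company directory, a lookalike sender domain, a Reply-To header that diverts the conversation elsewhere, and urgent payment language. Because these messages carry no attachment or link, the useful signals are in the headers and the wording. The corporate domain `example-corp.com`, the executive directory entry and both sample messages are constructed for the example.

```python
"""Heuristic screen for CEO-fraud / BEC style messages.

Added example, not from the original article. Scores a message on header
and wording signals rather than on attachments or links, which these
messages usually lack. The corporate domain, executive directory and
sample messages are constructed for the example; a real deployment would
take these from the directory service and the mail gateway.
"""
import email
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                     # assumed for the example
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed directory entry
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|wire|transfer|payment|confidential)\b", re.I)


def levenshtein(a, b):
    """Edit distance between two strings, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_message(raw):
    """Return a list of findings; an empty list means no BEC signals were seen."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")

    findings = []
    # 1. Display name of a known executive, but the address is not the directory one.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("executive display name on a non-directory address")
    # 2. Sender domain within two edits of the corporate domain (e.g. 'l' swapped for '1').
    if domain and domain != CORPORATE_DOMAIN and levenshtein(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {domain}")
    # 3. Replies silently routed to a different mailbox than the visible sender.
    if reply_to and reply_to.lower() != addr:
        findings.append("Reply-To diverts replies away from the From address")
    # 4. Pressure and payment vocabulary in subject or body.
    hits = {m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + body)}
    if len(hits) >= 2:
        findings.append("urgent payment language: " + ", ".join(sorted(hits)))
    return findings


# Constructed sample: lookalike domain, diverted Reply-To, urgent payment request.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.jdoe@freemail.example
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain; charset=us-ascii

I'm in a meeting and can't talk. Please process this payment immediately
and keep it confidential until I'm back.
Jane
"""

# Constructed benign message from the same executive's real address.
BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch on Thursday
Content-Type: text/plain; charset=us-ascii

See you at noon in the canteen.
Jane
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", analyse_message(raw) or "no findings")
```

Any one of these findings is a reason to hold the message for review; several together are a strong indication of CEO fraud. The technical screen complements, rather than replaces, the procedural control of verifying unusual payment requests by a phone call to a known number.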

UK Universities are being targeted by Iranian hackers in an attempt to steal secrets, according to the UK National Cyber Security Centre and the UK Foreign Office. The warning came after the US deputy attorney general Rod Rosenstein said: “Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries.”

Security Updates
'Patch Tuesday' saw Microsoft release security updates for 78 security vulnerabilities, including 17 rated 'Critical', in Windows RDP, Azure DevOps, SharePoint and Chakra Core.

On 23rd September 2019, Microsoft released an ‘emergency update’ (out-of-band) for Internet Explorer (versions 9, 10 and 11), which addresses a serious vulnerability (CVE-2019-1367) discovered by a Google researcher and said to be actively exploited. The flaw allows an attacker to execute arbitrary code on a victim's computer through a specially crafted website, gaining the same rights as the logged-on user and infecting the computer with malware. It is a particularly dangerous exploit if the user has local administrator rights; in such instances an attacker could gain full remote control over the user's computer. This vulnerability is rated 'Critical' by Microsoft and has a CVSS score of 7.6. Microsoft recommends that customers apply Critical updates immediately.

Ransomware
Research by AT&T Cybersecurity found 58% of IT security professionals would refuse to pay following a ransomware attack, while 31% said they would only pay as a last resort. A further 11% stated paying was, in their opinion, the easiest way to get their data back, and 40% of IT security professionals would outlaw ransomware payments. It is clear from the latest threat intelligence reports that the paying of ransomware ransoms is fuelling further ransomware attacks, including targeted attacks on UK businesses.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
HUAWEI NEWS AND THREAT INTELLIGENCE
AWARENESS, EDUCATION AND THREAT INTELLIGENCE