Trustwave released a report which depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected. Data protection strategy The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations. Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the U.S., U.K., Australia and Singapore. “Data drives the global … More
The post How tech trends and risks shape organizations’ data protection strategy appeared first on Help Net Security.
A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.
COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of universities and colleges in September. Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack its victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period; that statement is the hallmark of recovery from a mass ransomware infection.
[Image: Doppelpaymer ransom notice]
On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education. The NCSC's guidance for organisations on defending against ransomware attacks is available here.
A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after Microsoft, CISA, the UK NCSC and other security bodies warned in mid-September that the vulnerability was being actively exploited. Dubbed 'Zerologon', the bug scored the maximum severity rating of 10.0, and Microsoft issued a security fix for it as part of its August 2020 'Patch Tuesday' release of monthly security updates. Since the public disclosure of the flaw, multiple proof-of-concept (PoC) exploits have appeared on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigations or workarounds for this vulnerability, so it is essential that the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and that DC enforcement mode is then enabled.
- The DRaaS Data Protection Dilemma
- Top Five Most Infamous DDoS Attacks
- Cyber Security Roundup for September 2020
- Alert issued to UK Universities and Colleges about Spike in Cyberattacks
- Newcastle University Students’ Data Held to Ransom by Cyber Criminals
- Nokia clinches 5G deal with BT to phase out Huawei's kit in BT’s EE Network
- British 'Dark Overlord’ Hacker Jailed for Five Years in the US
- Large US Hospital Chain Hobbled by Ryuk Ransomware
- Massive Magecart Attacks Steal personal Data from Magento 1 stores
- Flightradar24 Website Hit By Three Suspected DDoS Attacks In 48 Hours
- Police launch Homicide inquiry after German hospital hack
- Microsoft Windows Domain Controller Critical Vulnerability being actively Exploited, Apply Patch Now!
- Microsoft Patches 120 Vulnerabilities
- Palo Alto Fixes 9 Vulnerabilities in PAN-OS
- Adobe Releases Update to Patch Critical Flaw in Experience Manager, Framemaker, and InDesign
- Critical Flaw (CVE-2020-6287) gives Attackers Control of Vulnerable SAP Business Applications
- Microsoft Reprieves SHA-1 Deprecation in Edge 85 Security Baseline
- Russia, China and Iran hackers target Trump and Biden according to Microsoft
- CISA Alert: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
- NIST (SP 1800-11) Guide to Help Organisations Recover from Ransomware, other Data Integrity Attacks
Taking security training courses and passing certification exams are common ingredients in the makeup of the vast majority of accomplished cybersecurity and information security professionals. As such, two security incidents last month raised more than an eyebrow or two within the UK security industry.
The first involved the renowned and well-respected United States security training company, The SANS Institute, announcing that a successful email phishing attack against one of its employees resulted in 28,000 personal records being stolen. SANS classified this compromise as "consent phishing", namely where an employee is tricked into granting malicious Microsoft Office 365 OAuth applications access to their O365 account. In June 2020, Microsoft warned that 'consent phishing' scams were targeting remote workers and their cloud services.
The second incident involved British cybersecurity firm NCC Group, after The Register reported that NCC-marked CREST penetration testing certification exam 'cheat sheets' were posted on GitHub. El Reg stated the leaked NCC-marked document "offered step-by-step guides and walkthroughs of information about the Crest exams. With those who posted the documents claiming that the documents contained a clone of the Crest CRT exam app that helped users to pass the CRT exam in the first attempt." CREST, a globally recognised provider of penetration testing accreditations, conducted its own investigation into the GitHub post and then suspended its Certified Infrastructure Tester (CCF Inf) and Certified Web Application Tester (CCT App) exams.
Reuters reported that British trade minister Liam Fox's email account was compromised by Russian hackers through a spear-phishing attack. This led to leaks of sensitive US-UK trade documents in a disinformation campaign designed to influence the outcome of the UK general election in late 2019.
UK foreign exchange firm Travelex is still reeling from the double 2020 whammy of a major ransomware outbreak followed by the impact of COVID-19, and has managed to stay in business thanks to a bailout arranged by its business administrators PWC.
Uber's former Chief Security Officer has been charged with obstruction of justice in the United States, accused of covering up a massive 57-million-record data breach in 2016. Uber eventually admitted paying a hacking group a $100,000 (£75,000) ransom to delete the data they had stolen.
The British Dental Association advised its dentist members that their bank account details and correspondence with them were stolen by hackers. A BDA spokeswoman told BBC News it was possible that information about patients was also exposed, but remained vague about the potential context. The cyber breach was likely caused by a hack of the BDA website given it was taken offline for a considerable amount of time after reporting the breach.
[Image: Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global (book cover)]
- Beating the Emotet Malware with SSL Interception
- Countering Cybercrime in the Next Normal
- Book Review: Crime Dot Com, From Viruses to Vote Rigging, How Hacking Went Global
- Cyber Security Roundup for August 2020
- Securing the COVID-19 'New Normal' of Homeworking
- Security Training Firm SANS Institute Data Breach after an employee fell for ‘Consent Phishing’
- Travelex Strikes Rescue deal but 1,300 UK jobs go following the impact of Ransomware Attack & COVID 19
- Uber Ex-Security Boss Accused of Covering up Hack Attack
- Suspected Russian Hackers Stole UK Trade Minister’s Personal Emails
- Cosmetics Giant Avon Leaks 19 Million Records due to Misconfigured Cloud Server
- British Dental Association members targeted by Hackers
- Internal NCC Training Data and CREST Exam Questions Leaked on Github
- Regulators levy $80 Million Fine on Capital One for Massive Breach
- Stricken Electronics Firms Weigh Reward and Cost of Paying Cyber Ransoms
- New Zealand Stock Exchange Halted by DDoS Cyber-Attack
- Hacker Leaks Passwords For 900+ Enterprise Pulse Secure VPN Servers
- Insecure satellite Internet is Threatening Ship and Plane Safety
- Tea at the Ritz Soured by Credit Card Scammers
- NCSC departing Boss reflects on China, Russia and Trust in Tech
- British Army 'could drop tanks in favour of Cyber Capabilities', says report
- GCHQ Cyberspies Foil Get-Rich-Quick Scams
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets.
While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack; that scammer (or scammers) then orchestrated near-simultaneous Bitcoin scam tweets posted from the high-profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year-old British man from Bognor Regis.
There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is "easy to attack" and "likely to be exploited", although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.
SIGRed being a wormable vulnerability makes it particularly dangerous, as wormable malware could exploit it to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to compromise privileged accounts (i.e. admin accounts found on servers). The Microsoft CVE-2020-1350 vulnerability can be mitigated on affected systems either by applying the Microsoft Windows DNS Server patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or by applying a registry workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability).
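The two domain controller mitigations described in this roundup, the Zerologon (CVE-2020-1472) enforcement mode in the September entry and the SIGRed (CVE-2020-1350) registry workaround just above, are both registry-driven, so they can be audited with one script. The following PowerShell is an added example, not code from the blog, from Microsoft or from any other project. It assumes it is run in an elevated session on the domain controller itself, that the value names are the ones in Microsoft's guidance (FullSecureChannelProtection for Zerologon enforcement, TcpReceivePacketSize for the KB4569509 workaround linked above), and that the Netlogon events 5827 to 5831 are the ones Microsoft documents for flagging vulnerable secure channel connections.

```powershell
# Added example: audit a domain controller for the Zerologon enforcement mode and the
# SIGRed registry workaround. Not from the blog or from Microsoft; value names and event
# IDs are taken from Microsoft's guidance for CVE-2020-1472 and KB4569509 (assumed).

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-ZerologonEnforcement {
    # FullSecureChannelProtection = 1 puts the DC in enforcement mode: vulnerable
    # Netlogon secure channel connections are rejected from all devices.
    # A missing value or 0 means the DC is still in the initial deployment phase.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = Get-RegistryDword -Path $path -Name 'FullSecureChannelProtection'

    # Netlogon events 5827/5828 = vulnerable connection denied; 5829/5830/5831 =
    # vulnerable connection allowed (non-compliant device or policy exception).
    # Any "allowed" event names a device that still needs patching or removal.
    $since  = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'
        Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Check                     = 'Zerologon (CVE-2020-1472) enforcement mode'
        EnforcementModeEnabled    = ($value -eq 1)
        RegistryValue             = $value
        VulnerableDeniedLast7Days = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
        VulnerableAllowedLast7Days = @($events | Where-Object { $_.Id -in 5829, 5830, 5831 }).Count
    }
}

function Test-SigredWorkaround {
    # KB4569509 workaround: TcpReceivePacketSize = 0xFF00 (65280) under the DNS
    # service parameters, followed by a restart of the DNS service. The workaround
    # only matters on hosts running the DNS Server role, and only until the DNS
    # Server update itself is installed (checking the installed update is OS-specific
    # and is not attempted here).
    $expected = 0xFF00
    $dns = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    if ($null -eq $dns) {
        return [pscustomobject]@{
            Check = 'SIGRed (CVE-2020-1350) registry workaround'
            DnsServerInstalled = $false; WorkaroundApplied = $false; RegistryValue = $null
        }
    }
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $value = Get-RegistryDword -Path $path -Name 'TcpReceivePacketSize'
    [pscustomobject]@{
        Check              = 'SIGRed (CVE-2020-1350) registry workaround'
        DnsServerInstalled = $true
        WorkaroundApplied  = ($value -eq $expected)
        RegistryValue      = $value
        DnsServiceStatus   = $dns.Status
    }
}

# Run both checks and print the results; anything "false" is a follow-up item.
Test-ZerologonEnforcement | Format-List
Test-SigredWorkaround     | Format-List
```

The script only reads state; it does not change the registry or restart services, so it is safe to run as part of a routine DC health check. Treat a non-zero VulnerableAllowedLast7Days as the more urgent finding: it means a device on the network is still negotiating the vulnerable Netlogon connection that the patch is meant to block.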
As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, something Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
- BT says 'impossible' to remove all Huawei kit in under 10 years
- The UK faces mobile blackouts if Huawei 5G ban imposed by 2023
- Huawei ban 'would depress GDP and spark inflation', think tank warns
- Huawei: The company and the security risks explained
- Huawei U-turn: Cyberattacks, levies and other possible repercussions of the UK's 5G move
The Russian hacking group APT 29 was jointly accused of targeting coronavirus vaccine research for theft by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK rejected the allegations: "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. Foreign Secretary Dominic Raab, meanwhile, said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".
Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to fitness brand 'V Shred' were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred defended itself against the researchers' findings by claiming it was necessary for user files to be publicly available, and denied that any PII data had been exposed.
- Twitter Hack & Scam
- Returning to the Workplace and the Ongoing Threat of Phishing Attacks
- iPhone Hacks: What You Need to Know About Mobile Security
- Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats
- How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal'
- Cyber Security Roundup for July 2020
- 45 High Profile Twitter Accounts Hacked and Used to Scam Followers
- Blackbaud Hack: Universities Lose Data to Ransomware Attack
- Russian Hacking Group (APT 29) is Targeting Coronavirus Research Theft
- Huawei 5G kit must be removed from the UK by 2027
- Hacker Ransoms 23k MongoDB Databases and Threatens to contact GDPR Authorities
- Hackers try to Steal £1m Transfer Fee during Football Club Cyber Attack
- Dave ShinyHunters Hack Exposes 7.5 Million User Records
- Smartwatch Maker Garmin took Offline by Cyber Attack
- Open S3 Bucket Exposes One Million Files of Fitness Brand V Shred
- SEI Investments Customer Data Exposed in Ransomware Attack on Vendor
- Microsoft Patches 123 Vulnerabilities
- Microsoft Critical Warning to Fix Wormable Bug “SIGRed”
- Adobe Patch Tuesday: Adobe eliminates Four Critical Bugs
- Adobe Fixes 12 Critical Bugs in Second Round of July Patches
- Adobe mends Critical Code Execution Flaws in Magento
- Cisco Patches Severe Traversal Vulnerability Exploited in the Wild
- ‘Boothole’ Threatens Billions of Linux, Windows Devices
- Survey of 127 Routers’ Vulnerabilities: Remote Workers Warned over Security Flaws
- Dacls RAT’s Goals are to Steal Customer Data and Spread Ransomware
- GoldenSpy: Chinese Tax Software found to Dish Out Backdoor Malware
- Report: The Cost of Ransomware in 2020. A Country-by-Country Analysis
Australian Prime Minister Scott Morrison announced a sophisticated nation-state actor is causing increasing havoc by attacking the country’s government, corporate institutions, and his country's critical infrastructure operators. He said, “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't actually name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit. Political tensions have ramped up between Australia and China in recent months after Australia called for an investigation into China’s handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.
Increased UK Huawei Tensions in June 2020
Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the much-outdated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, written well before the internet took root in our digital society, and so is not really suitable for prosecuting modern cybercriminals, who tend to be prosecuted under financial crime and fraud laws instead. The coalition calling for a change in the law includes NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue that section 1 of the Act, which prohibits unauthorised access to any programme or data held in any computer, has not kept pace with advances in technology. In their letter to the PM they said "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."
Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a "milestone" and "a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.
Some men just want to watch the world burn...
- Australia PM Claims Nation-State Actor is behind a Surge of Cyberattacks
- Zoom will Extend Optional End-to-End Encryption to Free Users
- Huawei's days in the UK could be Numbered
- NCSC: One Million Phishing Messages Reported in Two Months
- UK Gov Urged to Overhaul "unfit for purpose" Computer Misuse Act
- European Bank suffers biggest PPS DDoS Attack, New Botnet Suspected
- Criminals Intercepted Payment Card details used at Claire’s Online store for Weeks
- Amazon Thwarts Largest ever DDoS Attack
- Ransomware Gang Claims Attack on LG Electronics
- South African Bank to Replaces 12 Million Cards after Employees Stole Master Key
- Snake Ransomware behind Cyberattack that put Brakes on Honda Operations for the Third Time
- Malicious Google Extensions Research points out ‘unintended consequence’ of Cloud Computing
- Lockdown sees rise in RDP Brute Force Attacks, with over 100,000 daily
- Microsoft Patches 129 Vulnerabilities
- Adobe Fixes 18 Critical Vulnerabilities
- Cisco Security Advisories address 47 Flaws, 3 Critical
- High-Severity Bugs Patched in Chrome, Firefox Browsers
- Apple Patches iOS Jailbreak Vulnerability
- North Korea has quietly built a 7,000 Cyber Army
- Dodging AV and endpoint defenses is a ‘snap’ for new Thanos Ransomware
- Ragnar Locker teams up with Maze; Zorab ransomware imitates Decryptor
- Cybercriminals Poised to Attack as Adobe ends support for Magento 1
EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of its customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.
Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as a "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don't know". Today Dido is responsible for the UK government's Track, Test and Trace application, which no doubt will ring privacy alarm bells with some.
Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."
It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" in regards to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So it can be no real surprise that law firm PGMBM announced it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.
The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
- 86% of data breaches were for financial gain - up from 71% in 2019
- 43% were web application (cloud-based) attacks - these have doubled, reflecting the growth in the use of cloud-based services
- 67% of data breaches resulted from credential theft, human error or social attacks
- Clearly identified cyber-breach pathways enable a "Defender Advantage" in the fight against cyber-crime
- On-going patching is succeeding - fewer than 1 in 20 breaches exploit vulnerabilities
- 70% with organised crime accounting for 55% of these
- Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
  - 37% of credential theft breaches used stolen or weak credentials
  - 25% involved phishing
  - Human error accounted for 22%
REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm 'Grubman Shire Meiselas & Sacks'. Some 756 gigabytes of personal data, emails and contract details were taken, covering Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.
Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed "a limited set of corporate file shares" that "contained information used by our business teams and functional groups to conduct business-related activities." News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.
Amazon's UK website was defaced with racist abuse, which appeared on multiple product listings. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".
- Passwords are and have always been an Achilles Heel in CyberSecurity
- Cyber Security Roundup for May 2020
- EasyJet admits Nine Million Customers Accounts have been Hacked
- Hackers Extort Law Firm of Lady Gaga, Drake and Madonna, stealing 756 Gig of Contracts & Emails
- Pitney Bowes hit with Second Ransomware Attack
- Amazon UK Website Defaced with Racist Abuse
- Serco Apologises for Sharing Contact Tracers' Email Addresses
- 26 Million LiveJournal bloggers' Credentials a hit on Dark Web Six Years Later
- Malicious Actor holds at least 31 Stolen SQL Databases for Ransom
- Fresh UK Review into Huawei Role in 5G networks
- Dark Web Scammers Exploit Covid-19 Fear and Doubt
- Cybersecurity among Six Sectors Booming during Covid-19, with Q1 Funding Exceeding £1 Billion
- £1 Million UK Defence innovation funding for Cyber and Physical integration
- Six Cisco Servers Compromised when Hackers Exploited SaltStack Salt Flaws
- Microsoft Patches 111 Vulnerabilities
- Adobe Reader and Acrobat Patch Tuesday Releases
- VMware issues workarounds for Salt Vulnerabilities in vRealize Operations Manager
- Mozilla Patches Three Critical Vulnerabilities in Firefox
- Cisco Pushes out almost Three Dozen Security Updates
- Apple Release Security Patch for macOS Catalina
- Google Release Security Patch for Chrome Browser
- StrandHogg 2.0 Flaw allows Hackers to Hijack almost any Android app
- FBI, CISA warn China Targeting organisations conducting COVID-19-related Vaccine, Treatment Research
- COVID-19 Inspires Nigerian Scammers to Launch Waves of BEC Campaigns
- CISA Releases Analysis of Three Hidden Cobra (North Korea) Malware Variants
- Hacker Group Announces Jailbreak for iOS 11 – 13.5
- Form-Based Phishing Attacks Impersonate Branded File-Sharing and Productivity Sites
- Turla's ComRAT v4 uses Gmail Web UI to Receive Commands and Steal Data
- WolfRAT Malware Targets WhatsApp, Messenger
- Crypto-jacking: 'Scorching-hot Hacked Computer Burned my Hand'
As well reported, UK foreign exchange firm Travelex's business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5GB of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands, in my opinion.
Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack not only encrypts a victim's files but steals sensitive data from the IT systems as well. This enables the bad guys to threaten to publish the stolen data unless the organisation coughs up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.
Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads said to be straining security operations, especially in health care. Microsoft warned security teams to look for signs of credential theft and lateral movement activities that herald attacks.
Researchers continue to be busy exposing large sensitive datasets within misconfigured cloud services. In April, researchers reported 14 million Ring user details exposed in a misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.
Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant said that from April, users' accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion occurred, saying it "seems to have been made by impersonating login to Nintendo Network ID". "If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account," Nintendo said. In response to these issues the company has abolished users' ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company is recommending multi-factor authentication be set up for each account.
The account breaches weren't the only cyber issue affecting Nintendo in April: it was reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot-using reseller benefits at the expense of consumers; by buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, making a quick and tidy profit due to the current high demand for Switches and lack of supply.
April was a busy month for security updates: Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!
Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.
There were security critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches were also released, including one for a CVSS 10 (highest possible) vulnerability in vCenter, a critical vulnerability in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patching their vulnerabilities.
- How Safe are Video Messaging Apps?
- Security Threats Facing Modern Mobile Apps
- How to Keep Your Video Conferencing Meetings Secure
- YesWeHack Cybersecurity Training Temporarily Free for Schools and Universities
- Cyber Security Roundup for April 2020
- Travelex Paid $2.3 Million in Ransom to REvil Cyber Gang
- IT Services Firm Cognizant falls Victim to Maze Ransomware
- Nintendo Confirms 160,000 User Accounts Hacked
- Bug Brokers put Two Zoom Zero-Days on the Market
- 14 Million Key Ring Users Exposed in Misconfigured AWS Open Database
- Maropost Misconfigured Database with 95 Million left Open and Unsecure
- Fitness Software maker Kinomap leaves Database Open Exposing 42 Million Users
- BT Delays Removal of Huawei from EE's core Network by Two Years
- Huawei Warns cutting its 5G role would be 'disserve' to Britain
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
- Microsoft warns of Ransomware Attacks with ‘motley crew’ of Payloads
- Brute Forcing RDP Credentials on the Rise
- Emotet Banking Trojan possibly being Prepped for a New Attack
- Phishing Campaign aims to steal Zoom Credentials using Fake Layoff Notifications
- Interpol warns Hospitals about COVID-19-based Ransomware Threat
- Google Blocking 18 Million Coronavirus Scam Emails Every Day
The sudden and dramatic shift to a mobile workforce has thrust video conferencing into the global spotlight and evolved video conferencing vendors from enterprise communication tools to critical infrastructure.
During any major (and rapid) technology adoption, cyberattackers habitually follow the masses in hopes of launching an attack that could lead to a payday or give them a competitive advantage. This has not been lost on global organisations’ security and IT teams, who are quickly working to make sure their employees’ privacy and data remain secure.
Here are some high-level tips to help keep video conferencing secure.
Update the Application
Video conferencing providers are regularly deploying software updates to ensure that security holes are mitigated. Take advantage of their diligence and update the app prior to using it every time.
Lock meetings down and set a strong password
Make sure that only invited attendees can join a meeting. For the meeting password, using full sentences with special characters included, rather than just words or numbers, can be helpful. Make sure you are not sharing the password widely, especially in public places, and never on social media. Waiting room features are critical for privacy, as the meeting host can serve as a final triage to make sure only invited participants are attending. Within the meeting, the host can restrict sharing privileges, leading to smoother meetings and ensuring that uninvited guests are not nefariously sharing materials.
Discussing sensitive information
If sensitive material must be discussed, ensure that the meeting name does not suggest it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers. Using code words to depict business topics is recommended during the cyber crime wave we are experiencing.
Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself
Using an employee sharing site that only employees have access to (and has multi-factor authentication in place) is a great way to make sure sensitive files touch the right eyes only. This should be mandated as this is a huge Achilles heel.
Use a VPN to protect network traffic while using the platform
With so many employees working remotely, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public WiFi can be a gamble as it only takes one malicious actor to cause damage. Do not use public WiFi, especially in airports or train stations. Cyber criminals lurk in those locations.
If you can, utilise two networks on your home WiFi router, one for business and the other for personal use.
Make sure that your work computer is only connected to a unique network in your home. All other personal devices – including your family’s – should not be using the same network. The networks and routers in your home should be updated regularly and, again, should use a complex password. Additionally, you should be the only system administrator on your network and all devices that connect to it.
All of us have a role to play in mitigating the cyber crime wave. Please remember these best practices the next time you connect. Stay safe online.
Also related - How Safe are Video Messaging Apps such as Zoom?
The UK went into lockdown in March due to the coronavirus pandemic; these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation: both UK citizens and businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing), which prompted warnings by the UK National Cyber Security Centre and UK Banks, and a crackdown by the UK Government.
I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the gov.uk domain, but the attacker has used an international domain name homograph attack, namely using foreign font characters to disguise the true address of a malicious website that is linked.
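The homograph trick described above can be checked for before anyone taps a link: the hostname is converted to the ASCII (punycode) form the resolver actually sees, and any DNS label that mixes scripts (a Cyrillic letter inside an otherwise Latin word) is flagged. This is an added example, not code from the original post; it uses only Python's standard library, and the sample URLs are constructed.

```python
"""Added example: flag IDN homograph lookalike hostnames in a link.

Assumptions (not from the original post): hostnames are converted with
Python's built-in 'idna' codec, and script detection relies on the
Unicode character names from unicodedata. Sample URLs are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Script prefixes as they appear in Unicode character names.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def scripts_in_label(label: str) -> set:
    """Return the set of alphabetic scripts used within one DNS label."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        for script in SCRIPTS:
            if name.startswith(script):
                found.add(script)
                break
        else:
            found.add("OTHER")
    return found


def analyse_link(url: str) -> dict:
    """Describe how a link's hostname would actually resolve.

    Reports the displayed host, its punycode (xn--) form, whether it
    contains non-ASCII characters, and which labels mix scripts, which
    is the classic homograph disguise for a lookalike domain.
    """
    host = urlsplit(url).hostname or ""
    ascii_host = host.encode("idna").decode("ascii")
    mixed = [lbl for lbl in host.split(".") if len(scripts_in_label(lbl)) > 1]
    return {
        "display_host": host,
        "ascii_host": ascii_host,
        "non_ascii": not host.isascii(),
        "mixed_script_labels": mixed,
        "suspicious": (not host.isascii()) or bool(mixed),
    }


if __name__ == "__main__":
    # Constructed samples: a plain ASCII link, and a lookalike whose 'gov'
    # label has the Latin 'o' swapped for Cyrillic 'о' (U+043E).
    for sample in ("https://www.gov.uk/coronavirus", "https://www.g\u043ev.uk/coronavirus"):
        print(analyse_link(sample))
```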
I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams. It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.
March threat intelligence reports shone a light on the scale of the cybercriminal shift towards exploiting the COVID-19 crisis for financial gain. Check Point's Global Threat Index reported a spike in the registration of coronavirus themed domain names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports that more than 80% of the threat landscape is using coronavirus themes in some way. There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anti-virus solution.
International hotel chain Marriott reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriott's online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach of 383 million guests. Tony Pepper, CEO at Egress, said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO.”
March was another busy month for security updates. Patch Tuesday saw Microsoft release fixes for 116 vulnerabilities, and there was an out-of-band Microsoft fix for the 'EternalDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle-based software giant. Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.
Stay safe, stay home and watch out for the scams.
- How Safe are Video Messaging Apps?
- Working from Home Cybersecurity Guidance
- Coronavirus Cybersecurity: Scams To Watch Out For
- Payment Card Transactions in the UK will be increased from £30 to £45 due to Coronavirus
- Cyber Security Roundup for March 2020
- UK Banks warn on Wave of COVID-19 Themed Text Message ‘Smishing’ Scams
- UK Government Cracks Down on Fake Coronavirus Advice on Social Media and WhatsApp
- Virgin Media leaves Database Open, Thousands of Records Exposed
- T-Mobile Email Vendor Breach Exposes Info on Customers and Employees
- Five Billion Records Exposed in Open ‘Data Breach Database’ by UK-based Security Company’
- New Marriott Data Breach Impacts 5.2 Million Guests
- 8 Million EU Retail Sales Records Exposed on AWS MongoDB
- Blisk Browser left open, 2.9 Million Records Exposed
- Boots halts Advantage Card Payments after Credentials Stuffing Cyber-Attack
- Huawei: Government wins vote after Backbench Rebellion
- Unpatched Windows Zero-Day Flaws exploited according to Microsoft
- Drupal, Google and Cisco Post Security Advisories
- Adobe Patches 41 Vulnerabilities, 22 in Photoshop
- Adobe Patches Critical Flaw in Creative Cloud
- Cisco Fixes Three High-Level bugs, but a Fourth Remains Unpatched
- Apple Releases more than 30 Security Patches
- Zero-day vulnerabilities used against DrayTek Routers and Switches
- VMware Fixed Critical Code Execution Bug in Hypervisors
- Microsoft Issues Out-of-Band Fix for Leaked ‘EternalDarkness’ Bug
- Hijacked Routers and attempted WHO hacks highlight latest COVID-19 attacks
- Thousands of New Coronavirus-Themed Domains Registered, more than 50% likely to be Malicious
- APT41 Activity Down during China COVID-19 Quarantines; Massive Campaign Undeterred
- Coronavirus Tracking App Locks up Android Phones for Ransom
- Russian Cybercrime Forums seen selling Malware-Sabotaged COVID-19 Map
- TrickBot Banking Trojan introduces RDP Brute Forcing Module
- Necurs Botnet Operation Dismantled; Millions of Malicious Domains Disabled
- Foreign APT groups use Coronavirus Phishing Lures to drop RAT Malware
Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.
Typically, these scam messages will entice you into either opening a malicious attachment or clicking a web link which directs you to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock it, to scam a payment, or to steal your personal information, which can be resold to other cybercriminals on the dark web.
So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.
The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily, most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking, and do not suppress any app updates from occurring, as app updates are often fixing security flaws.
And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.
One tip I didn't have time to say on the podcast is to always ensure your video chats are set to private, using a strong password to prevent ZoomBombing. Recent reports have shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls.
Bharat Mistry, Principal Security Strategist at Trend Micro on Zoom advises “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.
It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.
Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.
- Ensure Zoom is always on the latest software version
- Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
- Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
- Ensure you also generate a meeting ID automatically for recurring meetings
- Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
- Don’t share any meeting IDs online
- Disable “file transfers” to mitigate risk of malware
- Make sure that only authenticated users can join meetings
- Lock the meeting once it’s started to prevent anyone new joining
- Use the waiting room feature, so the host can only allow attendees from a pre-assigned register
- Play a sound when someone enters or leaves the room
- Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”