Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between November 13 and November 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
20201120-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.
London's Hackney Borough Council has been tight-lipped about "a serious cyber-attack" which took down its IT systems, impacting its service delivery to citizens. Providing scant information about the attack, but it does have all the hallmarks of a ransomware outbreak. The council says it is working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident. Ransomware attacks continue to be a major blight for UK public services, with councils to hospitals struggling to defend their IT systems against ransomware. Earlier this year Redcar and Cleveland Borough Council said it had been hit by a ransomware attack, which cost it more than £10m.
BA lost 430,000 payment card details to hackers after Magecart e-commence skimming attack in 2018
This data breach was a lesson in failing at PCI DSS compliance, with customer credit card details stolen due to ‘Magecart’ payment card skimming script being injected onto the BA payment page. The attackers initially compromised the BA network through a third-party worker’s remote access (not MFA protected), gaining access to BA's Citrix environment. Once inside the BA network, the attackers were gifted privilege level access after finding a domain admin account username and password in plaintext on a server folder. I understand investigators found the storage of payment cards in plaintext, including CVV numbers post-payment authorisation which is never permitted under PCI DSS rules. Aside from the ICO fine and reputational damage, this breach cost is likely to have cost BA a small fortune in specialised PCI PFI digital investigation forensic work, a complete solution rebuild, and with card brand penalties. The Visa Chief Enterprise Risk Officer once said ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach’, I understand that statement still rings true today.