Category Archives: vmware

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020, impacting 9 million of their customers was the biggest cybersecurity story of May 2020 in the UK. Although no details about this 'cyber-attack' were disclosed, other than 2,208 customers had their credit card details accessed.  


Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability.  City A.M. described Dido's responses as "naive", noting when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK governments Track, Test and Trace application, which no doubt will ring privacy alarms bells with some. 

Back to the EasyJet breach, all we know is the ICO and the NCSC are supporting UK budget airline, EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays." 

It will be interesting to see the DPA enforcement line Information Commission's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry.  Some security commentators have called ICO a "Toothless Tiger" in regards to their supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So then, it can be no real surprise to law firm PGMBM announce it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion!. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before COVID-19 pandemic.  The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
  • 86% of data breaches for financial gain - up from 71% in 2019 
  • 43% web application (cloud-based) - these attacks have doubled, reflecting the growth in the use of cloud-based services.
  • 67% of data breaches resulted from credential theft, human error or social attacks. 
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime 
  • On-going patching successful - fewer than 1 in 20 breaches exploit vulnerabilities
The vast majority of breaches continue to be caused by external actors.
  • 70% with organised crime accounting for 55% of these. 
  • Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (over 67%), specifically:
    • 37% of credential theft breaches used stolen or weak credentials,
    • 25% involved phishing
    • Human error accounted for 22%
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware had a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR with 18% of organisations reported blocking at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from a law firm 'Grubman Shire Meiselas & Sacks'. With 756 gigabytes of personal data, emails, and contract details were taken, including Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen and Mariah Carey to name a few. 

Pitney Bowes was hit with ransomware for the second time in 7 monthsPitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse,  which appeared on multiple listings on its UK website. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter, Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

    Cyber Security Roundup for May 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

    As well reported, UK foreign exchange firm Travelex business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that
     REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

    Cognizant, a US large digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware.  Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack, not only encrypts victim's files but steals sensitive data from the IT systems as well. Enabling the bad guys to threaten the publishing of the stolen data if the organisation cough up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.

    Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads  The blog covers ransomware payloads said to be straining security operations especially in health care, Microsoft warned, urging security teams to look for signs of credential theft and lateral movement activities that herald attacks.

    Researchers continue to be busy in exposing large sensitive datasets within misconfigured cloud services.  In April researchers reported 14 million Ring user details exposed in misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

    Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant Nintendo said from April, its user's accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion had occurred, saying it “seems to have been made by impersonating login to “Nintendo Network ID. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues the company has abolished user’s ability to log into their Nintendo account via NNID and passwords for both NNID and Nintendo accounts are being reset and the company is recommending multi-factor authentication be set up for each account.  The account breaches weren't the only cyber issue affecting Nintendo in April, it reported that a bot, dubbed 'Bird Bot' was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot using reseller benefits at the expense of consumers, in buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, so making a quick and easy tidy profit, due to the current high demand of Switches and lack of supply.

    April was a busy month for security updates, Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday for a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in illustrator and Bridge at the end of the month.  Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!  

    Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,Sophos said.

    There were security critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches for including a CVSS scored 10 (highest possible) in vCenter, a critical in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patch their vulnerabilities.

    Stay safe, safe home and watch for the scams.

    BLOG
    NEWS

    AWARENESS, EDUCATION AND THREAT INTELLIGENCE