Threat Intelligence Blog
Welcome to this week's Black Arrow Cyber Tip Tuesday - This week Tony talks about why it is important to us to be independent, and how our impartiality and objectivity help our customers.
This week we are talking about why it is important to us to be independent and how our independence helps us and helps our customers. As an independently owned and operated business we are able to be completely impartial and objective. We are not tied to any vendor, product, service provider or supplier, and this means we can be objective and transparent in our approach. We offer true independence and can advise on a range of different solutions to meet all budgets. We can work with you whether you have IT in house or whether you outsource your IT to an external third party provider, and remember that information security goes far beyond just being an IT problem. Talk to us to see how we can help you to evaluate the efficacy of the controls you have in place or where you might benefit from new ones.
Week in review 25 January 2020 – Phishing dominates UK, Ransomware payments doubled, 160,000 breaches reported under GDPR, Citrix vulns exploited, Internet Explorer zero-day
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Phishing dominates UK cybercrime landscape
If there’s one thing General Data Protection Regulation (GDPR) did for sure, it gave us a clearer picture of the UK cyber security landscape.
A new report says that more security breaches were reported to the Information Commissioner’s Office (ICO) in 2019 than in any previous year. A total of 2,376 reports were made, compared with 1,854 in 2018, and 540 in 2017.
The report shows that there was a 28 per cent increase in the number of reported incidents between 2018 and 2019.
In particular, reports of phishing skyrocketed, rising from 16 reports in 2017, to 877 in 2018, to 1,080 in 2019. Of all of the incidents reported to the ICO in 2019, 45 per cent were related to phishing.
Other notable methods included unauthorised access (791 reported incidents), malware/ransomware (243), hardware and software misconfiguration (64), and brute force password attacks (34).
Read more here: https://www.itproportal.com/news/phishing-dominates-uk-cyber-threat-landscape/
Ransomware Payments Doubled and Downtime Grew in Q4
The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from a security firm.
The security vendor analysed anonymised data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.
It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. The firm believes the jump reflects the diversity of the attackers using ransomware today.
Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies, where they can attempt to extort the organization for a seven-figure payout. Ryuk ransom payments reached a new high of $780,000 for impacted enterprises.
At the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.
Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. During the quarter, attackers using the former variant began stealing data to force firms to pay up, which may have increased the figure for total losses.
During the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate.
Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.
According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as it will lead to continued attacks.
Read the original article here: https://www.infosecurity-magazine.com/news/ransomware-payments-doubled/
GDPR: 160,000 data breaches reported already, so expect the big fines to follow
Over 160,000 data-breach notifications have been made to authorities in the 18 months since Europe's new digital privacy regulation came into force, and the number of breaches and other security incidents being reported is on the rise.
Analysis by a UK law firm found that after the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
"GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organisations," according to a partner at the firm who specialises in cyber and data protection.
Read the full article on ZDNet here: https://www.zdnet.com/article/gdpr-160000-data-breaches-reported-already-so-expect-the-big-fines-to-follow/
Hackers target unpatched Citrix servers to deploy ransomware
Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware.
Multiple sources in the infosec community are reporting about hacker groups using the CVE-2019-19781 vulnerability in Citrix appliances to breach corporate networks and then install ransomware.
Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach.
The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.
Read more here: https://www.zdnet.com/article/hackers-target-unpatched-citrix-servers-to-deploy-ransomware/
Why the Jeff Bezos phone hack is a wake-up call for the powerful
When deeply personal information about one of the world’s most powerful businessmen is exposed through an attack apparently coming from the WhatsApp account of a future head of state, then who can truly feel safe?
This week’s assertion that Jeff Bezos’s iPhone X was probably hacked by the personal account of Mohammed bin Salman, crown prince of Saudi Arabia, had plenty of shock value. For anyone operating at a senior level of business or government, it is a clear wake-up call.
Read more on the FT here: https://www.ft.com/content/b5f6f3d0-3e05-11ea-a01a-bae547046735
Top UK law firms falling victim to human error
Nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.
Read more on LegalFutures here: https://www.legalfutures.co.uk/blog/gdpr-top-uk-law-firms-falling-victim-to-human-error
Regus data breach sees staff performance data published online
A spreadsheet with names, addresses and job performance data was easily found via Google, the media claim.
Personal details, as well as professional performance, of more than 900 employees of Regus have been published online after a mishap following staff review.
The media are reporting that the major office space provider had been recording its staff, with the help of mystery shopping firm Applause, for the sake of training and improving the performance of the employees. The details were subsequently published online.
Reports state that a spreadsheet with names, addresses and job performance data was easily found via Google.
Read the full article here: https://www.itproportal.com/news/regus-data-breach-sees-staff-performance-data-published-online/
Cisco Warns of Critical Network Security Tool Flaw
The critical flaw exists in Cisco’s administrative management tool, used with network security solutions like firewalls.
A critical Cisco vulnerability exists in its administrative management tool for Cisco network security solutions. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices.
The flaw exists in the web-based management interface of the Cisco Firepower Management Center (FMC), which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service. Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.
Read more on ThreatPost here: https://threatpost.com/cisco-critical-network-security-tool-flaw/152131/
Microsoft Zero-Day Actively Exploited, Patch Forthcoming
An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It’s working on a patch. In the meantime, workarounds are available.
The bug (CVE-2020-0674) which is listed as critical in severity for IE 11, and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser, according to Microsoft’s advisory, issued Friday.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user – meaning that an adversary could gain the same user rights as the current user.
Read more here: https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/
Big Microsoft data breach – 250 million records exposed
Microsoft on Wednesday announced a data breach that affected one of its customer databases.
The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.
Microsoft didn’t give details of how big the database was. However, the firm that says it discovered the unsecured data online claims it was of the order of 250 million records containing:
…logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.
According to the company that found the records, that same data was accessible on five different servers.
The company informed Microsoft, and Microsoft quickly secured the data.
Read more here: https://nakedsecurity.sophos.com/2020/01/22/big-microsoft-data-breach-250-million-records-exposed/
Exposed AWS buckets again implicated in multiple data leaks
The lack of care being taken to correctly configure cloud environments has once again been highlighted by two serious data leaks in the UK caused by leaking Amazon Simple Storage Service (S3) bucket databases.
As a default setting, Amazon S3 buckets are private and can only be accessed by individuals who have explicitly been granted access to their contents, so their continued exposure points to the concerning fact that consistent messaging around cloud security policy, implementation and configuration is failing to get through to many IT professionals.
Read the full article on ComputerWeekly: https://www.computerweekly.com/news/252476870/Exposed-AWS-buckets-again-implicated-in-multiple-data-leaks
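The paragraph above makes the key point: an S3 bucket is private by default, so a leak means someone changed the ACL, attached a public bucket policy, or turned off the Public Access Block. The following Python example, added here and not taken from the ComputerWeekly article or from AWS, shows how a defender can evaluate those three controls together. It runs offline on constructed dicts shaped like the responses of the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls; the bucket name, account ID and role ARN in the samples are placeholders, and the two sample configurations (a leaky one beside a hardened one) are constructed for illustration.

```python
"""Added example: decide whether an S3 bucket's ACL, bucket policy and
Public Access Block settings leave its contents readable by the world.
Inputs are constructed dicts shaped like the responses of the real
GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock API calls."""
import json

# Canned ACL group URIs meaning "everyone" (AllUsers) or "any AWS account"
# (AuthenticatedUsers); either one is public for practical purposes.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    """True if a policy statement's Principal matches anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements whose Principal is public.

    Conditioned statements are still reported: a Condition narrows access,
    but a reviewer has to decide whether it narrows it enough.
    """
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given bare
        stmts = [stmts]
    return [
        s.get("Sid", "<no Sid>")
        for s in stmts
        if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
    ]


def public_acl_grants(acl: dict) -> list:
    """Return permissions the bucket ACL grants to AllUsers/AuthenticatedUsers."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES
    ]


def assess_bucket(acl: dict, policy_json: str, access_block: dict) -> dict:
    """Combine the three controls the way S3 enforces them.

    IgnorePublicAcls makes public ACL grants ineffective, and
    RestrictPublicBuckets limits a public bucket policy to principals inside
    the account. Only exposures that survive those settings count as
    effectively public; the raw findings are returned as well so the
    misconfiguration can still be cleaned up.
    """
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    effective_acl = [] if access_block.get("IgnorePublicAcls") else acl_hits
    effective_policy = [] if access_block.get("RestrictPublicBuckets") else policy_hits
    return {
        "public_acl_grants": acl_hits,
        "public_policy_sids": policy_hits,
        "effectively_public": bool(effective_acl or effective_policy),
    }


# --- constructed sample configurations (placeholder names, not real buckets) ---
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

HARDENED_ACL = {"Grants": [LEAKY_ACL["Grants"][0]]}  # bucket owner only
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for label, args in [("leaky", (LEAKY_ACL, LEAKY_POLICY, NO_BLOCK)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, FULL_BLOCK))]:
        print(label, assess_bucket(*args))
```

Fed the real API responses, this separates "the bucket has a public grant on paper" from "the bucket is actually reachable by the world", which is the distinction that matters when triaging a fleet: the first is a hygiene finding, the second is an incident.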
What Is Smishing, and How Do You Protect Yourself?
You’re probably familiar with email-based phishing, where a scammer emails you and tries to extract sensitive information like your credit card details or social security number. “Smishing” is SMS-based phishing—scam text messages designed to trick you.
How-To Geek have a useful guide explaining what Smishing is and how best to protect yourselves. Read the guide here: https://www.howtogeek.com/526115/what-is-smishing-and-how-do-you-protect-yourself/
Cyber Tip Tuesday for 21 January 2020 - James talks about the dangers of Internet of Things (IoT) and Shadow IT
Welcome to this week's Black Arrow Cyber Tip Tuesday. This week James is talking about dangers from Internet of Things (IoT) and Shadow IT devices that may have crept onto your corporate networks. Do you know all the devices on your network? Do they introduce security risks to your business? In an increasingly connected world, the security umbrella with which you protect your organisation’s information assets is constantly expanding. At the fringes and often overlooked by businesses, are the Internet of Things (or IoT) and Shadow IT.
The Internet of Things consists of an ever-increasing number of physical devices with network connectivity features. People often associate IoT with smart consumer devices. However, many IoT devices also exist in a corporate environment, and they are often overlooked when a company evaluates its information assets. As such they remain invisible to your Vulnerability Management strategy and can seriously compromise your security posture.
Conversely, Shadow IT refers to software and applications that aren’t sanctioned by your company but have instead been installed by users (often to fulfill a single task and then they’re forgotten). This isn’t always a bad thing, except when these applications have access to company information but lack the controls and governance surrounding sanctioned applications. In which case they pose a significant risk to the security of your data and your business.
Contact us to discuss how you can decrease risk by increasing visibility.
Week in review 19 January 2020 – hacker leaks IoT passwords, WordPress plugin vulns, Oracle record patch haul, 25% of users fall for phishing, quarter of PCs vulnerable now Windows 7 unsupported
Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.
The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.
According to experts, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
Read more here: https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
Equifax Breach Settlement Could Cost Firm Billions
Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.
The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.
Over two-fifths (44%) of the population of the US are thought to have been affected.
This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.
Read more here: https://www.infosecurity-magazine.com/news/equifax-breach-settlement-could/
WordPress plugin vulnerability can be exploited for total website takeover
A WordPress plugin has been found to contain "easily exploitable" security issues that can be exploited to completely take over vulnerable websites.
The plugin at the heart of the matter, WP Database Reset, is used to reset databases -- either fully or based on specific tables -- without the need to go through the standard WordPress installation process.
According to the WordPress library, the plugin is active on over 80,000 websites.
The two severe vulnerabilities were found on January 7 and either of the vulnerabilities can be used to force a full website reset or takeover.
Tracked as CVE-2020-7048, the first critical security flaw has been issued a CVSS score of 9.1. As none of the database reset functions were secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication.
Oracle Issues Record Critical Patch Update cycle with 334 Patches
Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.
The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.
Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly.
Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).
It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.
Read the original article here: https://www.infosecurity-magazine.com/news/oracle-issues-record-cpu-with-334/
Giant botnet has just sprung back to life pushing a big phishing campaign
One of the world's most prolific botnets has returned and is once again attempting to deliver malware to victims via phishing attacks.
Emotet started life as a banking trojan before evolving into a botnet, which its criminal operators leased out to other hackers as a means of delivering their own malware to previously compromised machines.
Such was the power of the botnet that at one point last year it accounted for almost two-thirds of malicious payloads delivered in phishing attacks.
But after seemingly disappearing towards the end of 2019, Emotet has now returned with a giant email-spamming campaign, as detailed by researchers at cybersecurity company Proofpoint.
Read more here: https://www.zdnet.com/article/this-giant-botnet-has-just-sprung-back-into-life-pushing-a-big-phishing-campaign/
A quarter of users will fall for basic phishing attacks
Slightly more than a quarter of people will fall for a phishing scam that claims to be an urgent message prompting them to change a password, according to statistics gathered by a cyber security testing and training firm.
The security firm studied tens of thousands of email subject lines both from simulated phishing tests and those found in the wild, and found many of the most-clicked emails related either to security or urgent work-related matters.
It revealed its top 10 most effective simulated subject lines to be: Change of Password Required Immediately (26% opened); Microsoft/Office 365: De-activation of Email in Process (14% opened); Password Check Required Immediately (13% opened); HR: Employees Raises (8% opened); Dropbox: Document Shared With You (8% opened); IT: Scheduled Server Maintenance – No Internet Access (7% opened); Office 365: Change Your Password Immediately (6% opened); Avertissement des RH au sujet de l’usage des ordinateurs personnels (6% opened); Airbnb: New device login (6% opened); and Slack: Password Reset for Account (6% opened).
In the wild, subject lines often tended to relate to Microsoft, with emails about SharePoint and Office 365 particularly likely to be opened, as well as notifications about Google and Twitter accounts. People were also likely to fall for emails pretending to be related to problems with a shipping company, with FedEx the most widely impersonated, as well as the US Postal Service.
Read the full article here: https://www.computerweekly.com/news/252476845/A-quarter-of-users-will-fall-for-basic-phishing-attacks
Business Disruption Attacks Most Prevalent in Last 12 Months
Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.
According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, over a third (36%) of incidents involved ransomware, destructive malware or denial of service attacks. CrowdStrike determined these three factors to be focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.
Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.
Read more here: https://www.infosecurity-magazine.com/news/business-disruption-attacks/
Quarter of PCs could now be more at risk from ransomware
Last week saw the day when Windows 7 reached end of life. That means that Microsoft will no longer issue regular patches or updates for the famed operating system. From now on, any flaw or vulnerability discovered will remain unpatched, and the machines running the old system will remain at risk.
Any businesses or individuals running legacy and unsupported operating systems will be at a greater risk of ransomware than before.
WannaCry, one of the most devastating ransomware strains of all time, was successful mostly because of unpatched systems. Roughly 200,000 devices in 150 countries around the world will be vulnerable to similar malware, now that Windows 7 is no longer receiving security updates from Microsoft.
From this month, a quarter of all PCs are going to fall into this unsupported category so it is vital that any organisations that rely on Windows 7 are aware of the risks and what they need to mitigate them.
Read the original article here: https://www.itproportal.com/news/quarter-of-pcs-could-now-be-more-at-risk-from-ransomware/
5 tips to avoid spear-phishing attacks
Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.
The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.
Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims such as the Burismas of the world.
Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.
So here are Sophos’ 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:
1. Don’t be swayed just because a correspondent seems to know a lot about you
2. Don’t rush to send out data just because the other person tells you it’s urgent
3. Don’t rely on details provided by the sender when you check up on them
4. Don’t follow instructions on how to view an email that appear inside the email itself
5. Don’t be afraid to get a second opinion
Read the full article here: https://nakedsecurity.sophos.com/2020/01/17/5-tips-to-avoid-spear-phishing-attacks/
Organized cybercrime -- not your average mafia
Does the common stereotype for "organised crime" hold up for organisations of hackers? Research from a US university is one of the first to identify common attributes of cybercrime networks, revealing how these groups function and work together to cause an estimated $445-600 billion of harm globally per year.
"It's not the 'Tony Soprano mob boss type' who's ordering cybercrime against financial institutions," said Thomas Holt, MSU professor of criminal justice and co-author of the study. "Certainly, there are different nation states and groups engaging in cybercrime, but the ones causing the most damage are loose groups of individuals who come together to do one thing, do it really well - and even for a period of time - then disappear."
In cases like New York City's "Five Families," organised crime networks have historic validity, and are documented and traceable. In the online space, however, it's a very difficult trail to follow, Holt said.
Read more here: https://eurekalert.org/pub_releases/2020-01/msu-oc-011620.php
Cybercrime Statistics in 2019
It doesn’t make for cheery reading, but a researcher has compiled a list of statistics for cyber crime. Here are a few choice headlines:
Cybercrime will cost as much as $6 trillion annually by 2021
Financial losses reached $2.7 billion in 2018
The total cost of cybercrime for each company in 2019 reached US$13M
The total annual cost of all types of cyberattacks is increasing
Read the full article here: https://securityaffairs.co/wordpress/96531/cyber-crime/cybercrime-statistics-in-2019.html
Cyber Tip Tuesday for 14 January - No Technical Tool or Tools offer 100% Protection
Today we are talking about tools, as no tool, or suite of tools, can offer one hundred percent protection, after all anything man made can be man broken! Even if a tool did offer complete protection today there will be teams of people around the world working around the clock to break it. Anyone who says they rest easy or who says they sleep well at night because they have a particular tool is likely overconfident in that tool's ability to keep them safe. Multiple layers of protection are needed and any technical solution still needs to be backed up with robust people and governance controls.
We can analyse your protections to see where your weaknesses might exist, and we can help shore up people and governance controls too.
Week in review 12 January 2020 – Office 365 Phishing, Firms Hit Once Per Minute, Dixons Carphone fined, Travelex hackers threaten to sell data, Firefox zero-day exploit, Citrix scanned for vulns
Office 365 users: Beware of phishing emails pointing to Office Sway
One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.
The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because either it was sent from an onmicrosoft.com email address or it includes links in the email that point to sway.office.com and other trusted sites (e.g., LinkedIn). The email pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.
Read more here: https://www.helpnetsecurity.com/2020/01/10/phishing-office-sway/
Cyber-Attacks Hit UK Firms Once Per Minute in 2019
UK businesses were deluged with cyber-attacks in 2019, with the average firm hit by over half a million attempts to compromise its systems, according to a new report.
Beaming, a UK-based business Internet Service Provider (ISP), extrapolated the findings from data on its own corporate customers across the country.
It calculated that the average number of attacks aimed at a single business last year was 576,575, more than double the 281,094 recorded in 2018 and the highest since the ISP began analysing this kind of data in 2016.
That means UK businesses were forced to repel 66 attacks per hour on average in 2019.
The firm identified 1.8 million unique IP addresses responsible for the attacks last year, just under a fifth (18%) of which were located in China. However, this is more an indication of the sheer number of potentially hijacked machines based in the country rather than the origin of the attackers.
There was a fairly big drop to second placed Brazil (7%), which was followed by Taiwan (6%) and Russia (5%) in terms of originating IP addresses for attacks.
Attackers most commonly targeted network device admin tools and IoT endpoints like connected security cameras and building control systems, according to Beaming. These suffered 92,448 attacks in total last year, while 35,807 were targeted at file sharing applications.
Read the full article here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-once-per/
Dixons Carphone Receives Maximum Fine for Major Breach
A major UK high street retailer has been fined the maximum amount available under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.
Privacy regulator the Information Commissioner’s Office (ICO) fined DSG Retail £500,000 under the Data Protection Act 1998 after Point of Sale (POS) malware was installed on 5,390 tills.
The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, a nine-month period during which the attackers were able to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers.
The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.
More information here: https://www.infosecurity-magazine.com/news/dixons-carphone-receives-maxi-fine/
Travelex hackers threaten to sell credit card data on dark web
The criminals behind the Travelex attack have stepped up the pressure on the company to pay a $6m ransom to decrypt its data by issuing a new threat to sell personal data about its customers on the dark web.
The threat comes after a cyber crime group used sophisticated malware, known as Sodinokibi or REvil, to encrypt the currency exchange’s computer files, forcing the company to switch off its worldwide computer network.
Travelex, which has hired computer experts to investigate the incident, said on 9 January that it was making progress in bringing its systems back online and that there was “still no evidence to date that any data has been exfiltrated”.
The attack has disrupted Travelex operations for 10 days, leaving the firm’s customers unable to collect foreign currency orders, use the Travelex app, or pay for currency using credit cards. This has led to widespread complaints from customers.
Over a dozen banks, including the Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, which rely on Travelex to provide services, have also told customers they are unable to take orders for foreign currency.
The crime group has stepped up pressure on Travelex, which has operations in 70 countries, by threatening to sell personal data collected from the company, including credit card details, on a Russian cyber crime forum.
Read the full article here: https://www.computerweekly.com/news/252476526/Travelex-hackers-threaten-to-sell-credit-card-data-on-dark-web
PayPal Confirms ‘High-Severity’ Password Security Vulnerability
PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker. The problem, which was publicly disclosed on January 8, had been patched by PayPal on December 11, 2019.
Read more here: https://www.forbes.com/sites/daveywinder/2020/01/10/paypal-confirms-high-severity-password-security-vulnerability/#42f496561b50
Mozilla patches actively exploited Firefox zero-day
Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.
Read more here: https://www.helpnetsecurity.com/2020/01/09/cve-2019-17026/
Hackers probe Citrix servers for weakness to remote code execution vulnerability
Cyberattackers are performing scans to find Citrix servers vulnerable to a critical security flaw.
Disclosed in December, the severe vulnerability, tracked as CVE-2019-19781, impacts the Citrix Application Delivery Controller (ADC), also known as NetScaler ADC, alongside Citrix Gateway, formerly known as NetScaler Gateway. It is a directory traversal flaw which, if exploited, allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on the appliance.
Researchers have estimated that at least 80,000 organizations in 158 countries are users of ADC and could, therefore, be at risk. Companies in the firing line are predominantly based in the US -- roughly 38 percent -- as well as the UK, Germany, the Netherlands, and Australia.
Read more here: https://www.zdnet.com/article/hackers-probe-unsecured-citrix-servers-for-netscaler-vulnerability/
Our first Black Arrow Cyber Tip Tuesday video for 2020 - what's coming up in the next couple of months
Welcome to our first Black Arrow Cyber Tip Tuesday for 2020, a chance for us to have a think about what's coming up over the next couple of months.
Firstly, we know the new GFSC rules on cyber security will be going out to consultation and we know that the GFSC will be putting a lot more focus on cyber security, both in terms of operational and governance risk, and regulated firms need to think about how they are going to demonstrate compliance with these new regulations.
Secondly, we will be holding our first workshop for charities later in Q1, once we have completed a number of case studies with local charities to ensure the workshop hits the right note with the charities we are trying to help. More info on this will follow in the next month or so.
Whether you're a regulated financial services firm, any other kind of business, large or small, or a charity, contact us today to see how we can help make security easier for you to understand and protect yourselves against attacks.
Note to Channel Islands firms on media coverage on the increased risk of cyber attacks from Iran
There has been extensive coverage in both tech and mainstream media warning about the possibility of revenge cyber attacks by Iran following the targeted killing of Iranian General Qasem Soleimani by the United States last week.
Whilst there is a chance that Iran will attack the US and her allies, firms in the West need to consider their threat models and whether or not Iranian interests intersect with their business operations.
Unless a local Channel Islands firm is providing high profile services directly to the US, or otherwise would have operations significant enough to be directly targeted by Iran, it is unlikely there is much danger to Channel Islands firms specifically from the Iranians as a result of this assassination.
Nation state actors do pose an ongoing threat to businesses across the Channel Islands, and good cyber hygiene should be followed to guard against attacks by nation states and any other malicious actors wanting to cause you harm.
If you have any specific concerns or if you want to discuss your existing defensive capabilities please contact us.
Week in review 05 January 2020 - December breaches, worst passwords, Travelex taken offline, IoT security stinks, Iran revenge cyber attacks expected on US
Week in review 05 January 2020 - Round up of the most significant open source stories of the last week, December breaches, worst passwords, Travelex taken offline, IoT security stinks, Iran revenge attacks expected on US
Welcome to our first blog post of 2020:
List of data breaches and cyber attacks in December 2019 – 627 million records breached
The new year – and new decade – is underway, but before saying goodbye to 2019, ITGovernance had one more monthly round-up to get to.
December saw 90 disclosed data breaches and cyber attacks, with 627,486,696 records being compromised. That’s about a third of the average monthly total, although the number of incidents has climbed steadily throughout the year.
Refer to the original article for the full list of December’s incidents: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-december-2019
These are officially the worst passwords of 2019
SplashData has released its annual list of the most commonly-used passwords across the world, uncovering that old security habits really do die hard.
The security firm investigated over five million leaked passwords over the past twelve months, and found that many of the most common logins would be easy to guess for even the most incompetent hackers.
In perhaps the most surprising news, "password" has for the first time been knocked out of the top two spots, being replaced by the painfully simple "123456" and "123456789".
SplashData estimates almost 10 percent of people have used at least one of the 25 worst passwords on this year’s list, with nearly three percent using "123456".
Here are the so-called "worst passwords of 2019"
123456
123456789
qwerty
password
1234567
12345678
12345
iloveyou
111111
123123
Read the original article here: https://www.techradar.com/uk/news/these-are-officially-the-worst-passwords-of-2019
Hacks and Breaches of 2019: A Year in Review
SecurityBoulevard have a review of the biggest hacks and breaches from 2019, including Fortnite in January, WhatsApp from May, Facebook from April, Amazon Web Services from July and Zynga from September.
Read the full article here: https://securityboulevard.com/2020/01/hacks-and-breaches-of-2019-a-year-in-review/
US based Company shuts down because of ransomware, leaves 300 without jobs just before holidays
An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn't go according to plan following a ransomware incident that took place at the start of October 2019.
Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company's CEO.
Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard.
This shows how devastating ransomware attacks can be on businesses of all sizes.
Read the original article here: https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/
Travelex site taken offline after cyber attack
The foreign-currency seller Travelex had to suspend some of its services to protect data after the firm suffered what it described as a ‘software virus attack’ on New Year's Eve.
The company has resorted to carrying out transactions manually, providing foreign-exchange services over the counter in its branches.
A spokesman stated the firm is doing all it can to restore full services as soon as possible.
More from the BBC here: https://www.bbc.com/news/business-50977582
After latest hack, experts say smart home security systems stink at securing data
Another day, another smart home camera system security hack, this one affecting the Seattle-based company Wyze. First reported by a Texas-based cybersecurity firm and confirmed by Wyze, the hack is estimated to have affected 2.4 million customers who had their email addresses, the emails of anyone they ever shared camera access with, a list of their cameras, the last time they were on, and much more information exposed. Some customers even had their health data leaked.
Wyze is a home camera system similar to Amazon’s Ring but more economical: Wyze’s products cost about a third of the price of Ring’s. Both companies have now experienced at least one kind of major breach, either a hack or a leak, that should raise the eyebrows of anyone considering purchasing this type of home security.
Read the full article here: https://www.digitaltrends.com/news/wyze-data-hack-protection/
Iran 'revenge' could come in the form of cyber-attacks, experts warn
The US assassination of Qassem Suleimani has increased the likelihood that the protracted cyber-hostilities between the US and Iran could escalate into true cyberwarfare.
With tensions mounting and Iran threatening “severe revenge” over the killing, concerns have arisen that blowback could come in the form of hacking attacks on critical infrastructure sectors, which include the power grid, healthcare facilities, banks and communications networks.
Iran has invested heavily in its cyber-attack forces since the Stuxnet attack in 2010 – which saw the US and Israel degrade Iran’s nuclear capabilities by means of a computer virus. It has demonstrated its capabilities with attacks on US banks and a small dam, and the US has countered with attacks on an Iranian intelligence group and missile launchers.
There is a danger attacks by Iran against the US spread to other targets in the West and we will continue to monitor any developments.
Read the original article here: https://www.theguardian.com/world/2020/jan/03/iran-cyberattacks-experts-us-suleimani
Black Arrow Cyber Tip Tuesday - Looking to 2020 and increased focus on cyber by the GFSC for all regulated financial service firms
Welcome to the final Cyber Tip Tuesday of the year, on this the last day of 2019.
As we look back over the last twelve months, the most significant thing, at least as far as regulated financial services firms in the Bailiwick are concerned, is that the GFSC is putting a lot more focus on, and changing the ways it is assessing, cyber risk - both in terms of operational risk and governance risk.
The Commission will be putting new regulations out to public consultation in the new year, but firms need to think about getting on the front foot and consider whether they are doing all they should be doing in relation to cyber security.
We know what the Commission will be looking for as we were directly involved in the thematic review that led to these new regulations, and provided direction for the regulations themselves and the changes to the way firms will be assessed as part of ongoing supervision.
Talk to us to see how we can help you to ensure that you have appropriate protections and controls in place and to help you meet the new regulations when they come into force.
Have a happy, safe and secure 2020
Week in review 29 December 2019 Round up of the most significant open source stories of the last week
Black Arrow Cyber Security review of top open source news articles for week ending 29 December 2019: 10 biggest hacks of the decade, biggest malware threats, MI6 floorplans lost, Citrix vulnerabilities, popular chat app actually spying tool, jobs in infosec
Black Arrow Cyber Consulting would like to wish everyone a happy, prosperous, and cyber safe, 2020
A bit of a quiet week, as one would expect with the Christmas festivities. As it’s the end of the year, and indeed the end of a decade, there are lots of round-ups of the last year and the last decade, and a lot of predictions for what 2020 will hold (we suspect more bad stuff: more ransomware, more devious and nasty strains of ransomware at that, and more breaches). In that vein, on to our first story:
The 10 biggest data hacks of the decade
This article comes from CNBC in the US and whilst the content is US centric a lot of people on this side of the Atlantic would have been caught up in a lot of these breaches too.
Since 2010, data breaches have exposed over 38 billion records, and there have been at least 40,650 data hacks in this time. And while many were smaller data breaches, there were a few mega hacks that will likely remain records for years to come.
Amongst the biggest breaches are:
Under Armour (MyFitnessPal), from March 2018 with 143.6 million records hacked
Equifax from September 2017 with 147 million records hacked
Marriott (Starwood) from November 2018 with 383 million records hacked
Veeam from September 2018 with 445 million records hacked
Yahoo! from September and December 2016 with up to 3 billion records hacked
There have been many other breaches affecting other companies, such as WhatsApp and Fortnite, who have reported security flaws in the past year that could have exposed millions of customers’ data, but the extent of the accessed data has not yet been fully ascertained.
Read the full article here: https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html
Live visualisations of the World’s Biggest Data Breaches and Hacks can be found at: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Biggest Malware Threats of 2019
2019 was another banner year for bots, trojans, RATS and ransomware. Let’s take a look back.
One out of five computer users were subject to at least one malware-class web attack in 2019. This past year cities such as New Orleans were under ransomware siege by the likes of malware Ryuk. Zero-day vulnerabilities were also in no short supply with targets such as Google Chrome and Operation WizardOpium.
Threatpost have taken a look back over their coverage from the last 12 months.
The Remote Desktop Protocol vulnerabilities BlueKeep, and then DejaBlue, allowed unauthenticated remote attackers to take complete control of targeted endpoints. The fear that BlueKeep, being wormable, could spread the way WannaCry did forced Microsoft’s hand into patching systems as old as Windows XP.
This past year had its fair share of zero-day vulnerabilities. One of the most prominent was Urgent/11, a set of 11 vulnerabilities in the VxWorks real-time OS, several of which allow remote code execution. Because VxWorks is used in so many critical infrastructure and medical devices, the U.S. Food and Drug Administration took the unusual step of releasing a warning urging admins to patch.
We were warned last year when mitigating against Meltdown and Spectre that we would face more side-channel related CPU flaws in the future. And this year we did, with variants ranging from ZombieLoad to Bounds Check Bypass Store, Netspectre and NetCAT. For 2020? Expect even more variants, say experts.
2019 was the year ransomware criminals turned their attention away from consumers and started focusing on big targets such as hospitals, municipalities and schools. There was the Ryuk attack against New Orleans, Maze ransomware behind Pensacola attack and rash of attacks against hospitals that resulted in some care facilities turning patients away.
Botnets continued to be a key tool in cyberattacks in 2019. This past year saw the return of the notorious Emotet botnet. The crooks behind Trickbot partnered with the banking trojan cybercriminals behind IcedID and Ursnif. Lastly, Echobot, an IoT botnet, cast a wider net in 2019 with a raft of exploit additions.
Perhaps the highest-profile cryptominer attack occurred in May when researchers found 50,000 servers were infected for over four months as part of a high-profile cryptojacking campaign featuring the malware Nansh0u. The past year also saw a new XMRig-based cryptominer called Norman emerge, which stood apart because of its clever ability to go undetected.
Even though the target is smaller, mobile devices offer criminals top-tier data. Not only are APTs shifting focus on mobile, but so are garden-variety crooks. Take, for example, the Anubis mobile banking trojan that only goes into action after it senses the targeted device is in motion. Then there was the Instagram-initiated campaign using the Gustuff Android mobile banking trojan that rolled out in October.
Google’s Project Zero, in August, disclosed 14 iOS vulnerabilities that had been exploited in the wild since at least September 2016. According to Google's Threat Analysis Group (TAG), the flaws could allow malware to steal messages, photos and GPS coordinates. They were combined into five exploit chains delivered through a watering-hole attack that had lasted years; Google said the malware payload was a custom implant built for monitoring.
In May, researchers uncovered a unique Linux-based malware dubbed HiddenWasp that targeted systems to remotely control them. The malware is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.
Discussing malware without touching on business email compromise-based attacks would be like talking about the New England Patriots without mentioning Tom Brady. Fake Greta Thunberg emails were used to lure victims into downloading the Emotet malware. The Swedish climate-change activist was just one of many lures; in 2018 alone, reported cyber-enabled scams ran to 351,000 complaints with losses exceeding $2.7 billion.
Read the original article here: https://threatpost.com/biggest-malware-threats-of-2019/151423/
7 types of virus – a short glossary of contemporary cyberbadness
Technically, this article is about malware in general, not about viruses in particular.
These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use.
But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.
So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.
Read the full article here: https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/
MI6 floor plans lost by building contractor
Floor plans of MI6's central London headquarters were lost by building contractors during a refurbishment.
The documents, most of which were recovered inside the building, held sensitive information on the layout, including entry and exit points.
Balfour Beatty, the company working on the refurbishment at the headquarters in Vauxhall, is reportedly no longer working on the project.
The Foreign Office said it did not comment on intelligence matters.
The documents, which went missing a few weeks ago, were produced and owned by Balfour Beatty and designed to be used for the refurbishment.
The contractor kept the plans on the site at Vauxhall Cross in a secure location.
BBC security correspondent Gordon Corera said the missing plans were not classified or intelligence documents, but the pages did hold sensitive details.
Most, but not all, of the documents were recovered inside the building after it was noticed they were missing, he said.
Balfour Beatty said it could not comment because of sensitivities.
The incident, first reported by the Sun newspaper, is reportedly a result of carelessness, rather than any hostile activity.
Read the original article here: https://www.bbc.co.uk/news/uk-50927854
Citrix vulnerability could allow criminals to hack 80,000 companies
Researchers have found a vulnerability in popular enterprise software offerings from Citrix which puts tens of thousands of companies at risk of cyber attack.
A security researcher uncovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), which allows direct access to a company network from the internet.
According to a report on the flaw, around 80,000 companies in 158 countries around the world could be at risk. Most companies are located in the US, with the UK, Germany, the Netherlands and Australia sharing a significant portion.
Read the full article here: http://www.itproportal.com/news/citrix-vulnerability-allows-criminals-to-hack-80000-companies
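Both Citrix stories above (the December disclosure here and the January scanning activity earlier on this page) come down to the same thing: a directory traversal flaw that attackers probe for by sending request paths containing ".." segments, often percent-encoded once or twice to slip past naive filters. The following is an added example, not code from the original page, from Citrix or from the linked articles, showing how a practitioner would sweep web-server access logs for such probes and tell a blocked probe from one the server actually honoured. The log lines are constructed and the request paths are made up for illustration; they are deliberately not the published indicator strings for CVE-2019-19781, and the Common Log Format layout is an assumption about the reader's logs.

```python
"""Spot directory-traversal probes in web-server access logs.

Added example, not code from the original page, from Citrix or from the
articles it links. The log lines are constructed; the request paths are
made up to illustrate the technique and are NOT the published indicator
strings for CVE-2019-19781.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format (assumed): ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw: str) -> str:
    """Percent-decode up to twice.

    A single decode misses double-encoded probes such as %252e%252e
    (which decodes to %2e%2e and only then to ..), a standard trick
    against filters that decode once.
    """
    cur = raw
    for _ in range(2):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def analyse_path(raw_path: str):
    """Return (traversal, resolved) for one request path.

    traversal is True when the decoded path contains a literal '..'
    segment. Browsers normalise such paths before sending, so one in a
    server log means a client deliberately asked to climb the tree.
    resolved is where the path would land after normalisation.
    """
    decoded = decode_path(raw_path.split("?", 1)[0])
    traversal = ".." in decoded.split("/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return traversal, posixpath.normpath(decoded)


def scan(lines):
    """Return one finding per traversal request in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        traversal, resolved = analyse_path(m["path"])
        if traversal:
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "resolved": resolved,
                "status": status,
                # A 2xx/3xx on a traversal means the server honoured it:
                # treat as probable compromise, not just a probe.
                "served": status < 400,
            })
    return hits


# Constructed sample log (made-up paths and documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:08:12:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2020:08:12:07 +0000] "GET /portal/../admin/config.xml HTTP/1.1" 200 2080',
    '203.0.113.9 - - [10/Jan/2020:08:12:09 +0000] "POST /portal/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '198.51.100.2 - - [10/Jan/2020:08:13:00 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow?x=1 HTTP/1.1" 403 0',
    '203.0.113.5 - - [10/Jan/2020:08:14:00 +0000] "GET /portal/docs/readme..txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["ip"]:>14} {flag:>7} {hit["path"]} -> {hit["resolved"]}')
```

Run against the constructed log this flags three requests from two addresses and leaves the benign "readme..txt" alone, because the check is on whole path segments rather than on the substring "..". The "served" field is the one to triage first: a traversal that returned 200 means the appliance or server honoured it, which is the point at which scanning turns into compromise.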
Popular chat app ToTok is actually a spying tool of UAE government – report
A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a New York Times report.
The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, the Times reported, citing US officials familiar with a classified intelligence assessment and the newspaper’s own investigation.
The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media has been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.
The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a US-allied federation of seven sheikhdoms on the Arabian peninsula. Government surveillance in the Emirates is prolific, and the Emirates has long been suspected of using so-called “zero-day” exploits to target human rights activists and others. Zero-day exploits can be expensive to obtain on the black market because they represent software vulnerabilities for which fixes have yet to be developed.
The Times described ToTok as a way to give the government free access to personal information, as millions of users are willingly downloading and installing the app on their phones and unknowingly giving permission to enable features.
As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.
Read the full article here: https://www.theguardian.com/world/2019/dec/23/totok-popular-chat-app-spying-tool-uae-government
Jobs in Information Security (InfoSec)
For anyone considering a career in cyber or information security (infosec) there is a useful article detailing different roles and different potential areas of work in this field.
We also run a free mentoring program for anyone either looking to move into cyber security or currently in a cyber security role wanting to progress their careers. Contact us for more information.
Read the article here: https://medium.com/bugbountywriteup/jobs-in-information-security-infosec-93a5efc12ca2
Black Arrow Cyber Tip Tuesday - Christmas Eve 2019 - Christmas Giving
Welcome to a special Christmas Eve 2019 Black Arrow Cyber Tip Tuesday.
Christmas is a time for giving so we thought it would be an ideal time to mention the services we give free of charge to help protect Guernsey and the local community.
Mentoring: if you are looking to start or progress your career in cyber security, you could be eligible for our mentoring program consisting of a rolling series of one to one meetings to see where our experience and guidance can help you.
Free 30 minute chats for Startups and Entrepreneurs: a free 30 minute consultation for new startups and entrepreneurs to help ensure they are getting the fundamentals of cyber security in place to protect their growing business.
Free pro bono advisory services for charities and non-profits: we are giving one day every month to support those that support our communities in Guernsey, to help them protect themselves, using where possible, or where appropriate, low or no cost solutions.
Black Arrow Cyber Consulting wishes everyone a Happy Christmas and a safe, secure and prosperous 2020
Happy Christmas
Black Arrow Cyber Consulting would like to wish everyone a very Happy Christmas! Whilst enjoying the festivities just bear in mind that the bad guys don’t stop and cyber attacks typically increase around this time of year.
Week in review 22 December 2019 - ransomware changes, Christmas scams, Microsoft Office apps hit, predictions for 2020
Round up of the most significant open source stories of the last week
Black Arrow Cyber Consulting would like to wish customers old and new a Very Happy Christmas and a happy, prosperous, and cyber safe, 2020
Christmas malware spreading fast: Protect yourself now
Holiday party invitations may infect your PC
It's time for ugly Christmas sweaters — and for ugly Christmas-themed malicious spam emails.
A new malspam campaign dumps an email in your inbox marked "Christmas Party," "Christmas Party next week," "Party menu," "Holiday schedule" or something similar. But the attached Word document delivers a lump of coal: the notorious Emotet Trojan malware.
"HAPPY HOLIDAYS," begins the email, as spotted by researchers. "I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know.
"Don't forget to get your donations in for the money tree," the email adds. "Also, wear your tackiest/ugliest Christmas sweater to the party." Sometimes it adds, "Details in the attachment."
More here: https://www.tomsguide.com/news/ugly-christmas-emails-give-the-gift-of-malware
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.
The cyber criminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.
“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”
Researchers were able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.
The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.
As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.
Read the full article here: https://securityboulevard.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
Ransomware: The number of victims paying up is on the rise, and that's bad news
The number of organisations that are giving into the extortion demands of cyber criminals after falling victim to ransomware attacks has more than doubled this year.
A rise in the number of ransomware attacks in the past year has contributed to the increased number of organisations opting to pay a ransom for the safe return of networks locked down by file-encrypting malware.
That's according to figures in the newly released 2019 CrowdStrike Global Security Attitude Survey, which said the total number of organisations around the world that pay the ransom after falling victim to a supply-chain attack has more than doubled from 14% of victims to 39% of those affected.
In the UK specifically, the number of organisations that have experienced a ransomware attack and paid the demanded price for the decryption key stands at 28% – double the 14% figure of the previous year.
Read the full article here: https://www.zdnet.com/article/ransomware-the-number-of-victims-paying-up-is-on-the-rise-and-thats-bad-news/
Microsoft Office apps hit with more cyber attacks than ever
New reports have claimed Microsoft Office was the most commonly exploited application worldwide as of the third quarter of this year.
Researchers found that Microsoft Office solutions and applications were the target of exactly 72.85 percent of cyber exploits this year.
However, cyber criminals also targeted web browsers with 13.47 percent of the total number of exploits, Android (9.09 percent), Java (2.36 percent), and Adobe Flash (1.57 percent).
Read the full article here: https://www.techradar.com/uk/news/microsoft-office-apps-hit-with-more-cyberattacks-than-ever
Inconsistent password advice could increase risk of cyber attacks
New research suggests that ‘inconsistent and misleading’ password meters seen on various websites could increase the risk of cyber attacks.
The study, led by researchers at the University of Plymouth, investigated the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.
It tested 16 passwords against the various meters, with 10 of them being ranked among the world’s most commonly used passwords (including ‘password’ and ‘123456’).
Of the 10 explicitly weak passwords, only five of them were consistently scored as such by all the password meters, while ‘Password1!’ performed far better than it should do and was even rated strongly by three of the meters.
However, the team at Plymouth said one positive finding was that a browser-generated password was consistently rated strong, meaning users can seemingly trust these features to do a good job.
Cyber security predictions for 2020: 45 industry experts have their say
Cyber security is a fast-moving industry, and with a new decade dawning, the next year promises new challenges for enterprises, security professionals and workers. But what predictions do experts have for cybersecurity in 2020?
Verdict.co.uk heard from 45 experts across the field of cybersecurity about their predictions for 2020, from new methods and targets to changing regulation and business practices.
Read the full list of predictions here: https://www.verdict.co.uk/cybersecurity-predictions-2020/
This ‘grab-bag’ hacking attack drops six different types of malware in one go
'Hornet's Nest' campaign delivers a variety of malware that could create a nightmare for organisations that fall victim to attacks, warn researchers.
A high-volume hacking campaign is targeting organisations around the world with attacks that deliver a 'grab-bag' of malware that includes information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer.
Uncovered by researchers at Deep Instinct, the combination of the volume of attacks with the number of different malware families has led to the campaign being named 'Hornet's Nest'.
The attacks are suspected to be offered as part of a cybercrime-as-a-service operation with those behind the initial dropper, which researchers have dubbed Legion Loader, leasing out their services to other criminals.
Clues in the code point to the Legion Loader being written by a Russian-speaker – and researchers note that the malware is still being worked on and updated. Attacks using the loader appear to be focused on targets in the United States and Europe.
Read the full article here: https://www.zdnet.com/article/this-grab-bag-hacking-attack-drops-six-different-types-of-malware-in-one-go/
Tiny band of fraud police left to deal with third of all crime
Only one in 200 police officers is dedicated to investigating fraud despite it accounting for more than a third of all crimes, The Times revealed.
Most forces have less than half of 1 per cent of their officers allocated to fraud cases and some have none at all, according to figures disclosed under the Freedom of Information Act. In some areas the number of officers tackling fraud has fallen significantly.
Amid a surge in online and cold-calling scams, there were 3.8 million incidents of fraud last year, more than a third of all crimes in England and Wales. Victims are increasingly targeted online and can lose their life savings. However, as few as one in 50 fraud reports leads to a “judicial outcome” such as a suspect being charged.
Last night police bosses said the failure to investigate the cases was due to budget cuts and “poor government direction” and the situation had become a national emergency. Boris Johnson has pledged to “make the streets safer” by recruiting an extra 20,000 police officers but there are concerns that victims of fraud will continue to be failed.
Read the original article here: https://www.thetimes.co.uk/article/less-than-1-of-police-officers-target-fraud-kf6d37qfz
IT worker with a grudge jailed for cyber attack that shut down network for 12 hours
A contractor with a grudge over the handling of an incident in Benidorm has been jailed for carrying out a revenge cyber attack. Scott Burns, 27, was unhappy with the way a disciplinary matter against him by Jet2 was dealt with, so decided to cause harm. The attack led to the company’s computer network being shut down for 12 hours, and it was only thanks to a fast-thinking colleague that a ‘complete disaster’ was avoided. Burns’s attack cost the company £165,000 in lost business, Leeds Crown Court was told. Jailing Burns for 10 months, Judge Andrew Stubbs QC heard how the motive was revenge because Burns was unhappy about how Jet2 dealt with a disciplinary matter against him relating to an incident at a ‘roadshow in Benidorm’ in 2017. No further details of the incident were outlined in court.
Read more here: https://metro.co.uk/2019/12/20/worker-grudge-jailed-cyber-attack-shut-network-12-hours-11937687/
30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world
In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels.
Ransomware has been one of the most prolific cyber threats facing the world throughout 2019, and it's unlikely to stop being a menace any time soon.
Organisations from businesses and schools to entire city administrations have fallen victim to network-encrypting malware attacks that are now demanding hundreds of thousands of dollars in bitcoin or other cryptocurrency for the safe return of the files.
While law enforcement recommends that victims don't give into the demands of cyber criminals and pay the ransom, many opt to pay hundreds of thousands of dollars because they view it as the quickest and easiest means of restoring their network. That means some of the criminal groups operating ransomware campaigns in 2019 are making millions of dollars.
But what is now one of the major cyber scourges in the world today started with much more humble origins in December 1989 with a campaign by one man that would ultimately influence some of the biggest cyber attacks in the world thirty years later.
The first instance of what we now know as ransomware was called the AIDS Trojan because of who it was targeting – delegates who'd attended the World Health Organization AIDS conference in Stockholm in 1989.
Attendees were sent floppy discs containing malicious code that installed itself onto MS-DOS systems and counted the number of times the machine was booted. When the machine was booted for the 90th time, the trojan hid all the directories and encrypted the names of all the files on the drive, making it unusable.
Victims saw instead a note claiming to be from 'PC Cyborg Corporation' which said their software lease had expired and that they needed to send $189 by post to an address in Panama in order to regain access to their system.
It was a ransom demand for payment in order for the victim to regain access to their computer.
Read the full article here: https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/
Welcome to this week's Black Arrow Cyber Tip Tuesday. This week - how ransomware is evolving and how it is getting even more important for firms and individuals to take this threat seriously
Welcome to this week's Black Arrow Cyber Tip Tuesday.
This week we are talking about the ways that ransomware attacks are changing and getting even nastier, and how firms and individuals will need to strengthen their approach to protecting themselves.
Traditionally the main defence against ransomware was having backups of your data, so that you could revert to a good copy if you got infected. Now, though, criminals are going after your backup data too, especially if those backups are stored on your networks, so it is more critical than ever to have offline copies of your data that cannot themselves be infected.
The other significant development seen recently is that criminals are no longer only holding your data to ransom; they are also threatening to release your confidential data to the public.
Many firms will not survive the damage caused to their reputation if customers and investors see their private and confidential data is available for the world to see.
The only way to defend against this is to avoid being a victim in the first place, and this includes the principle of defence in depth using multiple layers of protection and different controls.
Talk to us today to ensure you are doing all the things you should be doing to keep yourself safe from ransomware.
Week in review 15 December 2019: New Nasty Ransomware Tactics, New Intel chip vulnerabilities, Malware sees Growth in 2019, Phishing Tricks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware: Cybercriminals are adding a new twist to their demands
Ransomware could be getting even nastier: a security firm is warning over a new trend among some ransomware attackers to not just encrypt data, but steal some of it and use it as leverage to ensure a target pays up.
In several recent cases it has been reported that the ransomware gang have not just encrypted data but also threatened to leak it. These attacks elevate the ransomware threat "to crisis level" and organisations should work to immediately improve their security, as resorting to backups, the usual best defence against ransomware, won’t protect firms.
https://www.zdnet.com/article/ransomware-cybercriminals-are-adding-a-new-twist-to-their-demands/
New ransomware attacks target your NAS devices, backup storage
Sticking with ransomware for a minute, the number of ransomware strains targeting NAS and backup storage devices is also growing, with users "unprepared" for the threat, researchers say.
Ransomware comes in many forms and guises. The malware variant is popular with cybercriminals and is used in attacks against the enterprise, critical services -- including hospitals and utilities -- and individuals.
Once deployed on a system, the malware will usually encrypt files or full drives, issue its victim with a ransom note, and demand payment in return for a way to decrypt and restore access to locked content.
If backup devices themselves are being specifically targeted in attacks then they cannot be relied upon for recovery. This emphasises the requirement to ensure firms have offline copies of backups, such that backup copies cannot themselves fall victim to ransomware.
If the only backups a firm has are connected to a network and backing up in real time, it is increasingly unlikely firms will be able to depend on these backups to get their business back on its feet.
More here: https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/
New Plundervolt attack impacts Intel CPUs
Academics from three universities across Europe have this week disclosed a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs.
The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs.
Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave.
They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software.
Intel desktop, server, and mobile CPUs are impacted, including:
Intel® 6th, 7th, 8th, 9th & 10th generation Core™ processors
Intel® Xeon® Processor E3 v5 & v6
Intel® Xeon® Processor E-2100 & E-2200 families
Intel has released microcode (CPU firmware) and BIOS updates to address the Plundervolt attack.
More here: https://www.zdnet.com/article/new-plundervolt-attack-impacts-intel-cpus/
The phishing tricks that break through standard email filters
Some phishing emails are easy to spot: the spelling is bad, the spoofed email is clearly a fake, and the images are too warped to have possibly been sent by a reputable brand. If you receive one of these low-quality phishing emails, you’re lucky. Today’s phishing emails are extremely sophisticated, and if you’re not well trained to spot one, you probably won’t.
Email filters have long relied on fingerprint and reputation-based threat detection to block phishing emails. A fingerprint is essentially all the evidence a phisher leaves behind -- a signature that, once identified, will be recognized on future phishing attempts and the phishing email or webpage blocked. Examples of a fingerprint include the header, subject line, and HTML.
Reputation refers to phishing URLs and IPs or domains where phishing emails and webpages originate. An IP or domain that is identified as a sender or host for phishing emails and webpages is, like the fingerprint example above, identified and then blacklisted. The same goes for the phishing URL.
Once tried and true methods of stopping phishing, these techniques are now outdated, and hackers have developed new ways to get around them.
Read more here: https://betanews.com/2019/12/12/phishing-tricks/
Malware variety sees major growth in 2019
New research from security firm Kaspersky has revealed that malware variety grew by 13.7 percent in 2019 and the cybersecurity firm attributes this growth to a rise in web skimmers.
According to the Kaspersky Security Bulletin 2019, the number of unique malicious objects detected by the company's web antivirus solution increased by an eighth compared to last year to reach over 24m, due to a 187 percent increase in web skimmer files.
Kaspersky also found that other threats such as backdoors and banking Trojans grew while the presence of cryptocurrency miners dropped by more than half.
These trends demonstrate a shift in the type of threats employed by cybercriminals who are constantly searching for more effective ways to target users online.
Read the original article here: https://www.techradar.com/uk/news/malware-variety-sees-major-growth-in-2019
Adobe patches 17 critical code execution bugs in Photoshop, Reader, Brackets
Adobe's December security release includes fixes for 17 critical vulnerabilities in software that could be exploited to trigger arbitrary code execution.
As part of the software vendor's standard security schedule, vulnerabilities have been patched in Photoshop, Reader, Brackets, and ColdFusion.
Firms using any of these products should update them as soon as possible to mitigate these newly announced vulnerabilities.
The vulnerability used in the Equifax breach is the top network attack in Q3 of 2019
Network security and intelligence company WatchGuard Technologies has released its internet security report for the third quarter of 2019 showing the most popular network attacks.
Apache Struts vulnerabilities -- including one used in the devastating Equifax data breach which tops the list -- appeared for the first time on WatchGuard's list. The report also highlights a major rise in zero day malware detections, increasing use of Microsoft Office exploits and legitimate penetration testing tools, and more.
More details here: https://betanews.com/2019/12/11/equifax-vulnerability-top-network-attack/
Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis
There's been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and sparking data-sharing relationships between Amazon and law enforcement. News reports this week are raising a different issue: hackers are breaking into users' Ring accounts, which can also be connected to indoor Ring cameras, to take over the devices and get up to all sorts of invasive shenanigans.
More on Wired here: https://www.wired.com/story/ring-hacks-exemplify-iot-security-crisis/
Cyber Tip Tuesday 10 December 2019 - Bruce talks about why charities need to think about cyber risk
This week’s Tip Tuesday focuses on Charities and how cyber security affects them.
Charities can be an attractive target for cyber criminals who want to access charities' information or funds.
Unfortunately, charities often do not have the expertise to establish good cyber hygiene, but they still need to operate in the same connected world as commercial organisations with larger budgets.
If a charity experiences an attack, then ultimately it is the wider community that suffers.
That is why charities need to take appropriate steps to secure themselves against a cyber-attack.
Fortunately, many of the things that charities will benefit from doing can be achieved with little or no cost, and Black Arrow also provides pro bono advisory services to charities in Guernsey to show how this can be done.
Week in review 08 December 2019: 5,183 breaches in first nine months of 2019, 44 million Microsoft customers found using compromised passwords, US charges Russians over hacking attacks
Week in review 08 December 2019: 5,183 breaches in first nine months of 2019, 44 million Microsoft customers found using compromised passwords, US charges Russians over hacking attacks, VPN vulnerabilities, ransomware attacks on network storage devices, Europol take down counterfeit websites, reward offered for Russian hackers largest yet
Week in review 08 December 2019
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
5,183 breaches in first nine months of 2019 exposed 7.9b data records
As many as 7.9 billion data records were leaked, stolen or exposed as a result of 5,183 data breaches that took place in the first nine months of 2019, making it the worst year ever for data breaches.
This alarming statistic was revealed by security firm Risk Based Security which observed that based on recent trends, the number of breached data records could touch 8.5 billion by the end of the year.
The firm also noted that the total number of data breaches worldwide rose by 33.3 percent compared to mid-year 2018, and the number of records breached also rose by 112 percent. As many as 3.1 million data records were breached as a result of six data breach incidents that took place between 1 July and 30 September.
The majority of data records were exposed or leaked as a result of accidental exposure of data on the internet by organisations. The fact that hackers are quite willing to take advantage of such data exposure has also led to a rise in the number of breached records.
44 million Microsoft customers found using compromised passwords
Microsoft's identity threat researchers have revealed that 44 million of its users are still using passwords that have previously been compromised in past data breaches.
The 44 million weak accounts comprised both Microsoft Services Accounts (regular users) and Azure AD accounts, suggesting businesses are not adopting proper password hygiene.
A total of three billion user credentials were checked in a database populated from numerous sources including law enforcement and public databases.
Using the data set of three billion credentials, Microsoft was able to identify the number of users who were reusing credentials across multiple online services.
Microsoft forced a password reset for all of those users who were found to have leaked credentials during the scan which took place between January and March 2019.
Evil Corp: US charges Russians over hacking attacks
US authorities have filed charges against two Russian nationals alleged to be running a global cyber crime organisation named Evil Corp.
An indictment named Maksim Yakubets and Igor Turashev - who remain at large - as figures in a group which used malware to steal millions of dollars in more than 40 countries.
Those affected by the hacks include schools and religious organisations. It is also alleged that Mr Yakubets worked for Russian intelligence.
The attacks are said to be amongst the worst computer hacking and bank fraud schemes of the past decade. The $5m reward being offered for information leading to their arrest and prosecution is the largest yet for catching cyber criminals.
Thursday's indictment came after a multi-year investigation by the US and British law enforcement agencies.
Authorities allege that the group stole at least $100m (£76m) using Bugat malware - known as Dridex.
The malware was spread through so-called "phishing" campaigns, which encouraged victims to click on malicious links sent by email from supposedly trusted entities.
Once a computer was infected, the group stole personal banking information which was used to transfer funds.
A network of money launderers - targeted by the NCA and Britain's Metropolitan Police - were then utilised to funnel the criminal proceeds to members of Evil Corp. Eight members of this network have been sentenced to a total of over 40 years in prison.
New ransomware attacks target your NAS devices, backup storage
New ransomware that targets Network Attached Storage devices and other backup devices has surged in recent months with many users unprepared for the increased level of threat.
As with all ransomware paying the ransom is no guarantee of getting data back and should only ever be an absolute last resort.
With networked and backup storage devices falling victim to ransomware infections, this emphasises the need to ensure firms have offline copies of backups. Backups that are disconnected from systems cannot themselves be corrupted or fall victim to ransomware and would therefore be a firm’s best bet in being able to recover from such an attack.
https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/
New vulnerability lets attackers sniff or hijack VPN connections
Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections. OpenVPN, WireGuard, and IKEv2/IPSec VPNs are all vulnerable to attacks.
The vulnerability -- tracked as CVE-2019-14899 -- resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.
According to the research team, attackers can use this vulnerability to probe devices and discover various details about the user's VPN connection status.
Whilst this vulnerability affects Linux, Android, macOS and other Unix-based operating systems, it is not currently believed to affect Windows-based systems.
https://www.zdnet.com/article/new-vulnerability-lets-attackers-sniff-or-hijack-vpn-connections/
Newly discovered Mac malware uses “fileless” technique to remain stealthy
Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.
In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.
In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.
Europol seizes more than 30,000 counterfeit sites on Cyber Monday
Europol has taken down more than 30,000 different web domains which allowed cyber criminals to sell counterfeit and pirated items online.
The joint operation between 18 member states and the US National Intellectual Property Rights Coordination Centre, with help from Eurojust and INTERPOL, included the seizure of articles such as fake medicines, pirated movies, music, software and counterfeit electronics.
In addition, officials identified and froze more than €150 000 (£128,000) in several bank accounts and online payment platforms.
As a result of the coordinated operation, codenamed IOS X (In Our Sites), three arrests have been made and 26,000 "luxury products" have been seized along with the swathe of illicit websites.
The IOS campaign, launched in 2014, has grown in strength year-on-year and aims to "make the internet a safer place for consumers by recruiting more countries and private sector partners to participate in the operation and providing referrals".
Our latest Black Arrow Cyber Tip Tuesday video is now live, in this week's episode "Cyber lessons we can learn from the Titanic, and why brakes were needed to be added to cars"
Welcome to this week's Black Arrow Cyber Tip Tuesday. This week we are talking about lessons we can learn from the Titanic.
Cyber security is a lot like the Titanic: people often ignore warnings until it's too late. The day the Titanic sank the crew received seven iceberg warnings, yet such was the competition to make the crossing in six days that orders were given to maintain the speed of the ship.
They thought they could ignore the warnings and steamed on ahead in the mistaken belief they would be unaffected.
Now, if they'd heeded the warnings and slowed down they would have stood a better chance of avoiding the icebergs, and in particular the iceberg that led to their sinking.
That's not to say good security means you need to slow down. Not wishing to mix my metaphors, but brakes were not added to cars to make them go slower; brakes had to be added to cars to allow them to go faster.
So don't necessarily slow down, just don't ignore the warnings, and don't believe that somehow you will remain safe as you steer your own ships through a sea unfortunately filled with icebergs.
Week in review 01 December 2019: staff susceptible to phishing, businesses fail to implement IT disaster plans, ransomware unlikely to go away, the most notable cyber events of the last 10 years
A summary of the top cyber news from the last week and how they relate to business and individuals in Guernsey and the CI. This week: staff members susceptible to phishing attacks, businesses failing to implement IT disaster plans, ransomware unlikely to go away when chance of being caught is so slim, the most notable cyber events of the last 10 years, authorities take down remote access trojan.
A summary of the top cyber news events from the last week and how they relate to business and individuals in Guernsey and the wider Channel Islands.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nearly half of workers have clicked on a phishing email
New research released this week has revealed that almost a quarter of businesses have fallen victim to a phishing attack.
A survey of 714 people working in businesses across the US discovered that many organizations are not taking the proper measures to protect themselves from phishing attacks including employee training and the implementation of two-factor authentication.
Of those surveyed, only 64 percent said they currently use a two-factor authentication system to help protect their organization's data. This means that over one third of organizations are potentially leaving themselves exposed to phishing attacks.
Some phishing schemes, such as spear phishing, target specific members of staff within an organisation and this is typically accomplished through social engineering.
In order to combat these phishing scams, firms should ensure they provide staff with suitable social engineering training.
https://www.techradar.com/news/nearly-half-of-workers-have-clicked-on-a-phishing-email
Phishing emails are still managing to catch everyone out
Staying with phishing, another article this week points out that workers are still finding it too hard to spot phishing emails, with nearly three-quarters of companies seeing staff hand over passwords when tested by a security company.
A security consultancy tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities. It found that employees at 71% of these businesses handed over access credentials when targeted with phishing attacks by penetration testers -- up from 63% last year.
In 20% of cases, login details were shared by more than half of employees, compared to just 10% last year.
The firm doing the research carried out 623 penetration tests across the US, Europe and the UK, aiming to simulate a range of cyberattacks to assess how well companies were able to cope with them.
Weak passwords and insecure internal procedures, such as improper file-access restrictions and a lack of staff training, along with using out-of-date software, were the three most common vulnerabilities discovered during the tests.
The original article can be found here: https://www.zdnet.com/article/phishing-emails-are-still-managing-to-catch-everyone-out/
Many UK businesses have no IT disaster recovery plan
A disaster recovery plan, a set of steps designed to help a business get back on its feet as soon as possible after an incident, is something many UK businesses do not have.
A survey of 1,125 IT workers came to the conclusion that a quarter of SMEs don’t have such a plan set up, and that this equates to “gambling with the continuity of business”.
The report stresses that four fifths of all businesses who suffered a major incident failed within a year and a half.
Among businesses that do have a disaster recovery plan, more than half (54 per cent) don’t regularly test it, and a third have never tested it at all. A small portion of the firms don’t have automated backups set up, either.
“The message to business leaders is get a DR plan in place and test, test, test!”
https://www.itproportal.com/news/many-uk-businesses-have-no-it-disaster-recovery-plan/
Ransomware: Big paydays and little chance of getting caught means boom time for crooks
Ransomware will continue to plague organisations in 2020 because there is little risk of the cyber criminals behind the network-encrypting malware attacks getting caught; for them there is only a small amount of risk, but a potentially large reward.
During the last year there have been many examples of ransomware attacks where victims have given in to the extortion demands of the attackers, often paying hundreds of thousands of dollars in bitcoin in exchange for the safe return of their networks.
In many cases, the victims will pay the ransom because it's seen as the quickest – and cheapest – means of restoring the network.
The full article can be found here: https://www.zdnet.com/article/ransomware-big-paydays-and-little-chance-of-getting-caught-means-boom-time-for-crooks/
A decade of hacking: The most notable cyber-security events of the 2010s
The 2010s are drawing to a close and ZDNet have taken a look back at the most important cyber-security events that have taken place during the past ten years.
There have been monstrous data breaches, years of prolific hacktivism, plenty of nation-state cyber-espionage operations, almost non-stop financially-motivated cybercrime, and destructive malware that has rendered systems unusable.
Read the full article for the full list here:
Authorities take down 'Imminent Monitor' RAT malware operation
Law enforcement agencies from all over the world announced this week that they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.
According to a press release from Europol, the operation had two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.
The second stage took place earlier this week, when authorities took down the IM-RAT website, its backend servers, and arrested the malware's author and 13 of the tool's most prolific users.
Europol reported arrests in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.
Authorities also served search warrants at 85 locations and seized 430 devices they believed were used to spread the malware.
The UK National Crime Agency (NCA) took credit for a good chunk of the bounty, with 21 search warrants, nine arrests, and more than 100 seized devices.
More here: https://www.zdnet.com/article/authorities-take-down-imminent-monitor-rat-malware-operation/
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.