Threat Intelligence Blog

Black Arrow Admin


Cyber Weekly Flash Briefing 17 July 2020: Major US Twitter accounts hacked, Malware in Chinese Tax Software, NK steals $2bn through cyber heists, Counterfeit Cisco kit, Windows DNS vulns, Citrix vulns, Iranian Spies Accidentally Leaked Videos of Themselves Hacking, Malicious Router Log-Ins Soar Tenfold in Botnet Battle

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Major US Twitter accounts hacked in Bitcoin scam

Billionaires Elon Musk, Jeff Bezos and Bill Gates are among many prominent US figures targeted by hackers on Twitter in an apparent Bitcoin scam.

The official accounts of Barack Obama, Joe Biden and Kanye West also requested donations in the cryptocurrency.

"Everyone is asking me to give back," a tweet from Mr Gates' account said. "You send $1,000, I send you back $2,000."

The US Senate Commerce committee has demanded Twitter brief it about the incident next week.

Twitter said it was a "co-ordinated" attack targeting its employees "with access to internal systems and tools".

"We know they [the hackers] used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," the company said in a series of tweets.

It added that "significant steps" had been taken to limit access to such internal systems and tools while the company's investigation was ongoing.

The firm has also blocked users from being able to tweet Bitcoin wallet addresses for the time being.

Read more here: https://www.bbc.co.uk/news/technology-53425822


More Malware Found Hidden in Chinese Tax Software

A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave.

The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared out of the blue which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism and it utilises three DLL files to: interface with the Golden Tax software; bypass Windows security and escalate privileges; and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomization of name whilst in transit and of file system location, timestomping, IP-based Domain Generation Algorithm (DGA), and UAC bypass and privilege escalation.

Read more here: https://www.infosecurity-magazine.com/news/more-malware-hidden/


How North Korea’s army of hackers stole $2bn through cyber bank heists

Towards the end of last year, a series of seemingly innocuous LinkedIn messages were sent to employees of aerospace and military companies in the UK, Europe and the Middle East. Curious engineers who replied to the job offers were sent further messages urging them to download files to find out more about the opportunities.

The file contained a list of available jobs and the salaries for each role. While recipients read through the list of highly paid positions, their computers were silently taken over by hackers who implanted software that allowed them to peer through all of their files and emails.

The lucrative jobs weren’t real, and neither were the recruiters. Instead the messages were sent by Lazarus, a notorious North Korean hacking group, which in 2014 had managed to break into the servers of Sony Pictures and in 2017 brought parts of the NHS to a standstill during the WannaCry ransomware attack.

Once the hackers had gained access to their target’s computer, the fake LinkedIn profiles vanished.

One hacker then used his access to a victim’s email account to find an outstanding invoice. He sent an email to another business demanding payment, but asked for the money to be sent to a new bank account controlled by the hacking group.

This cyber attack is a typical example of North Korea’s unique approach to hacking. As well as attacks to make political statements, the country uses its legions of hackers to generate billions of dollars for the regime through a series of audacious cyber bank heists.

A United Nations report published last year estimated that North Korean hackers have stolen more than $2bn (£1.5bn) and said the money was being funneled into the regime’s missile development programmes.

Cut off from almost all of the world’s financial systems, North Korea has for years relied on a series of illegal activities to bolster its income. As well as thriving drug trafficking and counterfeiting schemes, the regime has also funded hundreds of its own digital bank heists.

Read more here: https://www.telegraph.co.uk/technology/2020/07/12/north-koreas-army-hackers-stole-2bn-cyber-bank-heists/


UK ‘on alert for China cyber attack’ in retaliation for Hong Kong

The government must be alert to potential cyber attacks from countries such as China, ministers have said as tensions increase between London and Beijing.

Last month relations between the UK and China soured after Boris Johnson pledged to offer refuge to millions of Hong Kong citizens if the country implements its planned national security law. The government is also reported to have ‘changed its view’ on plans for Chinese tech company Huawei to play a role in developing the UK’s 5G network due to growing unease over security risks.

Now senior sources claim the worsening ties could see Britain be targeted by Chinese-backed hackers in a so-called ‘cyber 9/11’. This could damage computer networks, cause power and phone blackouts and bring hospitals, government and businesses to a standstill.

Britain’s National Cyber Security Centre says it is not ‘expecting’ a rise in attacks. However, one senior minister said the threat was ‘obviously part of conversations’, but added that ‘all risk must be looked at in the round’.

Read more: https://metro.co.uk/2020/07/12/ministers-fear-cyber-attack-uk-relations-worsen-china-12978970/


Ransomware warning: Now attacks are stealing data as well as encrypting it

There's now an increasing chance of getting your data stolen, in addition to your network being encrypted, when you are hit with a ransomware attack – which means falling victim to this kind of malware is now even more dangerous.

The prospect of being locked out of the network by cyber criminals is damaging enough, but by leaking stolen data, hackers are creating additional problems. Crooks use the stolen data as leverage, effectively trying to bully organisations who've become infected with ransomware into paying up – rather than trying to restore the network themselves – on the basis that if no ransom is paid, private information will be leaked.

Ransomware groups like those behind Maze and Sodinokibi have already shown they'll go ahead and publish private information if they're not paid and now the tactic is becoming increasingly common, with over one in ten attacks now coming with blackmail in addition to extortion.

Organisations in the legal, healthcare and financial sectors are among the most targeted by these campaigns, based on the assumption that they hold the most sensitive data.

Read more here: https://www.zdnet.com/article/ransomware-warning-now-attacks-are-stealing-data-as-well-as-encrypting-it/


Stop Ignoring Two-Factor Authentication Just Because You’re Lazy

A large number of people and businesses are missing out on a simple, effective online security solution by ignoring two-factor authentication (2FA), also called multi-factor authentication (MFA). The only requirement is to enter a code or press a button on a separate device from the one being used, yet for many, that effort seems too great. Laziness literally becomes the weakest point in their data protection systems.

If this sounds familiar, it’s time to change, as 2FA strengthens the security of all-important apps, including those where you share financial details such as banking and shopping apps – but to work, it has to be used.

Read more here: https://www.infosecurity-magazine.com/opinions/authentication-lazy/


Russian hackers ‘try to steal vaccine research’ in cyber attack on labs

Hackers linked to Russian intelligence agencies are targeting British scientists seeking to develop a coronavirus vaccine, spooks in the US, UK and Canada have warned.

In a joint statement Britain’s National Cyber Security Centre (NCSC), the US National Security Agency and the Canadian Communication Security Establishment, said that the APT29 hacking group, also known as the ‘Dukes’ or ‘Cozy Bear’ has been hitting medical organisations and universities with cyber attacks which they believe have had the Kremlin’s blessing.

These attacks are part of a global campaign to steal vaccine research secrets. While the institutions targeted have not been revealed, the UK is home to two of the world’s leading coronavirus vaccine development programmes, based at Oxford University and Imperial College London.

Read more: https://metro.co.uk/2020/07/16/russian-hackers-launch-cyber-attack-uk-vaccine-researchers-12998769/


Counterfeit Cisco switches raise network security alarms

In a disconcerting event for IT security professionals, counterfeit versions of Cisco Catalyst 2960-X Series switches were discovered on an unnamed business network, and the fake gear was found to be designed to circumvent typical authentication procedures, according to a report.

F-Secure researchers say their investigation found that while the counterfeit Cisco 2960-X units did not have any backdoor-like features, they did employ various measures to fool security controls. For example, one of the units exploited what F-Secure believes to be a previously undiscovered software vulnerability to undermine the secure boot processes that protect against firmware tampering.

Read more: https://www.networkworld.com/article/3566705/counterfeit-cisco-switches-raise-network-security-alarms.html


Vulnerability in Windows DNS servers

Microsoft has reported a critical vulnerability in Windows DNS server under CVE-2020-1350.

Bad news: The vulnerability scored 10 on the CVSS scale, which means it’s critical. Good news: Cyber criminals can exploit it only if the system is running in DNS server mode; in other words, the number of potentially vulnerable computers is relatively small. Moreover, the company has already released patches and a workaround.

The vulnerability lets a malefactor force DNS servers running Windows Server to execute malicious code remotely. In other words, the vulnerability belongs to the RCE class. To exploit CVE-2020-1350, one just has to send a specially generated request to the DNS server.

Installing the Microsoft patch modifies the method of handling requests by DNS servers. The patch is available for Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004.

Read more here: https://www.kaspersky.com/blog/cve-2020-1350-dns-rce/36366/


Threat actors are scanning the Internet for Citrix systems affected by the recently disclosed vulnerabilities.

This week Citrix addressed 11 vulnerabilities affecting its ADC, Gateway and SD-WAN WANOP networking products. The vulnerabilities could be exploited by attackers for local privilege escalation, to trigger a DoS condition, to bypass authorisation, to achieve code injection, and to launch XSS attacks.

Some of the addressed flaws can only be exploited if the attackers already have access to the targeted system, require user interaction, or depend on other conditions being met. For this reason, Citrix believes these flaws are less likely to be exploited.

Now, hackers are scanning the web for systems affected by the recently disclosed Citrix vulnerabilities.

Read more here: https://securityaffairs.co/wordpress/105776/hacking/vulnerable-citrix-systems-scan.html


Iranian Spies Accidentally Leaked Videos of Themselves Hacking

A security team obtained five hours of Iranian state actor group APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.

Normally, security researchers need to painstakingly piece together the blow-by-blow of a state-sponsored hacking operation, following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they’re doing and upload the video to an unprotected server on the open internet, which is precisely what a group of Iranian hackers may have unwittingly done.

Read more here: https://www.wired.com/story/iran-apt35-hacking-video/


Amazon-Themed Phishing Campaigns Swim Past Security Checks

A pair of recent campaigns aim to lift credentials and other personal information under the guise of Amazon package-delivery notices.

Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.

Researchers recently spotted a pair of savvy campaigns leveraging Amazon: a credential-phishing attempt using a purported Amazon delivery order failure notice, and a voice phishing (vishing) attempt also using an Amazon delivery order lure. Both are examples of the ever-more sophisticated phishing efforts being developed by fraudsters to game traditional email security controls, researchers said.

Read more here: https://threatpost.com/amazon-phishing-campaigns-security-checks/157495/


Malicious Router Log-Ins Soar Tenfold in Botnet Battle

Home users are being urged to ensure their routers are adequately protected after experts revealed a tenfold spike in brute force log-in attempts.

The latest research from Trend Micro, “Worm War: The Botnet Battle for IoT Territory”, describes a threat landscape in which rival cyber-criminals are competing against each other in a race to compromise as many devices as possible to conscript into botnets.

The vendor claimed that automated log-in attempts against routers rose from 23 million in September to nearly 249 million attempts in December 2019. As recently as March this year, it detected almost 194 million brute force logins.

The report also revealed an uptick in routers attempting to open telnet sessions with other devices. As telnet is unencrypted it’s a favorite way for hackers or their botnets to sniff user credentials and therefore infect more routers or IoT devices.

Nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week in mid-March, according to the data.

The report warned that these mass compromises could cause serious disruption for home networks at a time when many global users are being forced to work and study from home.

Read more here: https://www.infosecurity-magazine.com/news/malicious-router-logins-soar/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.



Cyber Weekly Flash Briefing 10 July 2020: firms concerned by cloud security: most already breached, 15 Billion passwords on sale, routers present huge risk, BMW cust breach, NK hackers target retail



Majority of firms concerned about public cloud security, most have suffered breach

Most businesses are worried about the current state of their public cloud security, with 70% admitting they have experienced a breach over the past year, including 93% in India, where this figure is highest worldwide. Companies that used more than one public cloud platform reported more security incidents than their peers that used only one platform.

In addition, system misconfigurations enabled 66% of cyber attacks either because attackers were able to exploit a misconfigured system or tap flaws in the firewall applications to steal credentials of cloud provider accounts. Data loss or leak was the biggest security concern, with 44% of organisations pointing to this as a top focus area, according to Sophos' State of Cloud Security 2020 study.

The survey polled 3,521 IT managers across 26 markets including 158 in Singapore, 227 in India, 162 in China, 148 in Australia, 126 in Japan, 191 in the UK, and 413 in the US. These respondents used services from at least one of the following public cloud providers: Amazon Web Services (AWS) and VMWare Cloud on AWS, Microsoft Azure, Alibaba Cloud, and Oracle Cloud. They also might have used Google Cloud and IBM Cloud.

Read more: https://www.zdnet.com/article/majority-of-firms-concerned-about-public-cloud-security-most-have-suffered-breach/


15 Billion Stolen Passwords On Sale On The Dark Web, Research Reveals

There are more than 15 billion stolen account credentials circulating on criminal forums within the dark web, a new study has revealed.

Researchers discovered usernames, passwords and other login information for everything from online bank accounts, to music and video streaming services.

The majority of exposed credentials belong to consumers rather than businesses, the researchers found, resulting from hundreds of thousands of data breaches.

Unsurprisingly, the most expensive credentials for sale were those for bank and financial services. The average listing for these was £56 on the dark web – a section of the internet notorious for criminal activity that is only accessible using specialist software.

Researchers stated that the sheer number of credentials available is staggering.

Read more here: https://www.independent.co.uk/life-style/gadgets-and-tech/news/security-passwords-dark-web-digital-shadows-a9607871.htm


Check your router now - it could be a huge security risk

Many of the most popular home routers available to buy today feature a worrying number of security flaws and vulnerabilities, new research has found, and your router might be the biggest security hole in your network.

A report from Germany discovered that the firmware present in a large number of leading routers was susceptible to hugely damaging security issues.

Many routers were found to never have received a single security firmware update in their lifetime, despite the risk that this could pose to users at home and at work, and were vulnerable to hundreds of well-known security issues.

The study looked at 127 home routers from seven brands (Netgear, ASUS, AVM, D-Link, Linksys, TP-Link and Zyxel), examining the product firmware for any known security vulnerabilities.

46 of the products it tested had not received any kind of security update within the past 12 months, with some vendors shipping firmware updates without fixing known vulnerabilities, and one set of products not seeing a firmware update for more than five years.

Read more here: https://www.techradar.com/news/check-your-router-now-it-could-be-a-huge-linux-security-risk


Data Breach Affects 384,319 BMW Customers in the U.K.

Researchers at an intelligence firm discovered that a hacker group, “KelvinSecurity”, compromised the personal information of 384,319 BMW customers in the U.K. and put it up for sale on various darknet forums.

The hacker group claimed that they got the BMW database from a call centre that handles customer information for various automobile brands. The stolen database contains over 500,000 customer records dated between 2016 and 2018, also affecting U.K. owners of other car manufacturers’ vehicles, including Honda, Mercedes, SEAT and Hyundai.

The exposed BMW owners’ information included sensitive details such as surnames, emails, vehicle registration numbers, residential addresses, dealer names, car registration information and names of dealerships. The researchers also discovered multiple databases exposed by KelvinSecurity, including data related to U.S. government contractors and Russian military weapons development. The hacker group also exposed over 28 databases on various darknet forums for free, affecting organisations in Iran, Australia, Mexico, the U.S., Sweden, Indonesia and France.

Read more here: https://cisomag.eccouncil.org/bmw-data-breach/


SurveyMonkey Phishers Go Hunting for Office 365 Credentials

Security researchers are warning of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains in a bid to bypass security filters.

The phishing emails in question are sent from a real SurveyMonkey domain but crucially have a different reply-to domain.

Within the body of the email is a hidden redirect link appearing as the text ‘Navigate to access statement’, with a brief message ‘Please do not forward this email as its survey link is unique to you’. Clicking on the link redirects to a site hosted on a Microsoft form submission page. This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised.

The attack is effective for several reasons: its use of a legitimate SurveyMonkey email sender, the concealing of the phishing site URL and the description of the email as unique to every user.
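The three traits listed above (legitimate sender domain, a mismatching Reply-To, and a link that leads somewhere other than the sender's domain) can each be checked mechanically at the mail gateway. The following is an added example written for this briefing, not code from the researchers or from any vendor; the message it parses is constructed, and every domain in it is a placeholder rather than a real indicator.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above.
# All domains are placeholders (.example), not real indicators.
SAMPLE_EMAIL = """\
From: "Survey Team" <noreply@surveymonkey-sender.example>
Reply-To: "HR" <hr@attacker-controlled.example>
To: user@victim.example
Subject: New document shared
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please do not forward this email as its survey link is unique to you.</p>
<p><a href="https://forms.office.example/r/abc123">Navigate to access statement</a></p>
</body></html>
"""

# Matches <a ... href="...">text</a>; good enough for gateway triage of simple HTML bodies.
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def header_domain(value):
    """Return the lower-cased domain of an address header such as From or Reply-To."""
    _, addr = parseaddr(value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def analyse(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message.

    Heuristics (each is one finding):
      1. Reply-To domain differs from the From domain.
      2. A link in the body points to a host outside the From domain.
      3. The 'unique to you' do-not-forward lure text is present.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = header_domain(str(msg["From"]))
    reply_dom = header_domain(str(msg["Reply-To"]))
    findings = []

    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host and from_dom and not host.endswith(from_dom):
            findings.append(
                f"link '{text.strip()}' points off-domain to {host}")

    if re.search(r"unique to you", html, re.I):
        findings.append("'unique to you' do-not-forward lure present")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FINDING:", finding)
```

A mismatching Reply-To on its own is common in legitimate mail, so treat these as scoring inputs rather than a block rule.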

Read more here: https://www.infosecurity-magazine.com/news/surveymonkey-phishers-office-365/


Microsoft takes legal action against COVID-19-related cybercrime

This week a Court in the US unsealed documents detailing Microsoft’s work to disrupt cybercriminals that were taking advantage of the COVID-19 pandemic in an attempt to defraud customers in 62 countries around the world. The civil case has resulted in a court order allowing Microsoft to seize control of key domains in the criminals’ infrastructure so that it can no longer be used to execute cyberattacks.

Microsoft’s Digital Crimes Unit (DCU) first observed these criminals in December 2019, when they deployed a sophisticated, new phishing scheme designed to compromise Microsoft customer accounts. The criminals attempted to gain access to customer email, contact lists, sensitive documents and other valuable information. Based on patterns discovered at that time, Microsoft utilized technical means to block the criminals’ activity and disable the malicious application used in the attack. Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims.

Read more here: https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/


North Korea's Lazarus hackers are planting skimmers on US and European retail websites, researchers warn

Researchers claim to have found evidence to suggest that North Korean state-sponsored actors are planting skimmers on the web stores of many American and European retailers in efforts to steal payment card details of unsuspecting shoppers.

The activities have been ongoing since at least May 2019, the researchers say, and can be attributed to hackers linked with the North Korean-backed Lazarus group.

The new research shows that in the last year, Lazarus has been able to infiltrate web stores of many retailers, such as international fashion chain Claire's.  The group has also developed a global exfiltration network that uses authentic websites to transfer stolen assets to attackers. These websites are first hijacked and then repurposed to mask the malicious activities of the hackers.

Read more here: https://www.computing.co.uk/news/4017355/north-korea-lazarus-hackers-planting-skimmers-us-european-retail-websites-researchers-warn


British Army ‘to be slashed by 20,000 troops to make way for cyber warfare’

In a clear indication of how future conflicts are expected to be fought, the British Army could be cut by more than a quarter under spending review plans drawn up by UK defence chiefs.

Up to 20,000 troops could be let go, while airfields are closed and helicopters are taken out of service. The Royal Marines commando brigade may also be disbanded and Royal Navy minesweepers could also be axed.

Security sources have claimed Johnson’s top adviser Dominic Cummings has been pushing to divert a sizeable amount of money from the army to fund cyber warfare, space and artificial intelligence projects.

Read more here: https://metro.co.uk/2020/07/06/army-slashed-20000-troops-make-way-cyber-warfare-12950143/




Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws



Ransomware attacks are increasing, do you have an emergency plan in place?

Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

Read more: https://www.helpnetsecurity.com/2020/07/01/ransomware-emergency-plan/

Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh


Microsoft releases emergency update to fix two serious Windows flaws

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how the Microsoft Windows Codecs Library handles objects in memory. An attacker exploiting the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.

Read more: https://www.welivesecurity.com/2020/07/01/microsoft-releases-emergency-update-two-serious-windows-flaws/


Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.

Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

Read more: https://www.infosecurity-magazine.com/news/calendar-phishing-campaign/


REvil Ransomware Gang Adds Auction Feature for Stolen Data

The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.

The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.

A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).

Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).

As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.

Read more here: https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/


Criminals set 'return to work' traps

Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.

According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.

Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.

According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.

Read more here: https://www.itproportal.com/news/criminals-set-return-to-work-traps/


This new botnet has recruited an army of Windows devices

A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.

The malware behind the botnet has been given the name Satan DDoS, though security researchers have taken to referring to it as Lucifer in order to avoid confusion with the Satan ransomware.

A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.

At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later became apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.

Read more here: https://www.techradar.com/news/this-new-botnet-has-recruited-an-army-of-windows-devices


Cisco SMB routers hit with another major security flaw

Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.

The XSS vulnerability exists in the company's RV042 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.

This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.

Read more here: https://www.techradar.com/news/cisco-smb-routers-hit-with-another-major-security-flaw


Xerox apparently victim of Maze attack

It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.

The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to reports.

Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.

Read more: https://www.scmagazine.com/home/security-news/ransomware/xerox-apparent-victim-of-maze-attack/


FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.

The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”

Read more here: https://threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/


New Mac Ransomware Is Even More Sinister Than It Appears

There haven't been many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago, but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Read more here: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank


If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:


Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Businesses believe the pandemic will change the security landscape forever

After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.

The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.

With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.

A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.

Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.

Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.

Read more: https://www.itproportal.com/news/businesses-believe-the-pandemic-will-change-the-security-landscape-forever/


Ransomware operators lurk on your network after their attack

When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.

Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.

This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.

Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.

As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.

Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.

This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.

Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/


Prolific Hacker Made Millions Selling Network Access

A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.

The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.

Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.

In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.

The report calculated the $1.5m figure purely from publicised sales, although 20% of the compromises Fxmsp made were sold privately, meaning the hacker's haul is likely to be even bigger.

Fxmsp even hired a sales manager in early 2018.

Read more here: https://www.infosecurity-magazine.com/news/infamous-hacker-millions-selling/


Rogue Postbank employees steal master encryption key; make off with $3.2 million

South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.

According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".

The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.

The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.

The cost to the bank of replacing all the compromised cards is expected to reach $58 million.

Read more here: https://www.finextra.com/newsarticle/36059/rogue-postbank-employees-steal-master-encryption-key-make-off-with-32-million


Massive Distributed Denial of Service (DDoS) attack launched against European bank

This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.

The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.

What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times the average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.

Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.

The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.

Read more here: https://www.itproportal.com/news/massive-ddos-attack-launched-against-european-bank/


'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report

Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.

The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”

The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.

Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, cleverly hiding them in the public blockchain - in plain sight.
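The "comment of up to 80 characters" the article refers to is the data carried by an OP_RETURN output script. The Python below, an added example that is not from the article or from any Glupteba analysis, parses a legacy-format Bitcoin transaction and extracts that data, which is the read side of the channel a defender or blockchain analyst would scan; the sample transaction and its payload are constructed here, so the payload merely stands in for whatever blob the malware would decrypt with its own key.

```python
"""Extract OP_RETURN payloads from raw (legacy, non-SegWit) Bitcoin transactions.

Added example, not from the original article or from any published Glupteba
analysis. An output whose script starts with OP_RETURN (0x6a) carries up to
80 bytes of arbitrary data that anyone can read from the public chain. The
transaction built below is constructed for illustration only.
"""
from __future__ import annotations

import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
MAX_STANDARD_OP_RETURN = 80  # relay-policy limit for the pushed data


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def _encode_varint(n: int) -> bytes:
    """Encode n as a Bitcoin CompactSize integer."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_outputs(raw_tx: bytes) -> list[tuple[int, bytes]]:
    """Return [(value_in_satoshis, scriptPubKey), ...] for a legacy serialised tx."""
    pos = 4  # skip the 4-byte version field
    n_in, pos = _read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = _read_varint(raw_tx, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = _read_varint(raw_tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw_tx, pos)[0]
        pos += 8
        script_len, pos = _read_varint(raw_tx, pos)
        outputs.append((value, raw_tx[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes) -> bytes | None:
    """If script is 'OP_RETURN <push>', return the pushed bytes, else None."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    opcode = script[1]
    if 1 <= opcode <= 0x4B:           # direct push of 1..75 bytes
        length, start = opcode, 2
    elif opcode == OP_PUSHDATA1:      # one-byte length follows (76..255 bytes)
        length, start = script[2], 3
    elif opcode == OP_PUSHDATA2:      # two-byte little-endian length follows
        length, start = struct.unpack_from("<H", script, 2)[0], 4
    else:
        return None                   # not a plain data push
    data = script[start:start + length]
    return data if len(data) == length else None  # reject truncated scripts


def extract_messages(raw_tx: bytes) -> list[bytes]:
    """All OP_RETURN payloads in a transaction: what a chain-reading client sees."""
    found = []
    for _, script in parse_outputs(raw_tx):
        data = op_return_payload(script)
        if data is not None:
            found.append(data)
    return found


def build_sample_tx(payload: bytes) -> bytes:
    """Constructed tx: one dummy input, one P2PKH output, one OP_RETURN output."""
    if len(payload) > MAX_STANDARD_OP_RETURN:
        raise ValueError("payload exceeds the 80-byte standard OP_RETURN limit")
    version = struct.pack("<I", 1)
    # Dummy input: all-zero previous txid, index 0, empty scriptSig, final sequence.
    vin = (_encode_varint(1) + b"\x00" * 32 + struct.pack("<I", 0)
           + _encode_varint(0) + b"\xff\xff\xff\xff")
    # OP_DUP OP_HASH160 <20-byte placeholder hash> OP_EQUALVERIFY OP_CHECKSIG
    pay_script = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    push = bytes([len(payload)]) if len(payload) <= 0x4B else b"\x4c" + bytes([len(payload)])
    data_script = bytes([OP_RETURN]) + push + payload
    vout = (_encode_varint(2)
            + struct.pack("<q", 50_000) + _encode_varint(len(pay_script)) + pay_script
            + struct.pack("<q", 0) + _encode_varint(len(data_script)) + data_script)
    return version + vin + vout + struct.pack("<I", 0)  # trailing locktime


# Constructed placeholder payload; stands in for an encrypted configuration blob.
SAMPLE_PAYLOAD = b"EXAMPLE-ENCRYPTED-C2-BLOB:" + bytes(range(16))
SAMPLE_TX = build_sample_tx(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for msg in extract_messages(SAMPLE_TX):
        print(f"OP_RETURN payload ({len(msg)} bytes): {msg.hex()}")
```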

Read more: https://cryptonews.com/news/unstoppable-malware-uses-bitcoin-to-retrieve-secret-messages-6947.htm


Woman who deliberately deleted firm’s Dropbox is sentenced

58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

The Police warned other companies of the threat which can be posed by former employees:

Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.

Read more: https://hotforsecurity.bitdefender.com/blog/woman-who-deliberately-deleted-firms-dropbox-is-sentenced-23552.html


EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers

EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.

More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.

EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people were also accessed.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”

Read more here: https://www.bloomberg.com/news/articles/2020-06-24/easyjet-lawsuit-over-data-breach-attracts-10-000-passengers


Twitter apologises for business data breach

Twitter has emailed its business clients to tell them that personal information may have been compromised.

Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.

In an email to its clients, Twitter said it was "possible" others could have accessed personal information.

The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.

The tech company says that there is no evidence that clients' billing information was compromised.

Read more here: https://www.bbc.co.uk/news/technology-53150157


Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online

Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.

Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement.

The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.

DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.

Read more here: https://www.cbronline.com/news/blue-leaks-data-dump


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

Cyber Weekly Flash Briefing 19 June 2020: Widespread Office 365 phishing attacks, new cyber storm as businesses reopen, cyber spies use LinkedIn, largest ever DDoS attack, Ripple20 IoT vulns

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:


Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

Over the last few years, the adoption of Office 365 in the corporate sector has significantly increased. Its popularity has attracted the attention of cyber criminals who launch phishing campaigns specifically to attack the platform. As 90% of cyber-attacks start with a phishing campaign, Office 365 is an attractive target for threat actors who work to evade the continuously introduced security solutions.

Recently, a seemingly unsophisticated Office 365 phishing campaign caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365 themed phishing website. The hackers took advantage of the fact that access to a reputable domain, such as Samsung’s, would not be blocked by security software.

To expand their campaign, the attackers also compromised several websites to inject a script that imitates the same mechanism offered by the Adobe redirection service. Further investigation revealed that the actors behind the campaign implemented a few other interesting tricks to hide the phishing kit and avoid detection at each stage of the attack.

Read more here: https://research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/


Guernsey Police warn businesses in Guernsey using Office 365 also targeted by scammers

Guernsey Police are warning local businesses about an online scam targeting users of Office 365.

Officers have been in contact with several businesses using the service who have fallen victim to phishing scams which have allowed hackers access to their email inbox.

The hackers then distribute malicious links to their contacts.

Police say using multi-factor authentication can help keep personal data safe.

Anyone who receives an unexpected email from someone they trust containing a link should contact them directly to make sure they sent it.

Read more: https://www.itv.com/news/channel/2020-06-18/guernsey-businesses-using-office-365-targeted-by-scammers/


As Businesses Reopen, A New Storm Of Cybercrime Activity Looms

There is nothing ordinary about the amount of disruption that will impact our lives moving forward as countries and states reopen following the coronavirus pandemic. In the context of the cloud, disruptions caused by COVID-19 have opened the door to another type of virus: cybersecurity threats. Today we are witnessing a rapid rise of opportunistic cybercriminal activity taking advantage of the chaos created by COVID-19.

Concerns about economic recovery and a potential second wave of human infection abound. Still, the concern for many companies should also include heightened cybersecurity threats that can easily break companies before they have a chance to relaunch. For the many companies that are already fighting to remain afloat due to challenges faced during COVID-19, a cybersecurity breach could quickly mean the end. As businesses navigate this “new normal,” they must address weaknesses in their IT strategies exposed by COVID-19 and consider implementing a better preparedness plan to avoid long-term damage.

Read more: https://www.forbes.com/sites/emilsayegh/2020/06/18/as-businesses-reopen-a-new-storm-of-cybercrime-activity-looms/#44f38a9a1a4b


Microsoft: COVID-19 malware attacks were barely a blip in total malware volume

Microsoft says that despite all the media headlines over the past few months, malware attacks that abused the coronavirus (COVID-19) theme have barely been a blip in the total volume of threats the company sees each month.

These COVID-19 attacks included emails carrying malicious file attachments (also referred to as malspam) and emails containing malicious links that redirect users to phishing sites or malware downloads.

According to Microsoft's Threat Protection Intelligence Team, the first attacks abusing a COVID-19 lure started after the World Health Organization (WHO) declared COVID-19 a global pandemic on January 30.

As the world yearned to learn more about this new disease, attacks intensified, and they peaked in March when most of the world's countries enforced stay-at-home measures.

"The week following [the WHO] declaration saw these attacks increase eleven-fold," Microsoft said. "By the end of March, every country in the world had seen at least one COVID-19 themed attack."

Read more: https://www.zdnet.com/article/microsoft-covid-19-malware-attacks-were-barely-a-blip-in-total-malware-volume/


Cyber spies use LinkedIn to hack European defence firms

LONDON (Reuters) - Hackers posed as recruiters working for U.S. defence giants Collins Aerospace and General Dynamics (GD.N) on LinkedIn to break into the networks of military contractors in Europe, cyber security researchers said on Wednesday.

The cyber spies were able to compromise the systems of at least two defence and aerospace firms in Central Europe last year by approaching employees with pseudo job offers from the U.S. firms.

The attackers then used LinkedIn’s private messaging feature to send documents containing malicious code which the employees were tricked into opening.

The researchers declined to name the victims, citing client confidentiality, and said it was unclear if any information was stolen. General Dynamics and Collins Aerospace, which is owned by Raytheon Technologies (RTX.N), declined immediate comment.

The researchers were unable to determine the identity of the hackers but said the attacks had some links to a North Korean group known as Lazarus, which has been accused by U.S. prosecutors of orchestrating a string of high-profile cyber heists on victims including Sony Pictures and the Central Bank of Bangladesh.

Read more here: https://uk.reuters.com/article/us-cyber-linkedin-hacks/cyber-spies-use-linkedin-to-hack-european-defence-firms-idUKKBN23O2L7


Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'

Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”

Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis, but not-compulsory step, of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.

But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.

Read more here: https://www.theregister.com/2020/06/19/australia_state_cyberattack/


Google removes 106 Chrome extensions for collecting sensitive user data

Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data.

The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published this week.

These extensions posed as tools to improve web searches, to convert files between different formats, to act as security scanners, and more.

But in reality the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).

Read more here: https://www.zdnet.com/article/google-removes-106-chrome-extensions-for-collecting-sensitive-user-data/


AWS stops largest DDoS attack ever

Amazon has revealed that its AWS Shield service was able to mitigate the largest DDoS attack ever recorded at 2.3 Tbps back in February of this year.

The company's new AWS Shield Threat Landscape report provided details on this attack and others mitigated by its AWS Shield protection service.

While the report did not identify the AWS customer targeted in the DDoS attack, it did say that the attack itself was carried out using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and lasted for three days.

Read more: https://www.techradar.com/news/aws-stops-largest-ddos-attack-ever


Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centres, power grids, and elsewhere.

The flaws, dubbed Ripple20, include multiple remote code execution vulnerabilities and affect "hundreds of millions of devices (or more)."

Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.

Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.

Read more: https://www.infosecurity-magazine.com/news/ripple20-vulnerabilities-discovered/


Unpatched vulnerability identified in 79 Netgear router models

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.

The vulnerability was discovered independently by two security researchers, namely Adam Nichols from cyber-security firm GRIMM and a researcher going by the nickname d4rkn3ss, who works for Vietnamese internet service provider VNPT.

According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.

This lack of proper security protections opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.

More here: https://www.zdnet.com/article/unpatched-vulnerability-identified-in-79-netgear-router-models/


New Mac malware uses 'novel' tactic to bypass macOS Catalina security

Security researchers have discovered a new Mac malware in the wild that tricks users into bypassing modern macOS app security protections.

In macOS Catalina, Apple introduced new app notarization requirements. The features, baked into Gatekeeper, discourage users from opening unverified apps — requiring malware authors to get more creative with their tactics.

As an example, researchers have discovered a new Trojan horse malware actively spreading in the wild via poisoned Google search results that tricks users into bypassing those protections themselves.

The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer. But once it's mounted on a user's machine, it displays instructions guiding users through the malicious installation process.

Read more: https://appleinsider.com/articles/20/06/18/new-mac-malware-uses-novel-tactic-to-bypass-macos-catalina-security


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

What is the CIA, or AIC, Triad? Cyber Tip Tuesday video


Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony talks about the CIA, or AIC, triad

What is the CIA triad, or AIC triad to distinguish it from one of the US intelligence agencies?

C, I & A relate to Confidentiality, Integrity and Availability.

Confidentiality is the protection of IT assets and data from unauthorised users. Integrity is ensuring that data is accurate, able to be relied upon and has not been changed or modified in an unauthorised manner and availability is ensuring that IT assets, data and networks are available to authorised users when they need it to be.

A loss of any one of these could be catastrophic to your business so you need to make sure you have appropriate controls in place to protect and if necessary recover from any problems.

Talk to us to see how we can help you.

Black Arrow Admin

Cyber Weekly Flash Briefing 12 June 2020: Honda Hit by Ransomware, Crooks hijack "Black Lives Matter" to spread malware, flaw exposes millions of devices, 60% of firms expect attacks by email


Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.




Honda Hit by Ransomware: Attack Follows Major 2019 Data Breach

Honda has confirmed a cyber attack on its networks that is widely believed to have involved deployment of the “Snake” ransomware.

The £22 billion by market capitalisation automotive giant has admitted that production, sales and development activities are all hit.

Chatter on social networks suggests production globally has been stopped.

The attack comes after Honda last year left an Elasticsearch database exposed to the public, with upwards of 40GB of data relating to the firm’s internal systems and devices spotted by security researchers.

Read more here: https://www.cbronline.com/news/honda-hacked-data-breach


Crooks hijack “Black Lives Matter” to spread zombie malware

Community-focused cyber security website abuse.ch has warned of a malware spreading campaign that is using “Black Lives Matter” to draw victims in.

Sneakily, the crooks have broadened the reach of their attack by keeping their emails short and objective – the crooks very deliberately haven’t taken a social or political position, but have instead invited recipients to comment anonymously on the issue.

Samples seen have their subject, body text, attachment description and filename chosen randomly each time from a list of similar text strings.

Read more here: https://nakedsecurity.sophos.com/2020/06/11/crooks-hijack-black-lives-matter-to-spread-zombie-malware/


Hackers for hire ‘targeted hundreds of institutions’

A hackers-for-hire group dubbed “Dark Basin” has targeted thousands of individuals and hundreds of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies, according to the internet watchdog Citizen Lab. 

Researchers discovered almost 28,000 web pages created by hackers for personalised “spear phishing” attacks designed to steal passwords, according to a report published on Tuesday by Citizen Lab, part of the University of Toronto’s Munk School. 

Read more: https://www.ft.com/content/315aceba-935a-4e70-83c4-1d1fd7cf939b


Is a ‘Cyber Pandemic’ Coming?

For more than a decade, security leaders predicted that a “Cyber Pearl Harbour” or “Cyber 9/11” was coming that would dramatically change society as we know it.

However, over the past few years, these bold predictions that the Internet sky is falling have largely dropped off the map — until this past week under a new name.

The main reason that most cyber prognosticators dropped these scary predictions seemed to be that an overdose of Fear, Uncertainty and Doubt (FUD) was bad for business and was getting old. Like constantly predicting the stock market will crash, people were getting tired of these messages. Instead, most experts shifted to a more pragmatic approach to future cybersecurity predictions, with ample research backing up claims.

But this trend quietly changed this past week, under a new name inspired by COVID-19.

While the majority of people were focused this past week on peaceful protests against police brutality and the death of George Floyd, or rioting in some cities, or the surprisingly positive jobs numbers and stock market performance, several well-respected leaders and groups are now predicting that a “cyber pandemic” is coming soon.

Read more here: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/is-a-cyber-pandemic-coming.html


UPnP flaw exposes millions of network devices to attacks over the Internet

Millions of routers, printers, and other devices can be remotely commandeered by a new attack that exploits a security flaw in the Universal Plug and Play network protocol, a researcher said.

CallStranger, as the exploit has been named, is most useful for forcing large numbers of devices to participate in distributed denial of service—or DDoS—attacks that overwhelm third-party targets with junk traffic. CallStranger can also be used to exfiltrate data inside networks even when they’re protected by data loss prevention tools that are designed to prevent such attacks. The exploit also allows attackers to scan internal ports that would otherwise be invisible because they’re not exposed to the Internet.

Billions of routers and other so-called Internet-of-things devices are susceptible to the attack; however, a vulnerable device must have UPnP, as the protocol is known, exposed to the Internet.

The 12-year-old UPnP protocol simplifies the task of connecting devices by allowing them to automatically find each other over a network.

Read more here: https://arstechnica.com/information-technology/2020/06/upnp-flaw-exposes-millions-of-network-devices-to-attacks-over-the-internet/


Unsecured databases bombarded by cyberattacks

Security researchers often report finding unsecured databases online, waiting to be discovered and exploited. Sometimes, these databases remain unprotected for only a few hours, and on other occasions could sit open for weeks.

New research from Comparitech shows that hackers are able to identify and exploit these unprotected databases much faster than businesses might think.

The firm set up a fake user database, which it intentionally exposed via an Elasticsearch instance. Only eight hours later, the database received its first unauthorised request (Comparitech broadly refers to these requests as “attacks”).

Five days later, the database was indexed on Shodan.io (an IoT search engine) and incurred two new attacks within a minute of the event, and 22 in total that day.

Over the course of the 12-day experiment, the database was attacked 175 times.

Read more here: https://www.itproportal.com/news/unsecured-databases-bombarded-by-cyberattacks/


60 percent of organizations expect to suffer attacks by email

Email is still a favourite attack route for cyber criminals, a new study reveals. While 77 percent of respondents to the survey say they have, or are actively rolling out, a cyber resilience strategy, an astounding 60 percent of respondents believe it is inevitable or likely that they will suffer from an email-borne attack in the coming year.

The same threats that organisations have faced for years continue to play out with tactics matched to world events to evade detection. The increases in remote working due to the global pandemic have only amplified the risks businesses face from these threats, making the need for effective cyber resilience essential.

Read more: https://betanews.com/2020/06/09/attacks-by-email/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

Cyber Weekly Flash Briefing 05 June 2020: half of WFH staff cutting security corners, C-Level weak link in security, 80% of firms suffer cloud breach, NSA warn of Kremlin attacks, malware-laced CVs


Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.




Half of employees admit they are cutting corners when working from home

Half of employees are cutting corners with regards to cyber security while working from home – and could be putting their organisation at risk of cyber attacks or data breaches as a result.

The coronavirus pandemic has forced both employers and employees to quickly adjust to remote working – and, often without the watchful eyes of IT and information security teams, workers are taking more risks online and with data than they would at the office.

Analysis by researchers reveals that 52% of employees believe they can get away with riskier behaviour when working from home, such as sharing confidential files via email instead of more trusted mechanisms.

Some of the top reasons employees aren't completely following the same safe data practices as usual include working from their own device, rather than a company issued one, as well as feeling as if they can take additional risks because they're not being watched by IT and security.

In some cases, employees aren't purposefully ignoring security practices, but distractions while working from home are having an impact on how people operate.

Meanwhile, some employees say they're being forced to cut security corners because they're under pressure to get work done quickly.

Half of those surveyed said they've had to find workarounds for security policies in order to efficiently do the work they're required to do – suggesting that in some cases, security policies are too much of a barrier for employees working from home to adapt to.

Read more here: https://www.zdnet.com/article/cybersecurity-half-of-employees-admit-they-are-cutting-corners-when-working-from-home/


C-Level Executives the Weakest Link in Organisations’ Mobile Security

C-suite executives are the people most susceptible to mobile-based cyber-attacks in businesses, according to a new study. The report found that while these executives are highly targeted by cyber-criminals in attacks on organisations, they are also more likely than anyone else to have a relaxed attitude to mobile security.

In the analysis, research from 300 enterprise IT decision makers across Benelux, France, Germany, the UK and the US was combined with findings from 50 C-level executives from the UK and the US. It revealed that many C-level executives find mobile security protocols frustrating, with 68% feeling IT security compromises their personal privacy, 62% stating it limits the usability of their device and 58% finding it too complex to understand.

As a result of these issues, 76% of C-suite executives had asked to bypass one or more of their organisation’s security protocols last year. This included requests to: gain network access to an unsupported device (47%), bypass multi-factor authentication (45%) and obtain access to business data on an unsupported app (37%).

These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach. Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, multi-factor authentication – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-suite execs.

To exacerbate this issue, IT decision makers included in the study overwhelmingly stated that C-suite is the group most likely to both be targeted by (78%), and fall victim to (71%), phishing attacks.

These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cyber security, while execs often see themselves as above security protocols.

Read more: https://www.infosecurity-magazine.com/news/executives-weakest-link-mobile/


Majority of companies suffered a cloud data breach in the past 18 months

Nearly 80% of companies have experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new survey reveals.

According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.

Meanwhile, 80% reported they are unable to identify excessive access to sensitive data in IaaS/PaaS environments. Only hacking ranked higher than misconfiguration errors as a source of data breaches.

Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments.

Read the original article here: https://www.helpnetsecurity.com/2020/06/03/cloud-data-breach/


NSA and NCSC publicly warn of attacks by Kremlin hackers – so take this critical Exim flaw seriously

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance agency said last week that the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

Read more here: https://www.theregister.com/2020/05/29/nsa_warns_of_gru/


Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise’

Cisco has disclosed four critical security flaws affecting router equipment that uses its IOS XE and IOS software.

The four critical flaws are part of Cisco's June 3 semi-annual advisory bundle for IOS XE and IOS networking software, which includes 23 advisories describing 25 vulnerabilities.

Read more: https://www.zdnet.com/article/ciscos-warning-critical-flaw-in-ios-routers-allows-complete-system-compromise/


Malware-laced CVs steal banking credentials from users' PCs

If you work for a financial institution that happens to be hiring, be extra careful when downloading and opening CVs - many could be carrying a password-stealing banking malware.

This is according to a new report which identified the new malware distribution campaign in the wild.

According to the report, criminals are sending out emails with the subject lines “applying for a job” and “regarding job”, containing an Excel attachment with a malicious macro. Once the file is opened, the victim is prompted to “enable content”, which triggers the download of ZLoader malware.

ZLoader is capable of stealing credentials from the infected PC, as well as passwords and cookies stored in the target’s browser. With the stolen intel, the attacker could also use the victim’s device to make illicit financial transactions.

Read more: https://www.itproportal.com/news/malware-laced-cvs-steal-banking-credentials-from-users-pcs/


Hackers are targeting your smartphone as way into the company network, mobile phishing up a third in a few months

The number of phishing attacks targeting smartphones as the entry point for attempting to compromise enterprise networks has risen by more than a third over the course of just a few months.

Analysis by cyber security company Lookout found that there's been a 37% increase in mobile phishing attacks worldwide between the last three months of 2019 and the first few months of 2020 alone.

Phishing emails have long been a problem for desktop and laptop users, but the increased use of mobile devices – especially as more people are working remotely – has created an additional attack vector for cyber criminals who are targeting both Android and iOS phones.

Attacks targeting desktop email applications can leave tell-tale signs that something might not be quite right, such as being able to preview links and attachments, or see email addresses and URLs that might look suspicious.

However, this is harder to spot on mobile email, social media and messaging applications because of the way they're designed for smaller screens.

Read more here: https://www.zdnet.com/article/cybersecurity-warning-hackers-are-targeting-your-smartphone-as-way-into-the-company-network/


Tens of thousands of malicious Android apps flooding user devices

Tens of thousands of dangerous Android apps are putting mobile users at heightened risk of fraud and cyber attack, a report has claimed.

A mobile security firm identified over 29,000 malicious Android apps in active use during Q1 2020, double the number logged in the same quarter last year (just over 14,500).

The investigation also showed that almost all (90%) of the ten most malicious apps were - or are still - present on the official Google Play Store. This suggests that hackers consistently found ways to dance their way through Google’s vetting system.

In line with this trend, this time period also saw a 55% rise in fraudulent transactions on Android platforms, as well as a spike in the number of malware-infected devices.

Read more here: https://www.techradar.com/news/tens-of-thousands-of-malicious-android-apps-flooding-google-play-store


George Floyd: Anonymous hackers re-emerge amid US unrest

As the United States deals with widespread civil unrest across dozens of cities, "hacktivist" group Anonymous has returned from the shadows.

The hacker collective was once a regular fixture in the news, targeting those it accused of injustice with cyber-attacks.

After years of relative quiet, it appears to have re-emerged in the wake of violent protests in Minneapolis over the death of George Floyd, promising to expose the "many crimes" of the city's police to the world.

However, it's not easy to pin down what, if anything, is genuinely the mysterious group's work.

The "hacktivist" collective has no face, and no leadership. Its tagline is simply "we are legion", referring to its allegedly large numbers of individuals.

Without any central command structure, anyone can claim to be a part of the group.

This also means that members can have wildly different priorities, and there is no single agenda.

But generally, they are activists, taking aim at those they accuse of misusing power. They do so in very public ways, such as hijacking websites or forcing them offline.

Their symbol is a Guy Fawkes mask, made famous by Alan Moore's graphic novel V for Vendetta, in which an anarchist revolutionary dons the mask to topple a corrupt fascist government.

Read the original article: https://www.bbc.co.uk/news/technology-52879000


EasyJet Cyber Attack Likely the Work of Chinese Hackers

The recent high-profile cyber attack that struck British budget airline easyJet may have been carried out by Chinese hackers, new research and multiple sources have suggested.

The cyber attack, which saw the email addresses and travel details of millions of passengers being robbed—as well as the credit card details of some 2,000—was reportedly conducted by the very same group of Chinese hackers responsible for other attacks on a number of airlines in recent months.

Read more: https://www.cpomagazine.com/cyber-security/easyjet-cyber-attack-likely-the-work-of-chinese-hackers/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

The Role of HR in Cyber Security - Cyber Tip Tuesday video


In this week's Tip Tuesday, Bruce looks at the role of HR in Cyber Security.

Cyber Security, and the wider field of Information Security, require a combination of technical controls and people controls to reduce risk. HR has a major role in both.

This is more than education and awareness programmes.

It's about ensuring the leadership team demonstrate consistently good practices, because employees watch what their leaders do and will follow their behaviours more than their words.

HR should also work with managers to drive an appropriate conduct management for employees who deliberately circumvent or disregard cyber security controls.

I am not talking about punishing honest mistakes, because it is important to foster a culture where employees quickly admit mistakes.

I am talking here about employees who do things like repeatedly sharing passwords, or leaving their computer screen unlocked, or leaving confidential papers on their desk overnight. Or worse, an employee who abuses their system access privileges or makes fraudulent transactions.

Contact us to see how people controls and technical controls fit together as part of your defence in depth.

Black Arrow Admin

Cyber Weekly Flash Briefing 29 May 2020: Criminals impersonate Google to target remote workers, ransomware up 950% in 2019, cloud collab tool use surges along with attacks, EasyJet £18 billion suit


Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.




Cyber-Criminals Impersonating Google to Target Remote Workers

Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.

According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try to trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.

Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).

Read the full article here: https://www.infosecurity-magazine.com/news/cyber-criminals-impersonating/


Ransomware Demands Soared 950% in 2019

Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data.

A new report claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.

As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.

The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.

Read more: https://www.infosecurity-magazine.com/news/ransomware-demands-soared-950-in/


Use of cloud collaboration tools surges and so do attacks

The COVID-19 pandemic has pushed companies to adapt to new government-mandated restrictions on workforce movement around the world. The immediate response has been rapid adoption and integration of cloud services, particularly cloud-based collaboration tools such as Microsoft Office 365, Slack and videoconferencing platforms. A new report shows that hackers are responding to this with an increased focus on abusing cloud account credentials.

Analysis of cloud usage data collected between January and April from over 30 million enterprise users indicated a 50% growth in the adoption of cloud services across all industries. Some industries, however, saw a much bigger spike, for example manufacturing with 144% and education with 114%.

The use rate of certain collaboration and videoconferencing tools has been particularly high. Cisco Webex usage has increased by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%. Again, manufacturing and education ranked at the top.

More here: https://www.csoonline.com/article/3545775/use-of-cloud-collaboration-tools-surges-and-so-do-the-attacks-report-shows.html


Huge rise in hacking attacks on home workers during lockdown

Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.

The proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later, according to new data.

Attacks specifically aimed at exploiting the chaos wrought by Sars-CoV-2 have been evident since January, when the outbreak started to garner international news headlines.

The attacks have increased in sophistication, specifically targeting coronavirus-related anxieties rather than the more usual attempts at financial fraud or extortion.

In early May “a large malicious email campaign” was detected against UK businesses that told employees they could choose to be furloughed if they signed up to a specific website.

Read more here: https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown?CMP=share_btn_tw


EasyJet faces £18 billion class-action lawsuit over data breach

UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach.

Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyber attack, including over 2,200 credit card records.

The "highly sophisticated" attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers.

The carrier did not explain how or exactly when the data breach took place, beyond that "unauthorized access" has been "closed off."

The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified, the latter of which has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security.

Last year, British Airways faced a "notice of intent" filed by the ICO to fine the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.

Read the full article here: https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/


Data Breach at Bank of America

Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).

Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.

The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.

Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.

More Here: https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/


Apple sends out 11 security alerts – get your fixes now!

Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.

There were 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.

11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.

Read more: https://nakedsecurity.sophos.com/2020/05/27/apple-sends-out-11-security-alerts-get-your-fixes-now/


NSA warns of new Sandworm attacks on email servers

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyber attacks against email servers conducted by one of Russia's most advanced cyber-espionage units.

The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability.

Read more: https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/


DoubleGun Group Builds Massive Botnet Using Cloud Services

An operation from the China-based cybercrime gang known as DoubleGun Group has been disrupted, which had amassed hundreds of thousands of bots that were controlled via public cloud services, including Alibaba and Baidu Tieba.

Researchers said in a recent post that they noticed DNS activity in their telemetry that traced back to a suspicious domain controlling large numbers of infected Windows devices. Analysis of the operation's command-and-control (C2) infrastructure and of the malware used to build the botnet showed that the effort could be attributed to a known threat group, DoubleGun, a.k.a. ShuangQiang.

Read more: https://threatpost.com/doublegun-massive-botnet-cloud-services/156075/


Malicious actor holds at least 31 stolen SQL databases for ransom

A malicious cyber actor or hacking collective has reportedly been sweeping the internet for online stores’ unsecured SQL databases, copying their contents, and threatening to publish the information if the rightful owners don’t pay up.

The perpetrator has stolen the copied versions of at least 31 SQL databases, which have been put up for sale on an unnamed website. These databases constitute roughly 1.620 million rows of information, including e-commerce customers’ names, usernames, email addresses, MD5-hashed passwords, birth dates, addresses, genders, account statuses, histories and more.

Read more: https://www.scmagazine.com/home/security-news/data-breach/malicious-actor-holds-at-least-31-stolen-sql-databases-for-ransom/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

Cyber Weekly Flash Briefing 22 May 2020: EasyJet say 9m customers hacked, firm phishes its own staff and 20% fail, 60% insider threats involve staff planning to leave, 1 in 10 WFH Brits breach GDPR

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


If you’re pressed for time watch the 60 second quick fire video summary of the top cyber and infosec stories from the last week:


EasyJet admits data of nine million hacked

EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers.

It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details "accessed".

The firm has informed the UK's Information Commissioner's Office while it investigates the breach.

EasyJet first became aware of the attack in January.

It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.

"This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted," the airline told the BBC.

Read more here: https://www.bbc.co.uk/news/technology-52722626


To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Code hosting site GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.

The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.

The GitLab security personnel playing the role of attackers obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google's GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab's IT department.

Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain 'gitlab.company'.

Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.

According to Verizon's 2020 Data Breach Investigations Report, 22 per cent of data exposure incidents involved phishing, and phishing accounted for about 90 per cent of incidents involving social interaction.

Read the original article here: https://www.theregister.co.uk/2020/05/21/gitlab_phishing_pentest/


60% of Insider Threats Involve Employees Planning to Leave

More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analysed in a new study.

Researchers analysed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behaviour between two weeks and two months ahead of their last day, the researchers discovered.

Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).

Today's insider threats look different from those a few years ago. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.

Read more here: https://www.darkreading.com/risk/60--of-insider-threats-involve-employees-planning-to-leave/d/d-id/1337876


One in ten home working Brits are not GDPR compliant

Remote working may have improved the work-life balance of many Brits, but it has also made organisations more likely to fall foul of GDPR.

This is according to a new report from IT support company ILUX, which found that a tenth of workers in the UK do not believe their remote working practices are compliant.

Based on a poll of 2,000 UK-based home workers, the report hints the problem could stem from the adoption of BYOD initiatives, explaining that personal technology for work could be the catalyst for respondents' concerns.

There is also the issue of support, with two thirds of respondents feeling they have lacked sufficient support from business owners during the pandemic. One tenth of the respondents considered their managers too busy or stressed to warrant approaching.

Asking employees to work from home and then not providing the right computer systems and security measures is a recipe for disaster.

The last thing any business needs at this time is to lose valuable data, leave themselves open to cyber attacks or phishing and leave themselves vulnerable to the unknown. It may only seem like a small number, but it’s best not to be in that ten percent.

Remote staff should be provided with company devices on which to work, protected with the latest security patches and cyber security solutions.

Read more here: https://www.itproportal.com/news/one-in-ten-home-working-brits-are-not-gdpr-compliant/


SMBs see cyberattacks that rhyme with large enterprises due to cloud shift

Small businesses are increasingly seeing the same cyberattacks and techniques as large enterprises in contrast with previous years, according to the 2020 Verizon Data Breach Investigations Report.

The last time Verizon researchers tracked small business attacks was in the 2013 DBIR. At that time, SMBs were hit with payment card cybercrime. Today, the attacks are aimed at web applications and at errors due to misconfiguration. Meanwhile, external attackers are targeting SMBs just like large enterprises, according to Verizon.

Verizon found that small companies with less than 1,000 employees are seeing the same attacks as large enterprises. Why? SMBs have adjusted their business models to be more cloud based and rhyme more with large companies.

Read the full article: https://www.zdnet.com/article/smbs-see-cyberattacks-that-rhyme-with-large-enterprises-due-to-cloud-shift/


Microsoft warns of huge email phishing scam - here's how to stay protected

Microsoft has issued an alert to users concerning a new widespread Covid-19 themed phishing campaign.

The threat installs a remote administration tool to completely take over a user's system and even execute commands on it remotely.

The Microsoft Security Intelligence team provided further details on this ongoing campaign in a series of tweets in which it said that cybercriminals are using malicious Excel attachments to infect user's devices with a remote access trojan (RAT).

The attack begins with potential victims receiving an email that impersonates the Johns Hopkins Center. This email claims to provide victims with an update on the number of coronavirus-related deaths in the US. Attached to the email is an Excel file that, when opened, displays a chart showing the number of deaths in the US.

Read more here: https://www.techradar.com/uk/news/microsoft-warns-of-huge-phishing-attack-heres-how-to-stay-safe


Security threats associated with shadow IT

As cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organisations’ security posture intact. When it comes to remote working, one of the major issues facing enterprises is shadow IT.

End users eager to adopt the newest cloud applications to support their remote work are bypassing IT administrators and in doing so, unknowingly opening both themselves and their organization up to new threats.

You’ve probably heard the saying, “What you don’t know can’t hurt you.” In the case of shadow IT, it’s the exact opposite – what your organisation doesn’t know truly can and will hurt it.

Shadow IT might sound great at surface level if you think of it as tech-savvy employees and departments deploying collaborative cloud apps to increase productivity and meet business goals. However, there’s a lot more going on below the surface, including increased risk of data breaches, regulation violations and compliance issues, as well as the potential for missed financial goals due to unforeseen costs.

One solution to risks associated with shadow IT is to have workers only use cloud apps that have been vetted and approved by your IT department. However, that approach is oftentimes not possible when shadow apps are acquired by non-IT professionals who have little to no knowledge of software standardization. Additionally, when shadow SaaS apps are used by employees or departments the attack area is hugely increased because many are not secure or patched. If IT departments are unaware of an app’s existence, they can’t take measures to protect companies’ data or its users.

Another solution that organisations use is attempting to block access to cloud services that don’t meet security and compliance standards. Unfortunately, there is a vast discrepancy between the intended block rate and the actual block rate; this gap, called the “cloud enforcement gap”, represents shadow IT acquisition and usage.

Read more here: https://www.helpnetsecurity.com/2020/05/18/security-shadow-it/


Supercomputers hacked across Europe to mine cryptocurrency

Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.

Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumoured to have also happened at a high-performance computing centre located in Spain.

The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported "security exploitation on the ARCHER login nodes," shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.

Read more here: https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/


Powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones

A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.

Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.

The attacker can browse and collect all data on the device, steal credentials for accounts including banking applications, secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.

Read the original article here: https://www.zdnet.com/article/this-powerful-android-malware-stayed-hidden-years-infected-tens-of-thousands-of-smartphones/


Strain of ransomware goes fileless to make attacks untraceable

Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.

Instead of compiling the malware and storing it on disk, the adversaries write it in PowerShell and execute it directly in memory. This is stealthier than regular DLL injection: besides not needing the DLL file on disk, it does not need the Windows loader to inject it, so the DLL is never registered as a loaded module of the process, which evades DLL load monitoring tools.
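Because the loading described above leaves no DLL on disk and no loaded-module record, defenders cannot rely on file or module monitoring for it and instead lean on PowerShell script block logging. The following is an added example, not code from the original article or from any vendor named in it: a small Python triage routine that scores PowerShell script-block log entries for indicators commonly associated with reflective in-memory loading (P/Invoke declarations of memory-allocation APIs, `[Reflection.Assembly]::Load`, large embedded base64 literals). The indicator list, weights, alert threshold and the sample log entries are all constructed for illustration and are assumptions, not an official rule set.

```python
"""Added example: triage PowerShell script-block log entries for in-memory
loading indicators.  Indicator names, weights and threshold are assumptions
chosen for illustration, not an official detection rule set."""
import re
from typing import Dict, List, Tuple

# Constructed base64-looking blob so the sample entry resembles an embedded
# payload.  It is just "ABC" repeated; it decodes to nothing meaningful.
_BLOB = "QUJD" * 64  # 256 valid base64 characters

# Constructed sample entries in the shape script block logging produces
# (Windows PowerShell Event ID 4104): a record id plus the executed script text.
SAMPLE_ENTRIES: List[Tuple[int, str]] = [
    (101, "Get-ChildItem C:\\Users\\*\\Documents -Recurse | Measure-Object"),
    (102, "Get-Service | Where-Object Status -eq 'Running' | Export-Csv services.csv"),
    (103, (
        'Add-Type -TypeDefinition \'[DllImport("kernel32")] public static extern '
        "IntPtr VirtualAlloc(IntPtr a, uint b, uint c, uint d);'; "
        f'$b = [Convert]::FromBase64String("{_BLOB}"); '
        "[System.Reflection.Assembly]::Load($b) | Out-Null"
    )),
    (104, "Invoke-WebRequest https://updates.example.test/patch.ps1 -OutFile patch.ps1"),
]

# Heuristic indicators (assumed for this example).  Each is a pattern that
# rarely appears in routine administrative scripts but is typical of code
# that maps and runs a module in memory without touching the loader.
INDICATORS: Dict[str, re.Pattern] = {
    # P/Invoke'd memory management / thread creation APIs
    "native_memory_api": re.compile(
        r"\b(VirtualAlloc(Ex)?|VirtualProtect|WriteProcessMemory|CreateRemoteThread)\b", re.I),
    # Loading a .NET assembly straight from a byte array
    "reflective_assembly_load": re.compile(
        r"\[\s*(System\.)?Reflection\.Assembly\s*\]::Load\s*\(", re.I),
    # Declaring kernel32 imports inline via Add-Type / DllImport
    "pinvoke_kernel32": re.compile(r"DllImport\(\s*[\"']kernel32", re.I),
    # A large base64 literal fed to FromBase64String (embedded binary payload)
    "large_base64_literal": re.compile(
        r"FromBase64String\(\s*[\"'][A-Za-z0-9+/=]{200,}", re.I),
}

WEIGHTS: Dict[str, int] = {
    "native_memory_api": 3,
    "reflective_assembly_load": 3,
    "pinvoke_kernel32": 2,
    "large_base64_literal": 2,
}
ALERT_THRESHOLD = 5  # assumption: two strong indicators, or one strong plus one weak


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one script block."""
    matched = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    return sum(WEIGHTS[name] for name in matched), matched


def triage(entries: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Return alert records for entries whose score reaches the threshold."""
    alerts: List[Dict[str, object]] = []
    for record_id, text in entries:
        score, matched = score_script_block(text)
        if score >= ALERT_THRESHOLD:
            alerts.append({"record_id": record_id, "score": score, "indicators": matched})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_ENTRIES):
        print(alert)
```

Run directly, it prints one alert for record 103 and nothing for the routine administrative entries. In practice the entries would be read from the PowerShell Operational event log with script block logging enabled, and the weights and threshold would be tuned against the organisation's own baseline of legitimate scripts before the rule is allowed to page anyone.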

Read more here: https://www.scmagazine.com/home/security-news/ransomware/netwalker-ransomware-actors-go-fileless-to-make-attacks-untraceable/


Smartphones, laptops, IoT devices vulnerable to new Bluetooth attack

Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices.

The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR, or just Bluetooth Classic.

A bug in the bonding authentication process can allow an attacker to spoof the identity of a previously paired/bonded device and successfully authenticate and connect to another device without knowing the long-term pairing key that was previously established between the two.

Once a BIAS attack is successful, the attacker can then access or take control of another Bluetooth Classic device.

Read more here: https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin

Our latest published article - Boards, not IT, are responsible for Cyber and Information Security

In the 19 May 2020 Guernsey Press ‘Wealth & Investments’ supplement

The online version of the supplement can be found here: https://edition.pagesuite-professional.co.uk/html5/reader/production/default.aspx?pubname=&pubid=b3a7a6a9-d5c4-49ea-94d5-aefb3f6072a9
