Blog

Ironshare's latest posts ready to view and share.

Cyber Round-up

Cyber Round-up for 1st October


Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

2020’s Cybersecurity Nightmare

2020 has seen the majority of companies shut their offices and move their employees to remote working as a result of the pandemic. While remote working has allowed businesses to continue operating, it has introduced a whole new list of security issues; instant messaging and video conferencing applications have become a necessity in the absence of face-to-face meetings, and their rapid introduction has kept IT departments' hands full. 55% of businesses now say that remote working has left them significantly more vulnerable to cyber attack, yet very few are focusing on security improvements; the figure rises to 70% for large companies with more than 5,000 employees. With the increase in COVID-related threats, now is the time to bolster your organisation's security.

By InfoSecurity-Magazine.com

Facebook Grant Phishing Scams

Facebook recently announced that it is offering grants to businesses affected by coronavirus; as you might expect, this caught the attention of cyber criminals, who immediately began building phishing campaigns around it. Some attackers adapted the idea slightly to convince users that everyone was receiving a grant. The bait is a fake CNBC article about the grants, with a link to an 'application' form that requests your personal details. This attempt has plenty of flaws, including numerous grammatical errors and URLs that are clearly not what they claim to be. More information on what to look out for in these phishing attempts can be found here.

By Kaspersky.com

Microsoft Security Report: July 2019 – June 2020

Microsoft has revived its previously retired Security Intelligence Report for 2020, rebranded as the Microsoft Digital Defense Report. The 88-page report covers data from July 2019 to June 2020. Its main talking points are cybercrime, ransomware, supply-chain security and nation-state groups, which the article touches on. One of the key highlights is the sobering finding that some ransomware attacks are completed in under 45 minutes. If you wish to read the report in its entirety, you can find it here.

By ZDNet.com

Microsoft Exchange 2010 End of Support

On October 13, 2020, Microsoft Exchange 2010 reaches end of life, meaning it will no longer receive support or security updates. Organisations still running Exchange 2010 are strongly recommended to upgrade to a supported version as soon as possible: running end-of-life software presents a number of security risks, and attackers will deliberately target it, since no patches will be issued for vulnerabilities discovered after that date. This post by Rapid7 covers the poor state of unsupported Exchange systems in the wild and highlights both the actions to take and the considerations for upgrading.

By Blog.Rapid7.com

Threats

Phishing Attack Targets Windows 7 Users to Steal Credentials

With Windows 7 having reached end of life back in January 2020, those still using it remain at risk, and attackers are taking advantage of this with a targeted phishing campaign. The attack starts with a malicious email claiming to offer a free Windows 10 upgrade; the link redirects the victim to a fake Outlook login page where their account credentials are stolen. As always, the attacker wants to create a sense of urgency; an interesting twist in this campaign is that the email subject starts with 'Re:', which makes the recipient worry that they have already missed a previous message and pushes them to act quickly. We advise Windows 7 users to be on the lookout for emails like this and to upgrade to Windows 10 as soon as possible.

By Threatpost.com

Vulnerabilities & Updates

Microsoft Exchange Servers Being Actively Exploited

A flaw that allows an attacker to execute code remotely on Exchange servers was patched eight months ago, yet more than half of internet-exposed servers are still vulnerable. The flaw, addressed in the February Patch Tuesday update, currently affects 61% of exposed Exchange 2010, 2013, 2016 and 2019 servers; this is more than 430,000 worldwide. It is being actively exploited in the wild, so it poses a more severe threat than originally stated. If you have not already, please apply the update as soon as possible. The original security advisory for this vulnerability can be found here.

By ThreatPost.com

Microsoft Detects Zerologon Flaw Being Exploited

The Zerologon vulnerability, which we covered in last week's round-up, is now being actively exploited in the wild. This was spotted by Microsoft's security intelligence team, who note that the bug is easy to exploit, even for unskilled attackers. Weaponised proof-of-concept exploit code has been freely available online since details of the vulnerability were disclosed on September 14. More information about the flaw can be found here and, as always, we advise patching as soon as possible.

By ZDNet.com

NCSC Important Advice for Flash Users

Finally for this week, we want to leave you with some important advice from the UK's National Cyber Security Centre. December 2020 will see the end of Adobe's Flash Player, and once it is gone you will not be able to turn it back on.

Enterprises will need to have upgraded their services so that they do not rely on Flash by the end of 2020. Importantly, to maintain the integrity and security of your systems, you should not disable browser and/or platform updates as a way of continuing to use Adobe Flash Player after 2020.

By NCSC.gov.uk

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #111 – 1st October 2020


By Joshua Hare on 1/10/20

News

Ironshare Approved for G-Cloud 12


Ironshare is pleased to have once again been approved by the Crown Commercial Service to continue as a listed supplier on the new G-Cloud 12 framework.

The Digital Marketplace is a hub of cloud technology and support specialists, which public sector organisations can use to browse, compare and select potential providers.

This opens up the opportunity for our Cyber Security services and solutions to be found and selected by public sector organisations seeking reputable suppliers. What’s more, we’re proud to be part of an initiative that recognises the importance of connecting public sector organisations with credible and trusted services.

Our experience with a diverse range of clients has provided us with a unique insight into the challenges felt by organisations of all shapes and sizes, and all have one thing in common – they are seeking simple, clear and effective cyber security guidance and solutions.

Tools alone can’t beat all the challenges that organisations face, but our efficient and cost-effective services bring strong layers of security to organisations of any size.

Recent research has revealed that phishing emails redirecting to fraudulent websites are perceived as posing the biggest cyber threat to UK business, with 59% of decision makers highlighting this as a chief security concern above everything else.

With almost half of UK businesses suffering cyber attacks between 2019 and 2020, and with this number ever increasing, it's never been more important to start defending your organisation from online threats.

Having successfully worked with many companies over the last few years, we have seen the positive impact and reassurance our service provides.

We are able to meet even the most complex public sector requirements, and we hope that joining the G-Cloud 12 framework reinforces our commitment to providing effective cyber security solutions to government organisations throughout the UK.

About the Crown Commercial Service (CCS) and G-Cloud 12

The Crown Commercial Service (CCS) works with both departments and organisations across the whole of the public sector to ensure maximum value is extracted from every commercial relationship and improve the quality of service delivery.

The CCS goal is to become the ‘go-to’ place for expert commercial and procurement services.

The G-Cloud 12 agreement supports the Government’s policy to centrally manage the procurement of common goods and services through an integrated commercial function at the heart of government.

Ironshare joins over 3,860 other suppliers on the framework providing more than 36,000 services across three lots; Cloud Hosting, Cloud Software and Cloud Support.

Our current list of available services can be found here on the GOV.UK Digital Marketplace.

The G-Cloud 12 framework runs from 28th September 2020 to 27 September 2021.

By Stuart Hare on 30/9/20

Cyber Round-up

Cyber Round-up for 25th September


Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

Cambridgeshire Named the Cyber Crime Capital of the UK

The Office for National Statistics has been investigating the sharp increase in cyber crime in Cambridgeshire. Its figures show that the number of reported attacks has risen by more than 49% in the last three years, to around 63.7 cyber attacks per 10,000 people. The rise is unrivalled elsewhere in the UK, with only North Wales coming close at a 47% increase. Cambridgeshire now has a reputation as the 'cyber crime capital of the UK'; this is partly attributed to it being home to one of the world's most prominent universities, and universities are seen as particularly exposed when it comes to cyber security.

By Brownglock.com

Twitter Increases Security for US Election Candidates

Twitter has prepared for the upcoming US election by providing additional account security for the politicians and candidates involved. Back in July, Twitter suffered a large-scale account hijacking that affected a number of high-profile accounts, including Joe Biden's. In response, Twitter is taking precautions to ensure it does not happen again at a time as important as the election. It confirmed it would add 'proactive internal security safeguards' for high-profile accounts, including the Executive Branch, Congress, US governors, presidential candidates and even news outlets and journalists. The new rules include much stronger password requirements, as well as encouragement to enable two-factor authentication.

By BBC.co.uk

New Data Breach Notifications in iOS 14

The Keychain password manager has been a feature of iOS for quite a while, but iOS 14 introduces a significant addition to its functionality. Originally it simply let users save account credentials so they could be stored safely and not forgotten; the latest update also notifies the user if one of their saved passwords has appeared in a known data breach. The notification offers the option to generate a strong replacement password on the spot. This is a big step forward for the security of the mobile operating system.

By BleepingComputer.com

Should We Expect a Passwordless Future?

As the world of cybersecurity evolves, we keep coming back to the same question: how likely is a passwordless future? Many factors seem to be driving the need for a passwordless world, including security weaknesses and the increasing popularity of BYOD (Bring Your Own Device). This has been a topic of interest in Cisco webinars lately; CISO, J. Wolfgang Goerlich has said, ‘in a passwordless world, they throw in a username and complete a secondary factor of authentication without having to enter a password, and then they don’t have to remember things or rotate things’. This whole concept is aiming to make things as easy as possible for the user, without compromising security. There has been a lot of discussion about a passwordless future, and while it may be a long time before this happens, we should expect to see the use of passwords slowly reduce in the future.

By InfoSecurity-Magazine.com

Threats

Homeland Security Forces Federal Agencies to Install Windows Server Patch

The Department of Homeland Security's cybersecurity division, CISA, has released an emergency directive addressing a new vulnerability known as Zerologon. This is a privilege escalation flaw in the Netlogon service of Windows Server, addressed in Microsoft's August Patch Tuesday update. Having recognised the severity of the vulnerability, the directive ordered all federal civilian agencies to apply the patch immediately, describing the flaw as an 'unacceptable risk' to federal networks. It also stated that systems still unpatched by the end of Monday 21st September would be removed from the network and taken offline. The short deadline is a good indicator of just how dangerous this vulnerability is. If you haven't already, please update as soon as you can.

By ZDNet.com

Vulnerabilities & Updates

New Attack Vector Discovered for Citrix Workspace Flaw

A vulnerability disclosed earlier this year allowed local privilege escalation and remote compromise through the Citrix Workspace app for Windows when Windows file sharing is enabled. The flaw was in the app's automatic update service and was patched in July. However, a new attack vector has since been discovered that revives it: the original patch did not address the remote connectivity path, meaning attackers could still exploit the vulnerability. More details on the new attack vector can be found in this Citrix advisory. Please ensure that you apply the latest security patches, which can be found here.

By ThreatPost.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #110 – 25th September 2020


By Joshua Hare on 24/9/20

Cyber Round-up

Cyber Round-up for 18th September


Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

NCSC Publishes Vulnerability Disclosure Toolkit

This week the UK National Cyber Security Centre released its Vulnerability Disclosure Toolkit, giving organisations the guidance they need to set up their own disclosure process. Vulnerabilities are a constant part of our cyber life, with new flaws discovered by researchers every day. Having a process through which researchers can responsibly disclose the flaws they find helps improve the security of your business and its systems. The toolkit provides the essential information you need to get started; why not check it out.

By NCSC.gov.uk

Video Game Hackers Charged by US

Seven men have been charged by the US Department of Justice over targeted attacks against the video game industry. Five men from China and two from Malaysia are accused of attacking video game companies in the US, France, Japan, Singapore and South Korea. The attackers focused on compromising company networks to obtain in-game items and currency, which they then fraudulently sold for real money. At least nine firms are listed as victims, but none have been publicly identified yet.

By bbc.co.uk

Dunkin Donuts Settles Data Breach Lawsuit

Dunkin' Donuts settled a lawsuit this week after being accused of failing to inform customers that hackers had siphoned their personal information from its systems in 2015. The attackers gained access to customer accounts, downloaded their details, including loyalty card information, and sold the data on underground forums. They apparently used credential stuffing, replaying username and password pairs leaked from other breaches, to compromise the accounts. Those affected will now at least be informed and have fraudulent charges reversed. If you are a Dunkin' customer, or belong to any other online loyalty programme, the best way to protect your account is to use strong, unique passwords, never reuse an existing password, and enable 2FA where available.

By theregister.com
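Credential stuffing has a recognisable shape in authentication logs: many different usernames failing from the same source in a short window, rather than one account being hammered. The detector below is an added example written for this round-up, not code from the article or from Dunkin'; the log lines and their "timestamp ip username result" layout are constructed for the example, and the window and threshold are assumptions to tune for your own volumes.

```python
"""Added example: spotting credential stuffing in authentication logs.

Credential stuffing replays username/password pairs from other breaches, so it
looks like many *different* accounts failing from one source in a short window,
unlike a brute-force attack on a single account. The successes mixed in with the
failures are the accounts that have actually been compromised.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.7 is a stuffing source; 198.51.100.9 is one user mistyping a password.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z 203.0.113.7 alice FAIL
2020-09-15T10:00:02Z 203.0.113.7 bob FAIL
2020-09-15T10:00:02Z 203.0.113.7 carol FAIL
2020-09-15T10:00:03Z 203.0.113.7 dave FAIL
2020-09-15T10:00:04Z 203.0.113.7 erin FAIL
2020-09-15T10:00:05Z 203.0.113.7 frank OK
2020-09-15T10:00:06Z 203.0.113.7 grace FAIL
2020-09-15T10:00:07Z 198.51.100.9 alice FAIL
2020-09-15T10:00:08Z 198.51.100.9 alice FAIL
2020-09-15T10:00:09Z 198.51.100.9 alice FAIL
2020-09-15T10:00:10Z 198.51.100.9 alice OK
2020-09-15T10:30:00Z 192.0.2.44 heidi FAIL
2020-09-15T10:31:00Z 192.0.2.44 heidi OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_distinct_users=5):
    """Return {ip: (distinct_failed_users, [users that succeeded])} for every
    source that failed against at least `min_distinct_users` different accounts
    inside any `window`-long span. The success list is the reset-password list."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))

    suspects = {}
    for ip, events in events_by_ip.items():
        events.sort()
        # Slide a window anchored at each event; stop at the first match per IP.
        for i, (start, _, _) in enumerate(events):
            failed_users, succeeded_users = set(), set()
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                (failed_users if result == "FAIL" else succeeded_users).add(user)
            if len(failed_users) >= min_distinct_users:
                suspects[ip] = (len(failed_users), sorted(succeeded_users))
                break
    return suspects


if __name__ == "__main__":
    for ip, (failed, succeeded) in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {failed} distinct accounts failed; compromised: {succeeded}")
```

The point of keeping the successes separate is that a blocklist on the source IP is the cheap response; the accounts that logged in successfully from that source during the burst are the ones whose passwords were valid on another site and need resetting regardless.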

Threats

New Phishing Threat uses O365 API to Validate Accounts

Researchers have uncovered a phishing campaign using a new technique in which the attackers call Microsoft's authentication APIs to validate victims' Office 365 credentials as they are entered into the phishing page. This puts it a level above the run-of-the-mill phishing threat: the attackers can confirm immediately that the credentials are valid and compromise the account. Like many phishing threats, it starts with an email containing an attachment and a link that redirects the victim to a fake Office 365 sign-in page. Your main defences are enabling MFA on your 365 accounts and exercising caution when opening emails, clicking links or opening attachments.

By ThreatPost.com

New USPS Smishing Campaign

A new SMS-based phishing ('smishing') campaign is impersonating the United States Postal Service (USPS) to target mobile users. Using the lure of an important package, the attackers send two SMS messages attempting to trick the recipient into clicking a link to a malicious domain. Smishing is just one of the ways malicious actors seek to steal users' credentials or infect their devices with malware. SMS phishing is not specific to the US, so be aware of the threat: if you receive a message containing links that you are not expecting, or that demands urgency, delete it and do not click.

By tripwire.com

Vulnerabilities & Updates

Facebook Systems Accessed using Apache Vuln in MobileIron MDM

A security researcher gained access to internal Facebook systems by exploiting a vulnerability in a popular Mobile Device Management (MDM) product, MobileIron. While hunting for vulnerabilities, the researcher found that MobileIron was susceptible to the 'Breaking Parser Logic' attack (dating back to 2018), which leverages inconsistencies between how Apache and Tomcat parse request paths to bypass access control and authentication, leading to remote code execution. In light of this, developers should keep an eye on outdated dependencies that could leave an application open to exploitation.

By portswigger.net
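The bug class named above comes down to two components normalising the same URL path differently. The model below is an added example for this round-up, not the researcher's code and not the real Apache or Tomcat normalisers: it reduces each to the one behaviour that matters (a Tomcat-style container strips ";path-parameters" from each segment before it resolves ".." , a proxy-style front end does not) and shows how a path-based ACL at the front end can be walked past. The protected prefix and paths are constructed for the example.

```python
"""Added example: why a reverse proxy and a servlet container can disagree
about which resource a path names.

A front-end (Apache-style) normaliser treats '..;' as an ordinary segment, so
'/public/..;/admin' is not under '/admin' and passes an ACL on that prefix.
A Tomcat-style normaliser removes the ';...' path-parameter suffix from each
segment first, turning '..;' into '..', and resolves the same request to '/admin'.
Both normalisers are simplified models written for this example.
"""


def _remove_dot_segments(segments):
    """RFC 3986 style: '.' is dropped, '..' pops the previous segment."""
    out = []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return out


def proxy_normalize(path):
    """Front-end view: dot-segment removal only; ';' has no special meaning."""
    return "/" + "/".join(_remove_dot_segments(path.split("/")[1:]))


def tomcat_normalize(path):
    """Container view: strip ';param' from every segment, then remove dots,
    so a segment '..;anything' becomes '..' before it is resolved."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/")[1:]]
    return "/" + "/".join(_remove_dot_segments(segments))


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def front_end_allows(path, protected_prefix="/admin"):
    """A proxy ACL that blocks requests whose *proxy-normalised* path is protected."""
    return not _under(proxy_normalize(path), protected_prefix)


def bypasses_acl(path, protected_prefix="/admin"):
    """True when the front end lets the request through but the backend would
    serve a protected resource: the parser-mismatch bug class."""
    return front_end_allows(path, protected_prefix) and _under(
        tomcat_normalize(path), protected_prefix)


if __name__ == "__main__":
    for p in ("/admin/users", "/public/../admin", "/public/..;/admin"):
        print(f"{p:22} proxy={proxy_normalize(p):18} backend={tomcat_normalize(p):10} "
              f"bypass={bypasses_acl(p)}")
```

The fix is not to tune the front-end pattern but to stop trusting it: enforce authorisation in the backend that actually resolves the path, and keep the proxy and container on versions whose normalisation rules agree.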

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #109 – 18th September 2020


By Stuart Hare on 17/9/20

Cyber Round-up

Cyber Round-up for 11th September


Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

Newcastle the Latest University to be Attacked

Newcastle University is the latest in a long line of universities hit by cyber attacks in recent months. A notice released on Friday 4th September disclosed an incident affecting its IT systems and stated that it may take several weeks before full service is restored. Although it has not been confirmed, it is thought to be the result of yet another ransomware attack. Universities have been consistently in the news, due both to ransomware attacks and to becoming victims of the Blackbaud data breach.

By grahamcluley.com

Ransomware Dominates 2020 Insurance Claims

In a report published by US insurance firm Coalition, 41% of cyber insurance claims made in the first half of 2020 were attributed to ransomware. Coalition observed a 260% increase in ransomware attacks targeting its customers, with the average demand increasing by 47%. The Maze group unsurprisingly tops the list of ransomware strains used in these attacks, with the gang demanding ransoms up to six times the average. In addition, Business Email Compromise fraud continues to grow, with a 67% increase in claims over the previous period. Check out the article on ZDNet for more information.

By ZDNet.com

Threats

France Warns of Emotet Threat

The French cyber security agency has warned public sector services of a rising threat after witnessing a surge in Emotet attacks. Emotet is a serious threat that has evolved from a banking trojan into a dropper for more advanced malicious payloads such as trojans, info-stealers and ransomware. It typically achieves initial infection through a malicious Office document attachment, convincing users to open the attachment and enable the embedded macros. Although this warning comes from France, Emotet is targeting all types of businesses around the globe. Be sure to educate your users not to open suspicious attachments or enable macros unless they are certain the document came from a trusted source.

By BleepingComputer.com

Raccoon Attack Could Break TLS Encryption

A new timing vulnerability, dubbed the Raccoon Attack, has been identified by researchers in the Transport Layer Security (TLS) protocol. TLS is the most widely used protocol for securing internet communications, so any threat to its security quickly becomes a serious concern. This side-channel attack affects TLS 1.2 and below, allowing an attacker to recover the shared Diffie-Hellman secret that protects the communications between the two parties. Fortunately, as is common with timing attacks, it is not easy to exploit in practice, and it relies on the server reusing the same Diffie-Hellman private key across multiple connections. So far F5, Microsoft, Mozilla and OpenSSL have confirmed they are affected, and each has released patches to fix the issue.

By TheHackerNews.com
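The timing difference that Raccoon measures comes from how TLS 1.2 and earlier encode the Diffie-Hellman shared secret before hashing it: leading zero bytes are stripped, so a small fraction of handshakes produce a shorter secret and a slightly different key-derivation time, which is observable only when the server reuses its DH private key across many connections. The script below is an added example for this round-up, not the researchers' code; it contrasts the two encodings and simulates handshakes against one reused server key. The 127-bit prime and generator are toy parameters chosen for illustration, not a group anyone should deploy.

```python
"""Added example: the length leak that Raccoon-style timing attacks exploit.

TLS 1.2 and earlier (RFC 5246 section 8.1.2) strip leading zero bytes from the
DH shared secret Z before it becomes the pre_master_secret; TLS 1.3
(RFC 8446 section 7.4.1) left-pads Z to the byte length of the prime. With a
reused server key, the variable length is a per-connection signal an attacker
can probe. Toy parameters below; real groups are 2048 bits or more.
"""
import secrets

P = 2**127 - 1   # Mersenne prime M127: a small, convenient toy modulus
G = 3            # toy generator; assumed for illustration only


def tls12_premaster(z):
    """Pre-TLS-1.3 encoding: minimal big-endian bytes, leading zeros removed."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def tls13_premaster(z, p):
    """TLS 1.3 encoding: always the byte length of the modulus p."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def simulate_handshakes(trials, p=P, g=G, server_priv=None):
    """Run `trials` client handshakes against ONE reused server DH key (the
    precondition for the attack) and histogram the premaster lengths under
    both encodings: {length: count} for TLS 1.2, and the same for TLS 1.3."""
    if server_priv is None:
        server_priv = secrets.randbelow(p - 2) + 1
    server_pub = pow(g, server_priv, p)
    lens12, lens13 = {}, {}
    for _ in range(trials):
        client_priv = secrets.randbelow(p - 2) + 1
        z = pow(server_pub, client_priv, p)   # the shared secret both sides derive
        l12, l13 = len(tls12_premaster(z)), len(tls13_premaster(z, p))
        lens12[l12] = lens12.get(l12, 0) + 1
        lens13[l13] = lens13.get(l13, 0) + 1
    return lens12, lens13


def short_fraction(lengths, full_len):
    """Fraction of handshakes whose encoded secret was shorter than full size."""
    total = sum(lengths.values())
    return sum(c for n, c in lengths.items() if n < full_len) / total


if __name__ == "__main__":
    full = (P.bit_length() + 7) // 8
    l12, l13 = simulate_handshakes(20000)
    print("TLS 1.2 lengths:", dict(sorted(l12.items())), "short fraction:",
          round(short_fraction(l12, full), 4))
    print("TLS 1.3 lengths:", dict(sorted(l13.items())))
```

With this 127-bit toy prime roughly 1 in 128 handshakes yields a 15-byte secret; with a 2048-bit group the leading byte is zero about 1 in 256 times. The practical mitigations follow from the precondition: prefer TLS 1.3 or ECDHE, and on TLS 1.2 servers make sure a fresh DH private key is generated per connection (single-use DH) rather than cached.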

Vulnerabilities & Updates

Microsoft Patch Tuesday Sept 2020

This week was the second Tuesday of the month, which as we all know is Microsoft's Patch Tuesday. The September edition fixes a total of 129 vulnerabilities, including 23 rated critical, 105 rated important and one rated moderate. The key issue patched this month is a memory corruption vulnerability in Microsoft Exchange mail servers that can result in remote code execution; it can be exploited simply by sending a specially crafted email to a vulnerable server.

Seven remote code execution flaws have been fixed across multiple versions of SharePoint Server, while other critical issues affect the Windows Graphics Device Interface, ChakraCore and Visual Studio.

We recommend getting these updates reviewed and deployed as soon as you can, prioritising the critical patches if you are unable to patch them all.

A list of all updates can be found at the Security Response Center portal.

By Threatpost.com

WhatsApp Critical Flaws

Five critical vulnerabilities have been identified in the popular messaging app WhatsApp. The flaws affect multiple WhatsApp components, including the Android and iOS applications and the desktop client. They can be exploited via malicious video calls and messages, and include privilege escalation, buffer overflow and remote code execution vulnerabilities. Fortunately, all of these issues were patched within days of discovery. If you haven't already, please update your apps, and where possible set your mobile apps to update automatically.

By Forbes.com

Palo Alto PAN-OS Advisories

Palo Alto Networks has published nine new security advisories for its PAN-OS firewall operating system, including one critical and five high-rated vulnerabilities. The critical vulnerability is a buffer overflow that could allow an unauthenticated attacker to execute code with root privileges by sending malicious requests to the Captive Portal or Multi-Factor Authentication interface.

A list of all the advisories can be found here.

By security.paloaltonetworks.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #108 – 11th September 2020


By Stuart Hare on 10/9/20

Cyber Round-up

Cyber Round-up for 4th September


Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

CISA Release Advisory for Uncovering and Remediating Malicious Activity

CISA has published a joint advisory titled 'Technical Approaches to Uncovering and Remediating Malicious Activity'. The cyber security authorities of the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the United Kingdom and the United States) all contributed to the guide. The technical details are very informative and well worth reading if you have the time; at minimum, the key takeaways offer a good grounding in incident response procedures, evidence collection and remediation of discovered issues. You can view a PDF version of the advisory here.

By US-Cert.CISA.gov

New Maximum Lifespan Added to SSL/TLS Certificates

Previously, TLS certificates could have a maximum lifetime of 27 months (825 days), which was unnecessarily long. From the 1st of September, the maximum lifetime of a newly issued publicly trusted certificate is 13 months (398 days): Apple, Google and Mozilla have all agreed that their browsers will reject certificates issued on or after that date with a longer validity period. This is a good step forward for security, and drastically lower than the 8-10 year lifespans that were possible before 2011. Although Certificate Authorities are not too pleased, the browser vendors have welcomed the change.

By TheHackerNews.com
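The new limit is easy to check for yourself from the dates a certificate carries. The script below is an added example for this round-up, not code from the article: it parses the two lines that `openssl x509 -noout -dates` prints, applies the 398-day limit to certificates issued on or after 1 September 2020 and the older 825-day limit to anything issued before, and reports the result. The sample dates are constructed; the cutoff and limits are the figures the article gives, and treating the limit as inclusive (exactly 398 days passes) is an assumption of this example.

```python
"""Added example: check a certificate's validity period against the browser
lifetime limits (398 days for certificates issued on or after 1 Sept 2020,
825 days before that). Input is the output of `openssl x509 -noout -dates`.
"""
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)   # new rule applies from here
OLD_LIMIT = timedelta(days=825)
NEW_LIMIT = timedelta(days=398)


def parse_openssl_date(text):
    """Parse openssl's date form, e.g. 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc)


def max_allowed_validity(not_before):
    """The limit depends on the *issuance* date, not on when you check."""
    return NEW_LIMIT if not_before >= CUTOFF else OLD_LIMIT


def check_validity(not_before_text, not_after_text):
    """Return (accepted, validity_days, limit_days)."""
    not_before = parse_openssl_date(not_before_text)
    not_after = parse_openssl_date(not_after_text)
    validity = not_after - not_before
    limit = max_allowed_validity(not_before)
    return validity <= limit, validity.days, limit.days


def check_openssl_dates_output(text):
    """Accept the two-line 'notBefore=...' / 'notAfter=...' output directly."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return check_validity(fields["notBefore"], fields["notAfter"])


# Constructed sample, in the exact shape openssl prints.
SAMPLE_DATES = """\
notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Sep  1 00:00:00 2022 GMT
"""

if __name__ == "__main__":
    ok, days, limit = check_openssl_dates_output(SAMPLE_DATES)
    print(f"validity {days} days, limit {limit} days -> {'OK' if ok else 'REJECTED'}")
```

To run it against a live server, feed it the output of `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -dates`. Internal CAs are not bound by the browser policy, but certificates they issue for browser-facing services will still be rejected by those browsers, so the check is worth running on them too.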

Cybercriminals Attacking Bigger Targets in BEC to Claim Bigger Payouts

The Anti-Phishing Working Group (APWG) is known for its quarterly reports on phishing operations. With Business Email Compromise (BEC) becoming increasingly common over the last few years, it has become a big part of their reporting. In the latest review, the average sum requested in BEC attacks was around $80,000. That seems large, but it is nothing in comparison to the Russian cybercrime group Cosmic Lynx, which requests $1.27 million on average. Their ambitions exceed those of regular BEC groups, who are content with smaller payouts. It will be interesting to see how things change in future reports.

By ZDNet.com

Threats

Hackers Earn Millions from Stolen Fortnite Accounts

2020 has been a busy year for hackers, with more than 2 billion breached Fortnite accounts listed for sale. Researchers found that the criminals are earning approximately $25,000 per week from account sales, around $1.2 million per year. The value of an account is determined by the rarity of its in-game cosmetics and customisations, and accounts are mostly taken over through simple password cracking, enabled by reused or common passwords. ThreatPost has contacted Fortnite developer Epic Games and is awaiting further comment.

By ThreatPost.com

Apple Deceived by Hackers to Approve Malicious Adobe Flash Player Update

Apple macOS requires software distributed outside the App Store to be submitted to Apple for notarisation, an automated check for malicious content before Gatekeeper will allow it to run. This is supposed to keep harmful applications off Macs; however, Apple has acknowledged that it mistakenly notarised software that turned out to be malicious. The software posed as an Adobe Flash Player update and was in fact a version of Shlayer, a common Mac infection. Ensure you are running antivirus on your machine in case an app like this slips past Apple's notarisation process.

By GrahamCluley.com

Vulnerabilities & Updates

Hackers Target Zero-Day Vulnerabilities in Carrier-Grade Routers

There are currently two unpatched vulnerabilities in the DVMRP feature of Cisco IOS XR, the operating system that runs on most of Cisco's carrier-grade routers. Both can be exploited remotely to exhaust memory and cause a denial of service. Affected devices include ASR 9000, NCS 5500, 8000, and NCS 540 & 560 series routers. Cisco's security advisory can be found here, if you are looking for mitigation steps or more information on the nature of the flaws.

By SecurityWeek.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #107 – 4th September 2020


By Joshua Hare on 3/9/20

Cyber Round-up

Cyber Round-up for 28th August


Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

Top Ransomware Exploits in 2020

The first half of 2020 saw its fair share of ransomware attacks, especially in the enterprise sector. Every ransomware group has its own way of doing things, but some intrusion methods are incredibly popular among them. As you might expect, Remote Desktop Protocol tops the list as the most common attack vector, followed by a method that emerged this year: VPN appliances have become the second most used intrusion vector for ransomware groups. Since the summer of 2019, researchers have disclosed a number of high-risk vulnerabilities in VPN appliances, which over time tempted ransomware groups to change their methods and focus on targets like Citrix network gateways and Pulse Secure VPNs. If you haven't patched these devices yet, or blocked access to RDP from the internet, it's time to get it done!

By ZDNet.com

Credential Phishing Attack Hosted on Box

ArmorBlox has detected a credential phishing campaign that uses a site hosted on Box. After compromising a legitimate third-party vendor's account, the attacker registers a fresh domain to host the credential phishing page and then uses the vendor account to send convincing emails to several users, each containing a link to a 'secure document'. Clicking the link leads to a file containing a further link to the Box-hosted site, which in turn leads to a fake Office 365 login portal. This is an elaborate scheme that we suggest you keep an eye out for; more details are included in the ArmorBlox article.

By ArmorBlox.com

Cyber Attack Impacts New Zealand Stock Exchange

NZX, the New Zealand stock exchange, was taken offline for two days following multiple distributed denial-of-service attacks that began on Tuesday, forcing trading to be halted on both days. Back in November 2019, New Zealand's CERT NZ issued an alert warning that emails were circulating threatening a DDoS attack unless a ransom was paid, purporting to come from the Russian group Fancy Bear. Until now, the threat had not been acted on. No further information has been disclosed about the attack, but the exchange is now back to operating at full capacity.

By BBC.co.uk

Threats

Freepik Data Breach Compromises 8.3M User Records

Graphic resource company Freepik has recently revealed that it has been involved in a serious data breach. The breach enabled hackers to steal the personal data of 8.3 million Freepik and Flaticon users. The target of the attack was the Flaticon website, which was left vulnerable to SQL injection. This breach was quite significant, with the platform having 18 million unique users per month and 100 million monthly downloads. Of the 8.3 million affected users, 4.5 million had only their email addresses stolen, with the rest having password hashes stolen as well. Freepik prompted their users to change their passwords via email; other than this, no action was taken.

By BleepingComputer.com

Conti Ransomware Unveils Data Leak Site

Conti ransomware has emerged as the successor to the infamous Ryuk; as well as the standard extortion that we see with ransomware groups like this, Conti has launched a data leak site, which it uses to threaten its victims. The site, Conti.News, is a very new strategy for the group, despite it having already operated successfully since the summer. This new strategy is now part of their ransom notes, which warn that the victim’s data will be published online if no ransom is paid. Samples of confidential data from 26 victims are currently available on the site.

By BleepingComputer.com

Vulnerabilities & Updates

Critical OpenSSL Vulnerability

A new memory leak vulnerability has been discovered in the OpenSSL library that could allow an attacker to access confidential data such as private keys and account credentials. A proof of concept has already been released for this flaw, and it has already been seen exploited in the wild. Despite receiving a CVSS v2 score of 5.0, the nature of the vulnerability means it has been marked as CRITICAL. As always, we urge you to apply the latest patch as soon as possible to ensure you are protected.

By sesin.at

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #106 – 28th August 2020


By Joshua Hare on 27/8/20

Cyber Round-up

Cyber Round-up for 21st August

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Cyber Basics

Cyber Basics: Email Anti-spoofing

This is the second in a series of posts that will aim to provide some initial guidance on the fundamentals of cyber security. Here we focus on the topic of Email Anti-spoofing.

Security News

Konica Minolta Hit by Ransomware

Japanese business technology giant Konica Minolta was hit by a new ransomware attack that disrupted their operations for a week. The incident started with a series of outages, with customers reporting that their product supply and support site was down; this persisted for almost a week until the company informed users of a breach. Shortly after, the ransom note was revealed, which was found to be linked to a new strain of ransomware called RansomEXX. This same malware was also seen in the attack on the Texas Department of Transportation. The article does not state whether the ransom was paid; we only know that their services are now available once again.

By BleepingComputer.com

Tesla App to Offer Two-Factor Authentication

Elon Musk recently issued a statement addressing the lack of two-factor authentication on the Tesla mobile app. He has apologised for being ‘embarrassingly late’ and stated that it is currently going through its final validation stage. Musk also confirmed that 2FA will be available through SMS or the Authenticator app and is ‘coming soon’. Two-factor authentication cannot come soon enough for such a high-profile app. The Tesla app allows drivers to use their phones as a car key, meaning that if your device was compromised, your vehicle would be too. Tesla are a bit late to the party when it comes to 2FA, and the sooner it is implemented the better.

By technowize.com

Cruise Line Operator Hit by Ransomware

The world’s largest cruise ship operator, Carnival Corporation, announced the news of a ransomware attack this week. They reported that a portion of their IT systems were encrypted, and the attackers downloaded files from their network. The company have been working closely with law enforcement to investigate the breach and have discovered that the attackers accessed the personal data of guests and employees. No information has been shared regarding the nature of the ransomware, and it is unknown if they paid the ransom. However, they did say that they do not believe the incident will impact future operations.

By ZDNet.com

Threats

Indicators of Compromise for SANS Data Incident

Earlier this month, SANS revealed that they had suffered a data breach as a result of a phishing campaign. The email scam prompted the user to install a malicious add-in for Office365 which created a forwarding rule. Confidential information was being forwarded to an unknown third-party for an extended period of time until it was discovered and stopped. The company have since released a list of indicators of compromise relating to the recent incident. If you wish to learn more about these, they can be found here.

By SANS.org

Experian Data Breach Affects 24 Million Customers

The South African branch of credit agency Experian has revealed that they were recently affected by a large data breach. The company stated that this happened when they delivered personal details of their customers to a fraudster disguised as a client. Experian have not commented on the exact number of customers that were affected but reports from the South African Banking Risk Centre suggest that around 24 million users were impacted, as well as just under 800,000 local businesses. They have since been working with local law enforcement and have managed to find the attacker responsible for the incident. There has been no confirmation as to what data was stolen, but it is believed that no financial information was involved.

By ZDNet.com

Fileless P2P Botnet Malware Affecting SSH Servers

A new fileless botnet called FritzFrog has emerged, and it has hit more than 500 servers already. This malware has only been around since January and is already hard at work infecting a number of well-established universities in both the US and Europe. A report from Guardicore states that ‘in this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date’. This botnet seems to target SSH servers in particular; if you wish to learn more about the nature of this malware, details can be found in this article.

By TheHackerNews.com

Vulnerabilities & Updates

Microsoft Releases Emergency Windows Security Updates

Microsoft was forced to release an emergency patch to address two privilege escalation flaws that have been found in the Windows Remote Access service. These vulnerabilities affect all supported versions of Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2. CVEs for these flaws can be found in this article, as well as more details regarding the nature of the bugs. As always, we recommend applying this patch as soon as possible to reinforce the safety of your devices.

By BleepingComputer.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #105 – 21st August 2020


By Joshua Hare on 20/8/20

Cyber Basics
Security Guidance

Cyber Basics: Email Anti-spoofing

This is the second in a series of posts that will aim to provide some initial guidance on the fundamentals of cyber security. During our time assisting many organisations with improving their security, the one thing that is common across all companies, regardless of size or type, is the lack of focus on Cyber Basics.

These posts will not be in any particular order, but will aim to cover what we feel are key basic elements of any cyber security strategy or improvement programme. The great thing is that this guidance is applicable to any size of company or budget, no matter how small, and can equally apply to the large enterprise.

By focusing on these basics you can significantly improve your cyber maturity and help prevent over 80% of the common cyber threats active today.

Email Anti-spoofing

For quite some time now email has been the single biggest vector used in cyber-attacks, with over 95% of attacks delivered using email.

Most email attacks rely on deceiving the user, or impersonating a trusted source, in an effort to convince the target to click a malicious link or download a malicious attachment. Once the link is clicked or the attachment downloaded, you could be directed to a bad site that steals credentials, or malware could be installed on your device.

From here, user accounts are often compromised for use in ongoing attacks against other victims and companies.

Email anti-spoofing is an often unknown or misunderstood security control that aims to reduce the chance of receiving emails impersonating (spoofing) a legitimate individual or company.

These techniques aim to protect your company and its brand from reputational damage and financial loss, by preventing the bad guys from impersonating your email accounts and using them maliciously.

Where this differs from the normal cyber security advice, is that instead of directly protecting your own users, anti-spoofing actually protects the people, partners and companies you do business with, by making it extremely difficult for criminals to send emails that look like they come from you.

How does it work?

To prevent spoofing of an organisation’s email and domains we need to use three core technology components:

  • SPF – Sender Policy Framework
  • DKIM – Domain Keys Identified Mail
  • DMARC – Domain-based Message Authentication, Reporting and Conformance

SPF – Sender Policy Framework

Sender Policy Framework, or SPF for short, is the first step on the anti-spoofing ladder. SPF has been around for some time, starting out in the early 2000s before being published as a proposed standard in 2014.

Its role is to list the domains and IP addresses that are allowed to send email on behalf of your company domain.

SPF is quick and simple to implement using a basic DNS text record (TXT). Once the record is published, receiving email services can check the SPF record to ensure that the sending email service is valid and authorised to send mail.

If the check passes, the email is delivered to the user’s mailbox; if it fails, the receiving email service can choose to junk or reject the email.

Email Anti Spoof - SPF

An example SPF TXT record that uses Microsoft Exchange Online, Mailchimp bulk email services, and an on-premises mail server IP address may look like this:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ip4:192.0.2.1 -all

To break this down:

  • include: tag used to add domains and hostnames that send your email
  • ip4: tag used to add IP version 4 addresses or ranges
  • ip6: tag used to add IP version 6 addresses or ranges
  • -all: Hard Fail – tells the receiver that servers not listed in the SPF record should be rejected
  • ~all: Soft Fail – tells the receiver that servers not listed in the SPF record can be accepted but should be marked as suspicious.

The difficult part here is ensuring you have all your relevant mail services included. Be sure not to add too many though, as SPF has a limit of 10 lookups. Each include and IPvX entry is classed as a lookup. If you exceed 10, you impact performance and will likely receive a failure on the SPF check. Be efficient with your SPF record.
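To make the SPF evaluation and the lookup limit concrete, here is an added Python example (not from the post or from any vendor) that checks a sending IP against the record above and counts the lookup-costing terms. The DNS table is constructed so it runs offline; the include targets are hypothetical stand-ins for the real Microsoft and Mailchimp records, not their contents. It follows RFC 7208’s counting, under which include, a, mx, ptr, exists and redirect each cost a lookup while ip4 and ip6 terms are compared locally.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed DNS TXT table used instead of live lookups so the example runs offline.
# example.com carries the record from the post; the include targets are hypothetical
# stand-ins for the real (much larger) Microsoft and Mailchimp records.
DNS_TXT: Dict[str, str] = {
    "example.com": ("v=spf1 include:spf.protection.outlook.com "
                    "include:servers.mcsv.net ip4:192.0.2.1 -all"),
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "servers.mcsv.net": "v=spf1 ip4:203.0.113.0/25 include:spf2.servers.example.net ~all",
    "spf2.servers.example.net": "v=spf1 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS query and count towards RFC 7208's limit of 10 per evaluation.
# ip4 and ip6 are compared locally, so they do not appear here.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split a v=spf1 record into (qualifier, name, value) terms.

    Modifiers such as redirect=... come back with an empty qualifier so callers can
    tell them from mechanisms. Raises ValueError for anything that is not SPF v1.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok and ":" not in tok:          # modifier, e.g. redirect=_spf.example.com
            name, value = tok.split("=", 1)
            terms.append(("", name.lower(), value))
            continue
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")
        terms.append((qual, name.lower(), value))
    return terms


def count_lookups(domain: str, dns: Dict[str, str], seen: Optional[Set[str]] = None) -> int:
    """Count lookup-costing terms reachable from a record, following include and redirect."""
    seen = set() if seen is None else seen
    if domain in seen:                             # include loop: stop instead of recursing
        return 0
    seen.add(domain)
    record = dns.get(domain)
    if record is None:
        return 0
    total = 0
    for _qual, name, value in parse_spf(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, dns, seen)
    return total


def within_lookup_limit(domain: str, dns: Dict[str, str]) -> bool:
    return count_lookups(domain, dns) <= MAX_LOOKUPS


def check_sender(ip: str, domain: str, dns: Dict[str, str], depth: int = 0) -> str:
    """Evaluate a sending IP against a domain's SPF record.

    Handles ip4, ip6, include, all and redirect. a, mx, ptr and exists need live DNS and
    are treated as non-matching in this offline example.
    """
    if depth > MAX_LOOKUPS:
        return "permerror"
    record = dns.get(domain)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    redirect = None
    for qual, name, value in parse_spf(record):
        matched = False
        if name in ("ip4", "ip6"):
            # `in` is False across IP versions, so an IPv6 sender never matches an ip4 term
            matched = sender in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # an include only matches when the included record itself returns pass
            matched = check_sender(ip, value, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        elif name == "redirect":
            redirect = value
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_sender(ip, redirect, dns, depth + 1)
    return "neutral"                               # nothing matched and no redirect


if __name__ == "__main__":
    for candidate in ("192.0.2.1", "198.51.100.7", "2001:db8::1", "203.0.113.200"):
        print(candidate, check_sender(candidate, "example.com", DNS_TXT))
    print("lookups used:", count_lookups("example.com", DNS_TXT), "of", MAX_LOOKUPS)
```

Note that the Mailchimp stand-in ends in ~all: a sender outside its ranges gets softfail there, which does not count as a match for the include, so the top-level -all decides.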

DKIM – Domain Keys Identified Mail

Next up is Domain Keys Identified Mail (DKIM), which adds another layer of security, by digitally signing the outbound messages from your mail service.

You start by creating a cryptographic key pair (public and private keys) for your domain; this is typically completed on your mail service or email security product.

The private key is used to sign the message by adding a digital signature to the message header.

The public key is added to your domain’s DNS using TXT records. When your mail service sends a signed message, receivers of your email consult the published DNS records to verify the message against the public key.

If it matches, this proves that the message originated from your domain and is valid. If it fails, the receiving mail service can choose whether it junks or rejects the message.

Unlike SPF, DKIM can also protect email that has been forwarded, as the signed message header is preserved as the email is forwarded from one company to another.

Email Anti Spoof - DKIM

An example DKIM DNS TXT record can be constructed as follows:

v=DKIM1; k=rsa; p=<base64 encoded public key>;

DKIM is supported by most modern mail services and, although this may sound difficult, it is relatively simple to set up. Services such as Microsoft 365 Exchange Online create the crypto keys and DNS TXT records for you. All you need to do is enable DKIM for each domain and add the associated DNS CNAME records, which point to the TXT records.
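The DKIM mechanics described above, as an added Python example that is not the post’s own code: it builds the DNS name a receiver queries from the s= and d= tags, sanity-checks a published record of the v=DKIM1; k=rsa; p=… form, and verifies the body hash (bh=) in a DKIM-Signature header. The message, selector and key value are constructed; the b= signature is a placeholder because checking it needs an RSA verify, which this standard-library-only example leaves out.

```python
import base64
import hashlib
import re
from typing import Dict

# Constructed example, not the post's record or a real key. The b= tag is a placeholder:
# checking it needs an RSA verify against the published p= key, which this stdlib-only
# example leaves out. The body hash (bh=) is fully checkable with hashlib.


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a tag=value list (the format of both DKIM-Signature and the DNS TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)     # folding whitespace is not significant
    return tags


def canonicalize_body(body: str, mode: str = "simple") -> bytes:
    """RFC 6376 body canonicalization: relaxed also collapses whitespace; both drop trailing empty lines."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")   # an empty body hashes as a lone CRLF


def body_hash(body: str, mode: str = "simple") -> str:
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def dkim_signature_tags(raw: str) -> Dict[str, str]:
    head, _ = split_message(raw)
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)        # join continuation lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            return parse_tags(value)
    raise ValueError("no DKIM-Signature header")


def dkim_dns_name(tags: Dict[str, str]) -> str:
    """The TXT record a verifier fetches: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(raw: str) -> bool:
    """True when the body still matches the bh= the signer committed to."""
    tags = dkim_signature_tags(raw)
    _, body = split_message(raw)
    _header_mode, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_mode or "simple") == tags["bh"]


def check_dkim_record(txt: str) -> str:
    """Sanity-check a published DKIM TXT record; this example only knows k=rsa."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "bad-version"
    if tags.get("k", "rsa") != "rsa":
        return "unsupported-key-type"
    if not tags.get("p"):
        return "revoked"                            # an empty p= means the key is withdrawn
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "bad-key-encoding"
    return "ok"


def build_signed_message(body: str, domain: str = "example.com", selector: str = "sel2020") -> str:
    """Assemble a message whose DKIM-Signature carries the right bh= for its body."""
    head = (
        f"From: director@{domain}\r\n"
        "To: accounts@example.net\r\n"
        "Subject: Proposal\r\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector};\r\n"
        f" h=from:to:subject; bh={body_hash(body, 'simple')};\r\n"
        " b=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
    )
    return head + "\r\n" + body


BODY = "Hi,\r\n\r\nPlease review the attached quote.\r\n\r\n\r\n"
SIGNED_MESSAGE = build_signed_message(BODY)
EXAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed, not a real key").decode() + ";"

if __name__ == "__main__":
    print(dkim_dns_name(dkim_signature_tags(SIGNED_MESSAGE)))
    print("body hash ok:", verify_body_hash(SIGNED_MESSAGE))
    print("after tampering:", verify_body_hash(SIGNED_MESSAGE.replace("quote", "invoice")))
```

The body hash only covers the body; a changed Subject or From still passes this check, which is why the b= signature over the h= headers is what a full verifier must also check.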

DMARC – Domain-based Message Authentication, Reporting and Conformance

The third and final layer of anti-spoofing security is called Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC is the bow that wraps all of this together, setting and applying policy for the email domain, and generating reports based on success or failure of the verification checks.

Once the receiver has checked the identity and validity of the email message using SPF and DKIM, DMARC tells the receiving mail service what to do in the event that the email fails any of the checks.

The DMARC policy can be set to enforce three actions:

  • None – tells the receiver to take no action. We recommend using this setting when first implementing and testing your anti-spoofing setup.
  • Quarantine – tells the receiver to take action by sending the message to a quarantine, junk or spam folder, instead of delivering it to the inbox.
  • Reject – tells the receiver to block the message and prevent it from being delivered.

Email Anti Spoof - DMARC

The final piece of the DMARC jigsaw is reporting. The rua value can be used in the record to set an address where you would like to send aggregated email reports. The ruf value can also be used for detailed forensic reporting.

An example DMARC DNS TXT record can be constructed as follows:

v=DMARC1; p=none; rua=mailto:companyxyz@dmarc-report.com; ruf=mailto:companyxyz@dmarc-report.com;
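How a receiver turns the record above plus the SPF and DKIM outcomes into a disposition, as an added Python example that is not the post’s code: it parses the record, applies identifier alignment (relaxed or strict, from the aspf and adkim tags) and picks p= or sp= when the message fails. The public-suffix table is a small constructed stand-in for the Public Suffix List, and pct= sampling is ignored.

```python
from typing import Dict, Optional, Tuple

# Small stand-in for the Public Suffix List, which real implementations consult to find
# the organisational domain. Constructed for this example; only these suffixes are known.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "gov.uk"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tags; v=DMARC1 and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """news.example.com -> example.com; news.example.co.uk -> example.co.uk."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against, dkim_domain the
    d= of a verified signature. DMARC passes if either authenticated on an aligned domain.
    On failure the disposition is p=, or sp= for mail From a subdomain when sp= is set.
    pct= sampling is ignored here, i.e. treated as pct=100.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    disposition = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return False, disposition


# The record from the post, with its reporting addresses.
POST_RECORD = "v=DMARC1; p=none; rua=mailto:companyxyz@dmarc-report.com; ruf=mailto:companyxyz@dmarc-report.com;"

if __name__ == "__main__":
    # legitimate mail: SPF passed for the bounce domain mail.example.com, From example.com
    print(evaluate_dmarc(POST_RECORD, "example.com", "pass", "mail.example.com", "none", None))
    # spoofed From with the sender's own SPF: fails alignment, but p=none only reports
    print(evaluate_dmarc(POST_RECORD, "example.com", "pass", "attacker.example.net", "none", None))
```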

Once enabled these reports should then be reviewed regularly to ensure that there are no errors in your anti-spoofing setup. Any errors in the configuration may result in valid email failing to be delivered.

Reporting Services

There are a number of reporting services online that can help with the collection and analysis of DMARC reports.

Report URI is a great example of a service that provides a free tier for the collection of up to 10,000 reports per month. This is a good starting point, with a range of tools available including DMARC, CSP and Certificate Transparency logging to name a few. Chargeable subscriptions are also available.

If you want more information or would like to sign up, visit here: https://report-uri.com/

NCSC Mail Check Service

For UK public sector organisations the National Cyber Security Centre (NCSC) provides the Mail Check service, which can help you set up strong email anti-spoofing and security configurations.

You can sign-up here: https://www.mailcheck.service.ncsc.gov.uk/

Other Resources

For more resources, Dmarc.org lists a number of tools that are available to assist with the implementation and analysis of these email anti-spoofing components. The list can be found here.

Conclusion

This second post in the cyber basics series has looked into the topic of Email Anti-spoofing. It has described how to protect your organisation, partners and customers from phishing threats that aim to impersonate the company and its staff.

Don’t be overwhelmed by the details; the above SPF, DKIM and DMARC settings really are quick and easy to set up. After some initial planning, and if you have all the information to hand, your technical staff should be able to deploy this in as little as 30-60 minutes.

To summarise, follow these steps:

  • Gather IP and domain information for the devices and services that are allowed to send email on your domain’s behalf (mail servers, websites, and bulk email campaign services).
  • Implement SPF for your domain using DNS TXT records, using the info gathered.
  • Implement DKIM for your domain, using crypto keys to sign your email and DNS TXT records to publish your public key.
  • Implement a DMARC policy, starting in policy mode none. Set DMARC to send your logs to a reporting service such as Report-URI.com.
  • Don’t rush into setting a protection policy. Review the logs for a few weeks to ensure there are no issues, before moving to quarantine or reject.
  • If you have more than one email domain always ensure you protect all your email domains (including subdomains) not just the primary.

Email providers such as Microsoft, have detailed documentation to help with deploying these features within their services. Please do go and seek these out for more information.

Hopefully this has given you valuable insight and highlighted both the importance and benefits of enabling email anti-spoofing for your organisation.

Look out for our future posts and hopefully they can help you become more secure.

By Stuart Hare on 18/8/20

Cyber Round-up

Cyber Round-up for 14th August

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Reddit Communities Spammed with Pro-Trump Content

A recent coordinated campaign has taken over a number of popular subreddits, filling them with pro-Trump propaganda. Right now, experts are unaware of how the accounts were compromised, but moderators appear to be cleaning up just a few days after the incident. Investigation is currently underway, and the affected subreddits are being restored; all that is known right now is that the attacks were carried out through the use of compromised moderator accounts, and the group behind the attack is still unknown. This is not the first social media / forum takeover, as many high-profile Twitter accounts were taken over as part of a bitcoin scam last month; this recent increase in social media activity is worrying, and we will be keeping an eye out for future incidents.

By TheVerge.com

iOS 14 Introduces Game Changing Security Features

iOS 14 is just around the corner, and with it comes a load of new features that are sure to catch your eye. The update is rumored to contain a lot of changes for Maps and Photos, but we are more interested in the security and privacy updates that were promised. One of these features includes the ability to opt in to having your data tracked to deliver personalised ads. Another big feature that was announced is forcing app developers to specifically detail what data they will collect, and warn the user before they download the app. Users will also be notified if an app is spying on their clipboard. We are all excited to see how these brand-new features improve the security and privacy of iOS devices, and how other mobile companies manage to compete.

By Forbes.com

Threats

cPanel Phishing Scheme Features Fake Security Advisory

A new phishing attack has been seen targeting cPanel users; however, it does not use the typical methods we are used to seeing. Instead, this scam sends users a fake security advisory which warns them of critical vulnerabilities affecting the web hosting platform. They are then prompted to install an ‘update’ which claims to patch the flaw, but instead redirects them to log in with their cPanel credentials. The attackers responsible for constructing this phishing attack have really taken the time to create a convincing scam, and it is no surprise that some people have fallen for it. As always, stay safe and do not give away your login credentials unless you are certain it is safe to do so.

By BleepingComputer.com

Smart Locks Can Be Opened with Just a MAC Address

Smart locks have become increasingly popular recently, which in turn draws attention from cybercriminals. These new IoT devices are an alternative to your traditional lock; however good they may seem, they have their flaws. One has been found recently and can be quite dangerous. One feature of the smart lock is the ability to share access keys with others, so that they can gain access through their smartphone; this seems like a good idea, aside from the security risks. This new vulnerability allows an attacker to help themselves to an access key, and all they need to do so is the MAC address of the device. In response to this flaw, U-Tec began to make improvements to their security, and after a few days have resolved the issue.

By ZDNet.com

SANS Data Incident

On August 6th, SANS carried out a review of their email configuration and found a mail forwarding rule that was leaking data to an external email address. The forwarded files included data such as email addresses, names, country of residence and company names. Once this was discovered, it was immediately prevented from sending any more emails, but not before a total of 513 had already been sent. SANS have said that most of the emails were harmless, but a few contained some personally identifiable information. If you wish to learn more about this attack, and how the individuals have been affected, this can all be found in this article.

By Sans.org

Vulnerabilities & Updates

Microsoft’s August 2020 Patch Tuesday

Microsoft’s Patch Tuesday for August arrived this week, and it is a big one. It addresses 120 vulnerabilities in total, including 17 critical bugs and two zero-days that have already been exploited in the wild. The first zero-day is a Windows OS bug that allows attackers to bypass security features by incorrectly validating file signatures. The second zero-day is a remote code execution flaw that exists in the scripting engine in Internet Explorer. The full list of security updates can be found here on Microsoft’s Security Update Guide portal.

By ZDNet.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #104 – 14th August 2020


By Joshua Hare on 13/8/20

Phishing

A Chain of Business Email Compromise and Phishing Attacks

Attackers use an array of phishing methods to chain Business Email Compromise fraud and credential theft to impact multiple victims.

Ironshare were recently contacted by a customer who reported receiving a suspicious email from one of their clients. This post will share some of the evidence we found during the analysis of what first seemed like a typical phishing attack.

After initial investigation we started to identify this as a chain of attacks that spanned multiple organisations and victims. We witnessed four organisations that were involved in the overall attack.

Impact Summary

Here is a summary of how the four companies were impacted.

  • Company A
      • Successful phishing attack originating via email
      • Compromised email account
      • Attempted Business Email Compromise fraud (success unknown)
      • Email account used to forward phishing attacks to Company A’s partners.
  • Company B
      • Receives an email from Company A with an attached malicious Word document containing links to a credential-stealing web form.
      • Successful attack resulting in a compromised email account of a company director.
      • Attacker attempts Business Email Compromise fraud by sending a modified version of a recent invoice from Company C to the accounting team, containing the bad guys’ bank details.
      • User flags this as unusual and prevents the transfer of funds.
      • Director’s email account is used to forward a phishing email to Company C.
  • Company C (our customer)
      • Multiple personnel in Company C receive an email from Company B containing a link to a proposal document.
      • Company C report this suspicious email to Ironshare for review, as it has come from one of their customers.
      • Link directs to a compromised Microsoft OneNote account page that contains another link to a supposed proposal document.
      • Link actually forwards the users to typeform.com and not a document, where a malicious form has been set up to steal the credentials for common email services.
      • Early suspicions from the users meant that although the link was clicked by one person, no accounts were compromised.
  • Company D
      • This company was likely compromised prior to, or in parallel with, Companies A and B.
      • Although the vector used is unknown, it’s likely this was also an email phishing attack.
      • A compromised Office 365 account was used to host the proposal document link in OneNote that we saw during the attack on Company C.

Evidence

Unfortunately we could not get access to samples of all the evidence from each company but include here some of the key items we can share.

After successfully compromising the director’s email account at Company B, the attackers used this access to perform Business Email Compromise fraud. They intercepted an email from Company C which contained an invoice for a recent purchase. This was sent from the director to the accounting team.

Instead of just modifying the existing invoice, the attackers decided to take the content, copy it into a template of their own and, for some reason, slightly change the total invoice value. This invoice looks nothing like the original, and combined with the change of value this triggered the user to suspect malicious activity.

Thankfully the accounting team did not have access to transfer funds, and they identified this as highly suspicious, meaning the BEC attack was not successful.

CompB BEC Invoice

The director’s account was then used to send the below phishing email to the Company C personnel who were included in the above invoice email.

As you can see, the email was not particularly convincing in terms of its content. It did not look like or represent a normal email from the director, but it did come from an otherwise trusted source email address.

CompC Phishing email

Unsure of where this link would take us, we ran the URL through our Threat Grid sandbox, as per our normal process, to determine its intent.

As stated in the email, clicking the link did take us to a Microsoft OneNote subscription belonging to Company D. The OneNote page had been amended to allow Guest access, with an image and another link added to represent the supposed proposal.

CompD OneNote

The image doesn’t represent a valid proposal. Its heavily blurred content is barely readable, but we can just make out that it reads as a Consulting Proposal Template, most likely just downloaded from an online template site.

CompD OneNote Proposal Image

Once the ‘Click to view proposal’ link in the OneNote page is accessed, you are redirected to TypeForm.com, where a malicious form has been poorly branded as an Office 365 sign-in page.

We have a few red flags here, including the address pointing to typeform.com instead of OneDrive, the site display name, and the branding of the page, which looks nothing like an official Microsoft sign-in page.

CredStealerForm1

The form tries to convince users to sign in to view the document, in an attempt to steal the user’s credentials (email and password).

By clicking the sign-in button, a new page is loaded that asks the user to select an email domain. A drop-down menu is displayed containing some of the common email domains, showing the attackers are not fussy about which user details they grab, so as to maximise the services they can compromise.

CredStealerForm2

Once the user has selected the email domain, the form then proceeds to request the email address and password of the user’s account.

CredStealerForm3
CredStealerForm4
CredStealerForm5

Once the user’s details are entered, they are captured and stored for the attackers’ later use, and this page is displayed, which likely confuses the user.

This may have well read: ‘Thanks for providing your details we now have access to your account!’

Conclusion

We recently worked with our customer to investigate a potential new phishing threat that was not blocked or flagged by their email security. This wasn’t detected as it used trusted emails and common cloud services listed as safe, to complete the attack. After initial investigation we identified that one of their customers had been compromised.

After talking to Company B we started to understand the wider attack, and they informed us of another party who was involved, leading to a total of four organisations that were visible to us.

Ironshare liaised with Companies B, C & D, informing them of the threat and identified account compromises.

Our MSP blocklists were updated to prevent access to the domains and URLs, so that all our customers were protected.

We submitted these threats to both Cisco Umbrella and Phish Tank to review and place these into their global blocklists, while we work with Company D to take down the content from their OneNote account.

These types of chained phishing attacks are not a rare occurrence, and happen more often than you think, but this was the first time we had investigated different vectors that had touched this number of companies.

Thankfully for our customer, the security awareness training we have been delivering has helped to educate their users to identify phishing threats such as this, and prevented their users from being compromised themselves.

Now for the techie bits

Below are some of the IOCs we witnessed during this investigation:

Domains

weaorg-my.sharepoint[.]com

onedrive98343.typeform[.]com

URLs

httpx://weaorg-my.sharepoint[.]com/:o:/g/personal/showarth_wea_org_uk/EgFuQlDGDn1AuTE3qNs3maYBoK02d7Wb1U-TnF_kxfl0Iw?e=pCfEJP

httpx://onedrive98343.typeform[.]com/to/Az32Z8If

By Stuart Hare on 9/8/20

Cyber Round-up

Cyber Round-up for 7th August

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Attack Costs Redcar Council Over £10M

More than 135,000 people were unable to access online public services, following a cyber-attack that hit Redcar and Cleveland’s website and computer systems. Since the attack occurred back in February, the local authority has been looking into the recovery costs and has been actively making improvements to their cyber security; they also have plans to continue these upgrades in the future to ensure another attack cannot happen. The council has estimated it has taken £10.4M to cover the costs of the incident, and they have since enrolled on an NCSC security scheme; meaning their defences will be “far more advanced than most peers in local government”.

By BBC.co.uk

Ransomware Group Publish Internal Data of LG and Xerox

The group behind Maze ransomware have published over 70GB of internal data from LG and Xerox networks. Typically, if the victim refuses to pay the ransom, their data is added to a ‘leak website’, which they then use to threaten them again. If the second attempt fails also, then the site is published. LG reportedly had 50.2 GB of data stolen, and Xerox had 25.8 GB stolen. Despite being a ransomware group, Maze issued a statement to ZDNet stating that they did not deploy the ransomware on LG’s network as they did not want to disrupt operations; instead, they simply exfiltrated their data. The same cannot be said for Xerox, who have issued no comments regarding the incident.

By ZDNet.com

FBI Warns Companies of Windows 7 End-of-Life

The FBI has issued a private industry notification to US private sector partners on the dangers of continuing to run Windows 7 now that it has reached end-of-life. With Windows 7 no longer receiving security updates, weaponised exploits targeting the operating system have already been observed. The FBI’s warning includes statistics from when Windows XP went end-of-life, showing that the healthcare industry saw a huge increase in exposed records in the following year. The same pattern is likely to repeat with Windows 7, which is why we, along with the FBI, recommend upgrading your operating system as soon as you can.

By ZDNet.com

Threats

‘Get Rich Quick’ Scams Plaguing Instagram

Recent reports have found that hundreds of Instagram users have fallen victim to ‘get rich quick’ schemes; Action Fraud has recorded 356 reports of Instagram scams since the end of 2018, with estimated losses of £3M. Most victims were between 20 and 30 years old, each losing around £9,000. The scheme asks the user for £600 up front with the promise that a much larger sum will follow shortly after; as you can expect, it never does. Instagram has said it is actively fighting fraudulent activity on the platform and is working to improve its detection systems so that scams are removed faster.

By CyberSecurityNews.com

Free TV Licence Scam Affects Hundreds

Here we are with yet another scam that takes advantage of the pandemic. This SMS-based phishing (smishing) campaign sends a text message offering a free one-year TV licence because of COVID-19; the link in the message leads to a fraudulent site that asks for the victim’s personal information, including banking details, home address and date of birth. As always, treat unexpected messages with suspicion and do not follow links unless you are certain where they lead and who sent them.

By InfoSecurity-Magazine.com

Vulnerabilities & Updates

August Security Update Addresses Android RCE Flaw

Google’s latest security patch addresses a high-severity flaw that could allow remote code execution on Android devices. The vulnerability exists in the Android Framework, the set of APIs developers use to build apps for the platform, and according to the report affects versions before Android 10; we recommend updating as soon as possible. The patch also addresses a number of other vulnerabilities, including privilege escalation, information disclosure and denial of service flaws. If you wish to learn more about these, you can find details here on Google’s security bulletin.

By ThreatPost.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #103 – 7th August 2020


By Joshua Hare on 6/8/20

Cyber Round-up

Cyber Round-up for 31st July

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

Vatican Infiltrated by Chinese Hackers

The Vatican has reported a breach of its computer systems, believed to be the work of Chinese state-linked hackers. The timing is notable: the intrusion came shortly before planned sensitive talks between the Vatican and Beijing over the status of the Catholic Church in China. The Chinese state has faced many accusations of cyber-espionage against religious groups over the years, and this appears to be another case. Investigators found that the intrusion could have revealed the Vatican’s negotiating position ahead of the September talks. The group behind the attack is believed to be RedDelta, which has also been linked to several other intrusions at organisations connected to the Catholic Church.

By InfoSecurity-Magazine.com

Garmin Slowly Recovers from Ransomware Attack

Garmin has released a statement confirming it was the victim of a ransomware attack, which took many of its services offline. Services began returning a week later, but recovery has been a slow, staggered process. Garmin managed to restore its encrypted data but has not confirmed whether it paid the ransom; rumours online suggest the demand may have been in the region of $10 million. Garmin has told customers there is ‘no indication’ that personal data was accessed, which is reassuring for users of its devices.

By GrahamCluley.com

Threats

Digital Banking App Dave Suffers Security Breach

Dave, a popular digital banking app and tech unicorn, has released a statement addressing a security breach in which the records of 7.5 million users were exposed. The attackers got in through Waydev, a third-party analytics platform that Dave had previously used, and from there gained unauthorised access to the data of 7,516,625 customers. The company began investigating as soon as it became aware of the incident and quickly closed off the access. Reports suggest the attackers have cracked some of the stolen password hashes and are attempting to sell the credentials online. Dave is working with law enforcement and has forced an app-wide password reset.

By ZDNet.com

QNAP NAS Devices Targeted by Malware Strain

The NCSC and CISA have jointly reported on a malware strain, known as QSnatch, that targets NAS devices made by QNAP. The malware first surfaced in late 2019 but has only recently come under detailed investigation; all QNAP NAS devices are potentially vulnerable unless they are running the latest firmware. We highly advise applying the latest security fixes to ensure your devices do not join the thousands already infected worldwide.

By NCSC.gov.uk

Vulnerabilities & Updates

At Risk ASUS Routers Require Firmware Updates

If you own an ASUS RT-AC1900P home router, it is vital that you update its firmware as soon as possible. Firmware before version 3.0.0.4.385_20253 contains two security bugs that could have a severe impact if exploited. The first is that the router does not validate the update server’s certificate when checking for and downloading firmware updates, so an attacker in a man-in-the-middle position (for example on a malicious network the router is connected to) can present a forged certificate and serve a tampered update. The second is a cross-site scripting flaw in the release-notes page of the management web interface; combined with the first flaw, an attacker who controls the update responses can inject JavaScript that runs in the administrator’s browser. Versions 3.0.0.4.385_20253 and later are unaffected; we recommend updating as soon as you can. Here is the security advisory from Trustwave if you are interested in learning more.

By NakedSecurity.Sophos.com

High Severity Vulnerabilities Found in Cisco Security Products

Cisco has warned customers about a high-severity flaw (CVE-2020-3452) affecting its network security software, which a remote, unauthenticated attacker could use to read sensitive files on the device, and which is already being exploited in the wild. The flaw is in the web services interface of Cisco Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) software. A patch has been released, which we recommend applying as soon as possible. CVE details have been published, with a CVSS score of 7.5 out of 10. More details on the advisories can be found here.

By ThreatPost.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #102 – 31st July 2020


By Joshua Hare on 30/7/20

Cyber Round-up

Cyber Round-up for 24th July

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

Cyber Volunteers Awareness Campaign

CV19, also known as Cyber Volunteers, are working to ‘protect the people who protect our health’. The Covid-19 pandemic has hit many organisations hard, and their IT systems have not been spared: since the outbreak, several criminal groups have targeted vulnerable healthcare organisations, hospitals in particular. What started as a cyber security effort has grown to include physical security, because of the ongoing theft of healthcare workers’ ID badges and personal protective equipment (PPE). In response, CV19 has published a new awareness campaign to help key workers keep these items safe. They also ran a social engineering assessment during which the volunteers were able to walk off with identity badges and gain access to computer systems. If you would like to see the campaign or learn more about their work, please visit the CV19 site here.

By cyberv19.org.uk

Chinese Hackers Charged for Targeting COVID-19 Research & Trade Secrets

The United States Department of Justice has charged two Chinese hackers with cyber crimes spanning 11 countries, targeting hundreds of companies and government agencies over the last decade. Some of their most recent activity targeted companies working on COVID-19 vaccine development. They are also accused of exploiting vulnerabilities in government systems, including those holding weapon designs and personally identifiable information. Like certain other nations, China has developed a reputation for state-sponsored hacking and for sheltering cyber criminals.

By TheHackerNews.com

University of York Suffer Ransomware Attack

The University of York has launched an investigation after its customer relationship management provider, Blackbaud, was hit by ransomware back in May. Reports suggest the stolen data included names, dates of birth, student numbers, addresses and contact details. Blackbaud paid the ransom in exchange for the attackers’ assurance that their copy of the data had been destroyed. It was confirmed that no payment card details or passwords were taken, and steps are being taken to make the systems more secure. Despite this, many remain uneasy about trusting criminals to have deleted what they stole; unsurprisingly, Blackbaud has since stated that keeping its customers’ data secure is a top priority.

By YorkPress.co.uk

Threats

Emotet is Back, Again

The most active botnet of 2019 has returned after going quiet in February 2020. No activity had been seen since the 7th of February until this week, when users began reporting a flurry of spam emails carrying the new Emotet payload. The emails contain either a Word document attachment or a URL that downloads one; the document is designed to download and install Emotet once the user clicks ‘Enable Content’ and allows its macros to run. Around 250,000 messages had been seen at the time of writing, and the campaign has only just begun. As always, stay alert and do not open attachments or enable content unless you know it is safe to do so. Our first indication of the return was Microsoft’s @MsftSecIntel Twitter feed warning of the new campaign; read the initial warning here.
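The delivery mechanism described above (a Word document that only does harm once macros are enabled) can be triaged at the mail gateway before anyone is asked to click. The Python example below is added here and is not code from the original post or from any vendor tool: modern Word files are ZIP containers, so a macro project is visible as `word/vbaProject.bin` (or as the macro-enabled content type in `[Content_Types].xml`) without opening the document, while legacy binary `.doc` files are OLE2 compound files that this check only flags for deeper inspection with a tool such as olevba. The sample attachments, including a macro-carrying file renamed to `.docx`, are constructed in memory and are not real Emotet samples.

```python
"""Triage e-mail attachments for VBA macro projects without opening them.

Added example, not from the original post. Looks at attachment bytes only.
All sample attachments below are constructed in memory.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) container
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm"}


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'ole-inspect', 'clean' or 'not-office' from file content."""
    if data.startswith(OLE2_MAGIC):
        # Binary Office format: macros live in OLE streams; hand off to olevba.
        return "ole-inspect"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            # A VBA project part is direct evidence of macros.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Belt and braces: the declared content type of the main part.
            if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in z.read("[Content_Types].xml"):
                return "macro"
            if "word/document.xml" in names or "xl/workbook.xml" in names:
                return "clean"
    except zipfile.BadZipFile:
        pass
    return "not-office"


def triage(attachments):
    """Classify each (name, bytes) pair; the extension is never trusted on its own."""
    results = []
    for name, data in attachments.items():
        kind = classify_attachment(data)
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if kind == "macro" and ext not in MACRO_EXTENSIONS:
            kind = "macro-ext-mismatch"   # macros hiding behind a harmless-looking name
        results.append((name, kind))
    return results


def _build_ooxml(macro: bool) -> bytes:
    """Constructed minimal Word container, with or without a VBA project part."""
    main_ct = (MACRO_CONTENT_TYPE.decode() if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


# Constructed attachments, keyed by the filename the mail claims.
SAMPLE_ATTACHMENTS = {
    "Invoice_2020.docm": _build_ooxml(macro=True),
    "Report.docx": _build_ooxml(macro=False),
    "Statement.doc": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"just text",
    "Invoice.docx": _build_ooxml(macro=True),  # macro project behind a .docx name
}


if __name__ == "__main__":
    for name, kind in triage(SAMPLE_ATTACHMENTS):
        print(f"{kind:20s} {name}")
```

The point of the extension check is that Word decides what to do from the file content, not the name, so a quarantine rule that only blocks `*.docm` is trivially bypassed; classifying on the container contents catches the renamed file as `macro-ext-mismatch`, which is exactly the case worth a closer look.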

By ZDNet.com

Tesco 4K TV Phishing Scam Hits the UK

A new phishing scam has emerged in the UK that uses a fake Facebook page, SMS and email to bait consumers into handing over sensitive information. The scammers request payment card details from their victims in exchange for a supposedly free 4K TV. The scam has been prominent on Facebook, with the page stating:

“We have around 500 TVs in our warehouse that are about to be binned as they have slight damage and can’t be sold. However, all of them are in fully working condition, we thought instead of binning them we’d give them away free to 500 people who have shared and commented on this post by July 18.”

At least 100 consumers have fallen for the scam, according to reports. As always, we advise caution with offers like this: do not give out your details unless you are certain it is safe, and if it seems too good to be true, it most probably is.

By InfoSecurity-Magazine.com

Microsoft Accused of Sharing Office 365 Subscriber Data with Facebook

Microsoft is being sued over alleged data privacy violations. The lawsuit claims that the company has been sharing Office 365 business customer data with Facebook’s app developers and partners. Microsoft has regularly said that data is only shared when necessary, but the complaint alleges that sharing took place even when the customer and their contacts were not Facebook users. After the Cambridge Analytica scandal, it is understandable that many are uneasy about this apparent breach of trust. A Microsoft spokesperson has said the allegations are false; time will tell.

By TheRegister.com

Vulnerabilities & Updates

Adobe Release Emergency Patch for Critical Flaws

Adobe has released an emergency fix for a new batch of critical vulnerabilities in Photoshop, Bridge and Prelude. All of the addressed flaws could lead to arbitrary code execution if exploited, which is why they have been prioritised so heavily. We advise updating as soon as possible; for a list of affected versions, please see the following article here.

By ZDNet.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #101 – 24th July 2020


By Joshua Hare on 23/7/20

Cyber Round-up

Special Edition: Highlights of the Cyber Round-Up

Welcome to this special edition of the Ironshare Cyber Round-up, where we look back at the biggest events and news we’ve reported on over the last two years. This week’s round-up is the 100th edition, which is why we wanted to do something a little different.

Here are the top events from the last two years that we have covered in previous posts:

Security News

Data Breaches

The one thing we certainly haven’t had a shortage of in the last few years is reports of data breaches. It now seems we cannot go a week without a new company being compromised or data being leaked to the internet or dark web.

The breaches have come in all shapes and sizes, with root causes including network compromises, security misconfigurations, e-commerce card skimming and third-party supply chain issues.

Marriott’s Starwood hotel chain had its network compromised, reportedly for as long as four years. After a thorough investigation, the breach totalled 383 million records, including personal, payment card and passport information.

Facebook have suffered multiple breaches / data leaks, as a result of partners, supply chains, and unprotected online services/data stores, totalling well over half a billion records. More info below.

Earlier this year tech giant Microsoft exposed 250 million customer records, spanning 14 years’ worth of support data, after an unprotected database was found accessible online.

We believe the Yahoo incident back in 2013 still stands as the biggest breach to date with over 3 billion records involved.

Data breaches chart (source: https://www.informationisbeautiful.net)

Vulnerabilities

Like data breaches, vulnerabilities in hardware and software remain one of the key threats, with new disclosures appearing on an almost daily basis.

In October 2019 multiple vulnerabilities were reported in Pulse Secure VPN appliances, including a critical one with a CVSS score of 10. The UK NCSC and US CISA warned that these were being actively exploited by Advanced Persistent Threat (APT) groups and that patches should be applied immediately.

https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities

https://us-cert.cisa.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn

In late December 2019 a critical bug in Citrix ADC (formerly NetScaler) and Citrix Gateway, products that provide remote access and virtual desktop services, had customers scrambling to patch after attackers began exploiting it remotely in the wild.

Disappointingly, in both cases there are still vulnerable systems out there, which are very likely still being exploited.

In the last two weeks alone we have seen a significant number of critical patches released for disclosed vulnerabilities from the likes of Microsoft, Cisco, Citrix, Juniper, Adobe, SAP and Oracle, to name a few.

With the growing number of security researchers hunting for vulnerabilities and the continued rise of bug bounty programmes (such as HackerOne and Bugcrowd), the number of CVEs registered and patches released is only going to grow.

A focused, regular patching programme that gets all systems updated as quickly as possible is one of the fundamentals every organisation can put in place to help keep its environment secure.

Huawei Security Controversy

Over the last couple of years, Huawei has hardly left the spotlight when it comes to the world of cyber. They have been a controversial topic when it comes to the new 5G mobile networks and general security issues. We first addressed this controversy back in December of 2018, when BT decided to remove the Chinese tech firm’s equipment from their 5G networks and cease their mobile network partnership entirely.

This has only escalated since, with Huawei the target of accusations from the UK and US governments about state-sponsored spying and spyware in its products. The concerns were fuelled when Microsoft researchers reported a flaw in Huawei MateBook laptops that would allow an attacker to take control of and spy on the device. Eighteen months later the firm is still a primary focus in the cyber world; the sanctions the US has imposed over the perceived threat from Huawei are having wider repercussions in the West, and this week the UK government announced it will ban Huawei 5G kit from UK networks.

There is still a divide, with some saying the risk can be managed and others saying it cannot. This saga is undoubtedly going to roll on.

BT Kicks Huawei Off 5G Networks: https://www.bbc.co.uk/news/technology-46453425

Huawei Threat to UK Security: https://www.theguardian.com/technology/2019/may/16/huawei-poses-security-threat-to-uk-says-former-mi6-chief

UK & US Discuss Huawei 5G Contribution: https://www.bbc.co.uk/news/technology-51112232

Huawei 5G kit must be removed from UK by 2027 https://www.bbc.co.uk/news/technology-53403793

Facebook Data Leaks

We first reported on Facebook back in October 2018, when 50 million users were compromised by a zero-day vulnerability that allowed account access tokens to be stolen. Although no passwords were taken, this was a big incident. Less than six months later they were back in the spotlight after Apple revoked Facebook’s enterprise developer certificate, blocking its internal iOS apps, over its poor approach to data privacy.

Their reputation continued downhill shortly after, when 540 million user records collected by third-party apps were exposed in unsecured Amazon S3 buckets for anyone to access. As you can expect, 2019 didn’t get any easier: the social media giant faced a $5 billion fine, once again over its data privacy practices. Facebook has received a lot of criticism recently, and for good reason; its poor security practices have made it one of the biggest focuses of the last two years when it comes to cyber news.

Facebook Data Breach Affecting 50 Million: https://about.fb.com/news/2018/09/security-update/

Apple Blocks Facebook on iOS: https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps

Facebook Face $5 Billion Fine: https://threatpost.com/facebook-5-billion-ftc-fine/144104/

The Rise and Rise and Rise of Emotet

Emotet has grown into one of the biggest and most dangerous malware families in recent history, evolving constantly over the last few years; we first reported on it in December 2018. It started life as a banking trojan botnet in 2014, then adopted advanced techniques such as fileless execution, and just a couple of weeks after our first report began sending out holiday greeting cards by email which, to no one’s surprise, carried the Emotet payload. By this point the generic banking trojan had become a distribution platform for other malware.

After establishing itself as one of the biggest malware distributors, the Emotet gang disappeared, taking an extended break over the 2019 holidays and ceasing all operations. This was a shock to everyone, but not as big as the shock of their return: it didn’t take long before operations were back online and the spam campaigns fully revived.

After another hiatus of several months, Emotet has once again returned, with indications from multiple sources in the last 24 hours, including tweets from Microsoft, Cryptolaemus and CSIS, that it is back with a bang. No doubt more information will follow in the coming days and weeks.

We have found ourselves writing about Emotet numerous times over the last two years; it has been one of the most prevalent threats of recent times, and we won’t be forgetting it any time soon.

Emotet Holiday Greetings: https://www.ironshare.co.uk/news/cyber-round-up-for-21st-december/

Emotet Returns After Holiday Break: https://www.bleepingcomputer.com/news/security/emotet-malware-restarts-spam-attacks-after-holiday-break/

Emotet Evolution: https://www.ironshare.co.uk/technical/the-emotet-threat-keeps-rolling-on/

British Airways Data Breach

The British Airways breach was not one of the biggest to date, but it certainly grabbed headlines. It first came to light in September 2018, when BA announced that the personal and financial details of 380,000 customers had been compromised. The breach was closed off fairly quickly, but that was not the end of the incident: updates weeks later revealed that it was larger than first thought, with an additional 185,000 customers affected, and that full payment card details had been taken alongside names, email addresses and billing information.

It didn’t take long for the incident to return to the spotlight. In July 2019 the ICO announced its intention to fine British Airways £183 million, well below the maximum of 4% of annual turnover that GDPR allows. The card-skimming operation behind the breach, attributed to Magecart, has been involved in some of the biggest scams and breaches of recent times, which we cover in the section below.

British Airways Initial Breach: https://www.thesun.co.uk/money/7195832/british-airways-hacked-personal-data-bank-details-stolen/

British Airways GDPR Fine: https://www.tripwire.com/state-of-security/featured/british-airways-faces-record-138-million-gdpr-fine-data-breach/

Magecart Campaigns

Magecart has been one of the most active threats of the last few years, and there has been no shortage of news to report. We first wrote about Magecart in September 2018, after the British Airways and Ticketmaster breaches, when it hit the American retailer Newegg: a card skimmer was planted on the e-commerce checkout and the payment card details of numerous customers were stolen.

That wasn’t the only big attack that year; just two months later the Vision Direct website was targeted. Research found that around 20% of compromised online stores were likely to be re-infected, with some stores infected by Magecart as many as 18 times.

More recently Nutribullet and eight US city websites have been victims of successful Magecart attacks.

Over time the Magecart groups have become more advanced and no longer need to compromise the merchant’s own site directly, instead abusing third-party scripts and services the site loads. They have been responsible for some of the highest-profile breaches of the last couple of years and don’t seem to be going anywhere.

Magecart Development: https://www.bleepingcomputer.com/news/security/magecart-group-evolves-tactics-to-better-steal-your-credit-cards/

Magecart Newegg Breach: https://www.riskiq.com/blog/labs/magecart-newegg/

Vision Direct Breach: https://www.visiondirect.co.uk/customer-data-theft

Magecart Nutribullet: https://threatpost.com/magecart-cyberattack-targets-nutribullet-website/153855/

And that’s it for this special edition round-up, please don’t forget to tune in for our edition later this week.

Stay Safe, Secure and Healthy!

Special Edition #100 – 17th July 2020


By Joshua Hare on 18/7/20

Cyber Round-up

Cyber Round-up for 17th July #100

Welcome to the 100th edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

It has been another crazy week in security, where we have lost count of the number of flaws found in products from Microsoft, SAP, Adobe, Cisco and Juniper, plus a new record for the number of vulnerabilities fixed by Oracle in a single quarterly Critical Patch Update.

In addition to this 100th Edition keep your eyes peeled for an upcoming special, where we take a look back at some of the highlights of our previous Cyber Round-ups.

In this week’s round-up:

Security News

Twitter Hacked - High Profile Accounts Compromised

Twitter has been the victim of a major compromise that saw the accounts of many high-profile individuals, including Barack Obama, Elon Musk and Bill Gates, hijacked to push a Bitcoin scam. Full details are not yet available, but Twitter confirmed that attackers gained access to internal employee tools and used them to take over the accounts. Each compromised account tweeted the scam, asking followers to send bitcoin to an address with the promise that double the amount would be sent back. It is unclear how many people fell for it, but Twitter confirmed that it locked the affected accounts while investigating and will not return access to their owners until it is certain they are secure.

By TheVerge.com

MGM Resorts Data Breach Affects 142 Million Guests

MGM Resorts suffered a data breach back in 2019, originally reported to have affected 10.6 million hotel guests. A recent sales listing on the dark web suggests the breach was a lot larger than first believed: a total of 142 million hotel guest records were offered for sale, all for the price of $2,900. The stolen data included names, postal addresses and email addresses, although it was confirmed that no financial information was compromised. There are still suspicions that the breach may be larger still, so we will be watching for further updates.

By ZDNet.com

Huawei 5G Kit to be Removed from UK by 2027

The UK government has decided to ban Huawei equipment from 5G networks and has ordered that all Huawei 5G kit be removed from UK networks by 2027. The decision follows the US sanctions that restrict Huawei’s access to chips for future equipment; existing Huawei 3G and 4G kit is not covered by the removal order. Note that the ban does not affect Huawei’s smartphone sales, and its devices will still be sold in both the UK and the US. The UK is not the first to take this step and joins a growing list of countries refusing to work with ‘high-risk vendors’.

By BBC.co.uk

Threats

Wells Fargo Bans TikTok on Corporate Devices

Following recent security concerns over TikTok, US bank Wells Fargo has banned employees from using the app on company devices. TikTok has been under fire over suspicions that it spies on users and collects data for the Chinese government; although these suspicions have not been confirmed, many companies are taking precautions over its use on corporate devices. Amazon issued a similar ban before emailing staff to say the ban was sent in error and that they could continue using the app. TikTok says it is working to address these concerns, but it has not yet convinced everyone.

By Finextra.com

LiveAuctioneers Passwords Found for Sale Following Data Breach

On Saturday, security researchers discovered that a LiveAuctioneers database containing the usernames and passwords of around 3 million customers had been put up for sale online. The seller gave away a small sample of user records to prove to buyers that the data is genuine. Users of the auction site are advised to change their LiveAuctioneers password, along with the password on any other site where they reused it.

By GrahamCluley.com

Vulnerabilities & Updates

Microsoft Patch Tuesday for July

Microsoft has released its monthly batch of security updates, addressing more than 120 vulnerabilities, 17 of them rated critical.

The headline critical flaw is a remote code execution vulnerability in Windows DNS Server (CVE-2020-1350, dubbed SIGRed). It carries a CVSS score of 10 and is classed as wormable, meaning malware exploiting it could spread between vulnerable servers without any user interaction. More details can be found here.

Other critical vulnerabilities this month are remote code execution flaws in the RemoteFX vGPU feature of Hyper-V, GDI+, DirectWrite, Microsoft Graphics and the Windows Font Library.

Most of the bugs addressed in these updates are important, and details for these flaws can be found here in Microsoft’s update page. As always, we recommend applying these new patches as soon as possible.

By Blog.TalosIntelligence.com

Critical SAP Vulnerability Allows Server Takeover

A vulnerability has been discovered in the LM Configuration Wizard component of SAP NetWeaver Application Server Java (CVE-2020-6287, known as RECON). The flaw is rated critical with a CVSS score of 10 and could allow an unauthenticated attacker to take over SAP applications and execute arbitrary OS commands. SAP has released a patch, which we recommend applying as soon as possible; the bug potentially affects more than 40,000 SAP customers. Follow this link for the associated US CISA security advisory.

By TheHackerNews.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #100 – 17th July 2020


By Joshua Hare on 16/7/20

Cyber Round-up

Cyber Round-up for 10th July

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.

In this week’s round-up:

Security News

EDP Renewables Hit by Ragnar Locker Ransomware

EDP Renewables North America (EDPR NA), a subsidiary of the Portuguese energy group Energias de Portugal, has confirmed that its parent company was hit by a Ragnar Locker ransomware attack. The attack targeted the information systems of EDPR’s parent corporation, which began investigating immediately and discovered that its systems were being accessed by an unauthorised third party, reportedly for ‘the first time’. A ransom note demanding around $10 million in bitcoin was reported at the time, although EDPR’s notification states the company is not aware of a ransom demand having been made. No further details regarding the ransom have been released; the attackers claim to have stolen 10 TB of data, including contracts and transactions with clients and partners.

By BleepingComputer.com

Microsoft Takes Down 6 COVID-19 Phishing Sites

A group of cybercriminals has taken advantage of Covid-19 through the use of phishing & Business Email Compromise (BEC) campaigns. Their attacks have targeted Office 365 customers specifically, luring victims in with news of the virus. Their operation works differently to most, as it does not lead users to a phishing site; instead, victims are baited into installing a malicious Office 365 app from a linked document. This month, Microsoft received a court order, giving them the ability to take control of six domains that were being used in the criminal group’s operations. More details on the nature of the campaign can be found here.

By ZDNet.com

Threats

WordPress Advertising Plugin Could Lead to Full Site Takeover

A premium WordPress plugin known as Adning Advertising is currently affected by a critical vulnerability that could allow an unauthenticated remote attacker to execute code on the target system. This could lead to a full site takeover, which warrants a CVSS severity score of 10; it is also worth noting that this flaw has already been exploited in the wild. The author of the plugin has released a patch in version 1.5.6; we strongly recommend you apply this patch as soon as possible, since there are no workarounds. In addition, a second flaw is addressed in this patch, related to file deletion and directory traversal.

By ThreatPost.com

Smart Tracker Device Flaw Puts Dementia Sufferers at Risk

Over the years there have been some serious security flaws affecting smart tracker watches, and this latest one is just as bad, if not worse. It affects devices aimed at elderly people, specifically those with dementia and similar illnesses. One of the main features of a dementia sufferer’s smart watch is the reminder to take medication, meaning this feature could be exploited to trick the user into taking too much medication and potentially overdosing. The requirements to hack these kinds of smart devices are not very complex, and anyone with basic hacking skills could do it, making this very serious. More details on the nature of this issue can be found here.

By PenTestPartners.com

Vulnerabilities & Updates

F5 Networks Patch Critical Remote Code Execution Flaw

One of the world’s leading providers of networking equipment, F5 Networks, has warned its customers of a particularly dangerous security flaw. This vulnerability specifically affects their BIG-IP products, which are multi-purpose network devices. The flaw exists in the management interface of BIG-IP devices and allows an unauthorised remote attacker to execute arbitrary code. These network devices are immensely popular all over the world and are used in many government networks. The vulnerability was given a CVSS severity score of 10, prompting the release of an immediate patch. Users of these devices are recommended to apply the patch as soon as possible. Here is the official security advisory posted by F5.

By ZDNet.com

Citrix Publish Security Bulletin for Networking Product Flaws

Citrix have released a security bulletin addressing a number of vulnerabilities present in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. The company announced that there are barriers for many of these attacks, which limit their potential; for example, if no untrustworthy traffic is present on the management network, denial-of-service is the only real risk. Other flaws include information disclosure, privilege escalation, authorisation bypass and code injection. As always we highly recommend applying patches as soon as possible; if you are interested, more CVE details can be found here.

By Citrix.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #99 – 10th July 2020


By Joshua Hare on 9/7/20

Cyber Round-up

Cyber Round-up for 3rd July


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Most Businesses in Need of Ransomware Recovery Plan

Recent studies have shown that more than 30% of businesses do not have an emergency recovery plan in the event of a ransomware attack. Ransomware has become increasingly popular recently, and the chances of your organisation being hit are greater than ever. Data recovery firm Ontrack conducted research that found 26% of organisations could not access their backups after an attack. Most people do not consider the need for security until after they have suffered an attack; implementing a plan before you get hit will greatly reduce the damage done. This post contains some mitigation steps to help deal with your security.

By InfoSecurity-Magazine.com

Hackers Steal $1.14M From University of California

Cybercriminal group Netwalker has attacked the University of California, San Francisco, extorting more than $1 million in a ransomware scheme. The university is a leading medical-research institution and is currently working on a cure for Covid-19; a recent statement confirmed that they had paid the hackers’ ransom. The Netwalker group has been associated with multiple other ransomware attacks in the last two months, specifically targeting universities. The above article discusses the importance of an emergency recovery plan for ransomware attacks; these recent campaigns prove its significance.

By BBC.co.uk

New TLS Certificates Will Be Ignored if Valid For Over 398 Days

On September 1, Apple will begin rejecting any new HTTPS certificates that are valid for more than 398 days; they have confirmed that any connections to TLS servers that do not meet their requirements will fail. This new policy will force website owners to renew their certificates annually so that they meet certain standards; this will crack down on long-term phishing campaigns and other malicious activity. Google Chrome and Firefox have agreed to follow in Apple’s footsteps and pursue these same goals in the near future.

By TheRegister.com

Threats

New EvilQuest Mac Ransomware Contains Keylogger & Wallet-Stealing Capabilities

A new ransomware strain has emerged that appears to exclusively target macOS users. The strain, which has been called EvilQuest, exceeds our usual expectations of ransomware, possessing a number of features that are quite uncommon; these include a deployable keylogger and the ability to steal cryptocurrency wallets stored on the target system. Other than these additional features, the ransomware is not overly advanced; it uses a very basic method of infection that is common among other macOS variants. Despite its lack of sophistication, EvilQuest has seen some success. As always, stay safe, take care when downloading software and avoid pirated content.

By ThreatPost.com

Vulnerabilities & Updates

Authentication Bypass in PAN-OS SAML Authentication

Palo Alto have disclosed a critical vulnerability in PAN-OS. Enabling Security Assertion Markup Language (SAML) authentication without also enabling the ‘Validate Identity Provider Certificate’ option allows an unauthenticated user to bypass verification with an improper signature; this allows the attacker to access protected resources. Please note that the attacker needs network access to the target server in order to exploit this flaw. This vulnerability currently affects a large number of PAN-OS versions that can be found in the description of this post. This issue has since been patched, and we recommend updating as soon as possible.

By Security.PaloAltoNetworks.com

Microsoft Emergency Patch Addresses Two Critical Flaws

Microsoft has released software updates to address two critical security vulnerabilities affecting Windows 10 and Server users. This out-of-band patch comes two weeks before their scheduled ‘Patch Tuesday’ due to the severity of the flaws, both of which reside in the Windows Codecs Library. This is a remarkably easy avenue of attack that involves social engineering, enabling attackers to manipulate users into opening malicious files. The Codecs Library provides the Windows operating system’s support for audio and video file formats; the vulnerabilities present in this feature could lead to the remote execution of arbitrary code on the compromised machine. A list of affected OS versions as well as CVE details are included here; as always, update your systems as soon as possible.

By TheHackerNews.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #98 – 3rd July 2020


By Joshua Hare on 2/7/20

Cyber Round-up

Cyber Round-up for 26th June


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Indiabulls Group Hit by Ransomware

The CLOP ransomware has struck again, this time crippling the operations of Indian conglomerate, Indiabulls Group; the attackers have released screenshots of the stolen data, requesting contact within 24 hours. They have confirmed that more data will be leaked if the ransom is not paid. No one knows when the attack occurred or how much the hackers demanded. The company has not yet responded to any demands, so the attackers leaked all of their data online after not being paid.

By BleepingComputer.com

Cisco Talos Replacing ‘Blacklist’ and ‘Whitelist’ Terms

Cisco Talos are doing their best to help contribute to the anti-racism movements that have drastically risen over the last few weeks. Although the term blacklist is not specifically discriminatory, the movement is trying to remove the negative connotations surrounding the colour black. There has always been a general idea that white is good and black is bad, and this is used in many different concepts; in an attempt to break this stigma, Cisco are now replacing all mentions of ‘blacklist’ and ‘whitelist’ with ‘block list’ and ‘allow list’.

By Blog.TalosIntelligence.com

Threats

Twitter Announces Business Data Breach

Twitter has informed its business clients of a data breach that has exposed their personal information. Reports suggest that email addresses, phone numbers, and certain payment card details could have been stolen. There is currently no evidence of billing information being compromised, but the company has since fixed the issue. Twitter have apologised for the breach and advise users to change passwords as a precaution.

By BBC.co.uk

Working From Home Introduces New Remote Insider Threats

A lot of companies have taken to remote work since the lockdown began; although employing remote users has its benefits, it also introduces new security risks. Sending emails and dealing with critical company information can be risky when working from home, especially when it requires a lot of user interaction. In this situation, the biggest threat is human error, for example sending critical data to the wrong email address. When working remotely, ensure that you are taking every precaution to keep your company’s data secure; just because you’re at home doesn’t mean you can relax.

By ThreatPost.com

Stalker Online Video Game Hacked

A popular video game known as Stalker Online has been hacked, and over one million user passwords have been posted online available for download. The database of passwords was found for sale on a hacking forum at the start of May, which led to an investigation that uncovered the existence of a breach. The database is being sold for several hundred Euros worth of bitcoin, and also includes usernames, email addresses, phone numbers and IP addresses. If you have an account for this game, we highly recommend updating your password as soon as possible.

By GrahamCluley.com

Vulnerabilities & Updates

Adobe Urges Users to Uninstall Flash Player

As the need for Flash Player slowly disappears, Adobe is urging its users to uninstall the software from their computers. The product is scheduled for end-of-life on December 31, 2020, and we recommend removing it from your machines by this date; keeping out-of-date software on your computer presents a number of unnecessary security risks. Flash Player has always been a primary target for hackers, and once it stops receiving updates, it will be an extreme risk to have on your machines.

By ZDNet.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #97 – 26th June 2020


By Joshua Hare on 25/6/20

Cyber Basics
Security Guidance

Cyber Basics: Identify & Assess your Risks


This is the first in a series of posts that will aim to provide some initial guidance on the fundamentals of cyber security. During our time assisting many organisations with improving their security, the one thing that is common across all companies, regardless of size or type, is the lack of focus on Cyber Basics.

These posts will not be in any particular order, but will aim to cover what we feel are key basic elements of any cyber security strategy or improvement programme. The great thing is this guidance is applicable to any size of company or budget, no matter how small, but can equally apply to the large enterprise.

By focusing on these basics you can significantly improve your cyber maturity and help prevent over 80% of the common cyber threats active today.

Identify & Assess your Risks

Here we start with what we feel is the most overlooked aspect of any security activity, especially in smaller orgs: identifying and assessing the risks. We decided to cover this first as it naturally fits as one of the first tasks to complete.

Identify your Assets

Start by asking yourself a question, do you know ALL the IT assets you have in the organisation?

An IT asset could be a PC, laptop, server, mobile phone, tablet, security device (firewall), network device (switch or wi-fi), printers, software or any internet connected smart device (TV, camera or speaker) etc.

If the answer is yes, then excellent: you are in the very small percentage of organisations who do, and you are off to a great start.

If like most the answer is no, then your very first step is to create an inventory of all assets in your IT estate. The bottom line here is, if you don’t know about it, how can you secure and protect it!

This can be as simple as cataloguing everything in a spreadsheet or having a tool actively scan your networks to identify your assets, such as Lansweeper, SolarWinds, or Qualys.

These automated scanners are the preferred method, as they have the benefit of detecting assets that you may be unaware of, which would otherwise leave further gaps in your security. Not all business budgets will extend this far though.


Your inventory should contain as much information about the assets for both hardware and software as you can find. Include items such as: Make & model, hostname, IP address, software & firmware versions, upcoming end of sale, life or support dates, vendor, serial numbers and location to name a few.

Define Critical Assets

Once you have a list of your assets, it’s a good idea to identify which of those assets you deem most critical to the business. This will differ significantly from business to business, but will allow you to focus priorities, especially if you have a large number of devices.

For example, use a simple method such as High, Medium, and Low classifications to define which assets matter most and so require greater attention to protect the device and the data it holds.

Critical assets in the High classification may be your authentication servers or a database that contains your HR or customer records, while a device classified as Low may be your user PCs or mobile devices.

Cyber Assessment

So you have created an asset inventory and decided which assets are most important to you, now is a good time to perform an initial Cyber Assessment.

Cyber assessments are a great first step in your journey to better cyber security. They provide numerous benefits:

Identify your gaps – one of the key steps in assessing your business is identifying the gaps in your current security. Gaps are holes in your security that can be exploited by the bad guys. Identifying the gaps is a critical step in your overall improvement.

Assess your risks – once you have found the gaps in your security, the next step is to assess the risk that is posed by each gap. If you are new to risk assessments, keep it simple.

Using a High, Medium & Low scoring system, calculate the risk using the impact it could have on the business combined with the likelihood of impact occurring.

For example; a high impact gap that has a high likelihood of occurring would equal a high risk.

Baseline your maturity – completing your first cyber assessment will allow you to understand your current maturity level and create an initial baseline.

This baseline is your starting point and can be used to monitor and track your progress as your journey unfolds.

Prioritise actions based on risk – now your risks are identified you need to create an action plan. The action plan is where you start making changes to resolve the risks, plug your gaps and improve your security.

The best way to do this is via a risk based approach that focuses on prioritising the actions based on the calculated risk. Start by tackling the high risks first, once they are complete move to the medium risks and finally the lows.

This allows you to allocate budget accordingly, while dealing with the things that could have the biggest impact on your organisation first.

Continuously assess – our final step here is to realise that the cyber journey never ends; every day new threats appear and new vulnerabilities are discovered. Once you are on the path, it’s important to stay on it by continuously assessing your organisation.

Perform assessments regularly; we recommend at least on an annual basis. By carrying out periodic reviews, you can assess your progress and maturity improvements, as well as keeping on top of any new or emerging security gaps.

Cyber Assessments can come in different forms, from simple Q&As to full business and technical assessments.

If you have your own internal security team then look to define your own assessments and maturity model which are based on common frameworks available via the likes of NIST and CIS.

If you don’t, not to worry: your best option is to seek assistance from expert security professionals to help you with the process; there are plenty of us out there to choose from, so take your pick.

Above all, keep it simple. Choose what’s best for you and tailor it to your needs.

Conclusion

This first post in the cyber basics series has looked into what we consider the initial steps to get you started on your journey to a new and improved security posture.

To summarise, follow these steps:

  • Identify all your assets
  • Determine which assets you deem most critical to the business
  • Perform an initial cyber assessment on your organisation
  • Create a plan to resolve the highlighted issues
  • Use a risk based approach to prioritise your efforts
  • Carry out ongoing cyber assessments at least annually
  • Don’t be afraid to engage external help
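As an added illustration (not part of the original post), here are the steps above carried through in a small Python script: an asset inventory with criticality classifications, a list of security gaps scored for impact and likelihood, a risk rating per gap, a prioritised action plan and a baseline count to track against at the next assessment. The assets, gaps and end-of-support dates are constructed sample data; the post only states the High impact + High likelihood = High risk case, so the rest of the 3x3 risk matrix is an assumption.

```python
"""Cyber Basics worked example: inventory -> criticality -> gaps -> risk -> action plan."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Medium", "High")  # the simple three-point scale used in the post


@dataclass
class Asset:
    hostname: str
    make_model: str
    ip: str
    firmware: str
    criticality: str          # High / Medium / Low, as decided by the business
    end_of_support: str = ""  # ISO date (YYYY-MM-DD); empty if not known


@dataclass
class Gap:
    asset: str        # hostname the gap applies to
    description: str
    impact: str       # High / Medium / Low
    likelihood: str   # High / Medium / Low


def risk_level(impact: str, likelihood: str) -> str:
    """Combine impact and likelihood into a risk rating.

    Only the corner case (High + High = High) comes from the post; bucketing the
    sum of the two ranks for the remaining cells is an assumption of this example.
    """
    for value in (impact, likelihood):
        if value not in LEVELS:
            raise ValueError(f"unknown level {value!r}")
    score = LEVELS.index(impact) + LEVELS.index(likelihood)  # 0..4
    if score >= 3:
        return "High"
    if score == 2:
        return "Medium"
    return "Low"


def action_plan(assets: List[Asset], gaps: List[Gap]) -> List[Tuple[str, Gap]]:
    """Order gaps High -> Medium -> Low risk; within a level, critical assets first."""
    criticality = {a.hostname: a.criticality for a in assets}
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    scored = [(risk_level(g.impact, g.likelihood), g) for g in gaps]
    scored.sort(key=lambda rg: (-rank[rg[0]], -rank[criticality.get(rg[1].asset, "Low")]))
    return scored


def baseline(gaps: List[Gap]) -> Dict[str, int]:
    """Count open gaps per risk level; compare with a later assessment to track maturity."""
    counts = {lvl: 0 for lvl in LEVELS}
    for g in gaps:
        counts[risk_level(g.impact, g.likelihood)] += 1
    return counts


def unsupported_assets(assets: List[Asset], today: str) -> List[str]:
    """Inventory check on the 'end of sale, life or support' field (ISO dates compare as strings)."""
    return [a.hostname for a in assets if a.end_of_support and a.end_of_support < today]


# Constructed sample inventory and assessment findings (not real systems).
ASSETS = [
    Asset("dc01", "Dell R740", "10.0.0.5", "2.8.1", "High", "2026-06-30"),
    Asset("hrdb01", "HPE DL380", "10.0.0.9", "1.4", "High"),
    Asset("fw01", "Example-FW 200", "10.0.0.1", "9.1.3", "Medium", "2019-12-31"),
    Asset("lap-042", "Lenovo T480", "10.0.1.42", "1.2", "Low"),
    Asset("lobby-cam", "Smart camera", "10.0.2.7", "1.0.0", "Low", "2018-01-01"),
]

GAPS = [
    Gap("hrdb01", "no tested backups", "High", "High"),
    Gap("fw01", "firmware out of support", "High", "Medium"),
    Gap("lap-042", "no disk encryption", "Medium", "Medium"),
    Gap("lobby-cam", "default admin password, internet exposed", "Medium", "High"),
    Gap("dc01", "MFA not enforced for admins", "High", "Low"),
]

if __name__ == "__main__":
    print("Out of support:", unsupported_assets(ASSETS, "2020-06-24"))
    print("Baseline:", baseline(GAPS))
    for risk, gap in action_plan(ASSETS, GAPS):
        print(f"{risk:6} {gap.asset:10} {gap.description}")
```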

Look out for our future posts and hopefully they can help you become more secure.

Strap yourself in, you’re in for a bumpy yet enjoyable ride! 😊

By Stuart Hare on 24/6/20

Cyber Round-up

Cyber Round-up for 19th June


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

CIA Unit That Makes Hacking Tools Has Data Stolen

A specialist CIA division that creates high-level hacking tools had not taken the necessary protective measures and has suffered an attack. Reports suggest that it was the worst data loss in the history of the agency, and many secrets were stolen. A lot of the reports regarding the situation are redacted; however, it was confirmed that sensitive cyber tools used to hack into rival networks, as well as around 180 gigabytes of data, were stolen. Just another example that even those skilled in cyber security can be pwned.

By NYPost.com

One-in-Five People Experience Cyber Fraud Every Year

A recent survey by Scottish Crime and Justice, reports that the most common problem that users encounter is virus infections, as well as payment card theft. In addition, 4.5% of people say they’ve been a victim of an email scam. It was found that most victims of cyber attacks do not report incidents; the only cases that are frequently reported are those involving payment cards and bank accounts. These kinds of reports open our eyes to the dangers of cyber attacks and how much they can affect the average user; many people believe they are too insignificant to be attacked. It is important to understand that everyone is at risk, and you should always do what you can to stay safe online.

By BBC.co.uk

Avon Shut Down After Cyber Attack

Cosmetics company Avon has been taken offline following a ransomware attack. The attack reportedly affected the back-end IT systems across multiple countries, including Poland and Romania. The breach was disclosed to the public via a notification to the US Securities and Exchange Commission. The Brazilian-owned company is currently investigating the incident, which was disclosed on June 9th, and has not yet released any further details regarding the ransom. The company reportedly had backups of all their data and is working on restoring its operations.

By ComputerWeekly.com

Premier League Return Brings Risk Back With It

As viewers return to watch the Premier League this week, the risk of cyberattackers targeting live streams follows. Fans have eagerly awaited the return of football and will likely do whatever they can to stream every game possible, and hackers will be looking to take advantage of this. A wave of phishing attacks, scams and account takeovers are expected to arrive with the restart of English Football. As always, our advice is to be mindful when receiving adverts or emails, specifically those containing links and attachments, use good password practice to secure accounts, along with implementing 2FA where possible.

By ThreatPost.com

Threats

New Malware on Mac Disguises as Flash Player to Spread

Apple Mac users have been issued a warning by the security experts at Intego following the disclosure of a malware threat. The threat has been seen active in the wild and disguises itself as a Flash Player installer to spread. This is not a new tactic for malware to use; however, it is unusual that it tries to hide its activity from the user and security software. A security researcher confirmed that the Flash installer is a bash shell script; the exact nature of this can be found in the post by Graham Cluley. As always, we advise you to take care when downloading software, and ensure that it is actually what you think it is.

By GrahamCluley.com

AWS Mitigates the Largest DDoS Attack Ever

Amazon released a report recently about how they stopped a 2.3 Tbps DDoS attack in February of this year. This is apparently the largest DDoS attack ever recorded and they are happy that they managed to mitigate it. The customer targeted was not disclosed, but AWS said that the attack was carried out through the use of hijacked CLDAP servers (Connectionless LDAP, a UDP-based version of the LDAP protocol). This protocol has been used by many hackers looking to perform DDoS attacks; however, none has ever been this large.

By ZDNet.com

Vulnerabilities & Updates

Ripple20 Flaws Put Billions of Devices at Risk

Homeland Security and CISA ICS-CERT have released warnings of critical security flaws affecting billions of devices that connect to the internet. The set of 19 vulnerabilities, collectively known as ‘Ripple20’, can allow remote takeover of target devices without any user interaction. The flaws were found by Israeli cybersecurity company JSOF; they said the affected devices span a number of industries, including medical and healthcare as well as telecom and transportation.

By TheHackerNews.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #96 – 19th June 2020


By Joshua Hare on 18/6/20

Cyber Round-up

Cyber Round-up for 12th June


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

YouTube Account Credential Theft Becoming Popular

A trend has emerged among cyber criminals that involves stealing YouTube account credentials, specifically for prominent users with a lot of subscribers. Many criminals have recently developed an interest in these accounts, and although the reason is unclear, they are not reluctant to sell these credentials on the dark web. The price of the accounts entirely depends on the number of subscribers and how active they are; the issue for the sellers is how quickly they have to sell, since account owners contact Google support to get their accounts back. Reports suggest that this account theft is easier than it should be due to Google’s two-step verification being insecure.

By TheWindowsClub.com

Dark Basin, Hack-For-Hire Operation

Security Researchers have recently uncovered the origin of major cybercriminal operations around the world; reports suggest that Dark Basin, a hack-for-hire group, has been behind a large amount of them. They have been known to target institutions on more than six continents, but their primary targets are American nonprofit organisations, specifically those involved in the #ExxonKnew campaign, which suggests that climate change information was kept secret by ExxonMobil for decades. They have also been involved in various phishing attacks and have links to an Indian Tech company known as BellTroX InfoTech Services.

By CitizenLab.ca

IT Services Firm Hit by Maze Ransomware

IT services firm Conduent has become the latest victim of the Maze ransomware. The organisation provides critical services for more than 500 governments and 100 companies, making this attack’s impact much bigger than expected. Reportedly the ransomware only interrupted operations for a short time after the attack on May 29, and systems have since been fully restored. Apparently, the hit was made possible by a vulnerability in the Citrix ADC and Citrix Gateway products which was originally found and disclosed in December 2019. As always, security experts suggest updating systems as soon as possible to avoid situations like this, no matter how big or small your organisation is.

By InfoSecurity-Magazine.com

Threats

Nintendo Confirms 300,000 Account Breaches

Nintendo warns its users not to reuse passwords following a staggering amount of account compromises. Since April, the video game firm has identified 300,000 accounts that have been compromised by hackers, primarily due to poor password practice and reuse. Reusing passwords is an easy way to get your account stolen, so please ensure that you are not using the same password on multiple accounts, especially those that include sensitive details or payment card information. The most effective way to keep your account secure is to enable two-step verification; this requires you to input a single use unique code from your smartphone when you log in. This means that even if an attacker gets your password, they still cannot gain access.

By GrahamCluley.com

Vulnerabilities & Updates

Microsoft Patch Tuesday, June 2020

Microsoft has released its monthly security patch, which addresses over 120 vulnerabilities affecting various products. The critical flaws include remote code execution in SMBv1, Word for Android and Windows GDI, as well as a few more products. If you want to know more about this patch, details are included in this Talos blog. Microsoft confirmed that none of the vulnerabilities had been exploited in the wild prior to the patch release, but we advise updating as soon as possible.

By Blog.TalosIntelligence.com

Exploit Code for Wormable Flaw Posted Online

Proof-of-concept exploit code has been published on GitHub for a wormable Windows vulnerability. Worms are always extremely dangerous since they have the potential to spread to other machines without user interaction. The exploit that was posted is unreliable but still proves that there is risk present. This flaw affects Windows 10 versions 1903 and 1909 and Windows Server 1903 and 1909, and was patched in a recent update. We advise all users to apply updates as soon as possible.

By arstechnica.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #95 – 12th June 2020


By Joshua Hare on 11/6/20

Cyber Round-up

Cyber Round-up for 5th June


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Ransomware Holds Austrian City Hostage

The hacker group known as NetWalker has launched a ransomware attack against Weiz, a village in Austria; the attack has crippled the town’s public services and leaked data from building inspections. Reports from Panda Security suggest that the attack was the result of another COVID-19 themed phishing attack. The ransomware is a newly released version that spreads via VBScripts, which allows it to infect an entire Windows network, not just the machine it initially compromises. Weiz is home to many big companies that operate worldwide and is considered the economic centre of its region, so the attack is causing disruption outside of the village too. Officials have not yet confirmed whether they will pay the ransom, and the investigation is still ongoing.

By CoinTelegraph.com

Hackers Demand £800K in Bitcoin Following Ransomware Attack

Kent Commercial Services, who provide protective equipment for COVID-19, have become the latest victim of ransomware. The attackers encrypted a large portion of the firm’s data, demanding a ransom of £800K in Bitcoin. This attack was particularly harmful, since it disrupts essential operations during the pandemic; however, it was confirmed that no personal information was stolen. The company confirmed that they have not paid the ransom and they are still looking into the incident.

By BBC.co.uk

Do You Change Your Password After a Breach?

A recent study carried out by Carnegie Mellon University academics found that only a third of users change their passwords after a data breach has been discovered. This number is staggeringly low and proves that most people do not understand the dangers of poor password practice. Out of the 249 participants, only 63 admitted to changing their credentials; of those 63, only 15 did so within 3 months of the breach. Educating users on the importance of password practice is vital; uneducated users are just as big a threat as malware.

By ZDNet.com

Threats

Attackers Steal Database Credentials by Stealing WordPress Configuration Files

Hackers are once again targeting WordPress websites with a new campaign that attacks unpatched plugins. The aim of this campaign is to download the sites’ configuration files, which contain the database credentials the attackers then use to gain access to the databases. This campaign alone was responsible for 75% of all attempted exploits of plugin vulnerabilities across all WordPress sites. More details can be found in this article by ZDNet, including more information on the nature of the attacks.

By ZDNet.com

Contact-Tracer Spoofing Hitting the UK

The NHS disclosed recently that contact tracers will send text messages to individuals who have reported exposure to coronavirus; this government message requests a lot of personal information to help identify you and those you have been in contact with. As you can probably guess, malicious actors have already seized the opportunity to claim this information for themselves by spoofing government contact tracers. According to researchers this is unbelievably easy to do; however, they will not be disclosing tools or methods to the public.

By TheRegister.com

Vulnerabilities & Updates

‘Sign in with Apple’ Bug Allows Account Hijacking

Vulnerability researcher Bhavuk Jain has been paid $100,000 following his discovery of a critical flaw affecting the ‘Sign in with Apple’ system. The vulnerability allowed a remote attacker to gain access to a user’s account without authentication, provided the user had registered via the ‘Sign in with Apple’ option. This critical bug has since been patched by Apple. Details on the nature of the attack can be found here.

By TheHackerNews.com

SAP ASE Vulnerability Allows Database Control

Critical vulnerabilities affecting SAP’s Adaptive Server Enterprise software have recently been found by security researchers. These flaws could allow an unprivileged user to gain complete control of databases and operating systems. SAP have since patched these 6 critical vulnerabilities and strongly advise users to apply the updates as soon as possible.

By ThreatPost.com

And that’s it for this week’s round-up; please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #94 – 5th June 2020


By Joshua Hare on 4/6/20

Cyber Round-up for 29th May

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

UK Civil Service Tweet Catches People’s Attention

The Twitter account for the UK Civil Service published a tweet during the Prime Minister’s controversial statement regarding the Dominic Cummings incident. The employee in control of the account tweeted “Arrogant and offensive. Can you imagine having to work with these truth twisters?” The comment received 30,000 retweets within 10 minutes, with the UK Cabinet Office confirming just moments later that the tweet was unauthorised. It is likely that this employee lost their job following the tweet, but there is not much you can do to secure an account when the user in control of it ‘goes rogue’. Another real-world example of an Insider Threat.

By GrahamCluley.com

Chinese Researchers Discover and Interrupt Malware Botnet

The research team at Chinese security firm Qihoo 360 Netlab has been working closely with Baidu to disrupt a malware botnet that has reportedly infected over 100 thousand hosts. The botnet reportedly belongs to a hacker group known as ShuangQiang, which has been actively compromising systems since 2017. The group has been infecting hosts using steganography, which involves hiding malicious code within another piece of data; in this case it was hidden in images uploaded to Baidu Tieba, the biggest Chinese search engine. The security team has been blocking downloads from the URLs involved to prevent the botnet from spreading.

By TheHackerNews.com

26 Million LiveJournal Logins Stolen and Posted on Hacker Forum

A Russian blogging service known as LiveJournal was hacked back in 2017; the hackers stole 26 million user accounts, including usernames, email addresses and passwords. This attack was not discovered until this week, when the stolen credentials were published on various hacker forums. The breach was reported this week by Troy Hunt’s well-known ‘Have I Been Pwned?’ service, which notifies users if their email address has been compromised in a data breach. The details of the situation are unclear, but we strongly advise updating your password for LiveJournal, as well as for any other accounts using the same credentials.

By TheRegister.co.uk

Threats

Ransomware Demands Have Grown 14 Times in One Year

Ransomware attacks have been growing in popularity among the cybercriminal community, and the criminals are getting bolder every day. In the last 12 months their ransom demands have increased 14 times over, and more groups are gravitating to this profitable form of attack. One of the biggest ransomware groups, GandCrab, retired its operations last year, and since then the Ransomware-as-a-Service model has become the preferred way of doing things. This time last year, the average ransom demanded by the biggest ransomware groups was around $6,000; this has since increased to almost $84,000. If you would like to learn more about how ransomware works and the tactics used by criminals, we suggest looking at this article by BleepingComputer.

By BleepingComputer.com

New iPhone Jailbreak Available for iOS 11 to 13.5

A hacker group has emerged with a new jailbreak method that works even on the latest iOS version, 13.5. The method uses an unpatched zero-day exploit to seize control of devices, something not possible on a current release since iOS 8. Reports suggest that even once the flaw is patched, users will be able to remain on the exploitable version to keep their devices jailbroken. This new tool gives complete control while retaining the OS’s security features; security was always a big problem with jailbreaking in the past, and this is something the developers have bragged about. It does, however, increase the risk associated with downloading rogue applications that may harm your device.

By ThreatPost.com

Vulnerabilities & Updates

Apple Patch More Than 40 macOS Catalina Vulnerabilities

The latest update for macOS Catalina, 10.15.5, addresses 44 security flaws affecting AirDrop, Bluetooth, Calendar and much more. Some of these vulnerabilities could lead to denial of service, arbitrary code execution, privilege escalation and memory leaks. This rollout also included patches for multiple Safari bugs. As always, we recommend applying these updates as soon as possible to ensure you are protected from the associated exploits.

By SecurityWeek.com

And that’s it for this week’s round-up; please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #93 – 29th May 2020


By Joshua Hare on 28/5/20

Ironshare is a provider of Information and Cyber Security services.