Blog

Ironshare's latest posts ready to view and share.

Cyber Round-up

Cyber Round-up for 22nd May

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Verizon’s Annual Data Breach Report

This week, telecommunications firm Verizon released their annual data breach report. This report discusses all their discoveries, including analysis of around 32,000 security incidents and approximately 4,000 breaches. From this data, the firm found that 43% of breaches targeted web applications; this is double what was seen last year. Web applications are one of the easiest ways for an attacker to gain access to a target machine, with 90% of submitted vulnerabilities corresponding to them. If you want to learn more about Verizon’s findings, the full report can be found here.

By SiliconAngle.com

9 Million Personal Records Stolen in EasyJet Data Breach

The UK’s Information Commissioner’s Office are currently investigating a recent data breach affecting 9 million EasyJet customers. According to reports, this attack was ‘highly sophisticated’, and stole the email addresses and travel details of those affected. In addition, 2,208 of these victims also had their payment card details accessed. EasyJet discovered this breach in January, and before now, only those who had their card details stolen were notified. With the investigation fully underway, the firm announced that all affected customers would be informed by 26th May.

By BBC.co.uk

Surveillance Technology Becoming a Focus During Pandemic

The pandemic has brought along a new need for an increase in surveillance technology. An example of one of the advances being made is an autonomous laser that observes crowds of people and assesses them based on risk. These risk factors include social distancing compliance, not wearing a mask and temperature detection. These new technological advances always come during times of crisis; for example, in 2018 there was an increase in gun violence in the US, which gave way to a new gun detection system.

By ZDNet.com

Threats

US Unemployment Insurance Programs Become Victim of Large-Scale Fraud

A Nigerian crime ring has been actively committing large-scale fraud against unemployment insurance programs across multiple US states. The well-organised criminals have been more present recently, taking advantage of the COVID-19 pandemic to exploit vulnerable organisations. Unemployment claims have been filed using the social security numbers and personal information of identity theft victims; this indicates that the crime ring is in possession of a database containing personally identifiable information (PII). These attacks have primarily targeted Washington, but have also been seen in North Carolina, Oklahoma, and a few others. More details on this scheme can be found in the post by KrebsOnSecurity.

By KrebsOnSecurity.com

ProLock Ransomware Gaining Access to Victim’s Networks

The FBI have issued a public warning regarding a new ransomware strain that has been deployed on many healthcare organisations’ systems; the malware is manually installed onto a system after it has already been infected by the Qakbot trojan. Reports from the FBI suggest that the decryption tool may not work unless it is modified, even after paying the ransom; the Ryuk ransomware had a similar bug. This malware emerged in March 2020 and has seen a lot of activity since then; it is not expected to slow down any time soon.

By ZDNet.com

The Dangers of Outdated TLS Protocols

TLS security protocols were designed to keep you safe and ensure that the data you send and receive preserves its integrity. When these protocols become outdated, you are not only unprotected, but also expose your systems to the unpatched vulnerabilities present within them. TLS 1.0 and 1.1 are now outdated, meaning they no longer receive updates and fixes; upgrading to 1.2 or 1.3 is essential. However, this is not something that can be done quickly, so we recommend looking into this to make sure you are doing it properly.

By Venafi.com
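As an added example (not from the Venafi post or from Ironshare), a small Python audit script: it builds a client context that refuses anything below TLS 1.2, and probes a server you name (the host and port are assumed inputs) with a handshake pinned to each protocol version, so you can confirm TLS 1.0 and 1.1 are actually switched off once the upgrade is done.

```python
import socket
import ssl

# Outdated versions per the round-up (no further fixes) versus the ones to move to.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
ACCEPTABLE = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_client_context() -> ssl.SSLContext:
    """Client-side policy: certificate verification on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> bool:
    """Return True if host:port completes a handshake pinned to exactly `version`.

    Verification is disabled on purpose: this checks protocol negotiation only,
    so a bad certificate must not mask a server that still accepts TLS 1.0.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Lower the local OpenSSL security level so our own policy does not
        # silently refuse the old versions before the server gets a chance to.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return False  # this OpenSSL build cannot even speak that version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # handshake refused, reset, or timed out


def survey(host: str, port: int = 443) -> dict:
    """Map each version name (e.g. 'TLSv1_1') to whether the server accepted it."""
    return {v.name: probe_version(host, port, v) for v in DEPRECATED + ACCEPTABLE}


def assess(results: dict) -> list:
    """Turn a survey into findings; an empty list means the server is in line
    with the advice above (1.0 and 1.1 off, at least one of 1.2 or 1.3 on)."""
    findings = []
    for v in DEPRECATED:
        if results.get(v.name):
            findings.append(f"{v.name} still accepted: disable it")
    if not any(results.get(v.name) for v in ACCEPTABLE):
        findings.append("neither TLS 1.2 nor 1.3 accepted: "
                        "modern clients will fail to connect")
    return findings


if __name__ == "__main__":
    import sys
    # Assumed target; pass your own host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    report = survey(target)
    for name, ok in report.items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
    for finding in assess(report):
        print("FINDING:", finding)
```

Run it before and after the change on each endpoint; a clean result is one with no findings, and a server that refuses every version usually means a firewall or a wrong port rather than a hardened configuration.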

Vulnerabilities & Updates

Microsoft Discloses Windows DNS Server Vulnerability

Microsoft has released a security advisory addressing a flaw in the Windows DNS Server. This vulnerability allows an attacker to launch a denial-of-service (DoS) attack. The official report gives details of the nature of the DoS, including recommendations for how to deal with it. We strongly advise applying this patch as soon as possible, as well as reading this blog for more advice.

By DarkReading.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #92 – 22nd May 2020


By Joshua Hare on 21/5/20

Cyber Round-up for 15th May

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

400 Million Malware Infections Detected in April 2020

The job of a cybercriminal is easier than ever due to the Covid-19 lockdown, and research backs this up. In April alone, there were a total of 404 million malware infections worldwide: this equals around 10 million infections a day. To add to this, around 64% of the attacks were launched against educational services; because of this, it is recommended that educational institutions employ IT experts as we approach the exam period.

By HackRead.com

Ransomware Attack Targets Celebrity’s Personal Data

A long list of celebrities have suffered from a ransomware attack recently that stole their personal data, including contact information and employment contracts. Around 750GB has reportedly been stolen by the criminals. The attack hit a law firm known as Grubman Shire Meiselas & Sacks, whose website is now offline while they deal with the incident. The malware used in the attack has been named REvil; more information regarding the attack can be found in the blog on Naked Security.

By NakedSecurity.Sophos.com

Threats

ARCHER’s Supercomputer Compromised by Cyber-Attack

One of the most powerful supercomputers in Britain, known as ARCHER, has been exploited by cybercriminals, forcing a system-wide reset of passwords and SSH keys. The attackers targeted the machine’s login nodes to achieve this. This supercomputer was designed as a research resource for incidents with global impact, making it invaluable in times like these. Unfortunately, due to the impact of the attack, all operations have been stopped for this week and will not be available until Friday 15th at the earliest.

By TheRegister.co.uk

New Malware Emerges That Targets Both Windows and Linux

A new malware known as ACbackdoor has recently surfaced, and reports suggest that it affects both Windows and Linux machines. Both variants use the same protocol to talk to their C&C (Command and Control) server and share a lot of common features; however, the Linux version of the malware possesses additional capabilities, including process renaming. It also has a much lower detection rate than its Windows counterpart. One of the scariest features is its ability to disguise itself as a legitimate process, meaning you cannot really trust anything. We still do not know who is behind the distribution of the malware, but more details can be found in the post on Cybsploit.

By Cybsploit.com

Hospital Construction Companies Targeted by Cyber-Attacks

Due to the severity of Covid-19, healthcare organisations have resorted to building new hospitals to care for more patients; cybercriminals have seen this as an opportunity and the companies responsible for construction have become a big target. Reports show that the attacks suffered have not been too harmful so far. Websites and computer systems have had to be shut down as a result, but day-to-day operations have not been affected much. The NCSC (National Cyber Security Centre) is working hard to combat these cybercriminals and encourages organisations to be especially vigilant during this time.

By BBC.co.uk

Vulnerabilities & Updates

Microsoft Patch Tuesday – May 2020

This month’s Patch Tuesday has finally arrived and it contains fixes for 15 critical vulnerabilities; these include several remote code execution vulnerabilities, as well as a memory corruption flaw in the Internet Explorer web browser. The release also features updates for 95 important vulnerabilities. As always, we recommend applying these patches as soon as possible, and if you want to learn more about what was addressed this month, links to all CVEs can be found here.

By Blog.TalosIntelligence.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #91 – 15th May 2020


By Joshua Hare on 14/5/20

Cyber Round-up for 8th May

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Experts Issue Warning for US & UK Healthcare Organisations

Many of the new campaigns being launched against key healthcare organisations rely on password-spraying techniques to gain access to accounts; because of this, strong password practice is vital. Cyber experts have published an in-depth advisory on changing passwords, strengthening them, and implementing two-factor authentication to ensure accounts are secure. The advisory also contains advice on what is considered a strong password; the guide can be found here.

By NCSC.gov.uk

Hacker Group Attempts to Hijack 900,000 WordPress Sites

Over the last week, an unknown hacker group has attempted to hijack over 900,000 WordPress sites, primarily through the exploitation of cross-site scripting vulnerabilities. This allows them to redirect all traffic to the site to a secondary malicious site. Reports revealed that more than half of the attacks exploited a specific XSS flaw in the Easy2Map plugin, which was removed from WordPress in August of 2019; this plugin was only installed on 3,000 sites. The company issued a warning that the malicious actor behind the attacks is advanced enough to create new exploits for future campaigns.

By ZDNet.com

Promoting Good Password Practice for World Password Day

With World Password Day being this week, we thought it would be appropriate to encourage better password habits with some staggering statistics. In the UK, an overwhelming 64% of individuals reuse passwords to avoid forgetting them, and 54% claim to not have changed their passwords after a security breach. Poor password practice has always been a big issue when it comes to account security, so why not change that today? If you want to find more of these crazy statistics, or maybe want to know how to make your accounts more secure, we recommend reading this blog.

By Blog.LastPass.com

Threats

GoDaddy Discloses Data Breach to the Public

GoDaddy, the biggest domain registrar in the world, has recently confirmed that they have suffered a data breach. According to reports, the breach took place in October 2019 and only impacts hosting accounts; those with customer accounts are not affected and their information is reportedly safe. All hosting accounts that were impacted have been reset and emails have been sent to everyone affected explaining how to regain account access. GoDaddy have responded to the incident by offering those affected free malware protection and security services. They also confirmed that around 28,000 accounts were affected.

By Forbes.com

Socially Engineered Phishing Attacks Targeting SharePoint & Office

A new phishing campaign has launched that aims to steal Microsoft SharePoint and Office credentials from investment brokers. The fraudulent emails contain a warning demanding immediate action, as well as a malicious attachment that is in some way related to the victim’s organisation. To further deceive users, the emails contain signatures of actual FINRA officers; FINRA is the Financial Industry Regulatory Authority. These kinds of campaigns are becoming increasingly popular, and we recommend always keeping your eye out when receiving suspicious emails.

By ThreatPost.com

Zoom Implements New Security Measures to Combat Hackers

For the last couple of months, internet trolls have been interrupting Zoom video calls with offensive content and imagery. Zoom has been working hard on ways to tackle this issue, and has implemented new security features to help. One of these features is the requirement of passwords for all meetings if you’re using a free account. Zoom has been in the spotlight recently because of the number of these attacks it has suffered; however, they have been working hard to remediate these issues and deserve credit for their effort.

By BBC.com

Trojanised 2FA App Contains Remote Access Trojan Variant for Mac

A new variant of the Dacls Remote Access Trojan has been found, and it appears to be associated with North Korea’s Lazarus Group; the difference is this version is specifically designed for MacOS. A trojanised two-factor authentication app called MinaOTP is used to distribute the RAT; the application is common amongst Chinese speakers. More details on the nature of the malware can be found in the technical blog on Malwarebytes’ site.

By Blog.Malwarebytes.com

New IoT Malware Strain Has Begun Launching DDoS Attacks

A new botnet campaign called Kaiji has been created from scratch and has already begun compromising Linux servers and IoT devices. The botnet has been actively using these infected machines to launch DDoS attacks; the malware is very advanced and different from all other botnets, as it does not aim to exploit unpatched vulnerabilities. In addition, it was written in the Go programming language, which is very uncommon. It also uses very unusual brute force techniques that are not typical of a botnet. IoCs can be found on Intezer’s blog, and we highly advise using complex passwords to reduce the risk of a brute force attack succeeding.

By Bitdefender.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #90 – 8th May 2020


By Joshua Hare on 7/5/20

Cyber Round-up for 1st May

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Nine Million Logs of Brits’ Road Journeys Leaked Online

Sheffield City Council’s ANPR (Automatic Number-Plate Recognition) system has been left password-less on the internet, leaking the road journeys of 8.6 million people. The management dashboard was accessible to anyone who found it, and allowed viewers to find the number plates, times and journeys of certain vehicles with ease. South Yorkshire Police are currently investigating the incident and have assured the public that a leak of this kind will not happen again.

By TheRegister.co.uk

Shade Ransomware Group Stops Operation & Releases Decryption Keys

The hacker group behind the Shade ransomware attack have stopped all operations and are no longer spreading their attacks; as well as this they issued a public statement announcing that they have released more than 750,000 decryption keys to help victims get their data back. Security researchers have confirmed that these keys work as promised and are not another scam. The group publicly apologised and also published their easy-to-use decryption tools to help more people. This is a shock to everyone, and we just hope that more groups step forward and do the same, especially those affecting the work of healthcare services.

By GrahamCluley.com

Threats

WordPress Plugin Flaw Allows Hackers to Create Admin Accounts

WordPress users are being urged to update the Real-Time Find and Replace plugin as soon as possible because of a cross-site request forgery bug. This flaw could allow an attacker to create rogue admin accounts and inject malicious code onto the victim’s site. This issue was patched within hours of disclosure, but reports suggest that more than 70K sites are still vulnerable; all WordPress site owners are advised to apply the recent patch as soon as they can to prevent the risk of an attack.

By BleepingComputer.com

Phishing Attacks Disguised as Urgent Zoom Meeting From HR

A number of people have reportedly received an email regarding an ‘urgent Zoom meeting with your company’s HR team’. Upon clicking the link, the user is redirected to a login page which asks for email account credentials; there is no reason for Zoom to ask for this, so this is an obvious attempt to gain unauthorised access to business systems. The number of Zoom-oriented attacks has massively increased since so many people are in quarantine, and we advise all users not to click on any links unless you are 100% sure they are legitimate.

By GrahamCluley.com

Vulnerabilities & Updates

Asnarök Trojan Designed to Target Firewalls

Sophos and their customers recently suffered a coordinated attack which revealed the presence of an SQL injection flaw on some firewall products; this vulnerability allows an attacker to execute code remotely. The previously unknown vulnerability has since been patched by Sophos. This custom malware was created to target firewalls and steal sensitive information from them, through orchestrated chains of Linux scripts that allowed the attacker to download executable malware. The Sophos research team has investigated this attack for an extensive period to find out the nature of the attack and worked hard to remediate the discovered vulnerabilities.

By News.Sophos.com

Adobe Releases Emergency Updates for Magento, Illustrator & Bridge

Adobe were forced to release a batch of emergency updates for three of their most used products: Magento, Illustrator and Bridge. The patch includes fixes for a total of 35 flaws affecting these products, which include critical code execution flaws. There are 5 known critical flaws for Illustrator, 14 for Bridge and 6 for Magento platforms; the rest are marked as important and moderate, including a few information disclosure issues. We advise applying this emergency patch as soon as possible if you use any of the products mentioned above.

By TheHackerNews.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #89 – 1st May 2020


By Joshua Hare on 30/4/20

Cyber Round-up for 24th April

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Millions of Facebook Profiles Found for Sale on Dark Web

Cybersecurity firm Cyble have recently discovered a database containing the profiles of 267 million Facebook users after they found the records for sale on the dark web. In order to notify users of the breach through their notification service, Cyble purchased the records for a total of £500; after further investigation it was confirmed that no passwords were exposed, however user IDs, phone numbers, usernames and email addresses were included. The company are unsure as to how the information was leaked but believe it could be due to a flaw in the Facebook developer API.

By NakedSecurity.com

25,000 Email Addresses and Passwords Dumped Online

Almost 25,000 email addresses and passwords have been dumped online by unknown activists; it was found that these credentials belonged to workers of the National Institutes of Health, the World Health Organisation, the Gates Foundation and many other groups involved in fighting the coronavirus pandemic. The incident was discovered by the SITE Intelligence Group, who are best known for working hard to combat online extremist and terrorist groups. This leak has highlighted another example of organisations using very poor password practices.

By msn.com

Cognizant Hit by Maze Ransomware Attack

Cognizant, a well-known IT service provider, suffered a ransomware attack this month at the hands of the Maze hacker group; however, the group denies responsibility. The company has not yet paid the ransom and information regarding the situation is yet to be disclosed; the attack is currently being treated as a data breach, as the Maze group’s MO includes infiltrating a company’s network for many weeks and stealing data prior to launching their ransomware, improving the odds of the ransom being paid. Researchers are currently awaiting developments in the incident.

By BleepingComputer.com

Threats

Nintendo Urges Users to Secure Accounts

Nintendo Switch owners have recently become a target for hackers, as a new wave of attacks allows them to access accounts and make purchases with linked payment methods. The Switch features a digital store which can be linked to PayPal, meaning many users have experienced fraudulent attacks resulting in unwanted payments on their accounts. The best way to counteract these attacks is to enable two-factor authentication; this can be found in your Nintendo account settings and provides an added layer of security to prevent attackers from gaining unauthorised access. Two-factor authentication requires you to input a one-time code from a smartphone app as well as your password, meaning an attacker cannot break in without possessing both your login details and your smartphone.

By BBC.com

NCSC Launch Cyber Awareness Campaign for Email Scams

Email scams are one of the biggest threats plaguing all users, which is why the NCSC has launched a new ‘Cyber Aware’ campaign, which offers advice and services to help combat the dangers we all face. One of these features is the Suspicious Email Reporting Service, which allows anyone to forward suspicious emails to the organisation so that they can investigate and act on them. This is another great move by the NCSC in the battle to combat the phishing threat, which more recently includes COVID-19 related scams. To use this new service, simply forward any suspicious emails to report@phishing.gov.uk and they will be investigated.

By NCSC.gov.uk

Vulnerabilities & Updates

Researchers Find Zero-Day Hack For iPhone in the Wild

iPhones very rarely get caught out when it comes to attacks, with the last serious case being in summer 2016. This week, San Francisco based security firm ZecOps reported that some of its customers were hit by two zero-day exploits on iOS devices, both running version 13 of the operating system. Exploits against iPhones are some of the most expensive on the market due to how rare they are. It is believed that this is not the only zero-day for iOS, as in the summer of 2019 there were rumours of an unknown hack. Keep in mind that these attacks are targeted and are not committed on a mass scale; the hack targets the default Mail app, so if you’re worried, remove it from your device.

By VICE.com

Connected Home Hubs Vulnerable to Remote Takeover

A few different models of connected home hubs from Fibaro, Elko and Homematic have been compromised through vulnerabilities present in older versions of their firmware. These hubs, which connect multiple appliances within your home, have been exploited using man-in-the-middle (MitM), remote code execution and information disclosure attacks. Most of the flaws have been fixed by the vendors, so it is vital that users ensure their IoT devices are regularly updated.

By ThreatPost.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #88 – 24th April 2020


By Joshua Hare on 23/4/20

Cyber Round-up for 17th April

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Linksys Reset Customer Passwords for Smart WiFi Accounts After Cred-Stuffing Attack

Linksys, a company known for selling network hardware, recently forced a password reset for all customers using Smart WiFi. As a result of the recent COVID-19 malware attacks, many user accounts had been compromised and security firm Bitdefender confirmed that devices were being hit with credential stuffing attacks. Linksys were reportedly unclear as to why the password reset occurred, and the notice they sent to customers referenced the COVID-19 malware, but was very cryptic; all users of the Smart WiFi app must reset their password when they next log in.

By TheRegister.co.uk

Government and Medical Organisations Still Being Targeted by Malicious COVID-19 Attacks

We have spoken about this extensively over the last few weeks, but it doesn’t seem to be slowing down; COVID-19 themed phishing campaigns are still ongoing, causing even more unnecessary danger during the pandemic. Unit 42 has observed attacks against a Canadian government healthcare organisation and a medical research university; the malware being utilised in these campaigns consists of information stealers and ransomware, which are detailed in the blog. For safety purposes, the attacks used as examples in this post were not successful; more information on this crisis can be found here.

By unit42.paloaltonetworks.com

Stolen Zoom Accounts Are Being Sold on Dark Web

Over 500,000 Zoom accounts are currently listed for sale on the dark web and various hacker forums; this is the result of a credential stuffing attack, which is where leaked login credentials are used to try and gain access to other services. The accounts that were successfully accessed are being sold for less than a penny each, and sometimes even given away for free, to gain a reputation in the community. We strongly recommend not reusing passwords on multiple sites, and if you have, change them as soon as possible. We also advise using Have I Been Pwned to check if your email has been breached.

By BleepingComputer.com

Threats

Understanding Cloud Misconfiguration and How to Fix it

Cloud misconfigurations occur when a cloud system or asset has not been set up properly, which could have negative impacts on the security of your data. Security researchers found that 21% of data breaches were due to misconfigurations, making it one of the most common ways for an attacker to make their way into your cloud systems. McAfee have provided a list of common misconfigurations that affect Amazon Web Services; we strongly advise looking into this and remedying any issues you may not have previously known about.

By DarkReading.com

Zoom Zero-Day Exploit Being Sold for $500,000

Popular video conferencing software, Zoom, has been the victim of many hacking attempts since people have been forced to work from home, but the worst is yet to come. Reports state that a zero-day exploit for Zoom is being sold for $500,000 on the dark web. Those who trade these kinds of exploits have revealed that there are two exploits available, one for Windows and one for MacOS. Zoom are actively investigating this issue, and claim to take their user security extremely seriously; as of yet, no evidence has been found to support the claims of a zero-day being present.

By Vice.com

Vulnerabilities & Updates

Microsoft Patch Tuesday – April 2020

This month’s release of Microsoft’s Patch Tuesday just hit and it’s a big one, with a total of 115 vulnerabilities. 10 of these vulnerabilities were labelled critical and include various remote code execution and memory corruption flaws. Some of the affected engines include the Windows scripting engine in Internet Explorer, as well as Adobe Type Manager and Microsoft Edge. There are also 96 important vulnerabilities addressed in this patch; more details can be found here in the Talos blog. As always, we advise applying these patches as soon as they are available.

By TalosIntelligence.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #87 – 17th April 2020


By Joshua Hare on 16/4/20

Cyber Round-up for 10th April

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

NCSC Advisory: Dealing With COVID-19 Related Cyber Attacks

The COVID-19 pandemic has given cyber criminals a lot of new ideas, and the virus-related activity is only increasing. The NCSC has joined forces with CISA and the US Department of Homeland Security to deliver an advisory designed to help individuals and organisations protect against these COVID-19 related exploits. The guidance includes a list of indicators of compromise that users can look out for, as well as mitigation techniques. The full guidance document is available for download here; we advise taking advantage of this to reduce the risk of an attack.

By NCSC.gov.uk

NASA Under Fire from Significant Number of Cyber Attacks

As a result of the COVID-19 pandemic, many NASA workers are isolated in their homes. Cyber criminals see this as an opportunity to flood them with increasing waves of attacks. It is not just common criminals doing this, however: NASA has also seen an increase in attacks from state-backed hackers, including attempts to exploit the personal devices of those working from home. The majority of these malicious actors are focused on phishing attempts to gain access to sensitive information such as login credentials; these actors have also begun targeting mobile devices to trick their victims. NASA advises taking a look at the advisory issued by CISA on protecting against phishing and social engineering.

By BleepingComputer.com

Criminals Target Hospitals with Ransomware

Interpol has issued serious warnings of a significant increase in ransomware attacks, specifically targeting overwhelmed hospitals. While the staff in these hospitals are working tirelessly to save the lives of those affected by the pandemic, cyber criminals are doing everything they can to profit from their struggle; Interpol are working closely with police in an attempt to combat the ‘heightened’ ransomware threat. Technical support is being provided to its member countries, as well as actively hunting the threat through investigation of suspicious domains related to COVID-19. The pandemic has everyone on their toes; hospital workers are desperate to save the lives of patients, while cyber police are doing the same to keep the hospitals operational.

By law360.com

Threats

Malicious Files Disguised as Skype App

During the pandemic, the number of people working from home has drastically increased, making conferencing applications a necessity; as expected, cyber criminals have seen this as an opportunity. Applications such as Skype, Zoom and WebEx have all been targets of this new campaign, and a recent report from Kaspersky revealed that 120,000 packages disguised as these applications had been spotted in the wild. A lot of these packages are just adware and knockoff versions; however, a significant number of them have been found to contain various bundles of malware and trojans. It is vital during these times that we are mindful of what we download from the internet; ensure that you are visiting a legitimate source so you don’t become a victim of this campaign.

By ThreatPost.com

New IoT Botnet Spotted in the Wild

A new IoT botnet, known as dark_nexus, is emerging that reportedly uses compromised smart devices as part of a DDoS-for-hire service. The botnet utilises credential stuffing attacks on various devices to take control of them and add them to its list of bots; this number currently sits at 1,372. The botnet shares a lot of features with others we have seen previously; however, it is far more robustly developed, making it much more dangerous, and it is believed to be inspired by botnets such as Qbot and Mirai.

By TheHackerNews.com

Vulnerabilities & Updates

Android Users Vulnerable to Unkillable Malware

The latest Android malware package to hit the market, known as xHelper, has become extremely prominent in Russia, Europe and Southwest Asia. Reports suggest this malware is almost impossible to remove once it has made its way onto your device, and it is affecting Android 6 and 7 devices; these make up approximately 15% of the Android user base. Although this is a big problem, there is a simple solution: the malware has to be downloaded from an unofficial app store. Had users avoided unofficial sources for their apps, it would not have spread as widely as it has. As always, we advise using only the trusted Google Play store and avoiding all third-party sources.

By TheRegister.co.uk

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #86 – 10th April 2020

Why not follow us on social media:

By Joshua Hare on 9/4/20


Cyber Round-up for 3rd April

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Marriott Hotel Group Breached AGAIN

Marriott Hotel Group is unfortunately in the news again for yet another breach of customer information. This latest security incident impacts their franchise chain, where the credentials of two employees were used to access the information of 5.2 million customers between mid-January and the end of February 2020.

Although investigations are still ongoing, they believe that personal information such as contact details (name, address, phone number), loyalty account information, company, gender and birthday has been exposed. At this time, passwords and credit card information have not been accessed. The official Marriott News Center notice can be found here.

Marriott’s Starwood chain of hotels became a major headline in November 2018 when they disclosed that half a billion customers had been impacted by a data breach that lasted 4 years.

By Marriott.com

Dutch Police Tackle Coronavirus Fraud

In light of a significant increase in global fraud relating to the COVID-19 pandemic, the Dutch police have taken 10 online shops offline in a move to prevent internet fraud connected with coronavirus.

As the pandemic continues, this type of fraud will undoubtedly increase over the coming weeks and months as the bad guys look to profit from the misfortune of others. Some of the 10 fraudulent shops had hijacked the names of well-known shops, while others were completely fake.

By DutchNews.nl

BadUSB attack detected in the wild

A US hospitality provider has recently been the target of an incredibly rare BadUSB attack. The attack involves using snail mail (the regular postal service) to send a company an envelope containing a malicious USB thumb drive.

The company also received a fake BestBuy gift card and was told to plug the USB thumb drive into a computer to access a list of items the gift card could be used for. The USB drive was laced with malware and once plugged in, started infecting the machine as well as stealing both personal and financial information. The moral here is you should never use a USB drive unless you know it’s from a trusted source.

By ZDNet.com

Threats

Trickbot Threat is Evolving

In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the wild. Trickbot was originally designed to steal sensitive information from a compromised host, but over the years, it has not only expanded that functionality, but also added new features such as the ability to be used as a dropper for other malware.

In this post by Cisco’s Talos Intelligence Threat Research team, they outline the continued evolution of Trickbot, as well as how you can defend against this threat.

By TalosIntelligence.com

SilverTerrier: 2019 Nigerian Business Email Compromise

In 2019, Business Email Compromise (BEC) maintained its rankings as both the most profitable and the most prominent threat. As of September 2019, loss to BEC attacks eclipsed US$26 billion globally.

In this report, Palo Alto’s Unit 42 research team identify the trends associated with SilverTerrier BEC attacks, highlighting their findings, the first Nigerian commodity tool developer, and providing an overview of actions Palo Alto Networks is undertaking internally and externally to address this threat.

By unit42.paloaltonetworks.com

Vulnerabilities & Updates

AWS Removes TLS 1.0 / 1.1 Support

To improve security for data in transit, AWS will be updating all of their Federal Information Processing Standard (FIPS) endpoints to a minimum Transport Layer Security (TLS) version of 1.2 over the next year.

This update will remove the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints across all AWS Regions by March 31, 2021. If you are currently using FIPS services in AWS please check out this post to see how you may be impacted, and what you need to do to prepare for the change.

By aws.amazon.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #85 – 3rd April 2020


By Stuart Hare on 2/4/20


Cyber Round-up for 27th March

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Volunteers Fighting Against COVID-19 Cyber Crime to Protect Healthcare

Cybercriminals have been exploiting the spread of COVID-19 and are actively targeting healthcare services with their attacks. Because the healthcare industry is so overwhelmed, cybersecurity is not a priority at the moment; as a result, hackers are finding easy ways into these systems, which not only affects patient data but can also cost lives through compromised equipment and incorrect logs. The critical threat created by these criminals has sparked an uprising of volunteer cyber-protectors who are determined to defend vulnerable healthcare organisations. Cyber Volunteers 19 (CV19) has been established by veteran cyber professionals Lisa Forte, Daniel Card and Radoslaw Gnat to provide cyber support in this time of global crisis. With several thousand volunteers offering assistance, the group is doing admirable work and we suggest following their efforts on social media.

By Forbes.com

Coronavirus Scam Offers Free Netflix Subscription

A recent Netflix scam has been fooling its victims into believing they’re getting a free subscription due to the coronavirus isolation. It is unclear whether these scammers plan to deliver malicious code or steal credentials, but a number of people have taken the bait and shared the site on social media. If you come across this scam, be sure not to enter any details and definitely do not share it with your friends; much like the virus itself, you can prevent it from spreading by keeping it away from others.

By HotForSecurity.com

Threats

Tupperware Website Infected by Payment Card Skimmer Attack

US food container company Tupperware has become a victim of payment card skimming; the malicious code was discovered by security firm Malwarebytes last week. Despite their warnings, Tupperware has not acknowledged the attack. The code reportedly works by impersonating the website’s payment form, collecting user data such as payment card details, usernames, emails and phone numbers. The fake payment form steals the data and then shows a time-out error; by this point, however, you are already compromised. Attacks on online stores are expected to increase rapidly while most people are confined to their homes and more people than ever rely on online shopping. We suggest avoiding any sites that are known to be affected when shopping online to minimise the risk of an attack.

By ZDNet.com

Security Firm Exposes Over 5 Billion Records Left in Unsecured Database

A database of more than 5 billion customer records from the last 8 years has been left publicly accessible on the internet without a password. The exposed data includes hashed and plaintext passwords, email addresses and the source of each leak; what makes this so much worse is that it was leaked by a security firm. However, all data included in this breach are records from previous data breaches, so the victims were already at some risk; despite this, there is no excuse for a security company to put so many users at risk, and these kinds of incidents should not be happening as frequently as they are. Many admins ignore security features that are disabled by default, which leaves systems completely unprotected; securing databases of this size is essential.

By GrahamCluley.com

Vulnerabilities & Updates

Microsoft Announces New Critical Windows Exploit

Microsoft have recently warned the public of a new targeted attack campaign affecting Windows 10 users. The attack involves the exploitation of a currently unpatched critical vulnerability. This flaw exists in all supported versions of Windows and allows an attacker to remotely execute arbitrary code on the target system. Microsoft have issued a serious warning because there is no fix for this exploit yet; it has been a tough few weeks for them, with a number of serious vulnerabilities popping up, and they are doing their best to patch the flaws as soon as possible. As of now, there are some preventative measures you can take to mitigate the risk; we suggest looking into these, which can be found in the security advisory.

By Forbes.com

Denial-of-Service Bugs in Intel Raid Web Console 3

Cisco Talos’ most recent vulnerability spotlight has highlighted two denial-of-service flaws in Intel RAID Web Console 3. The flaws exist in the application’s web API functionality and can be exploited by sending malicious POST requests to the API. Talos worked closely with Intel to patch the bugs as soon as possible, and an update is now available to those affected. We advise applying the necessary patch as soon as you get the chance; if you want to read more about these vulnerabilities, details are included in Talos’ vulnerability spotlight blog.

By TalosIntelligence.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!


Edition #84 – 27th March 2020

By Joshua Hare on 26/3/20


Cyber Round-up for 20th March

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Following Online Safety Advice During Coronavirus Exploits

Cyber experts have discovered a number of attack campaigns exploiting the public’s concerns around COVID-19. Most of the general public are largely focused on the spreading virus at the moment, meaning that if they were to receive an email addressing the issue, they would open it without hesitation. Despite these urges, experts are strongly advising people to follow online safety advice; the harm that phishing attacks can cause is amplified during this time as many people are unable to work. The loss of money or sensitive account credentials would only make things worse, so we strongly recommend visiting the NCSC website and reading their guidance on mitigating the risk of online attacks during these unprecedented times.

By NCSC.gov.uk

Classified German Military Laptop Sold on eBay

A team of security researchers recently bought a German military laptop which was found for sale on eBay for €90. The laptop contained a number of classified documents, including details of the LeFlaSys Ozelot air defence system and instructions on how to destroy the mobile missile system. The files were given the lowest level of classification, and the device did not require a password to log in; the files, however, were protected by what was an extremely easy to guess password. A recycling firm from Bingen was responsible for listing the device for sale, and in a recent report from the Defense Ministry they were also instructed to delete the data. Destroying all data before selling IT devices is a legal requirement that the military did not comply with; this is not the first time something like this has happened. Last year, military laptops were sold by federal authorities at an auction; upon buying four of these laptops, a forest ranger found instructions for the Mars mobile rocket artillery. This is a perfect example of why all users and organisations should remove data from their devices before disposing of them; if military data can be stolen, so can yours.

By DW.com

Threats

NutriBullet Hit by MageCart Card Skimming Malware

MageCart’s long list of victims continues to grow, and NutriBullet has become its most recent victim. Following the recent removal of the card skimming malware from NutriBullet’s online store, another skimmer was installed just 5 days later. This has been a back-and-forth battle between security experts and malicious actors, in which the malware is constantly removed and reinstalled; this has been the case for almost a month now, and unless the underlying vulnerabilities within the NutriBullet site are patched, it will continue to happen. As always, we advise proceeding with caution when ordering products online and avoiding any affected sites temporarily while the organisation addresses the incident.

By ZDNet.com 

Coronavirus Tracking App Hits Victims with Ransomware

A malicious Android app has recently surfaced that claims to track local victims of the Coronavirus. Instead, the app demands a ransom of $100 in Bitcoin and locks the user out of their device. The user then has 48 hours to pay the attacker or the contents of their device are destroyed. This scheme was discovered by security researchers at DomainTools, who have named the ransomware CovidLock. The app is publicly available from a third-party website and is not on the Google Play store; this limits its ability to infect Android devices, as users have to visit the site and ignore a number of security warnings. Devices using Android Nougat (Android 7.0) and higher are not affected, provided they already have an unlock password set. If you have been a victim of this ransomware, it is possible to get your data back without paying, as it is not the most advanced malware of its kind; several Reddit users have successfully recovered their data. Please take this as a warning to only download authorised apps from the Google Play store and do not blindly trust third-party providers.

By GrahamCluley.com

Vulnerabilities & Updates

Trend Micro Patch Two Severe Vulnerabilities in Latest Update

Trend Micro have been busy over the last week patching some newly surfaced vulnerabilities that have been actively exploited in the wild. One of these is a remote code execution flaw that exists in the migration tool component of Apex One and OfficeScan. The other bug that was addressed is a content validation escape issue, which allows an authenticated attacker to manipulate components of certain agent clients. Products affected are Worry-Free Business Security, Apex One and OfficeScan. Affected versions can be found under the CVE on the Trend Micro website; we recommend updating as soon as possible to avoid the risk associated with these vulnerabilities.

By SecurityWeek.com

Adobe Patches Critical Vulnerabilities for Multiple Products

Adobe have addressed multiple critical vulnerabilities in their most recent out-of-band software updates. These patches apply to flaws existing in Genuine Integrity Service, Acrobat and Reader, Photoshop, Experience Manager, ColdFusion and Bridge. Their security advisories indicate that 29 of the 41 flaws are marked critical, while the remaining 11 are important. All of the critical vulnerabilities addressed in this patch are memory corruption flaws; we recommend installing the latest version of all of these products to mitigate the risk of an attack.

By TheHackerNews.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!


Edition #83 – 20th March 2020

By Joshua Hare on 19/3/20


Cyber Round-up for 13th March

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Microsoft Takes Down Global Botnet

One of the world’s biggest botnets, known as Necurs, had infected more than nine million machines over its 8 years of malicious activity, until this week when it was taken down by the Microsoft team and its partners. They reported that this was achieved using the very domain generation algorithm that the network used to communicate with the infected computers; they managed to crack the algorithm and predict the domains it would use next, blocking them ahead of time. This brings to an end a mighty botnet that was used for numerous cybercrimes, including ransomware delivery, credential and identity theft, spam and online scams.
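To show what predicting a domain generation algorithm for pre-emptive blocking looks like in practice, here is an added example (not Microsoft’s or Necurs’ code) with a toy date-seeded DGA constructed for illustration, a defender-side routine that pre-computes the upcoming domains, and a match against resolver log lines; the seed, the log format and the client addresses are all constructed.

```python
from __future__ import annotations
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed toy DGA; NOT the Necurs algorithm. Like many real DGAs it derives a
# daily batch of domains from the current date and a fixed secret, so a defender
# who recovers both can compute the batches before the bots ask for them.
DGA_SEED = b"constructed-seed"    # hypothetical constant embedded in the bot
DOMAINS_PER_DAY = 4
TLDS = ("com", "net", "biz")


def generate_domains(day: date, seed: bytes = DGA_SEED) -> List[str]:
    """Bot side: the domains the toy bot would contact on `day`, in order."""
    batch = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        batch.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return batch


def predict_domains(start: date, days: int) -> Dict[str, date]:
    """Defender side: every domain the bots will use from `start` for `days`
    days, mapped to the day it becomes active, ready to sinkhole or block."""
    predicted: Dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for dom in generate_domains(day):
            predicted[dom] = day
    return predicted


def flag_dga_queries(dns_log: List[str], predicted: Dict[str, date]) -> List[Tuple[str, str]]:
    """Match resolver log lines (constructed 'key=value' format) against the
    prediction; each hit names an internal client that is probably infected."""
    hits = []
    for line in dns_log:
        fields = dict(kv.split("=", 1) for kv in line.split())
        qname = fields["qname"].rstrip(".").lower()
        if qname in predicted:
            hits.append((fields["client"], qname))
    return hits


# Constructed resolver log: one internal client asks for a predicted domain.
START = date(2020, 3, 10)
SAMPLE_HIT_DOMAIN = generate_domains(START + timedelta(days=1))[2]
SAMPLE_DNS_LOG = [
    f"ts=2020-03-11T08:00:01Z client=10.0.0.23 qname={SAMPLE_HIT_DOMAIN}.",
    "ts=2020-03-11T08:00:02Z client=10.0.0.23 qname=www.example.com.",
    "ts=2020-03-11T08:00:05Z client=10.0.0.41 qname=updates.example.org.",
]

if __name__ == "__main__":
    blocklist = predict_domains(START, 7)
    print(f"{len(blocklist)} domains pre-computed for the coming week")
    print(flag_dga_queries(SAMPLE_DNS_LOG, blocklist))
```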

By BBC.co.uk

Password Rotation Policies – Good or Bad?

Over the last decade, security experts have preached the importance of password rotation policies, but a recent change of mentality has some of them thinking it may not be the way to go. IT professionals will forever be in disagreement over the topic, but more and more people are starting to see the disruption caused by these rotation/expiration policies. Most users have too many accounts to remember unique passwords for, meaning regularly changing them will lead to reuse and will undoubtedly disrupt operations. Regularly expiring passwords promotes reuse or common passwords, some of the main causes of account breaches, which is why it is vital that users always use unique passwords. We recommend reducing or even removing the use of password rotation; instead, encourage the use of unique, hard to guess passwords combined with a password manager; this ensures that you will not forget your credentials and even helps keep them unique by using a password generator.

By Sans.org

Threats

Online Map of Coronavirus Used to Spread Malware

A malicious site has surfaced that appears to be a clone of the Johns Hopkins Coronavirus map; the copycat site contains malicious code but has not yet been observed as part of any malicious campaign. The malware found in the site is reportedly a backdoor trojan, capable of evading detection and installing onto a target machine. It is disguised as ‘Corona-Virus-Map.com’, a piece of software that is supposed to display a real time log of the pandemic’s spread; instead it spreads the AZORult malware. As always, take care when installing a program; ensure that it is safe and from a trusted source before you use it. As for the map, the legitimate site is included in this article; please avoid other apps similar to this as they may be malicious.

By GrahamCluley.com

More Than Half of All IoT Devices at Risk of Attack

Palo Alto Networks’ Unit 42 research team have been actively warning organisations of the risks of IoT devices, as recent studies have revealed that 98% of their device traffic is unencrypted, which exposes sensitive and private information. This, combined with their reliance on outdated protocols, leaves IoT vulnerable to a large number of old attack techniques. This article includes the findings of a podcast recording that looks into these risks and highlights the key vulnerabilities within IoT devices. The investigations conducted by the Palo Alto research team are vital, and they described the situation as a ‘ticking IoT time bomb’, which emphasises the importance of securing all your IoT devices.

By ThreatPost.com

Vulnerabilities & Updates

Microsoft Discover New Critical SMB Vulnerability

Microsoft recently announced the discovery of a new critical vulnerability that exists in version 3.1.1 of their Server Message Block (SMBv3) protocol and allows an attacker to execute arbitrary code on the target server or client. The attack works by setting up a malicious SMB server and then tricking the victim into accessing it. It was confirmed that this flaw has not been actively exploited in the wild, and guidance has been released on how to disable SMBv3 compression to reduce the risk of an attack. There is currently no patch available for this vulnerability. Please see the Microsoft security advisory to learn more about this vulnerability and how you can protect against it.

By Microsoft.com

Microsoft Patch Tuesday – March 2020

This edition of Microsoft’s Patch Tuesday features 25 critical vulnerabilities, as well as 91 important and one moderate. Among this month’s critical flaws are a number of remote code execution and memory corruption vulnerabilities existing in Windows, the ChakraCore Scripting Engine, the VBScript Engine and GDI+. We highly recommend updating as soon as possible to avoid the risk of an attack. Many hackers target vulnerabilities that have already been patched to catch out users who have not yet updated; don’t let this be you.

By TalosIntelligence.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.


Edition #82 – 13th March 2020

By Joshua Hare on 12/3/20


Cyber Round-up for 6th March

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Let’s Encrypt Forced to Cancel 3 Million Certificates

A new bug has been discovered in Let’s Encrypt’s CA software that prevented it from checking CAA records properly. After confirming the bug, the organisation had to suspend issuance of certificates while they worked on a fix. As a result, Let’s Encrypt began revoking certificates this week, which will reportedly affect around 3 million customers, who will need to get their certificates replaced as soon as possible. The company released a list of the affected domains, which you can find in the article on their website, as well as providing a link to check if your certificate is affected. We advise looking into this to determine whether you are impacted. If you are affected, simply follow your normal certificate creation/renewal process to resolve the issue.
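As an illustration of the check a CA has to perform before issuing, here is the CAA authorisation decision as RFC 8659 specifies it, written as an added example rather than Let’s Encrypt’s own code; the zone data, domain names and CA identifiers are constructed, and wildcard names are evaluated against their base name as a simplification. Every name in a multi-domain order is evaluated separately, since one unauthorised name blocks the whole certificate.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 128  # issuer-critical flag bit in a CAA record


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data standing in for live DNS lookups: name -> CAA RRset.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],  # empty issuer: nobody may issue
    "wild.example.net": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", "other-ca.example"),
    ],
    "strict.example.org": [CAARecord(CRITICAL, "future-tag", "x")],
}


def relevant_caa_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> Optional[List[CAARecord]]:
    """RFC 8659 s3: walk from the name towards the root and return the first
    non-empty CAA RRset found; None means no CAA policy applies at all."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca_domain: str, zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name   # simplification: evaluate *.x against x
    rrset = relevant_caa_rrset(base, zone)
    if rrset is None:
        return True  # no CAA records anywhere up the tree: issuance unrestricted
    for r in rrset:
        # An unrecognised property with the critical flag set forbids issuance.
        if r.flags & CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard names
    constraints = [r for r in rrset if r.tag.lower() == tag]
    if not constraints:
        return True  # RRset carries no issue/issuewild constraint for this name
    return any(issuer_domain(r.value) == ca_domain.lower() for r in constraints)


def check_order(names: List[str], ca_domain: str, zone: Dict[str, List[CAARecord]] = ZONE) -> Dict[str, bool]:
    """Evaluate each name of a multi-domain order on its own; the certificate
    may only be issued if every entry in the result is True."""
    return {n: ca_may_issue(n, ca_domain, zone) for n in names}


if __name__ == "__main__":
    print(check_order(["www.example.com", "*.wild.example.net", "locked.example.com"], "letsencrypt.org"))
```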

By LetsEncrypt.org

Boots Suspend Advantage Cards Following Cyber Attack

Attackers have attempted to gain access to Boots’ customer accounts using stolen passwords; as a result, Boots have taken precautionary action and suspended the use of Advantage Cards for payment. The company confirmed that none of their systems were compromised and that fewer than 1% of customers were affected by the incident. No payment card information was accessed, and points can still be earned when making purchases; however, they cannot be used until the service is back up and running. This incident happened shortly after a similar compromise involving Tesco Clubcards, in which more than 620,000 Clubcards had to be blocked. Both of these incidents are the result of credential stuffing attacks, which are possible because customers reuse usernames and passwords across multiple online services, leading to the potential exposure of private customer information.
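The credential stuffing pattern behind the Boots and Tesco incidents has a recognisable shape in authentication logs: one source replaying many different usernames with mostly failures, and the occasional success marking an account whose reused password worked. The detector below is an added example, not code from either company; the log format, addresses, usernames and thresholds are constructed.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed authentication log (not from Boots or Tesco): one attempt per line.
SAMPLE_AUTH_LOG = [
    "2020-03-02T09:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2020-03-02T09:00:02Z src=203.0.113.5 user=bob result=FAIL",
    "2020-03-02T09:00:02Z src=203.0.113.5 user=carol result=FAIL",
    "2020-03-02T09:00:03Z src=203.0.113.5 user=dave result=OK",
    "2020-03-02T09:00:03Z src=203.0.113.5 user=erin result=FAIL",
    "2020-03-02T09:00:04Z src=203.0.113.5 user=frank result=FAIL",
    "2020-03-02T09:00:04Z src=203.0.113.5 user=grace result=FAIL",
    "2020-03-02T09:00:05Z src=203.0.113.5 user=heidi result=FAIL",
    # A legitimate user mistyping a password before getting it right.
    "2020-03-02T09:10:00Z src=198.51.100.7 user=ivan result=FAIL",
    "2020-03-02T09:10:09Z src=198.51.100.7 user=ivan result=FAIL",
    "2020-03-02T09:10:20Z src=198.51.100.7 user=ivan result=OK",
    # A shared office NAT: several users, but they mostly succeed.
    "2020-03-02T09:20:00Z src=192.0.2.9 user=judy result=OK",
    "2020-03-02T09:20:01Z src=192.0.2.9 user=mallory result=OK",
    "2020-03-02T09:20:02Z src=192.0.2.9 user=oscar result=FAIL",
    "2020-03-02T09:20:03Z src=192.0.2.9 user=peggy result=OK",
    "2020-03-02T09:30:00Z healthcheck",   # malformed line the parser must skip
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Accounts that logged in successfully from this source: if the source is
    # later flagged, these are the accounts that need a forced password reset.
    compromised: List[str] = field(default_factory=list)


def summarise(lines: List[str]) -> Dict[str, SourceStats]:
    """Aggregate attempts per source address, skipping lines that do not parse."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised.append(m["user"])
    return stats


def detect_credential_stuffing(lines: List[str], min_users: int = 5,
                               min_fail_ratio: float = 0.6) -> Dict[str, List[str]]:
    """Return {src: [successfully authenticated accounts]} for sources that tried
    many distinct usernames with a high failure rate: the shape of a leaked
    credential list being replayed, not of one user forgetting a password."""
    flagged: Dict[str, List[str]] = {}
    for src, s in summarise(lines).items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[src] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_AUTH_LOG))
```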

By BBC.co.uk

Police Raid Tech Support Scam Centre With Help From Vigilantes

Online vigilantes have been active recently and assisted the police in taking down an Indian tech support scam centre. The vigilantes gained access to CCTV footage of the scam centre, which led to a successful police raid on the scammers. Many people have questioned the legality of the vigilantes’ actions; however, their actions were undoubtedly vital in taking down the scamming operation. The article includes footage of the scammers at work, which makes you think about both sides of the vigilantes’ actions.

By GrahamCluley.com

Threats

Victims Paying Millions in Ransomware Attacks

A recent report by the FBI states that in the last six and a half years, over $140 million has been paid by ransomware victims. The rapid rise in these kinds of attacks is staggering, and the standout variant recently is Ryuk, which is responsible for generating approximately $61m in 2018/19. It was reported that a large portion of ransoms are paid in virtual currencies, and an estimated $37m resides in bitcoin wallets. Law enforcement agencies are actively urging victims to avoid paying ransoms, as you will not only fund criminal activity but may also not get your data back. We advise looking into this article, as ransomware is something that threatens businesses of all sizes, not just big corporations.

By ZDNet.com

Phishing Campaign Using OneNote to Evade Detection

A new emerging phishing campaign has been found to be distributing the Agent Tesla keylogger malware using Microsoft OneNote. This method of using OneNote allows the attacker to bypass security and detection tools to download malware without interruption; however, this is not the only process involved in the campaign. The attempt begins with an email being sent to the victims containing a OneNote document; attackers devised several intrusion methods based around this scheme, which allow them to evade email security measures. As always, we advise not opening email links or attachments if you are not certain they are safe.

By ThreatPost.com

Vulnerabilities & Updates

Zero-Day Vulnerabilities Present in Multiple WordPress Plugins

A recent surge in WordPress attacks has seen hackers targeting already patched vulnerabilities in the hope that admins have not yet applied the required security patches. WordPress is always a big target for cyber criminals due to its unparalleled number of users compared to other website builders; it is also becoming more common for attackers to focus their attention on WordPress plugin flaws rather than the site itself. To protect against these frequent attacks, the best thing you can do is apply patches as soon as they are available; a list of all plugins being targeted, which includes ‘Flexible Checkout Fields for WooCommerce’, ‘Profile Builder’ and ‘Duplicator’, is in this post, and we advise taking a look at it to determine if you are at risk.

By BlackHatEthicalHacking.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.


Edition #81 – 6th March 2020

By Joshua Hare on 5/3/20


Cyber Round-up for 28th February

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cisco Announce New SecureX Platform at RSA

This week at the RSA conference, Cisco has unveiled SecureX, a new platform designed to improve visibility across all their cloud-based security products. This dashboard aims to integrate a customer’s array of security solutions to streamline the customer experience, as well as incorporating third-party integrations. SecureX introduces unified visibility, automation, managed threat hunting and many other features designed to improve the operational security experience and speed up time to detection and remediation. You can learn more about the upcoming platform on the Cisco website.

By Cisco.com

Facial-Recognition Company Client List Stolen

A facial recognition company known to work with high-profile law-enforcement agencies has recently announced that their entire client list has been stolen by an intruder. The company, Clearview AI, revealed that the hacker managed to obtain a list of customers, the number of user accounts and the number of searches made by customers; despite this, they confirmed that their network and servers were not compromised. Clearview said they have since patched the vulnerability and, as usual with these incidents, they claim ‘security is their top priority’, which always seems to come after the fact.

By TheDailyBeast.com

Threats

SMS Phishing Campaign Using Emotet and Stealing Credentials

A new SMS phishing campaign has been discovered that is targeting US mobile devices. The attackers have been seen stealing banking credentials and reportedly installing the Emotet malware onto compromised devices. The phishing SMS contains a warning saying the victim’s bank account has been locked and prompts them to click a link to reactivate it. This phishing attempt looks remarkably legitimate; check out the blog post, which contains a list of indicators to help you know if a message is a scam.

By HotForSecurity.BitDefender.com

Android Malware Capable of Stealing 2FA Codes from Google Authenticator

A new version of the well-known Android banking trojan Cerberus is reportedly capable of stealing codes from the Google Authenticator app, therefore allowing access to 2FA-enabled accounts. Current versions of Cerberus are already remarkably advanced, possessing features usually exclusive to remote access trojans; the new versions, which are reportedly still being tested, have capabilities very rarely seen in malware strains. The features it possesses make it capable of bypassing all authentication on online banking accounts, making it extremely dangerous and profitable for the bad guys.

By ZDNet.com

Vulnerabilities & Updates

Google Addresses Zero-Day Chrome Flaw

Google announced this week that they have released a patch for a zero-day bug in the Chrome web browser. This flaw was being actively exploited in the wild and affects all versions of the browser on Windows, macOS and Linux. Google disclosed information about the severity of the bug and labelled it as a memory corruption vulnerability linked to Chrome’s open-source JavaScript and WebAssembly engine, known as V8.

By ThreatPost.com

Attackers Decrypting WiFi Packets with New Kr00k Vulnerability

A new bug, known as Kr00k, has been discovered that allows an attacker to intercept and decrypt WiFi network traffic. This vulnerability reportedly affects all WiFi devices that use Broadcom and Cypress WiFi chips; these are some of the most popular chipsets in the world and are used in the majority of devices, including smartphones, laptops and even smart speakers. Patches should be available for most vulnerable devices but may require a firmware update; this article includes instructions on how to check your devices for a patch.

By ZDNet.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #80 – 28th February 2020

By

Joshua Hare

on

27/2/20

Products and Services

Cisco Umbrella’s New Packages

With the ever-expanding features being added to Umbrella, Cisco have released a group of licensed packages to cover the new functionality it can now deliver. This post will outline the new packages available and their associated features.

Previous Packages

Before we move on to the new stuff, it’s important to note that all the existing packages are not going anywhere at this stage; they are still available to purchase under the same SKUs.

Just to recap, the below image highlights the main existing Umbrella DNS Security packages.

[Image: existing Umbrella DNS Security packages]

We previously covered all these in another post which can be accessed here.

Umbrella’s New Packages

Umbrella has significantly grown as a cloud service over the last 12 months and now boasts a strong set of integrated cloud security features.

In addition to the DNS security that has been the foundation of Umbrella, it now includes some impressive new functions such as full web proxy, Cloud Access Security Broker (CASB) / App security and cloud firewall.

Cisco have introduced three new Umbrella packages; the first two relate to DNS security, while the third focuses on Umbrella’s Secure Internet Gateway functions.

These three new packages have been named:

  1. DNS Security Essentials
  2. DNS Security Advantage
  3. Secure Internet Gateway (SIG) Essentials

Note: The two DNS Security packages are due to eventually replace the Professional, Insights and Platform licenses that are currently in place.

[Image: new Umbrella packages]

Cisco’s aim here is to offer more flexibility and control, allowing customers to select a package that is more aligned to their requirements.

Small businesses can opt for a DNS security package to prevent the flow of online threats, phishing and malware, or if they need to protect roaming users that are not on the company network.

While larger organisations may choose the more advanced features provided by SIG Essentials.

Cisco Umbrella now incorporates a wide array of security services into a single cloud platform, allowing company admins and MSPs to centrally manage the security for your office locations, branches and your users, regardless of their location.

Which Package is Right for our Business?

OK so we now have a view of the three new packages on offer, but which version of Umbrella is right for you?

The table below is a useful guideline for how the new features map to each licensed package.

[Image: feature-to-package mapping table]

To summarise:

DNS Security Essentials offers all the core DNS-layer security features, including App discovery, Content filtering based on Web category and off-network roaming protection. All the core management capabilities are included, and unlike previous packages this base package now also gives you access to Umbrella’s APIs, log exporting, and identity-based policies.

  • Protect users on the corporate network
  • Protect off-network roaming users
  • Block domains associated with malware, phishing and other threats
  • Perform web filtering
  • Discover shadow IT
  • Integrate with Active Directory
  • Integrate with other tools via APIs for enforcement, management and reporting
  • Investigate threats using integration with Cisco Threat Response
  • Export logs to AWS S3 buckets

DNS Security Advantage includes everything in Essentials but is where you can start to gain more in-depth visibility and inspection capabilities, with the selective Intelligent Proxy. This provides deeper inspection into risky domains and URLs, as well as deep file inspection using the integrated Anti-virus engine and Cisco Advanced Malware Protection. In addition, you now get access to the powerful Investigate console, giving instant insight and threat intelligence for risky domains, IP addresses and more.

  • Block IP addresses associated with malware, phishing and other threats that bypass DNS
  • Proxy risky or unknown domains and URLs
  • Perform file inspection using AV and AMP engines
  • Decrypt and inspect SSL (TLS / HTTPS) traffic for selected risky or unknown domains
  • Get deep instant insight for investigations using the Cisco Umbrella Investigate web console and API integration

SIG Essentials wraps up the new packages, including everything in the DNS Security options as well as a suite of cloud-delivered services. Unlike disparate security tools, Umbrella now unifies full web proxy or secure web gateway, cloud-delivered firewall, DNS-layer security, and CASB functionality into a single cloud security platform. Umbrella also integrates with Cisco SD-WAN to provide security and policies for direct internet access (DIA).

  • Full proxy for web traffic
  • Decrypt and inspect all SSL (TLS / HTTPS) traffic
  • Integrated access to Threat Grid, a cloud sandbox environment that can analyse suspicious samples
  • Cloud-delivered firewall to create Layer 3 and 4 policies to control traffic based on IPs, ports and protocols
  • Cloud Access Security Broker to discover and block shadow IT
  • Granular CASB policies to control selected cloud applications, uploads and attachments

[Image: SIG Essentials features]

Having all this functionality in a single platform is critical to a modern business; it helps to reduce the time, money, and resources previously required for deployment, configuration and associated integration tasks.

Licensing continues to be based on a per user per month / per annum basis.

Umbrella Support

Cisco have also changed the support model around Umbrella. Basic email support has been removed and Enhanced support is now required with each subscription. You can also upgrade to Premium support for a more proactive service.

Enhanced Support option

  • 24x7 access to Cisco Cloud Security Support and prioritized case handling
  • Software updates
  • Online learning resources
  • Technical onboarding and adoption

Premium Support option

Includes Enhanced level features plus:

  • Assigned expert who provides incident management and proactive consultation and recommendations to ensure successful security software deployment and ongoing management and optimization
  • Highest-priority case handling
  • Support case analytics

Conclusion

Cisco Umbrella is a very simple and yet very powerful cloud-based platform that can be remotely deployed (within hours, depending on the complexity of your network). Once it’s in operation, it provides immediate predictive security, both on and off your network, as well as content filtering and white / blacklist features to give better control over user activity, and much more.

The new packages offer a raft of excellent features that can deliver additional cloud security for your business, all managed and controlled from a single platform. By starting with DNS security, you can easily expand Umbrella with advanced Secure Internet Gateway services when you need them.

Ironshare provide a fully managed service, meaning that all you need to do is tell us what you want to know about, and when. We’ll then tailor the service to your needs and deliver management reporting and recommendations as often as requested.

Our service is applicable to companies of all shapes and sizes, meaning that even the smallest businesses can get a full enterprise service, and use our reports to easily identify online threats to the business, problem PCs, or employee activity concerns.

If you’d like to get more information, detailed pricing for any of these options, or even try out Umbrella for yourself, please click here to Contact Us.

By

Stuart Hare

on

22/2/20

Cyber Round-up

Cyber Round-up for 21st February

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Hackers Found Inside Citrix Systems for Five Months

Back in March 2019, the FBI announced to Citrix that cybercriminals had gained access to their internal network via password spraying. The company have since released a statement saying that they believe the hackers accessed and downloaded business documents, including personal and financial data. They recently announced that the hackers were present in their network for 5 months starting October 2018 but are sure that they are no longer present. The data stolen includes social security numbers, passport numbers, payment card numbers and health insurance identification.

By KrebsOnSecurity.com

ISS Services Down Following Malware Attack

One of the world’s leading providers of facility services, ISS World, was a target of a malware attack this week, which has halted all operations within the organisation. As a precaution, all systems were immediately disabled to isolate the incident. The company is working closely with forensic experts to determine the source of the attack and have confirmed that they have not found any sign of customer data being compromised. ISS have released a public statement warning they are still in the process of dealing with the incident and do not yet know when their IT systems will be fully operational.

By TwinFM.com

US Natural Gas Facility Hit by Ransomware

A US natural gas facility had to shut down their entire pipeline asset for two days following a severe ransomware attack. The unnamed facility said they were in no way prepared for this kind of attack and it has massively affected operations. It is believed that the attacker gained access to the company’s IT network via a spear-phishing attack; this targeted a single office but resulted in multiple other facilities having to shut down as well. This incident has brought the importance of cybersecurity to the forefront of the company’s mind, and they are now interested in implementing an offline backup process.

By BBC.co.uk

Threats

What Are the Most Popular Brands That Phishing Attacks Impersonate?

Researchers have developed a list of the most impersonated brands that are used in phishing attacks and I’m sure it will come as no surprise to anyone that PayPal tops the list. PayPal phishing has an average of 124 unique URLs every day. Another big name in this area is Microsoft, who ranks third in the list due to the overwhelming amount of file sharing phishing attempts. Others high up the list include Facebook, Netflix and many financial/banking services. We advise taking a look at these rankings; keep it in mind next time you receive an email you think looks suspicious.

By HelpNetSecurity.com

FC Barcelona Targeted by Credential-Stuffing Attack on Twitter

The official Twitter of FC Barcelona has been taken over by hackers who have been seen posting false tweets on the account. The group responsible for the takeover is called OurMine and have been in the media spotlight over the last few months for their recent activity involving a number of NFL teams. The intention of OurMine is to highlight the flaws in the club’s security measures in an attempt to improve them; it is believed that they gained access through credential stuffing, which uses usernames and passwords leaked in data breaches to attempt to log in. The suggested response to this incident would be enabling two-factor authentication, which most major social media platforms offer, including Twitter.

By ThreatPost.com

Vulnerabilities & Updates

Critical Vulnerability in WordPress’ GDPR Cookie Consent Plugin

A critical security vulnerability has been discovered that is affecting over 700,000 active WordPress sites. This exists in the GDPR cookie consent plugin and is a cross-site scripting flaw that could lead to potential privilege escalation. This vulnerability reportedly affects all sites using the plugin version 1.8.2 and below; we advise updating your plugins to the latest version in order to stay protected against an attack of this kind.

By BlackHatEthicalHacking.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #79 – 21st February 2020

By

Joshua Hare

on

20/2/20

Cyber Round-up

Cyber Round-up for 14th February

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

New Coronavirus Phishing Campaign Tricking Victims

Cybercriminals have taken advantage of the recent coronavirus outbreak and have begun deceiving victims disguised as the Center for Disease Control (CDC). The phishing attempt includes a link that redirects to a fake Outlook page where your details can be stolen. The email is intended to scare a user into giving up details by issuing a warning of an outbreak in your city; at first glance this can look real but there are many obvious giveaways if you know what you’re looking for. The link appears to go to the CDC website, but instead redirects to an Outlook phishing page. We strongly recommend avoiding clicking email links if not from a trusted source and always proceed with caution when opening attachments.

By GrahamCluley.com

Google’s Nest Makes Two-Factor Authentication Mandatory

Google have recently announced their plans to force Nest customers to use two-factor authentication; there is a lot of concern regarding the security of smart home products like the Nest, but this is definitely a step in the right direction from Google. If you are unsure what two-factor authentication is, it requires a user to use a secondary method of authenticating when logging in; for example, after entering your username and password you may be asked for a randomly generated code from your smartphone. This increases account security massively; if you are interested in setting this up, visit the Nest website to learn how to enable it.

By TheVerge.com

Threats

440 Million Estée Lauder Customer Records Exposed

The records of 440 million Estée Lauder customers have been exposed online due to a non-password protected cloud database. The leaked information includes plaintext email addresses and content management system logs. It was confirmed that no sensitive employee records or payment information were leaked, which was fortunate. The database was exposed as a result of misconfiguration, however the company resolved the issue very quickly as soon as they were aware of it; this is respectable, as many organisations lack the urgency needed in these situations.

By ThreatPost.com

Ancient Microsoft Flaws Still Causing Problems in 2020

IBM Security’s recent threat intelligence report included details of old Microsoft vulnerabilities that still seem to be actively causing trouble. Upon investigating global spam activity, IBM X-Force discovered that two previously patched vulnerabilities were accountable for almost 90% of those exploited by threat actors in these campaigns. One of these flaws dates back to 2016, even though a patch was released in April 2017; the other is a memory corruption flaw that reportedly surfaced almost 20 years ago. With old vulnerabilities like this still active, attackers have no reason to develop new attack methods; many high-profile systems such as hospitals still run older Windows versions that can be exploited easily, which makes the patching situation much more complex.

By Forbes.com

Vulnerabilities & Updates

DrayTek Router Web Management Page Vulnerability

A vulnerability has been discovered that exists in the WebUI of the Vigor 2960 / 3900 DrayTek routers; this was discovered on Jan 30th and was dealt with quickly. A patch was released on Feb 6th addressing the flaw, which we recommend applying as soon as possible. This issue only affects the Vigor 3900 / 2960 / 300B; if you use any of these, you should update as soon as possible to 1.5.1 firmware or later. DrayTek also has a number of other recommendations such as disabling remote access to mitigate the risk of an attack; these can be found on the security advisory, as well as the associated firmware downloads.

By DrayTek.co.uk

Microsoft Patch Tuesday February 2020

A total of 98 vulnerabilities have been addressed in this month’s bumper edition of Microsoft Patch Tuesday, 12 of which are critical. The critical flaws include 8 memory corruption vulnerabilities affecting the Microsoft scripting engine and Windows Media Foundation, as well as 4 remote code execution flaws which exist in Windows 10, RDP, and some versions of Windows Server. The patch also addresses 84 important vulnerabilities, for which details can be found online; we recommend applying these updates as soon as possible.

By TalosIntelligence.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #78 – 14th February 2020

By

Joshua Hare

on

13/2/20

Cyber Round-up

Cyber Round-up for 7th February

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Experts Meet in Berlin to Discuss Smart Grid & the Changing Threat Landscape

The ever-changing threat landscape is a massive challenge that cyber security experts have to deal with constantly, because if prevention methods don’t advance with it, attacks will become more frequent and more dangerous. To tackle the problem, the Smart Grid Forum’s Smart Grid Cybersecurity 2020 conference has been created; this is where Europe’s top CISOs and cyber experts meet to discuss ways of fighting new threats which are emerging every day, enhancing the protection of the energy sector’s smart grid platforms.

By Finance.Yahoo.com

Russia Testing New Weapons in Cyber Attack Testing Ground

The Russian cyber threat group known as Gamaredon is using Ukraine as a cyber attack testing ground for releasing new weapons. Researchers have reported that their attacks on Ukraine are simply preparation for their latest technology before replicating the attacks on countries targeted by the Russian government. Their recent cyber campaign features newly crafted malware designed to gather information; this is expected to be the ‘preparatory stage’ of a larger scale cyber-attack.

By Forbes.com

Threats

Twitter Exploit Allows Hackers to Find Users Linked Phone Numbers

Twitter have issued a warning to all users regarding a recently discovered exploit that could allow an attacker to find the phone numbers associated with millions of user accounts. This is reportedly due to a vulnerability in one of the APIs designed to help users find people they know, which is achieved through their phone contacts. This flaw was discovered when a security researcher unethically exploited it to discover the phone numbers of almost 17 million users; Twitter have since taken care of the issue and announced that no user action is required. If any users are still worried about this lack of privacy, the discoverability setting can be disabled in Twitter to prevent contacts finding you through your phone number.

By TheHackerNews.com

WhatsApp Vulnerability Allows Unauthorised Access to Files

A new vulnerability has been discovered that exists in the desktop version of WhatsApp. This flaw, which affects Macs and Windows, allows an attacker to send JavaScript in a WhatsApp message, which triggers the client to start reading the files they have stored locally. Reportedly, this was possible due to the software using an outdated version of the Google Chromium engine, which had many known vulnerabilities. This flaw was addressed in last month’s patch, which we recommend applying as soon as possible; it was confirmed that version 0.3.9309 and earlier are all affected.

By GrahamCluley.com

Vulnerabilities & Updates

Cisco Releases Patches for Critical Vulnerabilities

Cisco have released patches addressing five critical vulnerabilities that exist in the Cisco Discovery Protocol, the info-sharing layer present on all Cisco equipment. These flaws can reportedly allow an attacker to break network segmentation and remotely take over millions of devices; this collection of vulnerabilities has been named CDPwn. These remote code execution flaws were addressed in Cisco’s most recent updates, which we advise applying as soon as possible.

By ThreatPost.com

Microsoft Fixes Search Bar Issue in Windows 10

Many Windows 10 users have taken to social media reporting issues with the main search bar feature of the operating system. Users have all been sharing the same problem with the start menu showing as a blank box, rather than showing search results. This can be very inconvenient as it is quite time consuming to scroll through the list of applications, rather than search for one. Shortly after user reports were posted on social media, Microsoft issued a fix for the issue, which has now been released; apparently the bug was due to Bing integration in the Windows 10 start menu.

By BBC.co.uk

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #77 – 7th February 2020

By

Joshua Hare

on

6/2/20

Cyber Round-up

Cyber Round-up for 31st January

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

UK Gives Huawei Limited Role in 5G Networks

Despite warnings from the US, the UK has decided to allow Huawei to participate in building its 5G networks. The UK Prime Minister believes working together is important in diversifying the market, but still proceeded with caution; restrictions will be implemented that exclude Huawei from high profile areas, such as military bases and nuclear sites. The UK and US are in disagreement over this decision, as the US believe it to be too big a risk; despite this, the Foreign Secretary has confirmed that the changes will not affect the UK’s intelligence-sharing relationship with allies, including the US.

By BBC.co.uk

Microsoft Set to Build New Cyber Security Centre in Belfast

Microsoft have plans to build a new cyber security centre and have chosen Belfast as its location. Northern Ireland has taken a recent interest in cyber security, and the sector has been growing rapidly; because of this, Microsoft are providing £800,000 to fund the pre-employment training provided by Belfast Met college. This collaboration with the college will aim to develop the necessary skills to compete for a place within the company’s new cyber security centre. This will create eighty-five new jobs initially, but the government plan to establish Northern Ireland as a global hub for cyber security within the next 10 years, with over 5,000 employed professionals.

By BBC.co.uk

Threats

The UN Cover Up Major Cyber Attack on Their IT Systems

The UN are facing criticism following a major attack on their IT systems in Europe that started back in July 2019. Despite the severity of the attack, the UN decided to not disclose it to the public. It is said that staff records, details of health insurance and commercial contract details were all compromised, and it is believed that the entire breach could have been prevented with a simple software patch. The breach reportedly affected dozens of servers in multiple locations and included the personal information of its employees and staff. The public are unhappy with the secrecy of the UN regarding this attack and see it as a breach of trust; the scale of the organisation only amplifies the risk of such careless procedures.

By TheNewHumanitarian.org

Shlayer Malware Affecting 1 in 10 Macs

The Shlayer malware, which was discovered two years ago, is continuing to infect Apple Mac devices at an increasing rate. Shlayer disguises itself as an Adobe Flash Player update and although it was considered a minor threat back then, it now has almost 32,000 unique variants that make up a third of all malware detections of Mac AV products. The staggering statistics show that 10% of all macOS users have reported seeing this malware and it was the most common in all of 2019. Users of Adobe Flash are warned to only download updates from the official Adobe website to avoid the risk of an attack; we advise looking into all the mitigation techniques to best protect against this kind of malware.

By GrahamCluley.com

Vulnerabilities & Updates

Magento Addresses Critical Vulnerabilities in V2.3.4

Version 2.3.4 of the Magento e-commerce platform has been released, and it addresses a number of vulnerabilities, three of which were rated critical. The critical vulnerabilities include an SQL injection flaw capable of leaking personal information, as well as two remote code execution flaws. Other important vulnerabilities include cross-site scripting and path traversal and, as far as we know, these attacks are not being actively exploited in the wild. All versions of Magento Commerce, Open Source, Enterprise Edition and Community Edition are at risk; we highly recommend applying the recent patch as soon as possible.

By SecurityAffairs.co

Recent Apple Patch Addresses Dozens of Security Flaws

Apple has released their monthly patches, 23 affecting iOS, 31 in macOS and 2 in Safari. This long list of security issues includes address bar spoofing exploits, memory corruption issues, iOS camera exploits and remote code execution flaws. Apple refuses to disclose details of vulnerabilities until after they have been patched. These serious vulnerabilities affect all previous versions, and we advise updating as soon as possible to minimise the risk of an attack.

By SCMagazine.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #76 – 31st January 2020

By

Joshua Hare

on

30/1/20

Cyber Round-up

Cyber Round-up for 24th January

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Experts Call for Reformation of Computer Misuse Act

The Computer Misuse Act was introduced in 1990 as a way of criminalising unauthorised computer activity; however, 30 years later, cyber security experts want change. According to the Criminal Law Reform Now Network, the Computer Misuse Act is restricting experts’ ability to carry out research into threats, thus compromising the UK’s cyber security. The report from CLRNN includes a list of recommendations on how the CMA can be improved to both criminalise malicious activity and benefit threat intelligence research.

By Birmingham.ac.uk

UK Government to Introduce Children’s Privacy Protection Code

The Information Commissioner’s Office, which is responsible for the UK’s data privacy regulations, have published a new code of practice aimed at protecting the privacy of children online. The long overdue code is said to be ‘transformational’ and comes following the suicide of a 14-year-old girl who killed herself in response to graphic content she had seen online. The privacy settings introduced by the Age Appropriate Design Code are likely to be in operation by autumn 2021, once it is approved by parliament; to further enforce these privacy policies, large fines will be issued to online content providers, such as social media platforms, for breaches in its conduct.

By BBC.co.uk

Threats

Records of 250 Million Microsoft Customers Exposed Online

250 million Microsoft customer records from the last 14 years have been exposed in an online database with no password protection. The exposed records included the email addresses, IP addresses, locations and support cases of those affected; this database is a goldmine for fraudsters planning to carry out Microsoft support scams. The exposure was found on December 28, 2019 and was disclosed to Microsoft immediately; within 24 hours all servers had been secured. The severity of this leak comes as no surprise; Microsoft have been in the news a lot recently, and not for good reasons.

By Forbes.com

Citrix Develop New Tool That Checks for Compromise

Citrix have partnered with well-known security company FireEye to develop a tool that can be used to check for compromise. After the news hit regarding critical vulnerabilities being actively exploited, Citrix responded with this tool, which they highly recommend to all of their customers. The tool is said to provide a quick response assessment that highlights any indicators of compromise based on known attacks and exploits; it is also compatible with all versions of the Citrix Application Delivery Controller and Gateway. If you are concerned that you might be impacted, Citrix customers should try this tool to quickly assess their products; it is both free and easy to use.

By Forbes.com

Vulnerabilities & Updates

Citrix Accelerates Rollout for Critical Vulnerability Patches

Following a recent series of exploitation attempts and proof-of-concept exploits, Citrix has sped up their patch rollout process, and intends to have all versions of their Application Delivery Controller and Gateway products patched by January 24. Citrix originally stated they would not be patching the products; however, they were given no choice after proof-of-concept exploit code was published publicly. We suggest looking into this if you use these products to understand what versions are expecting updates and when they can be applied.

By ThreatPost.com

Microsoft Publish Warning for Internet Explorer Zero-Day

An unpatched zero-day vulnerability has been discovered in Internet Explorer, and it is being actively exploited in targeted attacks. The flaw could allow an attacker to execute arbitrary code and is typically being exploited via web-based attacks in which the victim is sent to a malicious webpage, often through an email link. This vulnerability is believed to be linked to a critical Firefox flaw from earlier this month, and Microsoft have confirmed that all supported versions of Windows are vulnerable. There is currently no security patch for this flaw; however, Microsoft have released a list of workarounds to help mitigate the threat. We highly recommend looking into these workarounds to best protect yourself from potential attacks.

By GrahamCluley.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #75 – 24th January 2020

By

Joshua Hare

on

23/1/20

Cyber Round-up

Cyber Round-up for 17th January

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

UK and US Still Divided Over Huawei 5G Decision

The UK and US are still in disagreement over the decision they face regarding Huawei. The Chinese company want to build a 5G telecoms infrastructure, but the US government have said they are not willing to take the risk following recent espionage rumours. The UK government have disclosed that they may be open to allowing Huawei to operate in certain parts of the 5G network that are deemed ‘non-sensitive’, however the US are not in agreement. The decision is one of the biggest this government may face, and the company are facing security assessments from the government to help them come to a conclusion.

By BBC.co.uk

Threats

Emotet Malware Back After Holiday Break

After a short three-week break over the holidays, Emotet is back to its malicious ways, targeting more than eighty countries with its spam campaigns. The campaign consists of crafted emails disguised as invoices, party invites and reports; the newest addition to their email templates is an invite to Greta Thunberg’s climate change demonstration. The Emotet trojan is more advanced than ever and can be a massive threat to your organisation, including a potential ransomware attack. With Emotet back active, it is vitally important that you and your employees understand the dangers of opening email attachments; educating users and spreading awareness is the best way to protect against this kind of threat.

By BleepingComputer.com

Citrix Vulnerability Targeted by Hackers

Citrix technology, which is used by thousands of companies worldwide, has been targeted by hackers over the last few days who are attempting to exploit a critical vulnerability. This vulnerability exists in the Citrix Application Delivery Controller and Gateway Servers, and potentially allows an unauthenticated attacker to execute arbitrary code on the affected machine. There are currently no patches addressing this flaw, but Citrix has released a number of steps that may help mitigate the risk of an exploit until a permanent fix is available. We highly recommend following these steps to best defend against an attack until a future update.

By GrahamCluley.com

Vulnerabilities & Updates

Microsoft Keep Security Patch Quiet Ahead of Patch Tuesday

A serious vulnerability has been discovered that affects all versions of Windows. This flaw exists in a core cryptographic component of Windows and presents many security risks, from authentication to spoofing a digital signature and appearing to be a legitimate company. Microsoft have reportedly released a patch for their high-value customers, including the U.S. Military; sources suspect that these organisations have signed agreements to not disclose the details of this vulnerability until Patch Tuesday hits. Despite this, Microsoft responded to the speculation saying that they refuse to discuss details of vulnerabilities before updates are available to the public, and do not release updates ahead of the regular schedule.

By KrebsOnSecurity.com

Microsoft Patch Tuesday – January 2020

Microsoft have released the first Patch Tuesday of 2020, and it’s a big one. This month’s update covers 8 critical vulnerabilities as well as 41 Important. It is important to note that this is the last patch that offers updates for Windows 7 and Windows Server 2008/2008 R2, as they are no longer supported. Among the critical vulnerabilities are 7 remote code execution flaws residing in the .NET and ASP.NET Core software, Windows RDP Client and Gateway Server. The other is a memory corruption flaw affecting Internet Explorer, which could allow an attacker to execute arbitrary code. We recommend looking through the details of this month’s patch and applying the updates as soon as possible.

By Blog.TalosIntelligence.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Why not follow us on social media using the links provided on the right.

Edition #74 – 17th January 2020

By

Joshua Hare

on

16/1/20

Cyber Round-up

Cyber Round-up for 10th January

Welcome to the first 2020 edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

300 Left Without Jobs After Company is Hit by Ransomware

A telemarketing company which was crippled by a ransomware attack in October 2019 has had to close its doors and shut down indefinitely, sending home over 300 employees. These employees were not notified until a few days before Christmas, leaving them jobless over the holidays. The company’s CEO spoke out about the incident and announced that they were not aware of the attack and were caught off guard; despite efforts to recover their data, the company was unable to recover and lost hundreds of thousands of dollars in the process. Many companies disregard the importance of cybersecurity and are not aware of how badly these kinds of attacks can affect an organisation; this is a prime example of how a cyber-attack can finish a business and why it is vitally important that all businesses prepare themselves to ensure this doesn’t happen again.

By ZDNet.com

Travelex Still Offline After Software Virus Compromises Systems

Foreign currency exchange service Travelex was forced to take its systems offline on New Year’s Eve following a compromise. According to Travelex, a software virus was discovered that had been affecting some of their systems. More than a week later, the service is still offline and other banks, such as Barclays, HSBC and First Direct, have reported that they are unable to offer online currency services as a result of the Travelex incident. Although reports have not confirmed it, this appears to be yet another ransomware attack.

By GrahamCluley.com

Windows 7 Support Ending on January 14, 2020

On January 14, Microsoft will be discontinuing support for Windows 7, meaning they will no longer release updates or provide technical assistance for it. This puts anyone using the operating system at risk from vulnerabilities that will no longer be patched. We highly recommend upgrading to Windows 10 before Windows 7 support ends to ensure that you are protected from the flaws of an outdated OS. More details can be found on the Microsoft support site.

By Microsoft.com

Threats

Password-Stealing Malware Updated to Better Evade Detection

Predator the Thief, a well-known information stealer, has recently been updated to feature new capabilities; the update includes phishing documents that are harder for users to detect. The malware was first seen in July 2018, and is known to steal usernames, passwords and cryptocurrency wallets; it can also take control of a victim’s webcam to take photos. The regular updates that the info stealer receives make it harder to track and monitor, and more effective at detecting debuggers and sandboxes. This malware is difficult to deal with; we recommend patching your systems regularly and alerting staff to the risks of phishing attacks.

By ZDNet.com

VPN Flaws Exploited by REvil Ransomware

Pulse Secure’s Zero Trust business VPN systems have been compromised and are being actively exploited to install REvil ransomware on company networks. This was discovered by researcher Kevin Beaumont, who disclosed the critical vulnerabilities to Pulse Secure. Despite patches being released in April 2019, firms were still not patching in August, when 14,528 servers were found to still be running the vulnerable software. By compromising vulnerable systems, attackers were able to install backdoors that kept them access even once patching occurred. Eight months on from the public being made aware of the serious weaknesses in the Pulse VPN system, 3,826 devices are still open to exploitation.

By NakedSecurity.Sophos.com

Vulnerabilities & Updates

Critical Vulnerabilities on Cisco NX-OS and Switches

Cisco have released patches for three critical vulnerabilities that exist in the Data Center Network Manager platform that is used to manage NX-OS, the operating system used by Cisco Nexus switches. All three are authentication bypass flaws that allow a remote attacker to execute arbitrary code with administrative rights. Cisco confirmed that there are no workarounds for these vulnerabilities but have released software updates addressing them.

By ThreatPost.com

Android 8 and 9 Affected by Critical Flaw (CVE-2020-0002)

The first Android Security Bulletin of 2020 addresses seven new vulnerabilities affecting the Android operating system, one of which is a critical flaw impacting versions 8, 8.1 and 9 of the OS. The flaw allows a remote attacker to execute arbitrary code on the victim’s device; no further details have been disclosed, but researchers suspect that a malicious app installed on the device could potentially abuse the vulnerability. We recommend installing the January security updates as soon as possible.

By Forbes.com

And that’s it for this week’s round-up, we hope you all had a fantastic Christmas / Holiday season. Please don’t forget to tune in for new instalments every week.

Happy New Year!

Why not follow us on social media using the links provided on the right.

Edition #73 – 10th January 2020

By

Joshua Hare

on

9/1/20

Cyber Round-up

Cyber Round-up for 20th December

Christmas Round-up

Welcome to the Christmas 2019 edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Ironshare’s Cyber Risk Assessments

Many small to medium businesses do not understand the importance of security and believe they are not at risk when it comes to cyber-attacks. Some of the main reasons they believe this are that they think they have nothing worth stealing and are too small to be of interest to attackers. At Ironshare we want to do our part to reduce the number of cyber-attacks on small to medium businesses, which starts with our Cyber Assessments; our post here highlights some of the key findings from the assessments we carried out throughout 2019.

By Ironshare.co.uk

Creating the Defence Digital Service (DDS)

The UK’s Ministry of Defence have recently announced the creation of a new strategic service called the Defence Digital Service (DDS). The DDS has been created for the rapid delivery of Defence based user-centred products and services. The DDS aim to bring tactical and strategic advantage by responding rapidly to user needs, both in the office and in the battlespace. This is a small team with big goals, so it will be good to watch their progress in this critical area.

By UK Ministry of Defence - defencedigital.blog.gov.uk

Staying Safe Against Seasonal Scams

This time of the year is a treat for cyber criminals, as shoppers are rushing to bag last minute bargains, and employees are already mentally clocking out for the holidays. Check out the SW RCCU’s cyber briefing for great advice on staying safe online during the holidays.

By South West Regional Cyber Crime Unit

Threats

New Orleans Declares State Of Emergency Following Cyber Attack

The City of New Orleans has suffered a cybersecurity attack serious enough for Mayor LaToya Cantrell to declare a state of emergency. During a press conference, Mayor Cantrell confirmed that this was a ransomware attack. Unfortunately, this is just another of the ransomware based cyber attacks that have plagued US government in recent months. Last month we saw Louisiana targeted and back in August we saw 23 Texas based agencies taken down due to the same threat.

By Forbes – Davey Winder

Talos - 2019: The year in Malware

This year saw a number of big-name malware families come onto the scene, including Sea Turtle, one of the most high-profile DNS hijacking attempts in recent memory. BlueKeep also stirred up controversy when the RDP vulnerability was first discovered, but researchers are still holding their breath, waiting for the first major exploits to happen. This latest blog from Talos gives a month by month view on the major malware and news that came out of Talos in 2019.

By Cisco Talos - talosintelligence.com

Thousands of students in Germany impacted by Cyber Attack

Approximately 38,000 German students have had to queue in person to regain access to their accounts after the Justus Liebig University was hit by a cyber-attack. The attack that occurred on the 8th December took the University offline and for legal reasons each student then had to collect their account password personally. Details of the attack are limited at this time, but staff are being given USB sticks to scan devices for virus infections.

By BBC.co.uk

Vulnerabilities & Updates

Google to choke off ‘less secure applications’

Google is changing the way that it grants third-party apps access to G Suite accounts as it tries to improve security. It is weeding out what it calls ‘less secure apps’ (LSAs) by denying them access to its services. In summary, Google want to move people away from using simple usernames and passwords for allowing apps access to G Suite, to using OAuth. This will allow more granular access to be defined for the requesting application, making it more secure and more convenient for the users.

By Naked Security

Routers Give Attackers an Open Door to Business Networks

A firmware vulnerability in TP-Link Archer C5 v4 routers, which are used in enterprise and home networks, has been found to allow unauthorized remote access to the device with administrative privileges. If you use one of these vulnerable devices, it can become an entry point for an attacker to gain access to the network, before moving laterally to compromise other devices. Firmware updates have been made available by TP-Link, so we recommend getting these devices patched ASAP.

By Threatpost.com

And that’s it for this week’s round-up, we hope you all have a fantastic Christmas / Holiday season and get all the family downtime you deserve. Please don’t forget to tune in for our next instalment coming your way in the New Year.

Merry Christmas and a Happy New Year!

Why not follow us on social media using the links provided on the right.

Edition #72 – 20th December 2019

By

Stuart Hare

on

19/12/19

Products and Services

The many features of Cisco AMP

Cisco AMP, or Advanced Malware Protection, is Cisco’s answer to the next generation of visibility, control, and protection against advanced threats for today’s internet connected world. AMP gives you real-time blocking of malware and advanced sandboxing, backed up by world class global threat intelligence, to provide rapid detection, containment and removal of advanced malware. This post will highlight the features that make AMP’s continuous analysis, monitoring and retrospective security capabilities possible.

Comprehensive global threat intelligence

Cisco Talos Security Intelligence and Research Group, in conjunction with Threat Grid threat intelligence feeds, provides one of the largest collections of real-time threat intelligence with extensive visibility, the largest footprint, and the ability to put this collection of intelligence to work across multiple security platforms. The image below displays a summary of the Talos group’s make up and threat intelligence functions.

File reputation

Cisco AMP combines the use of advanced file behaviour patterns, along with collective intelligence, to determine whether a file is good (safe) or bad (malicious). This allows AMP to perform more accurate detections during file analysis and inspection. File reputation is based upon a variety of factors determined over a period of time; it supports most file types, and identifies each file by its content, so it is not dependent on the file extension to determine type.

Indications of Compromise (IOCs)

IOCs (also known as Indications or Indicators of Compromise) are pieces of information that can help identify specifics around abnormal or malicious behaviour on a network or system. With AMP, file activity and recorded events are linked together and prioritized as potential active breaches. AMP automatically captures and links this security event data from multiple sources (such as intrusion and malware events) to help security teams connect the individual events to larger, coordinated attacks and prioritize them as high-risk.

Antivirus Engine

The built-in AV engines perform offline system-based detections, which include scanning for the presence of rootkits, to complement Cisco’s advanced endpoint protection capabilities such as local IOC scanning, and device and network flow monitoring. If a customer wishes to consolidate both their antivirus and their advanced endpoint protection to run under a single agent, then the AV engine can be enabled in policy to achieve this. Two engines exist in the AMP for Endpoints product; the ClamAV engine is available for running on Linux and Mac based devices, while the Tetra engine is available for Windows devices.

Static and dynamic malware analysis

A safe and highly secure sandboxing environment helps you execute, analyse, and test both malware and files with unknown reputation or behaviour, in order to discover previously unknown zero-day threats. Cisco has integrated Threat Grid’s advanced sandboxing, using its static and dynamic malware analysis technology, into their AMP solutions. This integration results in a more comprehensive analysis by performing checks against a large set of more than 1000 highly accurate behavioural indicators. Threat Grid’s analysis produces very few false positive results (a result which indicates something is bad when it is not), increasing your confidence, so you can make fast and accurate decisions.

Retrospective Security

Instead of just analysing network traffic or a file when it first arrives, Cisco AMP uses continuous analysis and retrospective security, even after the initial inspection occurs. We have come to realise over the years that traditional signature-based scanning and blocking methods are not 100% effective, especially against modern day threats. Through continuous analysis techniques, AMP monitors and records file activity and network communications, to detect if behaviour changes, and help identify stealthy or malicious threats. Alerts are sent at the first sign of suspicious activity, i.e. when a file disposition changes after extended analysis (a good file turns bad), giving the security team awareness of and visibility into the malware that evades initial defences. As AMP records all activity, it knows where these files or network communications have been seen across your organisation; using retrospective security it can then quickly respond and remove, or quarantine, the malware for all users and endpoints, eliminating the threat.

Prevalence

The Prevalence feature displays all files that have been run in your organization, ordered by a prevalence rating from lowest to highest. This helps you become aware of previously undetected threats that have been seen by a small number of users. Generally, files that are run by a large number of users (high prevalence) tend to be valid applications, whereas files that are run by only a few users (low prevalence) may be malicious (such as a targeted advanced threat) or questionable applications you may not want on your extended network. Prevalence is another powerful feature of AMP for the detection of advanced threats, with all low prevalence files being automatically sent to Threat Grid for analysis.

File trajectory

This feature is used to continuously track a file’s presence throughout your network environment over time, to achieve visibility and reduce the time required to scope a malware breach. File trajectory maps the file to the endpoints it has been seen on, and how the file has been transferred across the network. It contains the file’s disposition (good, bad or unknown), determines the first endpoint that saw the threat, and whether you have other hosts containing the file that are also at risk. This is a key component of AMP’s retrospective security. The image below shows the file trajectory from AMP for Networks.
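The three features above (retrospective security, prevalence and file trajectory) all rest on the same recorded file telemetry. The following is an added example, not Cisco AMP code, that models them over a constructed set of execution events: it ranks file hashes by how many hosts ran them, reconstructs the first-seen host and spread of a given hash, and shows how a disposition that later flips to "bad" is turned into a quarantine list for every host that ever saw the file. Hostnames, hashes and paths are all constructed for the example.

```python
"""Prevalence, file trajectory and retrospective response over endpoint
file telemetry. Added example, not Cisco AMP code; it models the ideas the
post describes with constructed events."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int          # seconds since epoch (constructed values below)
    host: str        # endpoint that executed the file
    sha256: str      # file identity is content, not name or extension
    path: str


# Constructed telemetry: three hosts ran the office suite, one host ran an
# unknown binary that was later copied to a second host.
EVENTS = [
    FileEvent(100, "ws-01", "aaaa", r"C:\Program Files\office\word.exe"),
    FileEvent(110, "ws-02", "aaaa", r"C:\Program Files\office\word.exe"),
    FileEvent(120, "ws-03", "aaaa", r"C:\Program Files\office\word.exe"),
    FileEvent(130, "ws-02", "bbbb", r"C:\Users\bob\Downloads\invoice.pdf.exe"),
    FileEvent(140, "ws-02", "bbbb", r"C:\Users\bob\Downloads\invoice.pdf.exe"),
    FileEvent(150, "ws-03", "bbbb", r"C:\Users\Public\invoice.pdf.exe"),
]


def prevalence(events):
    """Return [(sha256, number of distinct hosts)] sorted lowest-first.
    Prevalence counts hosts, not executions, so a file run many times on
    one workstation is still low prevalence."""
    hosts_by_hash = defaultdict(set)
    for e in events:
        hosts_by_hash[e.sha256].add(e.host)
    return sorted(((h, len(s)) for h, s in hosts_by_hash.items()),
                  key=lambda kv: (kv[1], kv[0]))


def low_prevalence(events, threshold=2):
    """Hashes seen on `threshold` hosts or fewer: the candidates the post
    says are sent to the sandbox automatically."""
    return [h for h, n in prevalence(events) if n <= threshold]


def trajectory(events, sha256):
    """First-seen host and the ordered list of hosts that saw the file."""
    seen = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.sha256 == sha256 and e.host not in seen:
            seen.append(e.host)
    return {"first_seen": seen[0] if seen else None, "hosts": seen}


def retrospective_response(events, dispositions):
    """dispositions maps sha256 -> 'good' | 'unknown' | 'bad'. When a hash
    that was 'unknown' at first sight is later marked 'bad', the recorded
    trajectory names every host to quarantine, not only the one that
    raised the alert."""
    actions = {}
    for sha, disp in dispositions.items():
        if disp == "bad":
            actions[sha] = trajectory(events, sha)["hosts"]
    return actions


if __name__ == "__main__":
    print(prevalence(EVENTS))
    print(trajectory(EVENTS, "bbbb"))
    print(retrospective_response(EVENTS, {"aaaa": "good", "bbbb": "bad"}))
```

The point of keeping the raw events rather than just the latest verdict is the last function: a verdict that arrives a day after first execution is only actionable if you still know where the file went in the meantime.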

Device trajectory v2

Device trajectory continuously tracks the file activity and communications at an endpoint device level to quickly understand both the root cause and the history of events leading up to and after a compromise. This trajectory is the view of the threat that is seen from a single endpoint’s perspective. This feature allows us to see when the file was first executed on the endpoint, what process was involved in the creation of the file, and what happened as a result of the file executing. The image below shows the device trajectory from AMP for Endpoints.

DTv2

The improved version of Device Trajectory is cleaner, more usable and threats are easier to dig into. The event, file and threat information is now fixed to the right hand side of the device trajectory for easier navigation and switching between file, event and process information. A time navigation bar has been added to the filters section so you can quickly identify when threat events have occurred. Clicking on the red dot focuses device trajectory on the threat event.

Endpoint IOCs

Security administrators who use AMP have the ability to submit their own IOCs in order to catch new targeted attacks. These endpoint IOCs let security teams perform deeper levels of analysis and investigation on advanced threats that are specific to users or applications in their environment. The Endpoint IOC feature is a powerful tool used in post-compromise incident response. It can be set up using custom made signatures to trigger on file attributes such as name, type, size and hash, to name a few.

Elastic search

Elastic search is simply a search tool that lets you search for all sorts of criteria without specifying the type of item you are searching for. AMP’s elastic search allows for queries on file properties, telemetry, security intelligence data, IP addresses and domains etc. to help you quickly understand the information related to an IOC or malicious application.

Vulnerabilities

With AMP for Endpoints you can also scan for vulnerable software on your system. Once a scan is completed it shows a list of vulnerable software, the hosts containing that software, and the hosts most likely to be compromised. Powered by Cisco’s threat intelligence and security analytics, AMP also identifies vulnerable software being targeted by malware, as well as the potential exploit; this information is then displayed to give you a prioritized list of hosts that need software to be patched. This feature does not scan all software for vulnerabilities but focuses on the common software found in most environments, e.g. Internet browsers (IE & Chrome etc.), Adobe Acrobat, Oracle Java Platform, Microsoft Office etc.

Outbreak control

You can achieve control over suspicious files or outbreaks and remediate an infection without waiting for a content update, with AMP’s outbreak control feature. Outbreak control provides:

  • Simple custom detections can be created to quickly block a specific file across all or selected devices.
  • Advanced custom signatures can be created to block polymorphic malware (malware that changes itself constantly to evade detection).
  • Application block lists can be used to enforce an organisation’s application policy. There may be an application, for instance, that you do not want your users to run, but you don’t want to quarantine it either. Or alternatively you may need to contain a compromised application being used as a malware gateway and stop the cycle of reinfection.
  • Custom application whitelists can also help to ensure that safe, custom, or mission-critical applications continue to run no matter what.
  • Network or IP Blacklists and Whitelists use Device flow correlation to stop malware call-back communications at the source; this is especially useful for remote endpoints outside the corporate network.
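The Endpoint IOC section above and the first, third and fourth outbreak control bullets describe the same basic mechanism: a file's metadata is checked against administrator-defined conditions. The following added example (not Cisco AMP code, and not its signature format) shows one way to express such indicators and lists: an indicator is a set of attribute conditions on name, content-identified type, size and hash that must all hold, while the simple custom detection, application block list and whitelist reduce to a hash set, a name set and an allow set with a fixed precedence. The sample file, indicator IDs and list contents are constructed.

```python
"""Endpoint IOC matching and custom detection lists over file metadata.
Added example, not Cisco AMP code. Indicator IDs and the sample file are
constructed for illustration."""
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FileMeta:
    name: str
    ftype: str     # type as identified from content, e.g. "pe", "pdf", "elf"
    size: int
    sha256: str


@dataclass
class Indicator:
    ioc_id: str
    name_glob: Optional[str] = None
    ftype: Optional[str] = None
    min_size: Optional[int] = None
    max_size: Optional[int] = None
    sha256: Optional[str] = None

    def matches(self, f: FileMeta) -> bool:
        """Every attribute set on the indicator must match; unset ones are wildcards."""
        if self.name_glob and not fnmatch.fnmatch(f.name.lower(), self.name_glob.lower()):
            return False
        if self.ftype and f.ftype != self.ftype:
            return False
        if self.min_size is not None and f.size < self.min_size:
            return False
        if self.max_size is not None and f.size > self.max_size:
            return False
        if self.sha256 and f.sha256 != self.sha256.lower():
            return False
        return True


@dataclass
class OutbreakControl:
    """Simple custom detections (block by hash), an application block list
    (by name) and a whitelist (by hash) with explicit precedence."""
    blocked_hashes: set = field(default_factory=set)
    blocked_apps: set = field(default_factory=set)
    allowed_hashes: set = field(default_factory=set)

    def verdict(self, f: FileMeta) -> str:
        if f.sha256 in self.allowed_hashes:
            return "allow"            # mission-critical software keeps running
        if f.sha256 in self.blocked_hashes:
            return "quarantine"       # specific known-bad file
        if f.name.lower() in self.blocked_apps:
            return "block"            # policy: stop execution without quarantining
        return "allow"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a small double-extension executable posing as a PDF.
SAMPLE_BYTES = b"MZ" + b"\x00" * 2046          # fake PE header, constructed
SAMPLE = FileMeta("invoice.pdf.exe", "pe", len(SAMPLE_BYTES), sha256_of(SAMPLE_BYTES))

INDICATORS = [
    Indicator("ioc-double-ext", name_glob="*.pdf.exe", ftype="pe"),
    Indicator("ioc-tiny-pe", ftype="pe", max_size=4096),
    Indicator("ioc-known-hash", sha256=SAMPLE.sha256),
    Indicator("ioc-big-pdf", ftype="pdf", min_size=10_000_000),
]


def scan(f: FileMeta, indicators=INDICATORS):
    """IDs of every indicator the file triggers (empty list means no match)."""
    return [i.ioc_id for i in indicators if i.matches(f)]


if __name__ == "__main__":
    print(scan(SAMPLE))
    oc = OutbreakControl(blocked_hashes={SAMPLE.sha256}, blocked_apps={"tor.exe"})
    print(oc.verdict(SAMPLE))
```

Matching on the content-identified type rather than the extension is what lets the double-extension indicator fire: the name says PDF, the bytes say PE, and the indicator requires both facts at once.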

Exploit Prevention and System Process Protection

The exploit prevention engine protects your Windows endpoints from memory injection attacks, used against unpatched software vulnerabilities in applications such as web browsers, MS Office, Adobe Acrobat and remote management software. Memory attacks aim to compromise endpoints and are typically used in malware and zero-day attacks. Exploits against protected system processes, such as LSASS (Local Security Authority Subsystem) and CSRSS (Client/Server Runtime Subsystem), can also be prevented by AMP. Both of these engines will block attacks against these processes and will trigger events in the cloud console.

Endpoint Isolation

In the event that you believe an endpoint has been compromised, Endpoint Isolation is there to help. Connector version 7.0.5 introduced the Endpoint Isolation feature for Windows, which allows you to block inbound and outbound traffic without losing access to the endpoint. DNS and DHCP traffic are still permitted, as is connectivity to the AMP cloud. A one-click isolation session can be established in the Computer Management section and allows you to prevent threats, lateral movement and data exfiltration.

EP Isolation

Malicious Activity Protection

A great feature that was added in connector version 6.1.5 is the malicious activity protection (MAP) engine. MAP provides endpoints with much needed defensive measures against ransomware, detecting processes that exhibit malicious encryption behaviour and stopping them in their tracks. If a system is infected with a previously unknown variant of ransomware which has managed to evade detection by other security measures, AMP can block the process and prevent the encryption of your data. It is key to understand that AMP needs to detect the encryption of files before it can react to the attack and classify it as ransomware; this means that the encryption of the first few files will complete before the process can be blocked. AMP will identify any files that have been encrypted so that you can restore them from backup later.
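To make the limitation in the last two sentences concrete, here is an added example of behavioural ransomware detection. It is not the MAP engine and does not claim to reproduce its logic; it is a generic heuristic a defender might write: watch each process's writes to user documents, treat a rewrite whose new contents have near-maximal byte entropy as a possible encryption, and block the process once enough such writes land inside a short window. The files rewritten before the threshold was reached are exactly the ones that need restoring from backup. The process IDs, paths and byte contents are constructed.

```python
"""Behavioural ransomware detection over per-process file-write events.
Added example, not the AMP MAP engine. Thresholds and sample events are
constructed for illustration."""
import math
from collections import defaultdict, deque

DOC_EXTS = (".docx", ".xlsx", ".pdf", ".jpg", ".txt")
ENTROPY_THRESHOLD = 7.0      # bits per byte; ordinary documents score well below this
EVENTS_IN_WINDOW = 3         # high-entropy rewrites needed ...
WINDOW_SECONDS = 5           # ... within this many seconds to block the process


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_user_document(path: str) -> bool:
    return path.lower().endswith(DOC_EXTS)


class EncryptionMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)          # pid -> timestamps of suspicious writes
        self.blocked = set()
        self.rewritten = defaultdict(list)        # pid -> documents it overwrote with ciphertext-like data

    def observe(self, ts: int, pid: int, path: str, new_bytes: bytes) -> str:
        """Return 'allow', 'suspicious' or 'blocked' for one write event."""
        if pid in self.blocked:
            return "blocked"                      # write denied, no further damage
        if not is_user_document(path) or shannon_entropy(new_bytes) < ENTROPY_THRESHOLD:
            return "allow"
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        # Detection happens after the write, so this file is already encrypted.
        self.rewritten[pid].append(path)
        if len(q) >= EVENTS_IN_WINDOW:
            self.blocked.add(pid)
            return "blocked"
        return "suspicious"

    def files_to_restore(self):
        """Documents overwritten by processes that were eventually blocked."""
        return {pid: list(self.rewritten[pid]) for pid in self.blocked}


def simulate(events):
    mon = EncryptionMonitor()
    verdicts = [mon.observe(*e) for e in events]
    return verdicts, mon.files_to_restore()


# Constructed data: a uniform byte pattern (entropy exactly 8.0) stands in for
# ciphertext; repeated prose stands in for a document a real editor saves.
CIPHER = bytes(range(256)) * 16
PLAIN = b"Quarterly report: revenue up 4 percent this year.\n" * 40
EVENTS = [
    (1, 4242, r"C:\Users\ann\Documents\q1.docx", CIPHER),     # encrypted before detection
    (2, 4242, r"C:\Users\ann\Documents\q2.docx", CIPHER),     # encrypted before detection
    (3, 4242, r"C:\Users\ann\Documents\q3.docx", CIPHER),     # third in window: process blocked
    (4, 4242, r"C:\Users\ann\Documents\q4.docx", CIPHER),     # denied
    (5, 1000, r"C:\Users\ann\Documents\notes.txt", PLAIN),    # normal editor save
    (6, 1000, r"C:\Users\ann\Pictures\holiday.jpg", CIPHER),  # one compressed image: suspicious only
]

if __name__ == "__main__":
    verdicts, restore = simulate(EVENTS)
    print(verdicts)
    print(restore)
```

Two design points carry over to any real engine of this kind. First, the window and count trade detection speed against false positives: lower them and a backup tool or a photo import that legitimately writes many high-entropy files gets blocked. Second, the restore list is only as good as the offline backup behind it, which is why the backup advice elsewhere on this page matters for ransomware specifically.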

Threat Hunting and Response

Threat hunting is the process of proactively (or even reactively) seeking out and identifying threats on your network and endpoints. AMP for Endpoints has the capability to integrate with Cisco Threat Response, a great free tool that is available to customers of their security products, such as AMP for Endpoints, Umbrella, Email Security and Next Gen Firewalls. Threat Response can be used for both Threat Hunting and Incident Response scenarios, allowing security teams to save time and be far more efficient in their investigations. By clicking the blue Casebook icon in the bottom right corner of the AMP for Endpoints or Threat Response consoles, you can open or create casebooks for a specific incident or threat hunting session.

CTR Casebook

By adding observables (IPs, File hashes, domains etc.) to the casebook you can investigate their presence across your network, endpoints and supporting security products, to get clear visibility of their classification, where they originated, where they were sighted and their associated actions.

CTR

With Cisco AMP for Endpoints and Threat Response you can easily add Threat Hunting to your arsenal of security tools.

Conclusion

The information above gives you a breakdown of the many features that work together to make Cisco AMP a great malware protection technology. These features combined provide AMP customers with the comprehensive levels of visibility, protection and control that are necessary to quickly detect and respond to advanced modern-day threats. New benefits and features are also on the horizon as all of Cisco’s security products continue to evolve on a regular basis. Integration with other products improves with each version, and the addition of a great tool like Cisco Threat Response can give that extra edge your security team needs. This post has been updated to include a number of new features released throughout 2019.

Where do Ironshare fit in?

Ironshare are a security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business. Ironshare can help you to get up and running with Cisco AMP for Endpoints within days. We not only provide step-by-step guidance on deployment within your organisation, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job. Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.

Ironshare – Security, Simplified

If you have any questions or would like to get in touch to find out how Cisco AMP can be used to improve your organisation’s security, then please Contact Us here.

Originally published - March 2019

Updated - December 2019

By

Stuart Hare

on

18/12/19

Security Guidance

Assessing the Cyber Risk to Small Business 2019

Having a cyber security plan or strategy is something that has long been associated with larger enterprise organisations, but with the continued rapid increase of online threats and weekly reports of data breaches, this is no longer the case.

In the last few years Small and Medium businesses have become common targets for hackers and cyber criminals. While large enterprises spend big money on securing the organisation, SMBs are the opposite, often having no thoughts, plan, or budget for security, making them easy targets for attackers.

The main reason why smaller companies don’t prepare and secure their business is that they don’t think it will ever happen to them. They feel that:

  • They are too small to be of interest to attackers.
  • They have nothing of value worth stealing.
  • If they do get attacked, they don’t believe it will impact their business or its reputation.

The reality is small businesses simply do not understand the risk and impact of a cyber-attack. According to a report by Hiscox, 47% of Small businesses (1-49 employees) and 63% of Medium businesses (50-250 employees) across the UK, Europe and the US have been impacted by a cyber-attack in 2019, and this is only getting worse each year.

In an effort to stem this continued downward slide, Ironshare work with UK based SMBs to assess and improve their cyber maturity, with an ultimate goal of reducing the risk of cyber-attack for each organisation.

Key Assessment Findings

During 2019 Ironshare have performed numerous Cyber Assessments for Small and Medium businesses, with some unsurprising results. Below we share with you some of the key findings from our assessments.

IT System & Application Updates

Keeping systems up to date with the latest versions is one of the leading core fundamentals in Cyber Security. This significantly reduces both the number of vulnerabilities in your systems and the likelihood of a successful attack.

Unfortunately, 53% of those assessed did not have a regular patching process to update their IT systems or software applications.

Those that did have a patching process mostly focused on Windows patching and neglected software applications and network devices. Remember that your patching process must include all IT systems and software, not just Windows.

Patching Stats

User Education

Another cyber fundamental is User Awareness training. By educating your users, who are typically the weakest link in your organisation’s security, you can prepare them to spot signs of malicious activity.

Our assessments show that 51% failed to provide their users with fundamental security awareness training.

Even the most basic of user education is better than none. Try to provide awareness of the most common threats, such as phishing attacks, social engineering and online fraud, to better prepare your users.

If your budget can stretch to it, we also recommend implementing phishing simulation campaigns to enhance education and provide insight into the users that may present the biggest risk to your company. Evidence shows that company directors and VIPs often present the biggest risk.

Default Passwords

Default passwords are configured by the vendors of new hardware and software. They are readily available on the internet, giving attackers an easy way to gain access to devices on your network.

We found that 42% of customers had default passwords present on one or more network-connected devices.

As with patching above, you need to ensure that all default credentials are replaced during the deployment of new hardware and software, including network, printer and IoT devices, not just Windows systems.

System & Data Backups

Backups are essential in a world that relies on information and data to succeed. Backups ensure that in the event of a disaster or cyber-attack you can quickly recover your data with reduced impact to the business.

Unsurprisingly, 65% did not have an offline backup solution in place. This is a common gap in the security of organisations and is as common in large enterprises as it is in small businesses.

We recommend implementing an offline backup solution to ensure that your organisation’s data is safe. Malware infections such as ransomware can delete or encrypt your files, which makes offline backups vital to retaining your data in these situations.

Don’t fall into the trap of thinking that because your data is in the cloud it is backed up; this is often not the case, and a separate solution is normally required. Also be sure that your backup is truly offline and away from the systems you want to protect. Backups stored on network shares or storage, or on always-connected USB drives, are not offline backups, because ransomware that reaches the protected systems can reach them too.

Web and Email Security

Web and email are the two biggest methods for delivering threats on the internet today. Over 95% of successful attacks start with an email, which can deliver malware as an attachment or direct users to a malicious web site that then delivers malware or steals your data.

83% of customers had no or only limited protection from web or email threats.

We all know that anti-virus and firewalls are fundamental security components of any network, but they fall well short when it comes to blocking modern-day threats. This is why you need multiple layers of security.

You should always consider implementing a secure web or email gateway, to control which places your users can access on the internet and ensure that bad email is filtered before it reaches your users. This will help defend against common malware and phishing attacks.

Web and Mail Security (graphic)

Vulnerability Management

What you don’t know about, you cannot protect. This is relevant to both vulnerability management and IT asset management. Understanding your assets and knowing the vulnerabilities that may exist in them is critical to establishing and maintaining a strong cyber security posture.

With 86% having no capability in place to identify and manage vulnerabilities across their IT assets, the risk to small business is huge.

We recommend carrying out annual vulnerability assessments as a minimum. This is another area that can help to prioritise items when creating a new cyber action plan.
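The two findings above, a patching process that only covers Windows and no view of what assets exist, can be checked with a small reconciliation script. The following is an added example and not Ironshare's assessment tooling; the inventory, the list of devices seen on the network and the vendor current-version table are all constructed, using hypothetical product names and version numbers. It compares versions numerically (a common pitfall is that "10.2" sorts before "9.11" as a string), lists rows that have not been patched recently, shows which asset classes have seen no patching at all, and reports devices on the network that are missing from the inventory.

```python
"""Asset inventory reconciliation and patch-currency check.

Added example, not Ironshare's assessment tooling. Every input is constructed:
the inventory, the list of devices seen on the network and the vendor
current-version table use hypothetical products and version numbers. It ties
two findings together: a patch process must cover every asset class, not just
Windows, and you cannot patch what is not in your inventory.
"""
from datetime import date

# Date of the assessment the report is written against (constructed).
ASSESSMENT_DATE = date(2019, 12, 15)

# Constructed inventory: what the business believes it manages.
# Rows are (asset, category, product, installed_version, last_patched).
INVENTORY = [
    ("WS-01",  "windows", "ExampleOS",      "10.0.19041", date(2019, 11, 28)),
    ("WS-02",  "windows", "ExampleOS",      "10.0.18362", date(2019, 6, 3)),
    ("WS-01",  "app",     "ExamplePDF",     "9.11",       date(2019, 6, 3)),
    ("FW-01",  "network", "ExampleFW OS",   "6.4.1",      date(2018, 9, 14)),
    ("PRN-01", "printer", "ExamplePrinter", "3.2.0",      date(2017, 1, 9)),
]

# Constructed vendor "current release" table that a patch process would maintain.
CURRENT_VERSIONS = {
    "ExampleOS": "10.0.19041",
    "ExamplePDF": "10.2",     # "10.2" < "9.11" as strings, but newer as a version
    "ExampleFW OS": "6.4.3",
    "ExamplePrinter": "3.5.1",
}

# Constructed list of hostnames seen on the LAN (e.g. from DHCP leases or ARP).
DISCOVERED = ["WS-01", "WS-02", "FW-01", "PRN-01", "NAS-01", "CAM-01"]


def version_tuple(version):
    """Numeric comparison key; assumes dotted, purely numeric version strings."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, current):
    """True when the installed version is behind the vendor's current one."""
    return version_tuple(installed) < version_tuple(current)


def outdated_software(inventory, current_versions):
    """(asset, product, installed, current) for every row behind the vendor."""
    return [
        (asset, product, installed, current_versions[product])
        for asset, _, product, installed, _ in inventory
        if product in current_versions and is_outdated(installed, current_versions[product])
    ]


def stale_patches(inventory, today, max_age_days=30):
    """(asset, product) rows not patched within max_age_days of `today`."""
    return sorted(
        (asset, product)
        for asset, _, product, _, patched in inventory
        if (today - patched).days > max_age_days
    )


def categories_without_recent_patch(inventory, today, max_age_days=30):
    """Asset classes in which nothing has been patched recently. A 'Windows only'
    patching process shows up here as the app/network/printer classes."""
    recent = {cat for _, cat, _, _, patched in inventory if (today - patched).days <= max_age_days}
    return sorted({cat for _, cat, _, _, _ in inventory} - recent)


def unmanaged_assets(inventory, discovered):
    """Devices on the network that nobody has recorded: unknown, so unpatched."""
    known = {asset for asset, *_ in inventory}
    return sorted(set(discovered) - known)


if __name__ == "__main__":
    for row in outdated_software(INVENTORY, CURRENT_VERSIONS):
        print("behind vendor release:", row)
    print("not patched in 30 days:", stale_patches(INVENTORY, ASSESSMENT_DATE))
    print("asset classes with no recent patching:", categories_without_recent_patch(INVENTORY, ASSESSMENT_DATE))
    print("on the network but not in inventory:", unmanaged_assets(INVENTORY, DISCOVERED))
```

In practice the inventory would come from a management agent or a configuration database and the discovered list from DHCP, ARP or a scan of the internal range; the reconciliation logic stays the same, and the unmanaged list is usually the most revealing output.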

Internet Exposed Services

Knowing and controlling what services you make available to the public via the internet is critical to securing an organisation. Having excessive or vulnerable services exposed increases an attacker’s opportunity to launch a successful attack.

64% of customers allowed vulnerable services and protocols to be accessible from the internet.

Most of these organisations had management protocols such as Remote Desktop Protocol (RDP) accessible from the internet; this is a common method used by malicious actors to gain access to an environment and launch ransomware attacks. Ensure that only necessary services are available from the internet, and that management services are only accessible from the internal network.
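The quickest way to find out what you expose is to scan your public address range from outside and check the open ports against a list of management protocols. The script below is an added example, not part of the original post: it parses nmap's grepable (-oG) output and flags hosts that expose RDP, SSH, SMB, VNC, WinRM, Telnet, FTP or SNMP. The scan output is a constructed sample for RFC 5737 documentation addresses, and the set of ports treated as "management" is an assumption for the example; nothing here touches the network.

```python
"""Flag management protocols exposed to the internet in nmap grepable output.

Added example, not Ironshare's tooling. The input is a constructed nmap -oG
sample for RFC 5737 documentation addresses; the script does no scanning itself.
"""
import re

# Standard port numbers for services that should not face the internet.
# Which services count as "management" is an assumption for this example.
MANAGEMENT_PORTS = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    161: "SNMP",
    445: "SMB",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Constructed sample of nmap's grepable format: one "Host:" line per address,
# with each "Ports:" entry as port/state/protocol/owner/service/rpc/version
# and the top-level fields separated by tabs.
SAMPLE_NMAP_OG = """\
# Nmap 7.80 scan initiated as: nmap -oG - -p- 203.0.113.0/29
Host: 203.0.113.2 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 203.0.113.3 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65532)
Host: 203.0.113.4 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 203.0.113.5 ()\tStatus: Down
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_open_ports(grepable):
    """Return {host: set(open TCP ports)} from nmap -oG output."""
    result = {}
    for line in grepable.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines, down hosts, lines without a Ports: field
        host, ports_field = match.groups()
        open_ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            # "filtered" means a firewall answered, not the service: not exposed
            if state == "open" and proto == "tcp":
                open_ports.add(int(port))
        result[host] = open_ports
    return result


def exposed_management_services(grepable):
    """{host: ['3389/RDP', ...]} for hosts with a management port open."""
    findings = {}
    for host, ports in parse_open_ports(grepable).items():
        hits = [f"{port}/{MANAGEMENT_PORTS[port]}" for port in sorted(ports) if port in MANAGEMENT_PORTS]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, services in exposed_management_services(SAMPLE_NMAP_OG).items():
        print(f"{host}: internet-exposed management services: {', '.join(services)}")
```

Run the scan from a host outside your network (for example a cloud VM), since scanning from inside tells you nothing about what the firewall lets through. A service on a non-standard port, such as RDP moved to 33890, will not be caught by a port-number list; nmap's service detection (-sV) and matching on the service name column are the fix for that.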

Multifactor Authentication & Password Security

Of the customers assessed, it was disappointing to find that none were using, enforcing or even recommending the use of Multi-Factor Authentication (MFA) to their users.

In addition, only a single customer was recommending the use of password managers.

Studies show that approximately 75% of people reuse the same password on more than one website or service. With the ever-rising number of data breaches, the number of compromised accounts continues to increase with them.

Password managers provide users with a safe way to generate and securely store unique random passwords, reducing the password reuse problem. MFA adds another layer of security to the user’s account by requiring a one-time passcode in addition to the password, so a stolen or reused password alone is not enough to compromise the account.

Conclusion

The assessments and their associated results highlight the fact that most smaller companies are simply not preparing themselves effectively or securing their businesses.

Core fundamentals are not being addressed in most cases, which leaves organisations vulnerable to the most common cyber-attacks.

Considering that most of these organisations had experienced some form of security incident in the last two years, this is further evidence of how important it is to get the basics in place.

If you are not sure where to start with your cyber security, then begin by completing a Cyber Assessment. Engaging a specialist to assess your business security is a great first step to understanding your risks and gaps. Assessments will help you to focus on the items with the highest risk and deal with these first.

Please don’t be another cyber statistic, start securing your business today!

By Stuart Hare on 15/12/19


Ironshare is a provider of Information and Cyber Security services.
