Blog

Ironshare's latest posts ready to view and share.

Cyber Round-up

Cyber Round-up for 4th February

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

The British Council Data Leak Exposes Student Records

The British Council, a public sector organisation supplying English language courses, has been leaking student information. The leak came from an insecure Azure blob repository that was publicly indexed. It could allow a hacker to obtain the full names, email addresses, student IDs, enrolment dates and duration of study of over 10,000 students at the organisation. Students are being encouraged to change their passwords if they have been affected.

By PortSwigger.net

$322 Million in Crypto Lost In Wormhole Hack

The cryptocurrency platform Wormhole has been hacked, allowing the attackers to make off with $322 million in Ethereum and Solana currency. The web application called Wormhole Portal is thought to have been exploited by the hackers and used to release more funds than were initially provided. The attack has caused a global drop in the price of Eth & Sol, causing the value of the hackers' haul to drop from $322 million to $294 million if exchanged.

By TheRecord.media

Qubit Pleads for Cash Return After Hack

Qubit, a finance platform, was recently hacked, leaving the organisation $80 million worse off in stolen funds. The hacker stole “Binance” coins through a vulnerability in the organisation's QBridge protocol. The organisation usually offers up to $250,000 for its bug bounties; however, this has been increased to $2 million for the safe return of the stolen funds, with the promise that the hacker won’t be prosecuted. It is unknown if this agreement will be accepted or changed in the future.

By BitDefender.com

Cyber Gang MuddyWater Attacks Turkish Organisations

Cisco Talos researchers have observed a new campaign by MuddyWater against Turkish organisations; the cyber gang has been observed operating in Europe, the Middle East, South Asia and the US. This latest campaign is targeting private organisations and government institutions using PDFs, XLS files and Windows executables to deploy PowerShell-based downloaders and gain a foothold on a device. These files are thought to be downloaded from media-sharing sites and through emails.

By Blog.TalosIntelligence.com

Vulnerabilities & Updates

CISA Adds 8 Vulnerabilities to Catalog of Exploited Bugs

The Cybersecurity & Infrastructure Security Agency (CISA) recently added a further eight vulnerabilities to its list of actively exploited bugs. This catalog was designed to generate awareness of the flaws and to prompt federal organisations to apply patches within the deadline. The newly added flaws include a memory corruption vulnerability in Apple IOMobileFrameBuffer, a stack-based buffer overflow vulnerability in SonicWall SMA 100 appliances and more.

A full list of the recent additions can be found here, along with more details and advice.

By BleepingComputer.com

Remote Attackers Able to Execute Code Through New Samba Flaw

Samba, the widely used open-source implementation of Server Message Block (SMB), recently released a security update addressing multiple critical vulnerabilities. One of the vulnerabilities covered in this patch has been given a CVSS rating of 9.9 and allows a remote attacker to execute arbitrary code with root privileges. This reportedly affects all versions before 4.13.17; all Samba users are advised to apply the latest updates as soon as possible.

By TheHackerNews.com

DeadBolt Ransomware Situation Update

QNAP have published a Resolved Security Advisory related to the DeadBolt ransomware. Shortly after last week’s round-up was published, which included the DeadBolt ransomware situation, QNAP force-installed an update on NAS devices to protect against the ransomware. This soon proved to be a mistake on QNAP's part, as it prevented victims from recovering their files if they had either paid the ransom or otherwise gained access to decryption keys. Users who are affected by this update can contact QNAP support for assistance with decrypting their files.

By QNAP.com

Log4j Vulnerability – What You Need to Know

We have updated the Advisories and Resources section of our Log4j Vulnerability article.

We recommend keeping up to date with this information as vendors continue to fix their products and provide updates.

And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #177 – 4th February 2022

By Joshua Hare on 3/2/22

Cyber Round-up

Cyber Round-up for 28th January

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Security Strategy To Level Up Britain’s Cyber Defence

The UK’s first cyber security strategy has just been launched; the strategy is aimed at protecting public services from hostile attacks. A new Government Cyber Coordination Centre (GCCC) will be established to provide coordination across the public sector, as well as to identify, investigate and respond to attacks. A reporting service will be created to allow the public and cyber security professionals to report vulnerabilities to the government, allowing them to be patched in a timely manner. £37.8 million is expected to be allocated to local authorities to aid them in protecting vital local public services such as housing benefit, voter registration, electoral management, school grants and the provision of social care.

By gov.uk

Smart Devices Security Law Generates Movement

A newly proposed law is set to be debated by MPs. The new law is aimed at securing smart devices such as phones, laptops, speakers, TVs and any other devices capable of connecting to the internet. Under this law, default, easy-to-guess passwords provided by manufacturers on new devices are expected to be banned in favour of unique, strong passwords for each device. Manufacturers are also expected to be clearer about how long devices will receive security updates, as well as to develop a system for the public to report security vulnerabilities found in such devices. This will be a welcome change on the path to securing personal devices and the Internet of Things.

By gov.uk

Brata Malware Factory Resets Android Phones

An Android banking malware has been updated with a new feature: the ability to factory reset the device. The malware, called BRATA, has been active since 2018; however, researchers have recently reported a new strain of this malware wiping devices. BRATA steals the victim's banking details using a fake login screen, from which the credentials are sent to a hacker; this recent strain also wipes the device so that the user is unaware of any suspicious activity or bank transfers being made. This also aids in removing the malware and limiting forensic evidence.

By therecord.media

Segway Online Store Victim Of A Magecart Attack

Researchers have reported that the official Segway online store has been skimming the credit card details of purchasers after suffering a Magecart attack. It is unknown how the hackers managed to inject the site with malicious JavaScript; however, they cleverly disguised the code by labelling the loader as “copyright”. The skimmer itself impersonated a favicon.ico file but was in fact JavaScript code that stole banking credentials and sent them to a server owned by the hackers. Details can be found in the Malwarebytes blog post.

By Blog.malwarebytes.com

DeadBolt Ransomware Encrypting Network Storage

A new ransomware called DeadBolt has been found to be targeting Network Attached Storage (NAS) devices. The ransomware mostly attacks NAS devices that are connected to the internet without any protection, and once it finds one it encrypts its contents. This poses a serious threat to organisations that use these systems for day-to-day file-sharing or on-site backups. QNAP has advised users to disable the port forwarding function on routers as well as disabling the UPnP function of the QNAP NAS. It is never recommended to have NAS devices accessible from the internet, but if you must, please ensure that they are secured properly: access is limited to authorised parties, default credentials are replaced with strong, hard-to-guess passwords and multifactor authentication is enabled where available.

By bleepingcomputer.com

Vulnerabilities & Updates

Mass WordPress Themes And Plugin Vulnerability

Dozens of WordPress themes and plugins have been found to contain malicious code. The code created a backdoor into the sites it was installed on, allowing the attacker full administrative control over the websites. The 40 themes and 53 plugins found to be infected belonged to AccessPress Themes, and are present on over 360,000 sites. Researchers said the same themes and plugins are safe if installed through the wordpress.org directory. Any sites running themes or plugins installed directly from the AccessPress Themes website are urged to upgrade to safe versions as soon as possible.

By Thehackernews.com

Apple Patch Secures Zero-Day Vulnerability

An actively exploited zero-day vulnerability has been patched by Apple to help protect its users. The patch, which covers both iOS and macOS, has not been publicly detailed, but the flaw is labelled CVE-2022-22587, a memory corruption bug in the IOMobileFrameBuffer component which could be used to execute arbitrary code. All Apple users are advised to update their devices to patch this vulnerability, particularly since it has been reported to be exploited in the wild.

By Thehackernews.com

And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #176 – 28th January 2022

By Samuel Jack on 27/1/22

Cyber Round-up

Cyber Round-up for 21st January

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Red Cross Cyber Attack Compromises Data of Highly Vulnerable People

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data,” - The Red Cross.

The Red Cross program known as Restoring Family Links was recently hit by a cyber-attack, which has reportedly compromised the personal information of over 515,000 people, most of whom are considered “highly vulnerable”. Many of these individuals have been separated from their families due to natural disasters, conflict and migration; because of the situation of these people, the Red Cross are pleading with the currently unknown attackers to keep their data secure. On average, this Red Cross program reunites 12 people with their families per day. The work they do is remarkable, and their director is hoping the attackers show some sign of humanity.

By TheRecord.media

New Laws Proposed To Improve UK Cybersecurity

New laws are being discussed to help protect UK businesses from cyber-attacks. The proposed laws are reported to create a set of certifications and qualifications aimed at improving the skills of cybersecurity professionals within the UK. New laws surrounding how cyberattacks are reported are also proposed, to allow flexibility with new and future technologies, as well as future-proofing the laws by allowing easier changes and including a wider scope of organisations in the future, not just MSPs. Other legislation is said to increase the security of Managed Service Providers, as cyberattacks are increasingly occurring at third parties, resulting in the compromise of the desired target or end customer.

By Gov.uk

New ‘White Rabbit’ Ransomware Being Used by FIN8

FIN8, a well known financially motivated hacker group, has recently been seen launching attacks using a brand-new ransomware strain. The new strain, which has been called “White Rabbit”, was first spotted in December 2021, when it was used to attack a local bank in the US. Research suggests that White Rabbit shares some similarities with the Egregor malware, which hasn’t been seen since it was shut down in February 2021. This is another addition to the recent double extortion trend, which is becoming increasingly popular among threat actors. We will keep you up to date with this new strain and FIN8 as more activity is seen.

By TheHackerNews.com

Moncler Hit by Ransomware Attack

Italian fashion brand Moncler has been hit by a cyber-attack, in which the stolen data was published on the dark web. This attack was carried out by the AlphV/BlackCat ransomware operators, and compromised the data of “employees, former employees, suppliers, consultants, business partners and some customers.” Investigations into the attack are still ongoing and Moncler announced that they are working to mitigate the situation.

By Infosecurity-Magazine.com

DHL Most Impersonated Organisation In Phishing Attacks

During the last quarter of 2021, DHL, the largest courier and delivery provider, was reported to be the organisation most imitated by hackers trying to steal information through phishing attacks. DHL has overtaken the previous leader, Microsoft, dropping them to 2nd place in the most-phished list. It is believed the increase is due to Christmas, Black Friday and Cyber Monday all falling within the 4th quarter, when there was an increased likelihood of the target having a DHL delivery in progress. The report by Check Point noted that the top 5 most impersonated organisations are:

  • 23% - DHL
  • 20% - Microsoft
  • 11% - WhatsApp
  • 10% - Google
  • 8% - LinkedIn

By BleepingComputer.com

Europol Shuts Down VPNLab Service

The European Union Agency for Law Enforcement Cooperation (Europol) has seized the servers of the virtual private network provider VPNLab. Although the use of a VPN service isn’t illegal and is generally considered good cyber practice, VPNLab was specifically advertising its services to cyber criminals such as ransomware gangs. As a result, Europol has seized 15 servers connected to VPNLab, along with its website, making the company inoperable. No arrests have been made, but customer data has been seized and is currently being investigated.

By TheRecord.media

Vulnerabilities & Updates

WordPress Plugin XSS Vulnerability

Yet another vulnerability has been found in a WordPress plugin. This time the plugin, called “Email Template Designer - WP HTML EMAIL”, could allow an unauthenticated user to inject JavaScript into a website, which would execute when an admin accessed the template editor. Furthermore, this vulnerability could allow a hacker to inject arbitrary code into the email template, turning a legitimate email from the site into a convincing phishing email. A patch is available for the vulnerability and we recommend that any website admins running this plugin update to the newest version.

By Wordfence.com

And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #175 – 21st January 2022

By Samuel Jack on 20/1/22

Cyber Round-up

Cyber Round-up for 14th January

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Panasonic Discloses 4 Month Long Data Breach

Panasonic, an electrical goods producer, has disclosed a data breach lasting four months. The breach, running from 22nd June 2021 to 3rd November 2021, was caused by hackers gaining access to a file server located in Japan via a subsidiary. The breach allowed hackers to access personal information via stored job applications, which Panasonic claimed was “primarily standard business contact details.” Panasonic were clear that the server held no personal information of its customers, but have been reluctant to release the number of people whose personal information was possibly stolen via the stored job applications.

By BitDefender.com

FIFA 22 Reports Less Than 50 Account Breaches

With the release of FIFA 22, EA has been questioned about its user security. Reported account breaches of high-profile players have prompted players to question whether the developers are taking their users' security seriously. EA reported that “less than 50” accounts have been breached since the arrival of the game, through the exploitation of human factors in customer service and the bypassing of two-factor authentication. EA has made plans to alter its customer service and account verification processes in an attempt to protect user accounts from hackers.

By EconoTimes.com

Ransom DDoS Attacks Growing in Strength and Popularity

The last quarter of 2021 was plagued with distributed denial-of-service attacks, especially those linked to extortion and ransomware. In December alone, almost a third of all Cloudflare customers reported receiving a ransom note. Ransom DDoS attacks have become increasingly popular over the last two years, and they are rapidly increasing in strength. Cloudflare recently stated that “terabit-strong attacks are becoming the norm”. It seems that automated mitigation solutions are the way forward for dealing with this, since they can respond immediately to prevent the attacks.

More details on this can be found here.

By BleepingComputer.com

SysJoker Malware Infects Windows, Linux and MacOS

A newly discovered malware, SysJoker, is causing ripples in the world of cybersecurity. The malware is a backdoor that gives a hacker or command-and-control server access to a system while evading detection. This type of malware provides initial access for an attacker to take over a machine or extend their access across the organisation's network. Researchers have observed that the malware has a hardcoded XOR key which is used to access a file located on Google Drive containing the location of the command-and-control server. They have also noted that the contents of this file on Google Drive have changed several times, and that the attack seems targeted, implying that the cybercriminals are actively monitoring the malware.

By ThreatPost.com

Nanocore, Netwire and AsyncRAT Use Public Cloud Infrastructure to Spread Campaign

Back in October 2021, the Cisco Talos team discovered a malicious campaign delivering variants of Nanocore, Netwire and AsyncRAT. With the majority of its victims in the US, Italy and Singapore, this campaign was targeting user information and used cloud services such as Azure and AWS to set up its infrastructure. Not only does this make it easier for the attackers, it also makes the defender’s life much harder when trying to find them. In this instance, the threat actors used information-stealing RAT variants in combination with malicious subdomains registered through DuckDNS. We recommend looking into this advisory by Cisco Talos, which contains an in-depth analysis of the campaign, as well as IoCs and recommendations for defending against it.

By Blog.TalosIntelligence.com

Vulnerabilities & Updates

WordPress Version 5.8.3 Release

The WordPress team released version 5.8.3 last week, which includes fixes for 4 high-severity vulnerabilities, including SQL injection and cross-site scripting flaws. Wordfence is currently protecting against all flaws covered by this patch and has added new firewall rules to defend against cross-site scripting. Most WordPress sites should have received automatic updates; however, we encourage all site admins to ensure updates are complete. The patch is available for anyone running a version of WordPress later than 3.7.

By Wordfence.com

New Patch Available for Sonicwall SMA 100 Series Appliances

Users of the Sonicwall SMA 100 VPN product are advised to apply the latest updates as soon as possible, to ensure they are protected against a recently discovered remote code execution vulnerability. This flaw, which was found in SMA 200, 210, 400, 410 and 500v products as well, has not yet been exploited in the wild; however, exploitation notes and technical details have now been released, so immediate patching is recommended. Four other flaws were disclosed as part of this patch, the most severe of which has a CVSS rating of 7.5.

By TheRegister.com

Microsoft Patch Tuesday January 2022

Microsoft have released their monthly batch of security updates for January. This month includes 97 flaws, 9 of which are rated critical. If you are interested in catching up on the details of this patch, you can find our Patch Tuesday blog here.

A word of caution though, it was confirmed that the latest Windows Server updates are causing issues with Hyper-V and Domain Controllers. Details on this can also be found in the Update Links & Advisories section of the Patch Tuesday blog.

And that is it for this week's round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #174 – 14th January 2022

By Joshua Hare on 13/1/22

Security Guidance

Microsoft Patch Tuesday - January 2022

Jan22 Patch Tuesday

We're back with another round of Patch Tuesday updates from Microsoft. With a total of 97 vulnerabilities this month, separated into 88 important and 9 critical, it looks like this month is full of security improvements. While 6 vulnerabilities have been publicly disclosed, surprisingly not one has been noted as exploited in the wild.

This month's release covers security updates for key components including:

  • Microsoft Exchange Server
  • DirectX
  • Microsoft Dynamics
  • Microsoft Office
  • Windows RDP
  • Windows Security Centre

Important Notes

CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability

This critical vulnerability would allow a hacker to run arbitrary code on Windows 10, Windows 11, Server 2019 and Server 2022 machines. Although it is not currently known to have been exploited, Microsoft are urging immediate patching due to its wormable nature (meaning it can be used to spread throughout a vulnerable network without human interaction). This vulnerability has a CVSS score of 9.8, making it the most severe of all the vulnerabilities being patched in this update.

CVE-2022-21846: Microsoft Exchange Server Remote Code Execution Vulnerability

With a CVSS score of 9.0, this critical vulnerability would allow hackers to run their code within a Microsoft Exchange Server. Microsoft notes that although the vulnerability poses a greater threat than most, it would require a lot more work to exploit than other vulnerabilities.

CVE-2022-21840: Microsoft Office Remote Code Execution Vulnerability

Another critical vulnerability listed in this month's Patch Tuesday is CVE-2022-21840. This is another remote code execution vulnerability that would allow a hacker to run their code on your system. It is said to affect all supported versions of Office and SharePoint Server.

CVE-2022-21919: Windows User Profile Service Elevation of Privilege Vulnerability

This vulnerability is a bypass of the previous patch for CVE-2021-34484, an elevation of privilege flaw that allowed an attacker to increase their permissions. Elevation of privilege is a common starting point for hackers to get greater access within your device. The severity of this vulnerability is rated important, with a CVSS score of 7.0.

Software patches are essential to keeping any device secure from potential threats. We highly recommend that you apply these updates as soon as possible, given the high-risk HTTP Protocol Stack and Office vulnerabilities posing serious security concerns.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan

Security update guide: https://msrc.microsoft.com/update-guide/

Update Links & Advisories

Windows Server Update Prevents Hyper-V From Starting and Causes DC Boot Loop - January 13

New Windows Server updates cause DC boot loops, break Hyper-V (bleepingcomputer.com)

By Samuel Jack on 12/1/22

Cyber Round-up

Cyber Round-up for 7th January

HAPPY NEW YEAR! Welcome to the first Ironshare Cyber Round-up of 2022, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

MOD’s Defence Academy Cyber Attack Was Significant

The cyberattack on the Ministry of Defence’s Defence Academy in March 2021 was “sophisticated” and “significant”. The attack was thought to be from a foreign power and affected the network services of the academy. It is speculated that the attack was an attempt to access the Ministry of Defence’s core network; however, no claims have been validated. Despite the significance of the attack, recovery was “manageable because your people work incredibly hard to keep things going and find backup methodologies."

More details on the nature of the incident can be found here.

By News-Sky.com

ZLoader Attack On The Rise

A new malware campaign has been spotted and is being run by a group of cybercriminals known as Malsmoke. This campaign appears to be using the popular Zloader banking trojan, but in a new way that we have not seen before. Historically, the trojan has been utilised in traditional phishing attacks, whereas Malsmoke are using a legitimate remote management application called Atera to gain initial access; this technique has not been seen in previous Zloader attacks making it a unique campaign. We advise all users to avoid installing programs from untrusted/unknown sources.

By infosecurity-magazine.com

Companies Warned To Patch Log4j Vulnerability

The Federal Trade Commission has warned companies that they will need to patch the recent Log4j vulnerabilities or face legal action. The FTC seems to be taking the Log4j vulnerability seriously, as it poses a threat to potentially millions of customers around the world. They cite the example of Equifax, a previously compromised company which failed to patch similar vulnerabilities, resulting in the compromise of its systems and the exposure of the data of 147 million customers. The company agreed to pay $700 million in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and all fifty states. The FTC reported: “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

You can read the official FTC statement here.

By TechCrunch.com

SlimPay 5 Year Banking Detail Disclosure

SlimPay, a payment service for businesses, has allowed the banking information of its 12 million customers to be publicly accessible for 5 years. In 2015, SlimPay was testing a new anti-fraud feature to add to its service; the testing used the data of real users, which was within its legal rights. However, after the testing was complete, the information of its users was found to be on a publicly facing server with no security in place, which could have allowed anyone access. SlimPay have since received a €180,000 fine for failing to comply with GDPR regulations.

By TheRegister.com

Sotheby’s Luxury Real Estate Sites Compromised

More than 100 sites relating to the luxury real estate seller Sotheby’s were found to be compromised, with card-stealing code embedded within their pages. The hackers modified JavaScript code via the Brightcove video player, which was distributed to the compromised sites. The attack happened at the end of last year; however, the security firm Palo Alto has only just released its report on the attack. Malwarebytes are also currently looking into this to see if more Brightcove users are compromised by the same attack.

By TheRecord.media

Vulnerabilities & Updates

Google Releases Big Chrome Patch

Chrome's latest patch is set to include fixes for 37 vulnerabilities, 1 of which is considered critical. This critical flaw is a use-after-free bug that could allow actions such as executing malicious code or data corruption. Other vulnerabilities found are buffer overflows and type confusion vulnerabilities. All Chrome users are advised to update their browser as soon as possible to ensure they are protected from exploitation of these vulnerabilities.

By TheHackerNews.com

And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #173 – 7th January 2022

By Samuel Jack on 6/1/22

Cyber Round-up

Cyber Round-up for 24th December

Christmas Round-up

Welcome to the Christmas edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

Cyber Security Summary for 2021

2021 has been another rollercoaster year for us all, both in day-to-day life and in Cyber Security.

This year pretty much started as the last year finished: the majority of the country in lockdown and thousands of companies still recovering from the SolarWinds supply chain attacks that were publicised in December.

We now enter the Christmas holiday season with the disappointing expectation that more COVID based restrictions are likely to be introduced in the coming days or weeks (in the UK at least), due to the new Omicron variant.

COVID remained a popular topic throughout 2021, with a continued increase in coronavirus-based phishing emails and scams, which still proved highly effective for internet bad guys.

As expected, ransomware continues to be a major threat. Cyber criminals have had to expand their tactics and capabilities to stay effective, though:

Ransomware-as-a-Service had an increasing presence, with attackers no longer having to write their own malicious code; instead they can rent attacker infrastructure and malware in a pay-as-you-go model.

In addition, we saw a big rise this year in double extortion ransomware, where the bad guys are not content with encrypting your data; they first spend time in your network extracting company and personal data, so they can threaten to leak it if you do not pay the ransom.

Defenders & IT professionals continued to have a torrid time this year, with what seemed like an unprecedented year for zero-day vulnerabilities. The year is not out yet and we have hit an all-time high with over 19.5k vulnerabilities (CVEs) reported.

Microsoft Exchange Server took one of the biggest hits this year, with a number of targeted zero-day vulns. Just after recovering from the SolarWinds fallout, the IT world was hit with the first in a series of critical Exchange vulnerabilities (a trend that seemed to continue throughout 2021), dubbed ProxyLogon. It was very quickly understood that ProxyLogon was being actively exploited by a state-sponsored group called HAFNIUM. The ProxyShell flaw followed in its wake, with hackers chaining both flaws in their exploits, often to devastating effect.

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Unsurprisingly, cryptocurrency exchanges became bigger targets for cyber attack as the year went on. BitMart, Liquid and the Poly Network alone saw losses in the hundreds of millions of dollars, on the back of successful attacks.

https://www.bbc.co.uk/news/technology-59549606

In true cybersec form, the year end has not disappointed, with a huge 10/10 disclosure for Apache Log4j. Once again IT teams & vendors around the globe have been rushing to patch this series of exploited critical vulnerabilities. Log4Shell, as it's become known (we have liked the name 'Shell' this year :) ), impacts millions of devices worldwide, due to its libraries being included in lots of different web based products and services.

https://www.ironshare.co.uk/security-advisory/critical-apache-log4j-vulnerability-what-you-need-to-know/

2021 has sounded all doom and gloom so far, but there have been some positive points to note.

In response to the increasing threat of phishing attacks, the NCSC in the UK launched a new Suspicious Email Reporting Service. This has given private sector companies and the general public the ability to report scams and phishing emails to their report@phishing.gov.uk mailbox, where they will investigate and aim to take down any suspicious sites they find. By November 2021 the service had removed 68,000 scam email addresses and websites.

https://www.ncsc.gov.uk/collection/phishing-scams

Takedowns of attacker groups and their infrastructure, performed by law enforcement (Europol, National Crime Agency, FBI etc.) and big tech companies (Cisco, Microsoft etc.), have been on the rise. Arguably, none as prominent as the takedown of Emotet, one of the largest and most active malware botnets of the last decade.

https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

For me, it's pleasing to see the cyber and information security community growing at a good rate. If we are to stand a chance against the continued threat of cyber attacks, we need more skilled and passionate people to help protect the public, businesses and the internet from these ever-present modern day threats.

On a more personal note, we have had the pleasure of being involved with both new and existing customers, who have made fantastic progress with improving their cyber maturity. Some making small progressive changes, while others have made significant strides forward. These outcomes are just some of the professional positives that have kept me smiling and going through yet another turbulent year.

In this week’s round-up:

Security News

Log4j Vulnerability Scanner Developed By CISA

The Cybersecurity and Infrastructure Security Agency has released a vulnerability scanner allowing for the identification of services potentially vulnerable to the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. The scanner evaluates a web service's web application firewall and Log4j to identify if the service is vulnerable to the critical flaws and notifies the user. Failure to patch the vulnerability could allow hackers to run malicious code with privileges to access confidential information.

By bleepingcomputer.com

Log4Shell Exploit Utilised By Cyber Criminals

Conti, a ransomware group, has been detected using the Log4Shell vulnerability in their operations to successfully infect a machine and request a ransom. The group is thought to be specifically targeting VMware vCenter Servers which are vulnerable to the attacks. After initial exploitation the group gains access to the server and moves across networks to infect machines with their ransomware.

By therecord.media

225 million Leaked Passwords Donated to HIBP

The UK’s National Crime Agency has recovered vast amounts of stolen data after accessing a database owned by hackers. The previously unknown leaked data, which included passwords and emails, has been sent to the free online service https://haveibeenpwned.com to allow the public to assess if their information has been leaked. We recommend visiting the HIBP site and testing all personal and professional emails to see if they are included in this dataset. If they are, you should reset your password and ensure you have different passwords for each of your accounts.

By BBC.co.uk

Gloucester Council Hit With Cyber Attack

A “cyber incident” has been reported by Gloucester Council; the attack has resulted in a serious internal system and services outage. It has been reported that Gloucester council is working with the National Cyber Security Centre and the National Crime Agency to resolve the issue and find out who is behind the attack. Phone calls and emails can still be received however it is said that it will take “longer than normal” for the council to respond.

By gloucestershirelive.co.uk

Meta Cracks Down On Spyware Industry

Meta, the parent company of Facebook, has banned 6 companies and a Chinese law enforcement supplier as it cracks down on surveillance-for-hire organisations. The alarming report by Meta says that it is believed that 50,000 “everyday people” have been targeted by such organisations. Meta has also issued cease-and-desist letters to the companies, as well as reporting the information gathered to law enforcement agencies across the world.

By Forbes.com

Vulnerabilities & Updates

Vulnerability Identified in Windows Domain Controller

Two vulnerabilities tracked as CVE-2021-42278 and CVE-2021-42287 offer the potential for privilege escalation in Active Directory Domain Services. The vulnerabilities would allow a hacker to access a system with domain admin privileges. Although patches were released in November, a proof of concept has been developed and publicly disclosed, prompting Microsoft to notify business users of its Domain Controller to install the newest security update or risk a critical threat to their infrastructure and information.

By blackhatethicalhacking.com

Four New Vulnerabilities In Microsoft Teams

Microsoft has discovered four new vulnerabilities relating to its video conferencing application Teams. The vulnerabilities are:

  • Server-side request forgery
  • URL preview spoofing bug for web and desktop application
  • IP address leak and denial of service for Android users

So far Microsoft has only patched the IP address leak for Android; the rest of the vulnerabilities remain unpatched and users should be cautious. Microsoft has said the release dates for fixes to the remaining vulnerabilities will vary and are currently unknown, but users should update as soon as they become available.

By portswigger.net

And that is it for this year’s round-up, please do not forget to tune in for new instalments every week.

We wish you all a very Merry Christmas and a (hopefully COVID-reduced) prosperous New Year.

See you all in January 2022.

Stay Safe, Secure and Healthy!

Edition #172 – 24th December 2021


By

Stuart Hare

on

23/12/21

Cyber Round-up

Cyber Round-up for 17th December


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

The UK’s Secret Situation Centre Is Changing A Nation

Located in the Cabinet Office building, a secret data centre processing a flood of data is changing the way the UK handles anything from food shortages to national relations. The situation centre, called SitCen, is helping to inform the UK government with better, more accurate and up to date analytics. SitCen is designed to collect data from numerous sources and produce actionable data in a crisis event. Recently SitCen was used during the fuel shortages to understand where fuel was most needed, so that fuel tankers could be directed effectively across the country. SitCen & its data analytics capability is expected to play a big role in the UK's cyber strategy and response, specifically in the event of significant cyber attacks.

By BBC.co.uk

Grindr Fined for Breaching GDPR

The gay and bi dating app Grindr has recently been under investigation by the Norwegian Data Protection Authority for its breach of the European General Data Protection Regulation. The application has been found to be selling user information to third parties without explicit permission. Users were forced to agree to the terms within the privacy policy however should have been asked specifically if they consent to their data being shared for behavioural purposes. This overstep in data sharing was met with a fine of €6.5 million. Grindr has made changes to its application however it is unclear if they wish to launch an appeal against the ruling.

By InfoSecurity-Magazine.com

Vulnerabilities & Updates

Apache Log4j Vulnerability Resources

This week has seen a huge amount of focus on product vulnerabilities, no more so than the critical Apache Log4j (aka Log Forge) flaws. This has already had a huge impact on businesses and product vendors around the globe with millions of devices thought to be vulnerable. Here you can find our round-up of the recent Apache Log4j vulnerability, including advisories, recommendations, resources and other information.

Microsoft’s December Patch Tuesday

We are already half way through December which means Microsoft's December Patch Tuesday updates are now available. Please click here for our Patch Tuesday post, including 7 critical vulnerabilities in Microsoft Defender, Office & more.

iOS Update Stops iPhone 13 Jailbreak Exploit

The most recent update to Apple’s iOS has been released and fixes a slew of security problems. One of the problems was a Remote Code Execution vulnerability allowing a jailbreak exploit chain: Safari could be exploited, allowing arbitrary code to run on the device with kernel permissions. Hacker group Kunlun Lab was able to jailbreak an iPhone 13 in just 15 seconds at the International Cyber Security Contest Tianfu Cup in China. Updating to the latest version is highly recommended due to the severity and ease of exploitation.

By ThreatPost.com

New Vulnerabilities Affect Billions Of Wi-Fi Chips

A set of vulnerabilities was recently found in Wi-Fi System-on-Chip devices produced by Broadcom, Cypress, and Silicon Labs. The vulnerabilities were found after a series of attacks were detected using previously unknown exploit methods. The attacks allowed hackers to read and alter network traffic including passwords and other private credentials. The vulnerabilities found were:

  • CVE-2020-10368: Wi-Fi unencrypted data leak
  • CVE-2020-10367: Wi-Fi code execution
  • CVE-2019-15063: Wi-Fi denial of service
  • CVE-2020-10370: Bluetooth denial of service
  • CVE-2020-10369: Bluetooth data leak
  • CVE-2020-29531: Wi-Fi denial of service
  • CVE-2020-29533: Wi-Fi data leak
  • CVE-2020-29532: Bluetooth denial of service
  • CVE-2020-29530: Bluetooth data leak

The security teams analysing the exploit have notified chip vendors which are pushing security updates. It is advised to update your devices as they become available, in case you are affected by these serious vulnerabilities.

By CyberSecurityNews.com

Chrome Hit with Another Zero-Day Exploit Patch

A high severity 'use after free' zero-day vulnerability in Chrome’s V8 JavaScript engine has been disclosed by a security researcher. These types of vulns allow hackers to run arbitrary code or escape Chrome’s security sandbox. Details about the vulnerability are scarce as Google hasn’t disclosed information, only saying that the attack has been seen in the wild.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google added.

Google has since released a security patch to protect against the vulnerability, but it's expected to take a while before it is rolled out and available to all its users.

By BleepingComputer.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #171 – 17th December 2021


By

Samuel Jack

on

16/12/21

Security Advisory Archives
Products and Services

Microsoft Patch Tuesday: 14th December 2021


The latest Microsoft Patch Tuesday release is now available, with the security update covering 67 vulnerabilities in total, categorised as 7 critical and 60 important, with 6 publicly disclosed and 1 seen being exploited in the wild.

This month's release covers security updates for components including:
  • Windows AppX Installer
  • SharePoint Server
  • Visual Studio
  • Visual Studio Code
  • PowerShell
  • Microsoft Office
  • Edge Browser
  • Microsoft Defender for IoT

Critical Updates

CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability

The AppX Installer service vulnerability affecting Windows systems is the only flaw this month that is being actively exploited in the wild. This vulnerability, labelled critical, is being exploited to spread the Emotet/Trickbot/Bazaloader malware types. Microsoft commented on this, saying: "An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment".

CVE-2021-41333: Windows Print Spooler Elevation of Privilege Vulnerability

Hackers could potentially gain elevated privileges on an affected system through the Windows Print Spooler service. This is one of the 6 vulnerabilities that has been publicly disclosed, and it has a low attack complexity, meaning it is easier to exploit.

CVE-2021-43880: Windows Mobile Device Management Elevation of Privilege Vulnerability

Similar to the previous flaw, this publicly disclosed vulnerability could allow for unauthorised privilege escalation on a mobile device using Windows MDM. This vulnerability also allows local hackers to delete files located on the system.

Software patches are essential to keeping any device secure from potential threats. We highly recommend that you apply these updates as soon as possible, given the high-risk Excel and VM vulnerabilities posing serious security concerns.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2021-Dec

Security update guide: https://msrc.microsoft.com/update-guide/

By

Samuel Jack

on

16/12/21

Security Advisory Archives

Critical Apache Log4j Vulnerability – What You Need to Know


Last week, a critical vulnerability dubbed Log4Shell was found in Apache’s Log4j logging tool, and it is currently affecting millions of devices around the world. Log4j is a logging library that is widely used across many different services and devices, and is likely a lot more common than you think.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code remotely. Proof-of-concept code has now been released for this vulnerability and it is being actively exploited in the wild; if left unpatched, the risk of compromise is very high, and could open the way for a number of attacks, such as credential theft, data extraction, ransomware or infection of the rest of your network.

The initial vulnerability, CVE-2021-44228, has been rated with a base CVSS score of 10.0, which is the highest / most critical score available when rating vulnerabilities.

Be aware that further vulnerabilities have been found since the initial advisory, and it's now recommended to ensure Log4j is running the updated version, 2.16.0.

Does This Affect Me?

Many organisations and individuals may not even know that they are using Log4j, as it is simply a component used in different types of software; but it is almost a guarantee that most users are using it somewhere on their devices or in online services. The fact that the majority of users are unaware of the risks posed by this flaw makes it even more severe, so spreading awareness of it is very important.

Generally, we recommend applying the latest updates as soon as possible, and continue to apply future patches as soon as they are made available.

As for organisations, understanding where Log4j may be present is essential; we strongly advise you try to discover all instances of Log4j within your organisation and ensure that patches are applied everywhere, as soon as they become available.

Lists of affected components, apps and vendors have been published on GitHub, which may assist in identifying instances of Log4j. These lists can be found here; please consult the advisory section below for a list of other associated and useful resources.
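One way to carry out that discovery on a file system, as an added example written for this post (not Apache's, CISA's or Ironshare's code): it walks a directory, opens every JAR/WAR/EAR it finds, recurses into archives nested inside them (fat jars, WEB-INF/lib), identifies log4j 2.x core by its package path and reads the version from the Maven pom.properties, flagging anything below 2.16.0 or with no version metadata for manual review. The sample archives it builds are constructed fixtures; the class and property paths used are those a Maven-built log4j-core jar contains.

```python
"""Find every copy of log4j-core under a directory (including copies nested in
WAR/EAR/JAR files) and flag versions older than 2.16.0. Illustrative code written
for this post; not a tool from Apache, CISA or Ironshare."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)                       # version the advisory recommends
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# log4j 2.x core classes live under this package (1.x uses org/apache/log4j/ instead)
CORE_PACKAGE = "org/apache/logging/log4j/core/"
# Maven-built log4j-core jars carry their own version here; this survives shading,
# whereas MANIFEST.MF in a fat jar describes the application, not log4j
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
NAME_RE = re.compile(r"log4j-core-(\d[\d.]*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc1' -> (2, 15, 0); unparseable -> None."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def pom_version(zf):
    """Read version=... from log4j-core's pom.properties, if the archive has one."""
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def scan_archive(zf, label, findings):
    """Inspect one open zip, then recurse into any archives it embeds."""
    names = zf.namelist()
    if any(n.startswith(CORE_PACKAGE) for n in names):
        name_m = NAME_RE.search(label)
        raw = pom_version(zf) or (name_m.group(1) if name_m else None)
        version = parse_version(raw)
        findings.append({
            "path": label,
            "version": ".".join(map(str, version)) if version else None,
            # unknown version is treated as needing review, not as safe
            "needs_update": version is None or version < FIXED_VERSION,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(inner, f"{label}!/{name}", findings)


def scan_tree(root):
    """Return one finding per log4j-core copy found under root; paths are relative."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Write constructed fixtures: a vulnerable core jar nested in a WAR, a fixed
    standalone jar, and a shaded app jar with no log4j version metadata."""
    root = Path(root)
    (root / "webapps").mkdir(parents=True, exist_ok=True)
    old_core = _zip_bytes({CORE_PACKAGE + "Logger.class": b"",
                           POM_PROPERTIES: b"version=2.14.1\nartifactId=log4j-core\n"})
    (root / "webapps" / "app.war").write_bytes(
        _zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": old_core}))
    (root / "log4j-core-2.16.0.jar").write_bytes(
        _zip_bytes({CORE_PACKAGE + "Logger.class": b"", POM_PROPERTIES: b"version=2.16.0\n"}))
    (root / "shaded-app.jar").write_bytes(
        _zip_bytes({CORE_PACKAGE + "Logger.class": b"",
                    "META-INF/MANIFEST.MF": b"Implementation-Version: 3.2.0\n"}))


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        status = "UPDATE" if f["needs_update"] else "ok"
        print(f"{status:6} {f['version'] or 'unknown':8} {f['path']}")
```

Run it with a directory argument to scan a real tree; with no argument it scans the constructed fixtures, reporting the nested 2.14.1 copy and the shaded jar as needing attention.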

Advisories and Resources

Here are some resources and advisories to help you understand this vulnerability. As new information is released, we will update this section and try to provide a timeline of events and updates, including any changes to advisories and recommendations as vendors begin to fix their products and provide updates.

Apache Log4j Security Vulnerability Fixes | 13th December 2021

Log4j – Apache Log4j Security Vulnerabilities

Log4j Vulnerability – What Everyone Needs to Know | 14th December 2021

What the Log4j vulnerability is, who is affected - NCSC.GOV.UK

Cisco Talos Threat Advisory | 15th December 2021

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild

CISA List of Affected Systems | 16th December 2021

GitHub - cisagov/log4j-affected-db

Log4Shell Spotted Spreading Ransomware | 14th December 2021

First Log4Shell attacks spreading ransomware have been spotted - The Record by Recorded Future

State Actors Exploiting Log4Shell | 15th December 2021

Relentless Log4j Attacks Include State Actors, Possible Worm | Threatpost

Exploitation of Second Log4j Vulnerability Begins | 15th December 2021

Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges (thehackernews.com)

Log4Shell Exploits Used in Attacks Targeting Ubiquiti Network Appliances | 31st January 2022

Threat actor target Ubiquiti network appliances using Log4Shell exploits - The Record by Recorded Future

UniFi Network Application 6.5.54 Includes Log4j Fix - Addresses Exploit Used in Above Attacks

UniFi Network Application 6.5.54 | Ubiquiti Community

By

Joshua Hare

on

15/12/21

Cyber Round-up

Cyber Round-up for 10th December


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Emotet Behaviour Could Lead to Ransomware Attacks

Last month we saw the return of Emotet, however it hasn’t been as active as we expected just yet. Emotet is now believed to be using TrickBot to spread and quickly infect devices, and its recent behaviour suggests that a wave of ransomware attacks could be approaching. Researchers have seen what seems to be a new Emotet loader being used within the TrickBot trojan, which would allow the group to install Cobalt Strike directly onto infected machines. This is a warning for all organisations to be prepared for an attack, as they could begin any day now.

By ThreatPost.com

BitMart Hack Results in $150 Million Loss

BitMart, a popular cryptocurrency trading platform, has confirmed they were attacked earlier this month, resulting in the theft of around $150 million worth of funds. Following an investigation by security firm, Peckshield, the stolen amount is believed to be closer to $200 million, including $100 million worth of Ethereum and $96 million from the Binance blockchain. This is not the first attack on cryptocurrency platforms, but it is believed to be up there with the largest so far; BitMart confirmed they are still investigating the breach to discover how the attack was performed, and we will provide more details when we learn more.

By Portswigger.net

Facebook to Force At-Risk Accounts to Use Multi-Factor Authentication

For a long time, Facebook has given users the option to enable multi-factor authentication on their accounts, but until now it has not been enforced. The social media platform has announced that soon, high-risk users will no longer have a choice and will be forced to enable MFA, in an attempt to dramatically increase account security. The social media platform follows in the footsteps of Google and others, who have also begun enforcing MFA for administrators and other high-profile accounts. This is a huge step forward for Facebook in terms of security, and we are interested to see what steps they take next.

By Wired.com

SPAR Branches Close Due to Cyber Attack

The convenience store SPAR has recently been a victim of a cyber attack affecting its IT systems and causing some of its branches to close until the issue is resolved. 330 SPAR stores in the north of England were forced to close as EPOS systems were unable to process payments using debit or credit cards as well as losing stock logging systems.

SPAR tweeted on their Twitter account: "We apologize for any inconvenience this is causing our customers and we are working as quickly as possible to resolve the situation."

By InfoSecurity-Magazine.com

Zoho Warns Of Product Zero-Day Attacks

Zoho, a business offering SaaS and device management tools, has released an alert to its ManageEngine Desktop Central users. The device management solution is thought to be affected by a zero-day attack, as Zoho told its customers:

“We are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,”

The vulnerability allows hackers to bypass authentication and run arbitrary code on Desktop Central servers. More information can be found here.

By TheRecord.media

Microsoft Seizes Malicious Domains

42 malicious domains have been seized by Microsoft. The sites are thought to be owned by a China-based cyber group. The group has targeted both the public and private sectors in 29 different countries, including the United States and the UK. The group used “highly sophisticated” attacks against its targets, leveraging vulnerabilities in VPN services, Exchange Server and SharePoint services. Once initial access had been gained, the group then deployed tools to steal credentials and provide backdoor access to command-and-control servers. This is the latest in a long line of takedowns carried out by both tech giants and law enforcement throughout 2021.

By TheHackerNews.com

Vulnerabilities & Updates

Authentication Bypass in WordPress Registration Plugin

A vulnerability in RegistrationMagic plugin for WordPress allowed hackers to sign into the accounts of any users on the site bypassing any type of authentication needed. The biggest threat is that administrative accounts were also vulnerable, allowing hackers to access the admin portal, modify settings, and gain access to account information and other sensitive elements. The vulnerability has now been patched. If affected we recommend updating the RegistrationMagic plugin to version 5.0.1.8 or newer to be protected.

By Wordfence.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #170 – 10th December 2021


By

Samuel Jack

on

9/12/21

Cyber Round-up

Cyber Round-up for 3rd December


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Android Banking Trojans Spread Through Google Play Store

Four Android banking trojans have been seen infecting devices through the Google Play Store over the last few months, with more than 300,000 recorded infections. The trojans are being contained in dropper apps and have been specially designed to deliver malware such as Anatsa, Alien, ERMAC and Hydra.

Here is a list of the applications carrying trojans:

  • Two Factor Authenticator (com.flowdivison)
  • Protection Guard (com.protectionguard.app)
  • QR CreatorScanner (com.ready.qrscanner.mix)
  • Master Scanner Live (com.multifuction.combine.qr)
  • QR Scanner 2021 (com.qr.code.generate)
  • QR Scanner (com.qr.barqr.scangen)
  • PDF Document Scanner - Scan to PDF (com.xaviermuches.docscannerpro2)
  • PDF Document Scanner Free (com.doscanner.mobile)
  • CryptoTracker (cryptolistapp.app.com.cryptotracker)
  • Gym and Fitness Trainer (com.gym.trainer.jeux)

By TheHackerNews.com

FBI Seize $2.3M From Ransomware Gang Affiliates

REvil and Gandora are some of the most well-known Ransomware-as-a-Service operators in the world, and work by offering ransomware services to third parties, often referred to as affiliates. It was announced last week that one of these affiliates was caught by the FBI, who managed to seize $2.3 million worth of Bitcoin from the hackers. There are no further details on how the wallet was accessed, but it was confirmed that it was found through a cryptocurrency storage solution known as Exodus.

By BleepingComputer.com

Plans To Increase Cyber Security For UK’s Digital Supply Chains

Providers of IT services could be forced to undergo new changes to their business infrastructure to support new regulations for cyber security. Current plans are being made to force businesses to be more secure from cyber security threats such as malware and confidential information breaches. Other plans include new procurement rules to guarantee that public sector businesses can only be supplied with IT Services through secure trusted providers, as well as guidance and advice for businesses on how to manage cyber threats.

By BusinessNewsWales.com

Four Month Long Data Breach Disclosed by Panasonic

Panasonic, a Japanese electrical goods provider, has disclosed a 4-month long data breach that the company was previously unaware of. The data breach was discovered on November 11th; however, some news reports suggest that the breach had been ongoing since June 22nd. Panasonic has neither confirmed nor denied these allegations. Panasonic has said that it is working hard to find out if the data breach involved customer data.

By TheRecord.media

Emotet Hiding in Installer Packages

Emotet has been found hiding in a fake Adobe PDF software installer package for Windows. This is shared through phishing emails that try to trick the victim into visiting a website and installing the malware on their device. Once complete, the malware steals the victim's email contacts and forwards a copy of the email to all contacts to spread the infection further. Once a device is infected, TrickBot and Qbot can be installed, which can lead to a ransomware attack.

By BleepingComputer.com

Ukrainian Police Uncover Cyber Gang Phoenix

After a series of raids, the Ukrainian police have seized incriminating evidence and arrested members of the cyber gang Phoenix. They have been accused of using phishing schemes to gain access to online accounts of phone manufacturers, such as Samsung and Apple, harvesting banking details, and selling personal data. The group is believed to still be active but laying low after the recent raids and arrests.

By PortSwigger.net

Vulnerabilities & Updates

ProxyShell Flaws Exploited in Ransomware Attacks

A new strain of ransomware has been spotted recently, known as BlackByte. Reports suggest the ransomware is leveraging the ProxyShell flaws in Microsoft Exchange servers to gain access, elevate privileges and execute arbitrary code. After exploitation, the attacker can simply install and execute the ransomware via Cobalt Strike and completely lock down the target system. There is a patch available for the ProxyShell flaws being exploited, and we recommend applying the latest updates as soon as possible.

More details on the nature of this attack can be found here.

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #169 – 3rd December 2021


By

Samuel Jack

on

2/12/21

Cyber Round-up

Cyber Round-up for 26th November


Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

GoDaddy Data Breach Affects 1 Million Users

GoDaddy recently announced that they had been hit by a data breach, in which 1.2 million user accounts may have been exposed. The breach was initially discovered when unauthorised access to GoDaddy’s WordPress server hosting system was detected; this was made possible by the compromise of an employee’s password. It was not specified if the compromised account was using multi-factor authentication but once access was gained, the attacker was able to see the email addresses and customer numbers of the users. This news story is expanding and it appears that more areas of the GoDaddy infrastructure may have been impacted. No passwords were leaked in this breach, but the exposed email addresses could be used in future phishing attacks, so we encourage everyone to be cautious when receiving suspicious emails.

By TechCrunch.com

New Legislation Bans Default Passwords

The UK is expected to bring in new legislation to ban default passwords. The legislation is aiming to make technology in the UK more secure for its users by combating the increase in attacks on smart home devices. The legislation dictates that:

  • Easy to guess default passwords that are loaded on devices during manufacturing are banned. The password needs to be unique to every device created.
  • Buyers should be told the minimum period of time the device is likely to receive vital security updates.
  • Security researchers will have a public point of contact to point out flaws and bugs with specific devices.
  • Companies not in line with the new legislation will be fined.

The legislation is expected to cover internet-connected devices such as: smartphones, networking routers, smart security cameras, gaming consoles, smart speakers, and kitchen goods and toys however vehicles, smart electric and gas meters as well as desktop computers and laptops are not yet in scope.

By BBC.co.uk

Python Package Index Removes 11 Malicious Libraries

Python Package Index (PyPI) is a popular package repository that the Python community uses to share and distribute software. Earlier this week, the operators of PyPI were forced to remove 11 libraries that were found to contain traces of malicious behaviour; these malicious packages were flagged for behaviour such as credential theft and the installation of remote access shells. Some packages also appeared to steal Discord access tokens. Unfortunately, these libraries accumulated 30,00 installs before being removed, so some PyPI users may have already been compromised.

A full list of the malicious packages can be found here, along with details, descriptions and number of downloads.

By TheRecord.media

WordPress Targeted by Malicious AWS Servers

WordPress servers have recently been receiving a vast amount of malicious traffic that attempts to brute force the login credentials of their users. In the past week, malicious attacks against WordPress have doubled and are expected to increase, with more than a quarter being recorded from Amazon Elastic Compute Cloud IP addresses. The reason for this increase in malicious login attempts is not yet known. WordPress admins and users should ensure that account passwords are long, strong and unique, and it's advised to enable 2 Factor Authentication ASAP if not already in use.

By WordFence.com

SMS Phishing Scams Target Monzo Bank

A new SMS phishing scam has been discovered that is targeting Monzo Bank customers. The SMS message received by victims reads:

“To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in[.]com/”

The SMS messages received by the victims appear to be spoofed to look like legitimate messages, and they are even grouped with genuine past text messages from Monzo Bank, which further lowers recipients' suspicion. When receiving a text message like this, it is best to be cautious and always validate it before clicking links or giving away your information. Always call the service directly using its helpline (not a number from the message) to check whether it is legitimate and discuss the issue with them.

By GrahamCluley.com

FBI Big Brand Phishing Warning

The FBI has released a document detailing their recommendations on how to stay safe from phishing scams from Big Brands that are seeing an increase across the world. Their recommendations are:

  • “Be suspicious of unsolicited contact via email or social media from any individual you do not know personally and/or containing messages enticing you to open a link or attached file.
  • When receiving account alerts, rather than clicking a link within an email or text, opt to navigate to the website using the secure URL to review any logs, messages, or notices.
  • Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites, to include the username and/or domain names/addresses (i.e., capital “I” vs small “L”, etc.).
  • Use strong unique passwords, and do not re-use the same password across multiple accounts.
  • Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
  • Enable 2FA and/or multi-factor authentication (MFA) options to help secure online accounts, such as a phone number, software-based authenticator programs/apps, USB security key, or a separate email account (with a unique password that does not link to other consumer accounts) in order to receive authentication codes for account logins, password resets, or updates to sensitive account information.
  • When possible, do not use your primary email address for logins on Websites. Create a unique username not associated with your primary email address.”

See the full announcement here.

By ic3.org

Vulnerabilities & Updates

Windows Installer Zero-Day Discovered

Microsoft have released a threat advisory for the recently discovered Windows Installer zero-day vulnerability, that is already being exploited in the wild. This zero-day was marked as medium-severity with a CVSS score of 5.5 and currently affects every version of Windows, including Windows 11 and Server 2022. Although a patch was released by Microsoft, it was not successful in fixing the flaw, and so all systems are still at risk.

You can find Microsoft’s security advisory here.

By Blog.TalosIntelligence.com

Proof-of-Concept Released for Microsoft Exchange Flaw

A proof-of-concept exploit has now been released for the recently discovered Microsoft Exchange server vulnerability, which allows already-authenticated attackers to remotely execute arbitrary code. A patch is available for this flaw, so we advise all admins to update their Exchange servers as soon as possible; this is even more urgent now that a proof-of-concept has been released.

You can find Microsoft’s security advisory here.

By BleepingComputer.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #168 – 26th November 2021

Why not follow us on social media:

By Samuel Jack on 25/11/21

Cyber Round-up for 19th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Advancement of Ransomware Extortion Schemes

The evolution of ransomware has been a constant over the last few years, with its latest development introducing some new technology that allows attackers to “explore new dimensions”.

A popular tactic in modern ransomware attacks is double extortion, in which the attacker threatens to leak the victim’s data online if a ransom is not paid; this means that not only is your data encrypted, but it will also be made publicly accessible if you choose not to pay the threat actors. This puts victims in a difficult situation, because even if they can recover their own data, they are still at risk if they ignore the ransom.

This is becoming even more advanced now with what is known as a quadruple extortion (stolen data, locked files, denial of resources and threatening third parties).

By InfoSecurity-Magazine.com

Attackers Leverage Domain Fronting and Leaked Cobalt Strike Tool

The Cisco Talos threat intelligence team recently discovered that malicious actors were using a leaked version of the Cobalt Strike tool, which was originally designed for legitimate remote access. These attackers are also incorporating domain fronting techniques into their campaigns. Domain fronting disguises malicious traffic as traffic to legitimate, reputable domains, helping it evade domain-based filtering.

More details on the evolution of this attack, and how it works, can be found here.

By Blog.TalosIntelligence.com

Magecart Attacks Still Devastating Organisations

Magecart attacks exploit vulnerabilities in a third-party software vendor, content management system or domain function in order to secretly inject JavaScript code. This code skims details entered into a payment portal and sends them to a command-and-control server. These details can then be used for fraudulent purchases or to move the victim's funds into the attacker's account. Organisations are still trying to combat Magecart attacks on their payment portals; however, they are difficult to manage because third-party programs keep having unknown vulnerabilities that get exploited.

By cybersecurityventures.com

Emotet Malware Seen Back In The Wild

After 10 months of silence, the Emotet malware has been recorded infecting devices on the internet once again. Emotet was shut down after an internationally coordinated operation disrupted its infrastructure, leaving it unable to run the command-and-control servers that send commands to infected devices. So far, 9 new command-and-control servers have been found to be linked to Emotet, and the newest wave of infections does not appear to be a test but rather a full-fledged campaign to infect machines via malicious emails.

By Duo.com

FBI Emails Servers Hacked

The FBI has recently been under attack from an unknown source. The attackers managed to compromise one of the FBI's public ticketing and alerting email servers and launched an email spam campaign. The emails contained a warning about a fake cyberattack supposedly taking place, which caused the FBI to be flooded with emails and calls from confused organisations. The email attempted to blame Vinny Troia, the founder of NightLion Security, as the perpetrator of a sophisticated attack. The server has since been taken offline and analysed for evidence.

By TheRecord.media

Vulnerabilities & Updates

Intel Processor Flaw Exposes Encryption Keys

A newly discovered vulnerability affecting Intel processors could reportedly allow an attacker to gain elevated privileges. This flaw has been given a CVSS score of 7.1 out of 10, making it a high severity vulnerability, however it does require the attacker to have physical access to the hardware; exploitation of this flaw could lead to the exposure of private encryption keys. It is worth noting that this vulnerability is only exploitable in the event that your device is stolen, however we still advise applying the necessary patches as soon as possible.

By ThreatPost.com

Cybercriminals Selling Zero-Days as ‘Exploit-as-a-service’

Cybercriminals are exploring new ventures in the form of an exploit-as-a-service model, in which they allow customers to rent zero-day exploits for use in their own attacks. Because of the severity of zero-days, this scheme could prove very profitable for cybercriminals, with some discussions reportedly reaching a $10 million agreement. This is a relatively new idea, so there is not much evidence to work with, but there is some scepticism around whether the bad guys would be willing to burn a zero-day in this way; time will tell.

By PortSwigger.net

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #167 – 19th November 2021

By Joshua Hare on 18/11/21

Cyber Round-up for 12th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

North Korea Target South Korea with Malicious Blogs

The Cisco Talos team has recently discovered a new campaign controlled by a North Korean state-sponsored APT group, dubbed Kimsuky, specifically targeting South Korea. This malicious campaign combines an information gathering module, a keylogger module and a file injector to deliver the payload; the payload impersonates a benign tool known as Nirsoft WebBrowserPassview and is designed to steal credentials for several sites.

More details on this can be found here.

By Blog.TalosIntelligence.com

Robinhood Suffer Security Breach

The stock trading and investment service Robinhood has been the victim of a cyber-attack. A customer support employee is believed to have disclosed their login credentials to a malicious party, who then accessed Robinhood's data to gather information about its users. The breach resulted in the disclosure of:

  • email addresses for 5 million users
  • real names for 2 million users
  • name, date of birth, and zip code for ~310 users
  • extensive personal data for ~10 users

After the breach was discovered Robinhood received a ransom notice from the attacker to pay or risk disclosure of the data. Robinhood did not agree to the ransom and informed law enforcement instead. An email was sent to users believed to be affected by the breach, notifying them that their email might be targeted by phishing scams in the future, as well as useful tips to stay protected.

By TheRecord.media

Increase In Computer Misuse Act Crimes

The UK has seen 1.8 million computer misuse offences from June 2020 to June 2021. This was an 85% increase in comparison to the June 2018 to June 2019 period.

"This was an 85 per cent increase compared with the year ending June 2019, largely driven by a 161 per cent increase in 'Unauthorised access to personal information (including hacking)' offences," said the Office for National Statistics, which owns the survey.

Although an estimated 1.8 million people were affected by a breach in the past year, the true number is likely to be higher, as some details are lost or stolen without notice, and unknown or unreported breaches will not be accounted for until they are discovered.

By TheRegister.com

Two Factor Authentication Credentials Stolen by Bots

Scam bots are being used to steal two-factor authentication codes and one-time passwords. The bots are customised to sound like an automated security call from a bank or other service and ask the recipient to enter private credentials. The attack is simple: an automated voice imitates a legitimate security call, for example about irregular spending, and gets the recipient to enter further details to "validate" their identity. Our advice is never to enter private information during unexpected or suspicious-sounding calls; instead, call the service back on a trusted helpline number and ask whether the security concern was real before sharing any information.

By BGR.com

Chatex Sanctioned by the US Treasury

The crypto exchange service Chatex has been sanctioned by the US Treasury Department. This is due to Chatex being associated with ransomware payments, with over half of its known transactions directly linked to illicit or high-risk activities such as darknet markets and ransomware. Operations for Chatextech and IZIBITS have been suspended while law enforcement investigates the firm's board owners.

By TheRecord.media

Vulnerabilities & Updates

Microsoft Patch Tuesday - November 2021

Microsoft’s Patch Tuesday is here which addresses a number of critical vulnerabilities. You can find our Patch Tuesday blog post here, which covers all of the important details you need to know about this month’s batch of security updates!

Zero-Day Vulnerability Found in Palo Alto GlobalProtect VPN

A new zero-day vulnerability has been discovered by researchers at Randori that impacts Palo Alto Networks GlobalProtect VPN. Exploitation of this flaw could lead to an attacker gaining unauthorised access to the target network with the ability to execute arbitrary code. This is being tracked as CVE-2021-3064 with a CVSS score of 9.8; any versions before PAN-OS 8.1.17 are affected and we advise updating as soon as possible.

You can find the official Palo Alto security advisory here.

By TheHackerNews.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #166 – 12th November 2021

By Joshua Hare on 11/11/21

Microsoft Patch Tuesday: 9th November 2021

It's that time again, Patch Tuesday is in full force! This latest release of Microsoft's Patch Tuesday security updates comprises 55 vulnerabilities in total, categorised as 6 critical and 49 important, with 4 publicly disclosed and 2 seen being exploited in the wild.

This month's release covers security updates for 35 components including:

  • Azure
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Windows
  • Visual Studio
  • Visual Studio Code
  • Windows Active Directory
  • Windows Cred SSProvider Protocol
  • Windows Defender
  • Windows RDP
  • Windows Virtual Machine Bus

Critical Updates

Microsoft Exchange has been under attack numerous times this year. The vulnerability labelled CVE-2021-42321 is a remote code execution vulnerability caused by improper validation of cmdlet arguments. This would allow an attacker to run their own code and potentially take over or damage the server. To exploit this vulnerability, an attacker would first have to be an authenticated user of the Exchange server.

Another remote code execution vulnerability has been patched. CVE-2021-38666 is an RCE vulnerability found in the remote desktop client which can be exploited when a victim machine connects to an attacker-controlled remote desktop server. This would allow the attacker to execute arbitrary code on the victim’s machine. The limitation of this vulnerability is that the victim needs to actively connect to the attacker-controlled remote desktop server so attackers might impersonate an IT employee via email, phone call or another method to persuade you to connect.

CVE-2021-26443 is a code execution vulnerability in Microsoft's Virtual Machine Bus. The vulnerability could allow command execution from a guest VM on the host, allowing for privilege escalation. This vulnerability is severe, with a CVSS score of 9.0 out of 10, and is labelled as critical by Microsoft.

Excel is yet again a vulnerable application in Microsoft's Patch Tuesday dossier. The new CVE-2021-42292 vulnerability is described as a security feature bypass zero-day and has been exploited in the wild. Microsoft declined to give any further information about this vulnerability but specified that exploitation can only occur by opening a document. This also affects Apple Mac devices, but patches for those are still in progress.

Software patches are essential to keeping any device secure from potential threats. We highly recommend that you apply these updates as soon as possible, given that the high-risk Excel and VM vulnerabilities pose serious security concerns.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov

Security update guide: https://msrc.microsoft.com/update-guide/

11th November 2021

By Joshua Hare on 11/11/21

Cyber Round-up for 5th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

iOS 15, Windows 10 and Google Chrome Breached at Tianfu Cup

Chinese hackers slaughtered software from the big western firms Apple, Microsoft and Google at last weekend's Tianfu Cup (a Chinese hacking contest). The contest pits hackers against software to find vulnerabilities for a cash prize. Only 3 of the 15 targets lined up withstood the hackers. Microsoft saw 5 successful exploits against its Windows 10 operating system, iOS 15.0.2 was breached twice and Google Chrome was also exploited twice. Other successful targets included Adobe PDF, the Asus AX56U router, Docker CE, Parallels VM, QEMU VM, Ubuntu 20, VMware ESXi and Workstation.

By Forbes.com

1.6 Million Devices Infected By “Pink” Botnet Malware

Cybersecurity researchers believe they have just discovered the biggest botnet ever seen in the wild. With over 1.6 million devices, primarily located in China, the goal of the botnet is believed to be launching Distributed Denial-of-Service attacks. The malware infects MIPS-based fibre routers, using third-party services to connect to its command-and-control servers while fully encrypting its traffic. The undisclosed vendor is working with CNCERT/CC to control the outbreak; however, the operator of the malware keeps updating the firmware of infected devices to stop the malware from being purged.

By TheHackerNews.com

EU To Support New Cybersecurity Rules

The European Commission has updated the Radio Equipment Directive to introduce stricter security standards for radio and wireless equipment. This means that new phones, tablets, fitness trackers and other IoT devices sold within the EU will need to meet the updated standard, which is expected to take effect in mid-2024. This updates the 2014 regulatory framework that vendors must follow to sell electronic equipment in the EU market.

By TheRecord.media

ETL Grows In Complexity and Impact Analysis

The 9th edition of the ENISA Threat Landscape report, released by the European Union Agency for Cybersecurity, has widened its view of the cybersecurity world. The report, which helps establish an annual understanding of threats, impacts, attacks and other aspects of cybersecurity, now includes more focus on the sophistication of modern cyber-attacks as well as more realistic impacts such attacks could have on an organisation. The top 9 threats given in the report are:

  • Ransomware
  • Malware
  • Cryptojacking
  • E-mail related threats
  • Threats against data
  • Threats against availability and integrity
  • Disinformation – misinformation
  • Non-malicious threats
  • Supply-chain attacks

By HelpNetSecurity.com

Google Auto-Enrolling Users In Two Factor Authentication

Google's recent security focus seems to be on its users. A new initiative set out by Google aims to require all of its users to have two-factor authentication. This will make all user accounts more secure by adding an extra layer of sign-in authentication. Additional authentication methods could be a code or sign-in confirmation prompt via a smartphone, or a physical security key. All accounts flagged for two-factor authentication will get an email or notification from Google seven days before the requirement is enforced. While some users have reported already being required to use additional authentication, Google plans to have 150 million accounts using it by the end of the year.

By ArsTechnica.com

Ransomware Group BlackMatter Shuts Down

The group BlackMatter has officially disbanded and shut down its operation. VX-Underground's Twitter account shared a screenshot of a message from BlackMatter to its affiliates saying that it was closing down due to pressure from local authorities. This comes after BlackMatter attempted to negotiate payments with corporate victims of its ransomware attacks.

By GrahamCluley.com

Labour Party Hit With Cyber Attack

A third-party firm that handled membership data for the Labour Party has been attacked, exposing "a significant quantity" of party data. Both the Information Commissioner's Office and the National Cyber Security Centre are investigating the breach to find the culprit and minimise damage. The third party holding the data has not yet been disclosed but is said to have held data on members, registered and affiliated supporters and other individuals who have provided support.

By BBC.co.uk

Vulnerabilities & Updates

Microsoft Exchange Vulnerabilities Exploited In Ransomware Attack

Babuk ransomware is being deployed against servers running Microsoft Exchange, leveraging the ProxyShell vulnerability to place the ransomware in the victim's environment. It then uses other vulnerabilities to enumerate processes and attempts to disable a number of processes related to data backups. The ransomware demands that victims pay $10,000 USD for the key to decrypt their data. More detailed information can be found on the Talos blog.

By Blog.TalosIntelligence.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #165 – 5th November 2021

By Joshua Hare on 4/11/21

Cyber Round-up for 29th October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

FBI and Homeland Security Raid Chinese Company PAX Technology

PAX Technology, a leading point-of-sale provider, had its Florida offices raided by the FBI. This is believed to be because PAX's systems have been involved in cyberattacks on US and EU organisations. In an official statement, the Department of Homeland Security said only that it was executing a court-authorised search at the warehouse as part of a federal investigation. The FBI is believed to have begun investigating unusual network packets originating from the company's payment terminals after a US payment processor discovered them. A source said that the payment processor found that PAX terminals had been used as a malware dropper and as a command-and-control location for staging attacks. Both the FBI and MI5 are believed to be conducting an intensive investigation into PAX Technology.

By Krebsonsecurity.com

Ofcom Tells Phone Network Providers To Block Foreign Scam Calls

Ofcom, the UK's communications regulator, has told UK phone network providers to start actively working to block foreign scam calls. This comes after the worst summer for scam calls on record, in which almost 45 million people were targeted by phone scams. Ofcom is expected to make this a priority; however, only TalkTalk has so far implemented new plans to tackle foreign scam calls, and more providers are expected to follow in tackling this complex and frequent scamming method.

By bbc.co.uk

Cream Finance Receives Its Third Cyber Attack Of The Year

Hackers have stolen around $130 million worth of cryptocurrency assets from Cream Finance. The incident was detected by PeckShield and SlowMist. The attackers are thought to have found a vulnerability in the company's platform lending system and used it to steal tokens and assets running on the Ethereum blockchain. Six hours after the attack, Cream Finance said the vulnerability had been patched; however, this leaves little reassurance for its customers' security or the state of the stolen assets.

By TheRecord.media

UK Ransomware Attacks Doubled In A Year

The head of GCHQ, Jeremy Fleming, has said that the number of attacks associated with ransomware has doubled in the past year. Ransomware is believed to have grown in popularity among criminals because it is "largely uncontested" and highly lucrative. In comments made at the Cipher Brief annual threat conference, he said that Russia and China are harbouring cyber criminals who are successfully targeting western organisations. The UK still seems to be an easy target for hackers, as it lacks any radical cyber security developments.

By theguardian.com

REvil Ransomware Group Forced Offline

A multi-country law enforcement operation to stop REvil Ransomware group has proved successful. Multiple private sector cyber experts aided the US government in the operation. The operation resulted in the infrastructure of the group being hacked by governments and taken offline for a second time this week. This is the latest action in the effort to reduce ransomware prevalence in the UK.

By thehackernews.com

Vulnerabilities & Updates

OptinMonster Vulnerabilities Put 1 Million Sites At Risk

The WordPress plugin OptinMonster was discovered to have multiple severe vulnerabilities that could allow a site visitor to export sensitive information and add malicious JavaScript to WordPress sites. Although Wordfence Premium users were protected from the attack from the 28th September, a fully patched new version (2.6.5) was released on the 7th October 2021. All users of the OptinMonster plugin are advised to update to at least v2.6.5 immediately to remove this vulnerability.

By wordfence.com

Adobe's Security Update Full Of Critical Patches

Adobe has released security patches for 92 vulnerabilities found across its software, 66 of which are rated critical. Most of the critical vulnerabilities allow arbitrary code execution (ACE), privilege escalation, denial of service or memory leaks. The affected Adobe software is:

Adobe After Effects, Animate, Audition, Bridge, Character Animator, Illustrator, InDesign, Lightroom Classic, Media Encoder, Photoshop, Prelude, Premiere Pro, Premiere Elements and the XMP Toolkit SDK.

If you have any software listed it is highly recommended that you update to the newest patch to secure your device.

By ThreatPost.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #164 – 29th October 2021

By Joshua Hare on 28/10/21

Cyber Round-up for 22nd October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

NCSC Update Their Device Security Guidance

The National Cyber Security Centre (NCSC) have recently revised their Device Security Guidance after the release of Microsoft’s new Windows 11 operating system. This guidance includes good practice configurations, settings, and general recommendations for Microsoft Windows devices up to the latest version. Organisations should review this updated information and look to apply a secure configuration that meets the balanced requirements of the business.

By NCSC.gov.uk

Free Decryptor for Victims of BlackByte Ransomware

The cybersecurity experts at Trustwave recently released a free decryption tool on GitHub, that allows any victims of the BlackByte ransomware to recover their data. The firm reportedly discovered a “design flaw in the ransomware’s encryption routine”. The group responsible for the attacks responded to this and said:

"We would not recommend you to use that, because we do not use only 1 key. If you will use the wrong decryption for your system you may break everything, and you won't be able to restore your system again. We just want to warn you, if you do decide to use that, it's at your own risk."

This is entirely true, and the decryption tool could potentially corrupt your files; however, victims can find the decryption tool here should they choose to use it.

By TheRecord.media

Cybercriminals Targeting Linux and Solaris Systems

An unknown group of cybercriminals has been seen targeting companies in the telecommunications sector for some time now, and recently they have been heavily focused on Linux and Solaris systems, which they believe “aren’t being watched by infosec teams”. The mysterious group has been named LightBasin by security researchers but has also been referred to as UNC1945. LightBasin have reportedly attacked 13 telecoms companies so far, and CrowdStrike have made recommendations on how to protect against their attacks.

More details can be found here.

By TheRegister.com

Scam Calls Affect 45 Million in Just 3 Months

Over the summer, scammers targeted almost 45 million people in the UK according to Ofcom, with half reporting at least one call a week. Text scams are most common among 16 to 34-year-olds, with two thirds receiving at least one this summer. Call scams hit the elderly hardest, with 61% of over-75s receiving a scam phone call. If you believe you have received a scam text message, you can report it by forwarding it to 7726. With scams on the rise since lockdown, make sure to question unknown or suspicious phone calls and text messages.

By BBC.co.uk

Russian Cyber Gangs Prey on Finance Firms

A new phishing campaign labelled MirrorBlast is distributing malicious Excel documents through email. These documents use macros to run malicious scripts on the target's computer, bypassing any firewalls and antivirus in place. The most dangerous part of these campaigns is that the malicious code has been heavily obfuscated to hide from antivirus software, and the emails are tailored to make the Excel attachment seem legitimate. To protect yourself from these attacks, always check the sender's email address for small changes such as "name@iranshare.co.uk", and never click "Enable macros" when opening an Excel document unless you can be sure that it is trustworthy.

By BleepingComputer.com
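The FBI's "capital I vs small L" advice in the big-brand phishing item, the monzo-log-in[.]com link in the Monzo SMS scam, and the "name@iranshare.co.uk" check above are all the same defensive habit: compare a domain with the ones you actually trust and flag near-misses. Here is that habit as code, an example added to this page in Python rather than anything from the round-up or its sources; the allow-list, suffix table and confusable table are constructed for illustration.

```python
"""Lookalike-domain checks for phishing links and sender addresses.

Added example, not code from the round-up or any cited source. The allow-list,
public-suffix table and confusable table are constructed for illustration only.
"""
from urllib.parse import urlparse

# Constructed allow-list: domains the reader genuinely expects mail or links from.
TRUSTED_DOMAINS = {"monzo.com", "ironshare.co.uk", "coinbase.com"}

# Constructed, deliberately tiny suffix table so "ironshare.co.uk" splits as
# ("ironshare", "co.uk") rather than ("co", "uk"). Real code would use the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Characters or pairs that read alike in many fonts (the FBI's "capital I vs
# small L" case, plus digit 1, digit 0 and the rn/vv pairs). Applied in order.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("|", "l"), ("i", "l"), ("0", "o")]


def fold_confusables(label: str) -> str:
    """Lower-case a label and collapse visually confusable characters."""
    folded = label.lower()  # capital I becomes i, and i becomes l below
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def split_domain(domain: str) -> tuple:
    """Return (registrable label, suffix): 'ironshare.co.uk' -> ('ironshare', 'co.uk')."""
    labels = domain.lower().strip(".").split(".")
    for n in (2, 1):  # longest suffix first so 'co.uk' wins over 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[-n - 1], ".".join(labels[-n:])
    if len(labels) > 1:  # unknown suffix: fall back to the last two labels
        return labels[-2], labels[-1]
    return labels[0], ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character swaps like iranshare/ironshare."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> dict:
    """Compare a domain with the allow-list and say why it is or is not suspicious."""
    domain = domain.lower().strip(".")
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "matches": domain}
    name, suffix = split_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name, t_suffix = split_domain(trusted)
        if (name, suffix) == (t_name, t_suffix):  # e.g. www.coinbase.com
            return {"domain": domain, "verdict": "trusted", "matches": trusted}
        verdict = None
        if name == t_name and suffix != t_suffix:
            verdict = "wrong-suffix"       # monzo.co instead of monzo.com
        elif fold_confusables(name) == fold_confusables(t_name):
            verdict = "homoglyph"          # lronshare (small L) vs ironshare
        elif t_name in name.split("-"):
            verdict = "brand-embedded"     # monzo-log-in.com wraps the brand
        elif len(t_name) >= 5 and levenshtein(
                fold_confusables(name), fold_confusables(t_name)) <= 1:
            verdict = "lookalike"          # iranshare vs ironshare
        if verdict:
            return {"domain": domain, "verdict": verdict, "matches": trusted}
    return {"domain": domain, "verdict": "unrelated", "matches": None}


def check_sender(address: str) -> dict:
    """Classify the domain part of an e-mail address such as name@iranshare.co.uk."""
    return classify_domain(address.rsplit("@", 1)[-1])


def check_link(url: str) -> dict:
    """Classify a URL's host; also accepts the defanged 'monzo-log-in[.]com' form."""
    host = urlparse(url.replace("[.]", ".")).hostname or ""
    return classify_domain(host)


if __name__ == "__main__":
    # Constructed samples: the cases from the round-up plus a few variants.
    for sample in ("alerts@monzo.com", "name@iranshare.co.uk", "news@lronshare.co.uk"):
        print(f"{sample:28} -> {check_sender(sample)}")
    for sample in ("https://monzo-log-in[.]com/", "https://www.coinbase.com/", "https://monzo.co/"):
        print(f"{sample:28} -> {check_link(sample)}")
```

The verdict strings are a starting point for a mail-gateway rule or a user-facing warning; a real deployment would swap the constructed tables for the organisation's own allow-list and the full public suffix list.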

Quickfox VPN Leaks 1 million Users Data

The VPN service Quickfox allows users to connect to Chinese websites that are usually inaccessible from outside the country. Quickfox had set up access restrictions on Kibana but not on its Elasticsearch server, allowing skilled criminals to extract sensitive information about Quickfox and its users. This put the personally identifiable information of more than 1 million users at risk of being leaked.

By ThreatPost.com

Phishing Campaign targets YouTube creators

Details released by Google's Threat Analysis Group reveal that it has been combating a phishing campaign since 2019. The financially motivated campaign targets YouTube creators' accounts in order to take control of them. This is done by advertising a collaboration opportunity and directing the creator to a software download that disguises cookie- and password-stealing malware. Some hijacked accounts have been seen on account-trading markets at prices from $3 to $4,000.

By DarkReading.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #163 – 22nd October 2021


By Joshua Hare on 21/10/21

Cyber Round-up for 15th October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Microsoft Azure Defended Against Biggest DDoS Attack Ever

Microsoft announced earlier this week that it had "fended off the largest DDoS attack it's detected, which clocked in at 2.4Tbit/sec." The attack, a UDP reflection flood, targeted an Azure customer in Europe and came from roughly 70,000 sources, many in the Asia-Pacific region and the US. Microsoft said it was the largest attack it had ever encountered, and it may well be the largest volumetric attack publicly reported anywhere.

More details on the nature of this attack can be found here.

By TheRegister.com

Coinbase Phishing Attacks Using Stolen One-Time Passwords

Coinbase users have been targeted by phishing attacks in which criminals used a look-alike domain to capture one-time passwords for users' accounts. The domain was set up as a fake password-reset page that requested the victim's Coinbase login credentials. As soon as a victim arrived on the page the attacker was alerted, so they were ready to use the one-time password the moment it was entered, before its short validity window expired. This real-time relay is one of the ways criminals defeat accounts protected by SMS or authenticator-app multi-factor authentication. The domain has since been taken down but was reportedly quite successful while it was live. We advise all Coinbase users to be careful when entering credentials: always check that the site is the one you think it is. Our recommendation is to use hardware security keys (such as YubiKey), whose credentials are bound to the genuine site's domain and cannot be relayed from a phishing page, and hardware wallets for protecting your cryptocurrency assets.
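The difference between a relayable one-time password and an origin-bound credential is worth seeing in code. The following is an added example for this round-up, not Coinbase's code or the attacker's: it implements RFC 6238 TOTP, shows a phishing page relaying the victim's code inside its 30-second window, then models a security key whose signed assertion carries the page origin so the relying party can refuse one signed on a look-alike domain. Domains, passwords and keys are constructed, and the authenticator's asymmetric signature is stood in for by an HMAC so the example needs only the standard library.

```python
"""Relayed TOTP versus origin-bound credential (constructed example)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

REAL_ORIGIN = "https://login.example"          # constructed stand-in for the real site
PHISH_ORIGIN = "https://login-example.evil"     # constructed look-alike domain


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) as produced by an authenticator app."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TotpSite:
    """Genuine service: password plus a TOTP valid for the current 30 s window."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password, self.totp_secret = password, totp_secret

    def login(self, password: str, code: str, now: float) -> bool:
        return password == self.password and code == totp(self.totp_secret, now)


def relay_attack(site: TotpSite, password: str, code: str, now: float) -> bool:
    """Phishing page forwards what the victim typed; two seconds later the code
    is still inside its window, so the real site accepts it."""
    return site.login(password, code, now + 2)


@dataclass
class Assertion:
    origin: str        # set by the browser from the page the user is on, never by the user
    challenge: bytes
    signature: bytes


class SecurityKey:
    """Stand-in for a FIDO authenticator: per-site key, signs over (origin, challenge)."""
    def __init__(self):
        self.keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)   # a real key would hand back a public key
        return self.keys[rp_id]

    def sign(self, rp_id: str, origin: str, challenge: bytes) -> Assertion:
        mac = hmac.new(self.keys[rp_id], origin.encode() + challenge, hashlib.sha256)
        return Assertion(origin, challenge, mac.digest())


class WebAuthnSite:
    """Relying party: fresh challenge per login, origin checked before the signature."""
    def __init__(self, origin: str, key: bytes):
        self.origin, self.key, self.pending = origin, key, set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def verify(self, a: Assertion) -> bool:
        if a.challenge not in self.pending:
            return False                        # unknown or replayed challenge
        self.pending.discard(a.challenge)
        if a.origin != self.origin:
            return False                        # signed on a phishing page: reject
        expected = hmac.new(self.key, a.origin.encode() + a.challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, a.signature)


def demo_totp_relay(now: float = 1_000_000_000.0) -> bool:
    """Victim reads the code from their app and types it into the phishing page."""
    secret = secrets.token_bytes(20)
    site = TotpSite("correct horse", secret)
    return relay_attack(site, "correct horse", totp(secret, now), now)


def demo_origin_binding() -> tuple[bool, bool]:
    """Returns (genuine login accepted, relayed phishing assertion accepted)."""
    key = SecurityKey()
    site = WebAuthnSite(REAL_ORIGIN, key.register("login.example"))
    genuine = site.verify(key.sign("login.example", REAL_ORIGIN, site.challenge()))
    # Attacker fetches a real challenge and has it signed on the phishing page.
    # Even granting them the signature, the origin inside it is the wrong one.
    phished = site.verify(key.sign("login.example", PHISH_ORIGIN, site.challenge()))
    return genuine, phished


if __name__ == "__main__":
    print("relayed TOTP accepted:", demo_totp_relay())
    print("(genuine, phished) WebAuthn accepted:", demo_origin_binding())
```

In a real browser the phishing page would not even get that far: the credential is scoped to the relying-party ID, so the key has nothing to sign with for the look-alike domain. The origin check is the second, independent reason the relay fails.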

By KrebsOnSecurity.com

Sunderland University Hit by Potential Cyber-Attack

Sunderland University has reported "extensive IT disruption" and is working with the police and security experts to investigate what could be a cyber-attack. The University believes the incident has "all the hallmarks of a cyber-attack" and followed up with a statement about how seriously it takes the security of its systems, students and employees. Its website, IT systems and telephone systems are all still out of operation, but face-to-face teaching is going ahead on campus.

More details on the situation will no doubt surface in the coming weeks.

By BBC.co.uk

Russia-Based Criminals Behind Most Damaging Ransomware Attacks, Says NCSC

Cyber criminals based in Russia and its neighbouring countries are responsible for the majority of serious ransomware attacks against the UK, according to the National Cyber Security Centre. The head of the NCSC, Lindy Cameron, said that not enough UK businesses and services are prepared for such attacks, and that ransomware will remain highly lucrative and attractive to criminals while organisations stay vulnerable and willing to pay. A new initiative has been devised to deliver a "sustained, proactive" campaign to disrupt hackers targeting the UK; this will involve the National Cyber Force conducting offensive cyber operations in the UK's defence.

By BBC.co.uk

Cyber Attack Strikes Hotel Chain Meliá

One of the world's biggest hotel chains, Meliá, has been targeted by cyber criminals, with parts of its internal network and web-based servers taken offline. No ransomware gang has claimed the attack and the hotel has not appeared on any "leak site", but that may simply be because some ransomware gangs do not operate publicly. The chain is reportedly working with Telefónica's cyber security division to deal with the attack's aftermath.

By TheRecord.media

Vulnerabilities & Updates

Apple Release Emergency Patch for iOS Zero-Day

Apple has released iOS and iPadOS 15.0.2. The update addresses a zero-day memory corruption vulnerability that Apple says may have been actively exploited; successful exploitation could allow an application to execute arbitrary code with kernel privileges on the device. As always, we advise updating to the latest version as soon as possible.

By BleepingComputer.com

Microsoft’s Patch Tuesday Removes 71 Vulnerabilities

On Tuesday Microsoft released security patches for 71 vulnerabilities in Windows and other software and services. Two are rated critical, and the release includes the following four publicly disclosed (zero-day) flaws, one of which, CVE-2021-40449, was being actively exploited:

CVE-2021-40449 (CVSS score: 7.8) - Win32k Elevation of Privilege Vulnerability

CVE-2021-41335 (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability

CVE-2021-40469 (CVSS score: 7.2) - Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-41338 (CVSS score: 5.5) - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

Patch Tuesday continues to be an integral part of Microsoft’s push for security of its users and services. We advise that these new updates are reviewed and installed at the earliest opportunity.

By TheHackerNews.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #162 – 15th October 2021


By Joshua Hare on 14/10/21

Cyber Round-up for 8th October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

150 Million Google Accounts to Auto-Enroll into MFA

Google announced this week that it will automatically enrol more than 150 million user accounts in two-step verification by the end of 2021. Many users are unaware of multi-factor authentication, or simply do not bother with it, so it goes largely unused on most Google accounts. MFA is one of the most effective protections for a user account: an attacker who obtains your username and password still cannot sign in without the second factor. Google believes it "know[s] the best way to keep our users safe" and is eager to "automatically configure our users' accounts into a more secure state".

By BleepingComputer.com

100GB of Data Exposed in Twitch Data Breach

This week, 100GB of data was stolen from Twitch and posted online. The streaming service, owned by Amazon, confirmed the breach and said it was working to "understand the extent of it". The data reportedly includes the salaries and earnings of Twitch's top streamers; one streamer reported that the "earnings list got my figure 100% correct". Creators such as xQc and Summit1g, some of the biggest names on Twitch, were included in the leak. The company is "working with urgency" and will likely provide updates once its investigation is complete.

By BBC.co.uk

4.6 Million Affected by Neiman Marcus Data Breach

Luxury department store Neiman Marcus recently discovered a data breach that exposed the personal information of more than 4.6 million customers. The data included names, contact information, payment card details, usernames, passwords, and security questions and answers. Neiman Marcus confirmed that only its online store was affected; Bergdorf Goodman and Horchow were left completely unaffected.

By TheRecord.media

Sandhills Global Crippled by Ransomware Attack

US-based trade publication and hosting firm Sandhills Global was recently hit by a ransomware attack that crippled its operations; the attack forced it to suspend a number of business services and temporarily shut down its website. Users attempting to reach Sandhills' hosting platform are met with a Cloudflare error page stating that the service is currently unavailable. The company is working to restore operations and will "provide updates regarding this matter and the status of our services as soon as possible."

By BleepingComputer.com

Vulnerabilities & Updates

2 Zero-Day Vulnerabilities Discovered in Google Chrome

Google has released an urgent update for its Chrome browser fixing four security bugs, two of which are zero-days already being exploited in the wild: CVE-2021-37975, a use-after-free in the V8 JavaScript engine, and CVE-2021-37976, an information leak in core. A use-after-free in V8 can be abused to execute arbitrary code or crash the browser. These are the fourth and fifth Chrome zero-days in a single month, bringing the total to 14 since the start of the year. Chrome users are advised to update to version 94.0.4606.71 or later.

By TheHackerNews.com

Severe Vulnerability Access Demo Importer Patched

The Access Demo Importer plugin for WordPress has been under active attack because of a vulnerability that allowed any authenticated user, including subscribers, to install a zip file from an external source as a plugin. A zip containing malicious PHP code gives remote code execution once extracted and allows a full site takeover. The plugin performed no check on the imported file's contents or origin. The vulnerability was discovered on August 10th and a full patch has been available since September 21st. We recommend updating your plugins as soon as possible.

More information can be found here.

By Wordfence.com

Apache Patch gets Exploited

Apache HTTP Server 2.4.49 fixed a number of security flaws, but a change to its path normalisation code introduced a severe new one. Tracked as CVE-2021-41773, the flaw is a path traversal: the normaliser did not treat a percent-encoded dot as a dot, so a crafted URL could map to files outside the expected document root on servers where those locations were not protected by a "require all denied" rule. The result is file disclosure (reading /etc/passwd to enumerate local user accounts, or the source of CGI scripts, which may hold credentials) and, where CGI scripts are enabled, remote code execution. The follow-up fix in 2.4.50 was itself incomplete, so administrators should move to 2.4.51 or later.
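The bug class is easy to reproduce and to hunt for in logs. The following is an added example for this round-up, not Apache's code: it contrasts a normaliser that collapses ".." before percent-decoding (the shape of mistake behind the regression, not the exact httpd change) with one that decodes first and refuses to rise above the root, and it scans a constructed access-log excerpt for requests whose fully decoded path contains a ".." segment. The document root, URLs and log lines are constructed.

```python
"""Encoded dot-segment traversal: vulnerable mapping, hardened mapping, log check."""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"        # constructed


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so doubly encoded dots ('%%32%65') are seen too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def naive_normalize(path: str) -> str:
    """Collapses literal '.' and '..' first and decodes afterwards. When the check
    runs, '.%2e' is just another segment; it survives and then becomes '..'."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(unquote(s) for s in segments)


def map_vulnerable(doc_root: str, request_path: str) -> str:
    """Trusts the normaliser and joins its output onto the root. normpath here plays
    the part of the operating system resolving the leftover '..' segments."""
    rel = naive_normalize(request_path).lstrip("/")
    return posixpath.normpath(posixpath.join(doc_root, rel))


def map_hardened(doc_root: str, request_path: str) -> str | None:
    """Decode first, walk the segments with a depth counter and refuse any path that
    tries to rise above the root, then re-check containment on the result."""
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        return None
    kept: list[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not kept:
                return None                 # would escape the document root
            kept.pop()
            continue
        kept.append(seg)
    target = posixpath.normpath(posixpath.join(doc_root, *kept))
    if posixpath.commonpath([doc_root, target]) != doc_root:
        return None                         # belt and braces
    return target


LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(access_log: str) -> list[str]:
    """Request paths whose fully decoded form contains a '..' segment."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_LINE.search(line)
        if m and ".." in fully_decode(m.group(1)).split("/"):
            hits.append(m.group(1))
    return hits


# Constructed access-log excerpt in Apache combined format; client addresses are
# from documentation ranges, the third line shows double encoding.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:12:01 +0000] "GET /.%2e/.%2e/.%2e/etc/hosts HTTP/1.1" 200 220 "-" "curl/7.68.0"
203.0.113.5 - - [05/Oct/2021:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
198.51.100.7 - - [05/Oct/2021:10:13:11 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/hosts HTTP/1.1" 200 220 "-" "python-requests/2.26"
"""

if __name__ == "__main__":
    probe = "/.%2e/.%2e/.%2e/etc/hosts"
    print("vulnerable mapping:", map_vulnerable(DOC_ROOT, probe))
    print("hardened mapping:  ", map_hardened(DOC_ROOT, probe))
    print("flagged requests:  ", suspicious_requests(SAMPLE_LOG))
```

Note that the naive normaliser does stop a plain "/../../../etc/hosts"; it is only the encoded form that slips through, which is why a log search for the literal string ".." misses these requests and the decode-then-split check above is needed.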

By ZDNet.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #161 – 8th October 2021


By Joshua Hare on 7/10/21

Cyber Round-up for 1st October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Giant Umbrella Suffers Data Breach

Payroll provider Giant Umbrella was forced to delay salary payments following a suspected data breach. The firm announced last Friday that all operations had been suspended after it detected "suspicious activity" on its network. Giant has confirmed it is doing everything it can to minimise disruption to its payroll schedule and was already able to process "8,000 of the outstanding wage payments". Operations have not been fully restored and some contractors are still reporting delays.

By ComputerWeekly.com

The Rise of People-Focused Cyber Attacks

Traditional infrastructure-focused attacks are giving way to people-focused ones, with the large majority of compromises now starting with a person rather than a technical flaw. Reports covering 2020 showed a 300% increase in ransomware attacks, with email the "primary point of entry". Phishing and email scams have proven so successful that few attacks do not start with them. Business Email Compromise has also grown, with victims losing around $2bn in the last year. On top of this, steganography (hiding a payload inside an innocuous-looking image or other file) has become harder to defend against: more than one in three targets of steganography-based attacks last year reportedly clicked on the malicious payload. That click rate exceeds anything seen before and shows that, with people as the primary target, a strong security culture is more important than ever.

By Infosecurity-Magazine.com

Fantasy Premier League Account Security

The official Premier League fantasy football platform is investigating an incident in which several accounts were compromised and deleted. The investigation confirmed there was "no breach of their servers", and all affected user accounts have been reinstated. All users are encouraged to practise proper password management, using a unique password for the service, and to ensure their accounts are secure. This was the statement emailed to users:

By SkySports.com

Threats

BloodyStealer Trojan Targets Steam, Epic and Origin Users

Researchers believe the market for "stolen gamer data" is growing rapidly and is in high demand on underground forums. This has led to the appearance of BloodyStealer, a trojan designed to capture cookies, passwords, payment card details saved in browsers, and active application sessions. All gamers are advised to review their account settings, enable two-factor authentication, and make sure their accounts are secure.

By ThreatPost.com

Vulnerabilities & Updates

QNAP Fixes Critical QVR Surveillance Vulnerabilities

QNAP, maker of network-attached storage (NAS) devices, has released a patch addressing two critical vulnerabilities in its QVR video management system, both rated 9.8 out of 10, along with a third flaw rated 7.2. Exploitation of these flaws could allow an attacker to execute arbitrary code on the victim's system. We advise all QNAP customers to update as soon as possible.

More details on these bugs can be found here.

By BleepingComputer.com

No Fix for Azure AD Password Brute-Force

Researchers have disclosed a flaw in Azure Active Directory that lets an attacker brute-force usernames and passwords without detection. The issue lies in the Seamless Single Sign-On autologon endpoint: failed sign-in attempts against it are not recorded in the Azure AD sign-in logs, so an attacker can try as many credentials as they like without alerting administrators. There are currently no workarounds and a fix is not yet available, but details of the issue can be found here.

By arstechnica.com

Apple Pay Exploit Allows Unauthorised Payment

A newly discovered flaw in Apple's contactless payment feature could allow an attacker to make "large unauthorised contactless payments", even if the device is locked. Researchers demonstrated the flaw with a £1,000 payment from a locked iPhone. It only affects devices with a Visa card set up in "Express Transit" mode. The attack uses a piece of radio equipment to convince the phone it is talking to a ticket barrier; this triggers the Express Transit feature, and the resulting transaction is then relayed to an ordinary payment terminal, which accepts an amount far above the transit limit. For this to work the victim's device must be in the attacker's hands, and Visa considers the attack "impractical"; we believe it is still a real risk.

There is currently no fix, but we advise Apple Pay users who lose a device to mark it as lost in Find My, which suspends Apple Pay, or to wipe it via iCloud.

By BBC.co.uk

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #160 – 1st October 2021


By Joshua Hare on 30/9/21

Cyber Round-up for 24th September

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Alaskan Health Service Suffers Cyberattack

The Alaska Department of Health and Social Services has suffered an attack attributed to a nation-state group. The attackers accessed IT systems and compromised the personal information of a large number of individuals, including names, dates of birth, social security numbers, addresses, and health and financial information. The DHSS is investigating the incident and will be notifying everyone affected. Systems are yet to be restored and we will provide more details when we learn more.

By TheRecord.media

European Police Catch Mafia Fraud Ring

Europol announced recently that it had taken down a criminal group responsible for around £10M of online fraud, as well as drug trafficking and property crime. The group is believed to have ties to the Italian mafia, and 106 members were arrested in the operation. It was far more organised than the typical cybercrime crew and was run by experienced specialists in cyber fraud and money laundering. This is one more step towards a safer internet for individuals and businesses, and it is encouraging to see law enforcement continue to crack down on cybercrime.

By Infosecurity-Magazine.com

Autodiscover Bug is Leaking Windows Passwords

A flaw in the way mail clients use Microsoft Exchange's Autodiscover feature is leaking the email addresses and passwords of Windows users. Autodiscover lets a client configure itself for email or calendar from nothing more than an email address and password, by fetching a configuration file from a server derived from the address's domain. The problem is the client's "back-off" behaviour: when the lookups under the user's own domain fail, some clients strip labels and move up towards the top level, ending at a host such as autodiscover.<tld> that the organisation does not control. Anyone who registers such a host can challenge the client for credentials, and clients that downgrade to HTTP Basic authentication hand over the password in clear. This was designed for ease of use but is now a serious security issue; the leak is invisible to anyone who does not know where to look, yet the researchers have collected more than 372,000 unique credentials so far.
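The back-off is easier to reason about when the candidate list is written out. The following is an added example for this round-up, not Microsoft's client code or the researchers' tooling: it builds the Autodiscover URLs a client may try for a mailbox, shows which of them fall outside the user's own domain once back-off is allowed, and contrasts a client that sends credentials to any host that challenges it with one that refuses to leave the mailbox domain. The candidate order follows the documented Autodiscover lookup; the mailbox domains and attacker-held hosts are constructed.

```python
"""Autodiscover back-off: which hosts receive the credentials, and a safer client rule."""
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def candidate_urls(email: str, back_off: bool) -> list[str]:
    """URLs a client may try for the given address.

    The first two are the standard lookups under the mailbox domain. With
    back_off=True the client keeps dropping the left-most label when those
    fail, so for user@example.co.uk it ends at autodiscover.co.uk and then
    autodiscover.uk, hosts the organisation does not own.
    """
    domain = email.rsplit("@", 1)[1].lower()
    hosts = [f"autodiscover.{domain}", domain]
    if back_off:
        labels = domain.split(".")
        while len(labels) > 1:
            labels = labels[1:]
            hosts.append("autodiscover." + ".".join(labels))
    return [f"https://{h}{AUTODISCOVER_PATH}" for h in hosts]


def in_mailbox_domain(url: str, domain: str) -> bool:
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def leaking_urls(email: str) -> list[str]:
    """Candidates a backing-off client would contact outside the user's own domain."""
    domain = email.rsplit("@", 1)[1].lower()
    return [u for u in candidate_urls(email, back_off=True)
            if not in_mailbox_domain(u, domain)]


def naive_decision(url: str, www_authenticate: str) -> str:
    """The leaking behaviour: any host that answers 401 gets the credentials, and a
    Basic challenge gets them base64-encoded, i.e. in clear, over that connection."""
    if www_authenticate.lower().startswith("basic"):
        return "send-credentials-basic"
    return "send-credentials"


def hardened_decision(url: str, domain: str, www_authenticate: str) -> str:
    """Only answer HTTPS hosts under the mailbox domain; a failed lookup is never a
    reason to try a host the organisation does not control."""
    if urlsplit(url).scheme != "https" or not in_mailbox_domain(url, domain):
        return "refuse"
    return naive_decision(url, www_authenticate)


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.co.uk"):      # constructed mailboxes
        leaks = set(leaking_urls(addr))
        print(addr)
        for u in candidate_urls(addr, back_off=True):
            print("  LEAK " if u in leaks else "  ok   ", u)
```

For defenders who cannot change the client, the same candidate list tells you what to block: outbound requests to autodiscover.<tld> hosts have no legitimate purpose from inside an organisation and can be denied at the proxy or firewall.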

More details on this can be found here.

By TechCrunch.com

Facebook Ray-Ban Story Smart Glasses

After the backlash over Google Glass, you would not expect Facebook to announce its own smart glasses, yet here are the 'Ray-Ban Stories'. The Facebook-branded glasses follow in the footsteps of the failed Google Glass, which drew heavy criticism over wearers recording people without their knowledge. Even with the little information available, it is clear the Ray-Ban Stories will face trouble with privacy regulators; Facebook's latest product is already under investigation to determine whether "Facebook's smart spectacles are doing enough to warn people that they are being recorded by the wearer."

By GrahamCluley.com

Threats

Go Malware Targets WordPress & Linux

A new malware strain written in Go has been discovered targeting WordPress and Linux systems. It breaks in by exploiting known vulnerabilities, including one in the WordPress plugin Download Monitor, and once installed is capable of executing arbitrary code. The strain has been named Capoae.

More details on this can be found here, as well as guidance on how to spot/prevent it.

By ZDNet.com

Vulnerabilities & Updates

macOS Zero-Day Could Lead to Remote Code Execution

Researchers have discovered a zero-day flaw in Apple's macOS Finder that could allow an attacker to run arbitrary commands on the victim's system. The issue lies in the handling of .inetloc files: files with this extension can be made to execute embedded commands, as the researcher's proof-of-concept shows. Apple appeared to address the vulnerability in its latest patch, but the fix was incomplete and can be bypassed, which Apple has been told. We will provide updates when a new patch is released.

By BleepingComputer.com

IT Infrastructure at Risk from Nagios Software Bugs

The Nagios network monitoring products are affected by 11 security vulnerabilities that allow attackers to gain the highest system privileges and execute code remotely without authenticating. This opens the door to further attacks and credential theft and demands an immediate fix. Nagios occupies the same position in a network as the SolarWinds and Kaseya products, and we all know the impact that can follow from exploiting products with that level of access.

More details on the severity of these flaws, as well as the CVEs, can be found here.

By TheHackerNews.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #159 – 24th September 2021


By Joshua Hare on 23/9/21

Cyber Round-up for 17th September

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Puma Source Code Stolen by Hackers

Sportswear manufacturer Puma was recently hit by hackers who stole source code from one of its internal applications. The group has threatened to publish the stolen files on a specialised dark web portal unless a ransom is paid. Puma has confirmed that "No consumer or employee data was affected", although the hackers claim to possess around 1GB of Puma data and have released sample files on a dark web site known as Marketo. It is unclear how Puma will respond, but we will provide updates when we learn more.

By TheRecord.media

Yandex Hit by Record-Breaking DDoS Attack

Russian internet giant Yandex has become the latest victim of a new botnet known as Meris, which sent a record-breaking 21.8 million requests per second at its target. Despite being a new player, Meris is growing rapidly and is becoming a serious problem, using HTTP pipelining to multiply the requests each connection can deliver. We are likely to see more of this botnet in the future.

By TheHackerNews.com

Over 60 Million Fitness Tracking Records Exposed Online

A database of more than 60 million records was recently left unsecured and accessible online. The records related to "wearable technology", specifically fitness tracking services, and contained names, dates of birth, weight, height, gender, and GPS locations. A sample of the data shows that "the majority of data sources were from Fitbit and Apple's HealthKit". Researchers believe GetHealth was the likely owner of the data and are pursuing the company for more information.

By ZDNet.com

Former NSA Employees Fined for UAE Hacker Services

The US Department of Justice recently fined three former NSA employees who had been offering hacker-for-hire services to the United Arab Emirates. The fines, of $750,000, $600,000 and $335,000, were agreed in place of prosecution and jail time. The DOJ is working to crack down on the hacker-for-hire trend, and these are unlikely to be the last penalties issued. The agreement also imposes a lifetime ban on US security clearances, restrictions on UAE employment, and mandatory cooperation with DOJ and FBI components.

By TheRecord.media

Anonymous Leak Data of Alt-Right Web Host Epik

Anonymous recently stole gigabytes of data from web hosting provider Epik and leaked it online. The hacktivist group claims the data is "all that's needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and, well, just everybody." Anonymous is believed to be in possession of "a decade's worth of data from the company."

By arstechnica.com

Threats

Zloader Attack Disables Windows Defender

The Zloader campaign currently targeting Windows users has adopted a new infection method that disables Microsoft Defender to evade detection. The campaign also no longer uses phishing emails to lure victims; instead it uses "Teamviewer Google ads published through Google Adwords", so the malicious download sits at the top of a search for legitimate software. We strongly advise caution with sponsored results and recommend avoiding them altogether where possible, going instead to the vendor's own site.

By BleepingComputer.com

Vulnerabilities & Updates

Microsoft Patch Actively Exploited Zero-Day

Microsoft's September Patch Tuesday addressed 66 vulnerabilities, three of them rated critical. The most dangerous flaw in this update is a Windows MSHTML zero-day that has reportedly been actively exploited for the last two weeks. We strongly recommend applying the update as soon as possible to protect against this zero-day, as well as the other critical and important flaws addressed this week.

By ThreatPost.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #158 – 17th September 2021


By Joshua Hare on 16/9/21

Ironshare is a provider of Information and Cyber Security services.
