Blog

Ironshare's latest posts ready to view and share.

Cyber Round-up for 19th March

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Attack Forces College to Close for a Week

South and City College in Birmingham has had to close all of its campuses for a week, due to a recent cyber-attack that crippled their IT systems. The college has notified the Information Commissioner’s Office and reverted to online classes until their systems are restored. A recent statement posted on their website labelled the incident as a “major ransomware attack” that encrypted many of their servers and workstations. The group behind the attack has not yet been identified.

By FEWeek.co.uk

ZHtrap Botnet Uses Honeypots to Steal Bots from Rivals

Security researchers have discovered a new botnet that appears to be an enhanced variant of the well-known Mirai IoT malware. This new botnet, named ZHtrap, exploits flaws to infect CCTV cameras, Realtek devices, DVRs and more. The behaviour of this malware is quite unique, as it has been seen using honeypots to hijack bots from its rival cyber criminals.

More details on this new botnet can be found here.

By TheRecord.media

PYSA Ransomware Plagues Education Sector

The FBI has issued warnings to the education sector following an increase in ransomware attacks, specifically the PYSA ransomware. In March alone, 12 schools from the US and UK have been hit by PYSA, including higher education facilities. Other targets of these attacks include government and healthcare institutions, as well as a handful of private companies.

More details on the techniques used in the attacks can be found here.

By ThreatPost.com

One-Click Mitigation Tools for Microsoft Exchange

Microsoft have released a new batch of mitigation tools for on-premise Exchange servers, specifically for those who have not yet applied the latest security patches for the recent ProxyLogon 0-day. Running the new tool is the fastest way to reduce the likelihood of an attack; however, this is not an alternative to the security patch, and it is still vital that systems are updated as soon as possible.

The Microsoft Safety Scanner tool can be downloaded here.

By MSRC-Blog.Microsoft.com

Threats

Elon Musk Giveaway Scam Targets Twitter Users

A Twitter account impersonating Elon Musk has been plaguing users with its fake bitcoin giveaway. The scam told users that any bitcoin they sent would be doubled and returned to them; many users fell victim to this, with one man from Germany losing approximately £430,000 worth of bitcoin. This year has been incredibly profitable for scammers, with campaigns making “record-breaking sums” in 2021. As always, if something seems too good to be true, it probably is. Be careful when clicking links and providing details to suspicious individuals.

By BBC.co.uk

Merchants at Risk from PayPal Fraud Threats

There are many risks that merchants face when using PayPal, including overpayment, shipping scams and phishing. Overpayment and shipping scams are both big issues, in which scammers can trick PayPal into believing their product was not delivered and claim back their money, while keeping the product. Generic phishing is also very popular, with PayPal being one of “the most-spoofed brands”. We advise all merchants to be cautious when using PayPal, as scams are incredibly common and can impact your bottom line if ignored.

By WeLiveSecurity.com

Vulnerabilities & Updates

LockBit Ransomware Bug Allows Free Decryption

This is not your typical vulnerability; in fact, this is a good one in some ways. The LockBit ransomware has become increasingly active recently, and this new bug in the service allows victims to decrypt their data for free. The bug was advertised on a cybercrime forum, detailing how the one-time free decryption works. It is expected that this will be patched pretty soon, making future decryptions much more costly for victims.

By TheRecord.media

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #133 – 19th March 2021

By Joshua Hare on 18/3/21

Cyber Round-up for 12th March

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

150,000 Cameras Hacked in Verkada Data Breach

Security company Verkada recently had their systems hacked by a group of unknown cybercriminals. The firm provides security cameras for many high-profile companies, such as Tesla and Virgin Hyperloop. Verkada have set up a support line for the affected customers while their security team investigates the incident alongside law enforcement. Tesla have not yet commented on the situation, but other victims such as Cloudflare have confirmed that a number of offices around the world have been affected.

By BBC.co.uk

Darknet Marketplaces Selling COVID-19 Vaccines

The darknet has quickly taken advantage of those desperate to get the COVID-19 vaccine by selling them on dark web marketplaces. Prices for these vaccines range from $250 to $1,200 across 15 different marketplaces, and Kaspersky researchers have observed multiple sellers, all of which have made between 100 and 500 transactions. Although some of these sellers are providing legitimate vaccines, interacting with these individuals is very risky and we advise everyone to wait for an official vaccine.

By Kaspersky.com

Remediation for Microsoft Exchange Vulnerabilities

CISA have released an article containing guidance for those affected by the recent Microsoft Exchange vulnerabilities; this includes advice for organisation leaders and IT security staff, with remediation and mitigation techniques. We advise all companies affected by these flaws to look into this article, as it includes references to multiple sources of information and will be regularly updated by CISA with new information and guidance.

By US-Cert.CISA.gov

Threats

Google reCAPTCHA Scam Targets Office 365 Users

A new phishing scheme has been discovered that is targeting Office 365 users with the intent of stealing their credentials. This scam is unique, as it uses a fake Google reCAPTCHA that redirects to a malicious Microsoft login page containing the logo of the victim’s company. All Office 365 users are advised to verify the legitimacy of any emails they receive, and be cautious when asked to provide credentials or other sensitive information.

By ThreatPost.com

Vulnerabilities & Updates

Microsoft March 2021 Patch Tuesday

Microsoft have released their monthly batch of security updates, including fixes for 89 vulnerabilities, 14 of which are considered critical. These critical flaws include remote code execution in Internet Explorer, Git for Visual Studio and DNS Servers. We advise all users to apply the latest updates as soon as possible to stay protected.

More details on these flaws can be found here.

By Blog.TalosIntelligence.com

Remote Hacking Bug Present in Billions of Apple Devices

Apple have released an emergency patch for a vulnerability affecting iOS, macOS, watchOS and the Safari web browser. The exploit was made possible by a memory corruption issue and allows an attacker to execute arbitrary code on the target devices using malicious web content. This was reported to Apple by researchers from Google’s Threat Analysis Group and Microsoft’s Browser Vulnerability Research group. We advise all Apple customers to update their devices as soon as they can.

By TheHackerNews.com

Overview of F5 Critical Vulnerabilities

This week, F5 released a security advisory for four critical vulnerabilities, including remote code execution and buffer overflow flaws in the iControl REST interface, the TMUI and TMM. These flaws are considered critical severity, and so F5 advises that all users apply the latest updates as soon as they can.

More details on these vulnerabilities can be found here.

By Support.F5.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #132 – 12th March 2021

By Joshua Hare on 11/3/21

Cyber Round-up for 5th March

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Missing Teenagers Contacted Suspected Abductors Using School Laptops

Two teenage girls recently went missing, and investigations found that they were chatting with their abductors using laptops provided by their school. Fortunately, the missing girls were found alive and were rescued by law enforcement, but it is worrying that the school-issued device could be used to reach online platforms and communicate with the abductors in this way.

By InfoSecurity-Magazine.com

Npower Data Breach Compromises User Accounts

UK energy company Npower recently suffered a data breach in which personal information was stolen and user accounts were accessed by the hackers. The attack involved credential stuffing and many accounts were compromised; as a result, Npower have shut down their mobile app and advised all users to change their passwords as soon as possible. This attack would have been entirely avoidable if users had used unique passwords; password reuse is one of the primary causes of account compromise, and the prime reason why this breach was possible.

By GrahamCluley.com

Threats

Ryuk Ransomware Evolves to Self-Spread Across LAN Devices

A new variant of the Ryuk ransomware has emerged, and this time it is capable of spreading to other Windows devices on the local network, much like a worm. In addition, it can also remotely execute itself using scheduled tasks created on each host it has compromised. This is not the first time we have seen the Ryuk ransomware or its evolution, and I doubt it will be the last.

By BleepingComputer.com

New ObliqueRAT Campaign Uses Hijacked Websites

The Cisco Talos team have found a new variant of a known malware campaign that is using malicious MS Office documents to spread the remote access trojan known as ObliqueRAT. So far, this campaign has been seen targeting organisations in South Asia; it has links to the Transparent Tribe APT group and can be difficult to spot, since the payload is hidden in “seemingly benign image files hosted on compromised websites”.

More details on this campaign can be found here.

By Blog.TalosIntelligence.com

Vulnerabilities & Updates

Zero-Days Discovered in Microsoft Exchange Servers

This week, Microsoft discovered multiple zero-day exploits being used in attacks against on-premise Exchange Servers. The group responsible for the attacks is believed to be a state-sponsored group called HAFNIUM, who have been known to operate out of China. Users of on-premise Exchange Servers are strongly advised to update their systems as soon as possible.

Technical details, IoCs and other information can be found here.

By Microsoft.com

Critical Security Flaw Found in Cisco Nexus Switches

A critical vulnerability has been found affecting Cisco Nexus 3000 and Nexus 9000 Series Switches. This flaw allows remote attackers to bypass authentication on the device and is one of three critical flaws addressed in the latest patch. This authentication-bypass bug has been given a CVSS score of 10 due to how easily it can be exploited. As always, we recommend updating your devices as soon as possible.

More details can be found here in Cisco’s official security advisory.

By ThreatPost.com

New Chrome Zero-Day Used in Active Attacks

Google have released their latest security patch, which includes a fix for a newly discovered zero-day flaw that is being actively exploited in the Chrome web browser. The patch also addresses 46 other vulnerabilities, including an “object lifecycle issue in audio”. We advise all Chrome users to update to version 89.0.4389.72 to ensure they are protected from exploitation.

By TheHackerNews.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #131 – 5th March 2021

By Joshua Hare on 4/3/21

Cyber Round-up for 26th February

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Parents Warned About NurseryCam Security Breach

Following on from last week’s NurseryCam post, more information has come to light. Parents have now been informed of a confirmed breach of security and the company have shut down their server as a “precautionary measure”. Their services, which were being used by more than 40 nurseries across the UK, have been suspended until a fix is found. NurseryCam confirmed that usernames, passwords, names, and email addresses may have been leaked in the breach.

By BleepingComputer.com

Airplane Manufacturer Data Leaked on Ransomware Site

Bombardier, a Canadian airplane manufacturer, has announced they fell victim to a recent security breach. The attack, which is likely related to the recent Accellion FTA flaw, was carried out by the Clop ransomware gang, who published the firm’s sensitive data on a dark web portal; this was made possible by a 0-day vulnerability existing in a third-party file-transfer application running on isolated servers in the Bombardier network.

More details on this breach can be found here.

By ZDNet.com

Threats

New macOS Malware Discovered by Researchers

A new, previously undetected strain of malware has been found that targets macOS systems. This malware, which has been named “Silver Sparrow”, uses many common techniques, such as a LaunchAgent for persistence. However, Silver Sparrow is interesting because it does not operate in the same way as other strains; the main talking point is its method of execution using JavaScript, something that has not been seen in macOS malware before. As of February 17, this malware had infected 29,139 macOS devices across 153 countries; the majority of these infections, however, were in the US, the UK, Canada, France, and Germany.

More details on this malware, including technical analysis and a list of indicators of compromise, can be found here.

By RedCanary.com

FedEx Phishing Attack Affects 10,000 Microsoft Users

Many Microsoft email users have reportedly received phishing emails from individuals pretending to be couriers for FedEx and DHL Express. The aim of these phishing attacks was to steal email account credentials, and the scam page was hosted on a legitimate domain to bypass email security measures. This has become a common technique in recent phishing attacks, with many hosting their phishing pages on services such as Google Sites and Box.

By ThreatPost.com

Clubhouse Suffer Audio Stream Data Spillage

New social media site Clubhouse, which is known for its audio chatrooms, has suffered a data leak in which an unauthorised user was able to stream audio feeds they should not have had access to. This violated the app’s terms and conditions, and so the individual responsible was permanently banned; Clubhouse state that additional security measures were implemented to ensure this does not happen again.

By BBC.com

Vulnerabilities & Updates

More Updates for SonicWall SMA 100 Flaw

Recently, firewall vendor SonicWall discovered and patched a zero-day vulnerability in their SMA-100 remote access devices. A week later, a second firmware update has been published to introduce “additional safeguards”. The latest update includes performance enhancement, code-hardening fixes, a number of customer issue fixes and previous SMA 100 series zero-day fixes. We recommend applying this latest patch as soon as possible if you use SMA appliances.

By BleepingComputer.com

Remote Code Execution Flaw Found in vSphere Client

It was recently discovered that multiple flaws exist in the VMware ESXi and vSphere Client, including a remote code execution vulnerability with a CVSS score of 9.8. Updates have now been published for these flaws and we recommend that all VMware customers update their products to the latest version as soon as possible.

More details on these bugs can be found here.

By vmware.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #130 – 26th February 2021

By Joshua Hare on 25/2/21

Cyber Round-up for 19th February

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

UK Supports US Charges Against North Korean Hackers

The US Department of Justice and FBI have charged North Korean hackers suspected of being part of the Lazarus Group. The group was responsible for a series of malicious attacks, including ATM cash-out attacks, spear phishing campaigns and ransomware creation. The director of the NCSC has expressed the UK’s full support for the charges issued against the cyber actors and will continue to work with the US to combat this kind of malicious activity.

Here is the DoJ’s official statement on the incident.

By NCSC.gov.uk

Egregor Ransomware Operators Arrested

So far, 2021 has seen a successful start to the year for law enforcement against cyber criminals. A few weeks ago Europol coordinated an effort to take down the Emotet botnet, and this week we see that trend continue, with French and Ukrainian police working together to arrest the operators of the Egregor Ransomware-as-a-Service. Egregor has followed a recent ransomware model that first steals the company’s data, to try and force the victim to pay; if the victim refuses to pay, the stolen data is leaked on the internet as punishment. This is good news for defenders, as Egregor stood as one of 2020’s most active ransomware operations.

By ZDNet.com

Ex-Employee Plants Ransomware on Company Network

An unnamed company in Westport, Connecticut has reported a serious incident in which a former employee accessed their computer systems the day before ransomware was planted on the company’s network. The ex-employee is being investigated but has not yet been proven guilty. This serves as a warning for all companies to remove the user accounts of former employees and ensure that all access to systems is removed when they leave; leaving the user accounts of former employees active poses unnecessary risk to your organisation.

By GrahamCluley.com

Threats

NurseryCam Users Warned of Security Flaws

A NurseryCam is a device that allows parents to remotely watch their children while they are at nursery; however, there have recently been some security issues that may worry parents. The flaw that was found allows unauthorised users to access the camera feed; this includes past parents as well as anyone on the internet. Reports suggest that NurseryCam were aware of this issue back in 2015, and the bug is still present now. We agree with the researcher’s position, and any nurseries using these systems are advised to unplug the device as soon as possible and contact the vendor to seek a resolution.

More details and guidance can be found here.

By CyberGibbons.com

Masslogger Trojan Targets Windows Users

A new variant of the Masslogger trojan has emerged, and it is targeting Windows users. This malware is a form of spyware designed to steal victims’ credentials, specifically for Microsoft Outlook, Google Chrome, and multiple instant-messenger applications. As this attack typically begins with a spear-phishing attempt, we advise all users to be cautious when receiving emails, even if they appear to come from someone you know.

A list of affected applications and more details can be found here.

By ThreatPost.com

Vulnerabilities & Updates

One Million Sites Affected by Ninja Forms Plugin Flaw

Four severe vulnerabilities have been discovered in the Ninja Forms WordPress plugin, which is currently used in more than one million sites. The first of these flaws allows an attacker to redirect administrators to arbitrary locations, while others allow mail traffic interception, central management access and the disconnection of a site’s OAuth Connection. These vulnerabilities are extremely dangerous and were all addressed in patch 3.4.34.1; we advise all users to upgrade to this version as soon as possible to ensure their site is protected.

By Wordfence.com

Android App SHAREit Remains Unpatched After 3 Months

An Android app known as SHAREit was found to contain multiple vulnerabilities allowing attackers to execute malicious code, launch man-in-the-middle attacks and spy on activity. Despite being found and disclosed 3 months ago, these flaws remain unpatched; this is a serious issue, especially considering the application has more than 1 billion downloads. There is currently no patch for these flaws, and so all users who have downloaded this app are at risk.

By ThreatPost.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #129 – 19th February 2021

By Joshua Hare on 18/2/21

Cyber Round-up for 12th February

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Ziggy Ransomware Releases Victim’s Decryption Keys

The administrator of the Ziggy ransomware has published a statement announcing that they are shutting down operations and publishing all decryption keys. In this announcement, the operator apologises for the harm they have caused their victims and says that the keys will be published as soon as possible. The administrator also revealed that they “created the ransomware to generate money as they live in a third-world country”; however, they felt too guilty to continue operations.

An SQL file containing 922 decryption keys was posted by the admin. Based on this information, Emsisoft have made a decryptor available, which can be found here.

By BleepingComputer.com

Hacker Changes Chemical Levels of Drinking Water in Florida

The computer systems of Oldsmar, Florida’s water treatment facility were compromised last week and the chemical levels of the drinking water were changed. The hacker, who is yet to be identified, gained access to the facility from a remote computer set up for control of the water treatment operations. The attack was discovered almost immediately, and the changes were reverted; Oldsmar city staff have confirmed that no altered water was delivered to the locals. This kind of critical infrastructure attack is what the cyber security community has been dreading; let’s hope this does not become a more common occurrence.

By ZDNet.com

Threats

GWENT Source Code Leaked in CD Projekt Red Ransomware Attack

CD Projekt Red, known for making games such as Cyberpunk 2077 and The Witcher, have become the latest victim of ransomware. Researchers have labelled this as a “double extortion ransomware”, as they expect another leak to be published soon. The firm have stated that they will not pay the ransom. The author of the leak has previously been seen on hacking forums associated with the Cobalt Strike malware, which explains his ability to perform the attack.

More updates will undoubtedly follow in the coming days.

By CyberNews.com

Iran Hides Spyware in Phone Applications

Two groups of cybercriminals from Iran have been found running surveillance operations on users in Iran, the UK, US and 10 other countries. One of the groups is known as Domestic Kitten and has been observed fooling victims into downloading malicious applications that spy on the user’s activity on their mobile device. This campaign has had over 600 successful infections so far. We advise all users to only download applications from trusted app stores.

By BBC.co.uk

Vulnerabilities & Updates

Microsoft February 2021 Patch Tuesday

Microsoft’s Patch Tuesday for February has just arrived, and it covers 56 flaws including 11 critical, 43 important and 2 moderate severity. Among the critical vulnerabilities is a zero-day that is being actively exploited in the wild; other critical flaws include a privilege escalation bug in Windows Win32K, and remote code execution bugs in Windows DNS Server, .NET Core, Visual Studio, Microsoft Windows Codecs Library and Fax Service.

Microsoft’s update guide for this patch release can be found here.

By TheHackerNews.com

Critical Adobe Flaws Affecting Windows Users

Adobe have issued a warning regarding a critical vulnerability in Adobe Reader for Windows. It was confirmed that this flaw is being actively exploited in the wild and is classed as a heap-based buffer overflow bug, which could lead to the execution of arbitrary code. Adobe released a patch for this on Tuesday, and we advise all users to update as soon as possible.

By ThreatPost.com

Critical Flaw Discovered in SAP Commerce Product

SAP have released their latest batch of security updates which address seven vulnerabilities, including a critical remote code execution flaw existing in the Commerce product. The patch also includes updates for Google Chromium, as well as several flaws in SAP Business Warehouse. As always, we recommend applying the latest patches immediately to ensure you are protected.

By SecurityAffairs.co

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #128 – 12th February 2021

By Joshua Hare on 11/2/21

Cyber Round-up for 5th February

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Increase in Cyber Attacks for Home Workers

Many companies in the UK have reported a dramatic increase in cyber attacks since their employees have been working from home. Remote working opens up new avenues of attack for the bad guys, especially with the lack of control over remote users. Reports have suggested that many firms are not taking security seriously enough; we urge all businesses to focus on security, specifically user awareness, as uneducated users can become a significant business risk, especially when working remotely.

By BBC.co.uk

Talos Interviews Lockbit Ransomware Operator

The Cisco Talos team recently interviewed one of the operators responsible for the Lockbit Ransomware, which provided some interesting insight into their infrastructure and thought process. The team has published a report on the interview, which includes details such as the operator’s professional background, motivations, and theories.

The report can be found here.

By Blog.TalosIntelligence.com

Threats

Mensa Members Troubled by Poor Password Security

Mensa, a club for people with high IQs, has been criticised by its members for poorly managing their passwords. Following the departure of multiple members, it was found that there had been an attack, and an “extensive investigation” was launched. The club reported their findings to their members via email, stating that no data had been lost; however, Mensa’s former technology officer confirmed that data had been stored insecurely for years.

By GrahamCluley.com

New Agent Tesla Trojan Targets Microsoft Anti-Malware Interface

Security researchers have discovered a new version of the Agent Tesla RAT, which is capable of disrupting Microsoft’s anti-malware interface and evading detection. The changes to this version of the trojan make endpoint protection and sandboxing incredibly difficult, making it an even bigger threat. A list of some of its new features can be found here.

By ThreatPost.com

Vulnerabilities & Updates

SonicWall Zero-Day Exploited in the Wild

The security firm NCC Group has found that a dangerous SonicWall zero-day is being actively exploited in the wild. This vulnerability is currently affecting Secure Mobile Access (SMA) gateways; however, details have not been published as a safety precaution.

SonicWall have now released an emergency patch for this flaw, as well as an advisory which can be found here. We advise updating your SonicWall devices as soon as possible to ensure you are protected.

By ZDNet.com

Three Severe SolarWinds Vulnerabilities Discovered

On Wednesday, security researchers discovered three new security vulnerabilities affecting SolarWinds products. Two of these flaws exist in the SolarWinds Orion Platform, while the third affects the company’s Serv-U FTP server for Windows. The researchers claim that these flaws can be exploited to remotely execute code with elevated privileges. Patches are available for all three vulnerabilities and we strongly advise updating your products as soon as possible.

By TheHackerNews.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #127 – 5th February 2021

By Joshua Hare on 4/2/21

Cyber Round-up for 29th January

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Global Campaign Disrupts Emotet Operations Worldwide

Emotet has been one of the most dangerous threats over the last few years, but this week major progress was made in shutting down its operations. Authorities from the Netherlands, Germany, the US, the UK, France, Lithuania, Canada, and Ukraine have collaborated with Europol to disrupt the Emotet botnet and take control of its infrastructure. This is a huge step in the security world, and you can find out more about this takedown campaign here in Europol’s statement.

By Europol.Europa.eu

SonicWall Attacked via Flaws in their Firewalls

SonicWall have suffered an attack on their internal systems after bad guys exploited probable zero-day vulnerabilities affecting their SMA 100 Series of devices. At this time, there is no patch for these flaws; however, SonicWall have published an advisory on how to mitigate the risk of exploitation. The advisory urges anyone with an SMA 100 Series appliance to enable two-factor authentication, as well as some other steps to secure your device.

More guidance can be found here.

By SonicWall.com

Threats

NHS Warns UK of Fake Vaccination Scams

The NHS advise all UK citizens to keep an eye out for fake COVID-19 vaccination messages. Many people have received scam emails and SMS messages impersonating the NHS in order to bait victims into clicking a link. Upon clicking the link, the victim will be asked to provide payment card details, from which the attackers attempt to steal money. The NHS have strictly stated that they will never ask for any passwords, personal information, or payment card details; we urge everyone to be cautious with suspicious emails at all times.

By BBC.co.uk

Hackers Target IObit Forums to Help Distribute Ransomware

Windows software developer, IObit, has been targeted by a ransomware gang; their forums were hacked and altered to display a ransom demand. This appears to have been done as part of their plan to distribute the DeroHE ransomware; the attackers also messaged forum users with a disguised link that installs the malware. The group are demanding $100,000 in exchange for the decryption key.

By Privacy.com

Vulnerabilities & Updates

Apple tvOS Vulnerability Affects up to V11.1

A vulnerability in Apple tvOS has been discovered, and Apple have confirmed that it affects all versions up to 11.1. This flaw is a memory corruption vulnerability that requires authentication to be exploited. We advise all users to upgrade to version 11.2 to ensure they are protected against this flaw. If possible, it is recommended to enable automatic updates on your Apple devices.

More details can be found here.

By Sesin.at

Apple Release Emergency Update Addressing Three Zero-Day Flaws

An anonymous security researcher has discovered multiple flaws that have been addressed in an emergency iOS security update. One of these vulnerabilities exists in the operating system's kernel, while the other two are associated with the WebKit browser engine. All of these zero-days are being actively exploited by the bad guys, so we urge all users to apply the latest updates as soon as possible.

By ThreatPost.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #126 – 29th January 2021


By Joshua Hare on 28/1/21

Cyber Round-up

Cyber Round-up for 22nd January

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Wentworth Golf Club Hit by Ransomware

Wentworth Golf Club has been hit by a ransomware attack, which has reportedly affected all 4000 members. The private club, which is known for its high-profile members, celebrities, and sports stars, has warned that personal details may have been compromised; this could include names, home addresses, email addresses and partial payment card information. Wentworth have apologised to its members, but we are still unsure if they plan to pay the ransom. We will update when we hear more from the club.

By GrahamCluley.com

Remediation Strategies for Microsoft to Defend Against FireEye Compromise

In December 2020, FireEye discovered a campaign in which attackers gained unauthorised access to Microsoft 365 environments. This is now being tracked as UNC2452 and FireEye have published their threat research, including remediation and hardening strategies for M365 to defend against the attack. We advise looking into these techniques so that you can harden your environment and stay protected.

Here is the Mandiant Azure AD Investigator; this detects artifacts associated with UNC2452 and flags any IoCs found in your environment.

By FireEye.com

A Quarter of Organisations Don’t Offer Cybersecurity Training

In iomart’s recent Cybersecurity Insights Report, it was found that 25% of company directors do not offer cybersecurity training due to financial restrictions. The report also shows that 42% offer training to select employees and 82% of these claim it was simply a “short briefing rather than a comprehensive course”. Considering how frequent cyber attacks are now, this lack of training is concerning. It is important that all organisations are aware of cyber threats so that they know how to mitigate the risk and respond in the event of an attack.

By Infosecurity-Magazine.com

Threats

New Malware Found During SolarWinds Investigation

Symantec have found a new piece of malware that was used in the recent SolarWinds attacks. This malware is a backdoor and has been named Raindrop. Raindrop was designed to deliver a payload of Cobalt Strike and is similar to the Teardrop tool; however, the new tool was used to spread across the victim’s network.

More details on this new malware can be found here.

By Symantec-Enterprise-Blogs.Security.com

Depop Users Worried About Recent Wave of Account Takeovers

Depop has had a big problem with scammers and account takeover recently, with many users losing access to their accounts. In some cases, users regained access to their accounts to find scammers using it to steal from unknowing buyers. There have been 15 cases of this reported to BBC News and we advise all users to change their passwords and be aware of scammers when buying on Depop.

By BBC.co.uk

Vulnerabilities & Updates

New FreakOut Malware Plaguing Linux Devices

Researchers have issued warnings of a new malware known as FreakOut, which has been recruiting devices into a botnet to launch DDoS and cryptomining attacks. FreakOut is targeting Linux devices, specifically those that are unpatched and vulnerable to certain flaws such as the remote code execution flaw in TerraMaster TOS. As always, apply the latest security updates to stay protected against these kinds of attacks.

By ThreatPost.com

Cisco Latest Patch Cycle Addresses High-Impact Bugs

Cisco’s first patch release of 2021 is here, and we advise all customers to update their systems as soon as possible. This patch cycle addresses multiple high-severity vulnerabilities, including DLL injection in Cisco AnyConnect and a CMX password authorisation flaw.

More details on these bugs can be found here.

By PortSwigger.net

7 Vulnerabilities Found in DNS Forwarding Software

JSOF researchers have discovered seven vulnerabilities in the open-source DNS forwarding software known as Dnsmasq; these flaws include spoofing, buffer overflow, and DNS cache poisoning. The most recent patch for Dnsmasq provided fixes for these vulnerabilities, so we urge users to update when they can.

By SCMagazine.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #125 – 22nd January 2021


By Joshua Hare on 21/1/21

Cyber Round-up

Cyber Round-up for 15th January

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

FBI Issues Warning About Egregor Attacks on Businesses Worldwide

The FBI have recently been investigating a wave of ransomware attacks, known as Egregor. Reports from the agency state that more than 150 organisations have already been compromised all over the world, including Barnes & Noble Booksellers, retailer Kmart, and video game company Ubisoft. This ransomware spreads through phishing emails and malicious attachments but has also been seen infecting machines through RDP and VPNs. Unfortunately, paying the ransom was not always a way out, as many companies' files were not recovered as promised. There are many actors involved in these attacks, and they do not appear to be slowing down; we will provide updates on the situation when more details are released.

The FBI’s report on the Egregor ransomware can be found here.

By ThreatPost.com

Ransomware Groups Targeting Company Executives

Ransomware gangs are constantly changing their tactics and evolving, and a lot of them are suddenly changing their approach to the users they target. One group, using the Clop ransomware, has been seen targeting machines used by those in executive positions. These computers are more likely to contain sensitive data than that of a standard user, meaning the company will be more desperate to get it back. This new tactic is not thought to be widely used at the moment but is becoming increasingly popular. We expect to see more groups adopt this method in the near future, since it appears to have a big impact for the few who use it.

By ZDNet.com

Ubiquiti Report Unauthorised Access to IT Systems

Ubiquiti have announced that they identified unauthorised access to their IT systems and have provided details on the incident in a statement on their website. The firm has said that there is no indication of unauthorised activity on any user's accounts, but they cannot say for certain that account details were not accessed. As a precaution, Ubiquiti have advised all users to change their passwords, since the potentially exposed info included email addresses, names, and one-way encrypted passwords. We also strongly advise that you enable two-factor authentication; this ensures that your account is secure, even if your password is stolen.

By Community.UI.com

Threats

macOS Malware Evades Detection for Five Years

A stealthy malware operation has been active in the wild for over five years, infecting macOS systems and mining cryptocurrencies from them. The malware, known as OSAMiner, was being distributed in pirated software, with League of Legends and MS Office for Mac being the most common. This operation primarily targets users in Chinese/Asia-Pacific communities and has reportedly evolved over the last few months; the malware appears to be running three consecutive run-only AppleScripts, which are downloaded with the pirated software installer. The source code for these scripts is not human-readable, making analysis especially hard for researchers. Despite these struggles, SentinelOne researcher Phil Stokes has published "the full-chain of this attack, along with indicators of compromise".

Stokes’ detailed report can be found here.

By ZDNet.com

Hackers Securely Connect to Microsoft 365 Using Stolen Mimecast Certificate

On Tuesday, Mimecast issued a statement on a “sophisticated threat actor” who stole a digital certificate, used by some customers to securely connect products to Microsoft 365. This incident was discovered when Mimecast received a breach notification from Microsoft. The stolen certificate is used by around 10% of the company’s customers, with only a small percentage of these being targeted. All customers have been advised to terminate their existing connection with M365 and establish a new one to ensure they are not at risk. The breach could have allowed the attacker to perform man-in-the-middle attacks, steal sensitive information and intercept email traffic, so we strongly recommend following this advice as soon as possible.

You can read Mimecast’s statement here on their website.

By TheHackerNews.com

Vulnerabilities & Updates

CISA Vulnerability Bulletin for Week of January 4

CISA have released a summary of vulnerabilities that have emerged in the last week. The data comes from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and includes a number of high severity remote code execution and SQL injection flaws, as well as many more medium and low vulnerabilities. The entries in this summary provide additional details for each flaw, as well as patch details, if any have been released.

By US-Cert.CISA.gov

January 2021 Security Update Review

The first batch of security updates for 2021 has arrived for Adobe and Microsoft. Starting with Adobe, seven flaws were patched, including uncontrolled search path element and server-side request forgery vulnerabilities. None of the flaws addressed in these patches were under active attack at time of release. As for the Microsoft patches, there were 83 total bugs addressed, including multiple privilege escalation and remote code execution vulnerabilities, 10 of which are rated critical. A remote code execution vulnerability in Microsoft Defender is listed as being under active attack. We advise all users to apply the latest updates as soon as possible.

By TheZDI.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #124 – 15th January 2021


By Joshua Hare on 14/1/21

Cyber Round-up

Cyber Round-up for 8th January

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Mobile Data Increases for Remote Education Support

The UK government has announced a new scheme designed to aid the education of disadvantaged children. The last year has been exceedingly difficult for a lot of children who cannot go to school and cannot access remote education; because of these struggles, there are plans to increase data allowances for mobile devices. This is expected to support children in their online learning while schools are closed. Schools, trusts and local authorities can request mobile data increases if children do not have fixed broadband at home, cannot afford mobile data, or if they cannot continue face-to-face education.

More details, including a list of networks that may be able to request these data increases, can be found here.

By Gov.uk

Apple Privacy Update Exceeds WhatsApp Security

Everyone knows that WhatsApp is the best messenger when it comes to security. It has always been well known for its encrypted messaging and privacy settings, but where it fails is in securing your metadata. This is essentially information about your data, such as mobile numbers, device type, mobile network, and contacts. Apple's latest update for iMessage is a "game-changer" when it comes to privacy and the collection of metadata. They have announced that they are massively cutting down on the collection of this information; while WhatsApp state that "We must collect some information to provide a reliable global communications service", Apple are ensuring that any data collected is not linked to your identity. This is a huge step forward in secure messaging, and we are intrigued to see what Apple do next.

By Forbes.com

US Government Pins SolarWinds Hack on Russia

A joint statement was issued this week by four US cyber agencies, officially pinning the recent SolarWinds attack on the Russian government. This accusation was supported by findings linking the attack to APT29, which is an industry-wide codename for hackers associated with the Russian Foreign Intelligence Service.

Here is the official CISA statement.

You can learn more about the recent SolarWinds incident in this article on our website.

By ZDNet.com

T-Mobile Hit by Fourth Hack in Less Than Three Years

T-Mobile recently disclosed news of yet another security incident. They have stated that hackers were able to access information related to T-Mobile accounts, including customer proprietary network information (CPNI). This involves phone numbers and the number of lines subscribed to on your account. The firm have apologised for the inconvenience of the attack and once again reiterated that they take "the security of customer information seriously"; this is the fourth time they have stated this in the last three years. Law enforcement and impacted customers have all been notified, and T-Mobile continue to follow up on the incident.

By GrahamCluley.com

Threats

SAD DNS Attack Affects 35% of Open Resolvers

Following the Microsoft DNS vulnerability that was found back in July, a new attack method known as Side channel AttackeD DNS, or SAD, has been reinventing DNS cache poisoning. SAD has been reported as the "first weaponizable network side channel attack that has serious security impacts", and researchers have found that around 35% of open resolvers are vulnerable to the method; it was also stated that "11 of 14 public resolvers are susceptible". If you want to know whether you are at risk of this attack, the Q&A and tool are available on this SAD DNS website.

More details by the NVD can be found here.

By InfoSecurity-Magazine.com

Police Issue Warnings Over Vaccine Scam Messages

There have been reports of fraudulent text messages circulating, containing a link to an "extremely convincing" fake NHS website. Users who click the link are asked to input their bank details to register for the vaccine. We advise everyone to take caution when it comes to links and attachments in messages, and please note that the vaccine is free. Any site that requests payment is most likely a scam. Stay safe, and if you would like to learn more about this scam message, see here.

By BBC.co.uk

Vulnerabilities & Updates

Backdoor Account Discovered in Zyxel Firewalls

Zyxel’s latest patch addresses a critical vulnerability that allowed attackers to compromise networks with administrative privileges; this was due to a secret, undocumented account that was present in a number of Zyxel devices, including Unified Security Gateway, USG FLEX, ATP and VPN firewall products. Around 10% of 1000 devices in the Netherlands are affected by this flaw, and researchers have warned users how easy it is to exploit. We strongly advise updating your devices as soon as possible.

You can learn more from the official Zyxel security advisory here.

By TheHackerNews.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure, Healthy, & a Happy New year to all!

Edition #123 – 8th January 2021


By Joshua Hare on 7/1/21

Security Advisory Archives

The FireEye SolarWinds Attack - What You Need to Know

On the 8th December, FireEye, a large player in the cybersecurity world, disclosed that they were hit by a nation state-sponsored attack that they later found was the result of a backdoor in the SolarWinds Orion management and monitoring platform.

We all too often hear during disclosures that an attack was sophisticated, but in a rare occurrence this was indeed both a highly sophisticated and evasive attack. Combined, this resulted in a complex supply chain attack that compromised the supplier in order to target its high-profile victims.

It was confirmed that the hacker group managed to steal the red team tools of FireEye's professional security team, ranging from simple scripts used for automating reconnaissance to entire frameworks similar to technologies such as Cobalt Strike and Metasploit. It was however confirmed by FireEye that the stolen tools did not contain any zero-day exploits.

Since FireEye’s announcement, there has been a lot of investigation & updates from cyber experts; mitigation techniques and threat advisories are now being released. The advisories from SolarWinds confirmed that the exploits only affect the Orion platform; we strongly advise any SolarWinds customers to review and update their platforms as soon as possible.

We are not going to try and cover the details of this attack here, but instead want to bring together a timeline of posts related to the disclosures, security advisories and recommendations from the multiple experts directly and indirectly associated with investigating the attack.

FireEye Red Team Tools Stolen by State Sponsored Hacker Group | 8th December

Unauthorized Access of FireEye Red Team Tools | FireEye Inc

SolarWinds Security Advisory | Released 13th December | Updated as of 17th December

Security Advisory | SolarWinds

Hacker Group Leverages SolarWinds Backdoor | 13th December

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc

Important steps for customers to protect themselves from recent nation-state cyberattacks | 13th December

Important steps from the Microsoft Blog | Microsoft

Customer Guidance on Recent Nation-State Cyber Attacks | 13th December

Detailed Guidance and recommendations | Microsoft Security Response Center

SolarWinds Orion Mitigation | 13th December

Emergency Directive 21-01 | cyber.dhs.gov

SolarWinds Supply Chain Attack Threat Advisory | 14th December

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: SolarWinds supply chain attack

Kill Switch Forces Backdoor Termination | 16th December

FireEye, Microsoft create kill switch for SolarWinds backdoor | Bleeping Computer

Details on Advanced Persistent Threat Compromise | 17th December

Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA

What you will see throughout the FireEye posts in particular is a great and commendable approach to the disclosure of the attack. FireEye have been clear, open, concise and actively trying to help the public defend against the threats that may result from the theft of their offensive tools.

With the potential for approx. 18,000 impacted customers, and numerous organisations already confirming they are also victims, this story may run for some time, so we will aim to keep this post updated where possible.

To close, Microsoft's President posted an interesting article giving his account of what has been a challenging year for us all when it comes to cyber security threats.

A moment of reckoning: the need for a strong and global cybersecurity response | Brad Smith - Microsoft

Updates [21st Jan 2021]:

SuperNova Webshell Adds a Second Vector to the SolarWinds Attack | 17th December

SUPERNOVA: A Novel .NET Webshell | Palo Alto Networks

Protecting Microsoft 365 from On-premises Attacks | 18th December

Understanding the threat to prevent on-premise to cloud attacks | Microsoft AAD Identity Blog

SolarWinds Compromise May Have Begun 5 Months Earlier | 18th December

Detailed information into how SolarWinds was compromised as early as October 2019 | Security Scorecard

Identity Compromise & Incident Response | 21st December

Advice for incident responders on recovery from systemic identity compromises | Microsoft DART

SAML Identity Anomalies and IOCs | 21st December

Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers | Microsoft AAD Identity Blog

Microsoft Solorigate Resource Centre | 21st December

Summary, background, and guidance resource centre | MSRC

Joint Statement by the FBI, CISA, ODNI and NSA - Attribution | 5th January

Statement and engagement from the task force known as the Cyber Unified Coordination Group (UCG) attributing the attack to Russia | cisa.gov

FireEye Releases Tool for Auditing Networks for Techniques Used by SolarWinds Hackers

FireEye have released a report with detailed techniques used by the SolarWinds hackers | ZDNet.com

Updates [26th Feb 2021]:

Microsoft have released additional details and findings for the Solorigate incident | 18th February

Microsoft Internal Solorigate Investigation | MSRC

By Joshua Hare on 17/12/20

Cyber Round-up

Cyber Round-up for 18th December

Christmas Round-up

Welcome to the Christmas edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

The FireEye SolarWinds Nation State Attack

To start things off, we want to talk about the recent FireEye SolarWinds incident and point you towards some important notices. We have written a post about the incident here, which contains links to announcements, advisories and recommendations over the last two weeks.

Hackney Council Hit by Cyber Attack

A ransomware attack targeting Hackney Council had a massive impact on home buyers, with many property purchases being significantly disrupted. The attack came at the start of October and reportedly impacted IT systems, including the "processing of land search requests". The east London council recently announced that the National Cyber Security Centre and National Crime Agency are working to protect user data and restore the affected systems. It was also confirmed that essential services, such as coronavirus response, were unaffected by the attack. There has been no confirmation of a ransom payment, but the time it has taken to restore the council's systems suggests that no payment was made.

By BBC.co.uk

2020 Incidents Encourage Security Awareness

It has been a busy year in the cybersecurity world and as 2020 comes to an end, we’re trying to focus on the positives. There have been a lot of high-profile security incidents this year, but not all the attention has been bad, and with the massive increase in remote workers, Infosec teams worldwide have had to step up and adapt quickly. With more people working from home, cybercriminals have switched up their tactics, focusing on videoconferencing software such as Zoom, which they know is being used by almost everyone. As well as new attack avenues, old methods are evolving too. Ransomware attacks are becoming more targeted, which in turn makes them harder to detect. Although the increase in cyberattacks has been difficult to manage, the exposure is not all bad. Security has had its time in the spotlight this year which has definitely increased general awareness of the situation.

By TechCrunch.com

Hurtigruten Cruise Line Operator Hit by Ransomware

Norwegian shipping and cruise line firm, Hurtigruten, has been hit hard by a ransomware attack that has crippled their IT systems all around the world. Their website is currently down while they resolve the issue, which has been described as a “serious attack against its global IT infrastructure”. At this time, we do not know which strain of ransomware hit the company and there has been no confirmation as to whether or not the ransom has been paid. Hurtigruten are working hard to restore their systems as quickly as possible and will likely release more details once they are operational.

By HotForSecurity.BitDefender.com

Twitter Fined $550,000 Over Data Breach

Ireland's Data Protection Commission have issued Twitter with a fine for failing to comply with Europe's GDPR rules. Twitter received a fine of $550,000 when they did not properly document or disclose details of a recent data breach. This was the first major GDPR decision made by Ireland's DPC, and they are facing criticism for the time it has taken them to make a decision. In the case of this Twitter incident, "some half a year extra was added to the decision timeline".

By TechCrunch.com

Threats

New 5G Network Flaw Allows Attackers to Steal Data and Track User Locations

As 5G networks are slowly introduced around the world, it is important to assess the weaknesses that may be exploited during the rollout. Multiple exploitable flaws have been discovered that could lead to a potential denial-of-service attack. Researchers have also found bugs in the subscriber authentication that could allow an attacker to steal authentication information. Despite these vulnerabilities, there are key security benefits to using 5G, including the encryption of Mobile Subscriber Identity numbers.

More details on the flaws affecting 5G networks can be found here.

By TheHackerNews.com

Vulnerabilities & Updates

Firefox Patches Critical Bug Affecting Itself and Google Chrome

A patch has been released for the Firefox web browser, addressing one critical vulnerability and some high-severity flaws. The critical flaw exists in a JavaScript component called BigInt and has the potential to expose uninitialized memory. This flaw was originally found affecting the Chrome web browser and was patched by Google earlier this month. We advise updating your browsers as soon as possible to ensure you are protected.

By ThreatPost.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Merry Christmas / Happy Holidays to all.

Stay Safe, Secure and Healthy!

Edition #122 – 18th December 2020


By Joshua Hare on 17/12/20

Cyber Round-up

Cyber Round-up for 11th December

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Business Email Compromise Scam Costs Food Bank $1,000,000

A food bank in Philadelphia was recently hit by a business email compromise scam, which has resulted in the loss of almost $1 million. According to reports of this incident, the food bank is currently working on the construction of a new community kitchen, with attackers using this opportunity to pose as the construction company and steal their money. This incident was not discovered until 18 days later, when they found that the legitimate company was still awaiting payment. Last year, $1.7 billion was stolen through business email compromise scams, and they remain just as prevalent in 2020. As always, be careful when receiving suspicious emails, especially when payments are involved.

By GrahamCluley.com

Randstad Recruitment Agency Hit by Ransomware

Randstad, one of the world’s biggest recruitment agencies, has been hit by the Egregor ransomware. The agency reported that there wasn’t any major impact on their operations but confirmed that data was stolen by the attackers. Randstad, who claim to have 280,000 clients in 38 different countries, became aware of the attack last week and quickly acted to “mitigate the incident while further protecting Randstad’s systems”.

You can read Randstad’s full statement on the incident here.

By InfoSecurity-Magazine.com

EU Agency in Charge of COVID-19 Vaccine Approval Suffer Cyber Attack

The European Medicines Agency, who were responsible for approving the recent COVID-19 vaccines, has announced that they have suffered a cyber-attack. This was disclosed via a short statement on their website, which states that they will not release any further details during their ongoing investigation. This comes as no surprise, as many organisations involved with COVID-19 research have been targeted recently, mainly by state-sponsored hacker groups.

By ZDNet.com

Threats

Data Harvesting Scheme Disguises Itself as ‘Free’ Cyberpunk 2077 Download

Cyberpunk 2077 is one of the most highly anticipated games of all time, so it is no surprise that hackers are taking advantage of gamers who are desperate to get their hands on it. You may have seen advertisements for a ‘free’ copy of the game; however, cybercriminals are using these ads to lure in victims and steal their personal information. We strongly advise you only purchase the game from trusted sellers and avoid any downloads claiming to be ‘free’; if it sounds too good to be true, it probably is.

By ThreatPost.com

Half of All Major Incidents are Ransomware Attacks

In 2020, CrowdStrike has investigated around 200 incidents and according to their yearly report, 51% of these were ransomware. 63% of the incidents were financially motivated. The company’s investigations also found that both attackers and defenders have been improving and adapting, with much more sophisticated attacks being used.

If you want to read more about CrowdStrike’s findings, you can read the report here.

By DarkReading.com

Vulnerabilities & Updates

WordPress 5.6 Introduces New Risk to Your Site

WordPress released their last major patch of 2020 on 8 December, and it includes some important features. With 5.6, WordPress have introduced a new feature that “allows external applications to request permission to connect to a site”. If access is granted, the user can perform actions through an API. Although this is an interesting feature, it opens the possibility of more attacks, specifically focused on social engineering. As you can imagine, it would not be too difficult for an attacker to trick a site administrator into clicking a link pretending to be a permission request. To make this even more dangerous, the newly generated passwords are sent to the requester via a redirect URL, which will make attacks even more difficult to spot for those who are not actively looking. A recent WordFence release addresses this issue; in 7.4.14, application passwords are disabled by default.

By WordFence.com

Microsoft December 2020 Patch Tuesday

It’s that time again. Microsoft have released their monthly batch of security updates, addressing 58 vulnerabilities, 10 of which are rated critical. The critical fixes include remote code execution flaws in SharePoint, Windows NTFS and Exchange. We advise applying the latest updates as soon as possible to ensure you are protected against attacks.

A full list of disclosed vulnerabilities can be found here.

By Blog.TalosIntelligence.com

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #121 – 11th December 2020


By Joshua Hare on 10/12/20

Cyber Round-up for 4th December

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Pennsylvania County Pay Ransom After DoppelPaymer Attack

Delaware County, Pennsylvania was recently hit by the DoppelPaymer ransomware. The attack took their computer systems offline and compromised much of their network, as the county acknowledged in a public statement at the start of the week. The county also announced they had been working tirelessly to “restore the functionality of our systems”; however, it seems this has not gone to plan, as recent reports suggest they are in the process of paying the $500K ransom. So far this is all we know; once Delaware County release more information, we will provide an update on the situation.

By BleepingComputer.com

8.5 Million User Records Leaked on Russian Hacker Forum

Royalty-free image website 123RF.com recently suffered a data breach which led to more than 8.5 million user records being leaked on a Russian hacker forum. The stolen data included full names, email addresses, IP addresses, locations, and password hashes. Affected users are advised to change their 123RF.com password and the password of any other account where it was reused (the report specifically mentions PayPal and Facebook), and to enable two factor authentication as soon as possible.

You can check if your data has been compromised here.

By CyberNews.com

Threats

Hacker Group Targets MacOS Users with Updated Malware

An updated version of a known macOS backdoor was recently discovered in campaigns targeting macOS users. Security researchers believe the activity is linked to the OceanLotus group, which has been associated with nation-state-backed hacking operations for the Vietnamese government. The updated malware provides attackers with a backdoor and reaches the target device through phishing emails; like its predecessors, it aims to install further malicious software and steal system information. We advise all users to be cautious with links and attachments in emails, and to ensure an email is from a trusted source before clicking anything.

By ZDNet.com

Hackers Stealing Credentials with Zoom Impersonation Attack

A new phishing campaign has emerged that impersonates the popular videoconferencing service Zoom. It’s no surprise that a scheme like this is in circulation; with the increase in remote working, Zoom is the perfect brand for scammers to abuse. The attack begins with an email containing a link to a fake Zoom login page, where the victim’s credentials are harvested. As always, keep an eye out for these scams, and avoid clicking links and attachments unless you are certain they are trustworthy.

By ThreatPost.com

Vulnerabilities & Updates

iPhone Flaw Allows Remote Hacking Through WiFi

Security researchers have discovered a flaw in Apple Wireless Direct Link (AWDL), the Wi-Fi based protocol that lets users AirDrop photos and files to nearby devices. The flaw could be used to steal emails and photos, and to access the camera and microphone. Although it has not been seen exploited in the wild, Google Project Zero researcher Ian Beer was able to pull off the attack after six months of work. What makes the bug so dangerous is that it is zero-click: it can be triggered over the air with no user interaction at all. Apple patched the bug back in May, so any updated device is safe, but it is rare to see a smartphone hack that does not rely on user interaction; it will be interesting to see whether these kinds of flaws continue to emerge.

By BBC.co.uk

Critical Oracle WebLogic Bug Requires Immediate Patch

Multiple botnets have been seen taking advantage of thousands of unpatched Oracle WebLogic servers. Despite a patch already being available, many of these servers have been infected with cryptominers and malware that steals sensitive information. We urge all WebLogic users to update their systems as soon as possible to prevent an attack like this; unpatched systems are always a prime target for attackers, so you remain at risk until you apply the fix.

By TheHackerNews.com

CISA Warns of Password Leak Affecting Vulnerable Fortinet VPNs

The US Cybersecurity and Infrastructure Security Agency has issued a warning about a password leak that could lead to further exploitation of vulnerable Fortinet VPNs. Following this, Fortinet has released a security advisory to “highlight mitigation of this vulnerability”, which CISA advises users to follow. We advise all users to apply the necessary updates as soon as possible to ensure you are protected against exploitation.

By DataBreachToday.eu

And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #120 – 4th December 2020


By Joshua Hare on 3/12/20

Cyber Round-up for 27th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

National Cyber Force Transforming UK Cyber Capabilities

The new National Cyber Force (NCF) is working alongside the NCSC to improve and maintain the UK’s reputation as a world-leader in cyber power. The prime minister has announced plans to transform the country’s cyber capabilities with help from the NCF, which employs personnel from GCHQ, the Ministry of Defence and MI6. The director of GCHQ has stated that “the National Cyber Force operates in a legal, ethical and proportionate way to help defend the nation”. The NCF has received a lot of praise and we are interested to see the impact they have on the UK’s cyber power going forward.

By GCHQ.gov.uk

Manchester United FC Hit by Cyber Attack

Manchester United have confirmed that their operations were recently disrupted by a cyber-attack. This appears to have been a sophisticated attack carried out by an organised group of criminals. Despite the effort put into this attack, the effects were not too severe; the club’s systems were only shut down for a short period of time, and they believe that no personal data was compromised. The club were ready for their next fixture at Old Trafford, with all critical systems now fully operational.

By ManUTD.com

Smart Doorbells Prove Easy Target for Cybercriminals

Smart Doorbells have rapidly increased in popularity this year, which in turn makes them a bigger target for hackers. Many hackers have found these doorbells to be incredibly easy targets for their attacks, mostly due to weak password policies and a lack of data encryption. If you own, or are looking to buy, a smart doorbell, ensure that you enable two factor authentication and purchase one from a trusted provider to ensure you are protected.

By BBC.co.uk

Threats

Customer Records Exposed in Sophos Security Breach

Well known security firm Sophos has confirmed that it was recently affected by a security breach, which reportedly exposed customer support data. The company has not stated the number of customers affected, but has said that the exposed data includes first and last names, email addresses and contact numbers. Sophos has been emailing affected customers, stating that no action is required at this time. If a security firm as big as Sophos can be breached, then so can others, including small to medium businesses.

By GrahamCluley.com

Fake Minecraft Mods Installed on More Than One Million Android Devices

Over one million Android users have fallen victim to the recent Minecraft mod campaign, in which fake mod packages are advertised and made available to download. Once on the device, the fake mod overwhelms the user with constant advertisements, rendering the device unusable. The malware also talks to a command and control server, which sends instructions; these commands include opening browsers, playing videos, and opening the app store in a seemingly random fashion. Researchers advise removing the application via the device settings; this should stop the attackers from continuing to overload your phone.

By GrahamCluley.com

Vulnerabilities & Updates

Tesla Model X Vulnerable to New Key Fob Hack

Security researchers have been working hard to find vulnerabilities in Tesla’s Model X, and one has succeeded. Lennert Wouters, a computer security student from Belgium, has discovered a way of overwriting the firmware in the Model X’s key fob, which allows an attacker to hijack the vehicle. This is Wouters’ third hack on Tesla in the last three years; he claims that his most recent exploit “only takes a few minutes to execute and requires inexpensive gear”. In response to this discovery, Tesla is said to be rolling out over-the-air software updates, so owners of the Model X should look out for this.

By ZDNet.com

2FA Bypass Flaw Discovered in cPanel & WHM Software

cPanel recently disclosed a critical vulnerability that would allow a remote attacker to bypass two factor authentication on a target account. Bypassing the 2FA protection does not remove the need for valid credentials; the attacker still has to know the account’s password to log in. The flaw is present in cPanel and Web Host Manager (WHM); a patch has been released, and versions 11.92.0.2, 11.90.0.17 and 11.86.0.32 contain the fix.

If you are interested, more details can be found here.
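A 2FA bypass that still requires the password is, in practice, almost always a code verifier that can be brute forced, and the public disclosure of this cPanel flaw attributed it to a missing rate limit on 2FA code attempts. The following is an added example, not cPanel’s code: a minimal RFC 6238 TOTP verifier in Python, checked against the RFCs’ published test vectors, alongside an attacker who already holds the password and submits every six-digit code in turn. The lockout threshold, the one-step drift window, the per-step code cache and the demo secret are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed demo input,
# not a real user's secret). Time step of 30 seconds as in RFC 6238.
DEMO_SECRET = b"12345678901234567890"
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class SecondFactor:
    """Server-side TOTP check for one account.

    max_failures=None models a verifier with no throttling: every one of the
    10**digits codes can be tried, so the second factor adds nothing once the
    password is known. A small lockout threshold (an assumption here) closes that gap.
    """

    def __init__(self, secret: bytes, max_failures=5, window: int = 1, digits: int = 6):
        self.secret = secret
        self.max_failures = max_failures
        self.window = window          # accept +/- this many 30s steps of clock drift
        self.digits = digits
        self.failures = 0
        self.locked = False
        self._valid_cache = {}        # time step -> accepted codes (keeps the demo fast)

    def _valid_codes(self, at: int):
        step = at // STEP
        if step not in self._valid_cache:
            self._valid_cache[step] = [
                hotp(self.secret, step + d, self.digits)
                for d in range(-self.window, self.window + 1)
            ]
        return self._valid_cache[step]

    def verify(self, code: str, at: int) -> bool:
        if self.locked:
            return False
        for valid in self._valid_codes(at):
            if hmac.compare_digest(valid, code):   # constant-time comparison
                self.failures = 0
                return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True                     # real systems: lock, alert, or back off
        return False


def brute_force(factor: SecondFactor, at: int):
    """Attacker who already holds the password submits every code in order.

    Returns the number of submissions needed, or None if lockout stopped the attack.
    """
    for guess in range(10 ** factor.digits):
        if factor.verify(str(guess).zfill(factor.digits), at):
            return guess + 1
        if factor.locked:
            return None
    return None


if __name__ == "__main__":
    at = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("unthrottled:", brute_force(SecondFactor(DEMO_SECRET, max_failures=None), at))
    print("lockout at 5:", brute_force(SecondFactor(DEMO_SECRET, max_failures=5), at))
```

With max_failures=None the attacker needs at most one million submissions, which is minutes of work against an HTTP endpoint; with a lockout at five failures the attack stops before the sixth guess. Lockout should be paired with alerting, since an attacker who can trigger it can also lock legitimate users out; a growing back-off delay is a common alternative.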

By TheHackerNews.com

And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #119 – 27th November 2020


By Joshua Hare on 26/11/20

Cyber Round-up for 20th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Capcom Suffer Ransomware Attack

Last week, we briefly mentioned that Capcom had suffered a ransomware attack at the hands of the Ragnar Locker team, however we did not go into detail. More information has since been released by the video game developers, giving us a better understanding of the incident. Capcom developers originally stated that there was “no indication that any customer information was breached”; however it has since been confirmed that the attackers gained access to the sensitive data of 350,000 people, including names, addresses, HR information, sales reports and financial information. Capcom have not confirmed whether they will pay the ransom, however their actions indicate that they have no plans to negotiate with the attackers.

By GrahamCluley.com

How Active Has Emotet Been in 2020?

Emotet is one of the biggest malware families in distribution today; despite its extended breaks, it always comes back to cause trouble. At the start of 2020, Emotet was being heavily distributed and remained active until February, at which point its operators paused once again. This didn’t last long, and things picked back up in June when huge volumes of spam emails were seen in circulation. It was no coincidence that operations resumed during the peak of the pandemic, as the newly crafted spam campaigns revolved around current events. The Emotet operators were not the first to incorporate the COVID scare into their work, and they will not be the last. This detailed post by the team at Talos covers their observations of Emotet throughout this year.

By Blog.TalosIntelligence.com

What Are the Most Common Passwords Used in 2020?

NordPass have compiled a list of the most common passwords used in 2020. This list has been created based on the number of times that password has been exposed in a breach. It also includes the time it would take to crack. ‘123456’ tops the list, with 2.5 million users; this is followed by ‘123456789’, ‘picture1’ and ‘password’.

84% of breaches leverage weak passwords, which is why it is vital that you use strong passwords and do not reuse them. We advise taking a look at this list; and if you see your password somewhere, change it immediately. The article also includes some guidance on how to create stronger passwords, although the best option is to generate strong random passwords using a password manager.

By NordPass.com

Threats

Hackers Seen Scanning for Vulnerabilities in WordPress Sites

The Epsilon framework, a theme builder platform used by a number of WordPress themes, recently had multiple critical flaws patched that allowed remote code execution. Although fixes are available, sites running older versions of the affected themes remain vulnerable. The Wordfence Threat Intelligence team have observed more than 7.5 million probes targeting these vulnerabilities, across 1.5 million websites, in the last four days alone. We urge all website owners to update their themes to the latest versions to avoid becoming a victim of these attacks.

By ThreatPost.com

Vulnerabilities & Updates

Cisco Patches Critical Flaw in Security Manager

Cisco have released an emergency patch for a critical path-traversal flaw, shortly after proof-of-concept exploit code was published. The vulnerability exists in Cisco Security Manager, a security management application for enterprise admins, and allows an unauthenticated remote attacker to read sensitive files on the target system. Cisco confirmed that the flaw affects versions 4.21 and earlier of Cisco Security Manager; the issue is fixed in release 4.22, so we recommend updating as soon as possible.

CVE details for this flaw can be found here.

By ThreatPost.com

Nibiru Ransomware Decryption Tool by Cisco Talos

The Cisco Talos team have been investigating the Nibiru ransomware variant, which is not as advanced as others we typically see. Talos label Nibiru a “poorly executed ransomware variant”; its weak encryption implementation allowed them to build a decryptor. They also note that the ransomware encrypts files with Rijndael-256 and targets common file extensions such as .doc, .docx, .xlsx and .ppt. A full list of targeted extensions, as well as other details, can be found here.

You can also download the decryptor program here.

By Blog.TalosIntelligence.com

And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #118 – 20th November 2020


By Joshua Hare on 19/11/20

Cyber Round-up for 13th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Former NCSC Cyber-Chief Warns Against Offensive Cyber-Techniques

The UK government is currently performing a defence and security review to “boost the nation’s cyber-capabilities”, but Ciaran Martin, the former cyber-chief of the NCSC, is worried that things are going in the wrong direction. The cyberworld appears to be shifting towards more offensive methods of security, while the ex-chief is wishing for more restraint. He believes that the best way to guarantee safety and security is defensive measures, rather than the offensive cyber-weapons that are being utilised by many nations, including the UK. Russia seems to be one of the primary users of these cyber-weapons and has been linked to many attacks over the last few years. Despite this focus from many nations, Martin encourages restraint and claims that weaponizing the internet is a big mistake.

By BBC.co.uk

Campari Begin to Recover from Ransomware Attack

Campari Group, an Italian company known for producing spirits and wines, has suffered a ransomware attack in which 24 of their servers around the world were compromised. The attackers have reportedly stolen and encrypted 2TB of data and have demanded a ransom of $15 million. A note left for the company states that if the ransom is not paid, the stolen data will be released to the public and/or sold to criminals. There is currently no further information, and it is unclear whether the company plans to pay; what we do know is that Campari appears to be rebuilding its services with dramatically increased security. Research into the incident suggests it could be linked to the recent attack against game developer Capcom, who have displayed notices on their website stating that many services, including email systems and file servers, are impacted.

Expect updates as soon as more information is released.

By HotForSecurity.BitDefender.com

Threats

Android Banking Trojan Steals Data from Applications

Ghimob is a new banking trojan created specifically for Android devices; the malware can spy on 153 applications and steal data from them. Security firm Kaspersky has been looking into the trojan, and believes it was developed by the group behind the Astaroth Windows malware. The malware is distributed via email and malicious sites, which redirect the user to a page prompting them to download a fake version of a legitimate application such as WhatsApp or Google Docs. As always, we strongly recommend installing applications only from the official Play Store and avoiding third-party stores.

By ZDNet.com

FakeUpdates Campaign Troubling Microsoft Teams Users

Microsoft have warned of a new trend, in which attackers advertise fake Microsoft Teams updates to deploy malicious payloads. A recent security advisory shows that the ads contain a link that leads to a site controlled by the attackers; this downloads a payload that executes a PowerShell script that loads the malware. The link also installs a legitimate version of Microsoft Teams to avoid suspicions from the victim. This campaign takes advantage of companies who are working remotely and rely on video conferencing software such as Microsoft Teams. Please ensure that you download Teams from the official site, and do not trust third party sources.

By ThreatPost.com

Vulnerabilities & Updates

Microsoft November 2020 Patch Tuesday

Microsoft’s latest batch of security updates has arrived with the November 2020 Patch Tuesday. This includes fixes for 112 security flaws, including a zero-day vulnerability in the Windows kernel that reportedly affects all currently supported versions of the operating system. The release also addresses 24 remote code execution flaws in Excel, SharePoint, Exchange Server and more. As always, we recommend updating as soon as possible.

Microsoft Security Update Guide can be found here.

By ZDNet.com

Two Chrome Zero-Days Being Exploited in the Wild

Google recently patched two zero-day vulnerabilities affecting the Chrome web browser for desktop. One of these flaws was a memory corruption flaw in the site isolation feature, and the other was an “inappropriate implementation of Chrome’s V8 JavaScript rendering engine”. It is not known if these vulnerabilities are related, but they have both been actively exploited in the wild. This makes it essential that you update the Chrome web browser as soon as possible.

By TheHackerNews.com

And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #117 – 13th November 2020


By Joshua Hare on 12/11/20

Cyber Round-up for 6th November

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Marriott International Fined £18.4 Million for Data Leak

In 2014, 339 million guest records were stolen in a cyber-attack on Starwood Hotels and Resorts Worldwide Inc. The attack remained undiscovered until four years later, by which point the company had been taken over by Marriott International. As the new owners, Marriott are now facing a fine of £18.4 million for failing to keep their customers’ personal data secure. The stolen data reportedly included names, email addresses, phone numbers, passport numbers and arrival/departure information.

More details on the attack here.

By ICO.org.uk

UK Cyber-Threat Agency Reviews COVID-19 Attacks

The National Cyber Security Centre (NCSC) produces annual reports on cyber incidents in the UK. Their most recent review addresses everything from September 2019 to August 2020; during this period, the NCSC responded to 723 incidents, with 194 of them being Covid-related. Some of the most prominent attacks seen during this period include ransomware attacks and cyber-espionage attempting to steal vaccine-related information. As well as these attacks, it was found that 15,354 phishing campaigns used COVID-19 themed content to lure in victims.

By BBC.co.uk

Ransomware Gangs Don’t Always Delete Data After Ransom Is Paid

The Maze Ransomware group created a new tactic called double-extortion back in 2019; this involves the data being stolen, and then potentially being published online if a ransom is not paid. This was later adopted by many other ransomware groups as it typically encouraged the victims to pay. However, recent research has found that many groups do not keep their promise to delete the stolen data, meaning your information could still be published after paying the ransom. This is yet another reason cyber experts encourage companies not to pay ransomware groups.

By BleepingComputer.com

Threats

Hacker Selling 34 Million Stolen User Records Online

An unknown cybercriminal is selling account databases online which reportedly contain 34 million user records from 17 different companies. On October 28th, a new thread advertising the stolen databases was spotted on a hacker forum, and BleepingComputer have been in contact with the seller; in that conversation, the seller claimed they were not responsible for stealing the data and are simply acting as a broker. The largest of the stolen databases belongs to Geekie.com.br, with 8.1 million records exposed.

The list of stolen databases can be found here.

By BleepingComputer.com

23,600 Databases Leaked from Data Breach Index Site

Data breach index site, Cit0Day.in, is known for collecting hacked databases and providing records to hackers for a subscription fee. More than 23,000 of these hacked databases were made available for download on a number of hacking forums; analysis from threat experts suggests that this is the biggest leak of its kind in recent history. The databases were only available for a few hours however, before being reported and taken down. ZDNet managed to download a portion of the dataset but was not able to retrieve it all. The leaked data includes usernames, emails, addresses and even cleartext passwords.

By ZDNet.com

AT&T Phish Uses Google Forms to Steal Credentials

Researchers have found a new phishing campaign that uses Google Forms as its landing page to collect the credentials of customers of more than 25 companies, brands and government agencies, with over 70% of the forms impersonating AT&T; other popular brands include Citibank and Capital One. The most common form requests the victim’s username and password. This phish can be difficult to spot because the form is hosted on Google’s own domain, so the page carries a valid TLS certificate and a padlock in the browser; that only proves you are talking to Google, not that the form belongs to AT&T. Despite the padlock, users can tell the form is a scam from the final button: a Google Form ends with ‘Submit’ rather than ‘Login’, which is not what a genuine login page shows. As always, keep an eye out for phishing attempts and be careful when providing details.

By ThreatPost.com

Vulnerabilities & Updates

Emergency WordPress Patch 5.5.3

Just one day after the release of version 5.5.2, WordPress were forced to release an emergency 5.5.3 patch to address a newly discovered issue. This flaw made it impossible to install WordPress on a new website without configuring a database connection beforehand. While preparations were being made for the emergency patch, another issue arose that automatically updated sites to version 5.5.3-alpha. WordPress site users should update to 5.5.3 as soon as possible if they are not doing so automatically to avoid encountering any of the new issues.

Security release details can be found here.

By WordFence.com

And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #116 – 6th November 2020


By Joshua Hare on 5/11/20

Cyber Round-up for 30th October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Nitro data breach impacts Microsoft, Google, Apple

Nitro, a PDF service used by approximately 1.8 million users to create and sign digital documents, has suffered a major data breach. Nitro issued an advisory on the 21st October stating they had experienced a low-impact security incident and that no customer data was at risk. That was not the whole story: a database of 70 million records containing email addresses, names, hashed passwords and IP addresses was among the data put up for sale via private auction. If you have a Nitro account, it’s advisable to change that password ASAP.

By bleepingcomputer.com

Things You Wish You Had Done Before a Ransomware Attack

The guys at PWNDEFEND have published a new blog highlighting the 10 things you wish you had done before being hit by a ransomware attack. The last thing any of us want when we login for the first time, on a new day at work, is to be presented with a dreaded ransom note. For those of you that want to try and prevent this very scenario, head over to the blog to see what these 10 things can do to help you and your business.

By pwndefend.com

Therapy patients blackmailed for cash after clinic data breach

Patients of Vastaamo, a large clinic based in Finland, have been subjected to a blackmail campaign, after their data was stolen in a breach. Personally identifiable information and recorded notes about therapy sessions were stolen during two incidents in November 2018 and March 2019. Patients are being contacted by ‘the ransom guy’ and ordered to pay increasing fees, and if they fail to pay, their details and sessions will be published online. Approximately 300 records have so far been published on the dark web.

By bbc.co.uk

Threats

DNS attacks target service providers

DNS based attacks are on the rise with over 83% of service providers experiencing some form of attack. Common attack types used by hackers were phishing attacks (37%), DNS-based malware (33%), DDoS attacks (27%), lock-up domain attacks (22%), which may cause DNS services to exhaust their resources. Successful DNS attacks can have far reaching consequences, affecting both the provider and its customers, experiencing disruptions and outages. An effective DNS security architecture is key to fend off these attacks and avoid unwanted impact.

By helpnetsecurity.com

FBI Warns of Major Ransomware to Healthcare

An alert has been issued by CISA, the FBI and the US Department of Health and Human Services, warning of the continued threat of ransomware attacks on the health sector. Even during the pandemic, attackers continue to use malware such as Ryuk and TrickBot against healthcare organisations, resulting in ransomware, data theft and disruption to health services. Recommendations include a strict patching regime, network segmentation and regular offline backups, to help with both prevention and recovery.

The CISA alert can be found here.

By thehackernews.com

Vulnerabilities & Updates

Oracle WebLogic Flaw Actively Being Exploited

Researchers are warning that a critical remote code execution vulnerability in Oracle WebLogic (CVE-2020-14882) is being actively exploited by malicious actors. The vulnerability affects the WebLogic administration console and was fixed in Oracle’s October quarterly Critical Patch Update. The attack is easy to execute: it requires no privileges and no user interaction, only network access to the console over HTTP. Oracle WebLogic users are urged to review and update their systems as soon as they can.

By threatpost.com

And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #115 – 30th October 2020


By Stuart Hare on 29/10/20

Cyber Round-up for 23rd October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

How Can the Healthcare Industry Prevent Cyberattacks?

Protecting the healthcare industry from cyberattacks is more important than ever, and the biggest threat is people, with research showing that more than 90% of advanced cyberattacks start with phishing emails. Since employees are the biggest risk, security awareness training is essential; by educating your users about phishing attacks and scams, they are much less likely to interact with an email that leads to an attack. Training alone is not enough, though: an email security gateway should also be used to detect suspicious links and attachments, so that many malicious messages never reach a user in the first place. More details on how the healthcare industry can protect against cyberattacks can be found here.

By StaySafeOnline.org

British Airways Fined £20 Million for Breaking Data Protection Laws

British Airways suffered a data breach in 2018 in which the payment card details of around 400,000 customers were stolen. Investigations found that the company had been storing card details without encryption since 2015, and as a result it has been handed the largest fine ever issued by the UK’s Information Commissioner’s Office (ICO). The £20 million penalty also reflects numerous other security failings discovered in the aftermath of the breach, including “a failure to enforce the use of multi-factor authentication” and “a failure to prevent the exploitation of a Citrix vulnerability”. Although this is the largest fine the ICO has handed out, it is small compared to the £183 million originally proposed; the sum was reduced significantly, with the impact of COVID-19 cited as a factor.

By HotForSecurity.BitDefender.com

Albion Online Forums Hacked

Sandbox Interactive, the developers of fantasy video game Albion Online, have announced to their player base that they have suffered a data breach. The hackers managed to gain access to parts of the forum’s user database, which contained usernames and salted / hashed passwords. All players have been advised to change their passwords immediately as the stolen database has been listed for sale. The vulnerability that was exploited to access the database has reportedly been patched, and Sandbox have confirmed that “a full security review" is under way.

By HotForSecurity.BitDefender.com

Threats

Most Common Brands Imitated by Hackers

Check Point Research have released their Q3 Brand Phishing Report, which shows that Microsoft accounts for 19% of all brand phishing attempts this year. The report shows that technology, banking, and social networks were the biggest sectors targeted; it is no surprise that technology tops the list given the rise in remote working this year. If you are unaware of phishing threats, or wish to know more, you can find a list of the most imitated brands here; this also features examples of phishing emails impersonating different companies.

By Blog.Checkpoint.com

Facebook & Office 365 Phishing Scams

Security researchers have discovered two new phishing operations; one targets Facebook Messenger account holders, and the other aims to steal credentials for business services like Office 365. The business-focused campaign has reportedly reached “tens of thousands of inboxes”, and has been seen spoofing applications such as Office, Microsoft Teams and Zoom. Clicking the link in the email sends the user to a phishing kit disguised as a login page; to avoid being blocked in a corporate environment, the attackers use redirects from benign domains (global brands such as Sony.com). Reports suggest that the links can “bypass native security controls offered by victims’ email providers”.

By SCMagazine.com

Vulnerabilities & Updates

Adobe Fixes 18 Critical Flaws in Latest Patch

Adobe has released their latest batch of security updates, which address 20 total vulnerabilities affecting Windows and macOS, 18 of which are considered critical. There are patches available for Adobe Creative Cloud Desktop Application, Adobe InDesign, Adobe Media Encoder, Adobe Premiere Pro, Adobe Photoshop, Adobe After Effects, Adobe Animate, Adobe Dreamweaver, Adobe Illustrator, and Marketo. The critical flaws could allow an attacker to execute arbitrary code on vulnerable systems; we recommend applying the latest updates as soon as possible to protect against these kinds of attacks. A full list of the addressed vulnerabilities can be found here.

By BleepingComputer.com

WordPress Forces Security Update for Severe Plugin Vulnerability

WordPress’ security team has taken action against a newly discovered SQL injection flaw that affects the Loginizer plugin. The team immediately patched this bug and considered it serious enough to force a security update for all sites running the plugin. Forcing updates is rare for the WordPress team, and the public isn’t happy about it; however, many security experts believe it was entirely necessary due to the severity of the vulnerability. Loginizer is a very popular plugin, with more than one million installs; this is likely one of the reasons why patching it was such a priority.

By ZDNet.com

And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #114 – 23rd October 2020

By Joshua Hare on 22/10/20

Cyber Round-up

Cyber Round-up for 16th October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Docsketch Security Breach

An electronic document-signing service called Docsketch recently announced they had suffered a security breach in which a three-week-old copy of their database was accessed. This breach occurred back in August, and the company has since revealed that the stolen information included names, signatures, personal data and, in some cases, payment card and login details. They also confirmed that some passwords were included; although they were clear that the password strings were salted and hashed, the strength of the hashing was not stated. Docsketch have begun sending alerts to customers they believe were affected; however, we recommend all users of this service update their passwords as soon as possible.

By ZDNet.com

Carnival Cruise Line Operator Suffers Ransomware Attack

Carnival Corporation, the world’s largest cruise line operator, recently confirmed that they had suffered a ransomware attack. The attack occurred back in August 2020, and reportedly included “unauthorised access to personal data of guests and employees”. The security team is currently investigating the attack and has so far found no indication that the stolen data has been misused. It is not currently known if the ransom has been paid, as the investigation is still ongoing; details on the attack and initial compromise can be found here.

By BleepingComputer.com

Threats

Microsoft Issue Warning for New Android Ransomware

Microsoft’s cyber security researchers have discovered a new type of ransomware designed to infect Android devices. This new malware uses entirely new techniques and capabilities, including open-source machine learning and the ability to evade detection by security solutions. This variant also uses social engineering and disguises itself as popular applications; however, it does not encrypt data or lock users out of their device. Instead, it displays a ransom note message over every window that the user tries to open; the note threatens the user and urges them to pay a ransom. To ensure that you do not become a victim of this attack, we advise that you only download applications from trusted app stores and avoid third-party stores, which are notorious for distributing malicious apps.

By HackRead.com

Lemon Duck Cryptominer Catches Attention of Cisco Talos

With ransomware attacks being so prominent lately, everything else has been pushed out of the spotlight. However, Cisco Talos recently discovered a new campaign that uses a multi-modular botnet in combination with a cryptocurrency mining payload. The threat has been named ‘Lemon Duck’, and it has seen an increase in activity over the last few months, despite having been inactive since December 2018. Talos advises that everyone “monitors the behaviour of systems within their network to spot new resource-stealing threats such as cryptominers”, and with Lemon Duck’s increasing presence, we strongly recommend you follow this advice.

By Blog.TalosIntelligence.com

Vulnerabilities & Updates

Microsoft October 2020 Patch Tuesday

Microsoft’s October Patch Tuesday is finally here, and it addresses 87 total vulnerabilities. These include 21 RCE flaws, the most dangerous of which is a remote code execution vulnerability in the Windows TCP/IP stack; it allows a remote attacker to take over the target system by sending malicious ICMPv6 Router Advertisement packets. A list of all the addressed vulnerabilities can be found here; please remember to apply the latest patches as soon as possible.

By ZDNet.com

Apple Report 55 New Security Flaws

A team of security researchers has discovered 55 new vulnerabilities affecting Apple software and services, 11 of which are considered critical. The group disclosed their findings to Apple, who began patching immediately; as part of Apple’s bug bounty program, the team of researchers have been awarded a $288,500 payout. 28 of the 55 were patched within 1-2 days, and the rest are currently in progress. The critical flaws included remote code execution, authentication bypass, command injection and memory leak vulnerabilities. We recommend updating your Apple devices regularly, or preferably, setting your devices to update automatically as soon as future patches become available.

By TheHackerNews.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #113 – 16th October 2020

By Joshua Hare on 15/10/20

Cyber Round-up

Cyber Round-up for 9th October

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Using Personal IT to Work from Home

Does your organisation have a Bring Your Own Device (BYOD) policy? If so, you may be interested in what you can do to ensure your company data is being accessed securely on employees’ personal devices. As always, user awareness plays a big part in information security; as an employee, you should always be looking out for suspicious phishing attempts. On top of this, keeping your devices up to date ensures that you are not at risk from known vulnerabilities. Additional guidance on the use of personal devices for remote workers can be found here; we advise you look into this if your organisation has recently adopted a BYOD policy.

By NCSC.gov.uk

Blackbaud Hack Compromises Bank Details and Passwords

Cloud computing provider Blackbaud suffered a ransomware attack back in May which saw the information of 166 UK organisations stolen by hackers; this number includes universities, schools, and charities. New findings suggest that millions of people worldwide may have been affected as well, including international clients such as hospitals and human rights organisations. This new investigation also found that the criminals had access to unencrypted customer data, including bank account information, social security numbers, usernames, and passwords. Most of the sensitive data was encrypted; however, it is worth noting that this was not the case for all of it, as stated above. Since the breach, the firm claims to have paid the ransom despite being advised against it; the hacker group also claims to have destroyed the stolen data after the payment was made.

By BBC.co.uk

COVID-19 Trials Delayed Due to Ransomware Attack

Medical software company eResearchTechnology has been hit by a ransomware attack. The company is currently conducting clinical trials for a COVID-19 vaccine; however, the actions of the attackers have halted this process. The motivations of the group are unclear at this time, and it is not yet known if the ransom was paid; despite this, the firm is now in recovery mode and is making progress in restoring its systems. eResearchTechnology was responsible for 75% of all FDA drug approvals last year, which shows how much of an impact this attack has had.

By ThreatPost.com

How to Increase Mobile Security in iOS 14

iOS 14 is the latest operating system for Apple’s mobile devices; the upgrade brought with it a number of important security and privacy features that really enhance your iPhone. A new feature was implemented in Apple’s password manager; this security recommendation update warns users when their saved passwords have been compromised in a data breach. This new feature is amazing and prompts you to change your password as soon as its security checks detect a compromise. Apple seems to be making all the right moves when it comes to security, and we are excited to see what they produce in the future.

By Forbes.com

Threats

Google Issues Warning About Security Flaws in Android Phones

Google are determined to restore everyone’s faith in the Android operating system, despite its reputation for a lack of security. In a recent announcement, Google stated they are taking the necessary steps to resolve their issues. They said they are working to “drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners”. This means that Google’s Android Partner Vulnerability Initiative (APVI) will be addressing several security flaws found in third-party Android devices. This is directly aimed at Android devices that are not maintained by Google; the uncovered vulnerabilities include insecure backups, password manager flaws and more. More details can be found here on the APVI’s bug tracker.

By GrahamCluley.com

Vulnerabilities & Updates

Chrome 86 Introduces Massive Security Upgrades

Google released Chrome 86 this week, and a number of huge security enhancements along with it. These features include password security and insecure download protection. These changes will be introduced for both desktop and mobile users, and even include automatic update checking for the browser. Additional support for password check-ups is also being implemented, which aims to warn users if any of their saved passwords have been involved in a data breach; a prompt urging you to change your password will be displayed if this check finds a match. These are big steps in the right direction when it comes to security, and we can expect more important updates from Google in the future.

By BleepingComputer.com

And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.

We hope this makes for light reading during these times of uncertainty.

Stay Safe, Secure and Healthy!

Edition #112 – 9th October 2020

By Joshua Hare on 8/10/20

Cyber Basics
Security Guidance

Cyber Basics: Email Security

This is the third post in our series aiming to provide you with more guidance on the fundamentals of cyber security, this time focusing on Email Security.

By focusing on these cyber basics you can significantly improve your cyber maturity and help prevent over 80% of the common cyber threats active today.

Email Security

As we explained in the previous post, email has been the biggest vector used in cyber-attacks for many years, with over 95% of attacks delivered using email. Email attacks have a high success rate for the bad guys, which is the reason why they only continue to increase.

Most email attacks, such as phishing, rely on deceiving the user or impersonating a trusted source; the goal is to convince the target to click a malicious link or download a malicious attachment. Once clicked or downloaded, you could be directed to a bad site that steals credentials, or malware could be installed on your device.

Now some people reading the above paragraph will see phishing, clicking on links and downloading attachments, and immediately jump to Security Awareness training for users as the preventative measure to stop these threats.

Although this is a reasonable jump, and is definitely a valid response to these challenges, like other controls it is not a silver bullet for the problem.

Just to be clear, there is no silver bullet single solution that can solve all your security problems.

Awareness training is a great tool, but we humans have a knack of making mistakes; even seasoned infosec veterans can fall victim and click stuff if they have a lapse in concentration or haven’t had enough coffee in the morning.

This is why training alone is not enough. In true defence in depth style, we also need technology to assist us with preventing threats, when these mistakes inevitably happen.

This is where an Email Security solution comes in, to protect our users from ever-present evolving email attacks.

Below we will cover some of the key benefits provided by modern Email Security solutions.

Spam Email Prevention

Spam is unwanted junk email that can originate from a business promoting ads for commercial benefit, or, most often, is used to deliver online scams. Typical scams include ‘You have won a prize - send us all your details so we can pay you’, or the old school Nigerian Prince scheme that promises you millions in exchange for your bank account details. Spam has been a huge nuisance to users and email administrators alike for many years.

When email went mainstream in the 90s, spam took off, bombarding users’ mailboxes with junk. The very first email security products focused on filtering out this spam.

Today, Spam accounts for more than 80% of email sent every day. According to Cisco Talos, during August 2020 they witnessed a total of 406 Billion emails sent, of which 344 Billion were Spam.

Talos Email and Spam Data

By preventing Spam, you can increase productivity, allowing users to get to the important messages quicker, while email admins have less demand on their time from dealing with high levels of unwanted email.

Reduce the Threat of Phishing Attacks

While Spam is largely an annoyance due to the volume of unwanted emails received, phishing presents a very real threat to anyone with an email account. A phishing attack aims to trick the user into taking an action and handing over sensitive information.

Attackers send masses of fake emails to potential victims, mimicking real companies like Google, Facebook, Amazon and PayPal, in an attempt to steal your credentials, money, or personal information. Once the bad guys have your information, they can gain access to your accounts and company systems, commit identity fraud, or sell your personal information on dark web forums.

Attackers have real success with phishing, which is why some groups work hard on evolving their phishing emails, making them as convincing as possible. Unfortunately, this makes them much harder for our users to spot, which is why we need technology, in the form of email security, to detect and stop them for us.

Protection from Malicious Links

A common inclusion in most email attacks today, whether phishing or scams, is the presence of malicious links. These bad links, when clicked, direct the victim to an online site or service with the intention of stealing personal information, gaining access to user accounts (usernames and passwords) or downloading malware to infect your PC or mobile device.

With Email Security, users are protected via link rewrite and inspection features. Before the email is delivered to the user’s inbox, the email security solution rewrites each link so that it points to the email inspection engine. In the inevitable event that a user clicks one of these links, email security inspects it before allowing access to the destination. If the inspection determines the link is bad, the user will be presented with an on-screen block notification.

Safe Links Block
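As an added illustration of the link rewrite and inspection flow described above (example code written for this post, not any vendor’s implementation): each link in the body is wrapped to point at a hypothetical inspection endpoint, and at click time the wrapper checks the link’s signature and the destination host against a constructed blocklist. The endpoint, signing key, blocklist and sample message body are all assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical inspection endpoint and signing key; a real product has its own.
INSPECT_BASE = "https://inspect.example.invalid/click"
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Constructed blocklist standing in for a vendor's URL reputation feed.
BLOCKED_HOSTS = {"paypa1-login.example.invalid", "secure-update.example.invalid"}

# Matches http(s) links in a plain-text body (HTML bodies would need an href parser).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _tag(url: str) -> str:
    """Short HMAC over the original URL, so only our rewriter can mint wrapped links."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_url(original: str) -> str:
    """Wrap one URL so that a click lands on the inspection engine first."""
    return INSPECT_BASE + "?" + urlencode({"u": original, "t": _tag(original)})


def rewrite_links(body: str) -> str:
    """Rewrite every link in the body before the message is delivered to the inbox."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def inspect_click(wrapped: str) -> tuple:
    """Time-of-click inspection. Returns ("allow", original_url) or ("block", reason)."""
    qs = parse_qs(urlparse(wrapped).query)
    original = qs.get("u", [""])[0]
    tag = qs.get("t", [""])[0]
    # Reject links that were not produced by the rewriter (or were edited afterwards).
    if not hmac.compare_digest(tag.encode(), _tag(original).encode()):
        return ("block", "tampered or unsigned link")
    host = (urlparse(original).hostname or "").lower()
    # Checking at click time means a domain flagged after delivery is still caught.
    if host in BLOCKED_HOSTS:
        return ("block", f"host {host} is on the blocklist")
    return ("allow", original)


# Constructed sample message body (not a real phishing email).
SAMPLE_BODY = (
    "Your account needs attention. Sign in at "
    "https://paypa1-login.example.invalid/verify within 24 hours, "
    "or read our help page at https://help.example.org/faq"
)

if __name__ == "__main__":
    delivered = rewrite_links(SAMPLE_BODY)
    print(delivered)
    for link in URL_RE.findall(delivered):
        print(inspect_click(link))
```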

Stopping Malicious Attachments

Like Spam, malicious email attachments have been around since the early days of email. With no real prevention in place initially, hackers would send virus file attachments to unsuspecting users, knowing they had a very high probability of being opened. Once executed the attachments infect the device with malware (viruses, trojan horses, worms etc.), gaining control of the device, deleting files, or spreading the malware to other users.

Although mail services have improved in protecting users, the basic offerings do not deliver sufficient prevention. Attackers are now constantly evolving their malware to disguise it and bypass these default protection measures.

One of the biggest threats today is a piece of malware called Emotet. Emotet is a great example of advanced malware, that leverages email to infect its victims via malicious Office document attachments. More information on Emotet can be found here.

Email security is a must for enabling effective protection against malicious attachments. Each vendor solution works slightly differently, but essentially the attachment is scanned prior to the email being delivered to the user. If it is deemed bad, the attachment is quarantined immediately, preventing the threat; typically email security then notifies the user and email administrator of the block.

Conclusion

The third post in the cyber basics series covers the essentials of email security and the benefits to an organisation. With email being a primary starting point for cyber-attacks, securing your email services has never been more important.

As described, continuing with the basic security measures provided by email clients and services is not enough to prevent today’s modern email attacks. Vendor solutions such as Cisco’s Email Security / Cloud Mailbox Defense, Microsoft’s Advanced Threat Protection, and Proofpoint’s Email Security / Essentials for Small Business are just a few examples that can significantly improve your email defences.

We have not included an exhaustive list of features here; instead we have focused on some of the key benefits and protection points email security can provide.

To summarise, Email Security:

  • Helps to protect against damage to brand and reputation;
  • Increases productivity for staff by reducing unwanted email;
  • Reduces the possibility of successful phishing attacks, scams and fraud;
  • Prevents users from accessing malicious links that seek to install malware, steal personal and financial info or compromise accounts;
  • Protects against malicious attachments that can infect devices;
  • Enables anti-spoofing and email impersonation protection, which helps to prevent Business Email Compromise / financial fraud;
  • Gives users the ability to report suspicious emails they receive;
  • Allows self-service release for incorrectly blocked emails;
  • Leverages threat intelligence that keeps you secure from the very latest email threats.

To conclude, Email Security is an important component of your Cyber Basics delivery.

We hope this post has been useful and please stay tuned for further articles in this Cyber Basics series.

By Stuart Hare on 3/10/20
