NCSC - Weekly Threat Report 03 November 2017

Fake speeding notices deliver malware

Police forces around the UK are warning motorists not to be taken in by a phishing email falsely informing them that they need to pay a speeding fine. The realistic-looking email, entitled ‘Notice of Prosecution’, claims to have ‘photographic’ evidence, but clicking on the associated link will upload banking malware to the victim’s device.

The email appears official, with the logos of either the local police force or ‘gov.uk’, but several features indicate that it is fake. Spelling and grammatical errors are a fairly obvious sign, and the speed at which the vehicle was allegedly caught is unrealistic, e.g. travelling at 89mph in an area with a 25mph speed limit. Phishing emails rely on several factors to be successful, including evading spam filters, the appearance of credibility, and being able to make the recipient take action immediately.

The police have advised that any ‘Notice of Prosecution’ would be posted to the vehicle owner’s address and never sent in an email. They also advised people to delete the email without clicking on any links.


Code-signing certificates worth more than guns on the Dark Web

An investigation into the sale of code-signing certificates on the Dark Web, by a company specialising in identity protection solutions, suggests they are selling for up to $1,200, making them more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun. This relatively high price presumably reflects customer demand.

This is not the first time that security researchers have highlighted the issue of stolen or fraudulently obtained code-signing certificates. Since at least 2011, they have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed.

Over the years, attackers have managed to sign their malicious executables with certificates obtained by a variety of methods – reportedly stealing them from technology companies (including some well-known names), penetrating the networks of companies and using their signing facilities, or applying for certificates in the names of fake companies or real companies who have no need for them. As far back as 2010, the destructive worm Stuxnet included components that were signed with stolen certificates. More recently, the cyber actors who corrupted an update of clean-up tool CCleaner managed to get the update signed.

Amongst other things, this highlights the fact that, when attackers do manage to penetrate a network, they will often seek out things that facilitate further intrusions – like passwords (not only password caches, but sometimes also emails containing passwords or access codes), cookies, digital certificates and keys. System administrators should make sure they know where these are located.
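The advice above is that administrators should know where certificates and private keys live on their systems. The following is an added example, not NCSC code, of a small inventory script that walks a directory tree and reports files that look like private key material (PEM-encoded private keys, including whether they are encrypted, and PKCS#12/keystore containers by extension). The sample directory it builds is constructed for the demonstration and contains no real keys.

```python
import os
import re
import tempfile
from pathlib import Path

# PEM markers for common private-key encodings (PKCS#1, PKCS#8, EC, DSA, OpenSSH, encrypted PKCS#8).
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Container formats that normally hold a private key together with its certificate chain.
BINARY_KEY_EXT = {".pfx", ".p12", ".jks", ".keystore"}


def classify(path: Path, max_bytes: int = 65536):
    """Return (kind, detail) if the file looks like key material, else None."""
    suffix = path.suffix.lower()
    if suffix in BINARY_KEY_EXT:
        return ("pkcs12-or-keystore", suffix)
    try:
        with path.open("rb") as fh:
            head = fh.read(max_bytes)  # PEM headers sit at the start; no need to read whole files
    except OSError:
        return None
    m = PEM_KEY_RE.search(head)
    if m:
        # Legacy OpenSSL encryption uses a Proc-Type header; PKCS#8 uses the ENCRYPTED label.
        encrypted = b"ENCRYPTED" in m.group(0) or b"Proc-Type: 4,ENCRYPTED" in head
        return ("pem-private-key", "encrypted" if encrypted else "PLAINTEXT")
    return None


def inventory(root):
    """Walk `root` and list every file that classify() flags, with its permission bits."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            f = classify(p)
            if f:
                mode = p.stat().st_mode & 0o777  # world-readable plaintext keys are the urgent ones
                findings.append({"path": p.relative_to(root).as_posix(),
                                 "kind": f[0], "detail": f[1], "mode": oct(mode)})
    return sorted(findings, key=lambda d: d["path"])


def build_sample_tree():
    """Constructed throwaway directory for the demo; the key bodies are placeholders, not real keys."""
    root = Path(tempfile.mkdtemp(prefix="keyinv-"))
    (root / "build").mkdir()
    (root / "build" / "release-signing.key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    (root / "build" / "vault.pem").write_bytes(
        b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n")
    (root / "build" / "codesign.pfx").write_bytes(b"\x30\x82constructed-pkcs12-stub")
    (root / "README.txt").write_text("no secrets here\n")
    return root


if __name__ == "__main__":
    for finding in inventory(build_sample_tree()):
        print(finding)
```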


The Dark Overlord – Systematic cyber-enabled extortion

A cyber crime group called ‘The Dark Overlord’ has claimed responsibility for conducting cyber-enabled extortion campaigns in recent weeks. Victims include a London-based plastic surgery clinic and a Hollywood production studio, both of which are believed to have a number of high-profile clients. The group has a history of hacking organisations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain. They leak snippets of data to the media to encourage them to report on their activity. This is aimed at “proving” that a breach has taken place, and increases the pressure on the victim to pay the ransom. ‘The Dark Overlord’ has been responsible for indiscriminately targeting health institutions, schools and media production companies over the last year.

Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted, and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public.  Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximise impact. This may inspire other cyber extortionists to adopt a similar methodology, especially as new opportunities present themselves due to an increasing amount of sensitive data being stored online. Any data breach and the associated media exposure may cause significant reputational damage and loss of business.

NCSC - Weekly Threat Report 27th October 2017

Bad Rabbit Ransomware

This week, ‘Bad Rabbit’ ransomware infections have been reported in countries including Russia, Ukraine, Bulgaria, Turkey, Germany and Japan. The NCSC has not received any reports that the UK has been affected by this latest malware attack. The majority of infections have been in Russia, where media organisations were worst affected. Russia’s Interfax News Agency suffered outages to several of its services, including its news portal. Ukrainian victims included the Ministry of Infrastructure, Odessa airport and Kiev metro.

Bad Rabbit asks victims to pay 0.05 Bitcoin (currently worth approximately £210) to restore their files. A small number of transactions are reported to have been made, although these are unconfirmed, and it is currently unknown whether paying the ransom leads to decryption of files. The infection vector is believed to be via certain compromised media websites in the affected regions, which ask the user to execute a fake Adobe Flash Player update. Researchers including FireEye and Crowdstrike have identified several links between Bad Rabbit and the NotPetya ransomware, including the use of similar JavaScript code to redirect victims. While claims have been made that Bad Rabbit made use of the EternalBlue exploit leveraged by WannaCry and NotPetya, these have been widely refuted; subsequent claims have been made that the EternalRomance exploit was leveraged.

It is currently unclear who is responsible for this ransomware. NCSC technical analysis is ongoing to provide more clarity on technical indicators. There are no reported UK victims to date. Nevertheless, it should be noted that UK organisations would be vulnerable were they to visit any of the infected websites. In the case of NotPetya for instance, a number of UK organisations were infected. The NCSC has provided some mitigation advice in its public statement, highlighting the importance of patching, using proper antivirus services and having effective backup procedures. In addition to this, Bad Rabbit makes use of a set of hard-coded username/password combinations in order to attempt to spread to SMB shares on the local network. Organisations should ensure that these username/password combinations do not exist anywhere on their network, and in general that they follow good password practices.
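The spreading behaviour described above, a single infected host trying a list of hard-coded usernames and passwords against SMB shares across the network, leaves a recognisable pattern in Windows Security logs: one source address generating network logons (logon type 3) for many different accounts against many different hosts in a short window. The detection rule below is an added example, not NCSC tooling; the event records are constructed sample data, and the event IDs used (4624 successful logon, 4625 failed logon) are the standard Windows Security log IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, reduced to the fields the rule needs:
# (timestamp, event_id, logon_type, source_ip, target_host, account).
# 4624 = successful logon, 4625 = failed logon; logon type 3 = network logon (SMB, admin shares).
SAMPLE_EVENTS = [
    ("2017-10-24T10:00:01", 4625, 3, "10.0.0.15", "FS01", "Administrator"),
    ("2017-10-24T10:00:01", 4625, 3, "10.0.0.15", "FS01", "Admin"),
    ("2017-10-24T10:00:02", 4625, 3, "10.0.0.15", "FS01", "backup"),
    ("2017-10-24T10:00:02", 4625, 3, "10.0.0.15", "WS07", "Administrator"),
    ("2017-10-24T10:00:03", 4625, 3, "10.0.0.15", "WS07", "Guest"),
    ("2017-10-24T10:00:03", 4624, 3, "10.0.0.15", "WS07", "backup"),   # a guess that worked
    ("2017-10-24T10:00:04", 4625, 3, "10.0.0.15", "WS09", "Administrator"),
    ("2017-10-24T10:00:05", 4625, 3, "10.0.0.15", "WS09", "root"),
    # Benign noise: one user mistyping their password at one host, then an interactive logon elsewhere.
    ("2017-10-24T10:03:10", 4625, 3, "10.0.0.22", "FS01", "alice"),
    ("2017-10-24T10:03:15", 4625, 3, "10.0.0.22", "FS01", "alice"),
    ("2017-10-24T10:03:20", 4624, 3, "10.0.0.22", "FS01", "alice"),
    ("2017-10-24T10:05:00", 4624, 2, "10.0.0.31", "WS03", "bob"),
]


def parse(rec):
    t, eid, ltype, src, host, user = rec
    return {"time": datetime.fromisoformat(t), "event_id": eid, "logon_type": ltype,
            "src": src, "host": host, "user": user.lower()}


def find_credential_spraying(events, window=timedelta(minutes=2), min_users=3, min_hosts=2):
    """Flag any source that attempts >= min_users distinct accounts over network logons
    against >= min_hosts distinct hosts inside `window`. Successful guesses are listed
    separately so responders know which hosts to treat as compromised first."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["event_id"] in (4624, 4625):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for start in range(len(evs)):
            # Window anchored at each event in turn; fine for log volumes of this size.
            span = [e for e in evs[start:] if e["time"] - evs[start]["time"] <= window]
            users = {e["user"] for e in span}
            hosts = {e["host"] for e in span}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                alerts.append({
                    "src": src,
                    "first_seen": span[0]["time"].isoformat(),
                    "users": sorted(users),
                    "hosts": sorted(hosts),
                    "successes": sorted({(e["host"], e["user"]) for e in span if e["event_id"] == 4624}),
                })
                break  # one alert per source is enough for triage
    return alerts


def run(records=SAMPLE_EVENTS):
    return find_credential_spraying([parse(r) for r in records])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```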

Is Reaper the new Mirai?

In September, cyber security firms reported the discovery of a new botnet that targets, and could already have infected millions of, vulnerable internet connected devices.

The botnet (named variously as ‘IoTroop’; ‘IoT_reaper’ or ‘reaper’) has been targeting a number of known vulnerabilities found in popular device brands including internet connected cameras and Wi-Fi routers.

Reaper is being compared to the Mirai botnet which caused serious disruption to the Dyn domain name server provider and thousands of customer websites in October 2016.  Some of Reaper’s code is reportedly similar to Mirai, however, researchers believe Reaper has many more capabilities than Mirai and the potential to cause a lot more damage.  The fast rate that Reaper has been infecting devices is also concerning and the attacker appears to be updating the malware regularly.

The purpose of the Reaper botnet is currently unclear as it does not yet appear to have been used for malicious purposes. It is possible that, like the Hajime botnet identified earlier this year, there will be speculation that it has been developed to stop vulnerable devices being harnessed for malicious activity, but it would be best to assume the worst until proven otherwise.

Ensuring your devices are fully patched and limiting access to these devices will help protect from compromise. For further advice see our 10 steps to cyber security.
 

Washington Cyber Conference reportedly targeted by hackers

The International Conference on Cyber Conflict (CyCon) will be held 7-8 November in Washington and will host a high-level gathering of NATO and US military cyber experts.

A recent Cisco report has highlighted that this conference has been targeted by cyber actors known as ‘APT28’ and ‘Fancy Bear’. Cisco report that this actor has modified an existing Microsoft Word flyer publicising the conference, added reconnaissance malware to it and has conducted an email campaign to infect potential victims. The modified document contains an embedded Visual Basic for Applications (VBA) macro which is executed when the document is opened and automatically installs the malware. Running any macro within any externally produced Microsoft Word document will usually generate a warning which must be explicitly approved by the user. However, the user is more likely to override the warning and execute the macro if the malware-bearing email appears to be from a legitimate contact.

Word and PDF documents are one of the most common ways to spread malware, so, as a security measure, Microsoft deliberately turned off auto-execution of macros by default many years ago. Many current malware infections rely on persuading the user to turn macros back on. We assess with high confidence that cyber actors will likely continue to use creative and current specialised topics to compromise targets. It is likely that this campaign has been targeting people linked to government/military cyber security.
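Because modern Word documents are OOXML zip packages, the presence of a macro can be checked before the file is ever opened: a macro-bearing document carries a vbaProject.bin part and declares it in [Content_Types].xml. The checker below is an added example, not NCSC or Cisco code; it inspects both the part list and the content types (either alone can be tampered with) and flags a macro part inside a file whose extension claims to be a plain .docx. The sample packages it builds are constructed stubs, not real Word files.

```python
import io
import re
import zipfile

VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
DOCM_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_office_document(data: bytes, filename: str = ""):
    """Describe whether an OOXML package carries VBA macros and why we think so."""
    if not data.startswith(b"PK"):
        return {"ooxml": False, "has_macro": False, "reasons": ["not a zip/OOXML container"]}
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(VBA_PART_RE.search(n) for n in names):
                reasons.append("vbaProject.bin part present")
            try:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                ct = ""
                reasons.append("missing [Content_Types].xml")
            if MACRO_CONTENT_TYPE in ct:
                reasons.append("vbaProject content type declared")
            if ".macroEnabled" in ct:
                reasons.append("macro-enabled main document type")
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_macro": False, "reasons": ["corrupt zip"]}
    has_macro = ("vbaProject.bin part present" in reasons
                 or "vbaProject content type declared" in reasons)
    # A macro part inside a file presented as .docx is a strong sign of tampering or evasion.
    if has_macro and filename.lower().endswith(".docx"):
        reasons.append("extension mismatch: macro part inside .docx")
    return {"ooxml": True, "has_macro": has_macro, "reasons": reasons}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a genuine Word document)."""
    main_ct = DOCM_MAIN_TYPE if with_macro else DOCX_MAIN_TYPE
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Default Extension="xml" ContentType="application/xml"/>',
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE compound files; this is just a stub with the OLE magic.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-ole-stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_document(build_sample(True), "conference-flyer.docx"))
    print(inspect_office_document(build_sample(False), "conference-flyer.docx"))
```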


NCSC - Weekly Threat Report 20th October 2017

KRACK – a fundamental flaw in Wi-Fi security

Security researchers from Belgium have found that the majority of Wi-Fi connections are potentially vulnerable to exploitation because of a fundamental weakness in the wireless security protocol – WPA2. The exploit is called “KRACK”, which is short for Key Reinstallation Attack. Reports suggest that at most risk are Linux operating systems, Internet of Things (IoT) devices and 41% of Android devices. However, many of these, especially IoT devices, may never get patched.

For further detail on this flaw, please see our KRACK guidance and the latest blog.
 

Swedish transport networks hit by DDoS attacks

Media reported last week that trains were delayed in Sweden after the transport sector was successfully targeted by a series of DDoS attacks. On 11 October, two communication service providers serving the Swedish Transport Administration (Trafikverket) were hit by a DDoS attack, reportedly causing the Trafikverket’s train management system to go down for several hours. Consequently, manual procedures had to be used to handle rail traffic, resulting in delays for the rest of the day. The company also had to resort to using Facebook to keep customers updated as its email system and website were also unavailable. The following day, DDoS attacks targeted the Swedish Transport Agency (Transportstyrelsen) and a public transport operator serving Western Sweden (Västtrafik). The impact of these attacks was less severe, briefly affecting web services including ticket booking.

Some media reports speculate that a state-linked actor may have been responsible, however investigations into the incidents continue. Overall, the case highlights how transport firms can be impacted by attacks on third party service providers (in this case, Trafikverket’s communication service providers).


Cyber-enabled intimidation of NATO personnel in Baltics

According to open source reporting, advanced surveillance techniques (possibly including drone monitoring and/or IMSI grabbing) are being used to pull data from personal smartphones of NATO personnel despite warnings not to use them following previous incidents.  There are accounts of personnel then being approached in public by individuals who convey details pulled from smartphones – in one example details about the personnel’s family.

This is not the first time NATO personnel operating in Europe have reported call interference or unusual behaviour by their mobile phones. Mobile devices operating over the public telephone system are susceptible to exploitation including interception of communications or tracking of the user. The capability to mount operations against personal electronic devices, including the use of rogue cell towers is within technical and financial reach of well-resourced threat actors. However, the more recent reporting is different as exploitation of devices has been followed up by personal approaches.

It is almost certain that personal mobile devices will increasingly become targets for a wide range of threat actors due to the amounts of personal information they hold, which is useful for espionage, targeting and criminal purposes. Personal mobiles are susceptible to a range of compromise vectors and have widely varying levels of cyber hygiene. This threat could expand beyond NATO personnel to businesses operating in the region or individuals traversing these areas on business or personal trips.


NCSC - Statement: 'Bad Rabbit' malware incident

Statement: 'Bad Rabbit' malware incident

An official statement from the National Cyber Security Centre on the recent 'Bad Rabbit' malware cyber incident. 

A spokesperson for the National Cyber Security Centre said:

“We are aware of a cyber incident affecting a number of countries around the world.

“The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.”

Further information

  • The NCSC recommends that organisations and the public follow the guidance on the NCSC website -  install the latest security software patches, back up data and use proper antivirus software services.
  • The NCSC also recommends that passwords are never re-used across important accounts and also setting up Two-Factor Authentication (also called Two-Step Verification) in the security settings.
  • The National Crime Agency (NCA) encourages anyone who thinks they may have been subject to online fraud or cyber crime to contact Action Fraud at www.actionfraud.police.uk. It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay. 


NCSC - Weekly Threat Report 29th September 2017

Compromise of Deloitte

The Guardian this week reported that the global accountancy firm Deloitte had been hit by a cyber attack that has revealed client email addresses. The hackers may have also accessed usernames, passwords and personal details.

Deloitte provides auditing, tax consultancy and cyber security advice to some of the world’s biggest banks, multi-national companies, media enterprises, pharmaceutical firms and US government agencies. According to the Guardian, Deloitte clients across these sectors had material in the company email system that was breached. The breach was believed to be US-focussed, affecting well-known companies as well as US Government departments. The compromise was discovered in March this year, but it was reported that the attackers may have had access to Deloitte systems since October or November 2016.

According to the newspaper, the hacker compromised the firm’s Microsoft Azure Cloud global email server through an administrator’s account that, in theory, provided them with privileged, unrestricted access. The account required only a single password and did not have “two-step” verification. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which is Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.

Deloitte has stated on its website that only very few clients were impacted and no disruption has occurred to client businesses, to Deloitte’s ability to serve clients, or to consumers. The NCSC statement confirmed that we had engaged with the organisation to better understand the threat and based on current information we understand there to have been minimal UK impact.

Relying on single-factor authentication, such as a username combined with an easy-to-guess password, allows criminals to gain access to a user's account. Simple passwords based on dictionaries, or passwords reused from other systems that may have been leaked, can give cyber attackers easy access to IT systems. Gaining access to the administrator account is the ‘jackpot’ for an attacker and will provide an attacker with unrestricted access to all user accounts.

Two Factor Authentication (or 2FA) is an extra layer of security that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately to hand - such as a physical token, keyfob device, fingerprint, facial recognition or SMS confirmation via mobile phone.

A compromise would be highly unlikely if a complex password or 2FA had been implemented. See the NCSC’s Password Guidance.
 

Banks’ concerns about cloud cyber security

Investment bank Goldman Sachs has in recent days echoed concerns about the number of banks using the same small number of Cloud storage providers – pointing out that those users also include the UK financial regulatory bodies.

The bank’s Head of Technology for Europe, Middle East and Africa argues that the online platforms should be regulated from a resilience perspective, and describes a ‘concentration risk’. The concerns echo those voiced in January by the Bank of England Governor and the chair of the Financial Stability Board, who refer to the risk of a single point of failure if ‘banks come to rely on common hosts of online banking or providers of Cloud computing services’.

The use of an online network, or ‘Cloud’, increases the scale and flexibility of computing capacity, and aligns with the growing desire within the financial services industry for innovative technological business models and processes.

The Financial Stability Board (FSB) alerted the industry in June to the greater reliance on external providers of technology, and hence the potential risk of disruption, specifically citing the Cloud. The FSB highlighted the risks of financial institutions relying on the same third-party Cloud computing and data services providers, and cited other jurisdictions where, for example, guidelines had been issued for Cloud outsourcing, internet banking and technology risk management. Greater co-ordination within finance, and with non-finance partner organisations such as those with a remit for cyber security, was mooted.

Some of the growing concerns voiced within financial services about the Cloud are addressed by the NCSC’s Cloud Security Principles and advice.

 

Cryptocurrency mining by cyber criminals

Recent IBM reporting observes a sixfold increase in the use of specifically CPU-based cryptocurrency-mining malware since the beginning of 2017, a much faster rise than observed for cryptocurrency-mining malware more generally.

While there are many cryptocurrencies, with different characteristics, all rely on ‘miners’, who carry out large numbers of calculations to verify transactions. In exchange for contributing computing power, miners are rewarded with cryptocurrency.

Mining many currencies using a CPU has generally become economically unviable for legitimate users, as running costs outweigh their gains, so they now use graphics cards, or specially designed application-specific integrated circuits (ASICs). Running costs are no obstacle to cyber criminals, however, who can use botnets of compromised machines as miners without needing to worry about the electricity bills. Some newer currencies are also more feasible to mine using a CPU only.

In a related trend, an increasing number of website scripts are being observed which mine cryptocurrency inside a web browser. Such scripts can be used in clearly illegal ways when hidden within adverts (a form of malvertising), but some sites have also shown an interest in such scripts as a form of revenue production to replace or supplement online advertising. Torrenting site The Pirate Bay received significant press coverage when it was revealed to have adopted such scripts without the knowledge or consent of its users. There have also been reports of cyber criminals compromising popular websites and hiding mining scripts in their source code, allowing them to profit from their victim’s visitors.


NCSC - Weekly Threat Report 21st July 2017

New SMB protocol exploit effective against most Windows operating systems

An EternalSynergy based exploit has now been developed which can compromise newer (unpatched) versions of Windows. The original ETERNALSYNERGY exploit released by The Shadow Brokers in April exploited an SMB protocol vulnerability, CVE-2017-0143, to allow attackers to inject code onto Windows machines but only worked on versions up to Windows 8.

A security researcher has now modified and upgraded ETERNALSYNERGY to be able to compromise all supported but unpatched Windows operating systems except for Windows 10. This new exploit code is publicly available to download on GitHub and ExploitDB.

This case shows that exploits previously thought to only be effective against older or unsupported operating systems such as Windows XP can be modified to compromise newer and currently supported systems. This illustrates the importance of rigorous vulnerability management and patching, including patching newer operating systems.

Rise in cyber crime as a service

A new credential-stealing malware, named Ovidiy Stealer, is being sold on cyber crime forums for as little as £6. The low price reflects its limited capabilities. It is non-persistent, so can be removed by simply rebooting an infected computer, but it is reportedly easy to use and capable of harvesting usernames and passwords for a number of common applications. Ovidiy Stealer has compromised targets around the world, including in the UK.

Similarly, a new Phishing-as-a-Service platform, 'HackShit', has been marketing itself to would-be fraudsters. For a monthly subscription, users can generate plausible looking login pages which imitate popular social media and dating sites. The subscribers can also use the platform to trade compromised accounts for cryptocurrency, and to view tutorials on hacking and phishing.

The increasingly low barriers to entry for cyber crime are of concern because individuals with limited technical knowledge can now purchase basic cyber capabilities for a modest sum.

 


NCSC - Weekly Threat Report 14th July 2017

China to ban personal VPNs

The Chinese government has told state-owned telecoms companies to block individuals’ access to virtual private networks (VPNs) by 1 February 2018, according to media reports. The ban will greatly restrict individuals’ unfettered access to the Internet. VPNs have often been used to circumvent China’s Great Firewall and communicate securely with servers outside of China. The Chinese government has increasingly cracked down on them in pursuit of “Internet sovereignty”, or controlling online activity within China’s borders.

The ban on individual access to VPNs follows new rules introduced in June 2017 requiring companies wishing to use VPNs to apply to the government for permission. They also face strict rules on data transfers. Many foreign businesses have expressed concern at the implications for privacy, data protection and the security of their intellectual property. Possible workarounds may exist for technically proficient individuals, but average Internet users face being cut off from the free and open Internet.

Sources: Bloomberg News, “China Tells Carriers to Block Access to Personal VPNs by February” (10 July 2017); Washington Post, “Here’s China’s latest plan to keep its citizens from the open Internet” (10 July 2017)
 

Communications take quantum leap forward in China?

China’s ongoing project to develop an ‘unhackable’ quantum communications (QC) network, where communications cannot be intercepted without being detected, continues to move forward. The country is developing the world’s longest land-based QC network stretching 2,000 km between Beijing and Shanghai. It is being developed in the eastern city of Jinan, where a trial network of 200 terminals will enter service in August 2017. China intends to use it to enable ultra-secure communications for the government, military and commercial banks.

China has also reportedly demonstrated the first ground-to-orbit quantum teleportation (QT) using an experimental satellite. The test was conducted by “entangling” two photons, one on the ground and the other on the satellite, then using quantum physics to transmit information from one to the other at a distance of 500 km. While QT has previously been conducted through fibre-optic cables, a successful trial in space offers the prospect of ultra-secure wireless data communications. China’s claim has yet to be verified by other scientists.


NCSC - Weekly threat report 7th July 2017

Scams follow widely reported attempt to compromise parliamentary email accounts

Following reported attempts by hackers to compromise parliamentary email accounts in June, scammers have recently attempted to gain information by cold-calling (or vishing) MPs and their staff. Posing as staff from the Houses of Parliament’s IT department, the scammers have reportedly been requesting the usernames and passwords of MPs. Vishing, like its online equivalent, phishing, attempts to elicit sensitive information, such as passwords, or encourage victims to visit particular (invariably malicious) websites.

Scammers try to capitalise on heightened public awareness of particular issues. Such social engineering techniques often increase in prevalence following a high-profile incident. For example, following the WannaCry ransomware incident, there were several reported scams, including fake fixes for the malware, and malicious ‘tech support’ services. Phone calls can form part of a blended social engineering campaign, along with emails or social media contact. It is likely that scams such as these will continue to follow widely reported events.


NCSC - Weekly Threat Report 30th June 2017

Password challenges

Passwords have been in the news again recently. Most notably, on Friday 23 June accounts with weak passwords on the UK Parliamentary network were compromised; however, fewer than 1% of the system’s 9,000 accounts were directly affected. Attention was also drawn this week to router password vulnerabilities, as Virgin Media advised customers with Virgin Super Hub 2 home routers to reset their passwords. This followed concerns that the routers had a relatively weak eight-character default password consisting of lower case letters that could be cracked in four days, potentially allowing access to other home devices. Routers supplied by other service providers may also come with default passwords.

Passwords also featured in Ciaran Martin’s interview with BBC’s Today programme (Friday 30 June, 0810) where he recommended that two-factor authentication be used so that a stolen password is much less valuable to a criminal.


A portion of Microsoft Windows 10 source code leaked online

Microsoft has confirmed that a portion of its source code has been leaked online. The initial source of the leak is unknown; however, the content was posted to Beta Archive, one of the largest online ‘Beta and Abandonware’ repositories for prototype software. The leaked content was 1.2GB in size and has since been removed from the Beta Archive site.

Microsoft already shares some of its source code with industry partners and government through its Shared Source Initiative. However, this instance represents an unauthorised leak. A number of theories about who is responsible are currently circulating. Was it one of Microsoft’s trusted partners who already had access to the source code? Or was it a criminal who illegitimately obtained access to the code before leaking it? There is no evidence to confirm either way at this stage. The leak occurred one day after two men were arrested in the UK for unauthorised access to Microsoft’s network; however, there is no evidence that these two incidents are related.

Some reports have highlighted the risks of malicious actors using the leak to identify vulnerabilities in the code before developing exploits to target them.  However, when a similar leak occurred in 2004 of Microsoft’s Windows 2000 code, similar claims were made, but did not result in a significant up-tick in related attacks. Also, white hat hackers may use the leaked code as an opportunity to investigate it for vulnerabilities before reporting them to Microsoft for fixing.

While Microsoft has responded to this incident, questions have been raised about how the source code was originally obtained.


Disgruntled ex-employee conducts Smart Meter Network attack

A former radio frequency engineer used information about systems he had worked on to disable meter reading equipment at several US water utility companies. The individual has since been convicted of two counts of "unauthorized access to a protected computer and thereby recklessly causing damage” and has been sentenced to 12 months in prison.

This case demonstrates the importance of appropriate access management, including removing software accesses when dismissing staff. The software used by the former employee remained on his home computer following termination, and he also retained access to default root passwords. Using this, he took advantage of his pre-existing network and systems accesses to cause disruption (including changing the password to an obscenity and the code for a computer script to the lyrics of a Pink Floyd song), reportedly out of frustration more than a malicious, destructive intent.

Critically this was not a sophisticated cyber attack; the perpetrator knew enough about the system to effectively disrupt it with limited cyber capabilities. Appropriate access management is important not only for employees leaving organisations, but also those moving into different departments where their access requirements may change. Lax access management often enables insiders to have greater, more targeted impact against their organisations.


Cyber crime trends and statistics in 2016

The FBI have recently published their annual internet crime report.  The trending topics for 2016 were Business Email Compromise (BEC), ransomware, technical support fraud and extortion.

A total of 298,728 complaints were received, with reported losses in excess of $1.3 billion.  The FBI estimate that only 15 percent of fraud victims in the US report their crimes to law enforcement.

The UK's National Crime Agency (NCA) considers underreporting a huge barrier to understanding the true scale and cost of cyber crime. The reasons for underreporting include reputational damage; not knowing who to report the crime to; what constitutes a cyber crime; and being unaware that a crime has taken place.

Although figures in the FBI report are not directly comparable with UK statistics, they do indicate similarities in overall trends such as the increase in ransomware crimes, BEC compromise and technical support fraud.

NCA has recently published a report highlighting these cyber crime trends as well as an increase in the prevalence of mobile malware. NCA has also highlighted the Internet of Things (IoT) threat as having become more mature in 2016.

The UK has also seen an increase in technical support fraud, and British law enforcement and Microsoft have been working together for two years investigating these scams.  Criminals will typically trick victims into believing their computers have been infected with malware and then persuade the victim to pay for the problem to be fixed. Sometimes the scam involves a pop-up message appearing on a computer claiming to be "Microsoft Technical Support".  As a result of the investigation, four UK citizens have recently been arrested.

The NCSC has guidance for businesses on understanding the cyber crime model, and for members of the public on how to protect against cyber crime and what to do if you think you have been the victim of one.


Ransomware tool causes widespread disruption

On Tuesday 27 June, widespread disruption was caused in Ukraine by a ransomware tool that spread to other organisations worldwide via trusted networks. The ransomware tool, with similarities to the Petya ransomware that first struck in early 2016, was inserted into a compulsory software update for Ukrainian financial and government institutions.

Once the malware was installed it looked for other systems to exploit, using some of the same worm-like capabilities seen in the WannaCry attacks. In addition, infected devices were subjected to a memory and file system scrape to steal credentials, which allowed the malware to move laterally through a network even if it was patched against the exploits used. This highly crafted tool was designed to spread rapidly, in some cases overwriting the Master Boot Record (MBR) on infected computers and displaying a ransom note asking for payment in Bitcoin. Despite the request for payment, it should be noted that the malware does not store a decryption key, so the attackers could not restore a victim’s files following payment; there have been no reported successful decryptions following payment.

The NCSC announced on Thursday 29 June that while managing the impact to the UK, its experts had found evidence that questioned initial judgements that the intention of this malware was to collect a ransom. The NCSC is investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain.

The malware has spread to a number of organisations worldwide that do business with Ukraine, including Russia’s oil firm Rosneft, Danish shipping concern Maersk and a large UK advertising agency.

Whilst this latest ransomware infection is more limited in scale than WannaCry, it is assessed that the success of these two incidents is likely to motivate other actors who aim to cause widespread disruption to employ “ransomware” to do so.

NCSC - Weekly Threat Report 23rd June 2017

This report is drawn from recent open source reporting.

Fake airline websites distributed by social media

Scammers are using the brands of major global airlines to lure users to fake websites and then encourage them to share links to the sites with friends. When a user clicks through to the sites they are prompted to answer a few simple questions and provide personal information to get free flights. Once they have given away their name, email address, phone number, date of birth and address, they are told they will receive the flights only once they ‘like’ and share the page on Facebook, spreading the fake sites to new victims.

According to threat researchers, cyber criminals were observed registering 95 fake websites in late March using the brands of 19 major airlines, including ones based in the UK.  The personal details provided by the victims are used for fraudulent marketing purposes, namely to drive traffic to websites that provide online promotions and monetisation of web and mobile applications. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize draws etc.) to attract public attention.

In the run up to the summer holidays, this cyber-enabled fraud may lead to lost custom and reputational damage for the airlines. The use of social media to distribute fake websites is likely to continue to increase. It is not limited to airlines and could affect any well-known brand.  There also remains a risk that malicious actors could modify the scheme and use such sites to distribute malware to victims. For guidance see the NCSC’s 10 Steps: Malware Prevention.

NCSC - Weekly Threat Report 16th June 2017

Mouseover malware masquerading in Powerpoint files

According to media reports, a new method of delivering malware has surfaced. 'Zusy' malware, according to IT company ExtremeTech, is a banking trojan whose intention is to steal credentials. The reports suggest that simply hovering your mouse over a link will lead to infection without requiring you to click on anything. However, several stages are required to successfully infect a user.

What is interesting about this malware is that the initial infection vector does not rely on Macros or JavaScript to execute its malicious code. Instead, the malware developer has focused on abusing certain features in Microsoft PowerPoint to download and deploy the banking trojan.

This malware is initially delivered to users through phishing, as an email attachment. Firstly, the user needs to click on and open the attachment, which displays a PowerPoint slide in slide show mode. A segment of text or a picture on the slide carries a hyperlink; the most common message seen at this time is 'Loading...Please wait'. The 'mouseover' malware will only initiate if the user moves their cursor over the text or picture. A command is then executed which attempts to run an external program such as a PowerShell script. At this point Microsoft's security feature, Protected View, which is enabled by default, will display a warning notice allowing the user to disable the program. If the program is not disabled, it will create a backdoor giving the attacker full access to the victim's machine. Users running PowerPoint versions older than 2010 are particularly vulnerable to this type of attack because, when they hover over the link, the preview window opens automatically without giving them the option to disable the malicious program.
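One way a defender can triage a suspicious deck is to inspect the document package itself: the mouseover behaviour described above is a PowerPoint hyperlink action stored in the slide XML, not a macro, so it can be found without opening the file in PowerPoint. The following scanner is an added example, not code from the NCSC or from the reports it cites. It assumes the standard OOXML package layout (ppt/slides/slideN.xml with a matching _rels file) and the ppaction://program action URI that PowerPoint uses for "Run program" actions, and it builds a constructed one-slide sample deck in memory so it runs offline (the program target in the sample is a placeholder, not a real payload).

```python
"""Scan a PowerPoint .pptx for hyperlink actions that launch an external
program on click or mouseover, the mechanism the report describes.
Added example, not NCSC or vendor code. It assumes the standard OOXML
layout (ppt/slides/slideN.xml plus ppt/slides/_rels/slideN.xml.rels) and
builds a constructed sample deck in memory so it runs offline."""
import io
import re
import zipfile

# Action URI PowerPoint stores for a "Run program" hyperlink action.
PROGRAM_ACTION = "ppaction://program"

SLIDE_RE = re.compile(r"ppt/slides/(slide\d+)\.xml$")
HLINK_RE = re.compile(r"<a:(hlinkClick|hlinkMouseOver)\b([^>]*)>")
REL_RE = re.compile(r"<Relationship\b([^>]*)>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')


def _attrs(raw):
    """Turn an element's attribute text into a dict (self-closing '/' ignored)."""
    return dict(ATTR_RE.findall(raw))


def _rels(zf, names, slide):
    """Map relationship ids to targets for one slide's .rels file."""
    name = f"ppt/slides/_rels/{slide}.xml.rels"
    if name not in names:
        return {}
    xml = zf.read(name).decode("utf-8", "replace")
    rels = {}
    for raw in REL_RE.findall(xml):
        a = _attrs(raw)
        if "Id" in a:
            rels[a["Id"]] = a.get("Target", "")
    return rels


def find_program_actions(pptx_bytes):
    """Return one finding per hyperlink whose action runs a program.

    Each finding records the slide, whether it fires on click or mouseover,
    and the external target resolved through the slide's relationships.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            m = SLIDE_RE.fullmatch(name)
            if not m:
                continue
            slide = m.group(1)
            rels = _rels(zf, names, slide)
            xml = zf.read(name).decode("utf-8", "replace")
            for tag, raw in HLINK_RE.findall(xml):
                a = _attrs(raw)
                if a.get("action") != PROGRAM_ACTION:
                    continue
                findings.append({
                    "slide": slide,
                    "trigger": "mouseover" if tag == "hlinkMouseOver" else "click",
                    "target": rels.get(a.get("r:id", ""), "<unresolved>"),
                })
    return findings


def build_sample_deck(malicious=True):
    """Constructed one-slide deck. With malicious=True the 'Loading...Please
    wait' text carries a mouseover action that runs a program (the target is
    a placeholder, not a real payload); otherwise it is an ordinary web link."""
    if malicious:
        hlink = '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
        target = 'Target="powershell.exe" TargetMode="External"'
    else:
        hlink = '<a:hlinkClick r:id="rId2"/>'
        target = 'Target="https://example.com/" TargetMode="External"'
    slide_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
        ' xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">'
        '<p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r><a:rPr lang="en-GB">'
        + hlink +
        '</a:rPr><a:t>Loading...Please wait</a:t></a:r></a:p></p:txBody></p:sp>'
        '</p:spTree></p:cSld></p:sld>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        + target + '/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_program_actions(build_sample_deck()):
        print(f"{f['slide']}: {f['trigger']} action runs {f['target']!r}")
```

Because it reads the package directly, the check works the same on files from any PowerPoint version, including the pre-2010 releases the report singles out, and it can be run at a mail gateway before the attachment ever reaches a user. A deck with only ordinary web hyperlinks produces no findings.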

Historically, malware infections have occurred when the victim clicks on a suspicious link, and general guidance has always advised users to hover over links to check the destination for suspicious executable file types. Users should continue to remain aware and be vigilant when receiving email attachments.

Although this development is not as alarming as it may first appear, the NCSC assesses that we may see a more sophisticated version of this attack vector in the future. The NCSC recommends that users follow NCSC malware guidance which includes regularly updating antivirus software to reduce the risk of being infected.

Enterprises that implement application whitelisting approaches, as described in the NCSC Windows EUD Security Guidance, will also mitigate current variants of this threat by preventing the malicious scripts and programs downloaded by the malware from running.

Industrial Control Systems malware (Industroyer/CrashOverride)

The NCSC is aware of open source reporting providing details of malware dubbed 'Industroyer' or 'CrashOverride', which is reported to be connected with the December 2016 power outages in Ukraine.

Previous media reporting suggests that during this incident, cyber attackers compromised parts of the Ukrainian electricity transmission network, resulting in the loss of electricity supply to customers for approximately one hour.

The NCSC have published on CiSP details of mitigation strategies to secure networks against these attacks. US-CERT have also published analysis and indicators of compromise.

NCSC - Weekly Threat Report 9th June 2017

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting.  Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling. That is, when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity, it could be used to harvest sensitive data such as financial credentials, medical records or corporate business plans. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have also been affected.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach in which sensitive customer data in its US region may have been compromised. OneLogin primarily provides Single Sign On (SSO) and identity management services for corporate customers using cloud based applications. It is not yet clear how the unauthorised access happened, nor its impact, but it is suspected that a threat actor obtained Amazon Web Services (AWS) keys and used them to gain access to the AWS Application Programming Interface (API) via another, smaller provider in the US. The actor was then able to access database tables containing information about users, apps and various types of keys. This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted. Although, like password managers, such services are increasingly considered a better way of managing access, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows operating systems. Qakbot malware is used to target online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute force login details it can cause mass Active Directory lockouts. Some organisations have had thousands of users prevented from using corporate systems as a result.
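Mass lockouts of this kind are visible to defenders as bursts of Windows Security event 4740 (account locked out) on the domain controllers, with many distinct accounts sharing the same caller computer in a short time. The detection logic below is an added example, not NCSC or researcher code; it assumes the 4740 field names TargetUserName and CallerComputerName and runs over a constructed, simplified text export rather than real event XML, flagging any caller that locks out a threshold number of distinct accounts within a sliding window.

```python
"""Detect bursts of Active Directory account lockouts (Windows Security
event 4740) originating from a single caller computer, the symptom the
report attributes to the Qakbot variant's credential brute forcing.
Added example, not NCSC or vendor code. The log lines below are a
constructed, simplified text export; the field names follow the real
4740 event (TargetUserName, CallerComputerName)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# One simplified event per line: "<ISO timestamp> <event id> key=value ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"CallerComputerName=(?P<caller>\S+)$"
)

# Constructed sample: one workstation locks out five accounts in under two
# minutes; another workstation produces isolated, normal-looking lockouts.
SAMPLE_LOG = """\
2017-06-05T08:58:40Z 4625 TargetUserName=alice WorkstationName=WS-017
2017-06-05T09:00:01Z 4740 TargetUserName=alice CallerComputerName=WS-017
2017-06-05T09:00:09Z 4740 TargetUserName=bob CallerComputerName=WS-017
2017-06-05T09:00:15Z 4740 TargetUserName=frank CallerComputerName=WS-042
2017-06-05T09:00:31Z 4740 TargetUserName=carol CallerComputerName=WS-017
2017-06-05T09:01:02Z 4740 TargetUserName=dave CallerComputerName=WS-017
2017-06-05T09:01:45Z 4740 TargetUserName=erin CallerComputerName=WS-017
2017-06-05T09:01:50Z 4740 TargetUserName=alice CallerComputerName=WS-017
2017-06-05T14:30:00Z 4740 TargetUserName=frank CallerComputerName=WS-042
""".splitlines()


def parse_lockouts(lines):
    """Return (timestamp, user, caller) for each 4740 line; other events and
    malformed lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "4740":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, m.group("user").lower(), m.group("caller").upper()))
    return out


def find_lockout_bursts(lines, window_minutes=10, min_accounts=5):
    """Flag callers that locked out at least min_accounts distinct users
    within any window of window_minutes. Returns {caller: (start, users)}
    for the earliest qualifying window per caller."""
    by_caller = defaultdict(list)
    for ts, user, caller in parse_lockouts(lines):
        by_caller[caller].append((ts, user))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for caller, events in by_caller.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                alerts[caller] = (start, sorted(users))
                break
    return alerts


if __name__ == "__main__":
    for caller, (start, users) in find_lockout_bursts(SAMPLE_LOG).items():
        print(f"{caller}: {len(users)} accounts locked from {start:%H:%M:%S}: {users}")
```

The thresholds are deliberately parameters: a help desk will see occasional single-account lockouts from a user's own workstation, whereas a worm spraying guessed credentials locks out many unrelated accounts from one machine, which is the pattern the window-and-count test isolates. In a real deployment the caller computer named in the alert is the first host to isolate.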

According to researchers, the Qakbot code has been completely rewritten and is even more advanced and effective. Its use of code obfuscation and constantly evolving file structures and signatures makes it difficult to detect.

We assess it likely that other malware campaigns will make use of these antivirus-evasion techniques. Users should stay on their guard against suspicious emails and activity, and keep their systems up to date to help prevent infection.

Vulnerabilities

This week’s summary starts with Google, which fixed multiple flaws in both Chrome and Android that could lead to URL spoofing, disclosure of sensitive information and remote code execution.

Cisco released updates for a number of different products (TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management Appliance and 8800 Series IP phones) to address cross-site scripting and bugs that could crash the target, allow unauthorised access or permit remote code execution.

IBM released updates for its Security Access Manager Appliance, Spectrum Protect (IBM Tivoli Storage Manager) and Domino TLS Server to prevent elevation of privilege, viewing of passwords, disclosure of sensitive information and theft of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian-specific updates this week covered perl, nss and zookeeper.

ICS-specific updates were released for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.

NCSC - Weekly Threat Report 2nd June 2017

Android app malware

According to IT security company Check Point, as many as 36 million Android devices may have been infected with ad-click malware. The malware, dubbed Judy, is reported to have been present in approximately 50 apps in Google’s play store, but the total number of infections cannot be accurately determined as it is not known for how long the apps have been malicious.

Those responsible generate money through ad-clicks – in this instance Judy silently imitated a browser and clicked on banners from Google’s ad infrastructure to generate revenue for the malware author. The malware has had little real impact upon the end user, though it does equate to an illegitimate use of a device, and could potentially be exploited for more sophisticated attacks, including: gaining control of devices for additional malware download, conducting DDoS attacks or gaining access to private networks.

Google’s protection system did not immediately identify the problem because the apps themselves did not contain any malicious code. Rather, once downloaded from the play store, the affected apps are designed to call out to a remote server which then delivers malicious ad-click software to devices.

This type of two-stage delivery is increasingly common. Last month, FalseGuide malware was discovered hidden inside apps and games on the play store. Following download, these compromised apps allow malicious actors to install additional malicious software. App stores may come under increased pressure to enhance their scrutiny of apps before permitting them to feature, particularly if the number of instances of adware infections increases.

The NCSC recommends that users only install apps from the official application store for their device. Malicious apps in official stores are more likely to be discovered, and subsequently removed from the store and the device.

RoughTed Malvertising Campaign

Threat researchers at internet security firm Malwarebytes have recently highlighted a significant malvertising campaign, called RoughTed, which has been running for over a year.

Malvertising (or ‘malicious advertising’) uses online advertising as a delivery method for malware. Malware-infected ads can be inserted into popular, legitimate websites, and often do not require user action to be effective: simply visiting an infected site can be enough to get infected.

Criminal use of malvertising as a vector for malware delivery has been an increasing trend since it was first observed in approximately 2007 with the exploitation of a vulnerability in Adobe Flash. In 2015 Google disabled more than 780 million ads that violated their policies, some of which carried malware, up from 524 million in 2014.

RoughTed is notable for its prolific distribution, with associated domains accumulating in excess of half a billion visits in a three-month period. According to researchers, traffic diverted to RoughTed-related domains comes from thousands of different websites, some of which rank in Alexa’s top 500 websites. RoughTed can reportedly profile users by operating system, browser and geolocation before delivering a variety of payloads, including exploit kits and malware. Moreover, RoughTed has been circumventing ad blockers, broadening the pool of potential victims.

NCSC - Weekly Threat Report 26th May 2017

This report is drawn from recent open source reporting.

Russian government reaction to cyber criminals

This week Russia revealed it had arrested a cyber crime gang in November last year for a campaign that raised nearly USD 900,000. The gang was nicknamed ‘Cron’ after the malware it used, which infected over a million Android mobile devices belonging to Russian bank customers. Users unwittingly downloaded the malware via fake mobile banking apps, pornography and e-commerce programs. The ‘Cron’ gang exploited a Russian bank service which allows users to move small amounts of money to other accounts by sending an SMS message: the criminals sent SMS messages from infected devices instructing banks to transfer funds to their own accounts. According to Group-IB, the Russian cyber security company that worked with Russian law enforcement on the investigation, the ‘Cron’ gang were planning to rent a further piece of malware adapted to target banks in France, Germany, the UK and the US, amongst other unnamed countries.

Fake applications that impersonate a brand or organisation are not new. Purchasing from legitimate sources can reduce the risk of acquiring bogus applications.


Fake malware fixes

WannaCry ransomware may not have generated the wealth the scammers responsible were hoping for, but since the attack enterprising criminals have been attempting to cash in on the heightened public awareness of WannaCry. Targeting concerned users, scammers have been offering a range of fake ‘fixes’ and ‘support services’.

This type of social engineering is a common methodology for cybercriminals. Whether viral social media posts, malicious pop-ups or well-crafted phishing campaigns, high profile events such as the WannaCry attack offer cyber criminals a hook to spread malware or to solicit funds.

It’s not only online incidents that criminals seek to take advantage of. Following news of high profile disasters such as Hurricane Katrina in 2005, the 2014 Ebola outbreak and the 2015 Nepal earthquake, scammers set up fake charity websites and sent phishing emails in attempts to steal funds donated for the victims.

Recent examples of scams piggybacking on the WannaCry incident include:

  • Alerts circulating on social media directing users to fake WannaCry patches which deliver malware;
  • A phishing email posing as a BT customer service email which informs the user they are locked out of their BT account and directs them to a malicious link to obtain a ‘security upgrade’ to re-establish full access;
  • Third party app stores offering ‘patches’ for mobile users - despite the fact no mobile operating systems are believed to be vulnerable to WannaCry.

The recent UK Action Fraud alert has more information on specific fraud attempts.

The NCSC guidance page has further information on how to protect against phishing attempts as well as our recent blog on social engineering.


Europol arrest 27 individuals involved in black box ATM attacks

An international law enforcement effort has resulted in the arrest of 27 individuals in connection with a string of successful black box attacks against ATMs across Europe. These attacks are thought to have generated up to EUR 0.5 million for the criminals responsible. Black box attacks are cyber-enabled and involve physically penetrating an ATM’s casing to obtain access to exposed cables and ports. A laptop can then be connected and used to issue instructions to the ATM to cash out its bank notes. These attacks are less sophisticated and more common than cyber-dependent attacks that deploy malware to ATMs remotely, over a financial institution’s network. For more information on the cyber threat to UK ATMs, please see our recent assessment on CiSP.

NCSC - Weekly Threat Report 19th May 2017

WannaCry ransomware attack illustrates risk of using unlicensed software

The WannaCry international ransomware attack has highlighted the risks of relying on unpatched software. The scale of the outbreak has been blamed in part on the widespread use of unlicensed software. Pirated software is often insecure as it does not benefit from manufacturers’ updates to fix vulnerabilities.

Several of the countries reported by cyber security companies to be worst affected are also amongst the countries where unlicensed software is most widely used.

This incident illustrates that while using unlicensed software might be seen as a way of saving money in the short term, it can put cyber security at serious risk and may potentially lead to losses far outweighing any savings.

The NCSC's guidance on protecting your organisation from ransomware can be found here. Further guidance for home users and small businesses as well as enterprise administrators is also available.

NCSC Guidance - Protecting your organisation from ransomware

Created:  17 Oct 2016

Updated:  17 Oct 2016

How to prevent a ransomware incident, and what to do if your organisation is infected.

Ransomware is a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. The first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015[1].  While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to other types of malicious software, as are the steps organisations can take to protect themselves. Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.

This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.

What is ransomware?

There are two types of ransomware: the first type encrypts the files on a computer or network; the second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

Preventing ransomware using good enterprise security

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

The following mitigations are examples of good security practice, and link to other NCSC guidance where available:

  • Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.
  • Controlling code execution - consider preventing unauthorised code delivered to end user devices from running.  One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
  • Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
  • Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.

For more information see Approaching enterprise technology with cyber security in mind.

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.

It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

Limiting the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

  • Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user.  Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
  • Ransomware doesn’t have to go viral in your organisation: limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
  • Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware - the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk.  It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. 

Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Docs use pen and paper after computers scrambled amid global outbreak

Final update UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked their networks.

Some 16 NHS organizations across Blighty – including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire – have had their files scrambled by a variant of the WannaCrypt, aka WanaCrypt aka Wcry, nasty. Users are told to cough up $300 in Bitcoin to restore their documents.

Doctors have been reduced to using pen and paper, and closing A&E to non-critical patients, amid the tech blackout. Ambulances have been redirected to other hospitals, and operations canceled.

It is understood WannaCrypt, which is raiding companies and organizations across the planet today, is being spread by a worm that exploits unpatched vulnerabilities in Windows machines – particularly MS17-010, an SMB bug attacked by the leaked NSA tool, EternalBlue. The security hole has been patched for modern Windows versions, but not Windows XP – and the NHS is a massive user of the legacy operating system.

A spokesperson for NHS Digital said: "We're aware that a number of trusts have reported potential issues to the CareCERT team. We believe it to be ransomware."

East and North Hertfordshire NHS confirmed in a press statement: "Today, the trust has experienced a major IT problem, believed to be caused by a cyber attack. Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls.

"The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency."

It said the trust's IT specialists were working to clean up the mess.

"I'm led to believe that there is a major attack underway on the NHS with systems down nationwide," one reader told us. "My wife is a GP and their systems were just shut down and they were told it was because of a 'National hack of the computer health care system'."

Updated to add

Payments appear to be being made to the Bitcoin address given in the NHS ransomware attack, which in turn suggests that the same strain of malware has infected Telefónica Spain, Gareth Corfield reports.

This same address is seen on computer screens in Spain and other countries hit by the WannaCrypt variant. A payment of 0.15 Bitcoin, worth roughly $266 at the time of writing, was made to that address two hours ago, as the blockchain tracker shows. It is not possible to say who paid this amount. The NHS attackers are asking for $300 worth of Bitcoin in ransom payments.

NHS Digital response

NHS Digital confirmed that a number of NHS organisations have reported suffering a ransomware attack, one that is also hitting organisations outside the health service.

It said: "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this. NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations. This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

"Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available."

Sophos waters down 'NHS is totally protected' by us boast

Watered down homeopathy for computers is more powerful, m'kay?

Updated: Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks, following last week's catastrophic WannaCrypt outbreak.

The proud website boast that the "NHS is totally protected with Sophos" became "Sophos understands the security needs of the NHS" after the weekend scrub-up.

Security-watchers, including former staffer Graham Cluley, noticed the reverse ferret.

Sophos didn't publish a definition update until 1825 BST, hours after an outbreak that forced hospitals to postpone scheduled treatments and appointments in scores of NHS Trusts. Sophos Live Protection functionality, if enabled, could detect WannaCrypt earlier than that.

Signature updates aren't the only layer of security in modern anti-malware, but the delay only raises further questions about why Sophos's technology didn't pick up an attack based on a known exploit for a hole Microsoft had patched two months earlier.

Sophos has been talking a lot about building better anti-ransomware defences over recent weeks, most particularly following the Invincea purchase back in February. Last month the company launched anti-ransomware CryptoGuard technology, a paid add-on to its Sophos Server Protection products.

El Reg asked Sophos to comment on what seemingly went wrong with its security defences but we're yet to hear back beyond an acknowledgement of our query.

Sophos's social media staff were tweeting about how its tech could protect against ransomware attacks on Thursday, a day before disaster struck.

It's all a bit awkward.

Sophos executives can, however, console themselves that the security firm's share price has risen markedly since the outbreak, rising 7.5 per cent in pre-lunchtime trading on Monday alone to reach 366.80 at the time of writing.

Updated at 15.05 UTC to add: Sophos has contacted us to say that customers using Sophos Intercept X or Exploit Prevention (EXP) "were protected proactively against the ransomware behaviour from the very first instance".

It added: "Sophos Endpoint Protection already detected some variants of the WannaCry ransomware. We added further detection at 15.58 UTC on Friday 12th May for samples in the new attack that we missed. This was a complex set of executables and exploits which took some time to analyse. We also thoroughly test all identity and rule updates before releasing them to our customers. The 17.25 UTC time in the KBA on our website is the time by which all our customers should have been updated. We are in the process of updating this wording in the KBA to be clearer.

"Sophos has added subsequent identities and generic detection rules to Sophos Endpoint Protection since then to block potential future variants of the malware and its techniques. We have also proactively contacted all our customers to advise them to deploy the Microsoft patch that mitigates the underlying vulnerability in the Microsoft OS."

NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering rather than technical intrusion techniques. Even so, the individual was able to trick the organisations into transferring over $100 million between 2013 and 2015, highlighting how cyber-enabled social engineering can be used to commit fraud at scale.

The individual posed as a manufacturer with which both firms had existing business relationships, and sent emails designed to look as though they came from that manufacturer. The emails contained forged invoices and contracts that appeared to have been signed by executives. This is less technically sophisticated than other cases of BEC, in which the third-party supplier's legitimate email account is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: suppliers and individuals often have less face-to-face interaction, and therefore fewer opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new; however, it is increasingly common as a low-cost, high-return crime. Other variations on this attack include:

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.

Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this is the 2013 fake “alert” posted from the hijacked Twitter account of one of America’s most trusted news agencies, which briefly fooled some news outlets into reporting that an explosion had occurred at the White House and caused the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.

Vulnerabilities

Mainly platform-agnostic or cross-platform updates this week, leaning towards Linux- and Unix-based systems.

Intel released a fix for its Active Management Technology (AMT) firmware to address a flaw, tracked as INTEL-SA-00075 (CVE-2017-5689), that could allow remote and local users to gain elevated privileges. Intel has also published a mitigation guide.

IBM released two updates for WebSphere to fix a browser redirect vulnerability and a cross-site request forgery vulnerability, and an update for DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal fixed a flaw that could allow access to the target system, and FreeBSD fixed a bug that could cause the target to reload.

Debian updates this week include libreoffice, ghostscript, freetype, weechat, libxstream-java, mysql-connector-java, tomcat7 and tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.

NCSC - Weekly Threat Report 28th April 2017

This report is drawn from recent open source reporting

Increase in Homographic Phishing Attacks

Recent media reporting highlights a threefold increase in homographic phishing attacks over the past fourteen months.

Homographic attacks have been widely known about for many years. They rely on the visual similarity between many different Unicode characters to spoof well-known web addresses using look-alike internationalised domain names, which are registered in their Punycode (xn--) form. For example, by registering the Unicode domain “www.xn--googl-z8a.com” an attacker would be in control of a web address which will render in browsers as “www.googlė.com”, almost indistinguishable from the real thing.

Moreover, researchers have recently shown that when every character in a label is drawn from a single non-Latin script, the mixed-script protections in some browsers are not triggered, and the domain is displayed as Unicode rather than as its Punycode form. By choosing letters from a single foreign alphabet, an attacker can therefore register a domain that looks identical to a targeted one when rendered by vulnerable browsers. For example, as a proof of concept a researcher recently registered the domain name “xn--80ak6aa92e.com”, which is made up entirely of Cyrillic letters and renders as “apple.com”.

Mitigations such as using a password manager can help users spot fake websites: the manager fills credentials only for the exact origin they were saved for, so a look-alike domain is left empty, which is itself a warning. In addition, email anti-spoofing measures (SPF, DKIM and DMARC) can help prevent phishing emails from reaching users in the first place.
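As an added example (not part of the NCSC report), the Python below shows the check a mail gateway or payments team could run on sender and link domains: it decodes Punycode to what the browser would display, flags labels that mix scripts, maps each character to the Latin letter it resembles and compares the result with a watchlist of domains the organisation really deals with. The same skeleton-plus-edit-distance comparison also catches the plain ASCII look-alike addresses mentioned under Business Email Compromise above (a swapped digit, a dropped hyphen). The watchlist, the confusable table (a hand-picked subset of Unicode's confusables data), the threshold of one edit and the sample domains are all assumptions; the Cyrillic apple.com domain is the one named in the report.

```python
import codecs
import unicodedata

# Assumed watchlist: domains the organisation genuinely transacts with.
WATCHLIST = {"apple.com", "example-supplier.com"}

# Hand-picked subset of look-alike characters (Unicode publishes the full
# list as confusables.txt). Keys are what the browser renders, values the
# Latin letter a human reads.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03b1": "a", "\u03bf": "o", "\u0117": "e", "\u0131": "i",
    "0": "o", "1": "l",
}


def decode_label(label: str) -> str:
    """Decode one ACE (xn--) label to the text a browser would display."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def to_unicode(domain: str) -> str:
    return ".".join(decode_label(part) for part in domain.lower().split("."))


def to_ace(domain: str) -> str:
    """Reverse direction: the xn-- form a registrar stores for a Unicode name."""
    labels = []
    for part in domain.lower().split("."):
        if part.isascii():
            labels.append(part)
        else:
            labels.append("xn--" + codecs.encode(part, "punycode").decode("ascii"))
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts used by a label's letters, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Replace each character with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for ASCII typo-squats such as a dropped hyphen."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str) -> dict:
    """Verdict and reasons for one sender or link domain."""
    uni = to_unicode(domain)
    reasons = []
    if uni in WATCHLIST:
        return {"domain": uni, "suspicious": False, "reasons": reasons}
    for label in uni.split("."):
        if len(scripts_in(label)) > 1:
            reasons.append(f"mixed scripts in label '{label}'")
    for target in sorted(WATCHLIST):
        if skeleton(uni) == target:
            reasons.append(f"renders like {target}")
        elif uni.isascii() and edit_distance(uni, target) <= 1:
            reasons.append(f"one edit away from {target}")
    return {"domain": uni, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for d in ["apple.com", "xn--80ak6aa92e.com", "xn--pple-43d.com",
              "examp1e-supplier.com", "examplesupplier.com"]:
        print(to_ace(to_unicode(d)), assess(d))
```

The whole-script Cyrillic domain passes the mixed-script test, which is exactly the gap the researchers exploited; it is only caught because the skeleton comparison runs as well. In production the hand-written table should be replaced by the full Unicode confusables data and the watchlist fed from the supplier master file, but the shape of the check stays the same.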


Vulnerabilities

An altogether quieter week than we have seen for a while on the vulnerabilities front. There were a number of updates from Cisco for IOS, ASA, Prime Infrastructure and Prime Network Registrar to fix cross-site scripting, denial-of-service and device-restart vulnerabilities. IBM updated WebSphere and Security Guardium this week to fix escalation of privilege bugs and also updated Domino to fix a remote code execution bug.

Palo Alto fixed an input validation flaw in PAN-OS to prevent cross-site scripting attacks and F5 Networks fixed a denial of service bug in BIG-IP and let users know about a bug in F5 Enterprise Manager which could lead to denial of service conditions, but for which no fix is currently available.

Elsewhere there were updates for Adobe ColdFusion, Apache Batik, Novell NetIQ and cURL/libcurl.

In terms of Debian this week there were updates for MySQL, Python-Django, Icedove/Thunderbird and libav.

Also a quiet week with regard to ICS-specific updates with just two: one for BLF-Tech and one for Sierra Wireless AirLink Raven.
