
NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar-looking symbol:

  • Example 1: www.thisisarealwebsite.org.com
  • Example 2: www.thisisarea|website.org.com

The letter ‘l’ in the second address has been replaced by a vertical bar symbol; at a quick glance the difference is not obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.
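As an added illustration (not part of the original report), the short Python check below does what the advice asks a reader to do by eye: it shows the Punycode form the browser actually sends, lists any non-ASCII or disallowed characters, and flags a hostname that mixes scripts. The three hostnames are constructed stand-ins modelled on the examples above, including an IDN variant that swaps a Latin ‘i’ for Cyrillic ‘і’ (U+0456); none is a real site.

```python
import unicodedata

# Constructed hostnames modelled on the report's illustration (not real sites):
# a legitimate ASCII address, the '|'-for-'l' substitution, and an IDN variant
# that replaces Latin 'i' with Cyrillic 'і' (U+0456).
LEGIT = "www.thisisarealwebsite.org.com"
PIPE_LOOKALIKE = "www.thisisarea|website.org.com"
CYRILLIC_LOOKALIKE = "www.thisisarealwebs\u0456te.org.com"


def _script_of(ch: str) -> str:
    """Crude script detection: first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyse_hostname(host: str) -> dict:
    """Report anything about a hostname that should make a reader pause."""
    findings = []
    scripts = {_script_of(ch) for ch in host} - {"COMMON"}
    for ch in host:
        if not ch.isascii():
            findings.append(f"non-ASCII character {ch!r} ({unicodedata.name(ch, 'UNKNOWN')})")
    if len(scripts) > 1:
        findings.append(f"mixed scripts in one hostname: {sorted(scripts)}")
    # The browser sends the Punycode (xn--) form; seeing it makes IDN tricks visible.
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        punycode = None
        findings.append(f"not a valid internationalised hostname: {exc}")
    # Hostname labels may only contain letters, digits and hyphens.
    for label in (punycode or host).split("."):
        bad = sorted({c for c in label if not (c.isalnum() or c == "-")})
        if bad:
            findings.append(f"label {label!r} contains characters not allowed in hostnames: {bad}")
    return {"host": host, "punycode": punycode, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for h in (LEGIT, PIPE_LOOKALIKE, CYRILLIC_LOOKALIKE):
        r = analyse_hostname(h)
        print(h, "->", r["punycode"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for f in r["findings"]:
            print("   ", f)
```

The script-mixing check is deliberately crude (it keys off the first word of the Unicode name), which is enough to catch a single substituted Cyrillic or Greek letter in an otherwise Latin name; a hostname written entirely in one non-Latin script is legitimate and is not flagged for mixing.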

The NCSC has published further information on how to protect yourself from phishing scams. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect: some variants run only at times when the device is not normally in use, and so go unnoticed.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its GitHub account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original, but Windows Defender SmartScreen flagged it because it lacked a valid code signature: as the code had been modified it was no longer recognised as legitimate and was designated as being from an ‘unknown publisher’.

GitHub consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.
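The integrity check GitHub recommended can be as simple as comparing a download against the checksums a project publishes over a channel you trust. The Python below is an added example, not Syscoin’s or GitHub’s code; the release bytes, file name and checksum manifest are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for a downloaded wallet build and the checksum list a
# project publishes alongside it (the file name is a placeholder, not a real
# release artefact). Obtain the checksum list from a channel you trust, such as
# a signed tag or the project's own site, not from the same download page.
RELEASE_BYTES = b"wallet build 1.0 (constructed example payload)\x00" * 32
TAMPERED_BYTES = RELEASE_BYTES[:-8] + b"\x90\x90\x90\x90\xcc\xcc\xcc\xcc"  # altered tail, same length
SHA256SUMS = (
    "# constructed checksum manifest\n"
    f"{hashlib.sha256(RELEASE_BYTES).hexdigest()}  wallet-1.0-win64.zip\n"
)

# sha256sum output: "<64 hex>  <name>" (text mode) or "<64 hex> *<name>" (binary mode)
_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style output into {file name: lower-case hex digest}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {line!r}")
        sums[m["name"]] = m["digest"].lower()
    return sums


def verify_release(name: str, data: bytes, checksums: dict) -> tuple:
    """Return (ok, detail). Files with no published checksum fail closed."""
    expected = checksums.get(name)
    if expected is None:
        return False, f"no published checksum for {name!r}"
    actual = hashlib.sha256(data).hexdigest()
    if hmac.compare_digest(actual, expected):
        return True, actual
    return False, f"digest mismatch: published {expected}, downloaded {actual}"


if __name__ == "__main__":
    sums = parse_checksums(SHA256SUMS)
    print(verify_release("wallet-1.0-win64.zip", RELEASE_BYTES, sums))
    print(verify_release("wallet-1.0-win64.zip", TAMPERED_BYTES, sums))
    print(verify_release("wallet-1.0-linux.tar.gz", RELEASE_BYTES, sums))
```

The manifest is only as trustworthy as where it came from: if an attacker who can replace the binary in a repository can also rewrite the checksum file next to it, the comparison proves nothing, which is why projects sign their checksum lists or publish them separately from the download.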

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FA, password management, mitigating the threat of malware and identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as LokiBot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security measures, such as two factor authentication (2FA) for online accounts, significantly reduce the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.


NCSC Guidance Notice - Increased Cyber Threats: Security steps to take

Measures to protect and prepare your systems in the face of heightened cyber security threats 

This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.

So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worst comes to the worst, they’ll help you determine what went wrong and recover quickly.

The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.


Increased cyber threats

How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media, a number of commercial and industry-specific information-sharing resources, and the CiSP platform detailed below.
 

Steps to take now:

If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:

1. Your organisation should undertake a readiness review and identify:

  • all available sources of logging
  • where those logs are stored
  • how long those logs are retained
  • who has access to them
  • that logging events are currently being generated

2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.

3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.

These measures will help in the detection of cyber attacks and give you some front line protection against Denial of Service (DoS) attacks.
 

Steps to take in the coming weeks:

1. Improve Defences

The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:

  • Your organisation should review its asset and vulnerability management processes and ensure they are in line with NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
  • Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high risk, or day to day user activities such as web browsing and email.
  • Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.
     

2. Improve detection capability

Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.

It is important to log events, even if you have no proactive capability to examine them.

If there is a suspected incident the logs will:

  • make it easier to prove an attack has taken place
  • provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
  • allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted
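The readiness review in ‘Steps to take now’ and the retention advice above boil down to a handful of questions per log source: where is it stored, how long is it kept, who can read it, and is it still producing events. The Python below, an added example rather than NCSC tooling, asks them over a constructed inventory; the one-hour silence threshold and the list of ‘too broad’ reader groups are assumptions to adjust for your estate, and the 90-day minimum is the guidance’s three months.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_RETENTION_DAYS = 90            # the guidance's "three months"
MAX_SILENCE = timedelta(hours=1)        # assumption: an hour with no events means the feed needs checking
BROAD_READERS = {"everyone", "all-staff", "domain users"}  # assumption: groups too wide for log access

# Fixed clock so the example is reproducible.
NOW = datetime(2018, 6, 22, 12, 0, tzinfo=timezone.utc)

# Constructed inventory, one entry per log source, in the shape the review asks for.
LOG_SOURCES = [
    {"name": "web-proxy", "store": "siem", "retention_days": 180,
     "readers": ["soc-analysts"], "last_event": NOW - timedelta(minutes=5)},
    {"name": "vpn-gateway", "store": "local disk on appliance", "retention_days": 30,
     "readers": ["netops", "everyone"], "last_event": NOW - timedelta(minutes=2)},
    {"name": "domain-controller-security", "store": "siem", "retention_days": 365,
     "readers": ["soc-analysts"], "last_event": NOW - timedelta(days=3)},
    {"name": "public-website", "store": None, "retention_days": 0,
     "readers": [], "last_event": None},
]


def review_source(src: dict, now: datetime = NOW) -> list:
    """Findings for one log source; an empty list means it passed every check."""
    findings = []
    if not src.get("store"):
        findings.append("no known storage location")
    retention = src.get("retention_days", 0)
    if retention < REQUIRED_RETENTION_DAYS:
        findings.append(f"retention {retention}d is below {REQUIRED_RETENTION_DAYS}d")
    readers = src.get("readers", [])
    broad = sorted({r.lower() for r in readers} & BROAD_READERS)
    if broad:
        findings.append(f"access granted to broad groups: {broad}")
    if not readers:
        findings.append("nobody is recorded as having access (who would investigate?)")
    last = src.get("last_event")
    if last is None:
        findings.append("no events ever observed")
    elif now - last > MAX_SILENCE:
        findings.append(f"no events for {now - last}; check the feed is still working")
    return findings


def readiness_review(sources: list, now: datetime = NOW) -> dict:
    """Map each source name to its findings."""
    return {s["name"]: review_source(s, now) for s in sources}


if __name__ == "__main__":
    for name, findings in readiness_review(LOG_SOURCES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("   -", f)
```

In practice the inventory comes from wherever you already record assets, and the ‘last event’ timestamps from the log store itself; the value of running this on a schedule is that a feed which silently stops, or a retention setting someone shortened to save space, shows up before an incident rather than during one.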
     

3. Improve response capability

Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.

Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.

The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact incidents@ncsc.gov.uk who will supply you with a form to complete with your organisation’s details. 

Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.


If an incident occurs

Please report incidents to the NCSC 24/7 Incident Management team if the following applies:

  • Significant loss of data, system availability, or control of systems
  • Unauthorised access to or malicious software present on IT systems.


Business as usual

Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.

You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.


NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programming interfaces (APIs) and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, most likely the default setting for the environment.

The latest incident follows other reported incidents involving insecure repositories and third-party storage solutions, where users have left default settings in place and/or configured the environments incorrectly, exposing large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack
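The first and third threats above, stolen keys and a poisoned pipeline, are easier to catch before a commit than after a compromise. The scanner below is an added example (not NCSC guidance or any project’s code) that runs over a few constructed files: it looks for the documented shape of AWS access key IDs, a secret key sitting next to its variable name, admin/admin-style default credentials, and any long quoted literal whose entropy suggests a key. The entropy threshold is an assumption; the AWS values are the placeholder credentials from AWS’s own documentation, not live keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs have a fixed, documented shape (AKIA for long-term keys,
# ASIA for temporary ones); the secret is a 40-character string that usually
# sits next to a telling variable name.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\W{0,4}([A-Za-z0-9/+=]{40})")
DEFAULT_CREDENTIAL = re.compile(
    r"(?i)\b(?:user(?:name)?|pass(?:word)?|passwd|pwd)\s*[=:]\s*['\"]?(admin|password|changeme|root|default)\b"
)
QUOTED_STRING = re.compile(r"""['"]([A-Za-z0-9/+=_\-]{32,})['"]""")
ENTROPY_THRESHOLD = 4.0   # assumption: bits per character above which a literal looks like a key


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, kind, value) tuples for every suspicious line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            hits.append((path, no, "aws-access-key-id", m.group(0)))
        for m in AWS_SECRET_KEY.finditer(line):
            hits.append((path, no, "aws-secret-access-key", m.group(1)))
        for m in DEFAULT_CREDENTIAL.finditer(line):
            hits.append((path, no, "default-credential", m.group(1)))
        for m in QUOTED_STRING.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hits.append((path, no, "high-entropy-literal", m.group(1)))
    return hits


# Constructed sample files. The AWS values are the placeholder credentials from
# AWS's own documentation, so they are not live keys.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DEBUG = True\n"
    ),
    "deploy/dev-env.ini": (
        "[admin-console]\n"
        "username = admin\n"
        "password = admin\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}


def scan_files(files: dict) -> list:
    return [h for path, text in files.items() for h in scan_text(path, text)]


if __name__ == "__main__":
    for path, no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{no}: {kind}: {value}")
```

Run as a pre-commit hook or in CI this catches the common mistakes; it does not catch a key that has been base64-wrapped or split across lines, so it complements, rather than replaces, keeping secrets out of the repository in the first place and rotating any key that was ever committed.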

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have received emails advising them that their accounts had been “limited” due to unusual activity and asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are redirected to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) encryption when directing users to the page they controlled, which bypassed the anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR Security Outcomes that have been developed by the NCSC and the Information Commissioner’s Office (ICO). The ICO is the UK’s supervisory authority for the GDPR and has published a lot of helpful guidance on its website.


NCSC - Countdown to GDPR

Anybody who is involved in cyber security or data protection will be acutely aware that the General Data Protection Regulation - better known simply as GDPR - comes into force on Friday (the 25th of May). We have worked very closely with the Information Commissioner’s Office (ICO) to develop a set of GDPR Security Outcomes, which we published last week.

GDPR and cyber

If you have tried to read and understand the relevant articles described in the Regulation, well done. I personally have found it really hard work to break it apart, summarise what security measures it really seeks, and then overlay good cyber security practice to meet those requirements. Thankfully, the ICO really do understand the detail, and so we have worked together to describe what the regulation requires and provide an overview of what sorts of cyber security measures we expect those organisations processing personal data to have in place. We have published this work as a set of Security Outcomes required for GDPR, together with some relevant overarching GDPR information. Whilst we have a shared interest with the ICO in cyber security, of course they are the lead for the GDPR and you should consult their website for any general GDPR questions or needs that you might have.

What GDPR says about cyber

Now I'm going to quote parts of the Regulation here  - so bear with me - but I will give some context as well.

There is an overarching requirement that basically says that you need to protect personal information. It states that personal information must be:

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

The key thing to note here is that personal information being correct and available is in scope - not just protecting its confidentiality.

One thing that I personally like in the GDPR (OK, so it's a little bit nerdy to have a favourite part of data protection legislation) is that it specifically requires organisations to think about security as they design services, as well as at the point when processing happens. It means that services must be designed with security in mind from the outset, and that you have to keep them secure through the whole lifecycle. You can't just develop services and allow security debt (when security corners are cut to meet business delivery) to accumulate.

The Regulation refers in a number of places to:

"appropriate technical and organisational measures"

It emphasises that you need to take a risk managed approach to security that is influenced by the risk to the individuals whose data you are processing, the state of the art (of technology) and cost. 'Appropriate' really does depend; we understand that saying 'it depends' can be really frustrating and people need a bit more certainty than that. Whilst the GDPR takes this 'it depends' approach, we have worked with the ICO to develop Security Outcomes that we would jointly expect any organisation to meet.

What are Security Outcomes?

As the name suggests, these are outcomes that any organisation should seek to achieve with regards to cyber security. They do not themselves carry mandatory status, although they are our joint approximation of what appropriate means under the Regulation. You'll find that the outcomes do not say precisely what to do with regards to cyber security. That's deliberate, as it's not for us (neither the NCSC nor the ICO) to tell you what technologies to use, nor to limit your choices in how you choose to protect personal data. Equally, we need the outcomes to work for organisations of many sizes and complexities. Overall this was probably the hardest challenge and we'd like to hear your feedback if there are areas that don't quite work (and the reasons, of course).

As we wrote the outcomes, we attempted to define the minimal set of measures that represent decent practice with regards to security. We do not believe we have described anything that is unreasonable, or should be surprising to you. Again, let us know if you feel this isn't the case. Defining what we believe to be good practice means that existing guidance remains appropriate and can help you design measures that meet the outcomes. There is a lot of existing material - including our own Small Business Guide and the ICO's guidance on GDPR - which you may find helpful.

We know that good security isn't just about putting technical mitigations in place. The outcomes are aligned to 4 top level aims which cover how you manage security, protecting personal data from cyber attack, detecting incidents and minimising the impact if an incident does happen. 

Existing schemes and certifications

I'm asked a lot whether having Cyber Essentials means you are compliant with the GDPR cyber security requirements. Certainly having Cyber Essentials certification is a good thing and it will show that you take protecting yourself from cyber attack seriously. I wholeheartedly recommend it but there are other areas, outside the scope of Cyber Essentials, where you need to protect personal information too. A good example might be protecting data at rest on a laptop. The same logic applies to other certifications you might have; they are part of the picture, but you must still ensure that you are comprehensively protecting personal data.

If something goes wrong

Occasionally even the most diligent organisation might experience a security incident. The whole approach of the GDPR is based on managing risk, not avoiding all risk. The fact that some of our Security Outcomes describe detecting events and minimising the impact should underline this. If you are (or think you are) subject to an incident that involves personal data then you are likely to be obliged to report this to the ICO. They have published guidance on their website to help you understand what you should report, and by when.

Ian M

Principal Technical Director, Risk Management Capability


NCSC - Weekly Threat Report 27th April 2018

Cost of ransomware attack on Atlanta

As reported in the Weekly Threat Report of 6 April 2018, the US city of Atlanta recently fell victim to an attack by the SamSam ransomware, which exploits a vulnerability in Java servers.

New reports indicate the city spent in the region of $2.66m responding to the attack. Costs included incident response, recovery and crisis management, but the city did not pay the ransom demand, reported to be approximately $55,000. There was also a broader cost in terms of the disruption the attack brought to city-wide services, with residents unable to pay bills and parking tickets as the city’s self-service portal was taken offline.

This case highlights the costs to organisations of ransomware attacks. However, paying a ransom does not guarantee that data will be returned and access to files restored. Nor does paying a ransom prevent a future attack; indeed, it may encourage further attacks.

Investment in cyber security can reduce the likelihood of malware infection and prevent the need for costly clean-up operations.

The NCSC has issued guidance on mitigating ransomware and other forms of malware.
 

Iran and India ban cryptocurrencies

Iran’s central bank has banned Iranian banks, credit institutions and currency exchanges from selling or purchasing digital currencies. It says cryptocurrencies, like Bitcoin, are used in money-laundering and financing terrorism, and that they are inherently unreliable and risky.

The same concerns are expressed widely around the world, including by the Chief of the International Monetary Fund, but many also believe digital currencies and the technology behind them could have a positive effect as a low-cost payment method.

Iran’s actions follow similar decisions by other central banks, such as the Reserve Bank of India’s decision in April to serve three months’ notice for entities they regulate to cease dealing in digital currencies.

The central bank decisions have been concerning for digital currency users in these countries (reportedly around five million in India), but it is too early to say whether these actions will last, have any long-term impact on the wider cryptocurrency market or whether other countries will follow suit.

Some countries are debating the regulation of digital currencies: Japan has recently created a regulatory body for its cryptocurrency exchanges, for example, and others have considered creating their own state-backed digital currencies.

The future of digital currencies is still unknown, which is a major contributing factor to their price volatility, but they are likely to be with us for the foreseeable future.


NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were the result of analysis work carried out by a cyber security researcher using the common terminology for this type of activity, and it is likely that there are many more groups of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as AlphaBay and Hansa, which were taken down by law enforcement last year), but it is no surprise that criminals will use whatever means are available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.


Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual was charged with fraud ‘in connection with computers’ and pleaded guilty.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
 

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information in misconfigured Amazon Web Services Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection on the files, so all he needed to access the data was the URL.

The default setting for S3 buckets is ‘private’. AWS best practice is never to open access to the public, and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.
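Whether a bucket is exposed comes down to what its policy and ACLs grant to an anonymous principal. The Python below is an added example, not AWS tooling: it takes a bucket policy document of the kind the AWS API or console returns and lists the statements that allow anyone to read without a condition. The two policies are constructed, as are the account ID, bucket and role names; the first is the weak shape, the second restricts access to one role.

```python
import json

# Constructed bucket policies (account ID, bucket and role names are placeholders).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LetAnyoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-kyc-uploads/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyTheProcessingRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-processor"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-kyc-uploads/*",
    }, {
        "Sid": "DenyEveryoneElse",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-kyc-uploads", "arn:aws:s3:::example-kyc-uploads/*"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/kyc-processor"}},
    }],
})

# Actions that let a caller read object data or enumerate the bucket. Wildcards
# are matched literally here; a fuller analyser would expand them.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two ways of saying 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> list:
    """Sids of Allow statements that let anyone read without any Condition."""
    doc = json.loads(policy_json)
    found = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # conditional grants need a human look rather than an automatic 'public' verdict
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            found.append(st.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    print("public policy  ->", public_read_statements(PUBLIC_POLICY))
    print("restricted one ->", public_read_statements(RESTRICTED_POLICY))
```

The check is deliberately conservative: a statement whose Principal is "*" but which carries a Condition (for example one limiting access to a VPC endpoint) is not reported as public, because whether that condition is tight enough needs a person to judge. Bucket and object ACLs are a separate mechanism and must be reviewed separately; a restrictive policy does not undo a public-read ACL.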

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
 

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011, the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.


NCSC - Weekly Threat Report 9th March 2018

This report is drawn from recent open source reporting. 

Largest reported DDoS attacks mitigated 

The largest ever reported Distributed Denial of Service (DDoS) attack occurred in early March 2018, according to Netscout Arbor. A peak of 1.7 Terabits per second (Tbps) was recorded, although the attack was mitigated. This followed a recent attack against GitHub on 28 February, with a peak of 1.35 Tbps. The largest known attack previously took place in 2016 against the US DNS provider Dyn, which peaked at 1.2 Tbps.

The method used for these attacks is known as a ‘memcached server DDoS’. Memcached servers hold in memory data that applications would otherwise have to fetch from databases; large companies often use them to speed up their services and absorb heavy demand. When memcached servers are openly accessible over the internet via the User Datagram Protocol (UDP), they can be abused to amplify traffic enormously.

The attackers send such a server a small request with the source address forged to be the victim’s, so that the memcached server’s reply, which can be up to fifty thousand times the size of the original packet, is delivered to the victim. Without mitigations such as filtering or network management, this can easily take a service offline. Whilst the vectors were different in the 2016 Dyn attack, that incident demonstrates the potential ramifications if other services depend on the targeted service; for more information, see the NCSC Weekly Threat Report 24 October 2016.

In the attack against GitHub, there has since been reporting of a ransom note in the data payload, demanding a payment of 50 Monero (worth approx. $15,000). There are also suspicions among various mitigation service providers that this method of amplification has now been adopted by DDoS-as-a-Service providers.
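An exposed memcached instance is not a flaw in the software so much as a configuration: UDP enabled and the listener bound to a public interface. The Python below, an added example rather than memcached’s own tooling, reads a memcached.conf-style file and flags both. The two configurations are constructed; the ‘UDP on by default before 1.5.6’ rule reflects the upstream change made after these attacks and is passed as a parameter so you can set it for the version you run.

```python
import re

# Constructed memcached.conf-style files (one option per line, as the Debian
# package lays them out). The first is the exposed shape abused in these
# attacks, the second the hardened one.
EXPOSED_CONF = """\
# constructed: listens on every interface, UDP on
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""
HARDENED_CONF = """\
# constructed: local only, UDP off
-m 64
-p 11211
-U 0
-l 127.0.0.1
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_memcached_conf(text: str) -> dict:
    """Map single-letter options (-U, -l, ...) to their values; comments ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^-(\w)\s*(\S*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def assess_memcached_conf(text: str, version_before_1_5_6: bool = True) -> dict:
    """Flag the two settings that turn a cache into a DDoS amplifier.

    version_before_1_5_6: memcached releases before 1.5.6 enabled UDP by
    default, so a missing -U line is treated as UDP on for those versions.
    """
    opts = parse_memcached_conf(text)
    findings = []
    udp_on = (opts["U"] != "0") if "U" in opts else version_before_1_5_6
    bind = opts.get("l")  # may be a comma-separated list; absent means all interfaces
    binds = {b.strip() for b in bind.split(",")} if bind else {"0.0.0.0"}
    exposed = bool(binds - LOOPBACK)
    if udp_on:
        findings.append("UDP enabled (set '-U 0' unless UDP is genuinely needed)")
    if exposed:
        findings.append(f"bound to non-loopback address(es) {sorted(binds - LOOPBACK)}; "
                        "restrict with '-l 127.0.0.1' or firewall port 11211")
    if udp_on and exposed:
        findings.append("usable as a DDoS reflector: small spoofed requests, large replies to the victim")
    return {"udp_enabled": udp_on, "binds": sorted(binds), "findings": findings}


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, assess_memcached_conf(conf))
```

Binding to loopback is the right answer for a cache that only the local application uses; where application servers on other hosts need it, keep UDP off and restrict TCP port 11211 to those hosts at the firewall, since memcached itself has no authentication.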

These latest DDoS attacks were mitigated, but further attacks may occur. The NCSC has previously provided DDoS advice regarding understanding the threat of attacks and also response and recovery planning. There is also a detailed catalogue of NCSC DDoS guidance.


NCSC advice: Malicious software used to illegally mine cryptocurrency

Guidance for members of the public, website administrators and JavaScript developers in relation to the recently publicised cryptocurrency mining compromises of several websites 

The NCSC is aware of a compromise of the third-party JavaScript library ‘Browsealoud’ which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators, and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance below.

You can also read more about cryptomining in last week’s NCSC Threat Report (published 9 February 2018).
 

Advice for members of the public

  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer, reduced battery life, or visited the affected websites we recommend:
    • Closing the browser you visited the webpage on is likely enough to stop the mining;
    • Clearing the browser cache will remove all traces of the code. Guidance on how to do this is available here: http://www.refreshyourcache.com/en/home/
       

Advice for website administrators 

  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means that changes to the library require access to your server, although you will then need to install security patches yourself.

In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:

  • SRI (Subresource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the hash will no longer match and the script will not be loaded by users' browsers. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.

We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
 

Advice for third-party JavaScript developers

  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place in case a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have static cryptographic hashes, will enable customers to validate their integrity.


NCSC - Weekly Threat Report 5th January 2018

'Meltdown' and 'Spectre' vulnerabilities to microprocessors

Reports of new security flaws affecting microprocessors called ‘Meltdown’ and ‘Spectre’ surfaced this week. Processors in most devices employ a range of techniques to speed up their operation, and the vulnerabilities allow some of these techniques to be abused to obtain information about areas of memory not normally visible to an attacker. As a result, normally difficult actions - such as recovering passwords - are theoretically made easier.

However, an attacker would still need to run code on a device. Access would typically be gained via well-known means, such as phishing attacks or browsing malicious websites. At this stage there has been no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC has pro-actively advised that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available, and has recommended that home users enable automatic updates so future security measures are installed.

Further advice for enterprise administrators and home users can be found on this website.
 

Cyber-enabled fraud: an increasing threat for 2018

Media reporting highlights an alleged attempt by hackers to steal funds from Russian bank Globex. The hackers appear to have used legitimate credentials to access the SWIFT international payment system to attempt fraudulent wire transfer requests valued at 55 million roubles (c. £700,000).

This attempted theft highlights that poor end user security is still a problem for some global financial institutions.

Increasingly, cyber thieves are attempting to harvest legitimate login credentials, and then commit fraudulent activity using the accesses that these legitimate credentials provide. Most notoriously, around US $81 million was stolen from Bangladesh Bank in February 2016.

Analysis of the Bangladesh Bank theft indicates that the hackers responsible likely implanted malware into the bank's servers to steal legitimate SWIFT credentials, which were then used to conduct the fraudulent transactions.

Most organisations in the UK finance sector will have sufficient cyber security measures in place to protect against the type of fraud which occurred against the Bangladesh and Globex banks. However, globally, this trend of cyber-enabled fraud, which seeks to acquire and then abuse legitimate credentials, is likely to continue throughout 2018, and it is likely to be attempted against UK organisations across all sectors.
 

Cyber attack forces US hospital offline

The Jones Memorial Hospital in the US state of New York was hit by a cyber attack this week impacting some of its information services. The hospital stated that they used standard computer downtime procedures in response, and they believe no patients’ financial or medical information has been compromised.

The exact cause of the incident was not revealed, although similarities can be drawn to previous ransomware attacks against healthcare providers in the US. While all sectors are vulnerable to such attacks, healthcare organisations in the US are more likely to be specifically targeted by cyber criminals because they operate privately, for profit and have a high reliance on access to data. As a result, these organisations also tend to have appropriate response and backup procedures in place, enabling them to limit the operational and financial impact of cyber attacks.

The NCSC has published guidance on how to prevent a ransomware incident and what to do if your organisation is infected.


NCSC - Weekly Threat Report 03 November 2017

Fake speeding notices deliver malware

Police forces around the UK are warning motorists not to be taken in by a phishing email falsely informing them that they need to pay a speeding fine. The realistic-looking email, entitled ‘Notice of Prosecution’, claims to have ‘photographic’ evidence, but clicking on the associated link will upload banking malware to the victim’s device.

The email appears official, with the logos of either the local police force or ‘gov.uk’, but there are several features that indicate that it is fake. Spelling and grammatical errors are fairly obvious, and the speed at which the vehicle was allegedly caught is unrealistic, e.g. travelling at 89mph in an area with a 25mph speed limit. Phishing emails rely on several factors to be successful, including evading spam filters, the appearance of credibility, and being able to make the recipient take action immediately.

The police have advised that any ‘Notice of Prosecution’ would be posted to the vehicle owner’s address and never sent in an email. They also advised people to delete the email without clicking on any links.


Code-signing certificates worth more than guns on the Dark Web

An investigation by a company specialising in identity protection solutions into the sale of code-signing certificates on the Dark Web suggests they are selling for up to $1,200, making them more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun. This relatively high price presumably reflects customer demand.

This is not the first time that security researchers have highlighted the issue of stolen or fraudulently obtained code-signing certificates. Since at least 2011, they have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed.

Over the years, attackers have managed to sign their malicious executables with certificates obtained by a variety of methods – reportedly stealing them from technology companies (including some well-known names), penetrating the networks of companies and using their signing facilities, or applying for certificates in the names of fake companies or real companies who have no need for them. As far back as 2010, the destructive worm Stuxnet included components that were signed with stolen certificates. More recently, the cyber actors who corrupted an update of clean-up tool CCleaner managed to get the update signed.

Amongst other things, this highlights the fact that, when attackers do manage to penetrate a network, they will often seek out things that facilitate further intrusions – like passwords (not only password caches, but sometimes also emails containing passwords or access codes), cookies, digital certificates and keys. System administrators should make sure they know where these are located.


The Dark Overlord – Systematic cyber-enabled extortion

A cyber crime group called ‘The Dark Overlord’ has claimed responsibility for conducting cyber-enabled extortion campaigns in recent weeks. Victims include a London-based plastic surgery clinic and a Hollywood production studio, both of which are believed to have a number of high-profile clients. The group has a history of hacking organisations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain. They leak snippets of data to the media to encourage them to report on their activity. This is aimed at “proving” that a breach has taken place, and increases the pressure on the victim to pay the ransom. ‘The Dark Overlord’ has been responsible for indiscriminately targeting health institutions, schools and media production companies over the last year.

Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted, and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public. Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximise impact. This may inspire other cyber extortionists to adopt a similar methodology, especially as new opportunities present themselves due to an increasing amount of sensitive data being stored online. Any data breach and the associated media exposure may cause significant reputational damage and loss of business.


NCSC - Weekly Threat Report 27th October 2017

Bad Rabbit Ransomware

This week, ‘Bad Rabbit’ ransomware infections have been reported in countries including Russia, Ukraine, Bulgaria, Turkey, Germany and Japan. The NCSC has not received any reports that the UK has been affected by this latest malware attack. The majority of infections have been in Russia, where media organisations were worst affected. Russia’s Interfax News Agency suffered outages to several of its services, including its news portal. Ukrainian victims included the Ministry of Infrastructure, Odessa airport and Kiev metro.

Bad Rabbit asks victims to pay 0.05 Bitcoin (currently worth approximately £210) to restore their files. A small number of transactions are reported to have been made, although these are unconfirmed, and it is currently unknown whether paying the ransom leads to decryption of files. The infection vector is believed to be certain compromised media websites in the affected regions, which ask the user to execute a fake Adobe Flash Player update. Researchers including FireEye and CrowdStrike have identified several links between Bad Rabbit and the NotPetya ransomware, including the use of similar JavaScript code to redirect victims. While claims have been made that Bad Rabbit made use of the EternalBlue exploit leveraged by WannaCry and NotPetya, these have been widely refuted; subsequent claims have been made that the EternalRomance exploit was leveraged.

It is currently unclear who is responsible for this ransomware. NCSC technical analysis is ongoing to provide more clarity on technical indicators. There are no reported UK victims to date. Nevertheless, it should be noted that UK organisations would be vulnerable were they to visit any of the infected websites. In the case of NotPetya for instance, a number of UK organisations were infected. The NCSC has provided some mitigation advice in its public statement, highlighting the importance of patching, using proper antivirus services and having effective backup procedures. In addition to this, Bad Rabbit makes use of a set of hard-coded username/password combinations in order to attempt to spread to SMB shares on the local network. Organisations should ensure that these username/password combinations do not exist anywhere on their network, and in general that they follow good password practices.

Is Reaper the new Mirai?

In September, cyber security firms reported the discovery of a new botnet that targets vulnerable internet-connected devices and could already have infected millions of them.

The botnet (named variously ‘IoTroop’, ‘IoT_reaper’ or ‘reaper’) has been targeting a number of known vulnerabilities found in popular device brands, including internet-connected cameras and Wi-Fi routers.

Reaper is being compared to the Mirai botnet, which caused serious disruption to the Dyn domain name server provider and thousands of customer websites in October 2016. Some of Reaper’s code is reportedly similar to Mirai’s; however, researchers believe Reaper has many more capabilities than Mirai and the potential to cause a lot more damage. The rate at which Reaper has been infecting devices is also concerning, and the attacker appears to be updating the malware regularly.

The purpose of the Reaper botnet is currently unclear as it does not yet appear to have been used for malicious purposes. As with the Hajime botnet identified earlier this year, there may be speculation that it has been developed to stop vulnerable devices being harnessed for malicious activity, but it would be best to assume the worst until proven otherwise.

Ensuring your devices are fully patched and limiting access to these devices will help protect from compromise. For further advice see our 10 steps to cyber security.
 

Washington Cyber Conference reportedly targeted by hackers

The International Conference on Cyber Conflict (CyCon) will be held 7-8 November in Washington and will host a high-level gathering of NATO and US military cyber experts.

A recent Cisco report has highlighted that this conference has been targeted by cyber actors known as ‘APT28’ and ‘Fancy Bear’. Cisco report that this actor has modified an existing Microsoft Word flyer publicising the conference, added reconnaissance malware to it and has conducted an email campaign to infect potential victims. The modified document contains an embedded Visual Basic for Applications (VBA) macro which is executed when the document is opened and automatically installs the malware. Running any macro within any externally produced Microsoft Word document will usually generate a warning which must be explicitly approved by the user. However, the user is more likely to override the warning and execute the macro if the malware-bearing email appears to be from a legitimate contact.

Word and PDF documents are one of the most common ways to spread malware, so, as a security measure, Microsoft deliberately turned off auto-execution of macros by default many years ago. Many current malware infections rely on persuading the user to turn macros back on. We assess with high confidence that cyber actors will likely continue to use creative and current specialised topics to compromise targets. It is likely that this campaign has been targeting people linked to government/military cyber security.


NCSC - Weekly Threat Report 20th October 2017

KRACK – a fundamental flaw in Wi-Fi security

Security researchers from Belgium have found that the majority of Wi-Fi connections are potentially vulnerable to exploitation because of a fundamental weakness in the wireless security protocol – WPA2. The exploit is called “KRACK”, which is short for Key Reinstallation Attack. Reports suggest that at most risk are Linux operating systems, Internet of Things (IoT) devices and 41% of Android devices. However, many of these, especially IoT devices, may never get patched.

For further detail on this flaw, please see our KRACK guidance and the latest blog.
 

Swedish transport networks hit by DDoS attacks

Media reported last week that trains were delayed in Sweden after the transport sector was successfully targeted by a series of DDoS attacks. On 11 October, two communication service providers serving the Swedish Transport Administration (Trafikverket) were hit by a DDoS attack, reportedly causing Trafikverket’s train management system to go down for several hours. Consequently, manual procedures had to be used to handle rail traffic, resulting in delays for the rest of the day. The organisation also had to resort to using Facebook to keep customers updated, as its email system and website were also unavailable. The following day, DDoS attacks targeted the Swedish Transport Agency (Transportstyrelsen) and a public transport operator serving Western Sweden (Västtrafik). The impact of these attacks was less severe, briefly affecting web services including ticket booking.

Some media reports speculate that a state-linked actor may have been responsible; however, investigations into the incidents continue. Overall, the case highlights how transport firms can be impacted by attacks on third party service providers (in this case, Trafikverket’s communication service providers).


Cyber-enabled intimidation of NATO personnel in Baltics

According to open source reporting, advanced surveillance techniques (possibly including drone monitoring and/or IMSI grabbing) are being used to pull data from personal smartphones of NATO personnel, despite warnings not to use them following previous incidents. There are accounts of personnel then being approached in public by individuals who convey details pulled from smartphones – in one example, details about the personnel’s family.

This is not the first time NATO personnel operating in Europe have reported call interference or unusual behaviour by their mobile phones. Mobile devices operating over the public telephone system are susceptible to exploitation, including interception of communications or tracking of the user. The capability to mount operations against personal electronic devices, including the use of rogue cell towers, is within technical and financial reach of well-resourced threat actors. However, the more recent reporting is different, as exploitation of devices has been followed up by personal approaches.

It is almost certain that personal mobile devices will increasingly become targets for a wide range of threat actors due to the amounts of personal information they hold, which is useful for espionage, targeting and criminal purposes. Personal mobiles are susceptible to a range of compromise vectors and have widely varying levels of cyber hygiene. This threat could expand beyond NATO personnel to businesses operating in the region or individuals traversing these areas on business or personal trips.


NCSC - Statement: 'Bad Rabbit' malware incident

An official statement from the National Cyber Security Centre on the recent 'Bad Rabbit' malware cyber incident. 

A spokesperson for the National Cyber Security Centre said:

“We are aware of a cyber incident affecting a number of countries around the world.

“The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.”

Further information

  • The NCSC recommends that organisations and the public follow the guidance on the NCSC website - install the latest security software patches, back up data and use proper antivirus software services.
  • The NCSC also recommends that passwords are never re-used across important accounts and also setting up Two-Factor Authentication (also called Two-Step Verification) in the security settings.
  • The National Crime Agency (NCA) encourages anyone who thinks they may have been subject to online fraud or cyber crime to contact Action Fraud at www.actionfraud.police.uk. It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay. 


NCSC - Weekly Threat Report 29th September 2017

Compromise of Deloitte

The Guardian this week reported that the global accountancy firm Deloitte had been hit by a cyber attack that has revealed client email addresses. The hackers may have also accessed usernames, passwords and personal details.

Deloitte provides auditing, tax consultancy and cyber security advice to some of the world’s biggest banks, multi-national companies, media enterprises, pharmaceutical firms and US government agencies. According to the Guardian, Deloitte clients across these sectors had material in the company email system that was breached. The breach was believed to be US-focussed, affecting well-known companies as well as US Government departments. The compromise was discovered in March this year, but it was reported that the attackers may have had access to Deloitte systems since October or November 2016.

According to the newspaper, the hacker compromised the firm’s Microsoft Azure Cloud global email server through an administrator’s account that, in theory, provided them with privileged, unrestricted access. The account required only a single password and did not have “two-step” verification. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which is Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.

Deloitte has stated on its website that only very few clients were impacted and no disruption has occurred to client businesses, to Deloitte’s ability to serve clients, or to consumers. The NCSC statement confirmed that we had engaged with the organisation to better understand the threat and based on current information we understand there to have been minimal UK impact.

Using single-factor authentication, such as a username combined with an easy-to-guess password, has allowed criminals to gain access to a user's account. Simple passwords based on dictionaries, or the same passwords used on other systems that may have been leaked, can give cyber attackers easy access to IT systems. Gaining access to the administrator account is the ‘jackpot’ for an attacker and will provide them with unrestricted access to all user accounts.

Two Factor Authentication (or 2FA) is an extra layer of security that requires not only a username and password but also something that only that user has, or has immediately to hand - such as a physical token, key fob device, fingerprint, facial recognition or an SMS confirmation sent to their mobile phone.

A compromise would be highly unlikely if a complex password or 2FA had been implemented. See the NCSC’s Password Guidance.
 

Banks’ concerns about cloud cyber security

Investment bank Goldman Sachs has in recent days echoed concerns about the number of banks using the same small number of Cloud storage providers – pointing out that those users also include the UK financial regulatory bodies.

The bank’s Head of Technology for Europe, Middle East and Africa argues that the online platforms should be regulated from a resilience perspective, and describes a ‘concentration risk’. The concerns echo those voiced in January by the Bank of England Governor and the chair of the Financial Stability Board, who refer to the risk of a single point of failure if ‘banks come to rely on common hosts of online banking or providers of Cloud computing services’.

The use of an online network, or ‘Cloud’, increases the scale and flexibility of computing capacity, and aligns with the growing desire within the financial services industry for innovative technological business models and processes.

The Financial Stability Board (FSB) alerted the industry in June to the greater reliance on external providers of technology, and hence the potential risk of disruption, specifically citing the Cloud. The FSB highlighted the risks of financial institutions relying on the same third-party Cloud computing and data services providers, and cited other jurisdictions where, for example, guidelines had been issued for Cloud outsourcing, internet banking and technology risk management. Greater co-ordination within finance, and with non-finance partner organisations such as those with a remit for cyber security, was mooted.

Some of the growing concerns voiced within financial services about the Cloud are addressed by the NCSC’s Cloud Security Principles and advice.

 

Cryptocurrency mining by cyber criminals

Recent IBM reporting observes a sixfold increase in the use of specifically CPU-based cryptocurrency-mining malware since the beginning of 2017, a much faster rise than observed for cryptocurrency-mining malware more generally.

While there are many cryptocurrencies, with different characteristics, all rely on ‘miners’, who carry out a large number of calculations to verify transactions. In exchange for contributing computing power, miners are rewarded with cryptocurrency.

Mining many currencies using a CPU has generally become economically unviable for legitimate users, as running costs outweigh their gains, so they now use graphics cards, or specially designed application-specific integrated circuits (ASICs). Running costs are no obstacle to cyber criminals, however, who can use botnets of compromised machines as miners without needing to worry about the electricity bills. Some newer currencies are also more feasible to mine using a CPU only.

In a related trend, an increasing number of website scripts are being observed which mine cryptocurrency inside a web browser. Such scripts can be used in clearly illegal ways when hidden within adverts (a form of malvertising), but some sites have also shown an interest in such scripts as a form of revenue production to replace or supplement online advertising. Torrenting site The Pirate Bay received significant press coverage when it was revealed to have adopted such scripts without the knowledge or consent of its users. There have also been reports of cyber criminals compromising popular websites and hiding mining scripts in their source code, allowing them to profit from their victims’ visitors.


NCSC - WEEKLY THREAT REPORT 21ST JULY 2017

New SMB protocol exploit effective against most Windows operating systems

An EternalSynergy-based exploit has now been developed which can compromise newer (unpatched) versions of Windows. The original ETERNALSYNERGY exploit, released by The Shadow Brokers in April, exploited an SMB protocol vulnerability, CVE-2017-0143, to allow attackers to inject code onto Windows machines, but only worked on versions up to Windows 8.

A security researcher has now modified and upgraded ETERNALSYNERGY to be able to compromise all supported but unpatched Windows operating systems except for Windows 10. This new exploit code is publicly available to download on GitHub and ExploitDB.

This case shows that exploits previously thought to only be effective against older or unsupported operating systems such as Windows XP can be modified to compromise newer and currently supported systems. This illustrates the importance of rigorous vulnerability management and patching, including patching newer operating systems.

Rise in cyber crime as a service

A new credential-stealing malware, named Ovidiy Stealer, is being sold on cyber crime forums for as little as £6. The low price reflects its limited capabilities. It is non-persistent, so can be removed by simply rebooting an infected computer, but it is reportedly easy to use and capable of harvesting usernames and passwords for a number of common applications. Ovidiy Stealer has compromised targets around the world, including in the UK.

Similarly, a new Phishing-as-a-Service platform, 'HackShit', has been marketing itself to would-be fraudsters. For a monthly subscription, users can generate plausible looking login pages which imitate popular social media and dating sites. The subscribers can also use the platform to trade compromised accounts for cryptocurrency, and to view tutorials on hacking and phishing.

The increasingly low barriers to entry for cyber crime are of concern because individuals with limited technical knowledge can now purchase basic cyber capabilities for a modest sum.

 


NCSC - Weekly Threat Report 14th July 2017

China to ban personal VPNs

The Chinese government has told state-owned telecoms companies to block individuals’ access to virtual private networks (VPNs) by 1 February 2018, according to media reports. The ban will greatly restrict individuals’ unfettered access to the Internet. VPNs have often been used to circumvent China’s Great Firewall and communicate securely with servers outside of China. The Chinese government has increasingly cracked down on them in pursuit of “Internet sovereignty”, or controlling online activity within China’s borders.

The ban on individual access to VPNs follows new rules introduced in June 2017 requiring companies wishing to use VPNs to apply to the government for permission. They also face strict rules on data transfers. Many foreign businesses have expressed concern at the implications for privacy, data protection and the security of their intellectual property. Possible workarounds may exist for technically proficient individuals, but average Internet users face being cut off from the free and open Internet.

Sources: Bloomberg News, “China Tells Carriers to Block Access to Personal VPNs by February” (10 July 2017); Washington Post, “Here’s China’s latest plan to keep its citizens from the open Internet” (10 July 2017)
 

Communications take quantum leap forward in China?

China’s ongoing project to develop an ‘unhackable’ quantum communications (QC) network, where communications cannot be intercepted without being detected, continues to move forward. The country is developing the world’s longest land-based QC network stretching 2,000 km between Beijing and Shanghai. It is being developed in the eastern city of Jinan, where a trial network of 200 terminals will enter service in August 2017. China intends to use it to enable ultra-secure communications for the government, military and commercial banks.

China has also reportedly demonstrated the first ground-to-orbit quantum teleportation (QT) using an experimental satellite. The test was conducted by “entangling” two photons, one on the ground and the other on the satellite, then using quantum physics to transmit information from one to the other at a distance of 500 km. While QT has previously been conducted through fibre-optic cables, a successful trial in space offers the prospect of ultra-secure wireless data communications. China’s claim has yet to be verified by other scientists.


NCSC - Weekly Threat Report 7th July 2017

Scams follow widely reported attempt to compromise parliamentary email accounts

Following reported attempts by hackers to compromise parliamentary email accounts in June, scammers have recently attempted to gain information by cold-calling (or vishing) MPs and their staff. Posing as staff from the Houses of Parliament’s IT department, the scammers have reportedly been requesting the usernames and passwords of MPs. Vishing, like its online equivalent, phishing, attempts to elicit sensitive information, such as passwords, or to encourage victims to visit particular (invariably malicious) websites.

Scammers try to capitalise on heightened public awareness of particular issues, and such social engineering techniques often increase in prevalence following a high-profile incident. For example, following the WannaCry ransomware incident, there were several reported scams, including fake fixes for the malware and malicious ‘tech support’ services. Phone calls can form part of a blended social engineering campaign, along with emails or social media contact. It is likely that scams such as these will continue to follow widely reported events.


NCSC - Weekly Threat Report 30th June 2017

Password challenges

Passwords have been in the news again recently. Most notably, on Friday 23 June accounts with weak passwords on the UK Parliamentary network were compromised, although fewer than 1% of the system’s 9,000 accounts were directly affected. Attention was also drawn this week to router password vulnerabilities, as Virgin Media advised customers with Virgin Super Hub 2 home routers to reset their passwords. This followed concerns that the routers had a relatively weak eight-character default password consisting of lower case letters that could be cracked in four days, potentially allowing access to other home devices. Routers supplied by other service providers may also come with default passwords.

Passwords also featured in Ciaran Martin’s interview with BBC’s Today programme (Friday 30 June, 0810) where he recommended that two-factor authentication be used so that a stolen password is much less valuable to a criminal.


A portion of Microsoft Windows 10 Source code leaked online

Microsoft has confirmed that a portion of its source code has been leaked online. The initial source of the leak is unknown; however, the content was posted to Beta Archive, one of the largest online ‘Beta and Abandonware’ repositories for prototype software. The leaked content was 1.2GB in size and has since been removed from the Beta Archive site.

Microsoft already shares some of its source code with industry partners and government through its Shared Source Initiative. However, this instance represents an unauthorised leak. A number of theories about who is responsible are currently circulating. Was it one of Microsoft’s trusted partners who already had access to the source code? Or was it a criminal who illegitimately obtained access to the code before leaking it? There is no evidence to confirm either theory at this stage. The leak occurred one day after two men were arrested in the UK for unauthorised access to Microsoft’s network; however, there is no evidence that the two incidents are related.

Some reports have highlighted the risk of malicious actors using the leak to identify vulnerabilities in the code before developing exploits to target them. However, when Microsoft’s Windows 2000 code leaked in 2004, similar claims were made but no significant uptick in related attacks followed. White hat hackers may also use the leaked code as an opportunity to investigate it for vulnerabilities and report them to Microsoft for fixing.

While Microsoft has responded to this incident, questions have been raised about how the source code was originally obtained.


Disgruntled ex-employee conducts Smart Meter Network attack

A former radio frequency engineer used information about systems he had worked on to disable meter reading equipment at several US water utility companies. The individual has since been convicted of two counts of "unauthorized access to a protected computer and thereby recklessly causing damage” and has been sentenced to 12 months in prison.

This case demonstrates the importance of revoking software access when dismissing staff, and of appropriate access management more generally. The software used by the former employee remained on his home computer following his termination, and he also retained the default root passwords. Using these, he took advantage of his pre-existing network and system access to cause disruption (including changing a password to an obscenity and replacing the code of a script with the lyrics of a Pink Floyd song), reportedly out of frustration rather than malicious, destructive intent.

Critically, this was not a sophisticated cyber attack: the perpetrator knew enough about the system to disrupt it effectively with limited cyber capabilities. Appropriate access management is important not only for employees leaving an organisation, but also for those moving between departments, where their access requirements may change. Lax access management often allows insiders to have a greater, more targeted impact against their organisations.


Cyber crime trends and statistics in 2016

The FBI have recently published their annual internet crime report. The trending topics for 2016 were Business Email Compromise (BEC), ransomware, technical support fraud and extortion.

A total of 298,728 complaints were received, with reported losses in excess of $1.3 billion. The FBI estimates that only 15 percent of fraud victims in the US report their crimes to law enforcement.

The UK's National Crime Agency (NCA) considers underreporting a huge barrier to understanding the true scale and cost of cyber crime. The reasons for underreporting include reputational damage; not knowing who to report the crime to; what constitutes a cyber crime; and being unaware that a crime has taken place.

Although the figures in the FBI report are not directly comparable with UK statistics, they do indicate similar overall trends, such as the increase in ransomware crimes, BEC and technical support fraud.

The NCA has recently published a report highlighting these cyber crime trends as well as an increase in the prevalence of mobile malware. The NCA has also highlighted the Internet of Things (IoT) threat as having become more mature in 2016.

The UK has also seen an increase in technical support fraud, and British law enforcement and Microsoft have been working together for two years investigating these scams. Criminals typically trick victims into believing their computers have been infected with malware and then persuade them to pay for the problem to be fixed. Sometimes the scam involves a pop-up message appearing on the computer claiming to be from "Microsoft Technical Support". As a result of the investigation, four UK citizens have recently been arrested.

The NCSC has guidance for businesses on understanding the cyber crime model, and for members of the public on how to protect against cyber crime and what to do if you think you have been the victim of one.


Ransomware tool causes widespread disruption

On Tuesday 27 June, widespread disruption was caused in Ukraine by a ransomware tool that spread to other organisations worldwide via trusted networks. The ransomware tool, with similarities to the Petya ransomware that first struck in early 2016, was inserted into a compulsory software update for Ukrainian financial and government institutions.

Once installed, the malware looked for other systems to exploit, using some of the same worm-like capabilities seen in the WannaCry attacks. In addition, infected devices were subjected to a memory and file system scrape to steal credentials, which allowed the malware to move laterally through a network even where systems were patched against the exploits used. This highly crafted tool was designed to spread rapidly, in some cases overwriting the Master Boot Record (MBR) on infected computers and displaying a ransom note asking for payment in Bitcoin. Despite the request for payment, it should be noted that the malware does not store a decryption key, so the attackers could not restore a victim’s files following payment; there have been no reported successful decryptions following payment.

The NCSC announced on Thursday 29 June that while managing the impact to the UK, its experts had found evidence that questioned initial judgements that the intention of this malware was to collect a ransom. The NCSC is investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain.

The malware has spread to a number of organisations worldwide that do business with Ukraine, including Russia’s oil firm Rosneft, Danish shipping concern Maersk and a large UK advertising agency.

Whilst this latest ransomware infection is more limited in scale than WannaCry, it is assessed that the success of these two incidents is likely to motivate other actors who aim to cause widespread disruption to employ “ransomware” to do so.


NCSC - Weekly Threat Report 23rd June 2017

This report is drawn from recent open source reporting.

Fake airline websites distributed by social media

Scammers are using the brands of major global airlines to lure users to fake websites and then encourage them to share links to the sites with friends. When a user clicks through to the sites they are prompted to answer a few simple questions and provide personal information to get free flights. Once they have given away their name, email, phone number, date of birth and address, they are told they will receive the flights only once they ‘like’ and share the page on Facebook, spreading the fake sites to new victims.

According to threat researchers, cyber criminals were observed registering 95 fake websites in late March using the brands of 19 major airlines, including ones based in the UK. The personal details provided by the victims are used for fraudulent marketing purposes, namely to drive traffic to websites that provide online promotions and monetisation of web and mobile applications. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize draws etc.) to attract public attention.

In the run up to the summer holidays, this cyber-enabled fraud may lead to lost custom and reputational damage for the airlines. The use of social media to distribute fake websites is likely to continue to increase. It is not limited to airlines and could affect any well-known brand. There also remains a risk that malicious actors could modify the scheme and use such sites to distribute malware to victims. For guidance see the NCSC’s 10 Steps: Malware Prevention.


NCSC - Weekly Threat Report 16th June 2017


Mouseover malware masquerading in Powerpoint files

According to media reports, a new method of delivering malware has surfaced. 'Zusy' malware, according to IT company ExtremeTech, is a banking trojan whose intention is to steal credentials. The reports suggest that simply hovering your mouse over a link will lead to infection without requiring you to click on anything. However, several stages are required to successfully infect a user.

What is interesting about this malware is that the initial infection vector does not rely on Macros or JavaScript to execute its malicious code. Instead, the malware developer has focused on abusing certain features in Microsoft PowerPoint to download and deploy the banking trojan.

This malware is initially delivered to users through phishing, as an email attachment. First, the user needs to open the attachment, which displays a PowerPoint slide in slide show mode. A segment of text or a picture on the slide carries a clickable hyperlink; the most common message seen at this time is 'Loading...Please wait'. The 'mouseover' malware will only initiate if the user moves their cursor over the text or picture. A command is then executed which attempts to run an external program, such as a PowerShell script. At this point Microsoft's Protected View security feature, which is enabled by default, will display a warning notice allowing the user to disable the program. If the program is not disabled, it will create a backdoor giving the attacker full access to the victim's machine. Users running PowerPoint versions older than 2010 are particularly vulnerable to this type of attack because, when they hover over the link, the preview window opens automatically without giving them the option to disable the malicious program.

Historically, malware infections have occurred when the victim clicks on a suspicious link, and general guidance has always advised users to hover over links to check file formats for suspicious executables. Users should continue to remain aware and be vigilant when receiving email attachments.

Although this development is not as alarming as it may first appear, the NCSC assesses that we may see a more sophisticated version of this attack vector in the future. The NCSC recommends that users follow NCSC malware guidance which includes regularly updating antivirus software to reduce the risk of being infected.

Enterprises that implement application whitelisting approaches, as described in the NCSC Windows EUD Security Guidance, will also mitigate current variants of this threat by preventing the malicious scripts and programs downloaded by the malware from running.
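A defender-side triage check for the hover-triggered delivery described above, written here as an added example and not taken from the NCSC report or any vendor tool: it unzips a .pptx, reads each slide's DrawingML for hlinkMouseOver and hlinkClick elements whose action launches a program, macro or file rather than navigating within the deck, and resolves the relationship target that would be run. The sample deck is constructed inline with a placeholder target, not a real malicious file.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# ECMA-376 OOXML namespaces: DrawingML, document relationships, package relationships.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"
# Hyperlink actions that launch something instead of navigating within the deck.
RISKY_ACTIONS = ("ppaction://program", "ppaction://macro", "ppaction://hlinkfile")

def scan_pptx(data: bytes) -> list:
    """Return one finding per hover/click hyperlink whose action can run code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for slide in (n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            root = ET.fromstring(zf.read(slide))
            # Relationship id -> target; the program/command string lives in the slide's .rels part.
            rels_name = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(zf.read(rels_name)):
                    targets[rel.get("Id")] = rel.get("Target")
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for link in root.iter(f"{{{NS_A}}}{trigger}"):
                    action = link.get("action", "")
                    if action.startswith(RISKY_ACTIONS):
                        findings.append({"slide": slide, "trigger": trigger, "action": action,
                                         "target": targets.get(link.get(f"{{{NS_R}}}id"))})
    return findings

def build_sample_pptx() -> bytes:
    """Constructed minimal deck (not a real sample): one hover action and one benign web link."""
    slide = (f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree><p:sp><p:txBody><a:p>'
             f'<a:r><a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>'
             f'<a:t>Loading...Please wait</a:t></a:r><a:r><a:rPr><a:hlinkClick r:id="rId3"/></a:rPr>'
             f'<a:t>Our website</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS_PR}"><Relationship Id="rId2" Type="{NS_R}/hyperlink" '
            f'TargetMode="External" Target="placeholder-program.exe"/><Relationship Id="rId3" '
            f'Type="{NS_R}/hyperlink" TargetMode="External" Target="https://example.com/"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Only the hover link with a ppaction://program action is reported; the ordinary web hyperlink on the same slide is not, so the output can feed an email gateway rule or a sandbox triage step without flagging every deck that contains links.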


Industrial Control Systems malware (Industroyer/CrashOverride)

The NCSC is aware of open source reporting providing details of malware dubbed as 'Industroyer' or 'CrashOverride', which is reported to be connected with the December 2016 power outages in Ukraine.

Previous media reporting suggests that during this incident, cyber attackers compromised parts of the Ukrainian electricity transmission network, resulting in the loss of electricity supply to customers for approximately one hour.

The NCSC has published on CiSP details of mitigation strategies to secure networks against these attacks. US-CERT has also published analysis and indicators of compromise.
