NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www.thisisarealwebsite.org.com
  • Example 2: www.thisisarea|website.org.com

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.
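A simple automated version of the "study web links carefully" advice is to scan each hostname for characters that are not plain ASCII letters, digits, hyphens or dots and name them, so that a substituted symbol such as the vertical bar in the second example above is reported rather than missed at a glance. The script below is an added example written for this page, not NCSC tooling; the sample links are constructed (the third one uses a Cyrillic letter in place of a Latin "i" to show the same trick with a non-ASCII character).

```python
import unicodedata

# Constructed sample links (not from the report): the first is plain ASCII,
# the second swaps the letter "l" for a vertical bar as in the page's example,
# the third uses a Cyrillic letter that renders almost identically to Latin "i".
SAMPLE_LINKS = [
    "www.thisisarealwebsite.org.com",
    "www.thisisarea|website.org.com",
    "www.thisisarea\u0456website.org.com",
]

# Characters a hostname is expected to contain: lower-case ASCII letters,
# digits, hyphen and the label separator.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def suspicious_chars(hostname):
    """Return (position, character, Unicode name) for every character in the
    hostname that falls outside the allowed ASCII set."""
    findings = []
    for pos, ch in enumerate(hostname.lower()):
        if ch not in ALLOWED:
            findings.append((pos, ch, unicodedata.name(ch, "UNKNOWN")))
    return findings


def is_homograph_candidate(hostname):
    """True if the hostname contains any character a fraudster could have
    substituted for a normal letter or digit."""
    return bool(suspicious_chars(hostname))


def describe(hostname):
    """Human-readable verdict: the hostname with offending characters marked
    in square brackets, plus their Unicode names."""
    findings = suspicious_chars(hostname)
    if not findings:
        return f"OK       {hostname}"
    marked = "".join(
        f"[{ch}]" if ch not in ALLOWED else ch for ch in hostname.lower()
    )
    names = ", ".join(f"pos {p}: {name}" for p, _, name in findings)
    return f"SUSPECT  {marked}  ({names})"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(describe(link))
```

The check only catches substitutions that leave the ASCII hostname alphabet; a capital "I" standing in for a lower-case "l" passes it, so it complements rather than replaces looking at the link and, for mail, checking where the link actually points before clicking.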

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect and sometimes operates to coincide with times where the device is not normally used, and thus remains undetected.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

Github consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.
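One concrete way for a developer or user to "check the integrity of published software" is to compare the SHA-256 digest of the downloaded file against the checksum the project publishes. The following is an added example for this page, not Syscoin's or GitHub's code; the release bytes and checksum file are constructed so that it runs offline, and the file name is a placeholder.

```python
import hashlib
import hmac

# Constructed release artefact and checksum file (not a real release):
# the "published" checksum is what a project would post alongside the
# download; the tampered copy differs from the genuine one in a single byte.
RELEASE_NAME = "wallet-1.0.0-win64.zip"
RELEASE_BYTES = b"PK\x03\x04 constructed release archive contents"
TAMPERED_BYTES = b"PK\x03\x04 constructed release archive contentS"


def sha256_hex(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text):
    """Parse a SHA256SUMS-style file ('<hex>  <filename>' per line, as
    sha256sum writes it) into a {filename: hex digest} mapping, ignoring
    blank and comment lines and the '*' binary-mode marker."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def verify_release(name, data, sums):
    """True only if the file's digest matches the published one. The
    constant-time comparison avoids leaking how many leading characters
    matched; an unlisted file is treated as unverified."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Checksum file as a project would publish it (constructed here from the
# sample bytes so the example is self-contained).
SUMS_TEXT = f"# constructed checksum file\n{sha256_hex(RELEASE_BYTES)}  {RELEASE_NAME}\n"

if __name__ == "__main__":
    sums = parse_sums(SUMS_TEXT)
    print("genuine :", verify_release(RELEASE_NAME, RELEASE_BYTES, sums))
    print("tampered:", verify_release(RELEASE_NAME, TAMPERED_BYTES, sums))
    print("unlisted:", verify_release("other.zip", RELEASE_BYTES, sums))
```

A checksum is only as trustworthy as the channel it came from: if the same account that was compromised also publishes the checksums, an attacker can replace both. That is why the check works best alongside a code signature whose verifying key was obtained separately, and why the 2FA advice for the publishing account matters as much as the check itself.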

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FA, password management, mitigating the threat of malware and identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as Lokibot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.


NCSC Guidance Notice - Increased Cyber Threats: Security steps to take

Measures to protect and prepare your systems in the face of heightened cyber security threats 

This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.

So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worse comes to the worst, they’ll help you determine what went wrong and recover quickly.

The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.


Increased cyber threats

How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media. There are a number of commercial, and industry specific information-sharing resources as well as the CiSP platform detailed below.
 

Steps to take now:

If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:

1. Your organisation should undertake a readiness review and identify:

  • all available sources of logging
  • where those logs are stored
  • how long those logs are retained
  • who has access to them
  • that logging events are currently being generated

2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.

3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.

These measures will help in the detection of cyber attacks and give you some front line protection against Denial of Service (DoS) attacks.
 

Steps to take in the coming weeks:

1. Improve Defences

The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:

  • Your organisation should review its asset and vulnerability management processes and ensure they are in line with the NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
  • Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high risk, or day to day user activities such as web browsing and email.
  • Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.
     

2. Improve detection capability

Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.

It is important to log events, even if you have no proactive capability to examine them.

If there is a suspected incident the logs will:

  • make it easier to prove an attack has taken place
  • provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
  • allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted
     

3. Improve response capability

Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.

Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.

The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact incidents@ncsc.gov.uk who will supply you with a form to complete with your organisation’s details. 

Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.


If an incident occurs

Please report incidents to the NCSC 24/7 Incident Management team if the following applies:

  • Significant loss of data, system availability, or control of systems
  • Unauthorised access to or malicious software present on IT systems.


Business as usual

Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.

You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.


NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programme interfaces and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows on from other reported incidents around insecure repositories and third party storage solutions, where users have failed to alter the default settings and/or configured the environments incorrectly, and subsequently exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR security outcomes that have been developed by the NCSC and the Information Commissioner's Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.


NCSC - Countdown to GDPR

Anybody who is involved in cyber security or data protection will be acutely aware that the General Data Protection Regulation - better known simply as GDPR - comes into force on Friday (the 25th of May). We have worked very closely with the Information Commissioner's Office (ICO) to develop a set of GDPR Security Outcomes, which we published last week.

GDPR and cyber

If you have tried to read and understand the relevant articles described in the Regulation, well done. I personally have found it really hard work to break it apart, summarise what security measures it really seeks, and then overlay good cyber security practice to meet those requirements. Thankfully, the ICO really do understand the detail, and so we have worked together to describe what the regulation requires and provide an overview on what sorts of cyber security measures we expect those organisations processing personal data to have in place. We have published this work as a set of Security Outcomes required for GDPR, together with some relevant overarching GDPR information. Whilst we have a shared interest with the ICO on cyber security, of course they are the lead for the GDPR and you should consult their website for any general GDPR questions or needs that you might have.

What GDPR says about cyber

Now I'm going to quote parts of the Regulation here  - so bear with me - but I will give some context as well.

There is an overarching requirement that basically says that you need to protect personal information. It states that personal information must be:

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

The key thing to note here is that personal information being correct and available is in scope - not just protecting its confidentiality.

One thing that I personally like in the GDPR (OK so it's a little bit nerdy to have a favourite part of data protection legislation) is that it specifically requires organisations to think about security as you design services as well as at the point when processing happens. It means that services must be designed with security in mind from the outset, and that you have to keep them secure through the whole lifecycle. You can't just develop services and allow security debt (when security corners are cut to meet business delivery) to accumulate.

The Regulation refers in a number of places to:

"appropriate technical and organisational measures"

It emphasises that you need to take a risk managed approach to security that is influenced by the risk to the individuals whose data you are processing, the state of the art (of technology) and cost. 'Appropriate' really does depend; we understand that saying 'it depends' can be really frustrating and people need a bit more certainty than that. Whilst the GDPR takes this 'it depends' approach, we have worked with the ICO to develop Security Outcomes that we would jointly expect any organisation to meet.

What are Security Outcomes?

As the name suggests, these are outcomes that any organisation should seek to achieve with regards to cyber security. They do not themselves carry mandatory status, although they are our joint approximation of what appropriate means under the Regulation. You'll find that the outcomes do not say precisely what to do with regards to cyber security. That's deliberate as it's not for us (neither the NCSC nor the ICO) to tell you what technologies to use, nor to limit your choices in how you choose to protect them. Equally we need the outcomes to work for organisations of many sizes and complexity. Overall this was probably the hardest challenge and we'd like to hear your feedback if there are areas that don't quite work (and the reasons of course).

As we wrote the outcomes, we attempted to define the minimal set of measures that represent decent practice with regards to security. We do not believe we have described anything that is unreasonable, or should be surprising to you. Again let us know if you feel this isn't the case. Defining what we believe to be good practice means that existing guidance remains appropriate and can help you design measures that meet the outcomes. There is a lot of existing material  - including our own Small Business Guide and ICO's guidance on GDPR - which you may find helpful.

We know that good security isn't just about putting technical mitigations in place. The outcomes are aligned to 4 top level aims which cover how you manage security, protecting personal data from cyber attack, detecting incidents and minimising the impact if an incident does happen. 

Existing schemes and certifications

I'm asked a lot whether having Cyber Essentials means you are compliant with the GDPR cyber security requirements. Certainly having Cyber Essentials certification is a good thing and it will show that you take protecting yourself from cyber attack seriously. I wholeheartedly recommend it but there are other areas, outside the scope of Cyber Essentials, where you need to protect personal information too. A good example might be protecting data at rest on a laptop. The same logic applies to other certifications you might have; they are part of the picture, but you must still ensure that you are comprehensively protecting personal data.

If something goes wrong

Occasionally even the most diligent organisation might experience a security incident. The whole approach of the GDPR is based on managing risk, not avoiding all risk. The fact that some of our Security Outcomes describe detecting events and minimising the impact should underline this. If you are (or think you are) subject to an incident that involves personal data then you are likely to be obliged to report this to the ICO. They have published guidance on their website to help you understand what you should report, and by when.

Ian M

Principal Technical Director, Risk Management Capability


NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.


Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual pleaded guilty to the charges against her and was charged with carrying out fraud in ‘connection to computers’.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
 

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Services Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.

The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.
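The two mechanisms named above, ACLs and bucket policies, are both things an administrator can review without any scanning tool. The script below is an added example written for this page (not AWS's or the NCSC's code): it takes a bucket policy and an ACL grant list in the JSON shapes that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return, and reports whether either grants access to the world. The policies, account id and bucket name are constructed; the two group URIs are the real S3 identifiers for "everyone" and "any AWS account".

```python
import json

# Real S3 "global" grantee URIs; either one in an ACL makes the grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed policies (not the operator's): the first hands read access to
# anyone holding the URL, the second limits it to one IAM role.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-kyc-uploads/*"
  }]
}""")

RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-kyc-uploads/*"
  }]
}""")

# Constructed ACL grant lists in the shape returned by get-bucket-acl.
OPEN_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
                   "Permission": "FULL_CONTROL"}]


def _principal_is_anyone(principal):
    """A statement applies to the world when Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Sids of Allow statements that apply to any principal and carry no
    Condition that might narrow them (a Condition needs manual review)."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(st.get("Principal")) and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement-{i}"))
    return hits


def public_acl_grants(grants):
    """Permissions handed to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def bucket_is_public(policy, grants):
    """True if either mechanism opens the bucket; both must be clean."""
    return bool(public_policy_statements(policy) or public_acl_grants(grants))


if __name__ == "__main__":
    print("open      :", bucket_is_public(OPEN_POLICY, OPEN_ACL))
    print("restricted:", bucket_is_public(RESTRICTED_POLICY, OWNER_ONLY_ACL))
```

Note that the check is deliberately conservative about the ACL and the policy separately: a bucket whose policy is tight but whose ACL still grants READ to AllUsers is reported as public, because the two are evaluated independently by S3 and either alone is enough to expose the objects.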

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
 

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011, the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.


NCSC - Weekly Threat Report 9th March 2018

This report is drawn from recent open source reporting. 

Largest reported DDoS attacks mitigated 

The largest ever reported Distributed Denial of Service (DDoS) occurred in early March 2018, according to Netscout Arbor. A peak of 1.7 Terabits per second (Tbps) was recorded, although the attack was mitigated. This followed a recent attack against GitHub on 28 February, with a peak of 1.35 Tbps. The largest known attack previously took place in 2016 against the US DNS provider DYN, which peaked at 1.2 Tbps.

The method used for these attacks is known as a ‘memcached server DDoS’. Memcached servers cache in memory data that applications would otherwise have to fetch from external databases. Large companies often use memcached servers to help speed up and assist in dealing with large demands on their services. When memcached servers are openly accessible over the internet via the User Datagram Protocol (UDP), they can be utilised to significantly amplify data.

The attackers ‘ping’ a server with a small packet of data in order that memcached servers reply with a response to the victim which is up to fifty thousand times the original packet size. If there are no mitigations such as filtering or management of networks, this could easily cause a service to go offline. Whilst the vectors were different in the 2016 DYN attack, the incident demonstrates the potential ramifications if other services are dependent on the targeted service; for more information, see the NCSC Weekly Threat Report 24 October 2016.
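The "filtering or management of networks" mitigation starts with knowing whether your own memcached instances answer on UDP from anywhere other than the local machine. The following is an added example for this page, not memcached's or the NCSC's code: it reads the option string that a memcached configuration file or OPTIONS= line passes to the daemon and reports whether UDP is enabled on a non-loopback address. The two real flags used are `-U` (UDP port; `-U 0` disables UDP) and `-l` (listen address). The sample option strings are constructed, and the example assumes the older memcached default of UDP on port 11211 when `-U` is absent; newer builds ship with UDP off, so check the version you run.

```python
import shlex
from ipaddress import ip_address

# Constructed option strings of the kind found in a memcached config file;
# the first two are exposed forms, the third is the hardened one.
EXPOSED = "-m 64 -p 11211 -U 11211 -l 0.0.0.0"
DEFAULT_LISTEN = "-m 64 -p 11211 -U 11211"   # no -l: binds every interface
HARDENED = "-m 64 -p 11211 -U 0 -l 127.0.0.1"

# Assumption for this example: UDP defaults to 11211 when -U is not given
# (the pre-1.5.6 behaviour). Adjust if your build defaults to -U 0.
ASSUMED_DEFAULT_UDP_PORT = 11211


def parse_options(opts):
    """Return (listen addresses, udp port). -l may be repeated or hold a
    comma separated list; with no -l memcached listens on all interfaces."""
    tokens = shlex.split(opts)
    listen, udp_port = [], ASSUMED_DEFAULT_UDP_PORT
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-l" and i + 1 < len(tokens):
            listen.extend(a.strip() for a in tokens[i + 1].split(","))
            i += 2
        elif tok == "-U" and i + 1 < len(tokens):
            udp_port = int(tokens[i + 1])
            i += 2
        else:
            i += 1
    return listen or ["0.0.0.0"], udp_port


def udp_exposure(opts):
    """Findings explaining why this configuration could act as a reflector,
    or an empty list when UDP is off or bound only to loopback."""
    listen, udp_port = parse_options(opts)
    if udp_port == 0:
        return []
    findings = []
    for addr in listen:
        try:
            ip = ip_address(addr)
        except ValueError:
            findings.append(f"cannot classify listen address {addr!r}")
            continue
        if ip.is_loopback:
            continue
        if ip.is_unspecified:
            findings.append(f"UDP {udp_port} bound to all interfaces ({addr})")
        else:
            findings.append(f"UDP {udp_port} bound to non-loopback address {addr}")
    return findings


if __name__ == "__main__":
    for label, opts in (("exposed", EXPOSED), ("default", DEFAULT_LISTEN),
                        ("hardened", HARDENED)):
        print(f"{label:9} {opts!r}: {udp_exposure(opts) or 'OK'}")
```

Binding to loopback or disabling UDP removes the instance from the pool of reflectors; where an application genuinely needs memcached across hosts, a firewall rule that limits port 11211 to the application subnet achieves the "filtering" the report refers to.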

In the attack against GitHub, there has since been reporting of a ransom note embedded in the data payload, demanding a payment of 50 Monero (worth approx. $15,000). There are also suspicions among various mitigation service providers that this method of amplification has now been adopted by DDoS-as-a-Service providers.

These latest DDoS attacks were mitigated, but further attacks may occur. The NCSC has previously provided DDoS advice regarding understanding the threat of attacks and also response and recovery planning. There is also a detailed catalogue of NCSC DDoS guidance.


NCSC advice: Malicious software used to illegally mine cryptocurrency

Guidance for members of the public, website administrators and JavaScript developers in relation to the recently publicised cryptocurrency mining compromises of several websites 

The NCSC is aware of a compromise of the third-party JavaScript library ‘Browsealoud’ which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators, and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance below.

You can also read more about cryptomining in last week’s NCSC Threat Report (published 9 February 2018).
 

Advice for members of the public

  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer, reduced battery life, or visited the affected websites we recommend:
    • Closing the browser you visited the webpage on is likely enough to stop the mining;
    • Clearing the browser cache will remove all traces of the code. Guidance on how to do this is available here: http://www.refreshyourcache.com/en/home/
       

Advice for website administrators 

  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical to do, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.

In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:

  • SRI (Sub-Resource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the hash will no longer match and the script will not be loaded by users. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.

We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
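To make the two measures concrete, the script below is an added example for this page (not Browsealoud's code or NCSC tooling). It computes the integrity value a site owner would put on a script tag, replays the check the browser performs so that a modified copy of the script is refused, and builds a Content-Security-Policy header that limits script sources to the site itself and a named host. The script bytes and the host name are constructed.

```python
import base64
import hashlib

# Constructed third-party script (not the Browsealoud library) and a tampered
# variant with an extra statement appended to it.
SCRIPT = b"(function(){document.body.dataset.reader='on';})();\n"
TAMPERED = SCRIPT + b"/* injected */\n"


def sri_hash(content, algo="sha384"):
    """Integrity metadata in the form the browser expects: '<algo>-<base64>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """Replay the browser's check: recompute the digest with the stated
    algorithm and compare. Any change to the bytes fails the check, and an
    unsupported algorithm is treated as a failure rather than a pass."""
    algo, _, expected = integrity.partition("-")
    try:
        return sri_hash(content, algo) == f"{algo}-{expected}"
    except ValueError:
        return False


def script_tag(src, content):
    """<script> element pinned to the exact bytes the site owner reviewed.
    crossorigin="anonymous" is required for SRI on a cross-origin resource."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def build_csp(script_hosts):
    """Content-Security-Policy value allowing scripts only from this origin
    and the listed hosts; script injected from anywhere else is refused."""
    hosts = " ".join(script_hosts)
    return f"default-src 'self'; script-src 'self' {hosts}".rstrip()


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/reader.js", SCRIPT)
    print(tag)
    print("genuine loads :", verify_sri(SCRIPT, sri_hash(SCRIPT)))
    print("tampered loads:", verify_sri(TAMPERED, sri_hash(SCRIPT)))
    print("Content-Security-Policy:", build_csp(["https://cdn.example"]))
```

The CSP line shows why several researchers said a policy would have blocked this incident only in part: a policy that lists the library's CDN still allows a modified script served from that CDN, which is exactly what SRI catches, so the two measures cover different failure modes and are strongest together.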
 

Advice for third-party JavaScript developers

  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place for if a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have a static cryptographic hash, will enable customers to validate their integrity.


NCSC - Weekly Threat Report 5th January 2018

'Meltdown' and 'Spectre' vulnerabilities to microprocessors

Reports of new security flaws affecting microprocessors called ‘Meltdown’ and ‘Spectre’ surfaced this week. Processors in most devices employ a range of techniques to speed up their operation, and the vulnerabilities allow some of these techniques to be abused to obtain information about areas of memory not normally visible to an attacker. As a result, normally difficult actions - such as recovering passwords - are theoretically made easier.

However, an attacker would still need to run code on a device. Access would typically be gained via well-known means, such as phishing attacks or browsing malicious websites. At this stage there has been no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC has pro-actively advised that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available, and has recommended that home users enable automatic updates so future security measures are installed.

Further advice for enterprise administrators and home users can be found on this website.
 

Cyber-enabled fraud: an increasing threat for 2018

Media reporting highlights an alleged attempt by hackers to steal funds from Russian bank Globex. The hackers appear to have used legitimate credentials to access the SWIFT international payment system to attempt fraudulent wire transfer requests valued at 55 million roubles (c. £700,000).

This attempted theft highlights that poor end user security is still a problem for some global financial institutions.

Increasingly, cyber thieves are attempting to harvest legitimate login credentials, and then commit fraudulent activity using the accesses that these legitimate credentials provide. Most notoriously, around US $81 million was stolen from Bangladesh Bank in February 2016.

Analysis of the Bangladesh Bank theft indicates that the hackers responsible likely implanted malware into the bank's servers to steal legitimate SWIFT credentials, which were then used to conduct the fraudulent transactions.

Most organisations in the UK finance sector will have sufficient cyber security measures in place to protect against the type of fraud attempted against Bangladesh Bank and Globex. However, globally, this trend of cyber-enabled fraud, which seeks to acquire and then abuse legitimate credentials, is likely to continue throughout 2018, and it is likely to be attempted against UK organisations across all sectors.
 

Cyber attack forces US hospital offline

The Jones Memorial Hospital in the US state of New York was hit by a cyber attack this week impacting some of its information services. The hospital stated that they used standard computer downtime procedures in response, and they believe no patients’ financial or medical information has been compromised.

The exact cause of the incident was not revealed, although similarities can be drawn to previous ransomware attacks against healthcare providers in the US. While all sectors are vulnerable to such attacks, healthcare organisations in the US are more likely to be specifically targeted by cyber criminals because they operate privately, for profit and have a high reliance on access to data. As a result, these organisations also tend to have appropriate response and backup procedures in place, enabling them to limit the operational and financial impact of cyber attacks.

The NCSC has published guidance on how to prevent a ransomware incident and what to do if your organisation is infected.


NCSC - Weekly Threat Report 03 November 2017

Fake speeding notices deliver malware

Police forces around the UK are warning motorists not to be taken in by a phishing email falsely informing them that they need to pay a speeding fine. The realistic-looking email, entitled ‘Notice of Prosecution’, claims to have ‘photographic’ evidence, but clicking on the associated link will download banking malware onto the victim’s device.

The email appears official, with the logos of either the local police force or ‘gov.uk’, but there are several features that indicate that it is fake. Spelling and grammatical errors are fairly obvious, and the speed at which the vehicle was allegedly caught is unrealistic, e.g. travelling at 89mph in an area with a 25mph speed limit. Phishing emails rely on several factors to be successful, including evading spam filters, the appearance of credibility, and being able to make the recipient take action immediately.

The police have advised that any ‘Notice of Prosecution’ would be posted to the vehicle owner’s address and never sent in an email. They also advised people to delete the email without clicking on any links.


Code-signing certificates worth more than guns on the Dark Web

An investigation by a company specialising in identity protection solutions into the sale of code-signing certificates on the Dark Web suggests they are selling for up to $1,200, making them more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun. This relatively high price presumably reflects customer demand.

This is not the first time that security researchers have highlighted the issue of stolen or fraudulently obtained code-signing certificates. Since at least 2011, they have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed.

Over the years, attackers have managed to sign their malicious executables with certificates obtained by a variety of methods – reportedly stealing them from technology companies (including some well-known names), penetrating the networks of companies and using their signing facilities, or applying for certificates in the names of fake companies or real companies who have no need for them. As far back as 2010, the destructive worm Stuxnet included components that were signed with stolen certificates. More recently, the cyber actors who corrupted an update of clean-up tool CCleaner managed to get the update signed.

Amongst other things, this highlights the fact that, when attackers do manage to penetrate a network, they will often seek out things that facilitate further intrusions – like passwords (not only password caches, but sometimes also emails containing passwords or access codes), cookies, digital certificates and keys. System administrators should make sure they know where these are located.


The Dark Overlord – Systematic cyber-enabled extortion

A cyber crime group called ‘The Dark Overlord’ has claimed responsibility for conducting cyber-enabled extortion campaigns in recent weeks. Victims include a London-based plastic surgery clinic and a Hollywood production studio, both of which are believed to have a number of high-profile clients. The group has a history of hacking organisations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain. They leak snippets of data to the media to encourage them to report on their activity. This is aimed at “proving” that a breach has taken place, and increases the pressure on the victim to pay the ransom. ‘The Dark Overlord’ has been responsible for indiscriminately targeting health institutions, schools and media production companies over the last year.

Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted, and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public. Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximise impact. This may inspire other cyber extortionists to adopt a similar methodology, especially as new opportunities present themselves due to an increasing amount of sensitive data being stored online. Any data breach and the associated media exposure may cause significant reputational damage and loss of business.


NCSC - Weekly Threat Report 27th October 2017

Bad Rabbit Ransomware

This week, ‘Bad Rabbit’ ransomware infections have been reported in countries including Russia, Ukraine, Bulgaria, Turkey, Germany and Japan. The NCSC has not received any reports that the UK has been affected by this latest malware attack. The majority of infections have been in Russia, where media organisations were worst affected. Russia’s Interfax News Agency suffered outages to several of its services, including its news portal. Ukrainian victims included the Ministry of Infrastructure, Odessa airport and Kiev metro.

Bad Rabbit asks victims to pay 0.05 Bitcoin (currently worth approximately £210) to restore their files. A small number of transactions are reported to have been made, although these are unconfirmed, and it is currently unknown whether paying the ransom leads to decryption of files. The infection vector is believed to be certain compromised media websites in the affected regions, which ask the user to execute a fake Adobe Flash Player update. Researchers including FireEye and CrowdStrike have identified several links between Bad Rabbit and the NotPetya ransomware, including the use of similar JavaScript code to redirect victims. While claims have been made that Bad Rabbit made use of the EternalBlue exploit leveraged by WannaCry and NotPetya, these have been widely refuted; subsequent claims have been made that the EternalRomance exploit was leveraged.

It is currently unclear who is responsible for this ransomware. NCSC technical analysis is ongoing to provide more clarity on technical indicators. There are no reported UK victims to date. Nevertheless, it should be noted that UK organisations would be vulnerable were they to visit any of the infected websites. In the case of NotPetya for instance, a number of UK organisations were infected. The NCSC has provided some mitigation advice in its public statement, highlighting the importance of patching, using proper antivirus services and having effective backup procedures. In addition to this, Bad Rabbit makes use of a set of hard-coded username/password combinations in order to attempt to spread to SMB shares on the local network. Organisations should ensure that these username/password combinations do not exist anywhere on their network, and in general that they follow good password practices.

Is Reaper the new Mirai?

In September, cyber security firms reported the discovery of a new botnet that targets vulnerable internet-connected devices and could already have infected millions of them.

The botnet (named variously as ‘IoTroop’; ‘IoT_reaper’ or ‘reaper’) has been targeting a number of known vulnerabilities found in popular device brands including internet connected cameras and Wi-Fi routers.

Reaper is being compared to the Mirai botnet, which caused serious disruption to the DNS provider Dyn and thousands of customer websites in October 2016. Some of Reaper’s code is reportedly similar to Mirai; however, researchers believe Reaper has many more capabilities than Mirai and the potential to cause a lot more damage. The fast rate at which Reaper has been infecting devices is also concerning, and the attacker appears to be updating the malware regularly.

The purpose of the Reaper botnet is currently unclear as it does not yet appear to have been used for malicious purposes. It is possible that, like the Hajime botnet identified earlier this year, there will be speculation that it has been developed to stop vulnerable devices being harnessed for malicious activity, but it would be best to assume the worst until proven otherwise.

Ensuring your devices are fully patched and limiting access to these devices will help protect from compromise. For further advice see our 10 steps to cyber security.
 

Washington Cyber Conference reportedly targeted by hackers

The International Conference on Cyber Conflict (CyCon) will be held 7-8 November in Washington and will host a high-level gathering of NATO and US military cyber experts.

A recent Cisco report has highlighted that this conference has been targeted by cyber actors known as ‘APT28’ and ‘Fancy Bear’. Cisco report that this actor has modified an existing Microsoft Word flyer publicising the conference, added reconnaissance malware to it and has conducted an email campaign to infect potential victims. The modified document contains an embedded Visual Basic for Applications (VBA) macro which is executed when the document is opened and automatically installs the malware. Running any macro within any externally produced Microsoft Word document will usually generate a warning which must be explicitly approved by the user. However, the user is more likely to override the warning and execute the macro if the malware-bearing email appears to be from a legitimate contact.

Word and PDF documents are one of the most common ways to spread malware, so, as a security measure, Microsoft deliberately turned off auto-execution of macros by default many years ago. Many current malware infections rely on persuading the user to turn macros back on. We assess with high confidence that cyber actors will likely continue to use creative and current specialised topics to compromise targets. It is likely that this campaign has been targeting people linked to government/military cyber security.


NCSC - Weekly Threat Report 20th October 2017

KRACK – a fundamental flaw in Wi-Fi security

Security researchers from Belgium have found that the majority of Wi-Fi connections are potentially vulnerable to exploitation because of a fundamental weakness in the wireless security protocol – WPA2. The exploit is called “KRACK”, which is short for Key Reinstallation Attack. Reports suggest that at most risk are Linux operating systems, Internet of Things (IoT) devices and 41% of Android devices. However, many of these, especially IoT devices, may never get patched.

For further detail on this flaw, please see our KRACK guidance and the latest blog.
 

Swedish transport networks hit by DDoS attacks

Media reported last week that trains were delayed in Sweden after the transport sector was successfully targeted by a series of DDoS attacks. On 11 October, two communication service providers serving the Swedish Transport Administration (Trafikverket) were hit by a DDoS attack, reportedly causing Trafikverket’s train management system to go down for several hours. Consequently, manual procedures had to be used to handle rail traffic, resulting in delays for the rest of the day. The organisation also had to resort to using Facebook to keep customers updated, as its email system and website were also unavailable. The following day, DDoS attacks targeted the Swedish Transport Agency (Transportstyrelsen) and a public transport operator serving Western Sweden (Västtrafik). The impact of these attacks was less severe, briefly affecting web services including ticket booking.

Some media reports speculate that a state-linked actor may have been responsible, however investigations into the incidents continue. Overall, the case highlights how transport firms can be impacted by attacks on third party service providers (in this case, Trafikverket’s communication service providers).


Cyber-enabled intimidation of NATO personnel in Baltics

According to open source reporting, advanced surveillance techniques (possibly including drone monitoring and/or IMSI grabbing) are being used to pull data from the personal smartphones of NATO personnel, despite warnings not to use them following previous incidents. There are accounts of personnel then being approached in public by individuals who convey details pulled from the smartphones – in one example, details about the personnel’s family.

This is not the first time NATO personnel operating in Europe have reported call interference or unusual behaviour by their mobile phones. Mobile devices operating over the public telephone system are susceptible to exploitation including interception of communications or tracking of the user. The capability to mount operations against personal electronic devices, including the use of rogue cell towers is within technical and financial reach of well-resourced threat actors. However, the more recent reporting is different as exploitation of devices has been followed up by personal approaches.

It is almost certain that personal mobile devices will increasingly become targets for a wide range of threat actors due to the amounts of personal information they hold, which is useful for espionage, targeting and criminal purposes. Personal mobiles are susceptible to a range of compromise vectors and have widely varying levels of cyber hygiene. This threat could expand beyond NATO personnel to businesses operating in the region or individuals traversing these areas on business or personal trips.


NCSC - Weekly Threat Report 29th September 2017

Compromise of Deloitte

The Guardian this week reported that the global accountancy firm Deloitte had been hit by a cyber attack that has revealed client email addresses. The hackers may have also accessed usernames, passwords and personal details.

Deloitte provides auditing, tax consultancy and cyber security advice to some of the world’s biggest banks, multi-national companies, media enterprises, pharmaceutical firms and US government agencies. According to the Guardian, Deloitte clients across these sectors had material in the company email system that was breached. The breach was believed to be US-focussed, affecting well-known companies as well as US Government departments. The compromise was discovered in March this year, but it was reported that the attackers may have had access to Deloitte systems since October or November 2016.

According to the newspaper, the hacker compromised the firm’s Microsoft Azure cloud global email server through an administrator’s account that, in theory, provided them with privileged, unrestricted access. The account required only a single password and did not have “two-step” verification. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which is Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.

Deloitte has stated on its website that only very few clients were impacted and no disruption has occurred to client businesses, to Deloitte’s ability to serve clients, or to consumers. The NCSC statement confirmed that we had engaged with the organisation to better understand the threat and based on current information we understand there to have been minimal UK impact.

Using a single factor authentication system like a username and an easy-to-guess password combination has allowed criminals to gain access to a user's account. Simple passwords based on dictionaries or the same passwords used on other systems that may have been leaked can give cyber attackers easy access to IT systems. Gaining access to the administrator account is the ‘jackpot’ for an attacker and will provide an attacker with unrestricted access to all user accounts.

Two Factor Authentication (or 2FA) is an extra layer of security that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately to hand - such as a physical token, keyfob device, fingerprint, facial recognition or SMS confirmation via mobile phone.

A compromise would be highly unlikely if a complex password or 2FA had been implemented. See the NCSC’s Password Guidance.
 

Banks’ concerns about cloud cyber security

Investment bank Goldman Sachs has in recent days echoed concerns about the number of banks using the same small number of Cloud storage providers – pointing out that those users also include the UK financial regulatory bodies.

The bank’s Head of Technology for Europe, Middle East and Africa argues that the online platforms should be regulated from a resilience perspective, and describes a ‘concentration risk’. The concerns echo those voiced in January by the Bank of England Governor and the chair of the Financial Stability Board, who refer to the risk of a single point of failure if ‘banks come to rely on common hosts of online banking or providers of Cloud computing services’.

The use of an online network, or ‘Cloud’, increases the scale and flexibility of computing capacity, and aligns with the growing desire within the financial services industry for innovative technological business models and processes.

The Financial Stability Board (FSB) alerted the industry in June to the greater reliance on external providers of technology, and hence the potential risk of disruption, specifically citing the Cloud. The FSB highlighted the risks of financial institutions relying on the same third-party Cloud computing and data services providers, and cited other jurisdictions where, for example, guidelines had been issued for Cloud outsourcing, internet banking and technology risk management. Greater co-ordination within finance, and with non-finance partner organisations such as those with a remit for cyber security, was mooted.

Some of the growing concerns voiced within financial services about the Cloud are addressed by the NCSC’s Cloud Security Principles and advice.

 

Cryptocurrency mining by cyber criminals

Recent IBM reporting observes a sixfold increase in the use of specifically CPU-based cryptocurrency-mining malware since the beginning of 2017, a much faster rise than observed for cryptocurrency-mining malware more generally.

While there are many cryptocurrencies, with different characteristics, all rely on ‘miners’, who carry out a large number of calculations to verify transactions. In exchange for contributing computing power, miners are rewarded with cryptocurrency.

Mining many currencies using a CPU has generally become economically unviable for legitimate users, as running costs outweigh their gains, so they now use graphics cards, or specially designed application-specific integrated circuits (ASICs). Running costs are no obstacle to cyber criminals, however, who can use botnets of compromised machines as miners without needing to worry about the electricity bills. Some newer currencies are also more feasible to mine using a CPU only.

In a related trend, an increasing number of website scripts are being observed which mine cryptocurrency inside a web browser. Such scripts can be used in clearly illegal ways when hidden within adverts (a form of malvertising), but some sites have also shown an interest in such scripts as a form of revenue production to replace or supplement online advertising. Torrenting site The Pirate Bay received significant press coverage when it was revealed to have adopted such scripts without the knowledge or consent of its users. There have also been reports of cyber criminals compromising popular websites and hiding mining scripts in their source code, allowing them to profit from their victims’ visitors.


NCSC - Weekly threat report 7th July 2017

Scams follow widely reported attempt to compromise parliamentary email accounts

Following reported attempts by hackers to compromise parliamentary email accounts in June, scammers have recently attempted to gain information by cold-calling (or vishing) MPs and their staff. Posing as staff from the Houses of Parliament’s IT department, the scammers have reportedly been requesting the usernames and passwords of MPs. Vishing, like its online equivalent, phishing, attempts to elicit sensitive information, such as passwords, or encourage victims to visit particular (invariably malicious) websites.

Scammers try to capitalise on heightened public awareness of particular issues. Such social engineering techniques often increase in prevalence following a high-profile incident. For example, following the WannaCry ransomware incident, there were several reported scams, including fake fixes for the malware and malicious ‘tech support’ services. Phone calls can form part of a blended social engineering campaign, along with emails or social media contact. It is likely that scams such as these will continue to follow widely reported events.


NCSC - Weekly Threat Report 23rd June 2017

This report is drawn from recent open source reporting.

Fake airline websites distributed by social media

Scammers are using the brands of major global airlines to lure users to fake websites and then encourage them to share links to the sites with friends. When a user clicks through to the sites they are prompted to answer a few simple questions and provide personal information to get free flights. Once they give away their name, email, phone, date of birth and address they are then told they will receive the flights, only once they ‘like’ and share the page on Facebook, spreading the fake sites to new victims.

According to threat researchers, cyber criminals were observed registering 95 fake websites in late March using the brands of 19 major airlines, including ones based in the UK. The personal details provided by the victims are used for fraudulent marketing purposes, namely to drive traffic to websites that provide online promotions and monetisation of web and mobile applications. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize draws etc.) to attract public attention.

In the run up to the summer holidays, this cyber-enabled fraud may lead to lost custom and reputational damage for the airlines. The use of social media to distribute fake websites is likely to continue to increase. It is not limited to airlines and could affect any well-known brand. There also remains a risk that malicious actors could modify the scheme and use such sites to distribute malware to victims. For guidance see the NCSC’s 10 Steps: Malware Prevention.


NCSC - Weekly Threat Report 16th June 2017

 

Mouseover malware masquerading in Powerpoint files

According to media reports, a new method of delivering malware has surfaced. 'Zusy' malware, according to IT company ExtremeTech, is a banking trojan whose intention is to steal credentials. The reports suggest that simply hovering your mouse over a link will lead to infection without requiring you to click on anything. However, several stages are required to successfully infect a user.

What is interesting about this malware is that the initial infection vector does not rely on Macros or JavaScript to execute its malicious code. Instead, the malware developer has focused on abusing certain features in Microsoft PowerPoint to download and deploy the banking trojan.

This malware is initially delivered to users through phishing as an email attachment. Firstly the user needs to click on and open an attachment which displays a PowerPoint slide in slide show mode. A segment of text or a picture on the PowerPoint slide will have a clickable hyperlink. The most common message seen at this time is 'Loading...Please wait'. The 'mouseover' malware will only initiate if the user directs their cursor over the text or picture. A command is then executed which attempts to run an external program such as a PowerShell script. At this point Microsoft's security feature, Protected View, which is enabled by default, will display a warning notice allowing the user to disable the program. If the program is not disabled, it will create a backdoor giving the attacker full access to the victim machine. Users running PowerPoint versions older than 2010 are particularly vulnerable to this type of attack because when they hover over the link the preview window will open automatically without giving them the option to disable the malicious program.

Historically malware infections occur when the victim clicks on a suspicious link and general guidance has always advised users to hover over links to check file formats for suspicious executables. Users should continue to remain aware and be vigilant when receiving email attachments.

Although this development is not as alarming as it may first appear, the NCSC assesses that we may see a more sophisticated version of this attack vector in the future. The NCSC recommends that users follow NCSC malware guidance which includes regularly updating antivirus software to reduce the risk of being infected.

Enterprises that implement Application whitelisting approaches as described in the NCSC Windows EUD Security Guidance will also mitigate current variants of this threat by preventing the malicious scripts and programs downloaded by the malware from running.

 

Industrial Control Systems malware (Industroyer/CrashOverride)

The NCSC is aware of open source reporting providing details of malware dubbed as 'Industroyer' or 'CrashOverride', which is reported to be connected with the December 2016 power outages in Ukraine.

Previous media reporting suggests that during this incident, cyber attackers compromised parts of the Ukrainian electricity transmission network, resulting in the loss of electricity supply to customers for approximately one hour.

The NCSC have published on CiSP details of mitigation strategies to secure networks against these attacks. US-CERT have also published analysis and indicators of compromise.


NCSC - Weekly Threat Report 9th June 2017

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting.  Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling. That is, when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity it could be used to harvest sensitive data, such as financial credentials, medical records, or corporate business plans for example. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have been impacted.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach in which sensitive customer data in its US region may have been compromised. OneLogin primarily provides Single Sign On (SSO) and identity management services for corporate customers using cloud based applications. It is not yet clear how the unauthorised access happened nor what the impact was, but it is suspected that a threat actor obtained Amazon Web Services (AWS) keys and used them to gain access to the AWS Application Programming Interface (API) via another smaller provider in the US. The actor was then able to access database tables containing information about users, apps and various types of keys. This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted.  Although, like password managers, they are increasingly considered to be a better way of managing accesses, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows operating systems. Qakbot malware is used to target online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute force login details it can cause mass Active Directory lockouts. Some organisations have had thousands of users prevented from using corporate systems as a result.

According to researchers, the Qakbot code has been totally rewritten and is even more advanced and effective. Its new features, including obfuscated code and a constantly changing file structure and signatures, make it difficult to detect.

We assess it likely that other malware campaigns will make use of these antivirus-evasion techniques. Users should stay on their guard against suspicious emails and activity, and keep their systems up to date to help prevent infection.
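The mass lockouts described above leave a distinctive trace: Active Directory logs an account lockout (Windows Security Event ID 4740) that names the computer the bad attempts came from, so a single host locking out many different accounts within minutes is a strong signal of a worm brute-forcing credentials, and the caller computer name is the host to isolate first. The following is an added example, not code from the report: it runs a sliding-window count over a constructed, simplified export of such events and reports any caller computer that locks out more than a threshold of distinct accounts within a short window. The pipe-separated export format, host names and user names are invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security log entries for Event ID 4740
# (account locked out). Real exports carry more fields; the format here is
# "timestamp|EventID|TargetUserName|CallerComputerName" and the values are invented.
SAMPLE_LOG = """\
2017-06-01T08:00:05|4740|j.smith|WS-FINANCE-07
2017-06-01T08:31:40|4740|a.jones|WS-SALES-02
2017-06-01T09:15:00|4740|p.nguyen|WS-HR-01
2017-06-01T09:15:02|4740|r.patel|WS-HR-01
2017-06-01T09:15:03|4740|s.khan|WS-HR-01
2017-06-01T09:15:05|4740|l.brown|WS-HR-01
2017-06-01T09:15:06|4740|m.green|WS-HR-01
2017-06-01T09:15:08|4740|k.white|WS-HR-01
2017-06-01T09:15:09|4740|d.lee|WS-HR-01
2017-06-01T09:15:11|4740|t.evans|WS-HR-01
2017-06-01T09:15:12|4740|c.wood|WS-HR-01
2017-06-01T09:15:14|4740|b.hall|WS-HR-01
2017-06-01T11:02:19|4740|j.smith|WS-FINANCE-07
"""


def parse_lockouts(text):
    """Parse the simplified export into (timestamp, account, caller computer) tuples, keeping 4740 only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, caller = line.split("|")
        if event_id == "4740":
            events.append((datetime.fromisoformat(ts), account, caller))
    return events


def lockout_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per caller computer whose lockouts of *distinct* accounts
    reach `threshold` inside any sliding `window`.

    A single user repeatedly locking their own account (a forgotten password) never
    trips this, because the count is of distinct accounts, not of events.
    """
    by_caller = defaultdict(list)
    for ts, account, caller in sorted(events):
        by_caller[caller].append((ts, account))

    alerts = {}
    for caller, evs in by_caller.items():
        recent = deque()  # events from this caller inside the current window
        for ts, account in evs:
            recent.append((ts, account))
            while ts - recent[0][0] > window:
                recent.popleft()
            accounts = {a for _, a in recent}
            if len(accounts) >= threshold:
                prev = alerts.get(caller)
                if prev is None or len(accounts) > prev["accounts"]:
                    alerts[caller] = {"caller": caller, "first_seen": recent[0][0],
                                      "last_seen": ts, "accounts": len(accounts)}
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in lockout_bursts(parse_lockouts(SAMPLE_LOG)):
        print(f"{alert['caller']} locked out {alert['accounts']} accounts between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}; isolate this host")
```

The threshold and window are assumptions; in practice you would set them from a few days of your own 4740 volume, and pair the rule with the matching 4771/4625 failures on the domain controllers to confirm the source before isolating it.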

Vulnerabilities

This week’s summary starts with Google, which fixed multiple flaws in both Chrome and Android that could lead to URL spoofing, disclosure of sensitive information and remote code execution.

Cisco released updates for a number of different products (TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management Appliance and 8800 Series IP phones) to address cross-site scripting and bugs that could crash the target, allow unauthorised access or permit remote code execution.

IBM released updates for its Security Access Manager Appliance, Spectrum Protect (IBM Tivoli Storage Manager) and Domino TLS Server to prevent elevation of privilege, viewing of passwords, disclosure of sensitive information and disclosure of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian specific updates this week came from perl, nss and zookeeper.

ICS-specific updates this week were for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.


NCSC Guidance - Protecting your organisation from ransomware

Protecting your organisation from ransomware

Created:  17 Oct 2016

Updated:  17 Oct 2016

How to prevent a ransomware incident, and what to do if your organisation is infected.

Ransomware is a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. The first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015[1].  While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to other types of malicious software, as are the steps organisations can take to protect themselves. Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.

This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.

What is ransomware?

There are two types of ransomware: the first type encrypts the files on a computer or network; the second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

Preventing ransomware using good enterprise security

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

The following mitigations are examples of good security practice, and link to other NCSC guidance where available:

  • Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.
  • Controlling code execution - consider preventing unauthorised code delivered to end user devices from running. One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
  • Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
  • Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.

For more information see Approaching enterprise technology with cyber security in mind.

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.

It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

Limiting the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

  • Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user. Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
  • Ransomware doesn’t have to go viral in your organisation; limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
  • Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember that backups should not be the only protection you have against ransomware: the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.
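The access-control and backup measures above limit how far an infection can reach; how much is lost before anyone reacts depends on how quickly an encryption run on a shared drive is noticed. One cheap early-warning technique is to plant "canary" files that no legitimate user or process should ever touch and watch them for change. The script below is an added example, not NCSC code: it records each canary's hash and byte entropy, then raises an alert when a canary is rewritten with high-entropy (ciphertext-like) content, disappears, or is joined by a file carrying a telltale extension. The directory layout, file names, entropy threshold and extension list are assumptions; the demo stands in for an encrypting process by overwriting one canary with random bytes and renaming another inside a temporary directory.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Low-entropy plaintext used for every canary (constructed content).
CANARY_TEXT = ("Quarterly figures, draft v3.\n" * 40).encode()
# Assumed list of extensions seen appended by file-encrypting malware; extend from your own incidents.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def snapshot(directory):
    """Map relative path -> (sha256 hex digest, entropy) for every file under `directory`."""
    root = Path(directory)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            snap[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return snap


def detect_tampering(baseline, current, entropy_threshold=7.0):
    """Compare a baseline snapshot of canary files against the current one.

    Canaries are never legitimately modified, so any change is an alert:
    'missing' (deleted or renamed away), 'high-entropy' (rewritten with
    ciphertext-like content), 'modified' (any other content change) or
    'suspicious-extension' (a new file whose name ends in a known ransom suffix).
    """
    alerts = []
    for rel, (digest, _) in baseline.items():
        if rel not in current:
            alerts.append({"file": rel, "kind": "missing"})
            continue
        new_digest, new_entropy = current[rel]
        if new_digest == digest:
            continue
        kind = "high-entropy" if new_entropy >= entropy_threshold else "modified"
        alerts.append({"file": rel, "kind": kind, "entropy": round(new_entropy, 2)})
    for rel in current:
        if rel not in baseline and rel.endswith(SUSPICIOUS_SUFFIXES):
            alerts.append({"file": rel, "kind": "suspicious-extension"})
    return alerts


def demo():
    """Constructed scenario: two canaries are laid down on a mock share; one is then
    overwritten with random bytes (standing in for ciphertext) and the other renamed,
    which is what a file-encrypting process leaves behind."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)
        (share / "finance").mkdir()
        (share / "finance" / "_canary_budget.xlsx").write_bytes(CANARY_TEXT)
        (share / "_canary_readme.txt").write_bytes(CANARY_TEXT)
        before = snapshot(share)
        # simulate the impact (test fixture only; random bytes, no real encryption)
        (share / "finance" / "_canary_budget.xlsx").write_bytes(os.urandom(len(CANARY_TEXT)))
        (share / "_canary_readme.txt").rename(share / "_canary_readme.txt.locked")
        after = snapshot(share)
    return detect_tampering(before, after)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run on a schedule of a minute or two against each share, a "high-entropy" or "missing" alert on a canary is a trigger to disconnect the share and start the incident process rather than wait for user reports; keep the canary paths out of any documentation users can read so they are not "helpfully" cleaned up.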

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk. It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced.

Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.


NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering methods rather than technical intrusion techniques. However, the individual was still able to trick the organisations into transferring over $100 million between 2013 and 2015, highlighting how cyber-enabled social engineering can be used effectively to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: suppliers and individuals often have less face-to-face interaction, and therefore may have fewer opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new; however, it is increasingly common as a low-cost, high-return crime. Other variations on this attack include:

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.
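Two of the patterns above, impersonating a known supplier and using a similar-looking fake address, can be screened for automatically at the mail gateway or in a payments team's inbox rules. The following is an added example, not NCSC code: it parses a message with Python's standard email library and scores it on three signals drawn from this report, a sender domain that is a near-match for a trusted supplier domain after folding common lookalike characters (for instance "rn" standing in for "m"), a Reply-To that diverts replies to a third domain, and payment-change language in the subject or body. The supplier allow-list, the homoglyph table, the phrase list and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier allow-list; these domains are invented for the example.
TRUSTED_DOMAINS = {"quanta-example.com", "acme-example.com"}
# Assumed table of character swaps commonly used to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}
# Assumed phrases that mark a request to change where money is sent.
PAYMENT_PHRASES = ("bank details", "wire transfer", "urgent payment", "new account")

# Constructed sample messages (headers and bodies invented).
LEGIT = """\
From: Quanta Accounts <ap@quanta-example.com>
To: payables@victim-example.org
Subject: Invoice 4471 attached

Please find the monthly invoice attached. Payment terms unchanged.
"""

LOOKALIKE = """\
From: Quanta Accounts <ap@quanta-exarnple.com>
Reply-To: Quanta Accounts <quanta.accounts@webmail-example.net>
To: payables@victim-example.org
Subject: Urgent payment - updated bank details for invoice 4471

Our bank details have changed with immediate effect; please remit to the new account below.
"""


def normalise(domain):
    """Fold characters commonly swapped for lookalikes so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Classic Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(normalise(domain), normalise(t)) <= max_distance:
            return t
    return None


def assess_message(raw):
    """Score one message for the BEC patterns in the report: a sender domain that imitates
    a supplier, replies diverted to a third domain, and payment-change language."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()

    findings = []
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates trusted supplier {imitated}")
    if reply_domain != from_domain:
        findings.append(f"replies diverted to {reply_domain}")
    money = [p for p in PAYMENT_PHRASES if p in text]
    if money:
        findings.append("payment-change language: " + ", ".join(money))

    spoof_signal = bool(imitated) or reply_domain != from_domain
    risk = "high" if spoof_signal and money else "medium" if findings else "low"
    return {"from": from_addr, "risk": risk, "findings": findings}


if __name__ == "__main__":
    for sample in (LEGIT, LOOKALIKE):
        print(assess_message(sample))
```

A "high" result is a reason to route the message to an out-of-band check (a phone call to a number already on file, never one taken from the email), which is the control that defeats this class of fraud regardless of how convincing the forged invoice is.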

 

Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.
 

Vulnerabilities

Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal updated a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.


NCSC - Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT, i.e. internet-connected) devices by scanning the Internet for devices with network vulnerabilities and attempts to connect to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections followed by Thailand and Russia. Industry partners have suggested that the number of UK devices infected currently stands at approximately 5,000.

Hajime is being compared to the Mirai malware for a number of reasons, including similarities between initial infection vectors, the targeting of internet-connected devices and the use of command and control (C2) servers to communicate and send instructions to infected devices. Hajime differs, however, in adopting a decentralised peer-to-peer (P2P) model, where communication and instructions are passed between infected nodes rather than through the more traditional client-server architecture. This approach is believed to make the malware much more resilient to takedown, as it does not rely on a single central server to control the malware.

The Hajime malware also differs in that it does not, as yet, appear to have been used with malicious intent. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory from researchers is that Hajime was created by ethical hackers who are targeting Mirai-infected devices with Hajime in order to deny Mirai any opportunity for harmful activity.

Malware targeting IoT devices is not new, and as these products become more popular among consumers, manufacturers and suppliers should be aware of the emerging risks and cyber threats posed when attention is not paid to IoT security.

See the NCSC website for guidance on malware prevention.
 

Insider steals employer’s proprietary trading code

A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.

From December 2016 to March 2017, the engineer took steps to obfuscate his presence on areas of the company’s network that he was not authorised to access. He used discrete areas of the network to collect over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating it.

The motivation for this activity has not been conclusively reported, nor whether this individual acted alone, or on behalf of another. The tasking of insiders by criminals to exploit access to corporate networks is a common occurrence. But the exfiltration of this particular source code is significant because trading platforms could be manipulated to allow vast amounts of money to be stolen in a single attack. Alternatively the intellectual property (IP) could be sold to a rival company.

Companies can mitigate the insider threat by adopting security policies that restrict access to their most highly classified data and by alerting when unusual activity is taking place.
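"Alerting when unusual activity is taking place" is, for a case like this one, mostly a matter of comparing each user's daily read volume and the repositories they touch against their own history: three million files is not a normal day for anyone. The script below is an added example, not code from the report or the firm involved: it builds a per-user baseline (median daily file count and the set of repositories normally read) from a constructed access summary and then flags review-period days where a user reads an order of magnitude more than usual, reads from a repository outside their baseline, or has no baseline at all. All user, repository and volume values are invented, and the factor and floor thresholds are assumptions to tune.

```python
from collections import defaultdict
from statistics import median

# Constructed daily file-access summaries (date, user, repository, files read), in the
# shape a file server or DLP agent might export them. All names and numbers are invented.
ACCESS_LOG = [
    ("2017-02-01", "eng-1", "build-tools", 120),
    ("2017-02-02", "eng-1", "build-tools", 95),
    ("2017-02-03", "eng-1", "build-tools", 140),
    ("2017-02-04", "eng-1", "build-tools", 110),
    ("2017-02-05", "eng-1", "build-tools", 130),
    ("2017-02-01", "quant-2", "trading-models", 300),
    ("2017-02-02", "quant-2", "trading-models", 280),
    ("2017-02-03", "quant-2", "trading-models", 310),
    ("2017-02-04", "quant-2", "trading-models", 295),
    ("2017-02-05", "quant-2", "trading-models", 320),
    # review period
    ("2017-03-01", "eng-1", "build-tools", 125),
    ("2017-03-02", "eng-1", "trading-models", 48000),   # outside usual repos and a huge volume
    ("2017-03-02", "quant-2", "trading-models", 305),
    ("2017-03-03", "contractor-9", "trading-models", 5000),  # account with no history at all
]


def build_baseline(records, baseline_end):
    """Per-user normal behaviour from records dated up to and including `baseline_end`:
    the median daily file count and the set of repositories the user normally reads."""
    daily = defaultdict(list)
    repos = defaultdict(set)
    for date, user, repo, files in records:
        if date <= baseline_end:
            daily[user].append(files)
            repos[user].add(repo)
    return {u: {"median": median(daily[u]), "repos": repos[u]} for u in daily}


def detect_bulk_access(records, baseline, review_start, factor=10, floor=1000):
    """Flag review-period days where a user reads far more files than their median
    (more than `factor` times it and at least `floor` files), touches a repository
    they never read during the baseline, or has no baseline and exceeds the floor."""
    alerts = []
    for date, user, repo, files in records:
        if date < review_start:
            continue
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            if files >= floor:
                reasons.append("no-baseline")
        else:
            if files >= floor and files > factor * profile["median"]:
                reasons.append("volume")
            if repo not in profile["repos"]:
                reasons.append("new-repo")
        if reasons:
            alerts.append({"date": date, "user": user, "repo": repo,
                           "files": files, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    profiles = build_baseline(ACCESS_LOG, "2017-02-28")
    for alert in detect_bulk_access(ACCESS_LOG, profiles, "2017-03-01"):
        print(f"{alert['date']} {alert['user']} read {alert['files']} files from "
              f"{alert['repo']}: {', '.join(alert['reasons'])}")
```

The "new-repo" signal is the one that matters most for source code like a trading model: access to it by anyone whose role never needed it should be rare enough to review by hand, which also makes a good argument for the restrictive access policy the report recommends.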
 

Hotpoint service site compromise

Recent reporting by the cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint’s UK and Irish service websites, since confirmed by Hotpoint in a statement to the Register. Customers accessing the service website were reportedly presented with fake Java dialogs which, if clicked, directed users to possibly malicious third-party websites, presenting a risk that users could be infected with malware. Netcraft notes that the compromise occurred shortly before the Easter weekend, suggesting that this may have been timed deliberately to maximise the impact.

According to the company’s statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggests that the site’s WordPress installation may have been responsible. The NCSC provides guidance on minimising vulnerabilities in WordPress, including the recommendations to apply regular security updates to WordPress and any plug-ins, to use only trusted plug-ins and to replace default or easy-to-crack passwords.
 

Vulnerabilities

There have been a large number of updates over the last week, thanks at least in part to Oracle’s quarterly update cycle falling this week. Oracle’s updates address multiple bugs in many of its products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.

Both Mozilla and Google released updates to fix multiple vulnerabilities in their browser products, Firefox and Chrome respectively, the most serious of which could allow remote code execution, and there were three updates for BIND.

Magento saw an update to prevent the uploading of arbitrary files and remote users conducting cross-site request forgery attacks. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager. Juniper released a number of updates for Junos.

On the virtualisation front there were updates this week for both VMware and VirtualBox.

Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.

On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.


Threat to Managed Service Providers


A major cyber campaign against Managed Service providers has been detected that may present risks to organisations using outsourced IT services. 

Media references to terrorist cyber capability

There have been numerous reports on the recently imposed restrictions on electronic devices larger than a smartphone being allowed in cabin baggage on flights from certain countries in the Middle East, North Africa and Turkey. A statement from the US Department of Homeland Security (DHS) said: "Evaluated intelligence indicates that terrorist groups continue to target commercial aviation, to include smuggling explosive devices in various consumer items". This physical terrorist threat to aviation is entirely separate from news reports suggesting a raised cyber terrorist threat against the civil nuclear sector. As highlighted in the recent NCSC/NCA Annual Report, the NCSC assesses that terrorist organisations currently have limited cyber capability. While they may aspire to cause a destructive cyber attack, this remains unlikely.

Malware Threat to ATMs

A fileless malware campaign that successfully targeted 140 organisations worldwide earlier this year has evolved. Criminals are now exploiting their remote access to banks' networks to drop additional malware called ATMitch, enabling them to issue remote commands to compromised ATMs to dispense cash. Banks in Russia and Kazakhstan have reportedly been victims of this malware.

Although we have previously seen cyber criminals use malware to steal cash from ATMs, their use of a bank's internal network to remotely deliver ATM malware is a new and more sophisticated form of attack. Also, the use of fileless malware allows criminals to delete malicious commands from the ATM's hard drive, removing all traces of an attack.

There have been no reported incidents of network-delivered ATM malware attacks against UK ATMs to date. The most common attacks seen against UK ATMs continue to be more traditional physical attacks, which criminals carry out to varying levels of success. For more information on the malware threat to UK ATMs, log in to the Cyber-security Information Sharing Partnership (CiSP) to view our recently published report. Please see details on how to become a member of CiSP.

Rise in compromised websites

According to a recent Google report, the number of websites that were hacked in 2016 was 32% higher than in 2015. Google assesses that this trend is unlikely to lose momentum "as hackers get more aggressive and more sites become outdated".

Although it is difficult to corroborate this statistic or clarify what proportion of the allegedly compromised websites were active, the threat to websites from cybercriminals has definitely risen over recent years, with ransomware and financial scams particularly strong incentives for them to compromise websites in order to facilitate cybercrime.

Google says this problem was compounded by the fact that 61% of webmasters whose websites were breached had not registered with Google's channel for communicating site health alerts, Search Console, and were therefore not notified by Google of the compromise.

The NCSC recommends that website owners follow NCSC guidance and regularly patch known vulnerabilities to reduce the risk of a compromise. We recommend that the public follow the malware prevention advice in 10 steps to cyber security to reduce the risk of being infected by malware from compromised websites; you may also find our guidance on designing digital services useful. Following the guidance can help prevent some of the most prevalent types of web attack currently being carried out.

Website owners may also find OWASP's Top 10 project, which represents a broad consensus about what the most critical web application security flaws are, useful.

Vulnerabilities

Reports came in this week of a WebDAV buffer overflow vulnerability affecting Microsoft's Internet Information Server (IIS). There are reports that this vulnerability is being actively exploited and, at the time of writing, Microsoft does not yet have a fix available. NIST's National Vulnerability Database (NVD) has details. Where there is still a need for on-premises installs, the NCSC recommends using the latest versions of software (Server 2016 in this case), as they are more secure by default. If we receive more information on this vulnerability we will update accordingly.

Apple released an update for their iOS mobile operating system to fix a bug that could allow remote code execution within Wi-Fi range of the device.

McAfee ePolicy Orchestrator fixed a flaw in the anti-malware engine that could allow local users to cause denial of service conditions. RSA Archer GRC Security Operations Management resolved an error where local users could view passwords. Django suffered from an input validation error that could lead to remote users conducting cross-site scripting and open redirect attacks.

Elsewhere this week there were updates from HPE Business Process Monitor, Asterisk, MantisBT, PHP, WebsiteBaker, the Linux Kernel and Splunk.

Debian specific updates this week were for Samba to fix a regression bug, Firebird2.5 and Tryton-server.

ICS updates this week included several from Schneider Electric (Wonderware, Modicon Interactive Graphical SCADA), Siemens RUGGEDCOM ROX I, Rockwell Automation Allen-Bradley Stratix and ArmorStratix, Miele, Marel Food Processing, LCDS, BD Kiestra and 3S-Smart.
