Viewing entries tagged
cyber security

Comment

NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www. thisisarealwebsite .org.com
  • Example 2: www. thisisarea|website .org.com

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect and sometimes operates to coincide with times where the device is not normally used, and thus remains undetected.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

Github consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FApassword managementmitigating the threat of malwareand identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as Lokibot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.


Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual pleaded guilty to the charges against her and was charged with carrying out fraud in ‘connection to computers’.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
 

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Service Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.

The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
 

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011 , the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.

Comment

.author-name { display: none; }

Comment

NCSC advice: Malicious software used to illegally mine cryptocurrency

Guidance for members of the public, website administrators and JavaScript developers in relation to the recently publicised cryptocurrency mining compromises of several websites 

The NCSC is aware of a compromise of the third-party JavaScript library ‘Browsealoud’ which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators, and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance below.

You can also read more about cryptomining in last week’s NCSC Threat Report (published 9 February 2018).
 

Advice for members of the public

  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer, reduced battery life, or visited the affected websites we recommend:
    • Closing the browser you visited the webpage on is likely enough to stop the mining;
    • Clearing the browser cache will remove all traces of the code. Guidance on how to do this is available here: http://www.refreshyourcache.com/en/home/
       

Advice for website administrators 

  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical to do, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.

In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:

  • SRI (Sub-Resource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the signature will no longer be valid and the script will not be loaded by users. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.

We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
 

Advice for third-party JavaScript developers

  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place for if a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have a static cryptographic hashes will enable customers to validate their integrity.
  •  

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 29th September 2017

Compromise of Deloitte

The Guardian this week reported that the global accountancy firm Deloitte had been hit by a cyber attack that has revealed client email addresses. The hackers may have also accessed usernames, passwords and personal details.

Deloitte provides auditing, tax consultancy and cyber security advice to some of the world’s biggest banks, multi-national companies, media enterprises, pharmaceutical firms and US government agencies. According to the Guardian, Deloitte clients across these sectors had material in the company email system that was breached. The breach was believed to be US-focussed, affecting well-known companies as well as US Government departments. The compromise was discovered in March this year, but it was reported that the attackers may have had access to Deloitte systems since October or November 2016.

According to the newspaper, the hacker compromised the firm’s Microsoft Azure Cloud global email server through an administrator’s account that, in theory, provided them with privileged, unrestricted access. The account required only a single password and did not have “two-step“ verification. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service which is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.

Deloitte has stated on its website that only very few clients were impacted and no disruption has occurred to client businesses, to Deloitte’s ability to serve clients, or to consumers. The NCSC statement confirmed that we had engaged with the organisation to better understand the threat and based on current information we understand there to have been minimal UK impact.

Using a single factor authentication system like a username and an easy-to-guess password combination has allowed criminals to gain access to a user's account. Simple passwords based on dictionaries or the same passwords used on other systems that may have been leaked can give cyber attackers easy access to IT systems. Gaining access to the administrator account is the ‘jackpot’ for an attacker and will provide an attacker with unrestricted access to all user accounts.

Two Factor Authentication (or 2FA) is an extra layer of security that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately to hand - such as a physical token, keyfob device, fingerprint, facial recognition or SMS confirmation via mobile phone.

A compromise would be highly unlikely if a complex password or 2FA had been implemented. See the NCSC’s Password Guidance.
 

Banks’ concerns about cloud cyber security

Investment bank Goldman Sachs has in recent days echoed concerns about the number of banks using the same small number of Cloud storage providers – pointing out that those users also include the UK financial regulatory bodies.

The bank’s Head of Technology for Europe, Middle East and Africa argues that the online platforms should be regulated from a resilience perspective, and describes a ‘concentration risk’. The concerns echo those voiced in January by the Bank of England Governor and the chair of the Financial Stability Board, who refer to the risk of a single point of failure if ‘banks come to rely on common hosts of online banking or providers of Cloud computing services’.

The use of an online network, or ‘Cloud’, increases the scale and flexibility of computing capacity, and aligns with the growing desire within the financial services industry for innovative technological business models and processes.

The Financial Stability Board (FSB) alerted the industry in June to the greater reliance on external providers of technology, and hence the potential risk of disruption, specifically citing the Cloud. The FSB highlighted the risks of financial institutions relying on the same third-party Cloud computing and data services providers, and cited other jurisdictions where, for example, guidelines had been issued for Cloud outsourcing, internet banking and technology risk management. Greater co-ordination within finance, and with non-finance partner organisations such as those with a remit for cyber security, was mooted.

Some of the growing concerns voiced within financial services about the Cloud are addressed by the NCSC’s Cloud Security Principles and advice.

 

Cryptocurrency mining by cyber criminals

Recent IBM reporting observes a sixfold increase in the use of specifically CPU-based cryptocurrency-mining malware since the beginning of 2017, a much faster rise than observed for cryptocurrency-mining malware more generally.

While there are many cryptocurrencies, with different characteristics, all rely on ‘miners’, who carry out large number of calculations to verify transactions. In exchange for contributing computing power, miners are rewarded with cryptocurrency.

Mining many currencies using a CPU has generally become economically unviable for legitimate users, as running costs outweigh their gains, so they now use graphics cards, or specially designed application-specific integrated circuits (ASICs). Running costs are no obstacle to cyber criminals, however, who can use botnets of compromised machines as miners without needing to worry about the electricity bills. Some newer currencies are also more feasible to mine using a CPU only.

In a related trend, an increasing number of website scripts are being observed which mine cryptocurrency inside a web browser. Such scripts can be used in clearly illegal ways when hidden within adverts (a form of malvertising), but some sites have also shown an interest in such scripts as a form of revenue production to replace or supplement online advertising. Torrenting site The Pirate Bay received significant press coverage when it was revealed to have adopted such scripts without the knowledge or consent of its users. There have also been reports of cyber criminals compromising popular websites and hiding mining scripts in their source code, allowing them to profit from their victim’s visitors.

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering methods rather than technical intrusion techniques. However, the individual was still able to trick the organisations into transferring over $100 million between 2013-2015, highlighting how cyber-enabled social engineering can be effectively used to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new, however it is increasingly common as a low cost, high return crime. Other variations on this attack include

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.

 

Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.
 

Vulnerabilities

Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal updated a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.

Comment

.author-name { display: none; }

Comment

Threat to Managed Service Providers

Threat to Managed Service Providers

A major cyber campaign against Managed Service providers has been detected that may present risks to organisations using outsourced IT services. 

Media references to terrorist cyber capability

There have been numerous reports on the recently imposed restrictions on electronic devices larger than a smartphone being allowed in cabin baggage on flights from certain countries in the Middle East, North Africa and Turkey. A statement from the US Department of Homeland Security (DHS) said: "Evaluated intelligence indicates that terrorist groups continue to target commercial aviation, to include smuggling explosive devices in various consumer items". This physical terrorist threat to aviation is entirely separate from news reports suggesting a raised cyber terrorist threat against the civil nuclear sector. As highlighted in the recent NCSC/NCA Annual Report, the NCSC assesses that terrorist organisations currently have limited cyber capability. While they may aspire to cause a destructive cyber attack, this remains unlikely.

Malware Threat to ATMs

A fileless malware campaign that successfully targeted 140 organisations worldwide earlier this year has evolved. Criminals are now exploiting their remote access to banks' networks to drop additional malware called ATMitch, enabling them to issue remote commands to compromised ATMs to dispense cash. Banks in Russia and Kazakhstan have reportedly been victims of this malware.

Although we have previously seen cyber-criminals use malware to steal cash from ATMs, their use of a banks' internal network to remotely deliver ATM malware is a new and more sophisticated form of attack. Also, the use of fileless malware allows criminals to delete malicious commands from the ATM's hard drive, removing all traces of an attack.

There have been no reported incidents of network-delivered ATM malware attacks against UK ATMs to date. The most common attacks seen against UK ATMs continue to be more traditional physical attacks, which criminals carry out to varying levels of success. For more information on the malware threat to UK ATMs, log in to the Cyber-security Information Sharing Partnership (CiSP) to view our recently published report. Please see details on how to become a member of CiSP.

Rise in compromised websites

According to a recent Google report, the number of websites that were hacked in 2016 was 32% higher than in 2015. Google assess this trend is unlikely to lose momentum "as hackers get more aggressive and more sites become outdated".

Although it is difficult to corroborate this statistic or clarify what proportion of the allegedly compromised websites were active, the threat to websites from cybercriminals has definitely risen over recent years, with ransomware and financial scams particularly strong incentives for them to compromise websites in order to facilitate cybercrime.

Google say this problem was compounded by the fact that 61% of webmasters, whose websites were breached had not registered with Google's channel for communicating site health alerts, Search Console, and were therefore not notified by Google of the compromise.

The NCSC recommend that website owners follow NCSC guidance and regularly patch known vulnerabilities to reduce the risk of a compromise. We recommend that the public follow the malware prevention advice in 10 steps to cyber security to reduce the risk of being infected by malware from infected websites, and you may also find our guidance on designing digital services useful. Following the guidance can help prevent some of the most prevalent types of web attacks that are being carried out currently.

Website owners may also find OWASP's Top 10 project, which represents a broad consensus about what the most critical web application security flaws are, useful.

Vulnerabilities

Reports came in this week of a WebDAV buffer overflow vulnerability affecting Microsoft's Internet Information Server (IIS). There are reports that this vulnerability is being actively exploited and at the time of writing Microsoft do not yet have a fix available. NIST's National Vulnerability Database (NVD) has details. NCSC recommends where there is still a need for on premises installs, that people use the latest versions of software (Server 2016 in this case) as it more secure by default. If we receive more information on this vulnerability we will update accordingly.

Apple released an update for their iOS mobile operating system to fix a bug that could allow remote code execution within Wi-Fi range of the device.

McAfee ePolicy Orchestrator fixed a flaw in the anti-malware engine that could allow local users to cause denial of service conditions. RSA Archer GRC Security Operations Management resolved an error where local users could view passwords. Django suffered from an input validation error that could lead to remote users conducting cross-site scripting and open redirect attacks.

Elsewhere this week there were updates from HPE Business Process Monitor, Asterisk, MantisBT, PHP, WebsiteBaker, the Linux Kernel and Splunk.

Debian specific updates this week were for Samba to fix a regression bug, Firebird2.5 and Tryton-server.

ICS updates this week included several from Schneider Electric (Wonderware, Modicon Interactive Graphical SCADA), Siemens RUGGEDCON ROX I, Rockwell Automation Allen-Bradley Stratix Allen-Bradley ArmorStratix, Miele, Marel Food Processing, LCDS, BD Kiestra and 3S-Smart.

Comment

.author-name { display: none; }

Comment

NCSC- Weekly Threat Report 17th February 2017

Official Launch of the National Cyber Security Centre

February 14th marked the official launch of the National Cyber Security Centre (NCSC) HQ by Her Majesty the Queen. The Centre will work to make the UK the safest place to live and do business online.

In acknowledgement that Government alone cannot protect the public from cyber attacks, the Chancellor announced the launch of the Industry 100 initiative. Industry 100 will see the center invite expertise from industry to collaborate with the NCSC in achieving its mandate of enhancing the cyber security of the UK.

A reflection on the diversification of cyber crime

The nature of the cyber-criminal threat to the UK is diversifying: highly skilled actors are becoming increasingly competent and targeted in their attacks, while the barriers to entry for less-skilled actors are lowering.

At the high capability end of the spectrum, banking Trojans are reportedly becoming increasingly targeted, with a focus on financial institutions which offer larger relative rewards than end-user customers. Meanwhile, ransom-ware attacks are said to be specifically targeting those organisations perceived as being more likely to pay due to their timely requirement to access sometimes time-critical data.

At the other end of the skill spectrum, individuals with minimal cyber capability can carry out nefarious activities online using Crimeware-as-a-Service tools. DDoS attacks, email compromises, criminal infrastructure and more can be bought or rented at minimal cost. Notably, sites now offer live chats with support agents, and collect marketing information to better understand their customers. This trend risks further normalizing low level cyber crime.

The diversification of the cyber-crime threat poses challenges for law enforcement and security professionals, who will face highly skilled, targeted threats. Simultaneously, resources are increasingly consumed by low-skilled attackers using services offered by more competent actors. Detailed analysis of this changing cyber-criminal landscape will be published in NCSC Assessment's Annual Report.

Warning of cyber threat from building owners

The US Government Accountability Office (GAO) has warned of the potential threat of cyber intrusions from foreign owners of office buildings. Numerous properties occupied by US law enforcement agencies are owned by firms domiciled abroad, including in China, Israel, South Korea and Japan. Some of the buildings are used for sensitive activities including managing classified operations, hosting data centres and storing high-security material. Most of the agencies were unaware that their buildings were foreign-owned.

The GAO's report highlights concerns from the Department of Homeland Security that "threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property." This could potentially include exploiting building infrastructure to facilitate cyber intrusions. The GAO recommends that US government agencies should be informed if their buildings are foreign-owned, so that appropriate security measures can be implemented, where necessary.

While the report focuses on the threat to official bodies, the concerns it raises may also apply to commercial organisations dealing with corporate-sensitive information. Although there are no reported instances so far of such intrusions taking place in the US or UK, this issue highlights the need for precautions regarding landowners' access to buildings hosting sensitive activities.

Weaponised Macros targeting Mac users

Security researchers have reportedly identified the emergence of Microsoft Word documents containing malware-infected macros for installing malicious software on macOS devices.

This technique has been used for some time to infect Windows users with malware. However, it is the first reported in-the-wild instance for Word documents containing malicious macros that execute solely on macOS. When users attempt to open the attachment, they are prompted to enable macros. If macros are enabled the malware executes its payload.

Although not a particularly sophisticated attack technique, this methodology has been successful in delivering ransomware and banking Trojans to Windows users worldwide. It looks like Microsoft Word users on MacOS may also now be victim to such attacks. This is a timely reminder that cyber criminals are regularly looking to enhance their pool of potential victims; regardless of software and hardware, users must be vigilant of the risks.

Watering hole attacks infected a larger pool of victims than first thought

Last week it was reported that the Polish financial sector had been the victim of a malware attack, where the attackers used the web server of the Polish financial regulator as a watering hole. Further investigation has revealed that the attackers intended to target over 100 organisations, mainly banks, in 31 different countries, including the UK.

Vulnerabilities Report

A number of cross-platform updates this week, with a predominant focus on Linux ad Unix-based systems. Microsoft held back their Patch Tuesday release cycle due to last minute complications. The most publicized vulnerability this week concerned F5’s BIG-IP and the ‘TicketBleed’ vulnerability. Adobe released updates for Flash Player and Digital Editions to fix remote code execution vulnerabilities. Elsewhere this week there were updates to BIND, Cisco AnyConnect and Cisco ASA, IBM WebSphere, HPE NonStop Server, Xen and Google’s Android.

Comment

.author-name { display: none; }
NCSC - Weekly Threat Report 20th January 2017

NCSC - Weekly Threat Report 20th January 2017

This report is drawn from recent open source reporting.

Password security

In November 2016, a study of user passwords exposed by a Yahoo data breach revealed that "123456" was the most common password, followed closely by "password" at number two. A more recent report on the most commonly used passwords revealed that "123456" was still number one, followed by the 'more complex' "123456789".

These reports highlight ongoing problems associated with conventional password policies, which tend to promote the use of complicated passwords that are harder for attackers to discover, but which also place greater burdens on users. This approach may therefore be counterproductive, leading users to opt for simple password strategies, which will also be easy for attackers to guess or brute force. In many cases, imposing technical controls such as blacklisting the most common passwords is a far more effective measure.

Mobile forensics company hacked

The Israeli mobile forensics company, Cellebrite, reports that it has become the latest in a long line of companies to have its data hacked and published online. Cellebrite is a major supplier of forensic tools to law enforcement and other security organisations worldwide. Cellebrite states that it experienced 'unauthorised access to an external web server' and that it is known the information accessed includes 'basic contact information' and 'hashed passwords'. The company advises users to change their passwords as a precaution.

The company's investigation is ongoing. Without commenting on the specifics of this case, the compromise highlights the broader issue that companies must ensure that they protect themselves and customers in a way commensurate to the threat that they face and the sensitivity of the data that they hold. Reporting data breaches is to be strongly encouraged, enabling those affected to take appropriate action, such as changing passwords.

.author-name { display: none; }