NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www. thisisarealwebsite .org.com
  • Example 2: www. thisisarea|website .org.com

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.
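The inspection the report recommends can be partly automated. This added example (not NCSC code) flags hostnames that contain characters outside the normal hostname set, any non-ASCII character with its Unicode name, and mixtures of writing systems; the links are constructed in the style of the two examples above and are not real sites.

```python
import unicodedata

# Constructed links modelled on the report's two examples (not real sites): the second
# and third swap the 'l' in "real" for a look-alike character.
SAMPLE_LINKS = [
    "http://www.thisisarealwebsite.org.com/",
    "http://www.thisisarea|website.org.com/",        # ASCII vertical bar standing in for 'l'
    "http://www.thisisarea\u0406website.org.com/",   # U+0406 Cyrillic capital 'I' standing in for 'l'
]

# Characters a registrable hostname is normally made of (letters are compared lower-cased).
HOSTNAME_ASCII = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def host_of(url):
    """Pull the host out of a URL without normalising it; the raw characters are the point."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]


def script_of(ch):
    """Heuristic script of a letter: the first word of its Unicode name (LATIN, CYRILLIC, ...)."""
    if unicodedata.category(ch)[0] != "L":
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_host(url):
    """Return a list of findings for the host in url; an empty list means nothing looked off."""
    host = host_of(url)
    findings = []
    scripts = set()
    for pos, ch in enumerate(host):
        if ch.isascii():
            if ch.lower() not in HOSTNAME_ASCII:
                findings.append(f"pos {pos}: {ch!r} is not a valid hostname character")
        else:
            name = unicodedata.name(ch, "UNNAMED")
            folded = unicodedata.normalize("NFKC", ch)
            # Some look-alikes are compatibility forms of an ASCII letter; say so when they are.
            note = f" (normalises to {folded!r})" if folded.isascii() else ""
            findings.append(f"pos {pos}: non-ASCII {ch!r} {name}{note}")
        script = script_of(ch)
        if script:
            scripts.add(script)
    if len(scripts) > 1:
        findings.append(f"mixed scripts in hostname: {sorted(scripts)}")
    return findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", inspect_host(link) or "looks clean")
```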

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect; some variants run only at times when the device is not normally in use, so that the activity goes unnoticed.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its GitHub account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

GitHub consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FA, password management, mitigating the threat of malware and identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as LokiBot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features, such as the use of two factor authentication (2FA) for online accounts, significantly reduce the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.


NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.


Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual was charged with carrying out fraud ‘in connection to computers’ and pleaded guilty to the charges against her.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
 

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Services Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.

The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.
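The two exposure routes named above, a public ACL grant and a bucket policy open to any principal, can be checked from the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. This added example (not NCSC or AWS code) runs that check over constructed ACL and policy documents; the owner ID, account number and bucket name are placeholders.

```python
import json

# The two predefined S3 groups whose presence in an ACL makes a bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Constructed ACLs: the default (owner only) and the same bucket opened to the world.
PRIVATE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
    ],
}
EXPOSED_ACL = {
    "Owner": PRIVATE_ACL["Owner"],
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed bucket policy: the first statement lets anyone read every object.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def public_acl_grants(acl):
    """Return (group, permission) pairs that grant access to everyone or to any AWS account."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits


def is_wildcard_principal(principal):
    """True for the forms "*", {"AWS": "*"} and {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_json):
    """Return Allow statements open to any principal. A Condition block narrows such a
    statement but does not clear it: it still needs a person to judge whether it is enough."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a policy may hold a single statement object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]


def bucket_is_public(acl, policy_json=None):
    """Combine both checks: either route on its own is enough to expose the data."""
    return bool(public_acl_grants(acl)) or bool(policy_json and public_policy_statements(policy_json))


if __name__ == "__main__":
    print("private bucket public?", bucket_is_public(PRIVATE_ACL))
    print("exposed bucket public?", bucket_is_public(EXPOSED_ACL, EXPOSED_POLICY))
    for sid in (s["Sid"] for s in public_policy_statements(EXPOSED_POLICY)):
        print("open statement:", sid)
```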

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
 

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011, the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.


NCSC advice: Malicious software used to illegally mine cryptocurrency

Guidance for members of the public, website administrators and JavaScript developers in relation to the recently publicised cryptocurrency mining compromises of several websites 

The NCSC is aware of a compromise of the third-party JavaScript library ‘Browsealoud’ which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers. No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency. These operations may have affected the performance and battery life of the devices visiting the site.

Browsealoud was taken offline shortly after the compromise, mitigating the issue. However, website administrators, and other JavaScript library developers may wish to take further steps to prevent future compromise by following the guidance below.

You can also read more about cryptomining in last week’s NCSC Threat Report (published 9 February 2018).
 

Advice for members of the public

  • The cryptojacking harnessed people’s computers to help ‘mine’ for cryptocurrency. This involves using your device to perform computations and does not take any money from you or your accounts.
  • The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power.
  • If you have experienced unusually slow performance from your computer, reduced battery life, or visited the affected websites we recommend:
    • Closing the browser you visited the webpage on is likely enough to stop the mining;
    • Clearing the browser cache will remove all traces of the code. Guidance on how to do this is available here: http://www.refreshyourcache.com/en/home/
       

Advice for website administrators 

  • Make a risk-based decision on including third-party JavaScript in your site. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.
  • If practical to do, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.

In certain cases, some technical measures can also help prevent inclusion of compromised third-party resources:

  • SRI (Subresource Integrity) allows the browser to check a cryptographic hash of the script to ensure that your users are running the unaltered version. However, SRI will only work if the script is relatively static. If it changes regularly, the hash will no longer match and the script will not be loaded by users. Also, browser support for SRI is not universal.
  • CSP (Content Security Policy) allows you to whitelist locations where scripts can be loaded from. Several independent researchers have written that having a well-defined CSP in place would have blocked this attack.

We recommend putting the above mitigating measures in place where practical, and while we recognise these will not necessarily protect end users in all cases they will reduce the chances of your website being compromised.
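To make the two measures concrete, this added example (not NCSC's or Browsealoud's code) computes the SRI value for a pinned library version, performs the same hash comparison a browser makes (so an altered copy is rejected), and checks whether a simplified CSP allow-list permits a script origin. The script body and domains are constructed placeholders.

```python
import base64
import binascii
import hashlib

# Constructed stand-in for a hosted third-party library, and an altered copy of it.
ORIGINAL_JS = b"window.speechLib = { version: '1.0', init: function () {} };\n"
TAMPERED_JS = ORIGINAL_JS + b"/* an extra loader appended by an attacker would go here */\n"
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed policy: scripts may come only from the page itself and one named library host.
SITE_CSP = "default-src 'self'; script-src 'self' https://library.example.invalid"


def sri_hash(body, algo="sha384"):
    """Compute the value for a <script integrity="..."> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body):
    """Emit the tag a site operator pins to one published, static version of a library."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def integrity_matches(body, integrity):
    """The check a browser makes before running a fetched script: any listed hash may match."""
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo not in SRI_ALGORITHMS:
            continue  # unknown algorithms are ignored, as the SRI spec requires
        try:
            wanted = base64.b64decode(expected, validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed token, cannot match
        if hashlib.new(algo, body).digest() == wanted:
            return True
    return False


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_allows_script(header, page_origin, script_origin):
    """Simplified CSP check: 'self' and exact host-source matches only (no wildcards, nonces or hashes)."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    for source in sources:
        if source == "'self'" and script_origin == page_origin:
            return True
        if source.lower() == script_origin.lower():
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_JS)
    print(script_tag("https://library.example.invalid/lib-1.0.js", ORIGINAL_JS))
    print("original accepted:", integrity_matches(ORIGINAL_JS, pinned))
    print("tampered accepted:", integrity_matches(TAMPERED_JS, pinned))
    print("miner host allowed by CSP:",
          csp_allows_script(SITE_CSP, "https://www.example.invalid", "https://miner.example.invalid"))
```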
 

Advice for third-party JavaScript developers

  • Implement robust change control for your code, including monitoring your codebase for unauthorised modifications, reviewing code contributions, and having a rapid takedown process in place for if a compromise is detected.
  • Where you offer hosted versions of your library, ensure that you have robust access control and logging in place for making changes to the library.
  • Consider supporting customers who wish to use Subresource Integrity (SRI). For example, providing numbered versions of libraries which remain static, and so have a static cryptographic hash, will enable customers to validate their integrity.


NCSC - Weekly Threat Report 03 November 2017

Fake speeding notices deliver malware

Police forces around the UK are warning motorists not to be taken in by a phishing email falsely informing them that they need to pay a speeding fine. The realistic-looking email, entitled ‘Notice of Prosecution’, claims to have ‘photographic’ evidence, but clicking on the associated link will upload banking malware to the victim’s device.

The email appears official, with the logos of either the local police force or ‘gov.uk’, but there are several features that indicate that it is fake. Spelling and grammatical errors are fairly obvious, but the speed at which the vehicle was allegedly caught is unrealistic, e.g. travelling at 89mph in an area with a 25mph speed limit.  Phishing emails rely on several factors to be successful, including evading spam filters, the appearance of credibility, and being able to make the recipient take action immediately.

The police have advised that any ‘Notice of Prosecution’ would be posted to the vehicle owner’s address and never sent in an email. They also advised people to delete the email without clicking on any links.


Code-signing certificates worth more than guns on the Dark Web

An investigation by a company specialising in identity protection solutions, into the sale of code-signing certificates on the Dark Web suggests they are selling for up to $1,200, making them more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun. This relatively high price presumably reflects customer demand.

This is not the first time that security researchers have highlighted the issue of stolen or fraudulently obtained code-signing certificates. Since at least 2011, they have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed.

Over the years, attackers have managed to sign their malicious executables with certificates obtained by a variety of methods – reportedly stealing them from technology companies (including some well-known names), penetrating the networks of companies and using their signing facilities, or applying for certificates in the names of fake companies or real companies who have no need for them. As far back as 2010, the destructive worm Stuxnet included components that were signed with stolen certificates. More recently, the cyber actors who corrupted an update of clean-up tool CCleaner managed to get the update signed.

Amongst other things, this highlights the fact that, when attackers do manage to penetrate a network, they will often seek out things that facilitate further intrusions – like passwords (not only password caches, but sometimes also emails containing passwords or access codes), cookies, digital certificates and keys. System administrators should make sure they know where these are located.


The Dark Overlord – Systematic cyber-enabled extortion

A cyber crime group called ‘The Dark Overlord’ has claimed responsibility for conducting cyber-enabled extortion campaigns in recent weeks. Victims include a London-based plastic surgery clinic and a Hollywood production studio, both of which are believed to have a number of high-profile clients. The group has a history of hacking organisations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain. They leak snippets of data to the media to encourage them to report on their activity. This is aimed at “proving” that a breach has taken place, and increases the pressure on the victim to pay the ransom. ‘The Dark Overlord’ has been responsible for indiscriminately targeting health institutions, schools and media production companies over the last year.

Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted, and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public.  Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximise impact. This may inspire other cyber extortionists to adopt a similar methodology, especially as new opportunities present themselves due to an increasing amount of sensitive data being stored online. Any data breach and the associated media exposure may cause significant reputational damage and loss of business.


NCSC - Weekly Threat Report 20th October 2017

KRACK – a fundamental flaw in Wi-Fi security

Security researchers from Belgium have found that the majority of Wi-Fi connections are potentially vulnerable to exploitation because of a fundamental weakness in the wireless security protocol – WPA2. The exploit is called “KRACK”, which is short for Key Reinstallation Attack. Reports suggest that at most risk are Linux operating systems, Internet of Things (IoT) devices and 41% of Android devices. However, many of these, especially IoT devices, may never get patched.

For further detail on this flaw, please see our KRACK guidance and the latest blog.
 

Swedish transport networks hit by DDoS attacks

Media reported last week that trains were delayed in Sweden after the transport sector was successfully targeted by a series of DDoS attacks. On 11 October, two communication service providers serving the Swedish Transport Administration (Trafikverket) were hit by a DDoS attack, reportedly causing Trafikverket’s train management system to go down for several hours. Consequently, manual procedures had to be used to handle rail traffic, resulting in delays for the rest of the day. The company also had to resort to using Facebook to keep customers updated as its email system and website were also unavailable. The following day, DDoS attacks targeted the Swedish Transport Agency (Transportstyrelsen) and a public transport operator serving Western Sweden (Västtrafik). The impact of these attacks was less severe, briefly affecting web services including ticket booking.

Some media reports speculate that a state-linked actor may have been responsible, however investigations into the incidents continue. Overall, the case highlights how transport firms can be impacted by attacks on third party service providers (in this case, Trafikverket’s communication service providers).


Cyber-enabled intimidation of NATO personnel in Baltics

According to open source reporting, advanced surveillance techniques (possibly including drone monitoring and/or IMSI grabbing) are being used to pull data from personal smartphones of NATO personnel despite warnings not to use them following previous incidents.  There are accounts of personnel then being approached in public by individuals who convey details pulled from smartphones – in one example details about the personnel’s family.

This is not the first time NATO personnel operating in Europe have reported call interference or unusual behaviour by their mobile phones. Mobile devices operating over the public telephone system are susceptible to exploitation including interception of communications or tracking of the user. The capability to mount operations against personal electronic devices, including the use of rogue cell towers is within technical and financial reach of well-resourced threat actors. However, the more recent reporting is different as exploitation of devices has been followed up by personal approaches.

It is almost certain that personal mobile devices will increasingly become targets for a wide range of threat actors due to the amounts of personal information they hold, which is useful for espionage, targeting and criminal purposes. Personal mobiles are susceptible to a range of compromise vectors and have widely varying levels of cyber hygiene. This threat could expand beyond NATO personnel to businesses operating in the region or individuals traversing these areas on business or personal trips.


NCSC - Weekly threat report 7th July 2017

Scams follow widely reported attempt to compromise parliamentary email accounts

Following reported attempts by hackers to compromise parliamentary email accounts in June, scammers have recently attempted to gain information by cold-calling (or vishing) MPs and their staff. Posing as staff from the Houses of Parliament’s IT department, the scammers have reportedly been requesting the usernames and passwords of MPs. Vishing, like its online equivalent, phishing, attempts to elicit sensitive information, such as passwords, or encourage victims to visit particular (invariably malicious) websites.

Scammers try to capitalise on heightened public awareness of particular issues. Such social engineering techniques often increase in prevalence following a high-profile incident. For example, following the WannaCry ransomware incident, there were several reported scams, including fake fixes for the malware, and malicious ‘tech support’ services. Phone calls can form part of a blended social engineering campaign, along with emails or social media contact. It is likely that scams such as these will continue to follow widely reported events.


NCSC - Weekly Threat Report 23rd June 2017

This report is drawn from recent open source reporting.

Fake airline websites distributed by social media

Scammers are using the brands of major global airlines to lure users to fake websites and then encourage them to share links to the sites with friends. When a user clicks through to the sites they are prompted to answer a few simple questions and provide personal information to get free flights. Once they give away their name, email, phone, date of birth and address they are then told they will receive the flights, only once they ‘like’ and share the page on Facebook, spreading the fake sites to new victims.

According to threat researchers, cyber criminals were observed registering 95 fake websites in late March using the brands of 19 major airlines, including ones based in the UK.  The personal details provided by the victims are used for fraudulent marketing purposes, namely to drive traffic to websites that provide online promotions and monetisation of web and mobile applications. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize draws etc.) to attract public attention.

In the run up to the summer holidays, this cyber-enabled fraud may lead to lost custom and reputational damage for the airlines. The use of social media to distribute fake websites is likely to continue to increase. It is not limited to airlines and could affect any well-known brand.  There also remains a risk that malicious actors could modify the scheme and use such sites to distribute malware to victims. For guidance see the NCSC’s 10 Steps: Malware Prevention.


NCSC - Weekly Threat Report 16th June 2017

 

Mouseover malware masquerading in Powerpoint files

According to media reports, a new method of delivering malware has surfaced. 'Zusy' malware, according to IT company ExtremeTech, is a banking trojan whose intention is to steal credentials. The reports suggest that simply hovering your mouse over a link will lead to infection without requiring you to click on anything. However, several stages are required to successfully infect a user.

What is interesting about this malware is that the initial infection vector does not rely on Macros or JavaScript to execute its malicious code. Instead, the malware developer has focused on abusing certain features in Microsoft PowerPoint to download and deploy the banking trojan.

This malware is initially delivered to users through phishing as an email attachment. Firstly the user needs to click on and open an attachment which displays a PowerPoint slide in slide show mode. A segment of text or a picture on the PowerPoint slide will have a clickable hyperlink. The most common message seen at this time is 'Loading...Please wait'. The 'mouseover' malware will only initiate if the user directs their cursor over the text or picture. A command is then executed which attempts to run an external program such as a PowerShell script. At this point Microsoft's security feature, Protected View, which is enabled by default, will display a warning notice allowing the user to disable the program. If the program is not disabled, it will create a backdoor giving the attacker full access to the victim machine. Users running PowerPoint versions older than 2010 are particularly vulnerable to this type of attack because when they hover over the link the preview window will open automatically without giving them the option to disable the malicious program.

Historically malware infections occur when the victim clicks on a suspicious link and general guidance has always advised users to hover over links to check file formats for suspicious executables. Users should continue to remain aware and be vigilant when receiving email attachments.

Although this development is not as alarming as it may first appear, the NCSC assesses that we may see a more sophisticated version of this attack vector in the future. The NCSC recommends that users follow NCSC malware guidance which includes regularly updating antivirus software to reduce the risk of being infected.

Enterprises that implement Application whitelisting approaches as described in the NCSC Windows EUD Security Guidance will also mitigate current variants of this threat by preventing the malicious scripts and programs downloaded by the malware from running.

 

Industrial Control Systems malware (Industroyer/CrashOverride)

The NCSC is aware of open source reporting providing details of malware dubbed as 'Industroyer' or 'CrashOverride', which is reported to be connected with the December 2016 power outages in Ukraine.

Previous media reporting suggests that during this incident, cyber attackers compromised parts of the Ukrainian electricity transmission network, resulting in the loss of electricity supply to customers for approximately one hour.

The NCSC have published on CiSP details of mitigation strategies to secure networks against these attacks. US-CERT have also published analysis and indicators of compromise.


NCSC - Weekly Threat Report 9th June 2017

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting.  Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling. That is, when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity it could be used to harvest sensitive data, such as financial credentials, medical records, or corporate business plans for example. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have been impacted.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach where sensitive customer data in its US region may have been compromised. OneLogin primarily provides Single Sign On (SSO) and identity management services for corporate customers using cloud based applications. It is not yet clear how the unauthorised access happened nor the impact, but it is suspected that a threat actor obtained access to Amazon Web Services (AWS) keys and used them to gain access to the AWS Application Programming Interface (API) via another smaller provider in the US. The actor was then able to access database tables containing information about users, apps and various types of keys. This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted.  Although, like password managers, they are increasingly considered to be a better way of managing accesses, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, a family first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows systems. Qakbot is used to target the online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry, but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute-force login details it can trigger mass Active Directory account lockouts, because the domain's lockout policy treats its repeated failed logons like any other. Some organisations have had thousands of users locked out of corporate systems as a result.

According to researchers, the Qakbot code has been completely rewritten and is more advanced and effective. It is harder to detect because the code is obfuscated and its file structure and signatures change constantly.

We assess it likely that other malware campaigns will adopt these antivirus-evasion techniques. Users should stay on their guard against suspicious emails and activity, and keep their systems up to date to help prevent infection.
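As an added illustration of the lockout symptom described above (example code written for this page, not anything from the researchers or the NCSC): Windows domain controllers record each lockout as Security event 4740, which names the locked account and the "Caller Computer Name" whose failed logons caused it. A worm brute-forcing credentials from one infected host therefore shows up as many distinct accounts locked out by the same caller within a few minutes, which is what this sliding-window check looks for. The log lines are constructed to resemble such events flattened to one line each; the line format, field names and the five-account threshold are assumptions.

```python
"""Spot a lockout storm: many distinct accounts locked out, all traced back to one
caller computer within a short window.

Added example, not NCSC or vendor code.  SAMPLE_LOG is constructed, loosely
following Windows Security event 4740 (A user account was locked out) flattened
to key=value pairs; the format and thresholds are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry).  WS-0412 is the infected host:
# it locks out six different accounts in two minutes.  WS-0910 locks the same
# account out twice (a user mistyping), and WS-0033 locks out one account.
SAMPLE_LOG = """\
2017-06-01T09:00:05 EventID=4740 TargetUserName=alice CallerComputerName=WS-0412
2017-06-01T09:00:09 EventID=4740 TargetUserName=bob CallerComputerName=WS-0412
2017-06-01T09:00:14 EventID=4740 TargetUserName=carol CallerComputerName=WS-0412
2017-06-01T09:00:30 EventID=4740 TargetUserName=helpdesk CallerComputerName=WS-0910
2017-06-01T09:00:41 EventID=4625 TargetUserName=dave CallerComputerName=WS-0412
2017-06-01T09:01:02 EventID=4740 TargetUserName=dave CallerComputerName=WS-0412
2017-06-01T09:01:15 EventID=4740 TargetUserName=erin CallerComputerName=WS-0412
2017-06-01T09:01:40 EventID=4740 TargetUserName=helpdesk CallerComputerName=WS-0910
2017-06-01T09:02:07 EventID=4740 TargetUserName=frank CallerComputerName=WS-0412
2017-06-01T09:45:00 EventID=4740 TargetUserName=gina CallerComputerName=WS-0033
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"CallerComputerName=(?P<caller>\S+)$"
)


def parse_lockouts(text):
    """Yield (timestamp, account, caller) for each event 4740 line; other events
    (such as plain failed logons, 4625) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["id"] != "4740":
            continue
        yield datetime.fromisoformat(m["ts"]), m["user"], m["caller"]


def lockout_storms(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {caller: accounts} for every caller computer that locked out at
    least `min_accounts` distinct accounts inside some window of `window` length.
    The reported set is the largest such window for that caller."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))

    storms = {}
    for caller, hits in by_caller.items():
        hits.sort()                       # oldest first
        best, start = set(), 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            storms[caller] = best
    return storms


if __name__ == "__main__":
    for caller, accounts in lockout_storms(parse_lockouts(SAMPLE_LOG)).items():
        print(f"lockout storm from {caller}: {sorted(accounts)}")
```

Counting distinct accounts per caller, rather than raw lockout events, is what separates a spreading worm from a single user who keeps mistyping a password; the threshold and window should be tuned against the domain's normal lockout rate before alerting on it.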

Vulnerabilities

This week's summary starts with Google, which fixed multiple flaws in both Chrome and Android that could lead to URL spoofing, disclosure of sensitive information and remote code execution.

Cisco released updates for a number of different products (TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management Appliance and 8800 Series IP phones) to address cross-site scripting, bugs that cause the target to crash, and flaws that allow unauthorised access or remote code execution.

IBM released updates for its Security Access Manager Appliance, Spectrum Protect (formerly IBM Tivoli Storage Manager) and Domino TLS server to prevent elevation of privilege, viewing of passwords, disclosure of sensitive information and theft of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian-specific updates this week came from perl, nss and zookeeper.

ICS-specific updates were released for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.

NCSC - Weekly Threat Report 26th May 2017

This report is drawn from recent open source reporting.

Russian government reaction to cyber criminals

This week Russia revealed it had arrested a cyber crime gang in November last year for a campaign that raised nearly USD 900,000. The gang was nicknamed 'Cron' after the malware it used, which infected over a million Android mobile devices belonging to Russian bank customers. Users unwittingly downloaded the malware via fake mobile banking, pornography and e-commerce apps. The 'Cron' gang exploited a Russian bank service which allows users to move small amounts of money to other accounts by sending an SMS message: the criminals sent SMS messages from infected devices instructing banks to transfer funds to their own accounts. According to Group-IB, the Russian cyber security company that worked with Russian law enforcement on the investigation, the 'Cron' gang were planning to rent a further piece of malware adapted to target banks in France, Germany, the UK and the US, amongst other unnamed countries.

Fake applications that impersonate a brand or organisation are not new. Installing apps only from legitimate sources, such as the official app stores, reduces the risk of acquiring bogus applications.


Fake malware fixes

WannaCry ransomware may not have generated the wealth the scammers responsible were hoping for, but since the attack, enterprising criminals have been attempting to cash in on the heightened public awareness of WannaCry. Targeting concerned users, scammers have been offering a range of fake 'fixes' and 'support services'.

This type of social engineering is a common methodology for cybercriminals. Whether viral social media posts, malicious pop-ups or well-crafted phishing campaigns, high profile events such as the WannaCry attack offer cyber criminals a hook to spread malware or to solicit funds.

It is not only online incidents that criminals seek to take advantage of. Following news of high profile disasters such as Hurricane Katrina in 2005, the 2014 Ebola outbreak and the 2015 Nepal earthquake, scammers set up fake charity websites and sent phishing emails in attempts to steal funds donated to the victims.

Recent examples of scams piggybacking on the WannaCry incident include:

  • Alerts circulating on social media directing users to fake WannaCry patches which deliver malware;
  • A phishing email posing as a BT customer service email which informs the user they are locked out of their BT account and directs them to a malicious link to obtain a ‘security upgrade’ to re-establish full access;
  • Third party app stores offering ‘patches’ for mobile users - despite the fact no mobile operating systems are believed to be vulnerable to WannaCry.

The recent UK Action Fraud alert has more information on specific fraud attempts.

The NCSC guidance page has further information on how to protect against phishing attempts as well as our recent blog on social engineering.


Europol arrest 27 individuals involved in black box ATM attacks

An international law enforcement effort has resulted in the arrest of 27 individuals in connection with a string of successful black box attacks against ATMs across Europe. These attacks are thought to have generated up to EUR 0.5 million for the criminals responsible. Black box attacks are cyber-enabled and involve physically penetrating an ATM's casing to obtain access to exposed cables and ports. A laptop can then be connected and used to issue instructions to the ATM to cash out its bank notes. These attacks are less sophisticated and more common than cyber-dependent attacks that deploy malware to ATMs remotely, over a financial institution's network. For more information on the cyber threat to UK ATMs, please see our recent assessment on CiSP.

NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering methods rather than technical intrusion techniques. Nevertheless, the individual was able to trick the organisations into transferring over $100 million between 2013 and 2015, highlighting how cyber-enabled social engineering can be used effectively to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new; however, it is increasingly common as a low cost, high return crime. Other variations on this attack include:

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.

 

Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.
 

Vulnerabilities

Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal fixed a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.

NCSC - Weekly Threat Report 28th April 2017

This report is drawn from recent open source reporting

Increase in Homographic Phishing Attacks

Recent media reporting highlights a threefold increase in homographic phishing attacks over the past fourteen months.

Homographic attacks have been widely known about for many years. They rely on the visual similarity between many different Unicode characters to spoof well-known web addresses using lookalike internationalised domain names, which are registered in their ASCII Punycode form and displayed by browsers in their Unicode form. For example, by registering the Unicode domain "www.xn--googl-z8a.com" an attacker would control a web address which browsers render as "www.googlė.com", almost indistinguishable from the real thing.

Moreover, researchers have recently demonstrated that, in some browsers, such a domain can be made to render as if it consisted entirely of ordinary ASCII letters. Browsers typically refuse to display a label that mixes scripts, showing the raw Punycode instead; but by choosing every letter from a single non-Latin script that happens to have a lookalike for each character needed, an attacker can register a domain that passes that check and looks identical to the targeted one when rendered by a vulnerable browser. For example, proving the concept, a researcher recently registered the domain name "xn--80ak6aa92e.com", whose label consists entirely of Cyrillic letters and which vulnerable browsers rendered as "apple.com".

Mitigations such as using a password manager can help users spot fake websites: the manager only fills in credentials on the exact domain they were saved for, so a lookalike domain receives nothing. In addition, email anti-spoofing measures can help prevent phishing emails from reaching users in the first place.
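To make the homograph checks concrete, here is an added example (written for this page; not NCSC code and not any browser's implementation) that decodes Punycode labels, applies the per-label mixed-script check that browsers use, and then compares an ASCII "skeleton" of the name against a watch list, which is what catches the whole-script Cyrillic case above. The same check serves for the similar-looking fake sender addresses mentioned in the Business Email Compromise report further up the page. It uses only the Python standard library; the CONFUSABLES table is a small hand-picked subset of the Unicode confusables data and PROTECTED is an assumed watch list.

```python
"""Flag lookalike (homograph) domains: decode Punycode labels, check each label
for script mixing, then compare an ASCII 'skeleton' of the name with a watch
list of protected domains.

Added example, not NCSC's code.  It decodes with Python's RFC 3492 'punycode'
codec rather than the 'idna' codec, because the latter applies nameprep and
rejects some of the very characters attackers choose.  CONFUSABLES is a small
hand-picked subset of lookalike mappings (assumption: a real deployment would
load the full Unicode confusables data) and PROTECTED is an assumed watch list.
"""
import unicodedata

# Non-Latin letters mapped to the Latin letter they resemble (hand-picked subset).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

PROTECTED = {"apple.com", "google.com", "example.com"}  # assumed watch list


def decode_label(label):
    """Unicode form of one DNS label; 'xn--' labels are Punycode-decoded."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: hand it back unchanged
    return label


def decode_domain(domain):
    return ".".join(decode_label(part) for part in domain.split("."))


def encode_domain(domain):
    """ASCII (ACE) form a registrar or DNS sees; the inverse of decode_domain."""
    parts = []
    for part in domain.split("."):
        if part.isascii():
            parts.append(part)
        else:
            parts.append("xn--" + part.encode("punycode").decode("ascii"))
    return ".".join(parts)


def scripts(label):
    """Scripts used by the letters of a label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(text):
    """Reduce text to the ASCII it imitates: strip accents via NFKD (so the dot
    on 'ė' goes and 'e' remains), then substitute known confusables."""
    out = []
    for c in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(c):
            continue
        out.append(CONFUSABLES.get(c, c))
    return "".join(out).lower()


def assess(domain, protected=PROTECTED):
    """Return (decoded_domain, verdict); verdict is 'ok', 'mixed-script' or 'lookalike'."""
    decoded = decode_domain(domain)
    # Whole-script spoofs (the apple.com case) pass this first check by design,
    # which is why the skeleton comparison below is still needed.
    for part in decoded.split("."):
        if len(scripts(part)) > 1:
            return decoded, "mixed-script"
    plain = skeleton(decoded)
    if plain != decoded.lower() and plain in protected:
        return decoded, "lookalike"
    return decoded, "ok"


if __name__ == "__main__":
    for d in ("xn--80ak6aa92e.com", encode_domain("googl\u0117.com"),
              "p\u0430ypal.com", "example.com"):
        print(d, "->", assess(d))
```

The same assess() can be run over the domain part of sender addresses in inbound mail, with the organisation's own domains and key suppliers in the watch list, to flag the lookalike addresses used in invoice fraud.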


Vulnerabilities

An altogether quieter week than we have seen for a while on the vulnerabilities front. There were a number of updates from Cisco for IOS, ASA, Prime Infrastructure and Prime Network Registrar to fix cross-site scripting, denial of service and device restart vulnerabilities. IBM updated WebSphere and Security Guardium this week to fix elevation of privilege bugs, and also updated Domino to fix a remote code execution bug.

Palo Alto fixed an input validation flaw in PAN-OS to prevent cross-site scripting attacks and F5 Networks fixed a denial of service bug in BIG-IP and let users know about a bug in F5 Enterprise Manager which could lead to denial of service conditions, but for which no fix is currently available.

Elsewhere there were updates for Adobe ColdFusion, Apache Batik, Novell NetIQ and cURL/libcurl.

In terms of Debian this week there were updates for MySQL, Python-Django, Icedove/Thunderbird and libav.

Also a quiet week with regard to ICS-specific updates with just two: one for BLF-Tech and one for Sierra Wireless AirLink Raven.

NCSC - Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT, or internet-connected) devices by scanning the internet for devices with network vulnerabilities and attempting to log in to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections, followed by Thailand and Russia. Industry partners have suggested that the number of UK devices infected currently stands at approximately 5,000.

Hajime is being compared to the Mirai malware for a number of reasons, including similarities between initial infection vectors, the targeting of internet-connected devices and the use of command and control (C2) servers to communicate and send instructions out to infected devices. Hajime differs, however, in adopting a decentralised peer-to-peer (P2P) model, where communication and instructions are passed between infected nodes rather than through the more traditional client-server architecture. This approach makes the malware much more resilient to takedown, as it does not rely on a single central server to control the botnet.

The Hajime malware is also different because it does not, as yet, appear to have been used for malicious purposes. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory is that Hajime was created by ethical hackers who are targeting Mirai-infected devices in order to deny Mirai the chance to carry out any harmful activity.

Malware targeting of IoT devices is not new and as these products are becoming more popular amongst consumers, manufacturers and suppliers should be aware of the emerging risks and cyber threats posed when attention is not paid to IoT security.

See the NCSC website for guidance on malware prevention.
 

Insider steals employer’s proprietary trading code

A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.

From December 2016 to March 2017, the engineer took steps to obfuscate his presence on areas of the company’s network that he was not authorised to access. He used discrete areas of the network to collect over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating it.

The motivation for this activity has not been conclusively reported, nor whether this individual acted alone, or on behalf of another. The tasking of insiders by criminals to exploit access to corporate networks is a common occurrence. But the exfiltration of this particular source code is significant because trading platforms could be manipulated to allow vast amounts of money to be stolen in a single attack. Alternatively the intellectual property (IP) could be sold to a rival company.

Companies can mitigate the insider threat by enforcing policies that restrict access to the most sensitive data to those who need it, and by alerting on unusual activity, such as access to areas of the network outside a user's normal role or the bulk collection of files.
 

Hotpoint service site compromise

Recent reporting by cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint’s UK and Irish service websites, which has since been confirmed by Hotpoint in a statement via the Register. Customers accessing the service website were reportedly presented with fake Java dialogs, which if clicked, directed users to possibly malicious third party websites, presenting a risk that users could be infected with malware. Netcraft note that the compromise occurred shortly before the Easter weekend, suggesting that this may have been done deliberately to maximise the impact.

According to the company’s statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggest that the site’s WordPress installation may have been responsible. The NCSC provides guidance on minimising the vulnerabilities to WordPress, including the recommendation to implement regular security updates of WordPress as well as any plug-ins, only using trusted plug-ins and replacing default or easy to crack passwords.
 

Vulnerabilities

There have been a large number of updates over the last week, thanks at least in part to Oracle's quarterly update cycle falling this week. Oracle's updates fix multiple bugs in many of their products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.

Both Mozilla and Google released updates to fix multiple vulnerabilities, the most serious of which could allow remote code execution, in their browser products, Firefox and Chrome respectively and there were three updates for BIND.

Magento saw an update to prevent the uploading of arbitrary files and remote users conducting cross-site request forgery attacks. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager. Juniper released a number of updates for Junos.

On the virtualisation front there were updates this week for both VMware and VirtualBox.

Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.

On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.

Threat to Managed Service Providers

A major cyber campaign against Managed Service providers has been detected that may present risks to organisations using outsourced IT services. 

Media references to terrorist cyber capability

There have been numerous reports on the recently imposed restrictions on electronic devices larger than a smartphone being allowed in cabin baggage on flights from certain countries in the Middle East, North Africa and Turkey. A statement from the US Department of Homeland Security (DHS) said: "Evaluated intelligence indicates that terrorist groups continue to target commercial aviation, to include smuggling explosive devices in various consumer items". This physical terrorist threat to aviation is entirely separate from news reports suggesting a raised cyber terrorist threat against the civil nuclear sector. As highlighted in the recent NCSC/NCA Annual Report, the NCSC assesses that terrorist organisations currently have limited cyber capability. While they may aspire to cause a destructive cyber attack, this remains unlikely.

Malware Threat to ATMs

A fileless malware campaign that successfully targeted 140 organisations worldwide earlier this year has evolved. Criminals are now exploiting their remote access to banks' networks to drop additional malware called ATMitch, enabling them to issue remote commands to compromised ATMs to dispense cash. Banks in Russia and Kazakhstan have reportedly been victims of this malware.

Although we have previously seen cyber criminals use malware to steal cash from ATMs, their use of a bank's internal network to deliver ATM malware remotely is a new and more sophisticated form of attack. The use of fileless malware, which runs in memory rather than from files on disk, also allows criminals to remove their malicious commands from the ATM's hard drive, leaving few forensic traces of an attack.

There have been no reported incidents of network-delivered ATM malware attacks against UK ATMs to date. The most common attacks seen against UK ATMs continue to be more traditional physical attacks, which criminals carry out to varying levels of success. For more information on the malware threat to UK ATMs, log in to the Cyber-security Information Sharing Partnership (CiSP) to view our recently published report. Please see details on how to become a member of CiSP.

Rise in compromised websites

According to a recent Google report, the number of websites that were hacked in 2016 was 32% higher than in 2015. Google assess this trend is unlikely to lose momentum "as hackers get more aggressive and more sites become outdated".

Although it is difficult to corroborate this statistic or clarify what proportion of the allegedly compromised websites were active, the threat to websites from cyber criminals has risen over recent years, with ransomware and financial scams providing particularly strong incentives for them to compromise websites in order to facilitate cyber crime.

Google say this problem was compounded by the fact that 61% of webmasters, whose websites were breached had not registered with Google's channel for communicating site health alerts, Search Console, and were therefore not notified by Google of the compromise.

The NCSC recommend that website owners follow NCSC guidance and regularly patch known vulnerabilities to reduce the risk of a compromise. We recommend that the public follow the malware prevention advice in 10 steps to cyber security to reduce the risk of being infected by malware from infected websites, and you may also find our guidance on designing digital services useful. Following the guidance can help prevent some of the most prevalent types of web attacks that are being carried out currently.

Website owners may also find OWASP's Top 10 project, which represents a broad consensus about what the most critical web application security flaws are, useful.

Vulnerabilities

Reports came in this week of a WebDAV buffer overflow vulnerability affecting Microsoft's Internet Information Services (IIS). There are reports that this vulnerability is being actively exploited and, at the time of writing, Microsoft does not yet have a fix available. NIST's National Vulnerability Database (NVD) has details. Where there is still a need for on-premises installs, the NCSC recommends using the latest versions of software (Windows Server 2016 in this case), as they are more secure by default. If we receive more information on this vulnerability we will update accordingly.

Apple released an update for their iOS mobile operating system to fix a bug that could allow remote code execution within Wi-Fi range of the device.

McAfee ePolicy Orchestrator fixed a flaw in the anti-malware engine that could allow local users to cause denial of service conditions. RSA Archer GRC Security Operations Management resolved an error where local users could view passwords. Django suffered from an input validation error that could lead to remote users conducting cross-site scripting and open redirect attacks.

Elsewhere this week there were updates from HPE Business Process Monitor, Asterisk, MantisBT, PHP, WebsiteBaker, the Linux Kernel and Splunk.

Debian specific updates this week were for Samba to fix a regression bug, Firebird2.5 and Tryton-server.

ICS updates this week included several from Schneider Electric (Wonderware, Modicon Interactive Graphical SCADA), Siemens RUGGEDCOM ROX I, Rockwell Automation Allen-Bradley Stratix and ArmorStratix, Miele, Marel Food Processing, LCDS, BD Kiestra and 3S-Smart.

Yahoo breach highlights cookie security issues

Last year Yahoo reported several data breaches occurring between 2013 and 2016 which affected a large number of user accounts.  Personal information stolen could have included email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.

Following forensic investigations Yahoo has revealed that fake cookies were a probable method used by attackers to access user accounts without a password. According to Yahoo, the attacker was able to create fake cookies by accessing the company's proprietary source code. 

In response Yahoo invalidated unencrypted security questions and advised affected users to change their passwords. The company also recommended that users adopt its authentication tool instead as it eliminates the need for a password on Yahoo accounts.  It is unclear how the fake cookies managed to evade website security but this advice indicates authorisation and authentication issues.

A cookie is a small piece of data that a website stores in the user's browser and that the browser sends back with later requests. It may hold anything from the pages visited to personally identifiable information, and a session cookie in particular stands in for the password once a user has logged in. Cookies have many functional advantages, but if they are not managed correctly, with appropriate security measures, attackers may be able to exploit them. The lesson of this breach is that a server must be able to tell a cookie it issued from one an attacker crafted, and that distinction cannot rest on the secrecy of the code that generates cookies: if the algorithm is the only secret, a source-code leak is enough to forge them.
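An added example (not Yahoo's design or code) of what "appropriate security measures" means for a session cookie: the value carries its payload, an expiry and an HMAC computed with a key held outside the source tree, and verification uses a constant-time comparison. With this construction, reading the source code gives an attacker the format but not the ability to mint or alter cookies, and rotating the key invalidates every cookie issued under the old one. SECRET_KEY is read from an assumed SESSION_KEY environment variable, with a random fallback for demonstration only.

```python
"""Session cookies that cannot be forged without a server-held secret.

Added example, not Yahoo's code.  A cookie value has the form
'<payload>.<expiry>.<mac>': the payload is URL-safe base64 of JSON, the expiry
is a Unix timestamp and the MAC is HMAC-SHA256 over the first two fields.
Assumption: production injects SESSION_KEY from a secret store and rotates it;
the random fallback only keeps this demo runnable (cookies die with the process).
"""
import base64
import hashlib
import hmac
import json
import os
import time

SECRET_KEY = os.environ.get("SESSION_KEY", "").encode() or os.urandom(32)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload, exp, key):
    return hmac.new(key, f"{payload}.{exp}".encode(), hashlib.sha256).digest()


def mint(session, ttl, key=SECRET_KEY, now=None):
    """Issue a cookie value for a session dict that expires `ttl` seconds from now."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    exp = str(now + ttl)
    return f"{payload}.{exp}.{_b64(_mac(payload, exp, key))}"


def verify(cookie, key=SECRET_KEY, now=None):
    """Return the session dict, or None if the cookie is malformed, tampered with or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload, exp, mac = cookie.split(".")
        # Check the MAC, in constant time, before trusting anything else in the cookie.
        if not hmac.compare_digest(_unb64(mac), _mac(payload, exp, key)):
            return None
        if int(exp) < now:
            return None
        return json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None


def forge_without_key(cookie, **changes):
    """What source-code access alone allows: rewrite the payload and reuse the
    old MAC.  verify() rejects the result because the MAC no longer matches."""
    payload, exp, mac = cookie.split(".")
    session = json.loads(_unb64(payload))
    session.update(changes)
    new_payload = _b64(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_payload}.{exp}.{mac}"


if __name__ == "__main__":
    cookie = mint({"uid": 42, "role": "user"}, ttl=3600)
    print("genuine :", verify(cookie))
    print("forged  :", verify(forge_without_key(cookie, role="admin")))
    print("rotated :", verify(cookie, key=os.urandom(32)))
```

A server-side session store with revocation is still needed on top of this, since a valid cookie stays valid until its expiry even after the user logs out; the MAC only guarantees that the server, and nobody else, produced the value.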

Data leak reveals spam techniques

Security researcher Chris Vickery has reported that almost 1.4 billion user records from River City Media (RCM) were exposed after being backed up online without password protection. The data has since been taken offline, but it is unknown whether other actors have accessed it.

US-based RCM describes itself as an email marketing firm, but is listed in the top 10 of the Spamhaus Register of Known Spam Operations. As a result of the leak, RCM's infrastructure has been blacklisted by anti-spam organisations.

The leak also revealed techniques used to force legitimate mail servers to deliver up to a billion emails daily. The sender's computer sends deliberately slow and incomplete requests to the mail server, keeping existing connections open, while opening as many new connections as possible. Once the sender is ready, they resume normal speed requests and use the open connections to send a flood of emails before they can be blocked. This is very similar to a Denial of Service (DoS) attack known as Slowloris, which uses large numbers of slow connections to consume server resources and prevent other users from gaining access.
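The connection-holding pattern just described is the failure mode a receiving server has to handle. As an added example (written for this page, not code from RCM, Spamhaus or any mail server), the toy line-oriented server below applies the two standard countermeasures, a per-source cap on concurrent connections and a deadline for delivering a complete request line, and the demo drives it with five held-open connections followed by one well-behaved client, all on localhost so it runs offline. The limits and the "250 OK" reply text are assumptions.

```python
"""Bound the damage from slow-connection abuse: cap concurrent connections per
client address and drop any connection that has not delivered a complete
request line within a deadline.

Added example, not any mail server's code.  A toy line-oriented server and a
simulated abuser both run on 127.0.0.1; limits and the reply are assumptions.
"""
import asyncio
from collections import Counter

MAX_CONN_PER_IP = 3    # assumption: per-source concurrency cap
LINE_DEADLINE = 0.5    # assumption: seconds allowed to deliver one full line


class SlowClientGuard:
    def __init__(self, max_per_ip=MAX_CONN_PER_IP, deadline=LINE_DEADLINE):
        self.max_per_ip = max_per_ip
        self.deadline = deadline
        self.active = Counter()   # connections currently held open, per IP
        self.stats = Counter()    # served / rejected / timed_out

    async def handle(self, reader, writer):
        peer = writer.get_extra_info("peername")
        ip = peer[0] if peer else "unknown"
        # Refuse outright once a source already holds its quota of connections.
        if self.active[ip] >= self.max_per_ip:
            self.stats["rejected"] += 1
            writer.close()
            await writer.wait_closed()
            return
        self.active[ip] += 1
        try:
            # A client that trickles or withholds bytes loses its slot at the
            # deadline, so idle connections cannot pile up and starve others.
            try:
                line = await asyncio.wait_for(reader.readline(), self.deadline)
            except asyncio.TimeoutError:
                self.stats["timed_out"] += 1
                return
            if line.endswith(b"\n"):
                self.stats["served"] += 1
                writer.write(b"250 OK\r\n")
                await writer.drain()
        finally:
            self.active[ip] -= 1
            writer.close()
            await writer.wait_closed()


async def run_demo():
    guard = SlowClientGuard()
    server = await asyncio.start_server(guard.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    # Abuser: open five connections and send nothing, Slowloris-style.
    holds = [await asyncio.open_connection("127.0.0.1", port) for _ in range(5)]
    await asyncio.sleep(guard.deadline * 3)    # let the deadline expire the held slots
    # Legitimate client: sends a complete line promptly and is answered.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"EHLO mail.example.net\r\n")
    await writer.drain()
    reply = await reader.readline()
    writer.close()
    await writer.wait_closed()
    for _, w in holds:
        w.close()
        await w.wait_closed()
    server.close()
    await server.wait_closed()
    return dict(guard.stats), reply


def demo():
    """Synchronous entry point; returns (guard statistics, reply seen by the good client)."""
    return asyncio.run(run_demo())


if __name__ == "__main__":
    print(demo())
```

Of the five held connections, three occupy slots until the deadline drops them and two are refused on arrival; the well-behaved client that follows is served normally. Real MTAs expose the same two knobs under names such as per-client connection limits and command timeouts.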

Upstream services attacked to target end users card credentials

A reported security breach at the US retail platform provider Aptos has led to malware infecting machines that the company uses to host online retail services. Forty e-commerce stores using Aptos services are said to be affected by the incident, which allowed malicious actors in some cases to access customer names, phone numbers, addresses, email addresses as well as payment card numbers and expiration dates. The malware is reported to have been present on Aptos systems for up to ten months during 2016. The company is working with US authorities to investigate the breach.

This incident illustrates the risk of upstream service and software providers being compromised to reach a broader victim base. A single attack on an upstream provider can deliver a much higher return on investment, compared to attacking each retailer separately. The success of such attacks is likely to encourage cyber criminals to target more upstream service providers.

It also highlights that while services can be outsourced, responsibility for customer data ultimately lies with those who collect it. Businesses need to demand high cyber security standards from third party organisations with access to their customer data, including software and service suppliers.

NCSC - Weekly Threat Report 3rd March 2017

Drone-enabled hacking

An organisation’s most sensitive information is often stored on ‘air-gapped’ computers, which are physically separated from the internet.  The lack of a connection protects them from most external attackers, and even if the machine is infected with malware, the data is difficult to exfiltrate.

An Israeli researcher has demonstrated a new technique for transmitting information out of air-gapped computers, using malware to make the machine's LEDs flash in a pattern that can be picked up by a drone hovering outside the window. Other known methods for exfiltrating information over an air gap include varying fan speeds to produce audio signals and using the electromagnetic emissions of USB connectors as a makeshift radio transmitter. LEDs can transmit information at a much faster rate, however, reaching 4,000 bits per second with high quality light detection equipment (corresponding to around an A4 page of text every five seconds).

This attack requires infecting air-gapped machines with specific malware, and can be mitigated simply by covering LEDs with opaque tape. However, it illustrates the potential for emerging technologies, such as drones, to enable compromises. A potential variation on drone-enabled hacking could involve mounting a Wi-Fi access point on a drone, impersonating a corporate Wi-Fi network, and positioning it in an otherwise secure location. Employees connecting to it would expose their devices and company data to the attacker. The NCSC notes that wireless scanning tools can be useful for detecting and locating unauthorised or spoof wireless access points.
 

SHA-1 Collision: Cryptographic standard undermined

Researchers have successfully broken a commonly used cryptographic standard. Google and the Centrum Wiskunde & Informatica (CWI) made the widely expected announcement of the world's first SHA-1 collision on 23 February.

SHA-1, or Secure Hash Algorithm 1, is a function that produces a fixed-size digital fingerprint (a digest) for any set of data, whether code, a document or a webpage. Any change to the original data, no matter how small, produces a different SHA-1 digest. SHA-1 can therefore show whether data has been tampered with between creator and end user, making it useful for a broad array of security applications such as the certificate signatures behind HTTPS, digital document signing, version control and backup systems.

A 'collision' in SHA-1 means that two different inputs have produced the same fingerprint, which for a secure hash should be infeasible to arrange. The researchers were able to construct a collision roughly 100,000 times more quickly than a brute-force approach would require.

Given the difficulty and cost involved in creating the collision, it is likely that applying it, or similar methods, to other inputs would only be feasible for determined and well-resourced actors. It can, however, be seen as a proof of concept for a potential attack vector in future, as computing power increases and costs decrease.

Hypothetically, an actor could craft two files with the same SHA-1 digest, one benign and one malicious, obtain a signature over the benign one, and then present the malicious one with that same signature; a victim's computer checking only the SHA-1 digest would see the malicious version as identical to the verified original. Note that this requires the attacker to control both files from the outset (a collision). Producing a malicious file that matches the digest of an existing, independently created file (a second preimage) remains infeasible against SHA-1.

SHA-1 is already being phased out, and many web browsers will cease to support it in 2017. But its pervasiveness means that the transition will take time, and the risk is only likely to grow in future.


NCSC - Weekly Threat Report 17th February 2017

Official Launch of the National Cyber Security Centre

February 14th marked the official launch of the National Cyber Security Centre (NCSC) HQ by Her Majesty the Queen. The Centre will work to make the UK the safest place to live and do business online.

In acknowledgement that Government alone cannot protect the public from cyber attacks, the Chancellor announced the launch of the Industry 100 initiative. Industry 100 will see the Centre invite expertise from industry to collaborate with the NCSC in achieving its mandate of enhancing the cyber security of the UK.

A reflection on the diversification of cyber crime

The nature of the cyber-criminal threat to the UK is diversifying: highly skilled actors are becoming increasingly competent and targeted in their attacks, while the barriers to entry for less-skilled actors are lowering.

At the high-capability end of the spectrum, banking Trojans are reportedly becoming increasingly targeted, with a focus on financial institutions, which offer larger relative rewards than end-user customers. Meanwhile, ransomware attacks are said to be specifically targeting those organisations perceived as more likely to pay because they need timely access to time-critical data.

At the other end of the skill spectrum, individuals with minimal cyber capability can carry out nefarious activities online using Crimeware-as-a-Service tools. DDoS attacks, email compromises, criminal infrastructure and more can be bought or rented at minimal cost. Notably, sites now offer live chats with support agents, and collect marketing information to better understand their customers. This trend risks further normalising low-level cyber crime.

The diversification of the cyber-crime threat poses challenges for law enforcement and security professionals, who will face highly skilled, targeted threats. Simultaneously, resources are increasingly consumed by low-skilled attackers using services offered by more competent actors. Detailed analysis of this changing cyber-criminal landscape will be published in NCSC Assessment's Annual Report.

Warning of cyber threat from building owners

The US Government Accountability Office (GAO) has warned of the potential threat of cyber intrusions from foreign owners of office buildings. Numerous properties occupied by US law enforcement agencies are owned by firms domiciled abroad, including in China, Israel, South Korea and Japan. Some of the buildings are used for sensitive activities including managing classified operations, hosting data centres and storing high-security material. Most of the agencies were unaware that their buildings were foreign-owned.

The GAO's report highlights concerns from the Department of Homeland Security that "threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property." This could potentially include exploiting building infrastructure to facilitate cyber intrusions. The GAO recommends that US government agencies should be informed if their buildings are foreign-owned, so that appropriate security measures can be implemented, where necessary.

While the report focuses on the threat to official bodies, the concerns it raises may also apply to commercial organisations dealing with corporate-sensitive information. Although there are no reported instances so far of such intrusions taking place in the US or UK, this issue highlights the need for precautions regarding landowners' access to buildings hosting sensitive activities.

Weaponised Macros targeting Mac users

Security researchers have reportedly identified the emergence of Microsoft Word documents containing malware-infected macros for installing malicious software on macOS devices.

This technique has been used for some time to infect Windows users with malware. However, it is the first reported in-the-wild instance for Word documents containing malicious macros that execute solely on macOS. When users attempt to open the attachment, they are prompted to enable macros. If macros are enabled the malware executes its payload.

Although not a particularly sophisticated attack technique, this methodology has been successful in delivering ransomware and banking Trojans to Windows users worldwide. It looks like Microsoft Word users on macOS may now also fall victim to such attacks. This is a timely reminder that cyber criminals are regularly looking to enlarge their pool of potential victims; regardless of software and hardware, users must be vigilant of the risks.

Watering hole attacks infected a larger pool of victims than first thought

Last week it was reported that the Polish financial sector had been the victim of a malware attack, where the attackers used the web server of the Polish financial regulator as a watering hole. Further investigation has revealed that the attackers intended to target over 100 organisations, mainly banks, in 31 different countries, including the UK.

Vulnerabilities Report

A number of cross-platform updates this week, with a predominant focus on Linux and Unix-based systems. Microsoft held back its Patch Tuesday release cycle due to last-minute complications. The most publicised vulnerability this week concerned F5’s BIG-IP and the ‘TicketBleed’ vulnerability. Adobe released updates for Flash Player and Digital Editions to fix remote code execution vulnerabilities. Elsewhere this week there were updates to BIND, Cisco AnyConnect and Cisco ASA, IBM WebSphere, HPE NonStop Server, Xen and Google’s Android.


NCSC - Weekly Threat Report 3rd February 2017

This report is drawn from recent open source reporting.

Shamoon 2

The Saudi Arabian Government warned on 23 January that the destructive wiper malware Shamoon 2 had been detected on its government networks.

Shamoon 2 is an updated version of Shamoon, the disk-wiping malware that disabled thousands of computers at Saudi state-linked energy company Saudi Aramco in 2012.

The Saudi authorities are reporting on these latest compromises publicly and have provided reassurance that the damage is currently limited and mitigation is in place.


The re-emergence of Dridex

The notorious Dridex banking Trojan has returned. Flashpoint researchers observed a small Dridex spear-phishing campaign targeting UK financial institutions on 25 January. This is not the first time Dridex has made a reappearance; there have been peaks and troughs in the distribution of this Trojan since it first emerged in 2014. What has remained consistent, however, is the upgraded capability seen within the malware upon its return.

This Dridex re-emergence is no exception: Flashpoint researchers identified a previously unobserved User Account Control bypass mechanism in the most recent iteration of the malware. This bypass means the Windows user prompt requesting administration access for an application is not displayed, enabling Dridex to gain administrative system access without user approval.

This frequent evolution ensures infection levels are kept high, whilst frustrating the capability of network defenders to respond to attacks. Although relatively resource intensive, these regular changes have so far been worthwhile in establishing Dridex's status as one of the most prolific banking Trojans to feature in the UK, as well as yielding estimated profits of upwards of £20 million.

The Evolution of Ransomware

An earlier weekly threat report predicted further innovations in ransomware, and this has already happened with the targeting of internet-connected devices to create a “Ransomware of Things”. 

The number of Internet of Things (IoT) devices is increasing, and many have poor security, which presents opportunities for exploitation by cyber criminals. According to the research company Gartner, there will be more than 26 billion IoT devices by 2020.

Researchers from IT security company ESET predict that the next step in the evolution of ransomware is "jackware" where internet-connected devices are targeted to create a Ransomware of Things (RoT). Recent RoT incidents have locked people out of hotel rooms and left a family unable to access their smart TV.

2016 was dubbed "The Year of Ransomware", but as the number of connected devices continues to increase, this phenomenon will only continue to gather pace.  

Hiding in Plain Sight

According to recent research by Forcepoint Security Labs, the Carbanak Group is now using malware that uses Google cloud services for command and control infrastructure. The group is named after Carbanak (aka Anunak) malware, which is a banking Trojan that has been used to steal hundreds of millions of pounds from international financial institutions.

The new malware issues command and control instructions to and from Google Forms Services, Google Apps Script and Google Sheets to manage infected computers. Investigations suggest that a trojanised RTF document was likely responsible for infecting the computers with the malware.

Using a legitimate third party service like Google helps the attacker hide their communications in plain sight amongst regular traffic that is unlikely to be blocked by an organisation or identified by intrusion detection systems. Detecting such threats will therefore require an evolution in protective monitoring.

This isn't the first time that cloud hosting services have been used as an attack vector; services like Dropbox have been used in the past. It is likely to become more popular as individual users, government departments and industry organisations make increasingly greater use of the cloud.
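Because the traffic itself is to a legitimate host, the monitoring has to look at behaviour rather than destination. The following is an added example, not code from the report or from Forcepoint, that scans constructed proxy-log lines for clients contacting Google Apps Script or Forms endpoints at a near-constant cadence, one of the few signals that distinguishes automated tasking from a person using the same service. The log format, hostnames watched and thresholds are assumptions.

```python
"""Beacon detection over proxy logs for C2 hidden in cloud services (added example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Endpoints the report names as abused for tasking: Apps Script, Forms, Sheets.
WATCHED_HOSTS = {"script.google.com", "docs.google.com"}
# Assumed log format: "<epoch> <client> <method> <host> <path> <user-agent>".
LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed sample: 10.0.0.5 polls Apps Script every ~300 s with a
# non-browser user agent; 10.0.0.9 is a person filling in a form.
SAMPLE_LOG = "\n".join(
    ["%d 10.0.0.5 GET script.google.com /macros/s/EXAMPLE/exec Mozilla/4.0 (compatible; MSIE 7.0)"
     % (1485856800 + 300 * i + (i % 3)) for i in range(8)]
    + ["1485856900 10.0.0.9 GET docs.google.com /forms/d/EXAMPLE/viewform Mozilla/5.0 Chrome/55.0",
       "1485857230 10.0.0.9 POST docs.google.com /forms/d/EXAMPLE/formResponse Mozilla/5.0 Chrome/55.0",
       "1485859100 10.0.0.9 GET docs.google.com /forms/d/EXAMPLE/viewform Mozilla/5.0 Chrome/55.0"])


def find_beacons(log_text, min_hits=6, max_jitter=0.2):
    """Return [(client, host, hits, mean_interval_s)] for clients whose
    requests to a watched host recur at a near-constant interval."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, host, _path, _ua = m.groups()
        if host in WATCHED_HOSTS:
            times[(client, host)].append(int(ts))
    flagged = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: low jitter means machine polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((client, host, len(stamps), round(avg, 1)))
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)   # flags 10.0.0.5 only
```

In practice the same routine would be fed from the proxy's own log exporter and the jitter threshold tuned against a baseline of known-good clients.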

Vulnerabilities

This was a relatively quiet week for vulnerabilities, with mainly platform-agnostic updates issued for Linux and Unix systems. Google Chrome, OpenSSL and WordPress each fixed multiple flaws addressing remote access, bypassing of security controls, and spoofing of the user interface, among other issues.  Elsewhere there were updates from F5 Networks, RSA, and IBM. No one sector was disproportionately affected this week.


NCSC - Weekly Threat Report 20th January 2017

This report is drawn from recent open source reporting.

Password security

In November 2016, a study of user passwords exposed by a Yahoo data breach revealed that "123456" was the most common password, followed closely by "password" at number two. A more recent report on the most commonly used passwords revealed that "123456" was still number one, followed by the 'more complex' "123456789".

These reports highlight ongoing problems associated with conventional password policies, which tend to promote the use of complicated passwords that are harder for attackers to discover, but which also place greater burdens on users. This approach may therefore be counterproductive, leading users to opt for simple password strategies, which will also be easy for attackers to guess or brute force. In many cases, imposing technical controls such as blacklisting the most common passwords is a far more effective measure.
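The denylist control described above is straightforward to implement, and is most effective when it also catches the trivial variants users apply to get past a naive check. The following is an added example, not NCSC code: it rejects a candidate password if it, or a normalised form of it, appears on a list of common passwords. The ten-entry list is a constructed stand-in for the full breached-password list a real deployment would load.

```python
"""Common-password denylist check with variant normalisation (added example)."""
import re

# Constructed sample denylist; load the full breached-password list in production.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "qwerty", "12345678",
    "football", "letmein", "welcome", "admin", "abc123",
}

# Obvious character substitutions users make to dodge a literal match.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def variants(candidate):
    """Yield the forms of `candidate` that should be compared to the denylist."""
    base = candidate.lower()
    yield base
    # "Password2017!" -> "password": strip a trailing run of digits/punctuation.
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped:
        yield stripped
        yield stripped.translate(LEET)   # "p@ssw0rd" -> "password"
    yield base.translate(LEET)


def is_denied(candidate, denylist=COMMON_PASSWORDS):
    """True if the password or any normalised variant is on the denylist."""
    return any(v in denylist for v in variants(candidate))


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd1!", "Football2018", "correct horse battery staple"):
        print(repr(pw), "denied" if is_denied(pw) else "accepted")
```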

Mobile forensics company hacked

The Israeli mobile forensics company Cellebrite reports that it has become the latest in a long line of companies to have its data hacked and published online. Cellebrite is a major supplier of forensic tools to law enforcement and other security organisations worldwide. Cellebrite states that it experienced 'unauthorised access to an external web server' and that the information accessed is known to include 'basic contact information' and 'hashed passwords'. The company advises users to change their passwords as a precaution.

The company's investigation is ongoing. Without commenting on the specifics of this case, the compromise highlights the broader issue that companies must ensure that they protect themselves and customers in a way commensurate to the threat that they face and the sensitivity of the data that they hold. Reporting data breaches is to be strongly encouraged, enabling those affected to take appropriate action, such as changing passwords.
