NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www. thisisarealwebsite .org.com
  • Example 2: www. thisisarea|website .org.com

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.
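The check below is an added example (not NCSC code) of how a mail gateway or link-checker can flag the lookalike trick described above before a user sees the link. It uses only the Python standard library. The confusable map and the 24-character sample hostnames are constructed for the example; a production filter would use the full Unicode confusables data.

```python
import unicodedata

# Small constructed map of characters that render like an ASCII letter in many fonts.
# Not a full Unicode confusables table; extend it for the alphabets your users see.
CONFUSABLES = {
    "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u03bf": "o",                  # Cyrillic / Greek
}
# Digits only count as lookalikes when wedged between letters ("rea1website"), so that
# ordinary names such as "fs1" or "web01" are not reported.
DIGIT_LOOKALIKES = {"1": "l", "0": "o"}


def script_of(ch: str) -> str:
    # Approximation: the first word of the Unicode character name (LATIN, CYRILLIC, GREEK, ...)
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def hostname_findings(hostname: str) -> list[str]:
    """Reasons a hostname deserves a closer look; an empty list means none were found."""
    findings = []
    for label in hostname.strip().rstrip(".").split("."):
        if label.lower().startswith("xn--"):
            findings.append(f"label '{label}' is Punycode (IDNA-encoded non-ASCII characters)")
        scripts = set()
        for i, ch in enumerate(label):
            if ch in CONFUSABLES:
                findings.append(
                    f"'{ch}' (U+{ord(ch):04X} {unicodedata.name(ch, '?')}) in '{label}' "
                    f"can be mistaken for '{CONFUSABLES[ch]}'"
                )
            elif ch in DIGIT_LOOKALIKES and 0 < i < len(label) - 1 \
                    and label[i - 1].isalpha() and label[i + 1].isalpha():
                findings.append(
                    f"digit '{ch}' between letters in '{label}' can be mistaken for '{DIGIT_LOOKALIKES[ch]}'"
                )
            elif not (ch.isascii() and (ch.isalnum() or ch == "-")):
                findings.append(f"'{ch}' (U+{ord(ch):04X}) in '{label}' is not a plain hostname character")
            if ch.isalpha():
                scripts.add(script_of(ch))
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts: {', '.join(sorted(scripts))}")
    return findings


def is_suspicious(hostname: str) -> bool:
    return bool(hostname_findings(hostname))
```

Run `hostname_findings()` on the hostname part of every link in an inbound message and quarantine or annotate messages with a non-empty result; the mixed-script and Punycode checks catch the cases the human eye misses even when the confusable map does not list the character.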

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect and sometimes operates to coincide with times where the device is not normally used, and thus remains undetected.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

Github consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FA, password management, mitigating the threat of malware and identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.
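The advice above to check the integrity of published software is usually carried out against a checksum manifest. The snippet below is an added example (not Syscoin's or GitHub's code) of that check in Python: it parses a `sha256sum`-style manifest, hashes the downloaded file in a streaming fashion and reports a mismatch. The file name `wallet-1.0.0.tar.gz` and the payload are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def parse_checksum_manifest(text: str) -> dict[str, str]:
    """Parse a sha256sum-style manifest ('<hex digest>  <filename>' per line) into {filename: digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.strip().lstrip("*")          # '*' marks binary mode in some tools' output
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def sha256_of_file(path: str) -> str:
    """Stream the file so that large release archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, manifest: dict[str, str]) -> bool:
    """True only when the file is listed in the manifest and its SHA-256 matches the listed digest."""
    name = os.path.basename(path)
    if name not in manifest:
        return False
    return sha256_of_file(path) == manifest[name]


def demo() -> tuple[bool, bool]:
    """Constructed walk-through: a clean download verifies, a modified one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        release = os.path.join(tmp, "wallet-1.0.0.tar.gz")
        with open(release, "wb") as f:
            f.write(b"constructed release payload, not a real archive\n" * 1000)
        # The manifest as the maintainers would publish it, obtained separately from the download.
        manifest = parse_checksum_manifest(f"{sha256_of_file(release)}  wallet-1.0.0.tar.gz\n")
        clean = verify_download(release, manifest)
        with open(release, "ab") as f:
            f.write(b"x")                # one appended byte stands in for any modification
        tampered = verify_download(release, manifest)
    return clean, tampered
```

The check is only as strong as the source of the manifest: if the digests sit in the same repository as the binaries, an attacker who can replace the binary can replace the digests too. Take the manifest from a channel the repository compromise does not control (the project's signed release tag, a maintainer's published signing key, or the project website), and treat an "unknown publisher" warning like the one in this incident as a reason to stop rather than click through.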


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as Lokibot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.


NCSC Guidance Notice - Increased Cyber Threats: Security steps to take

Measures to protect and prepare your systems in the face of heightened cyber security threats 

This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.

So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worst comes to the worst, they’ll help you determine what went wrong and recover quickly.

The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.


Increased cyber threats

How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media. There are a number of commercial and industry-specific information-sharing resources, as well as the CiSP platform detailed below.
 

Steps to take now:

If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:

1. Your organisation should undertake a readiness review and identify:

  • all available sources of logging
  • where those logs are stored
  • how long those logs are retained
  • who has access to them
  • that logging events are currently being generated

2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.

3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.

These measures will help in the detection of cyber attacks and give you some front line protection against Denial of Service (DoS) attacks.
 

Steps to take in the coming weeks:

1. Improve Defences

The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:

  • Your organisation should review its asset and vulnerability management processes and ensure they are in line with the NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
  • Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high risk, or day to day user activities such as web browsing and email.
  • Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.
     

2. Improve detection capability

Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.

It is important to log events, even if you have no proactive capability to examine them.

If there is a suspected incident the logs will:

  • make it easier to prove an attack has taken place
  • provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
  • allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted
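The readiness review in "Steps to take now" (sources, storage, retention, access, and confirmation that events are still arriving) and the three-month retention target above can be turned into a repeatable check. The script below is an added example, not NCSC tooling: it runs the review over a constructed inventory and reports every source that falls short. The 24-hour silence threshold and the inventory entries are assumptions for the demonstration.

```python
from datetime import datetime, timedelta

MIN_RETENTION_DAYS = 90                # the three months of storage the guidance recommends
MAX_SILENCE = timedelta(hours=24)      # assumed threshold: a source quiet for longer is treated as broken


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed inventory: what a readiness review of sources, stores, retention and owners might produce.
INVENTORY = [
    {"source": "firewall",  "store": "siem",       "retention_days": 180, "owners": ["soc"],
     "last_event": "2018-06-22T08:55:00Z"},
    {"source": "vpn",       "store": "local-disk", "retention_days": 14,  "owners": ["it-ops"],
     "last_event": "2018-06-22T08:50:00Z"},
    {"source": "web-proxy", "store": "siem",       "retention_days": 90,  "owners": [],
     "last_event": "2018-06-17T23:10:00Z"},
    {"source": "dns",       "store": None,         "retention_days": 0,   "owners": ["it-ops"],
     "last_event": None},
]


def review_log_sources(inventory: list[dict], now_iso: str) -> dict[str, list[str]]:
    """Map each source to the problems found; an empty list means the source passes the review."""
    now = _parse(now_iso)
    findings = {}
    for src in inventory:
        issues = []
        if not src["store"]:
            issues.append("not collected anywhere")
        if src["retention_days"] < MIN_RETENTION_DAYS:
            issues.append(f"retention {src['retention_days']}d < {MIN_RETENTION_DAYS}d")
        if not src["owners"]:
            issues.append("no owner/accessor recorded")
        if src["last_event"] is None:
            issues.append("no events ever received")
        else:
            age = now - _parse(src["last_event"])
            if age > MAX_SILENCE:
                # A silent source is the case the guidance warns about: logging that has quietly stopped.
                issues.append(f"silent for {age.days}d {age.seconds // 3600}h")
        findings[src["source"]] = issues
    return findings


def failing_sources(inventory: list[dict], now_iso: str) -> list[str]:
    return [s for s, issues in review_log_sources(inventory, now_iso).items() if issues]
```

Feed it the real inventory (the "last event" field can come from a query against the log store) and run it on a schedule, so that a collector that has stopped forwarding is noticed before an incident rather than during one.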
     

3. Improve response capability

Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.

Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.

The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact incidents@ncsc.gov.uk who will supply you with a form to complete with your organisation’s details. 

Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.


If an incident occurs

Please report incidents to the NCSC 24/7 Incident Management team if the following applies:

  • Significant loss of data, system availability, or control of systems
  • Unauthorised access to or malicious software present on IT systems.


Business as usual

Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.

You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.


NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programme interfaces and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows on from other reported incidents involving insecure repositories and third party storage solutions, where users have failed to alter the default settings and/or have configured the environments incorrectly, and subsequently exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.
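The two failures in this story, a default credential left in place and cloud access keys sitting in a development environment, are both detectable before an outsider finds them. The scanner below is an added example (not NCSC code or any project's tooling) that looks for an AWS access key ID, a private-key block and credential settings still at a well-known default, and redacts values in its report so the output does not re-leak what it found. The `AKIAIOSFODNN7EXAMPLE` key ID is AWS's published example value; the settings file and key block are constructed.

```python
import os
import re

# Detection rules (constructed; extend with the providers and secret formats your estate uses).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # Credential settings left at a well-known default or empty, e.g. 'db_password = admin'
    ("default-credential", re.compile(
        r"(?i)(password|passwd|pwd|secret)\s*[:=]\s*['\"]?(admin|password|changeme|default|123456)?['\"]?\s*$")),
]


def redact(line: str) -> str:
    """Keep the setting name, hide the value, so a report can be shared without re-leaking the secret."""
    key, sep, _value = line.partition("=")
    return f"{key.strip()}{sep} ****" if sep else "****"


def scan_text(text: str, name: str = "<memory>") -> list[dict]:
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                hits.append({"file": name, "line": lineno, "rule": rule, "preview": redact(line)})
    return hits


def scan_tree(root: str, skip_dirs=(".git", "node_modules", "venv")) -> list[dict]:
    """Walk a checkout or an export of the development environment; undecodable (binary) files are skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8") as f:
                    hits.extend(scan_text(f.read(), os.path.relpath(path, root)))
            except (UnicodeDecodeError, OSError):
                continue
    return hits


# Constructed inputs for the demonstration.
SAMPLE_CONFIG = """\
# constructed settings file for a development environment
db_host = db.dev.internal
db_user = admin
db_password = admin
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
tls_key_file = /etc/app/server.key
"""
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder body)\n-----END RSA PRIVATE KEY-----\n"
```

Wire `scan_tree()` into a pre-commit hook or the CI job that builds the development environment, and treat any hit on a key ID as a key to rotate, not just a line to delete: once it has been committed it should be assumed copied.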


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR security outcomes that have been developed by the NCSC and the Information Commissioner's Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.


NCSC - Countdown to GDPR

Anybody who is involved in cyber security or data protection will be acutely aware that the General Data Protection Regulation - better known simply as GDPR - comes into force on Friday (the 25th of May). We have worked very closely with the Information Commissioner's Office (ICO) to develop a set of GDPR Security Outcomes, which we published last week.

GDPR and cyber

If you have tried to read and understand the relevant articles described in the Regulation, well done. I personally have found it really hard work to break it apart, summarise what security measures it really seeks, and then overlay good cyber security practice to meet those requirements. Thankfully, the ICO really do understand the detail, and so we have worked together to describe what the regulation requires and provide an overview of what sorts of cyber security measures we expect those organisations processing personal data to have in place. We have published this work as a set of Security Outcomes required for GDPR, together with some relevant overarching GDPR information. Whilst we have a shared interest with the ICO on cyber security, of course they are the lead for the GDPR and you should consult their website for any general GDPR questions or needs that you might have.

What GDPR says about cyber

Now I'm going to quote parts of the Regulation here - so bear with me - but I will give some context as well.

There is an overarching requirement that basically says that you need to protect personal information. It states that personal information must be:

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

The key thing to note here is that personal information being correct and available is in scope - not just protecting its confidentiality.

One thing that I personally like in the GDPR (OK so it's a little bit nerdy to have a favourite part of data protection legislation) is that it specifically requires organisations to think about security as you design services as well as at the point when processing happens. It means that services must be designed with security in mind from the outset, and that you have to keep them secure through the whole lifecycle. You can't just develop services and allow security debt (when security corners are cut to meet business delivery) to accumulate.

The Regulation refers in a number of places to:

"appropriate technical and organisational measures"

It emphasises that you need to take a risk managed approach to security that is influenced by the risk to the individuals whose data you are processing, the state of the art (of technology) and cost. 'Appropriate' really does depend; we understand that saying 'it depends' can be really frustrating and people need a bit more certainty than that. Whilst the GDPR takes this 'it depends' approach, we have worked with the ICO to develop Security Outcomes that we would jointly expect any organisation to meet.

What are Security Outcomes?

As the name suggests, these are outcomes that any organisation should seek to achieve with regards to cyber security. They do not themselves carry mandatory status, although they are our joint approximation of what appropriate means under the Regulation. You'll find that the outcomes do not say precisely what to do with regards to cyber security. That's deliberate, as it's not for us (neither the NCSC nor the ICO) to tell you what technologies to use, nor to limit your choices in how you choose to protect them. Equally we need the outcomes to work for organisations of many sizes and complexities. Overall this was probably the hardest challenge and we'd like to hear your feedback if there are areas that don't quite work (and the reasons of course).

As we wrote the outcomes, we attempted to define the minimal set of measures that represent decent practice with regards to security. We do not believe we have described anything that is unreasonable, or should be surprising to you. Again let us know if you feel this isn't the case. Defining what we believe to be good practice means that existing guidance remains appropriate and can help you design measures that meet the outcomes. There is a lot of existing material - including our own Small Business Guide and ICO's guidance on GDPR - which you may find helpful.

We know that good security isn't just about putting technical mitigations in place. The outcomes are aligned to 4 top level aims which cover how you manage security, protecting personal data from cyber attack, detecting incidents and minimising the impact if an incident does happen. 

Existing schemes and certifications

I'm asked a lot whether having Cyber Essentials means you are compliant with the GDPR cyber security requirements. Certainly having Cyber Essentials certification is a good thing and it will show that you take protecting yourself from cyber attack seriously. I wholeheartedly recommend it but there are other areas, outside the scope of Cyber Essentials, where you need to protect personal information too. A good example might be protecting data at rest on a laptop. The same logic applies to other certifications you might have; they are part of the picture, but you must still ensure that you are comprehensively protecting personal data.

If something goes wrong

Occasionally even the most diligent organisation might experience a security incident. The whole approach of the GDPR is based on managing risk, not avoiding all risk. The fact that some of our Security Outcomes describe detecting events and minimising the impact should underline this. If you are (or think you are) subject to an incident that involves personal data then you are likely to be obliged to report this to the ICO. They have published guidance on their website to help you understand what you should report, and by when.

Ian M

Principal Technical Director, Risk Management Capability


NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.


Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual pleaded guilty to the charges against her and was charged with carrying out fraud in ‘connection to computers’.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
 

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Services Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.

The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.
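The two mechanisms named above, bucket ACLs and bucket policies, are both documents that can be audited offline. The code below is an added example (not AWS or NCSC code) that takes the ACL and policy in the shape the S3 API returns them and lists every grant that opens the bucket to everyone or to any AWS account. The bucket name, account ID `111122223333` and role ARN are placeholders constructed for the example; in a live account the documents would come from `GetBucketAcl` and `GetBucketPolicy`.

```python
import json

# Group URIs AWS uses for "everyone" and "any signed-in AWS account" in bucket ACLs.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl: dict) -> list[str]:
    """Grants in a GetBucketAcl-style document that go to everyone or to any AWS account."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return hits


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: dict) -> list[str]:
    """Allow statements granted to Principal '*'. Unconditional ones are the classic open bucket."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        qualifier = "conditional, review the Condition" if "Condition" in st else "no Condition"
        hits.append(f"statement {i}: Allow {', '.join(actions)} to Principal * ({qualifier})")
    return hits


def audit_bucket(acl: dict, policy: dict) -> list[str]:
    """Combined findings; an empty list means neither mechanism exposes the bucket."""
    return ([f"acl: {g}" for g in acl_public_grants(acl)]
            + [f"policy: {s}" for s in policy_public_statements(policy)])


# Constructed documents in the shape the S3 API returns; names, IDs and ARNs are placeholders.
OPEN_ACL = json.loads("""{"Owner": {"ID": "owner-placeholder"},
 "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}""")
PRIVATE_ACL = json.loads("""{"Owner": {"ID": "owner-placeholder"},
 "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"}]}""")
OPEN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
PRIVATE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/kyc-uploader"},
  "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
```

`OPEN_ACL` and `OPEN_POLICY` are the two ways the reported bucket could have ended up readable by anyone holding the URL; `PRIVATE_ACL` and `PRIVATE_POLICY` show the corrected form, with the owner as the only ACL grantee and a named role as the only policy principal. In a live account, also review the bucket's Block Public Access settings, which override both mechanisms.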

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
 

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011, the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.


NCSC Guidance - Protecting your organisation from ransomware

Protecting your organisation from ransomware

Created:  17 Oct 2016

Updated:  17 Oct 2016

How to prevent a ransomware incident, and what to do if your organisation is infected.

Ransomware is a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. The first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015[1].  While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to other types of malicious software, as are the steps organisations can take to protect themselves. Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.

This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.

What is ransomware?

There are two types of ransomware; the first type encrypts the files on a computer or network. The second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

Preventing ransomware using good enterprise security

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

The following mitigations are examples of good security practice, and link to other NCSC guidance where available:

  • Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.
  • Controlling code execution - consider preventing unauthorised code delivered to end user devices from running.  One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
  • Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
  • Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.

For more information see Approaching enterprise technology with cyber security in mind.

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.

It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

Limiting the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

  • Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user.  Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
  • Ransomware doesn’t have to go viral in your organisation; limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
  • Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware - the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.
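The three points above (compartmentalised privileges, shared drives reviewed for write access, and backups unreachable from at-risk machines) can be reasoned about as a blast-radius calculation: ransomware running as a user can encrypt exactly the shares that user can write to, whether or not the share is mapped as a drive. The model below is an added example, not NCSC tooling, that compares a flat permission scheme with a scoped one for the same constructed users. Share names, group names, sizes and memberships are all constructed for the illustration.

```python
# Constructed file-share inventory: each share maps to the groups that hold write access.
# Ransomware enumerates shares itself, so model exposure by permission, not by mapped drive letters.
SHARES_FLAT = {
    r"\\fs1\finance": {"Domain Users"},
    r"\\fs1\hr":      {"Domain Users"},
    r"\\fs1\eng":     {"Domain Users"},
    r"\\fs1\backups": {"Domain Users"},
}
SHARES_SCOPED = {
    r"\\fs1\finance": {"Finance", "Domain Admins"},
    r"\\fs1\hr":      {"HR", "Domain Admins"},
    r"\\fs1\eng":     {"Engineering", "Domain Admins"},
    r"\\fs1\backups": {"Backup Service"},   # only the backup job can write; no interactive account can
}
SHARE_SIZE_GB = {r"\\fs1\finance": 120, r"\\fs1\hr": 40, r"\\fs1\eng": 800, r"\\fs1\backups": 2000}

# Constructed group memberships. 'bob' and 'bob-admin' are one person's normal and privileged accounts.
MEMBERSHIP = {
    "alice":      {"Domain Users", "Finance"},
    "bob":        {"Domain Users", "Engineering"},
    "bob-admin":  {"Domain Users", "Domain Admins"},
    "svc-backup": {"Backup Service"},
}


def writable_shares(account: str, shares: dict, membership: dict) -> list[str]:
    """Shares that malware running under this account could overwrite or encrypt."""
    groups = membership.get(account, set())
    return sorted(share for share, writers in shares.items() if groups & writers)


def blast_radius(account: str, shares: dict, membership: dict, sizes: dict) -> tuple[list[str], int]:
    reach = writable_shares(account, shares, membership)
    return reach, sum(sizes[s] for s in reach)


def compare(account: str, sizes: dict = SHARE_SIZE_GB) -> dict:
    """Exposure for one account before and after scoping share permissions."""
    before = blast_radius(account, SHARES_FLAT, MEMBERSHIP, sizes)
    after = blast_radius(account, SHARES_SCOPED, MEMBERSHIP, sizes)
    return {
        "before_gb": before[1],
        "after_gb": after[1],
        "backups_reachable_after": r"\\fs1\backups" in after[0],
    }
```

Two results are worth noticing: under `SHARES_FLAT` a phishing email opened by `alice` puts the backups at risk along with every department's data, while under `SHARES_SCOPED` the same infection reaches only her own share; and `bob-admin` still reaches three shares where `bob` reaches one, which is the concrete cost of reading email or browsing from an administrative account.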

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk.  It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. 

Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.
