Thursday, 3 September 2020

The DRaaS Data Protection Dilemma

Written by Sarah Doherty, Product Marketing Manager at iland

Around the world, IT teams are struggling to choose between less critical but still important tasks and the innovative projects that help transform the business. Both are necessary and need to be actioned, but should your team do all of it? Have you thought about allowing someone else to guide you through the process while your internal team continues to focus on transforming the business?

DRaaS data protection dilemma: outsourcing or self-managing?
Disaster recovery can take a lot of time to properly implement so it may be the right time to consider a third-party provider who can help with some of the more routine and technical aspects of your disaster recovery planning. This help can free up some of your staff’s valuable time while also safeguarding your vital data.

Outsourcing your data protection functions vs. managing them yourself
How information technology should really be delivered has raised many questions. Some experts favour the Disaster Recovery as a Service (DRaaS) approach. They believe that data protection, although necessary, has very little to do with core business functionality. Organisations commonly outsource non-business services, which has driven many to consider the idea of employing third parties for other business initiatives. This has led some companies to believe that all IT services should be outsourced, enabling the IT team to focus solely on core business functions and transformational growth.

Other groups challenge the concept and believe that the idea of outsourcing data protection is foolish. An organisation’s ability to quickly and completely recover from a disaster - such as data loss or an organisational breach - can be the determining factor as to whether the organisation will remain in business. Some may think that outsourcing something as critical as data protection, and putting your organisation’s destiny into the hands of a third party, is a risky strategy. The basic philosophy behind this type of thinking can best be described as: “If you want something done right, do it yourself.”

Clearly, both sides have some compelling arguments. On one hand, by moving your data protection solution to the cloud, your organisation becomes increasingly agile and scalable. Storing and managing data in the cloud may also lower storage and maintenance costs. On the other hand, managing data protection in-house gives the organisation complete control. Therefore, a balance of the two approaches is needed in order to be sure that data protection is executed correctly and securely.

The answer might be somewhere in the middle
Is it better to outsource all of your organisation’s data protection functions, or is it better to manage it yourself? The best approach may be a mix of the two, using both DRaaS and Backup as a Service (BaaS). While choosing a cloud provider for a fully managed recovery solution is also a possibility, many companies are considering moving away from ‘do-it-yourself’ disaster recovery solutions and are exploring cloud-based options for several reasons.

Firstly, purchasing the infrastructure for the recovery environment requires a significant capital expenditure (CAPEX) outlay. Therefore, making the transition from CAPEX to a subscription-based operating expenditure (OPEX) model makes for easier cost control, especially for those companies with tight budgets.

Secondly, cloud disaster recovery allows IT workloads to be replicated from virtual or physical environments. Outsourcing disaster recovery management ensures that your key workloads are protected, and the disaster recovery process is tuned to your business priorities and compliance needs while also allowing for your IT resources to be freed up.

Finally, cloud disaster recovery is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. Furthermore, the time and expense to recover an organisation’s data is minimised, resulting in reduced business disruption.

By contrast, the disadvantage of local backups is that they can be targeted by malicious software that seeks out backup applications and database backup files and fully encrypts them. Additionally, backups, especially when organisations try to recover quickly, are prone to unacceptable Recovery Point Objectives (RPOs).

What to look for when evaluating your cloud provider

It is also essential when it comes to your online backups to strike a balance between micromanaging the operations and completely relinquishing any sort of responsibility. After all, it’s important to know what’s going on with your backups. Given the critical nature of the backups and recovery of your data, it is essential to do your homework before simply handing over backup operations to a cloud provider. There are a number of things that you should look for when evaluating a provider.
  • Service-level agreements that meet your needs.
  • Frequent reporting, and management visibility through an online portal.
  • All-inclusive pricing.
  • Failover assistance at a moment’s notice.
  • Do-it-yourself testing.
  • Flexible network layer choices.
  • Support for legacy systems.
  • Strong security and compliance standards.
These capabilities can go a long way towards allowing an organisation to check on its data recovery and backups on an as-needed basis, while also instilling confidence that the provider is protecting the data according to your needs. The right provider should also give you the flexibility to spend as much or as little time on data protection as your requirements dictate.

Ultimately, using cloud backups and DRaaS is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. In most cases, the right disaster recovery provider will offer you better recovery time objectives than your company could achieve on its own, in-house. Therefore, as you review your options, cloud DR could be the perfect solution, flexible enough to deal with an uncertain economic and business landscape.

Wednesday, 2 September 2020

Top Five Most Infamous DDoS Attacks

Guest article by Adrian Taylor, Regional VP of Sales for A10 Networks 

Distributed Denial of Service (DDoS) attacks are now everyday occurrences. Whether you’re a small non-profit or a huge multinational conglomerate, your online services—email, websites, anything that faces the internet—can be slowed or completely stopped by a DDoS attack. Moreover, DDoS attacks are sometimes used to distract your cybersecurity operations while other criminal activity, such as data theft or network infiltration, is underway. 
Why are DDoS attacks bigger and more frequent than ever?
The first known Distributed Denial of Service attack occurred in 1996 when Panix, now one of the oldest internet service providers, was knocked offline for several days by a SYN flood, a technique that has become a classic DDoS attack. Over the next few years, DDoS attacks became common, and Cisco predicts that the total number of DDoS attacks will double from the 7.9 million seen in 2018 to something over 15 million by 2023.

But it’s not just the number of DDoS attacks that is increasing: the bad guys are creating ever bigger botnets, the term for the armies of hacked devices used to generate DDoS traffic. As the botnets get bigger, the scale of DDoS attacks is also increasing. A Distributed Denial of Service attack of one gigabit per second is enough to knock most organisations off the internet, but we’re now seeing peak attack sizes in excess of one terabit per second, generated by hundreds of thousands, or even millions, of suborned devices. Given that IT services downtime costs companies anywhere from $300,000 to over $1,000,000 per hour, you can see that the financial hit from even a short DDoS attack could seriously damage your bottom line.

So we’re going to take a look at some of the most notable DDoS attacks to date. Some of our choices are famous for their sheer scale, while others are chosen for their impact and consequences.

1. The AWS DDoS Attack in 2020
Amazon Web Services, the 800-pound gorilla of everything cloud computing, was hit by a gigantic DDoS attack in February 2020. This was the most extreme DDoS attack seen in recent years, and it targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted for three days and peaked at an astounding 2.3 terabytes per second. While the disruption caused by the AWS DDoS attack was far less severe than it could have been, the sheer scale of the attack and the implications for AWS hosting customers, who could potentially lose revenue and suffer brand damage, are significant.

2. The Mirai Krebs and OVH DDoS Attacks in 2016
On September 20, 2016, the blog of cybersecurity expert Brian Krebs was assaulted by a DDoS attack in excess of 620 Gbps, which, at the time, was the largest attack ever seen. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was almost three times bigger than anything his site or, for that matter, the internet had seen before.

The source of the attack was the Mirai botnet, which, at its peak later that year, consisted of more than 600,000 compromised Internet of Things (IoT) devices such as IP cameras, home routers, and video players. Mirai had been discovered in August that same year but the attack on Krebs’ blog was its first big outing.

The next Mirai attack on September 19 targeted one of the largest European hosting providers, OVH, which hosts roughly 18 million applications for over one million clients. This attack was on a single undisclosed OVH customer and driven by an estimated 145,000 bots, generating a traffic load of up to 1.1 terabits per second, and lasted about seven days. The Mirai botnet was a significant step up in how powerful a DDoS attack could be. The size and sophistication of the Mirai network were unprecedented, as was the scale of the attacks and their focus.

3. The Mirai Dyn DDoS Attack in 2016
Before we discuss the third notable Mirai DDoS attack of 2016, there’s one related event that should be mentioned: On September 30, someone claiming to be the author of the Mirai software released the source code on various hacker forums and the Mirai DDoS platform has been replicated and mutated scores of times since.

On October 21, 2016, Dyn, a major Domain Name System (DNS) provider, was assaulted by a one terabit per second traffic flood that then became the new record for a DDoS attack. There’s some evidence that the DDoS attack may have actually achieved a rate of 1.5 terabits per second. The traffic tsunami knocked Dyn’s services offline, rendering a number of high-profile websites, including GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb, inaccessible. Kyle York, Dyn’s chief strategy officer, reported, “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

Mirai supports complex, multi-vector attacks that make mitigation difficult. Even though Mirai was responsible for the biggest assaults up to that time, the most notable thing about the 2016 Mirai attacks was the release of the Mirai source code enabling anyone with modest information technology skills to create a botnet and mount a Distributed Denial of Service attack without much effort.

4. The Six Banks DDoS Attack in 2012
On March 12, 2012, six U.S. banks were targeted by a wave of DDoS attacks—Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack generating over 60 gigabits of DDoS attack traffic per second.

At the time, these attacks were unique in their persistence: Rather than trying to execute one attack and then backing down, the perpetrators barraged their targets with a multitude of attack methods in order to find one that worked. So, even if a bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types of attack.

The most remarkable aspect of the bank attacks in 2012 was that the attacks were, allegedly, carried out by the Izz ad-Din al-Qassam Brigades, the military wing of the Palestinian Hamas organisation. Moreover, the attacks had a huge impact on the affected banks in terms of revenue, mitigation expenses, customer service issues, and the banks’ branding and image.

5. The GitHub Attack in 2018
On Feb. 28, 2018, GitHub—a platform for software developers—was hit with a DDoS attack that clocked in at 1.35 terabits per second and lasted for roughly 20 minutes. According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”

Even though GitHub was well prepared for a DDoS attack their defences were overwhelmed—they simply had no way of knowing that an attack of this scale would be launched.

The GitHub DDoS attack was notable for its scale and the fact that the attack was staged by exploiting a standard command of Memcached, a database caching system for speeding up websites and networks. The Memcached DDoS attack technique is particularly effective as it provides an amplification factor – the ratio of the amount of DDoS attack traffic generated to the size of the attacker’s request – of up to a staggering 51,200 times.
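The amplification factor described above for Memcached, and earlier for CLDAP, is something a defender can measure directly from flow records. The following added example (not code from the article or from A10 Networks) uses a constructed, simplified CSV flow format rather than real NetFlow/IPFIX, with made-up rows in documentation address ranges; it pairs request and response bytes per reflector service and flags both a local host receiving reflected traffic and a local service being abused as a reflector.

```python
"""Spot UDP reflection/amplification traffic in flow records.

Added example, not from the article or A10 Networks. The flow layout is a
constructed simplified CSV (not NetFlow/IPFIX) and every sample row is made up.
It computes the amplification factor (response bytes / request bytes) from both
directions of a flow and reports who is on the receiving end.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors (service port -> name); CLDAP and
# memcached are the two techniques named in the article.
REFLECTOR_SERVICES = {53: "dns", 123: "ntp", 389: "cldap", 1900: "ssdp", 11211: "memcached"}

# Constructed sample flows. 203.0.113.0/24 plays the local network; 192.0.2.x and
# 198.51.100.x are outside hosts (documentation ranges, not real addresses).
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets
1600000000,udp,203.0.113.10,53211,198.51.100.5,53,62,1
1600000000,udp,198.51.100.5,53,203.0.113.10,53211,148,1
1600000001,udp,192.0.2.77,11211,203.0.113.10,40000,1400000,1000
1600000002,udp,192.0.2.88,389,203.0.113.10,40001,3300000,2200
1600000003,udp,198.51.100.99,4444,203.0.113.20,11211,60,1
1600000003,udp,203.0.113.20,11211,198.51.100.99,4444,2800000,2000
1600000004,tcp,203.0.113.10,51000,198.51.100.7,443,5200,12
"""


def parse_flows(text):
    """Parse the CSV text into dicts with numeric ports, bytes and packets."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes", "packets"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def pair_flows(flows):
    """Sum request and response bytes per (reflector_ip, service_port, peer_ip).

    A UDP flow towards a reflector service port counts as a request; a flow from
    a service port counts as the response. A spoofed request is never seen on the
    victim's side, so request_bytes can legitimately stay at zero.
    """
    pairs = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst_port"] in REFLECTOR_SERVICES:
            pairs[(f["dst_ip"], f["dst_port"], f["src_ip"])]["request_bytes"] += f["bytes"]
        elif f["src_port"] in REFLECTOR_SERVICES:
            pairs[(f["src_ip"], f["src_port"], f["dst_ip"])]["response_bytes"] += f["bytes"]
    return pairs


def find_amplification(flows, local_net, ratio_threshold=10.0, min_response_bytes=100_000):
    """Return findings for pairs whose response volume is both large and far out of
    proportion to the request volume. Thresholds are constructed defaults."""
    net = ipaddress.ip_network(local_net)
    findings = []
    for (reflector, port, peer), counts in pair_flows(flows).items():
        resp, req = counts["response_bytes"], counts["request_bytes"]
        if resp < min_response_bytes:
            continue  # small answers are normal service traffic, e.g. a DNS lookup
        ratio = resp / req if req else float("inf")  # inf = unsolicited response
        if ratio < ratio_threshold:
            continue
        if ipaddress.ip_address(peer) in net:
            role = "victim"            # reflected traffic is landing on our host
        elif ipaddress.ip_address(reflector) in net:
            role = "abused_reflector"  # our own service is answering spoofed requests
        else:
            continue                   # transit traffic, not ours to judge here
        findings.append({"reflector": reflector, "service": REFLECTOR_SERVICES[port],
                         "peer": peer, "request_bytes": req, "response_bytes": resp,
                         "ratio": ratio, "role": role})
    findings.sort(key=lambda x: x["response_bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_amplification(parse_flows(SAMPLE_FLOWS), "203.0.113.0/24"):
        print(f"{f['role']:16} {f['service']:10} reflector={f['reflector']} "
              f"peer={f['peer']} ratio={f['ratio']:.0f}")
```

Run against the sample, the DNS exchange is ignored (148 bytes back for 62 sent), the two unsolicited floods on port 11211 and 389 are reported as hitting a local victim, and the local memcached instance answering a 60-byte request with 2.8 MB is reported as an abused reflector. The "abused_reflector" finding is the one worth acting on first, since it is the only one where the fix (firewalling or disabling the UDP listener) is entirely within the defender's control.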

And that concludes our top five line-up – it is a sobering insight into just how powerful, persistent and disruptive DDoS attacks have become.

Tuesday, 1 September 2020

Cyber Security Roundup for September 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, August 2020.

Taking security training courses and passing certification exams are common ingredients in the makeup of the vast majority of accomplished cybersecurity and information security professionals. As such, two security incidents last month raised more than just a surprising eyebrow or two within the UK security industry. 

The first involved the renowned and well-respected United States security training company, the SANS Institute, announcing that a successful email phishing attack against one of its employees resulted in 28,000 personal records being stolen. SANS classified this compromise as "consent phishing", namely where an employee is tricked into granting malicious Microsoft Office 365 OAuth applications access to their O365 account. In June 2020, Microsoft warned that 'consent phishing' scams were targeting remote workers and their cloud services.

The second incident involved British cybersecurity firm NCC Group, after The Register reported that NCC-marked CREST penetration testing certification exam 'cheat sheets' were posted on Github. El Reg stated the leaked NCC-marked document "offered step-by-step guides and walkthroughs of information about the Crest exams", with those who posted the documents claiming that they contained a clone of the Crest CRT exam app that helped users to pass the CRT exam at the first attempt. CREST, a globally recognised provider of penetration testing accreditations, conducted its own investigation into the Github post and then suspended its Certified Infrastructure Tester (CCF Inf) and Certified Web Application Tester (CCT App) exams.

Reuters reported that British trade minister Liam Fox's email account was compromised by Russian hackers through a spear-phishing attack. This led to leaks of sensitive US-UK trade documents in a disinformation campaign designed to influence the outcome of the UK general election in late 2019.

UK foreign exchange firm Travelex is still reeling from the double 2020 whammy of a major ransomware outbreak followed by the impact of COVID-19, and has managed to stay in business thanks to a bailout arranged by its business administrators PWC.

Uber's former Chief Security Officer has been charged with obstruction of justice in the United States, accused of covering up a massive 57 million record data breach in 2016. Uber eventually admitted paying a hacking group a $100,000 (£75,000) ransom to delete the data they had stolen.

The British Dental Association advised its dentist members that their bank account details and correspondence with them were stolen by hackers. A BDA spokeswoman told BBC News it was possible that information about patients was also exposed, but remained vague about the potential context. The cyber breach was likely caused by a hack of the BDA website, given it was taken offline for a considerable amount of time after reporting the breach.

It seems that every month I report a huge cloud misconfiguration data breach, typically found by researchers looking for publicity, and caused by businesses not adequately securing their cloud services. This month it was the turn of cosmetics giant Avon, after researchers 'SafetyDetectives' found 19 million records were accessible online due to the misconfiguration of a cloud server. Accurics separately reported that misconfigured cloud services accounted for 93% of the 200 breaches it has seen in the past two years, exposing more than 30 billion records. Accurics also predicts that cloud services data breaches are likely to increase in both velocity and scale; I am inclined to agree.
Finally, I was invited to review a pre-release of Geoff White’s new book, “Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”. I posted a book review upon its release in August; I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises. While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.

Stay safe and secure.


Tuesday, 25 August 2020

Beating the Emotet Malware with SSL Interception

Guest post by Adrian Taylor, Regional VP of Sales for A10 Networks  

The Emotet trojan recently turned from a major cybersecurity threat to a laughingstock when its payloads were replaced by harmless animated GIFs. Taking advantage of a weakness in the way Emotet malware components were stored, white-hat hackers donned their vigilante masks and sabotaged the operations of the recently revived cyberthreat. While highly effective as well as somewhat humorous, the incident should not distract attention from two unavoidable truths. 
First, while the prank deactivated about a quarter of all Emotet malware payload downloads, the botnet remains a very real, ongoing threat and a prime vector for attacks such as ransomware. And second, relying on one-off operations by whimsical vigilantes is hardly a sustainable security strategy. To keep the remaining active Emotet botnets—and countless other cyber threats—out of their environment, organisations need to rely on more robust and reliable measures based on SSL interception (SSL inspection) and SSL decryption.

History of Emotet and the threat it presents
First identified in 2014, version one of Emotet was designed to steal bank account details by intercepting internet traffic. A short time after, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules, including a money transfer system, malspam module, and a banking module that targeted German and Austrian banks. Last year, we saw reports of a botnet-driven spam campaign targeting German, Polish, Italian, and English victims with craftily worded subject lines like “Payment Remittance Advice” and “Overdue Invoice.” Opening the infected Microsoft Word document initiates a macro, which in turn downloads Emotet from compromised WordPress sites.

After a relatively quiet start to 2020, the Emotet trojan resurfaced suddenly with a surge of activity in mid-July. This time around, the botnet’s reign of terror took an unexpected turn when the payloads its operators had stored on poorly secured WordPress sites were replaced with a series of popular GIFs. Instead of being alerted to a successful cyberattack, the respective targets received nothing more alarming than an image of Blink 182, James Franco, or Hackerman.

Whilst this is all in good fun, the question remains: what if the white hats had left their masks in the drawer instead of taking on the Emotet trojan? And what about the countless other malware attacks that continue unimpeded, delivering their payloads as intended?

A view into the encryption blind spot with SSL interception (SSL inspection)
Malware attacks such as Emotet often take advantage of a fundamental flaw in internet security. To protect data, most companies routinely rely on SSL encryption or TLS encryption. This practice is highly effective for preventing spoofing, man-in-the-middle attacks, and other common exploits from compromising data security and privacy. Unfortunately, it also creates an ideal hiding place for hackers. To security devices inspecting inbound communications for threats, encrypted traffic appears as gibberish—including malware. In fact, more than half of the malware attacks seen today are using some form of encryption. As a result, the SSL encryption blind spot ends up being a major hole in the organisation’s defence strategy.

The most obvious way to address this problem would be to decrypt traffic as it arrives to enable SSL inspection before passing it along to its destination within the organisation—an approach known as SSL interception. But here too, problems arise. For one thing, some types of data are not allowed to be decrypted, such as the records of medical patients governed by privacy standards like HIPAA, making across-the-board SSL decryption unsuitable. And for any kind of traffic, SSL decryption can greatly degrade the performance of security devices while increasing network latency, bottlenecks, cost, and complexity. Multiply these impacts by the number of components in the typical enterprise security stack—DLP, antivirus, firewall, IPS, and IDS—and the problem becomes clear.

How efficient SSL inspection saves the day
Many organisations rely on distributed per-hop SSL decryption, in which each security device decrypts the same traffic again. A single, centralised SSL inspection solution can provide the best course of action by decrypting traffic once, across all TCP ports and advanced protocols like SSH, STARTTLS, XMPP, SMTP and POP3. This solution also provides network traffic visibility to all security devices, including inline, out-of-band and ICAP-enabled devices.
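The selectivity problem raised above, decrypting most traffic while leaving exempt categories such as medical records untouched, has to be decided before anything is decrypted, and the only plaintext name available at that point is the Server Name Indication (SNI) in the TLS ClientHello. The following added example (not code from the article or from A10 Networks) parses the SNI out of a ClientHello with bounds checks throughout and applies a bypass list; the exempt suffixes are constructed placeholders, and build_client_hello() is a minimal constructed hello for the demonstration, not a full TLS implementation.

```python
"""Selective TLS inspection: decide per connection whether to decrypt or bypass.

Added example, not from the article or A10 Networks. Parses the SNI from a TLS
ClientHello, the one plaintext name an inspection device can read before
decrypting, and applies a bypass list for names that must not be decrypted.
The suffixes and build_client_hello() are constructed for the demo.
"""

SNI_EXTENSION = 0x0000
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01

# Constructed placeholder list; a deployment would feed this from a category service.
NO_DECRYPT_SUFFIXES = ("patient-portal.example.org", "bank.example.com")


def _parse_sni_extension(data):
    """Return the first host_name entry from an SNI extension body, or None."""
    if len(data) < 2:
        return None
    end = min(2 + int.from_bytes(data[0:2], "big"), len(data))
    pos = 2
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = int.from_bytes(data[pos + 1:pos + 3], "big")
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:  # host_name
            try:
                return name.decode("ascii").lower()
            except UnicodeDecodeError:
                return None
    return None


def extract_sni(record):
    """Walk TLS record -> ClientHello -> extensions and return the SNI, or None if
    the bytes are not a ClientHello or carry no SNI. Every length is bounds-checked
    so truncated or hostile input returns None instead of raising."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                        # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                  # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                  # compression_methods
    if len(hs) < pos + 2:
        return None                                     # no extensions block
    end = min(pos + 2 + int.from_bytes(hs[pos:pos + 2], "big"), len(hs))
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(hs[pos:pos + 2], "big")
        ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
        ext_data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == SNI_EXTENSION:
            return _parse_sni_extension(ext_data)
    return None


def inspection_decision(record, bypass_suffixes=NO_DECRYPT_SUFFIXES):
    """Policy: bypass decryption only when the SNI provably matches an exempt name;
    everything else, including hellos without SNI, takes the decrypt path."""
    sni = extract_sni(record)
    if sni is None:
        return {"action": "decrypt", "sni": None, "reason": "no SNI, exemption cannot be proven"}
    for suffix in bypass_suffixes:
        if sni == suffix or sni.endswith("." + suffix):
            return {"action": "bypass", "sni": sni, "reason": f"matches exempt suffix {suffix}"}
    return {"action": "decrypt", "sni": sni, "reason": "not exempt"}


def build_client_hello(hostname=None):
    """Constructed minimal TLS 1.2 ClientHello (zero random, one cipher suite) with a
    supported_groups extension first and an SNI extension when hostname is given."""
    exts = b"\x00\x0a\x00\x04\x00\x02\x00\x1d"           # supported_groups: x25519
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts += SNI_EXTENSION.to_bytes(2, "big") + len(sni_list).to_bytes(2, "big") + sni_list
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hello += len(exts).to_bytes(2, "big") + exts
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for host in ("www.example.com", "my.patient-portal.example.org", None):
        print(host, inspection_decision(build_client_hello(host)))
```

The policy deliberately treats a missing SNI as "decrypt": an exemption exists to protect a named category of data, so a connection that offers no name cannot claim it. Whether that default should instead be "block" or "categorise by server certificate" is a deployment decision, but it should never be "silently bypass", since that is exactly the gap malware can walk through.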

Whilst we should celebrate the work of the white hats who restrained Emotet, it is not every day that a lethal cyber threat becomes a matter of humour. But having had a good laugh at their expense, we should turn our attention to making sure that attacks like Emotet have no way to succeed in the future—without the need to count on vigilante justice - this is where SSL inspection can really save the day.

Sunday, 23 August 2020

Countering Cybercrime in the Next Normal

Guest post By Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black

COVID-19 has reshaped the global cyberthreat landscape. While cyberattacks have been on the rise, the surge in frequency and increased threat sophistication is notable. The latest VMware Carbon Black Global Incident Threat Report, Extended Enterprise Under Threat – Global Threat Report series, found cybercriminals have seized the opportunity, taking advantage of the global disruption to conduct nefarious activity.

COVID-19 has Exacerbated pre-existing Cyber Threats
VMware Carbon Black's latest global survey of Incident Response (IR) professionals found that COVID-19 has exacerbated pre-existing cyberthreats, from counter incident response and island hopping to destructive attacks. Remote work compounds this, bringing additional cybersecurity challenges as employees access critical data and applications from their home networks or with personal devices outside of the corporate perimeter. Cybercriminals are also targeting the cloud, which organisations rely on to enable remote work. If you’re a cybercriminal, the pool of people you can trick now is exponentially larger, simply because we are in a global disaster.

As the threat landscape transforms and expands, the underlying methodologies behind the attacks have remained relatively consistent. Attackers have just nuanced their threat strategies. For example, last Christmas, the number one consumer purchase was smart devices, now they’re in homes that have fast become office spaces. Cybercriminals can use those family environments as a launchpad to compromise and conduct attacks on organizations. In other words, attackers are still island hopping – but instead of starting from an organisation’s network and moving along the supply chain, the attack may now originate in home infrastructures.

Next-Generation Cyberattacks require Next-Generation IR
While more than half (53%) of the IR professionals reported encountering or observing an increase in cyberattacks exploiting COVID-19, this isn’t a one-sided battle and there is much security teams can do to fight back.

Next-generation cyberattacks – with adversaries increasingly working to maintain persistence on systems – call for next-generation IR, especially as corporate perimeters across the world break down. To this point, here are seven key steps that security teams can take to fight back:

  1. Gain better visibility into your system’s endpoints: Doing so can empower security teams to be proactive in their IR – rather than merely responding to attacks once they come, they can hunt out prospective threats. This is increasingly important in today’s landscape, with more attackers seeking to linger for long periods on a network and more vulnerable endpoints online via remote access.
  2. Establish digital distancing practices: People working from home should have two routers, segmenting traffic from work and home devices. They should have a room free of smart devices for holding potentially sensitive conversations. And they should restrict sensitive file sharing across insecure applications, like video conferencing tools.
  3. Enable real-time updates, policies and configurations across the network: This may include updates to VPNs, audits or fixes to configurations across remote endpoints and other security updates – even when outside the corporate network. It’s important to keep in mind the security architecture when making these changes, otherwise, things get changed without having the proper controls in place to react.
  4. Enhance collaboration between IT and security teams – and make IT teams more cybersecurity savvy: As noted, 92% of IR professionals agree that a culture of collaboration between IT and security teams will improve enterprise security and response to cyber risks. This is especially true under the added stress of the pandemic. Alignment should also help elevate IT personnel to become experts on their own systems, whether it’s training them to threat hunt on a Windows box or identify anomalous configurations on certain SaaS applications.
  5. Expand Cyber-Threat Hunting: Threat hunting provides ground truth and context, which is essential for defence. Situational awareness depends on ground truth, which is based on the assumption of breach. One must proactively explore one's environment for abnormal activity. The cadence of threat hunting must be increased, and the scope should extend to the information supply chain as well as senior executives’ laptops as they work from home.
  6. Integrate Security Controls: Integration allows organisations to uniquely see across traditional boundaries/silos providing richer telemetry and allowing for defenders to react seamlessly.
  7. Remember to communicate: Now more than ever, organizations must motivate IT and SecOps to get on the same page and prioritize change management while maintaining clear lines of communication – about new risk factors (application attacks, OS exploitation, smart devices, file-sharing applications, etc.), protocols and security resources.
As we move into the next normal, the workforce will largely remain remote and distributed. Organisations will need to prioritise sharpening their security defences and gaining a clearer picture of the evolving threat landscape to inform today, tomorrow and the challenging months to come.

Tuesday, 18 August 2020

Book Review: Crime Dot Com, From Viruses to Vote Rigging, How Hacking Went Global

I had the great delight of reading Geoff White’s new book, “Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises.
In Crime Dot Com Geoff takes the reader on a global historic tour of the shadowy cybercriminal underworld, from the humble beginnings, with a rare interview with the elusive creator of the ‘Love Bug’ email worm, which caused havoc and panic back in 2000, right up to the alarming modern-day phenomenon of election hacking by nation-state actors.

The book tells the tales of the most notorious hacks in recent history, explaining how they were successfully planned and orchestrated, all wonderfully written in a plain English style that my Luddite mother-in-law can understand. It reveals that cybercrime is not just about the Hollywood stereotype of the lone hacker, eagerly tapping away on a keyboard in the dark and finding ingenious ways of exploiting IT systems, but is really about obscure online communities of like-minded individuals with questionable moral compasses, collaborating and ultimately exploiting innocent victims out of billions of pounds.

The book covers the UK’s most notorious cyberattacks, such as the devastating 2017 WannaCry ransomware worm attack on the NHS, and the infamous TalkTalk hack carried out by teenage hackers. It delves beyond the media 'cyber scare' headlines of the time to bring the reader the full story of what happened. The book also explores the rise and evolution of the Anonymous hacktivist culture and takes a deep dive into the less savoury aspects of criminal activities occurring on the dark web.

As you read about the history of cybercrime in this book, a kind of symbiosis between cybercriminals’ and nation-state hackers’ activities becomes apparent, from Russian law enforcement turning a blind eye to Russian cybercriminals exploiting the West, to both the NSA’s and North Korea’s alleged involvement in creating the heinous WannaCry ransomware worm, and the UK cybercriminal that disabled that attack. The growing number of physical world impacts caused by cyber-attacks, so-called ‘kinetic warfare’, are also probed in Crime Dot Com: how the sophisticated Stuxnet malware, attributed by the media to the United States military, was unleashed with devastating effect to physically cripple an Iranian nuclear power station in a targeted attack, and why the latest cyber threat actors are targeting Britain’s energy network.

While this book is an easily digestible read for non-cybersecurity experts, it also provides cybersecurity professionals working on the frontline, defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.
5 out of 5: A must-read for anyone with an interest in cybercrime

Friday, 7 August 2020

Cyber Security Roundup for August 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets.
Scam Tweet
The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me.

While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, and that the scammer(s) orchestrated near-simultaneous Bitcoin scam tweets to be posted from the high-profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year-old British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

SIGRed is a wormable vulnerability, which makes it particularly dangerous: wormable malware could exploit it to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to compromise privileged accounts (i.e. admin accounts found on servers). The Microsoft CVE-2020-1350 vulnerability can be mitigated on affected systems either by applying the Windows DNS Server patch Microsoft released (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability).
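As an added illustration of the registry workaround route (this is example code written for this post, not code from the original post or from Microsoft), the script below audits a DNS server for the TcpReceivePacketSize cap that Microsoft's KB4569509 workaround sets and applies it if missing. It assumes an elevated PowerShell session on a server with the DNS Server role installed.

```powershell
# Added example, not from the original post: check whether a Windows DNS Server
# has the CVE-2020-1350 (SIGRed) registry workaround from Microsoft KB4569509 in
# place, and apply it if the July 2020 update cannot be installed straight away.
# Assumes an elevated session on a host with the DNS Server role installed.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00   # value Microsoft's workaround sets (below the 0xFFFF maximum)

function Get-SigRedWorkaroundState {
    # Reports whether the DNS Server service exists and whether the workaround
    # value is present and at or below the recommended cap.
    $dnsService = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    $status = 'NotInstalled'
    if ($dnsService) { $status = $dnsService.Status.ToString() }

    $current = $null
    if (Test-Path -Path $RegPath) {
        $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $current = [int]$item.$ValueName }
    }

    [pscustomobject]@{
        DnsRoleInstalled  = [bool]$dnsService
        DnsServiceStatus  = $status
        CurrentValue      = $current
        WorkaroundApplied = ($null -ne $current) -and ($current -le $SafeValue)
    }
}

function Set-SigRedWorkaround {
    # Writes the DWORD and restarts the DNS Server service, which is required
    # for the new value to take effect. Caveat: inbound TCP-based DNS response
    # packets larger than 0xFF00 bytes are dropped while the workaround is in
    # place, so remove it once the security update has been installed.
    if (-not (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)) {
        throw 'DNS Server role is not installed on this host; nothing to mitigate.'
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
        -Value $SafeValue -Force | Out-Null
    Restart-Service -Name 'DNS' -Force
    Get-SigRedWorkaroundState
}

# Audit first; only apply when the role is present and the cap is missing.
$state = Get-SigRedWorkaroundState
$state | Format-List
if ($state.DnsRoleInstalled -and -not $state.WorkaroundApplied) {
    Write-Warning 'SIGRed workaround not present; run Set-SigRedWorkaround if the patch is not yet deployed.'
}
```

The audit half is safe to run across a server estate; the Set function restarts the DNS service, so schedule it like any other resolver outage.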

At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions, after Reuters said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following Australia's trade dispute with China.

The Russian hacking group APT 29 was jointly accused of targeting coronavirus vaccine research for theft by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK rejected the allegations: "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation; the million-pound theft was only thwarted by a last-minute intervention by a bank. Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising email accounts, cyber-enabled fraud and ransomware to shut down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin had its website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'. According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to fitness brand 'V Shred' were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred responded to the researchers' findings by claiming it was necessary for user files to be publicly available, and denied that any PII data had been exposed.


Wednesday, 5 August 2020

Securing the COVID-19 'New Normal' of Homeworking

The COVID-19 pandemic has put into motion a scale of remote working never before seen. Our teams are no longer just grouped in different office locations – but working individually from kitchen tables, spare rooms and, for the lucky ones, home offices! It’s therefore inevitable that this level of remote working will reveal security pitfalls for remediation, with improvements that can be carried forward when this period is over.
Attackers are taking advantage of heightened anxiety and homeworking
Tony Pepper, CEO at Egress, provides his insight below, as well as his six tips to improve data security while working from home.

Phishing

It’s sad, but it’s no surprise that phishing attacks have increased due to COVID-19 – and businesses need to be prepared. Attackers are taking advantage of an environment of heightened anxiety and disrupted work settings to trick people into making mistakes, and they’re unlikely to stop until at least the main wave of the pandemic has passed.

Research shows that phishing is a major security issue under normal circumstances. Egress’ recent Insider Data Breach survey found that 41% of employees who had accidentally leaked data had done so because of a phishing email. More worryingly, given their level of access to data and systems, senior personnel are typically the most likely group to fall victim to phishing attacks, with 61% of directors saying that they’d caused a breach in this way.

And education and training can only go so far. Of course, we must continue to encourage employees to be vigilant to suspicious emails and to do things like hovering over links before clicking on them. We also need to reduce blame culture and free up employees to report genuine mistakes without fear.

But this can only go so far. People will always make mistakes. The good news is that advanced technology like contextual machine learning can remediate the targeted attacks, like conversation hijacking, that usually do the most damage to businesses.

Productivity and Security
Even in our tech-savvy world, there are still organisations that don’t have VPN access set up or enough laptops, mobile devices or processes to enable home working. But while IT teams try to quickly sort this situation out, we’re seeing employees finding workarounds, for example by sharing files using FTP sites or sending data to personal devices to work on.

We talk a lot about ‘human layer security’ technologies, which find the right balance between productivity and security. Right now, as well as looking at technologies to help securely move meetings, events and other activities online, businesses should also check that usually easy routine tasks can still be carried out safely – such as sharing large files or sending sensitive data via email. In particular, technologies like contextual machine learning and AI can identify what typically ‘good’ security behaviour looks like for individual users and then prevent abnormal behaviours that put data at risk.

For example, with people working on smaller screens and via mobile devices, it’s more likely they might attach the wrong document to an email or include a wrong recipient. Contextual machine learning can spot when incidents like this are about to happen and correct the user’s behaviour to prevent a breach before it happens.

Human Error
People are the new perimeter when it comes to data security – their decisions and behaviours can put data at risk every day, especially at a time of global heightened anxiety.

We know from our 2020 Insider Data Breach Survey that over half of employees don’t think their organisation has sole ownership over company data – instead believing that it is in-part or entirely owned by the individuals and teams who created it. And we also know that people are more likely to take risks with data they feel belongs to them than data they believe belongs to someone else. When they don’t have access to the right tools and technology to work securely – or they think the tools they do have will slow them down, especially at a time when the need for productivity is at its highest – they’re more likely to cut corners.

Maintaining good security practices is essential – and the good news is there are technologies on the market that can help ensure the right level of security is applied to sensitive data without blocking productivity.

Six Tips to improve Data Security while Working from Home 
We can all agree that times are incredibly tough right now. For security professionals looking to mitigate some of the risks, here are six practical tips taken from the conversations we’re having with other organisations right now:

  1. Look for security software that doesn’t hamper productivity. It’s generally the aim of the game anyway – but right now, employees are feeling increased pressure to prove their productivity. If you’re finding yourself selecting new solutions, it’s never been more crucial to select technologies that don’t add difficult extra steps for them or anyone they’re working with outside the organisation.
  2. Choose collaboration/productivity solutions that have security baked into them. The other side to the coin of the point above, really: when choosing any new solution to implement at this time, make sure that security measures are part of a product’s standard design, and not an after-thought.
  3. Automate security wherever possible. If it’s possible, take decisions out of end users’ hands to ensure the security of sensitive information in line with policy, reducing the risk of someone accidentally or intentionally not using security software.
  4. Engage employees over security best practices. Phishing is a good example of this. Some inbound risks will evade the filters on your network boundary and end up in users’ mailboxes. Effort to proactively engage employees through e-learning and other educational measures can help them to know what to do with emails they think are suspicious (for example, hovering over links before clicking on them).
  5. Look to AI and machine learning to help solve advanced risks. Use cases like conversation hijacking, misdirected emails or people attaching the wrong files to documents can now be mitigated by intelligent technology like contextual machine learning, which determines what “good security behaviour” looks like for each individual, and alerts them and administrators to abnormal incidents – effectively stopping breaches before they happen.
  6. Implement no-fault reporting. People often don’t report security incidents because they’re concerned about the repercussions. Where it’s appropriate to do so, implement no-fault reporting to encourage individuals to report incidents in a timely manner, so you can focus on remediating the problem as quickly as possible.

Friday, 17 July 2020

Twitter Hack & Scam

What Happened?
Twitter confirmed 130 celebrity Twitter accounts were targeted in the cyberattack on Wednesday 15th July, with 45 successfully compromised. The hacked Twitter accounts included high profile individuals such as Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Their accounts were used to send a tweet to scam Bitcoin out of their millions of followers.

Scam Social Engineering Tweet sent from Bill Gates' Twitter Account
Twitter quickly reacted to the hack by taking an unprecedented step of temporarily preventing all verified users from tweeting, including yours truly; I was trying to warn people about the attack but my tweets were repeatedly prevented from posting. Before the scam tweets were taken down more than £80,000 ($100,000) was sent to the scam Tweet's advertised Bitcoin address. The FBI is investigating the incident.

How the Twitter Accounts were Compromised
Twitter said hackers had targeted employees with access to its internal systems and "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf". A report by security research firm Hudson Rock said an advert appeared on a dark web hackers' forum earlier in the week, which offered a service to take over any Twitter account. The seller said they were able to achieve this by being able to change any Twitter account's linked email address.

The seller was a group or individual that managed to hack their way into Twitter's backend systems, probably by social engineering Twitter's staff, to gain full administration rights at Twitter. This enabled them to offer their buyers the ability to control any Twitter account and to write those accounts' tweets. Hence this nefarious service was bought and then used to acquire Bitcoin via scam messages.
Hackers posted the view from the Twitter control panel
Security researchers at Hudson Rock spotted Twitter Hack advertisement
Additional Impact?
It is not yet clear whether the hacker(s) stole the Direct Messages (private messages) of the high-profile Twitter users; such messages could be used to cause embarrassment and for cyber extortion. The attack appears to be a quick 'smash and grab' money maker, by both the seller looking to make a quick buck and by the buyer, who used the service to quickly obtain £80k worth of Bitcoin, rather than anything more sinister or sophisticated.

Update as of 18th July 2020
Twitter confirmed the perpetrators used its administration tools to orchestrate the attack and had downloaded data from up to eight of the accounts involved, but said none of these was a "verified" high-profile account.

A New York Times article suggested at least two of the attackers are from England.

Twitter's statement said "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems. We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We're embarrassed, we're disappointed, and more than anything, we're sorry."

Facts Twitter confirmed
  • Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
  • Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
  • In cases where an account was taken over by the attacker, they may have been able to view additional information. Forensic investigation of these activities is still ongoing.
What the Experts Think
Nigel Thorpe, technical director at SecureAge, said the latest Twitter hack exposes the identity and access management vulnerability and the risk of administrator accounts being compromised, leaving data vulnerable. It appears that cybercriminals gained access to Twitter's internal network, then used an admin tool to control the user accounts of prominent individuals and organisations to post fraudulent messages. They used social engineering to gain access to Twitter staff accounts, which in turn gave access to data stored on the network.

This incident illustrates the loophole with identity and access management such that if a user account is compromised, data is left unprotected. This loophole can be closed by taking a data-centric approach to security, where information is automatically protected, with authenticated encryption built right into the data. This means that even unencrypted files, when changed or moved, will immediately be encrypted so that, if stolen, they will appear to be garbage to the thief.

A compromised user account still has access to data, but it remains encrypted all the time, even when in use. When copied from its ‘safe’, access-controlled location - even if that's outside the organisation - the data remains encrypted and therefore useless. No ransom, no embarrassing disclosures, no legal action.

Liviu Arsene, Global Cybersecurity Researcher at Bitdefender, said that attackers successfully compromising high-profile Twitter accounts that potentially also had two-factor authentication enabled can only point to a coordinated cyberattack on Twitter’s employees and systems. It’s likely this could be a result of attackers exploiting the work-from-home context, in which employees are far more likely to fall prey to scams and spearphishing emails that end up compromising devices and ultimately company systems.

This high-profile Twitter breach could be the result of a spray-and-pray spear-phishing campaign that landed some opportunistic cybercriminals what could potentially be the hack of the year for Twitter. They could have done potentially far more damage. Instead, by delivering a simple Bitcoin scam, we could be looking at attackers that wanted to quickly monetize their access, instead of a highly coordinated and sophisticated operation performed by an APT group.

If this is the case, it’s likely that more companies could potentially be breached as a result of cybercriminals phishing employees. With 50% of organizations not having a plan for supporting and quickly migrating employees and infrastructure to full remote work, we’re probably going to see more data breaches that either exploit employee negligence or infrastructure misconfigurations left behind during the work from home transition.

While large organizations may have strong perimeter security defences, security professionals mostly worry that a potential breach could occur because of attackers exploiting the weakest link in the cybersecurity chain: the human component.

Tony Pepper, CEO of Egress, said that Twitter suffering a co-ordinated attack targeting its employees "with access to internal systems and tools" is deeply concerning. However, screenshots obtained from two sources who took over accounts, which suggest that this breach was caused by an intentionally malicious insider, add an additional layer of concern and complexity to this saga.

In our 2020 Insider Data Breach, we found that 75% of IT leaders surveyed believe employees have put data at risk intentionally in the past year and this latest breach seems to bear out those beliefs.

So, what can security professionals do to prevent this risk and keep sensitive data out of the reach of malicious threat actors? Organisations have an opportunity to do more by understanding the ‘human layer’ of security, including breach personas and where different risks lie. Technology needs to do more by providing insight into how sensitive data in the organisation is being handled and identifying risks, including human-activated threats.

By spotting the characteristics of a potentially malicious insider and being aware of what they are susceptible to and motivated by, organisations can put the tactics, techniques, and technology in place to mitigate the risk.