Cyber Security Roundup for October 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, September 2020.

COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of University and Colleges in September.  Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period", that statement is the hallmark of recovery from a mass ransomware infection.

Doppelpaymer Ransom notice

On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

Recently reported cyberattacks in the educational sector.

• Newcastle University faces cyber-attack
• Northumbria University hit by cyber-attack
• UK universities in Blackbaud attack
• Leeds college group under cyber-attack
• Hackers beat university cyber-defences in two hours
• Students blamed for college cyber-attacks

Across the pond, healthcare giant Universal Heather Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note fitted the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber exportation attacks against US firms.

Finnish telecoms firm Nokia is inline for a major cash bonanza due to the Huawei 5G by the UK Government, following their deal to provide BT with 5G equipment at some 11,600 sites

ZeroLogon:  IT Support Staff must Patch Now!
A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after the Microsoft, CISA, the UK NCSC, and other security bodies warned the vulnerability was being actively exploited in mid-September. Dubbed 'Zerologon', Microsoft issued a security fix for the bug, which scored a maximum criticality rate of 10.0, as part of their August 2020 'Patch Tuesday' release of monthly security updates. Since that public disclosure of the flaw, there have been multiple proofs-of-concept (PoC) exploits appearing on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigation or workarounds for this vulnerability, so it is essential for the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then ensure DC enforcement mode is enabled. 

Stay safe and secure.

BLOG

• The DRaaS Data Protection Dilemma
• Top Five Most Infamous DDoS Attacks
• Cyber Security Roundup for September 2020

NEWS

• Alert issued to UK Universities and Colleges about Spike in Cyberattacks 
• Newcastle University Students’ Data Held to Ransom by Cyber Criminals 
• Nokia clinches 5G deal with BT to phase out Huawei's kit in BT’s EE Network
• British 'Dark Overlord’ Hacker Jailed for Five Years in the US
• Large US Hospital Chain Hobbled by Ryuk Ransomware
• Massive Magecart Attacks Steal personal Data from Magento 1 stores
• Flightradar24 Website Hit By Three Suspected DDoS Attacks In 48 Hours 
• Police launch Homicide inquiry after German hospital hack

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Windows Domain Controller Critical Vulnerability being actively Exploited, Apply Patch Now!
• Microsoft Patches 120 Vulnerabilities
• Palo Alto Fixes 9 Vulnerabilities in PAN-OS
• Adobe Releases Update to Patch Critical Flaw in Experience Manager, Framemaker, and InDesign
• Critical Flaw (CVE-2020-6287) gives Attackers Control of Vulnerable SAP Business Applications
• Microsoft Reprieves SHA-1 Deprecation in Edge 85 Security Baseline

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Russia, China and Iran hackers target Trump and Biden according to Microsoft
• CISA Alert: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
• NIST (SP 1800-11) Guide to Help Organisations Recover from Ransomware, other Data Integrity Attacks