Tuesday, 1 December 2020

Cyber Security Roundup for December 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, November 2020.

Manchester United FC remains impacted by a seemingly major cyber-attack, which I covered in a blog post titled The Multi-Million Pound Manchester United Hack. At this point, United have provided few details about their cyber-attack, which has been impacting the club's IT systems for well over a week. However, the UK media are widely reporting that United's leaky IT defences were unable to prevent a ransomware attack and data theft. London's Hackney Borough Council have also been tight-lipped about what they describe as "a serious cyber-attack" which has impacted its service delivery to Londoners. Like United, this attack has all the hallmarks of a mass ransomware outbreak. Both Manchester United and Hackney Council said they are working with the UK's National Cyber Security Centre (NCSC).

Man.Utd hit by ransomware, who's next?

Street Fighter games maker Capcom was also reported to have been compromised by a ransomware attack, with up to 350,000 people said to be affected, along with some of Capcom's financial information stolen. The Ragnar Locker hacker group were said to be behind the attack, although indications are that Capcom hasn't given in to their ransom demands, after an ominous message appeared on the Ragnar group's website which said Capcom didn't "make a right decision and save data from leakage".

Ransomware attacks will go from bad to worse in 2021 according to Sophos. In its annual threat report, Sophos anticipates ransomware tactics, techniques and procedures will become more evasive, with criminal threat actors operating more like nation-state attackers. Sophos also expects an increase in the number of entry-level, apprentice-type attackers looking for menu-driven, ransomware-for-rent offerings, meaning the technical barrier preventing general nefarious folk from orchestrating ransomware attacks is getting lower.

It's likely COVID-19 has saved Ticketmaster from a more substantial DPA/GDPR fine, after the Information Commissioner's Office (ICO) announced it had fined the gig ticket selling company a mere £1.25 million for failing to keep 9 million of its customers' personal data and payment cards secure. The ICO investigation concluded a vulnerability in a third-party chatbot installed on Ticketmaster's online payments page was exploited and used to access its customers' card payment details. Following the breach, 60,000 Barclays bank customers were victims of fraud, while online bank Monzo had to replace 6,000 payment cards due to fraud. Ticketmaster said it would appeal against the ICO ruling.

An interesting new UK law is in the offing, which proposes fines of 10% of turnover or more than £100,000 a day for telecoms operators that use Huawei network equipment within their 5G networks. The bill provides the UK government with new powers to force out Huawei usage by the UK telecoms giants; the threatened sum of £100,000 a day would only be used in the case of "continuing contravention", according to Number 10.

Consumer group Which? warned that security flaws in popular smart doorbells are placing UK consumers at risk. The watchdog tested 11 smart doorbell (IoT) devices purchased from popular online marketplaces like Amazon; the dodgy products were said to have been made by Qihoo, Ctronics and Victure. The most common security flaws found by Which? were weak password policies and a lack of data encryption. Two of the devices could be manipulated to steal network WiFi passwords, providing the opportunity for an attacker to then hack other smart devices within the home.

The NCSC released its annual review, confirming what we already know about the commonality of ransomware attacks on UK organisations. The NCSC also accused Russia of trying to steal vaccine-related information through cyber-espionage, advising of an "ongoing threat" of nation-states targeting the UK vaccine research-and-delivery programmes. The NCSC were not alone in pointing the finger at nation-state threat actors going after COVID-19 vaccines; Microsoft also reported state-backed hackers from Russia and North Korea were targeting organisations working on a coronavirus vaccine. The Russian group "Fancy Bear" and North Korean groups "Zinc" and "Cerium" were fingered by Microsoft as the culprits behind a spate of recent cyber-attacks. Microsoft said Fancy Bear were brute-forcing accounts with millions of different password combinations, while the North Korean groups sent spear-phishing emails posing as World Health Organisation officials, in an attempt to trick researchers into handing over their login credentials and research data.

Stay safe and secure.


    Monday, 30 November 2020

    The Multi-Million Pound Manchester United Hack

    Earlier this year I wrote a blog post about the Manchester City Billion Pound Hack, which explored cyberattacks within elite football. Now it is the turn of City's big rivals Manchester United, after they reported their IT systems had been impacted by a cyber-attack, widely reported in the UK media as a cyber-extortion attack.

    In the last couple of years, cybercriminals have significantly ramped up their efforts in targeting UK businesses with cyber extortion attacks, using ransomware malware and confidential data theft to leverage their victims into paying large ransoms anonymously in Bitcoin. Many businesses have been quick to pay out ransoms after their operations ground to a halt due to their IT systems being rendered unusable by ransomware, and also to avoid the cybercriminals dumping their confidential data on the internet.

    In July 2020 the UK National Cyber Security Centre (NCSC) specifically warned in a report that cybercriminals were targeting UK sports teams with ransomware attacks. This NCSC report cited a ransomware attack against an unnamed English Football League club, which crippled their IT systems to the extent that it stopped their turnstiles from working and almost led to the cancellation of a league fixture, which would have cost the club hundreds of thousands of pounds in lost income. The NCSC reported it suspected the cyber attackers gained access to the football club's network either by a phishing email or by a remote access system connected to the club's CCTV system. That access was used to spread ransomware across the entire football club IT network. It is understood the cybercriminals behind the attack demanded 400 bitcoin (over £300,000), which was not paid. It seems Manchester United have been targeted similarly.

    In a statement on 20th November 2020, Manchester United stated, 

    'Manchester United can confirm that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.

    Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.'

    Despite the assurances in the statement, the cyber-attack does not appear to be contained and recovered from as yet, as both the Daily Mirror and the Daily Mail reported on 28th and 29th November 2020 respectively that hackers had accessed the club's scouting system's 'confidential information on targets and scouting missions'. Several UK newspapers also reported the club's email system remains disabled.

    As yet, no details have been released about the cyberattack ingress method, the malware used or the suspected perpetrators behind the attack. When asked for details, Man Utd stated 'The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it.' Without any details of the cyberattack released by the club or leaked, at this stage it's difficult to draw any conclusions, but we can speculate.

    The likely suspect is a variant of the Ryuk ransomware, possibly orchestrated by the Ryuk criminal group, together with the recently reported resurgence of the Emotet trojan last month; Emotet is a common dropper of ransomware. It was a new variant of the Ryuk ransomware that was behind a cyberattack on digital services firm Sopra Steria in October 2020. Another common ransomware culprit is Trickbot; however, Microsoft and their partners took action last month to disrupt the Trickbot botnet.

    No details have been released on how much this incident is costing Manchester United nor the ransom fee being demanded.  The media have speculated the ransom fee to be in the millions, likely based on that recent NCSC report, which stated an EFL club faced a £5 million ransom from cyber attackers.

    If this attack is found to have breached Manchester United fans' data protection rights under the UK Data Protection Act (GDPR), the club could face a fine of up to £18m or 2% of their total annual worldwide turnover from the UK Information Commissioner's Office. Further, given Manchester United are listed on the New York Stock Exchange, the club could fall foul of US legislation if they decide to pay the ransom; that fine could be up to £15m ($20m).

    The US Office of Foreign Assets Control (OFAC) warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere, stating, 

    ‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

    Ransomware payments may also embolden cyber actors to engage in future attacks'

    The last sentence of the OFAC statement is an essential point, given many organisations are giving in to cyber-extortion demands and paying up, it is fuelling further attacks.  

    If it was made illegal in the UK to pay a cyber extortion payment, that law would not only remove the temptation of giving up on recovery and paying ransoms, but also push UK organisations into investing in and deploying the appropriate level of cybersecurity controls to counter the risk, as there are simple security controls which can adequately thwart the risk of successful ransomware and data theft attacks. The simple truth is most ransomware and data theft attacks aren't really 'sophisticated'; successful attacks can be prevented by applying security control basics, such as continually patching IT systems (esp. internet-facing remote access VPN appliances), deploying and keeping anti-virus up-to-date, blocking suspicious external emails, and ensuring staff have a good level of security awareness, particularly in their ability to spot phishing emails.

    Without shifting global criminal threat actors' 'Reward vs Effort' reasoning, we can expect to see further high-profile businesses like Manchester United targeted with cyber extortion attacks, which ultimately cause significant reputational and financial damage to their organisation.

    Tuesday, 24 November 2020

    Advice: Protecting Lone Workers Through Covid Restrictions

    Protecting lone workers is an issue that businesses may not have come across previously, especially those based in busy city centre office blocks pre-coronavirus. Yet with many thriving business districts deserted through a lockdown and not everyone able to work from home, it’s an issue more management teams are having to consider.

    Firms could be inadvertently putting employees at risk of security, mental health/wellbeing and medical risk

    Here, Jonathan Fell of digital security provider Digital ID, outlines some of the ways to protect members of staff who find themselves lone working during lockdown number two.

    “Most businesses have got to grips with the challenges around managing teams remotely, but what about the needs of those employees who can’t or won’t work from home? In following Government guidelines, firms could be inadvertently putting employees who need to stay office-based at risk in other areas – security, mental health/wellbeing and medical suitability being just a few of the potential causes for concern.

    “Even if there are a small number of employees in the workplace, you should still put procedures in place for times in the day when workers will be alone, for example lunchbreaks and variations in contracted hours.”

    Security and Access Control
    “Security is one of the main concerns,” said Jonathan. “Ensuring that staff members are not put into dangerous situations in the workplace. Don’t forget, empty offices could be a potential target for robberies, leaving staff on their own more vulnerable to theft. Your lone worker will need briefing and support on how to identify and report threats. 

    Empty offices are targets for robberies, lone office workers need support on dealing with such threats

    “An update to the security system will be needed to reflect who is coming in and out of the building. In terms of ID cards that means making sure your policies are updated to include new procedures relating to lone workers and the building.

    “Someone should be appointed to monitor the login records to ensure staff arrive and leave at the expected times – luckily that’s easy to do remotely with a digital ID card system. If your current access control system doesn’t allow you to do this, you should really think about upgrading your system.”

    Find out more about this over on the Digital ID blog: https://www.digitalid.co.uk/blog/to-upgrade-or-not-to-upgrade-why-2020-is-the-time-to-migrate-your-access-control-system

    “Having someone on call and close enough to respond in an emergency is another important consideration. A tip here is to print emergency contact details onto the reverse of their ID or access cards. Given that these should be kept on the person at all times, it means contact numbers are easy to find and use if a person needs help quickly.

    “Things like checking your employee has good mobile phone coverage in the place of work is something a lot of people don’t think about but is very important these days. If they don’t, then they’ll need an active landline within easy access.

    “If photo ID is connected to an access control system, you may need to restrict access to some of the building in light of any new changes. Think about what needs to be accessed and how frequently by the lone worker, perhaps moving some things around within the building to ensure they can stick to a smaller footprint that will put them less at risk.

    “A final thought on security is that coming in and leaving at exactly the same time every day carrying laptops or other equipment could make them a target for personal theft; this needs to be weighed up against travelling at times when it’s dark and isolated. All should be covered in a full risk assessment.

    “It’s worth remembering that as a business you’re responsible for workers lone working at home too, so while there will not be complicated access concerns there, looking after the mental health and wellbeing of your team should remain a priority, as well as making sure they know what to do in a medical emergency.”

    Digital ID is the UK’s largest ID card company offering a complete service. For 25 years the organisation has helped businesses and their employees stay secure. It provides a range of products and services including plastic ID card printing, ID card printers and lanyards tailored to meet the requirements of its customers. Find out more at www.digitalid.co.uk

    Monday, 23 November 2020

    Seven Debunked Myths of Cybersecurity

    Article by Kristin Herman, a writer and editor at Ukwritings.com and Academized.com

    The term 'cybersecurity' has been tossed around lately. But although cybersecurity has been viewed as a saving grace for mobile devices, computers, etc. the topic is still cloaked in misconception. Things that might pop up, when it comes to cybersecurity, are:
    • The idea of security
    • Password strength
    • Who cybersecurity threats target and affect
    • If insurance will cover damages
    • How effective an IT team actually is
    • Cybersecurity “costs”
    • What devices are most vulnerable to malware?
    However, as one side says one thing while the other side contests it, it’s easy to get caught up in believing the wrong things. In fact, a lot of people get it all wrong. So, to understand the truth about cybersecurity, check out this quick guide, which will cover seven of the most debunked myths about the subject matter:

    1. “Physical Security and Cybersecurity are Two Different Things”
    “The truth is, physical security is not separate from cybersecurity,” says Angela Macquarie, a business writer at Academized and Oxessays. “Both can help safeguard machines and paper documents. And, while both can function online and offline, the things they protect will hold sensitive data, which can be at risk of being exposed if the owner or holder is not careful.”

    2. “Having a Good Password Protects You”
    When it comes to passwords, you can’t leave anything to chance. And even as weak passwords are still commonplace, it’s hard to imagine many people using passwords like “123456” or “qwerty,” especially after being warned not to do so. Therefore, it’s imperative to complicate your passwords – make them difficult for other people to figure out. And, always update your passwords, so that you can be one step ahead of cybercriminals every time.

    3. “Cybercriminals only Attack Large Businesses”
    Wrong. Cybercriminals will go after any type of business – big or small. Since cyber thieves don’t discriminate, it’s important to keep your devices and data safe with an effective cybersecurity framework, regardless of the size of a business.

    4. “Insurance will cover Cybersecurity Breaches”
    Wrong again. In actuality, most insurance policies won’t cover businesses in the event of a data breach. While some policies might cover financial losses that have transpired from it, most policies won’t.

    So, when shopping around for business-related insurance, make sure that policies will be able to compensate you whenever the dreaded breach springs up. Or, you can buy insurance and cybersecurity separately. Purchasing cyber and data insurance will be worth the investment if you’re looking to protect customer and/or sensitive data from infiltration.

    5. “The IT Team has you Covered”
    Think that IT teams can save your business, whenever data breaches happen? Think again!

    While IT staff will most likely know about potential vulnerabilities and hacker techniques, they still can’t control all the elements involved. Your IT staff, instead, will only act as a human firewall to prevent breaches that stem from human error. Therefore, make it your job to add more layers of protection, besides your IT team.

    6. “Cybersecurity is Costly”
    “When people think about cybersecurity, they assume that investing in it will cost hundreds, or thousands, of dollars,” says Sheila Flynn, a marketing blogger at Boom Essays and Paper Fellows. “However, having a strong human firewall to defend you against cybercrime is entirely free – apart from creating an IT security policy and training staff. Investment can go a long way, as cybersecurity will greatly benefit your business.”

    As such, consider consulting a cybersecurity expert, or look into comprehensive training and advice from cybersecurity experts, to help you put together an effective system that will protect all of your devices and data.

    7. “Viruses only affect Desktops”
    As technology continues to evolve – especially with more advanced smartphones and tablets working in almost the same capacity as computers – viruses aren’t just a computer thing. In fact, smartphones, tablets, and other mobile devices can fall victim to malware, if the user doesn’t have enough protection for them. And although it only took Internet access for malware to get to computers, other devices that connect to the Internet are still just as vulnerable to viruses.

    Conclusion
    As you read through these seven debunked myths, we hope that you have a better understanding of cybersecurity. The ultimate goal of this guide is to keep you – the device user – informed. By learning how cybercriminals work, and learning the truth about today’s debunked myths, you’ll learn from the mistakes that you might be making now with your devices, and fix them right away.

    About the Author: Kristin Herman is a writer and editor at Ukwritings.com and Stateofwriting.com. She is also a contributing writer for online publications, such as Essayroo.com. As a marketing writer, she blogs about the latest trends in online advertising and social media influencing.

    Monday, 16 November 2020

    Check, Please! Adding up the Costs of a Financial Data Breach

    Guest article by Andrea Babbs, UK General Manager at VIPRE

    Reliance on email as a fundamental function of business communication has been in place for some time. But as remote working has become a key factor for the majority of businesses during 2020, it’s arguably more important than ever as a communication tool. The fact that roughly 206.4 billion emails are sent and received each day means we’re all very familiar with that dreaded feeling of sending an email with typos, with the wrong attachment, or to the wrong contact. But this can be more than just an embarrassing mistake – the ramifications could, in fact, be catastrophic.

    Check Please! Within the financial services, layered cybersecurity strategy is essential to keep sensitive information secure

    In particular, for the financial services industry that deals with highly sensitive information including monetary transactions and financial data, the consequences of this information falling into the wrong hands could mean the loss of significant sums of money. Emails of this nature are the Holy Grail for cybercriminals. So how can financial services organisations keep their confidential information secure to safeguard their data and reputation?

    How much?
    According to research from the Ponemon Institute in its Cost of a Data Breach Report 2020, organisations spend an average of $3.85 million recovering from security incidents, with the usual time to identify and contain a breach being 280 days. Accenture’s 2019 Ninth Annual Cost of Cybercrime study found that financial services incurred the highest cybercrime costs of all industries. And while examples of external threats seem to make the headlines, such as the Capital One cyber incident, unintentional or insider breaches don’t always garner as much attention. Yet they are both as dangerous as each other. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in confirmed data disclosure.

    Costs will be wide-ranging depending on the scale of each breach, but at a minimum, there will be financial penalties, costs for audits to understand why the incident happened and what additional protocols and solutions need to be implemented to prevent it from happening in the future. There could also be huge costs involved for reimbursing customers who may have been affected by the breach in turn.

    Priceless damage
    The fallout from data breaches goes far beyond that of financial penalties and costs. Financial services businesses have reputations to uphold in order to maintain a loyal customer base. Those that fail to protect their customers’ sensitive information will have to manage the negative press and mistrust from existing and potential customers that could seriously impede the organisation as a whole. Within such a highly competitive market, it doesn’t take much for customers to take their money elsewhere – customer service and reputation is everything.

    Check, please!
    Within the financial services sector, the stakes are high, so an effective, layered cybersecurity strategy is essential to mitigate risk and keep sensitive information secure. With this, there are three critical components that must be considered: 
    1. Authentication and encryption: Hackers may try to attack systems directly or intercept emails via an insecure transport link. Security protocols are designed to prevent most instances of unauthorised interception, content modification and email spoofing. Adding a dedicated email-to-email encryption service to your email security arsenal increases your protection in this area. Encryption and authentication, however, do not safeguard you against human errors and misdeliveries.
    2. Policies and training: Security guidelines and rules regarding the circulation and storage of sensitive financial information are essential, as well as clear steps to follow when a security incident happens. Employees must undergo cybersecurity awareness training when they join the organisation and then be enrolled in an ongoing programme with quarterly or monthly short, informative sessions. This training should also incorporate ongoing phishing simulations, as well as simulated phishing attacks to demonstrate to users how these incidents can appear, and educate them on how to spot and flag them accordingly. Moreover, automated phishing simulations can also provide key metrics and reports on how users are improving in their training. This reinforcement of the secure messaging, working in tandem with simulated phishing attacks, ensures that everyone is capable of spotting a phishing scam and knows how to handle sensitive information, as they are aware and reminded regularly of the risks involved.
    3. Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. Fully technical solutions such as machine learning can only go so far in preventing breaches; it is only the human element that can truly distinguish between what is safe to send and what is not. In practice, machine learning will either stop everything from being sent – becoming more of a nuisance than a support to users – or it will stop nothing. Rather than disabling time-saving features such as autocomplete to prevent employees from becoming complacent when it comes to selecting the right email recipient, DLP solutions do not impede the working practices of users but instead give them a critical second chance to double-check.
    It is this double-check that can be the critical factor in an organisation’s cybersecurity efforts. Users can be prompted based on several parameters that can be specified. For example, colleagues in different departments exchanging confidential documents with each other and external suppliers means that the TO and CC fields are likely to have multiple recipients in them. A simple incorrect email address or a cleverly disguised spoofed email cropping up with emails going back and forth is likely to be missed without a tool in place to highlight this to the user, to give them a chance to double-check the accuracy of email recipients and the contents of attachments.
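    The pre-send "double-check" described above, as an added example that is not part of the original article or any VIPRE product: a small rule set that inspects a draft's TO and CC recipients and attachment names and returns the warnings a user should be shown before sending. The organisation domain, the list of previously used external domains and the attachment keywords are constructed placeholders.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholders for the example: the firm's own domain, the external
# domains it has corresponded with before, and filename words that mark an
# attachment as sensitive. A real deployment would load these from its DLP policy.
INTERNAL_DOMAIN = "example-bank.co.uk"
KNOWN_EXTERNAL_DOMAINS = {"auditor-example.com", "supplier-example.co.uk"}
CONFIDENTIAL_MARKERS = ("confidential", "statement", "payment", "payroll")
LOOKALIKE_MAX_DISTANCE = 2  # edits between a domain and a trusted one to call it a lookalike

_ADDRESS_RE = re.compile(r"^[^@\s<>]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

Warning_ = Tuple[str, str]  # (machine-readable code, message shown to the user)


def domain_of(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is not well formed."""
    match = _ADDRESS_RE.match(address.strip())
    return match.group(1).lower() if match else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Iterable[str]) -> Optional[str]:
    """Name the trusted domain this one closely resembles (typo or homoglyph), if any."""
    for candidate in trusted:
        if domain != candidate and edit_distance(domain, candidate) <= LOOKALIKE_MAX_DISTANCE:
            return candidate
    return None


def check_send(to: List[str], cc: List[str], attachments: List[str]) -> List[Warning_]:
    """Evaluate a draft; an empty result means the message can go without a prompt."""
    warnings: List[Warning_] = []
    external_domains = set()
    trusted = {INTERNAL_DOMAIN, *KNOWN_EXTERNAL_DOMAINS}

    for addr in list(to) + list(cc):
        domain = domain_of(addr)
        if domain is None:
            warnings.append(("MALFORMED", f"{addr!r} is not a valid email address"))
            continue
        if domain == INTERNAL_DOMAIN:
            continue
        external_domains.add(domain)
        if domain in KNOWN_EXTERNAL_DOMAINS:
            continue  # a counterparty the firm has written to before
        near = lookalike_of(domain, trusted)
        if near:
            warnings.append(("LOOKALIKE", f"{addr} resembles {near} but is not that domain"))
        else:
            warnings.append(("UNKNOWN_EXTERNAL", f"{addr} is a domain you have not sent to before"))

    sensitive = [name for name in attachments
                 if any(marker in name.lower() for marker in CONFIDENTIAL_MARKERS)]
    if external_domains and sensitive:
        warnings.append(("CONFIDENTIAL_EXTERNAL",
                         f"{', '.join(sensitive)} will leave the organisation"))
    if len(external_domains) > 1 and sensitive:
        warnings.append(("MULTI_ORG",
                         "sensitive attachment addressed to more than one external organisation"))
    return warnings


if __name__ == "__main__":
    # Constructed draft: a typo in the auditor's domain plus a sensitive attachment.
    for code, message in check_send(["bob@auditor-exarnple.com"], [], ["q3-statement.pdf"]):
        print(f"[{code}] {message}")
```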

    Conclusion
    Email remains a risky, yet essential tool for every business. But with a layered security strategy in place consisting of training, authentication tools and DLP solutions, organisations can minimise the risks involved and take a proactive approach to their cyber defences.

    Given the nature of the industry, financial services organisations are a prime target for cybercriminals. The temptation of personal information and financial transactions for hackers is never going to dwindle, so financial institutions must prioritise cybersecurity, regularly assessing risks, deploying innovative, human-led solutions and educating workforces to provide the best defence possible.

    Tuesday, 10 November 2020

    One Step Beyond: Using Threat Hunting to Anticipate the Unknown

    Article by Paul German, CEO, Certes Networks

    A cyber threat could be lurking in any corner of an organisation’s infrastructure. The complex networks encompassing numerous smart and interconnected technologies make it easy for cybercriminals to hide, but much harder for them to be found.

    Yet, waiting for a cyber threat to make an appearance is far too dangerous; if left undetected, a cybercriminal could stay in an organisation’s network for years - and just think of the damage that could be caused. To combat this, threat hunting is now an essential component of any cybersecurity strategy. Rather than waiting for a hacker to make themselves known, threat hunting involves constantly and proactively searching for the threats hiding within a system, working on the assumption that a cyber hacker is ever-present and looking for signs of unusual activity before it even occurs.

    But how does threat hunting work in practice, and how can the approach ensure an organisation’s data is kept safe? Here is why a proactive approach to cybersecurity is essential at a time when the threat has never been more severe.

    Anticipating the unknown is the only way to stay ahead of hackers

    The Need for Observability 
    Today’s networks are complex, presenting numerous places for a cyber hacker to hide. And unfortunately, it’s not uncommon for infiltrations to go undetected in networks for days, weeks or months. In fact, a recent report shows that it takes organisations an average of 280 days to identify and contain a data breach, but organisations can’t afford to wait this long. In this time, a cyber hacker can be travelling through the network, infiltrating systems and stealing information, making an organisation’s data increasingly vulnerable.

    And the length of time can even be longer than this; in the 2018 Marriott International data breach, hackers were accessing the network for over four years before they were discovered, which resulted in the records of 339 million guests being exposed. The hotel chain then suffered a second data breach this year after cybercriminals had been in the network for over one month, impacting approximately 5.2 million guests.

    So, what needs to change? It is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without 24/7/365 managed detection and response (MDR) tools for proactive threat hunting that use event monitoring logs, automated use case data, contextual analysis, incident alerting and response, and tactics, techniques and procedures (TTPs) to identify issues and improve an organisation’s security posture.

    Anticipating the Unknown
    When anticipating the unknown, cybersecurity analytics tools can capture data and detect evasive and malicious activity, wherever it is in the network, in real time. Generating fine-grained policies and enforcing them is one step security teams can take to proactively detect and remediate malicious activity immediately. With policy enforcement, attackers will have a hard time attempting to make lateral ‘east-west’ movements or remaining hidden in any part of the network, as the security team will be able to see inside the network and protect against threats across all attack surfaces and all managed endpoints with a unified multi-layer approach. This includes policy generation and enforcement MDR tools that can provide greater insight into the overall reliability, impact and success of network systems, their workload and their behaviour, to identify threats and proactively respond and protect assets.

    In reality, this means that security teams can take measurable steps towards controlling system access of the network environment; knowing who is in the network, who should be able to access what data and which applications, and being the first to detect indicators of compromise (IOC).

    Ahead of the Game
    Threat hunting is a way to stay one step ahead of cybercriminals. Organisations no longer have to wait to be alerted of a data breach before taking action; today it is essential to have a complete picture of the entire network in real-time, including extending these capabilities to teleworkers, so that unusual activity can be identified and halted immediately before any damage occurs. With strong MDR tools at the core, organisations can ensure a strong and effective security posture based on anticipating the unknown, clear visibility into vulnerabilities that pose the biggest threat and identifying barriers that prevent successful tracking and remediation.

    Wednesday, 4 November 2020

    Cyber Security Roundup for November 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

    London's Hackney Borough Council has been tight-lipped about "a serious cyber-attack" which took down its IT systems, impacting its service delivery to citizens. The council has provided scant information about the attack, but it has all the hallmarks of a ransomware outbreak. The council says it is working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident. Ransomware attacks continue to be a major blight on UK public services, with organisations from councils to hospitals struggling to defend their IT systems. Earlier this year Redcar and Cleveland Borough Council said it had been hit by a ransomware attack, which cost it more than £10m.

    It looks like ransomware will continue to pose a major threat to the UK for some time to come, with separate reports describing a resurgence of the Emotet trojan, a common dropper of ransomware, while the hacking group behind the notorious Ryuk ransomware has been reported as being active again. A new variant of the Ryuk ransomware was behind a cyberattack on Sopra Steria’s operations in October 2020, the digital services company confirmed.

    British Airways had its credit card breach DPA fine cut by a massive £163m, to £20m, by the UK Information Commissioner's Office (ICO), which imposed the original fine after the airline, now financially beleaguered by the pandemic, lost 430,000 payment card details to hackers in an e-commerce skimming attack in 2018.

     BA lost 430,000 payment card details to hackers after a Magecart e-commerce skimming attack in 2018
    This data breach was a lesson in failing at PCI DSS compliance, with customer credit card details stolen after a ‘Magecart’ payment card skimming script was injected onto the BA payment page. The attackers initially compromised the BA network through a third-party worker’s remote access (not MFA protected), gaining access to BA's Citrix environment. Once inside the BA network, the attackers were gifted privileged access after finding a domain admin account username and password in plaintext in a server folder. I understand investigators found payment cards stored in plaintext, including CVV numbers retained post-payment authorisation, which is never permitted under PCI DSS rules. Aside from the ICO fine and reputational damage, this breach is likely to have cost BA a small fortune in specialised PCI Forensic Investigator (PFI) work, a complete solution rebuild, and card brand penalties. The Visa Chief Enterprise Risk Officer once said ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach’; I understand that statement still rings true today.

    The ICO didn't hold back in dishing out a massive DPA (GDPR) fine to the Marriott Hotels chain, to the tune of £18.4m, after a major data breach which affected up to 7 million UK guests. The ICO reported that UK citizens' names, contact information and passport details were compromised in the cyber-attack. The ICO also said the company had failed to put appropriate safeguards in place, but acknowledged it had since improved.

    Meanwhile, the UK NCSC released an advisory which repeated an earlier United States warning that Chinese Threat Actors are exploiting well-known software vulnerabilities. The advisory details 25 top vulnerabilities that are being exploited whilst offering mitigation advice. Many of the vulnerabilities allow attackers to gain access to a victim’s network by exploiting products directly connected to the internet. The NSA has also produced a nice infographic breaking the 25 vulnerabilities down by threat.


    Stay safe and secure.


      Thursday, 8 October 2020

      Securing an Agile and Hybrid Workforce

      Guest article by Andrea Babbs, UK General Manager, VIPRE

      2020 has forced businesses to revise many of their operations. One significant transition has been the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

      As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

      Power of the Cloud
      In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

      COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

      Layered Security Defence
      Cloud-powered email, web and network security will always underpin IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity of, and interrogate the risk level of potential phishing emails or malicious links.

      With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

      Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91% of cybercrimes beginning with an email. Implementing tools that prompt employees to double-check emails before they send them can help reduce the risk of sharing the wrong information with the wrong individual.

      Additional layers of defence, such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in or what their job entails.

      Educating the User
      The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

      For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

      Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

      Changing the Approach
      The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

      IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

      Conclusion
      As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

      By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

      Thursday, 1 October 2020

      Cyber Security Roundup for October 2020

      A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, September 2020.

      COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of universities and colleges in September. Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind the online leak of documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period; that statement is the hallmark of recovery from a mass ransomware infection.

      Doppelpaymer Ransom notice

      On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

      Across the pond, healthcare giant Universal Health Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note that matched the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods”.

      'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group, was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud; in other words, orchestrating cyber extortion attacks against US firms.


      ZeroLogon:  IT Support Staff must Patch Now!
      A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after Microsoft, CISA, the UK NCSC and other security bodies warned in mid-September that the vulnerability was being actively exploited. Dubbed 'Zerologon', the bug scored the maximum criticality rating of 10.0, and Microsoft issued a security fix for it as part of its August 2020 'Patch Tuesday' release of monthly security updates. Since the public disclosure of the flaw, multiple proof-of-concept (PoC) exploits have appeared on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigations or workarounds for this vulnerability, so it is essential that the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then that DC enforcement mode is enabled.
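As an added example (not code from the roundup or from Microsoft), the PowerShell audit below checks every Domain Controller in the domain for the two things the paragraph calls for: that the update's enforcement mode is switched on, and whether Netlogon is still logging vulnerable secure-channel connections that would break once it is. It assumes the ActiveDirectory RSAT module is installed on the admin workstation and that WinRM is reachable on each DC.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the roundup: audit Domain Controllers for
# CVE-2020-1472 (Zerologon) enforcement mode and for Netlogon events that
# report vulnerable secure-channel connections. Run from a workstation that
# has the ActiveDirectory module and WinRM access to every DC (assumption).

# Registry value that the August 2020 update reads on each DC:
#   1      = enforcement mode, vulnerable Netlogon secure channels are denied
#   0      = deployment (compatibility) mode
#   absent = default for the initial deployment phase, i.e. not enforced
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$RegValue = 'FullSecureChannelProtection'

# Netlogon event IDs added by the update (System log, provider NETLOGON):
#   5827 / 5828 = vulnerable connection denied (machine / trust account)
#   5829        = vulnerable connection allowed because the DC is not enforcing
#   5830 / 5831 = allowed by the "Allow vulnerable Netlogon secure channel
#                 connections" group policy (machine / trust account)
$ZerologonEventIds = 5827, 5828, 5829, 5830, 5831

$Audit = {
    # Enforcement state from the registry; missing value means not enforced.
    $item = Get-ItemProperty -Path $using:RegPath -Name $using:RegValue -ErrorAction SilentlyContinue
    $mode = if ($null -eq $item) { $null } else { $item.$($using:RegValue) }
    $regDisplay = if ($null -eq $mode) { 'not set' } else { $mode }

    # Vulnerable-connection events from the last 7 days. These IDs only exist
    # once the update is installed, so "no events" on an unpatched DC is not
    # good news; the registry value tells you nothing about patch state either.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $using:ZerologonEventIds
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    $denied  = @($events | Where-Object { $_.Id -in 5827, 5828 })
    $allowed = @($events | Where-Object { $_.Id -in 5829, 5830, 5831 })
    $latest  = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        DomainController    = $env:COMPUTERNAME
        EnforcementMode     = ($mode -eq 1)
        RegistryValue       = $regDisplay
        DeniedVulnerable    = $denied.Count
        AllowedVulnerable   = $allowed.Count
        LastVulnerableEvent = if ($latest) { $latest.TimeCreated } else { $null }
    }
}

# Enumerate the DCs from AD rather than from a hand-maintained list.
$dcs = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $Audit

$results |
    Sort-Object DomainController |
    Format-Table DomainController, EnforcementMode, RegistryValue,
                 DeniedVulnerable, AllowedVulnerable, LastVulnerableEvent -AutoSize

# A DC reporting EnforcementMode = False needs FullSecureChannelProtection = 1
# after the update is installed. Any 5829 events name devices that are still
# making vulnerable Netlogon connections; fix those before turning on
# enforcement, or they will be denied (and logged as 5827/5828) afterwards.
$results | Where-Object { -not $_.EnforcementMode } | ForEach-Object {
    Write-Warning "$($_.DomainController): Zerologon enforcement mode is NOT enabled"
}
$results | Where-Object { $_.AllowedVulnerable -gt 0 } | ForEach-Object {
    Write-Warning "$($_.DomainController): $($_.AllowedVulnerable) vulnerable Netlogon connections still allowed in the last 7 days"
}
```

Run it once before enabling enforcement to find the devices behind any 5829 events, and again afterwards to confirm every DC reports EnforcementMode = True.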

      Stay safe and secure.


            Thursday, 3 September 2020

            The DRaaS Data Protection Dilemma

            Written by Sarah Doherty, Product Marketing Manager at iland

            Around the world, IT teams are struggling with choosing between less critical, but important tasks, versus focusing on innovative projects to help transform your business. Both are necessary for your business and need to be actioned, but should your team do all of it? Have you thought about allowing someone else to guide you through the process while your internal team continues to focus on transforming the business? 

            DRaaS Data protection dilemma; outsourcing or self-managing?
            Disaster recovery can take a lot of time to properly implement so it may be the right time to consider a third-party provider who can help with some of the more routine and technical aspects of your disaster recovery planning. This help can free up some of your staff’s valuable time while also safeguarding your vital data.

            Outsourcing your data protection functions vs. managing them yourself
            Information technology has raised many questions about how it really should be done. Some experts favour the Disaster Recovery as a Service (DRaaS) approach. They believe that data protection, although necessary, has very little to do with core business functionality. Organisations commonly outsource non-business services, which has driven many to consider the idea of employing third parties for other business initiatives. This has led some companies to believe that all IT services should be outsourced, enabling the IT team to focus solely on core business functions and transformational growth.

            Other groups challenge the concept and believe that the idea of outsourcing data protection is foolish. An organisation’s ability to quickly and completely recover from a disaster - such as data loss or an organisational breach - can be the determining factor as to whether the organisation will remain in business. Some may think that outsourcing something as critical as data protection, and putting your organisation’s destiny into the hands of a third party, is a risky strategy. The basic philosophy behind this type of thinking can best be described as: “If you want something done right, do it yourself.”

            Clearly, both sides have some compelling arguments. On one hand, by moving your data protection solution to the cloud, your organisation becomes increasingly agile and scalable. Storing and managing data in the cloud may also lower storage and maintenance costs. On the other hand, managing data protection in-house gives the organisation complete control. Therefore, a balance of the two approaches is needed in order to be sure that data protection is executed correctly and securely.

            The answer might be somewhere in the middle
            Is it better to outsource all of your organisation’s data protection functions, or is it better to manage it yourself? The best approach may be a mix of the two, using both DRaaS and Backup as a Service (BaaS). While choosing a cloud provider for a fully managed recovery solution is also a possibility, many companies are considering moving away from ‘do-it-yourself’ disaster recovery solutions and are exploring cloud-based options for several reasons.

            Firstly, purchasing the infrastructure for the recovery environment requires a significant capital expenditure (CAPEX) outlay. Therefore, making the transition from CAPEX to a subscription-based operating expenditure (OPEX) model makes for easier cost control, especially for those companies with tight budgets.

            Secondly, cloud disaster recovery allows IT workloads to be replicated from virtual or physical environments. Outsourcing disaster recovery management ensures that your key workloads are protected, and the disaster recovery process is tuned to your business priorities and compliance needs while also allowing for your IT resources to be freed up.

            Finally, cloud disaster recovery is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. Furthermore, the time and expense to recover an organisation’s data is minimised, resulting in reduced business disruption.

            Conversely, the disadvantage of local backups is that they can be targeted by malicious software which proactively searches for backup applications and database backup files and fully encrypts the data. Additionally, backups, especially when organisations try to recover quickly, are prone to unacceptable Recovery Point Objectives (RPO).

            What to look for when evaluating your cloud provider

            It is also essential when it comes to your online backups to strike a balance between micromanaging the operations and completely relinquishing any sort of responsibility. After all, it’s important to know what’s going on with your backups. Given the critical nature of the backups and recovery of your data, it is essential to do your homework before simply handing over backup operations to a cloud provider. There are a number of things that you should look for when evaluating a provider.
            • Service-level agreements that meet your needs.
            • Frequent reporting, and management visibility through an online portal.
            • All-inclusive pricing.
            • Failover assistance at a moment’s notice.
            • Do-it-yourself testing.
            • Flexible network layer choices.
            • Support for legacy systems.
            • Strong security and compliance standards.
            These capabilities can go a long way towards allowing an organisation to check on their data recovery and backups, on an as-needed basis, while also instilling confidence that the provider is protecting the data according to your needs. The right provider should also allow you the flexibility to spend as much or as little time on data protection, proportional to your requirements.

            Ultimately, using cloud backups and DRaaS is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. In most cases, the right disaster recovery provider will likely offer you better recovery time objectives than your company could provide on its own, in-house. Therefore as you review your options, cloud DR could be the perfect solution, flexible enough to deal with an uncertain economic and business landscape.

            Wednesday, 2 September 2020

            Top Five Most Infamous DDoS Attacks

            Guest article by Adrian Taylor, Regional VP of Sales for A10 Networks 

            Distributed Denial of Service (DDoS) attacks are now everyday occurrences. Whether you’re a small non-profit or a huge multinational conglomerate, your online services—email, websites, anything that faces the internet—can be slowed or completely stopped by a DDoS attack. Moreover, DDoS attacks are sometimes used to distract your cybersecurity operations while other criminal activity, such as data theft or network infiltration, is underway. 
            Why are DDoS attacks bigger and more frequent than ever?
            DDoS attacks are getting bigger and more frequent
            The first known Distributed Denial of Service attack occurred in 1996 when Panix, now one of the oldest internet service providers, was knocked offline for several days by a SYN flood, a technique that has since become a classic DDoS attack. Over the following years DDoS attacks became common, and Cisco predicts that the total number of DDoS attacks will double from the 7.9 million seen in 2018 to something over 15 million by 2023.

            But it’s not just the number of DDoS attacks that is increasing; the bad guys are also creating ever bigger botnets – the term for the armies of hacked devices that are used to generate DDoS traffic. As the botnets get bigger, the scale of DDoS attacks is also increasing. A Distributed Denial of Service attack of one gigabit per second is enough to knock most organisations off the internet, but we’re now seeing peak attack sizes in excess of one terabit per second, generated by hundreds of thousands, or even millions, of suborned devices. Given that IT services downtime costs companies anywhere from $300,000 to over $1,000,000 per hour, you can see that the financial hit from even a short DDoS attack could seriously damage your bottom line.

            So we’re going to take a look at some of the most notable DDoS attacks to date. Our choices include some DDoS attacks that are famous for their sheer scale while others are because of their impact and consequences.

            1. The AWS DDoS Attack in 2020
            Amazon Web Services, the 800-pound gorilla of everything cloud computing, was hit by a gigantic DDoS attack in February 2020. This was the largest DDoS attack recorded up to that point, and it targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted for three days and peaked at an astounding 2.3 terabytes per second. While the disruption caused by the AWS DDoS attack was far less severe than it could have been, the sheer scale of the attack, and the implications for AWS hosting customers potentially losing revenue and suffering brand damage, are significant.

            2. The Mirai Krebs and OVH DDoS Attacks in 2016
            On September 20, 2016, the blog of cybersecurity expert Brian Krebs was assaulted by a DDoS attack in excess of 620 Gbps, which at the time, was the largest attack ever seen. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was almost three times bigger than anything his site or, for that matter, the internet had seen before.

            The source of the attack was the Mirai botnet, which, at its peak later that year, consisted of more than 600,000 compromised Internet of Things (IoT) devices such as IP cameras, home routers, and video players. Mirai had been discovered in August that same year but the attack on Krebs’ blog was its first big outing.

            Another Mirai attack, on September 19, targeted one of the largest European hosting providers, OVH, which hosts roughly 18 million applications for over one million clients. This attack was on a single undisclosed OVH customer and driven by an estimated 145,000 bots, generating a traffic load of up to 1.1 terabits per second, and lasted about seven days. The Mirai botnet was a significant step up in how powerful a DDoS attack could be. The size and sophistication of the Mirai network were unprecedented, as was the scale of the attacks and their focus.

            3. The Mirai Dyn DDoS Attack in 2016
            Before we discuss the third notable Mirai DDoS attack of 2016, there’s one related event that should be mentioned: On September 30, someone claiming to be the author of the Mirai software released the source code on various hacker forums and the Mirai DDoS platform has been replicated and mutated scores of times since.

            On October 21, 2016, Dyn, a major Domain Name Service (DNS) provider, was assaulted by a one terabit per second traffic flood that then became the new record for a DDoS attack. There’s some evidence that the DDoS attack may have actually achieved a rate of 1.5 terabits per second. The traffic tsunami knocked Dyn’s services offline rendering a number of high-profile websites including GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb, inaccessible. Kyle York, Dyn’s chief strategy officer, reported, “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

            Mirai supports complex, multi-vector attacks that make mitigation difficult. Even though Mirai was responsible for the biggest assaults up to that time, the most notable thing about the 2016 Mirai attacks was the release of the Mirai source code enabling anyone with modest information technology skills to create a botnet and mount a Distributed Denial of Service attack without much effort.

            4. The Six Banks DDoS Attack in 2012
            On March 12, 2012, six U.S. banks were targeted by a wave of DDoS attacks—Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack generating over 60 gigabits of DDoS attack traffic per second.

            At the time, these attacks were unique in their persistence: Rather than trying to execute one attack and then backing down, the perpetrators barraged their targets with a multitude of attack methods in order to find one that worked. So, even if a bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types of attack.

            The most remarkable aspect of the bank attacks in 2012 was that the attacks were, allegedly, carried out by the Izz ad-Din al-Qassam Brigades, the military wing of the Palestinian Hamas organisation. Moreover, the attacks had a huge impact on the affected banks in terms of revenue, mitigation expenses, customer service issues, and the banks’ branding and image.

            5. The GitHub Attack in 2018
            On Feb. 28, 2018, GitHub—a platform for software developers—was hit with a DDoS attack that clocked in at 1.35 terabits per second and lasted for roughly 20 minutes. According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”

            Even though GitHub was well prepared for a DDoS attack their defences were overwhelmed—they simply had no way of knowing that an attack of this scale would be launched.

            The GitHub DDoS attack was notable for its scale and the fact that the attack was staged by exploiting a standard command of Memcached, a database caching system for speeding up websites and networks. The Memcached DDoS attack technique is particularly effective as it provides an amplification factor – the ratio of the attacker’s request size to the amount of DDoS attack traffic generated – of up to a staggering 51,200 times.

            And that concludes our top five line up – it is a sobering insight into just how powerful, persistent and disruptive DDoS attacks have become.