Monday 1 March 2021

Cyber Security Roundup for March 2021


A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, February 2021.

Serious Linux Vulnerability
Last month a newly discovered critical vulnerability in 'sudo', a fundamental program present in all Linux and Unix operating systems, caught my eye. The sudo vulnerability, aka CVE-2021-3156, seemed to go under the radar after it was announced and patches were released on 26th January 2021. I wrote a blog post about my concerns given Linux is embedded everywhere, yet many of these systems are rarely, or even never, updated with security updates. From IoT devices to internet-based services, the security of countless devices and web-based services is dependent upon a secure Linux account privilege model. While these Linux operating systems remain unpatched to prevent exploitation of the CVE-2021-3156 vulnerability, they are waiting to be hacked.

Npower App Hack
Npower removed its mobile app after an attack exposed "some customers' financial and personal information." The energy firm did not say how many accounts were affected by the breach, which was first reported by Npower said "We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as 'credential stuffing'. We've contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and offering advice on how to prevent unauthorised access to their online account," the firm said in a statement. The Information Commissioner's Office (ICO) confirmed it had been informed.

Total Fitness Ransomware Attack
UK media didn't report UK gym chain Total Fitness had been hit by a ransomware attack. In a statement released by Total Fitness on 5th February, the gym chain said,
"On 26th January, Total Fitness’ threat detection software exposed a cyber-attack affecting our internal systems, processes, and communications. Immediately following the attack, our well-rehearsed recovery and continuity plans were instigated which included the lock down and securing of all Total Fitness information.

Total Fitness is continuing to respond to the ongoing ransomware attack likely to be by international serious and organised cyber-crime groups. The matter is subject to a live criminal investigation.

Our Incident Response Team are informing and collaborating with expert organisations including the National Cyber Security Centre, the North West Regional Organised Crime Unit, the National Crime Agency and the Information Commissioner's Office on what is a complex and sophisticated criminal act."

Total Fitness kindly linked several pieces of UK National Cyber Security Centre (NCSC) business ransomware prevention guidance at the bottom of their statement; seemingly they hadn't followed the last linked guidance, which is basic business good practice for preventing ransomware attacks.
I became aware of the Total Fitness cyber breach after several of their members contacted me for advice following the receipt of an email from Total Fitness, which said there was "a low risk" their personal information was compromised.

Total Fitness email
"We’re emailing to let you know that Total Fitness’ IT systems were attacked by a highly sophisticated international organised cyber-crime network.  We believe the risk is low for you and your data. To reassure you immediately, we can confirm that your highly sensitive information such as username, password, and credit card information have not been compromised."

Serco and CD Projekt Ransomware Attacks
While the Babuk ransomware gang claimed it had infiltrated Serco last year, Serco confirmed a cyberattack on 31st January to Sky News. A Serco spokesperson said there had been no impact on any of its UK operations, given the attack centred on isolated European systems. The Babuk group claimed to have had access to Serco's systems for three weeks and to have already exfiltrated a terabyte of data. The cybercriminals made specific references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR). There was further confirmation that the UK NHS Test and Trace programme was unaffected by the incident.

CD Projekt Red, the developers of the controversial Cyberpunk 2077 game, was hit with a 48-hour ransom demand by the HelloKitty ransomware operation. In a ransom note, the attackers said they had stolen the source code for Cyberpunk 2077 and the Witcher 3 game. CD Projekt Red announced they would not be paying the ransom, which led to the attackers auctioning the stolen data on a hacker forum. There have since been claims that full copies of the Cyberpunk game source code have been made available on the dark web. CD Projekt Red later in the month said it was delaying an update to their Cyberpunk game until late March due to the cyberattack.

Kia / Hyundai Reported Ransomware Attack
According to reports, the DoppelPaymer ransomware gang hit both Kia and parent company Hyundai, demanding a $20 million extortion payment. Kia's online services suffered outages, presumably due to the cyberattack; however, Kia denied the reports, releasing a statement which said "We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack". Meanwhile, Hyundai America said "Hyundai Motor America is experiencing an IT outage affecting a limited number of customer-facing systems. Those systems are in the process of coming back online. We would like to thank our customers for their continued patience. At this time, we can also confirm that we have no evidence of Hyundai Motor America or its data being subject to a ransomware attack".

Attempted Florida City Water Supply Poisoning Cyberattack
Hackers attempted to poison the water supply of the city of Oldsmar in Florida by remotely infiltrating the water treatment facility's controlling IT system and using it to increase the Sodium Hydroxide (NaOH) levels in the water. The computer systems of the water treatment facility were remotely breached twice on 5th February, through an insecure TeamViewer remote access application. On the second intrusion, the hackers tried to increase the NaOH levels but were foiled by an operator who was watching the attack in real-time. "What it is, is that somebody hacked into the system, not just once but twice, and controlled the system, took control of the mouse, moved it around, opened the programme and changed the levels from 100 to 11,100 parts-per-million with a caustic substance," said the city sheriff Bob Gualtieri.

Further to the attack on Oldsmar, Florida's water facility, CTO of Cymulate Avihai Ben-Yossef warned, "in 2020 we saw a dramatic increase in Nation-State actors attempting attacks on critical infrastructure like power and utility companies. The number of warnings, and specifically where they originate, insinuate that the level of activity has been elevated. Moreover, we are now witnessing these Nation State actors attempting to gain a foothold into utilities in order to build proactive attack capabilities - and they are trying to manipulate them with deadly consequences.

The change is partly due to the fact that a few hackers who have gained these attack capabilities are also more inclined to be aggressive - with Iran being the number one proponent. In Israel, Iranian state actors attempted, without success, to attack Israeli water utilities last year. While this isn't the first effort to manipulate US water supplies, this new attack in Florida is the first time we have seen an attempt with lethal consequences. This is in contrast to the spate of ransomware attacks like those currently victimising Florida hospitals, which points to a different trend where criminal attackers aim to profiteer."

Nation-State SolarWinds Attack Update
Microsoft wrapped up its SolarWinds cyberattack investigation by concluding in a blog post that none of its systems was used to attack others, thanks to Microsoft's adoption of a 'Zero Trust' model. The Microsoft blog post encouraged all organisations to follow suit in adopting a 'zero trust mindset', stating that organizations should "go one step further by adopting it as a mindset – accept that all of the initial lines of defense can fail and that security controls need to be layered across all systems critical to an organization".

I completely agree with Microsoft on this one, 'Zero Trust' architectures are the future to secure enterprises, taking a "never trust and always verify" approach on all users and devices (inside the network) which connect with the organisation's infrastructure, IT systems, and data.

Stay safe and secure.
