Thursday 1 April 2021

Cyber Security Roundup for April 2021


A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2021.

How not to disclosure a Hack
UK fashion retailer FatFace angered customers in its handling of a customer data theft hack.  The clothes retailer revealed a data theft which included its customer's full names, home addresses, email addresses, and partial debit\credit card details. The payment card details included the last four digits and the card's security verification code, the latter code is never permitted to be stored after a payment card authorisation under Payment Card Industry Data Security Standard requirements, so it would appear the business was not PCI DSS compliant at the time of their hack, which strongly suggests the business may not doing enough of the expected IT security good practices to prevent being hacked in the first place, a poor IT defence posture which appears to have even been corroborated by their hackers.

FatFace CEO Liz Evans released a statement which said “On 17th January 2021 FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation with the assistance of experienced security professionals who, following a thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorising the data potentially involved in the incident.”

Customers were said to be angered that it took FatFace over two months to notify them of the breach, under the UK Data Protection Act (GDPR), UK businesses are required by law to notify data subjects (customers) within 72 hours of learning their personal data had been compromised.  Customers were said to be even further incensed that emails sent to them by FatFace were titled "Strictly private and confidential", which they considered implied they should help FatFace cover up the breach, and there was no apology by the FatFace CEO to boot.

Computer Weekly said it had learnt that FatFace paid a £1.5m ($2 million US dollar) ransom to the Conti Ransomware gang, disclosing the gang gained access to FatFace network and their IT systems via a phishing email on 10th January 2021. The ransomware attack was said to be executed on 17th January 2021 and over 200Gb of data was exfiltrated.  As part of ransomware negotiation, the original ransom ask for $8m worth of Bitcoin, was said to have included the Conti gang providing the following cybersecurity advice to FatFace:
  • IT teams to implement email filtering
  • conduct employee phishing tests
  • conduct penetration testing
  • review Active Directory password policy
  • invest in better endpoint detection and response (EDR) technology, apparently recommending Cylance or VMware Carbon Black
  • better protect the internal network and isolate critical systems
  • implement offline storage and tape-based backup
All very sound advice.

More and More Ransomware Attacks
The Harris Federation, which runs 50 primary and secondary schools, and Birmingham College probably wished they had followed the alleged Conti gang's anti-ransomware security advice after they were taken out by ransomware attacks. 

The ransomware epidemic dominated the 2021 Palo Alto Networks Unit 42 Report, echoing the constant stream of IT media headlines, namely that ransomware gangs continue to evolve their tactics and operations, and are making more and more serious money.  We are within a golden age of ransomware crime, and there are no signs of a rest bite. PA Unit 42 found that the average ransom paid by organisations nearly tripled over the past year, from $115,123 in 2019 to $312,493. High-end ransoms have gone up significantly too. Between 2015 and 2019, the largest-known individual ransom demand was $15 million. In 2020 groups were demanding as much as $30 million to unlock a victim’s files and systems.

A Russian man in the US pleaded guilty to plotting to extort money from the electric car company Tesla, after he was accused of offering an employee £721k ($1m) to place ransomware on Tesla's network. He was quoted as saying that he and his co-conspirators would steal the data and if Tesla refused to pay the ransom the company's secrets would be placed on the internet.

Microsoft Exchange Zero-Day, Exploitations Led by Hafnium

Further information about the Exchange Server zero-day vulnerability exploitations came to light throughout March, as summarised below. 
UK Gov to Ramp up Cyber Offenses and Defences
Prime Minister Boris Johnson announced he was creating a "cyber corridor" in the North of England, to bolster Britain's cyber warfare capabilities against hostile countries and terrorist groups.  A new UK National Cyber Force (NCF) will lay out "a new cyber strategy to create a cyber ecosystem."

The NCF review will "set out the importance of cyber technology" to the UK's way of life "whether it’s defeating our enemies on the battlefield, making the internet a safer place or developing cutting-edge tech to improve people’s lives.“ Basing this task force in the North of England is intended to generate economic growth in the digital and defence industries while drawing in the private sector and academia to work with the government on projects.

Britain's biggest banks, including Barclays, HSBC, and NatWest, and insurance companies, including Aviva and Direct Line, will face new tougher testing of their cyber defences by the Bank of England's Financial Policy Committee (FPC). Industry sources said the FPC will test their ability to withstand a coordinated global series of cyberattacks to form the centrepiece of the Bank of England's stress scenario reporting.

However, one recently introduced UK cybersecurity law, which was meant to boost the resilience of the UK's energy sector by obliging gas and electricity firms to report to hacks, doesn't appear to be very effectively adopted. Network & Information Systems (NIS) Regulations 2018 were introduced into UK law three years ago and has parallels with the DPA\GDPR law which was introduced at the same time. Like the GDPR, NIS requires the UK critical national infrastructure firms (i.e. ISPs, utilities) and energy sector firms (i.e. gas and electricity firms) to quickly report any hacks to their regulating authority, Ofgem. According to Sky News, only one company has ever tried to file a report informing the regulator that it had been hacked, but they were dismissed as the incident did not meet the threshold for being reported.

Recently, the British government confirmed Russian state-sponsored hackers have successfully penetrated the computer networks of the UK's energy grids, without disrupting them, and former defence secretary Gavin Williamson warned that "thousands and thousands and thousands" of people could be killed if an attempt at disruption was made.  Responding to Sky News about NIS compliance, a UK government spokesperson said: "The UK's critical infrastructure is extremely well protected and over the past five years we have invested £1.9bn in the National Cyber Security Strategy to ensure our systems remain secure and reliable." UK Gov then added that a formal review of the impact of NIS will take place within the next 12 months.

Stay safe and secure.



No comments: