Tuesday 1 June 2021

Cyber Security Roundup for June 2021


A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2021.

UK Smarties Cities Cybersecurity Warning
The UK National Cyber Security Centre (NCSC) published its Smart Cities (connected places) guidance for UK local authorities. NCSC warned UK Smart Cities will be highly targeted by hackers, and as such, councils need to ensure they are properly prepared as they rollout increasingly connected and technology-reliant infrastructure. The NCSC said critical public services must be protected from disruption, while sensitive data also needs to be secured from being stolen in large volumes. Smart cities and connected rural environments promise a host of benefits for UK society, for instance, sensors will monitor pollution, real-time information on parking spaces, while cameras will track congestion and smartly manage traffic flow. However, another concern is the large volumes of personal information that will likely be collected by smart cities technology, which could erode privacy by allowing citizens to be tracked in greater detail than ever, or could be stolen by criminals or hostile states.

The NCSC's technical director, Dr Ian Levy, referred to Hollywood depictions of cyber-attacks on critical city infrastructure. He picked out the 1969 classic movie 'The Italian Job', where a computer professor switches magnetic storage tapes running traffic in the Italian city of Turin, which causes utter gridlock, enabling a haul of gold to be stolen by mini cars weaving through the traffic chaos. "A similar 'gridlock' attack on a 21st-century city would have catastrophic impacts on the people who live and work there, and criminals wouldn't likely need physical access to the traffic control system to do it" Dr Levy warns in a blog.

Is your Home Router a Security Risk?
Which? report claimed millions of UK people could be at risk of being hacked due to using outdated home routers. The consumer watchdog examined 13 router models provided to customers by internet-service companies such as EE, Sky and Virgin Media, and found more than two-thirds had security flaws.

Use of weak passwords was a common theme with the investigation, which concluded:
  • weak default passwords cyber-criminals could hack were found on most of the routers
  • a lack of firmware updates, important for security and performance
  • a network vulnerability with EE's Brightbox 2, which could give a hacker full control of the device
The routers found lacking in security updates included:
  • Sky SR101 and SR102
  • Virgin Media Super Hub and Super Hub 2
  • TalkTalk HG635, HG523a, and HG533
Which? computing editor Kate Bevan said that a proposed UK Smart Device legislation which would ban default passwords on routers "can't come soon enough. Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to update devices that pose security risks".

Eight Arrested in UK Smishing Fraud Bust
Eight UK men were arrested in an investigation into scam text messages. These scam text messages are known as "smishing" within the security industry, where text messages entice victims with a web link to either malware or malicious website, in a bid to steal personal data or bank details or to have the victim make a bogus payment. The suspects, in this case, were allegedly involved in sending fake messages posing as the Royal Mail, asking people to pay a fee to retrieve a parcel.

Colonial Pipeline DarkSide Ransomware Attack
A Russian cybercriminal group called DarkSide was said to be behind a devasting ransomware cyberattack that shut down a major fuel pipeline in the United States for several days. The cyberattack took down Colonial Pipeline's IT systems which manage a 5,500-mile pipeline network that moves some 2.5 million barrels of fuel a day from the Gulf of Mexico coast up through to New York state.  The cyberattack dominated media headlines in the United States, with US drivers warned not to panic buy petrol amid shortages in eastern states. DarkSide released a statement following the publicity, stated didn't intend to take the pipeline offline - "Our goal is to make money and not creating problems for society". CNN, the New York Times, Bloomberg and the Wall Street Journal all reported Colonial Pipeline paid $5 (£3.6) million in Bitcoin to Darkside

DarkSide is a ransomware-as-a-service platform, first seen advertised in August 2020 on Russian language hacking forums.  The service can be purchased by pre-vetted cybercriminals to deliver ransomware and to perform negotiations and accept payments from victims.  Following this attack, which garnered the focus of United States President Joe Biden and the FBIDarkSide promptly shut down its ransomware-as-service operations.

UK Foreign Secretary Dominic Raab also issued a warning to Russia on ransomware attacks, "Russia can't just wave their hands and say it's nothing to do with them", he said. "Even if it is not directly linked to the state they have a responsibility to prosecute those gangs and individuals." 

It was reported DarkSide had made at least $90m in ransom payments from about 47 other victims according to Bitcoin records. DarkSide is one of at least a dozen prolific ransomware gangs making vast profits from holding companies, schools, governments and hospitals to ransom.

Conti Ransomware takes down Ireland's Health Service
Ireland's national health service (Health Service Executive (HSE)) closed down its computer systems after reportedly being hit by the Conti ransomware group, with the cybercriminals initially asking for £14m ($20m) to restore IT systems. Ireland's Health Minister Stephen Donnelly said "the incident was having "a severe impact on health and social care services".   However, the ransomware group has since handed over software to release HSE systems for free, with the Irish government insists it did not, and would not, be paying the hackers.

Conti typically steals victims' files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors.  The FBI issued a warning in the United States about the Conti gang targeting at least 16 healthcare networks there. More than 400 organisations have been targeted by Conti worldwide.

The BBC news website debated whether paying ransomware should be made illegal in the UK, given it is not currently explicitly illegal for UK firms, and their insurers, to pay ransoms out to cybercriminals.

More Big Data Breaches
At least 4.5 million individuals had their personal information compromised after Air India was subjected to a cyber attack. Stolen details including names, passport information and payment details stretching back 10 years were accessed by the cybercriminals.

Check Point researchers reported Amazon Web Services System Manager (SSM) misconfigurations led to the potential exposure of more than 5 million documents with personally identifiable information and credit card transactions on more than 3,000 SSM documents. Check Point said they have worked with AWS Security to provide customers with the necessary information to help them resolve any configuration issues with the SSMs. Developers did not adhere to the AWS best practices.

Check Point researchers also reported that in analysing Android apps on open databases they discovered serious cloud misconfigurations that led to the potential exposure of data belonging to more than 100 million users. Check Point explained how the misuse of a real-time database, notification managers, and storage exposed the personal data of users, leaving corporate resources vulnerable to bad threat actors.

Stay safe and secure.


No comments: