Cyber Security Roundup for July 2021

    

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2021.

How was UK Government Building CCTV Leaked?

The Sun newspaper published CCTV workplace footage of Health Secretary Matt Hancock, kissing aide Gina Coladangelo on 6th May 2021, the fact both are married to different people fuelled several days of sensational headlines. Given Matt Hancock has led the charge on directing the UK's COVID rules, his position in government quickly became untenable, resigning a few days later after the story broke. However, the big security concern here, is how was internal UK government building CCTV footage obtained by an external reporter?  

CCTV Leaked from UK Gov Buildings is a security concern

The Northern Ireland secretary, Brandon Lewis, summed up the security concern when he said “the security and privacy of government business mean ministers need to understand how someone was able to access and record the footage and then share it with a newspaper. What happens in government departments can be sensitive, important and people need to have confidence that what is happening in a government department is something that allows the government to be focused on these core issues, and the sensitivity sometimes in the security sense of those core issues."

Matt Hancock's replacement, Sajid Javid, said the cameras in question had been disabled, while Justice Secretary Robert Buckland revealed he asked for his office to be swept for cameras. 

Multiple media reports seem to point to a Department of Health and Social Care (DHSC) employee that was behind the leak. The Mail on Sunday reported that the leaker sent messages via Instagram to the unnamed anti-lockdown activist. One said: “I have some very damning CCTV footage of someone that has been recently classed as completely f***ing hopeless. If you would like some more information please contact me.”And a further message said, “I have the full video … it’s now been deleted off the system as it’s over 30 days.”

The government announced it will be launching an internal investigation and inquiry into how the CCTV footage was leaked. Hopefully, this inquiry's findings will be publicly shared, I say hopefully as they don't have to make their findings public.

There was another security own-goal for UK Gov after classified Ministry of Defence (MoD) documents about the HMS Defender was found at a bus stop in Kent. The MoD said it is investigating "an incident in which sensitive defence papers were recovered by a member of the public".

Pandemic Homeworker Employee Spying

Sticking with the workplace spying theme, a French court has ordered Ikea to pay a fine of €1m after the Swedish furniture chain was found guilty of spying on staff in France. Ikea France was accused of using private detectives and police officers to collect staff's private data.

 

With so many more people working from home during the pandemic, employers have stepped up the extent to which they are monitoring their staff online. Not so many years ago, employees were having to adjust to having their work emails monitored, but that seems almost quaint compared to the digital surveillance we are seeing today. Dr Evronia Azer, from Coventry University’s Centre for Business in Society, says surveillance at work can make employees feel vulnerable, leading to reduced productivity. In a recent blog, she offers solutions to curb this trend. 

FIFA 21 Source Code Stolen

Game publishing giant, Electronic Arts (EA), reported a hack involving the theft of several of their games source-code, including FIFA 21, the source code of which has been offered for sale on an underground forum. While some 780Gb of EA data was stolen, EA said no player data had been stolen. "We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," an EA spokesperson said in a statement. "No player data was accessed, and we have no reason to believe there is any risk to player privacy," she added. 

FIFA 21 Source Code Stolen

EA said it had already improved security and stated that it did not expect "an impact on our games or our business". The "network intrusion" was not a ransomware attack and had happened recently, EA added.

Ransomware Update

JBS, the world's largest meat processing company, had some of its global meat production operations ground to a halt after its computer systems were attacked by ransomware. It was reported JBS paid a £7.8m ($11m) Bitcoin ransom payment to the REvil, a Russian linked cybercriminal group.  REvil had initially demanded $22 Million, and after paying the ransom, the attackers provided JBS with the decryptor.

REvil Ransomware Decryptor

The United States recovered most of the £3.1m ($4.4m) ransom paid to the DarkSide group, responsible for taking the Colonial Pipeline offline last month, an attack which caused several days causing fuel shortages in the United States. DarkSide is thought to operate out of eastern Europe and possibly Russia. Deputy Attorney-General Lisa Monaco said investigators had “found and recaptured” 63.7 Bitcoin worth $2.3m – “the majority” of the ransom paid. Since the ransom was paid thought, the value of Bitcoin has fallen sharply, so a hit has been taken on the recovered amount given the new poorer exchange rate.

 

Stay safe and secure.

BLOG

• Why Freelancers Should Prioritise Cybersecurity
• Top Cyber Security Challenges Post Lockdown
• Cyber Security Roundup for May 2021

NEWS

• Classified Ministry of Defence Documents found at Bus Stop
• UK Gov to Investigate How Internal CCTV footage of Hancock kissing aide Gina Coladangelo was obtained by the Press
• Gaming Giant, EA, Hacked and Source Code Stolen
• How Hackers are using Gamers to become Crypto-rich
• US Recovers $2.3 million of paid Bitcoin Colonial Pipeline Ransom
• Group linked to Russia is behind Hacking of World's Largest Meatpacking Company
• Meat giant JBS pays $11m in Ransom to resolve Cyber-Attack
• Digital ad Industry accused of Huge Data Breach
• Why Cyber Gangs won't worry about US-Russia talks
• Chinese Hackers used Pulse Secure Zero-Day Vulnerability to infiltrate MTA systems
• Irish Police to be given Powers over Passwords
• One Fastly Customer Triggered an Internet meltdown
• Costs from Ransomware Attack against Ireland Health System reach £435M
• Ikea Fined One Million Euros for Spying on Staff in France
• John McAfee: Antivirus software entrepreneur found dead in Spanish prison cell

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Patches 49 Vulnerabilities, 5 Rated as Critical
• Vulnerability in Peloton Bikes: Example of a widespread Security Issue
• 30M Dell Devices at Risk for Remote BIOS Attacks

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• ‘Nameless’ malware attacks 1.2TB database in the cloud

Cyber Security Roundup for May 2021

  

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2021.

Think Before You LinkedIn!

Business social media platform LinkedIn is being exploited by nation-state threat actors to target UK citizens.  The UK Security Service MI5 said 10,000 staff from every UK government department and from important UK industries have been lured by fake LinkedIn profiles. MI5 said the faked LinkedIn accounts are created and operation by nation-state spy agencies, with an intent to recruit individuals or gather sensitive information. MI5 released a campaign video called "Think Before You Link" to raise awareness of the threat.

The personal information of 11 million UK Facebook profiles were been found on a hackers website, with the social media giant seemingly dismissing the significance of the data within a statement, "This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019".  However, personal information is rarely historic data that losses significance to the person it is associated with. In this case, the leaked Facebook data included full names, locations, birthdates, email addresses, Facebooks IDs, and even phones numbers. Such personal data is unlikely to have changed for the vast majority of people in the last couple of years, therefore this data is of concern to its owners, and also remains of good value to scammers. You can check if your phone number or email address is part of this Facebook data leak and other data breaches on the Have I Been Pwned website. Facebook faces a privacy regulation investigation over this data breach.

The Ransomware Scourge

The Institute for Science and Technology 'Ransomware Task Force' (RTF), which is a collaboration of more than 60 stakeholders, finally released its ransomware framework, which comprised of 48 strategies to tackle the ransomware problem. “Ransomware attacks will only continue to grow in size and severity unless there is a coordinated, comprehensive, public-private response,” the 80-page report says. “It will take nothing less than our total collective effort to mitigate the ransomware scourge.” 

The RFT listed its top-five priority strategies, which are:

1. Co-ordinated, international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.
2. The United States should lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House. This must include the establishment of 1) an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; 2) an internal U.S. Government Joint Ransomware Task Force; and 3) a collaborative, private industry-led informal Ransomware Threat Focus Hub.
3. Governments should establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities; mandate that organizations report ransom payments; and require organizations to consider alternatives before making payments.
4. An internationally coordinated effort should develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks. In some under-resourced and more critical sectors, incentives (such as fine relief and funding) or regulation may be required to drive adoption.
5. The cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws.

The RFT report concludes, “Despite the gravity of their crimes, the majority of ransomware criminals operate with near-impunity, based out of jurisdictions that are unable or unwilling to bring them to justice. “This problem is exacerbated by financial systems that enable attackers to receive funds without being traced.”

The UK Government have chipped in £3.68 million of a £10.4 million bill for Redcar and Cleveland Council on the back of a ransomware attack that took the Councils IT systems down in February last year. The ransom was said not to have been paid by the Council, in a statement, LibDem Council leader Mary Lanigan said "No money was handed over to these criminals and we continue to hope that they will eventually be brought to justice.".  

A freedom of information request revealed the Scottish Environment Protection Agency (Sepa) spent £790,000 to recover from a Christmas Eve Conti ransomware attack. Cybercriminals stole over 4,000 files, but Sepa also refused to pay the ransom.

Meanwhile, on the other side of the pond, it was reported that Russian-speaking ransomware gang Babuk had infiltrated Washington D.C. Met Police, and with the gang threatening to disclose confidential information via Twitter, including suspected gang member informants. The REvil ransomware gang are also reported to be demanding a hefty ransom payment from Apple, else 15 unreleased MacBook schematics and gigabytes of stolen personal data would be leaked online. The ransomware gang said it was seeking a $50 million ransom to be paid by 27th April, else the ransom would increase to $100 million.

Millions in the UK Targeted by Malware via a DHL Scam Text Message

Millions of UK citizens received a scam text message (aka smashing) which impersonated DHL in April.  The message said "DHL: Your parcel is arriving, track here <link>". That link would attempt to install spyware called Flubot, malware designed to steal online banking data from Android devices. 

A Vodafone spokesman said, "We believe this current wave of Flubot malware SMS attacks will gain serious traction very quickly, and it's something that needs awareness to stop the spread". 

If you receive any Text Message which includes a web link, "Think before you Click!", and if you have any doubt about message origin, always better to stay safe and delete it, or to report the message to your network provider, by forwarding to 7726.

• NCSC advice FluBot: Guidance for ‘package delivery’ text message scam 

How Strong is Your Password?

Millions of British people are using their pet's name as an online password, despite it being an easy target for hackers to work out, according to a National Cyber Security Centre (NCSC) survey. The NCSC said 15% of brits use their pets names, while 14% use a family member's name, and 13% pick a notable date. A favourite sports team accounted for 6% of passwords, while a favourite TV show accounted for 5%.  Most concerning is that 6% of people are still using "password" as all, or a part of their password.

"Millions of accounts could be easily breached by criminals using trial-and-error techniques," the NCSC warned. The NCSC urges people to choose random words that cannot be guessed instead. An example they give is "RedPantsTree", which is unlikely to be used anywhere else online.

• Passwords are and have always been an Achilles Heel in Cybersecurity
• The Problem with Website Passwords (from Blog Post from 2009)

Stay safe and secure.

BLOG

• Which is more Important: Vulnerability Scans Or Penetration Tests?
• Should Doctors Receive a Cybersecurity Education?
• The Future of Service Management in the DevOps Era
• Flexibility and Security, You Can Have it All!
• Adapting Security Awareness to the Post-Pandemic World
• Important Strategies for Aligning Security With Business Objectives
• Building a Security Conscious Workforce
• Cyber Security Roundup for April 2021

NEWS

• Nation-State Threat Actors used Fake LinkedIn Profiles to Lure 10,000 UK Citizens
• Facebook details of 11 Million UK Users Found on Website for Hackers
• The Scottish Environment Protection Agency Spent nearly £800,000 on Cyber Attack Response
• Redcar Cyber-Attack: UK Government to Cover £3.68 Million of the Costs
• Ransomware Gang Babuk claims DC’s Metropolitan Police Attack
• Flubot: Warning over SMS “Package Delivery” Scam Message which Delivers Android Malware
• Ransomware Task Force releases Recommendations
• REvil seeks to Extort Apple and Hits Supplier with $50 Million Ransom
• Hackers Hit Nine Countries, Expose 623,036 Payment Card Records 

VULNERABILITIES AND SECURITY UPDATES

• More Critical Patches for Microsoft Exchange Server (Versions 2013, 2016, & 2019)
• Microsoft Warns of Damaging Vulnerabilities in Dozens of IoT Operating Systems
• Critical Microsoft Patches 108 Vulnerabilities, 20 Rated as Critical
• Unpatched Fortinet VPN Devices Vulnerable to New Cring Ransomware
• Microsoft SharePoint Vulnerability and China Chopper Web Shell used in Ransomware Attacks

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Hackers Exploit Unpatched Vulnerabilities, Zero Day to Attack Governments and Contractors
• Phishing Scammers imitate Windows logo with HTML Tables to Slip through Email Gateways
• Ransomware Group Targeted SonicWall Vulnerability Pre-Patch
• Malware Operators Leverage TLS in 46% of Detected Communications
• Pets’ Names used as Passwords by Millions, NCSC Study Finds

Cyber Security Roundup for May 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

As well reported, UK foreign exchange firm Travelex business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

Cognizant, a US large digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware.  Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack, not only encrypts victim's files but steals sensitive data from the IT systems as well. Enabling the bad guys to threaten the publishing of the stolen data if the organisation cough up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.

Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads  The blog covers ransomware payloads said to be straining security operations especially in health care, Microsoft warned, urging security teams to look for signs of credential theft and lateral movement activities that herald attacks.

Microsoft Blog Covering Various Ransomware Groups

Researchers continue to be busy in exposing large sensitive datasets within misconfigured cloud services.  In April researchers reported 14 million Ring user details exposed in misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant Nintendo said from April, its user's accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion had occurred, saying it “seems to have been made by impersonating login to “Nintendo Network ID. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues the company has abolished user’s ability to log into their Nintendo account via NNID and passwords for both NNID and Nintendo accounts are being reset and the company is recommending multi-factor authentication be set up for each account.  The account breaches weren't the only cyber issue affecting Nintendo in April, it reported that a bot, dubbed 'Bird Bot' was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot using reseller benefits at the expense of consumers, in buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, so making a quick and easy tidy profit, due to the current high demand of Switches and lack of supply.

April was a busy month for security updates, Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday for a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in illustrator and Bridge at the end of the month.  Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!  

Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.

There were security critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches for including a CVSS scored 10 (highest possible) in vCenter, a critical in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patch their vulnerabilities.

Stay safe, safe home and watch for the scams.

BLOG

• How Safe are Video Messaging Apps?
• Security Threats Facing Modern Mobile Apps
• How to Keep Your Video Conferencing Meetings Secure
• YesWeHack Cybersecurity Training Temporarily Free for Schools and Universities
• Cyber Security Roundup for April 2020

NEWS

• Travelex Paid $2.3 Million in Ransom to REvil Cyber Gang
• IT Services Firm Cognizant falls Victim to Maze Ransomware
• Nintendo Confirms 160,000 User Accounts Hacked
• Bug Brokers put Two Zoom Zero-Days on the Market
• 14 Million Key Ring Users Exposed in Misconfigured AWS Open Database
• Maropost Misconfigured Database with 95 Million left Open and Unsecure
• Fitness Software maker Kinomap leaves Database Open Exposing 42 Million Users
• BT Delays Removal of Huawei from EE's core Network by Two Years
• Huawei Warns cutting its 5G role would be 'disserve' to Britain

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Microsoft warns of Ransomware Attacks with ‘motley crew’ of Payloads
• Brute Forcing RDP Credentials on the Rise
• Emotet Banking Trojan possibly being Prepped for a New Attack
• Phishing Campaign aims to steal Zoom Credentials using Fake Layoff Notifications
• Interpol warns Hospitals about COVID-19-based Ransomware Threat
• Google Blocking 18 Million Coronavirus Scam Emails Every Day