Cyber Round-up for 30th November
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.
Holiday Season Attacks on the Rise
Following on from last weeks round-up, where we warned about the increased threat of online shopping scams, Carbon Black have released a Holiday Threat Report on this years expected rise of cyber attacks.
According to the report, the Carbon Black Threat Analysis Unit (TAU) are expecting to see an increase of up to 60% in attempted cyber attacks in the run up to and during this year’s festive period. This increase is based on the intelligence gathered from their platform of 16 million protected endpoints, that saw a 20% increase in 2016 and a 57% increase of attempted attacks in 2017.
Analysis for 2017 shows a steady increase in attacks between Black Friday and Christmas Day, with the peak number of attacks occurring between Christmas day and New Years day, coinciding with the post-Christmas / boxing day shopping sales.
Shoppers are not the only target during this time of year though, businesses are equally in the cross hairs of attackers, as they look to expose them during this very busy period, when they are likely to be overworked, understaffed or both.
General Email Phishing attacks, along with more targeted Spear-phishing attacks remain the most common delivery of malware that leads to a successful compromise.
Remember to always keep an eye out for fake emails; look for spelling and grammatical errors; never click on a link or download an attachment unless you know for certain it’s from a trusted source; and if you receive an email from a company manager or director asking for you to do something unusual then ensure you follow-up with them in person or via phone to confirm it’s not a scam.
BBC Reporter Targeted by Sextortion Scam
There has been a lot of press reports recently on the growing rate of Sextortion scams currently doing the rounds.
Sextortion scams try to convince the victim that they have been recorded while visiting adult websites and demands a ransom to prevent the attacker from sharing the footage with friends and family.
BBC reporter Jo Whalley became a target, and although she knew that this must be a scam, she was surprised to find her real password provided by the scammers.
The video report on her investigation (linked below) provides a good summary of the scam, and how to check whether your password has been leaked, using Troy Hunt’s ‘Have I been Pwned?’ service.
York City Council App Blunder
Last week a vulnerability was disclosed in the One Planet York mobile application, that leaked the personal details of approximately 6,000 York residents. The One Planet York app, run by the York City Council, gave users information and advice on the local recycling and bin collection services.
A security researcher at RapidSpike found that when simply accessing the Leaderboard feature on the app, the API that powers the feature pushed the personal data of the current Top Ten users directly to the app in plain text (unencrypted and readable).
The pushed data included names, addresses, email, phones numbers, the users hashed password and the salt (a random piece of data used to increase the security of stored passwords). So far all very bad.
York Council worked with the application developers, quickly removing the app and its associated servers to prevent further data leakage. It has since been decided that the app will not be reintroduced, and users were advised to remove the app from their devices.
This week the situation took a dark turn when the City of York Council, reported the unnamed RapidSpike researcher to the police, claiming that they were not responsive, and it appeared to them that deliberate unauthorised access was used to determine the data leak.
RapidSpike have since responded with a post of their own, standing by the researcher, who not only followed the Councils own responsible disclosure guidelines, to inform them of the issue, but also responded within 18 mins of receiving an email from the Council.
An important point is that the researcher only had to access the Leaderboard feature and view the response, to access the data, meaning no vulnerabilities were exploited.
This always is a possible risk when it comes to security research, and a scary position for the researcher who did the right thing to privately report the leak.
A huge positive was the support from the North Yorkshire Police Cyber Crime unit who responded via their twitter account: “We are aware of the York ‘data breach’ but please be reassured we don’t regard this incident as criminal. We recognise the benefits of software vuln disclosure as part of a healthy security environment and the researcher has acted correctly.”
The latest blog post from the Talos Intelligence team covers a newly discovered campaign that’s been in operation across the Lebanon and the UAE, which to date has targeted government domains and a private Lebanese airline.
As its stands Talos believe this is a new actor or group, that is using fake malicious websites to advertise job opportunities to compromise its targets. The malware uses macro-embedded Office documents to deliver its payload, requiring the human victim to enable macros for the exploit to be deployed.
The malware dropped contains a Remote Administration Tool (RAT) and DNS capabilities for redirecting DNS traffic as well as tunnelling Command & Control traffic over DNS channels.
The DNS redirection attack has resulted in multiple public sector name servers being compromised, with the attackers repointing hostnames to IP addresses they control, in order to gain information such email or VPN credentials.
In summary this appears to be a new advanced threat actor or group, focused on hitting important targets. Organisation’s should ensure that they have strong protection in place to defend against this and similar threats. Cisco’s Umbrella and AMP for Endpoints security products provide the ideal protection against this type of threat.
The link below contains the full detailed technical information of the campaign including IOCs:
And that’s it for this week, please don’t forget to tune in for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview
Ironshare – Security Simplified
Edition #19 – 30th November 2018