Cyber Round-up for 3rd August
Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.
Security Breach @ Reddit
Another week usually brings with it another security breach; this week we have two, the first being the popular news and discussion forum Reddit. Reddit is essentially a message board system that enables its users to share posts, news, links and images, which are categorised by topic.
On 1st August Reddit disclosed that a hacker had gained read-only access to several of their systems, where they were able to access certain user data, as well as an old database backup from 2007 that contained copies of old salted and hashed passwords.
The attack, which happened between the 14th and 18th June, compromised the accounts of Reddit employees by taking advantage of an intercept flaw in the SMS-based Two Factor Authentication they were using.
Although Reddit did not explain exactly how the compromise took place, this provides a real-world example of the weaknesses of SMS messaging and raises the question of whether it should still be considered a trusted method for Two Factor Authentication. That said, although token-based 2FA should always be your preferred method, if there is no other option, SMS-based 2FA is still better than no 2FA at all.
If your details were affected by the breach, Reddit will be in touch with you shortly. As always though, if you have any doubt that your account may have been compromised you should change your password immediately. For Reddit’s full release on this incident please go to:
1.3 million fashion shoppers’ details exposed
The second breach this week involved the ecommerce website Fashion Nexus, and its sister company White Room Solutions.
Graham Cluley’s blog (see the link below) details this breach, in which the personal information and password hashes of approximately 1.3 million customers were exposed.
Affected brands include AX Paris, Jaded London and Perfect Handbags.
The Fashion Nexus website (http://www.fashionnexus.co.uk/) now includes a statement about this data breach.
NCSC published new Security guidance for Ubuntu Linux
As part of their EUD (End User Device) Security Framework the NCSC has published their latest guidance for Ubuntu Linux which has been tested with Ubuntu 18.04 LTS.
The EUD Security framework aims to provide low cost, simple and effective advice for securing End User Devices, by taking advantage of inbuilt features and security controls, without the need for expensive third-party products.
This guidance document provides recommendations that should be reviewed by administrators and risk owners to ensure that an agreed approach is taken that balances security with the business objectives.
Although initially defined for Government departments and authorities that operate using OFFICIAL and OFFICIAL-SENSITIVE information, this is good practical guidance that can be adopted by any organisation to implement or improve secure configurations.
SAMSAM the Ransomware that keeps on taking
Sophos have reported through their Naked Security blog that their continued research into the ransomware known as SAMSAM has uncovered new details suggesting its ransom demands have generated nearly $6 million since its first appearance in December 2015.
The SAMSAM ransomware is a sophisticated, evolving threat that is used in stealthy, targeted attacks with the intent of causing maximum damage to its targets. It was previously thought that healthcare and government departments were the prime targets, but Sophos state that:
“Based on the much larger number of victims now known, it seems that far from being unaffected, the private sector has actually borne the brunt of SamSam. Victims in that sector have simply been far more reluctant to come forward.”
SAMSAM uses common attack vectors that we have seen before in previous variants of ransomware, such as Dharma and Arrow (see our previous post Ransomware: Arrow). It uses Remote Desktop Protocol (RDP) combined with software like ‘nlbrute’ to compromise weak passwords and gain access to the target’s network. The human attacker then installs the malware, escalates privileges and spreads across the network to install multiple copies of the ransomware throughout the organisation.
Ensuring that management protocols (such as RDP) are not accessible from the internet, and keeping up-to-date backups, are key to protecting against this type of attack.
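Because SAMSAM’s initial access is password guessing over RDP, the telltale sign in Windows Security logs is a burst of failed logons (event 4625, logon type 10) from one source IP, sometimes followed by a success (event 4624). The detection below is an added example, not code from Sophos or Ironshare; it assumes a constructed, simplified CSV rendering of those events rather than a real event-log export.

```python
"""Flag RDP password guessing of the kind SamSam operators use (tools such as
nlbrute) from Windows Security events. Added example, not Sophos' or
Ironshare's code. Input is a constructed, simplified CSV rendering of events
4625 (failed logon) and 4624 (successful logon); logon type 10 is RDP."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample rows: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2018-06-14T02:00:01,4625,10,administrator,203.0.113.9
2018-06-14T02:00:03,4625,10,admin,203.0.113.9
2018-06-14T02:00:05,4625,10,backup,203.0.113.9
2018-06-14T02:00:06,4625,10,administrator,203.0.113.9
2018-06-14T02:00:08,4625,10,helpdesk,203.0.113.9
2018-06-14T02:00:11,4624,10,helpdesk,203.0.113.9
2018-06-14T09:15:00,4625,10,jsmith,192.0.2.20
2018-06-14T09:15:30,4624,10,jsmith,192.0.2.20
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=5)  # ... within this window = password guessing
def find_rdp_bruteforce(csv_text):
    """Return {source_ip: {...}} for every source whose failed RDP logons
    crossed FAIL_THRESHOLD inside WINDOW, noting whether a success followed."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, account, ip in csv.reader(StringIO(csv_text)):
        if logon_type == "10":                  # RemoteInteractive (RDP) only
            by_ip[ip].append((datetime.fromisoformat(ts), event_id, account))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, acct) for t, eid, acct in events if eid == "4625"]
        # Sliding window over the failures, oldest first.
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            start, end = fails[i][0], fails[i + FAIL_THRESHOLD - 1][0]
            if end - start <= WINDOW:
                # A 4624 after the burst means the guessing probably worked.
                success = any(eid == "4624" and t >= end for t, eid, _ in events)
                alerts[ip] = {"failures": len(fails),
                              "accounts": sorted({a for _, a in fails}),
                              "success_after": success}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A source that trips the threshold and then succeeds is the case to treat as a probable compromise rather than just noise; the single failure from 192.0.2.20 is an ordinary mistyped password and is not flagged.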
Cisco Talos Intelligence updates
Multiple Cobalt Personality Disorder
For the past couple of months, Talos has been tracking a number of email-based attacks that have been responsible for the spread of malware in a mix of targeted and widespread campaigns. Although not conclusive, there is evidence that links these attacks with the actor group known as the Cobalt Gang.
These attacks have been very sophisticated, not only using multiple infection methods but also combining multiple exploits, payloads and decoys over several phases of the campaigns to ensure success.
Initial infection comes in the form of email-based phishing attacks which use content taken from legitimate mailing lists and similar sources to convince users to click on links and download malicious PDF, RTF and Word documents that kick-start the infection.
The malware installs a backdoor with Command and Control, giving the attackers complete access to the infected device. It fingerprints the device (collecting information such as the operating system, installed software and user credentials) and sends this to the attackers, who can then attempt to compromise other connected systems.
Warning: this is a technical blog post, so not for everyone.
That’s it for this edition, but please stay tuned for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview
Ironshare – Security Simplified
Edition #2 – 3rd August 2018