Cyber Round-up

Cyber Round-up for 7th December

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.

Big Breaches in the Last Week

We have seen more big data breaches in the last week starting with the Marriott Starwood hotel chain that hit the news on Friday. With up to half a billion customers impacted, this stands as one of the largest breaches of personal information we have seen to date.

Marriott posted a notification on its news center website stating that an ongoing security investigation had determined that the Starwood properties customer database had been accessed by an unauthorised party. Worryingly, they found this unauthorised access had been in place for approximately 4 years, and during this time the actors had managed to both copy and encrypt data in order to extract it from the company’s network.

The leaked personal information included names, addresses, email addresses, passport numbers, arrival and departure information, as well as credit card information.

Marriott are working with law enforcement, and on a rolling basis are contacting customers that may be affected by the breach. A dedicated website has been set up to address questions that customers may have:

Following this were reports that the Q&A website Quora suffered a similar incident that has resulted in the compromise of personal information for approximately 100 million users.

Unauthorised access to one of their systems was gained by a malicious third party, with the possibility that they have managed to access all user account information, public and non-public content, and users’ encrypted passwords.

Quora are contacting affected users by email, while also providing an FAQ help page to answer questions in more detail.

If you believe you are affected by the breaches above, check your email for direct information from the company; contact your bank or credit card company to inform them and seek guidance on replacing your cards; and as a precaution replace your passwords for these sites, and any sites where you may have used the same email and password combination.

Importantly, if you have used the same password elsewhere, make sure you change those too, and remember: never use the same password twice.

Fight Festive Fraud

Staying with the Holiday Season theme of our last posts, we continue to spread the word about protecting yourselves online during the festive period. We kick-started this with our previous round-up posts on the 23rd November and 30th November, where we discussed the pitfalls of Holiday Season scams and what to look out for.

On the basis that any one of us could fall victim, Action Fraud in the UK, in conjunction with the City of London Police, has launched the Fight Festive Fraud Campaign to educate the public about the perils of online shopping fraud.

Action Fraud report that during the 2017 Christmas period over 15,000 shoppers were conned by fraudsters to the sum of approx. £11 million. Deals on electronics such as mobile phones and computer devices continue to be the most profitable for the fraudsters.

Please be aware of the heightened threat of fraudulent activity during the weeks before and directly after Christmas, and follow the advice provided by Action Fraud and our previous posts above.

Remember that if the deal looks too good to be true, it’s likely to be fake.

If you have been a victim of fraud, it is important to ensure that you report it to Action Fraud either online or by calling 0300 123 2040.

New APT Attack uses Flash Zero-day

The 360 Threat Intelligence Team have released a technical post on newly discovered APT attacks that take advantage of a zero-day vulnerability in Adobe Flash to compromise the victim. The attacks use malicious Word documents that are embedded with the 0-day exploit, infecting the target system by deploying a Remote Access Trojan (RAT) that can be used to gain access to and control the compromised target.

The Word document is sent to the victim as an email attachment which, when downloaded, executes the exploit code and deploys the RAT, before registering with the Command and Control service.

Once installed, the RAT uses stealth techniques, pretending to be a valid Nvidia graphics card or Microsoft OneDrive program, but investigation of the executables shows that their digital signatures have been revoked and are therefore not valid.

Adobe have released a patch for this vulnerability that can be downloaded from their website.

Users should always look to keep their software and operating systems up to date with the latest versions / patches and NEVER click on attachments unless they are expected and from a trusted source.

The Continued Rise of Fileless Malware

Cyber criminals are continually evolving their tactics, techniques and procedures to ensure that attacks gain increased levels of success while avoiding detection for as long as they can. Coupled with the realisation that the longer they remain undetected on a compromised device, the more profit they gain, this has driven the need for continuous improvement and change.

Fileless malware, although not new, has become a key malicious component in not only avoiding detection but also maintaining persistence on an infected device. Unlike file-based malware, fileless attacks do not have to touch the disk, allowing them to avoid detection by traditional security defences such as signature-based anti-virus.

A report by Malwarebytes Labs estimates that attacks using fileless malware have accounted for approximately 35% of all attacks in 2018, and that they are almost 10 times more likely to be successful in comparison to file-based attacks.

Many threats in the wild are currently using these advanced techniques, including the notorious Emotet banking trojan botnet and the ransomware variants SamSam and Sorebrect, all causing major damage around the globe. While Sorebrect is completely fileless, the others use fileless techniques to maintain post-infection persistence or to perform malware dropper functions.

Common fileless techniques include the use of PowerShell to launch administrative scripts on the infected system. Such PowerShell commands can be masked using Base64 encoding and hidden in the registry, to be read back and run later in memory without ever being written to disk as a script file.
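As an added example (not code from the original post, Malwarebytes Labs or any vendor), the Python script below shows how a defender can spot the encoded-PowerShell pattern described above in process-creation logs: it finds launches that use -EncodedCommand or its short forms, decodes the Base64 body (PowerShell encodes the script as UTF-16LE), and flags indicators such as Invoke-Expression, registry reads and hidden windows. The log lines and the encoded command are constructed samples; the log format is assumed.

```python
import base64
import re
from typing import Optional

# Constructed sample process-creation log lines (not from the original post).
# Assumed format: "<timestamp> <parent process> -> <command line>".
ENCODED_DEMO = base64.b64encode(
    "IEX (Get-ItemProperty HKCU:\\Software\\Demo).Payload".encode("utf-16-le")
).decode("ascii")
SAMPLE_LOGS = [
    '2018-12-03T09:12:01 explorer.exe -> powershell.exe -NoProfile -Command "Get-Date"',
    "2018-12-03T09:12:05 winword.exe -> powershell.exe -w hidden -enc " + ENCODED_DEMO,
    "2018-12-03T09:12:09 svchost.exe -> notepad.exe C:\\Users\\demo\\notes.txt",
]

# -EncodedCommand and its accepted abbreviations, followed by a Base64 blob.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicators are checked against the raw line AND the decoded script text.
INDICATORS = {
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "registry-read": re.compile(r"\bget-itemproperty\b|\bhk(?:cu|lm):", re.IGNORECASE),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "download-cradle": re.compile(r"downloadstring|invoke-webrequest", re.IGNORECASE),
    "nested-base64": re.compile(r"frombase64string", re.IGNORECASE),
}

def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries the script as Base64 over UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: report the launch, but nothing to decode

def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a PowerShell launch, or None for other processes."""
    if "powershell" not in line.lower():
        return None
    match = ENC_FLAG.search(line)
    decoded = decode_encoded_command(match.group(1)) if match else None
    haystack = line + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {"line": line, "encoded": bool(match), "decoded": decoded, "indicators": hits}

def scan(lines):
    """Keep only PowerShell launches that are encoded or trip an indicator."""
    return [f for f in map(analyse_line, lines) if f and (f["encoded"] or f["indicators"])]
```

Run against the samples, only the Word-spawned, hidden-window, encoded launch is reported; the plain Get-Date launch and the notepad process are ignored.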

If you are worried about the threat of fileless malware compromising your company infrastructure, then you should seriously consider an advanced malware solution such as Cisco AMP for Endpoints to defend against this threat.

BT Kicks Huawei from 5G Network

For some time now there has been talk around the security concerns of having Chinese products in the core of western national infrastructure or sensitive networks. These concerns are based on the possibility that products may have been modified for the benefit of the Chinese government, to assist in acts of espionage or state-sponsored cyber attacks.

BT have confirmed that equipment made by Chinese tech firm Huawei will not be used in the core infrastructure of the new 5G mobile network. In addition, they have also stated that all Huawei kit will be removed from the core of the existing 3G and 4G networks.

BT have had a long relationship with Huawei dating back to 2005, and although this decision not to use their core network products has been made, BT will continue to work with Huawei for antennas and other non-critical devices.

This follows similar moves by the US, Australian and New Zealand governments to restrict Huawei from their 5G networks, on top of mounting pressure from the UK intelligence services for a decision to be made on whether the UK will continue to use and trust Chinese-owned technologies.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe:

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment:


Ironshare – Security Simplified


Edition #20 – 7th December 2018