We’re delighted to be able to share the latest developments and news relating to One Distribution and our network of solutions and services we represent. We also feature regular vendor / solution updates but you can also access our latest tweets and social media activity to keep your finger well and truly on the cyber security pulse.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Bullwall, Krontech, Fidelis analyse and highlight new techniques used by attackers over the last week.
In the spotlight
Universal Health Services, which is one the the largest healthcare providers in the US has been hit with Ransomware. The attack locked both computer and phone systems at multiple UHS locations across the US. Reports suggest that the type of Ransomware was the “Ryuk Ransomware” as users were displayed text referencing the “shadow universe”, a known action that the Ryuk ransomware takes. The impact on patient care is unknown as currently minimal information has been released. It doesn’t appear that any data has been stolen or breached at all in this case, just the old school standard Ransomware case of file encryption. As always, endpoint protection or EDR software cannot guarantee protection against ransomware attacks, but a last-line-of-defence Ransomware protection tool such as BullWall’s Ransomcare can spot not jut known threats but unknown threats by understanding the patterns that take place when a ransomware attack is underway.
A federal agency has fallen victim to a Cyber-espionage attack, the US CISA believe that the attacker’s way in was via a legitimate set of Office 365 login credentials, the username and password are likely to have been phished. From gaining access to their Office 365 account, they were able to do much more damage such as browsing SharePoint sites, viewing all emails, reading through chats on Teams, etc. The Attacker proceeded to download a file from SharePoint and launch a virtual VPN to the network. Once here, they use a known vulnerability to pull files across the VPN, they then set up a connection to a command and control server as a gateway for other malicious software to be transferred. Through doing this, the attackers were then able to exfiltrate data from the network – although it is not currently known what files or how sensitive they were. This attack is a classic example of how one set of credentials can cause disruption for the whole network. A simple enough fix is to use two-factor authentication, or better a full PAM solution such as Krontech’s Single Connect, which would have prevented this attack from going any further than one stolen set of credentials.
Chubb, the UKs largest fire and security firm were hit by the NetWalker ransomware, a strain of Ransomware that is very common across the world. The attackers claim to have successfully attacked the network and proved it by showing screenshots of the directories and other information that only someone with network access would be able to see. It is not yet known the extent of damage or cost.
A new variant of FinSpy has been identified, the spyware is able to access private data and record audio/video on Mac, Windows, Android, and Linux operating systems. The malware spreads by presenting itself as a Flash Player update, and then installs itself as root (with all privileges). Once the Spyware exists, it has the ability to run anything on the system and obtain any information it wants. A good EDR tool will stop these attacks as they are happening, and work to prevent future vulnerabilities – for this, it is a good idea to have an EDR tool that moves beyond just looking at signatures to stop known bad threats. Fidelis EDR is next-generation software that offers both protection and detection.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Krontech, Bullwall, Anomali, Zecops and Skybox analyse and highlight new techniques used by attackers over the last week.
In the spotlight
We often hear about attacks against public service organisations but do not often hear about severe repercussions as a result of an attack. A German hospital has recently been attacked with Ransomware, causing the hospital’s systems to crash, this led them to reroute patients to other hospitals, causing one patient to die. The attack was supposedly meant to take place against the university rather than the hospital, and when the attackers were contacted by the police and told this, they were quick to provide the decryption keys, however it was too late as patients had already been rerouted. It has not been disclosed who was behind this attack, however Ransomware software is easy to obtain, often by non-professionals (or script-kiddies) who do not think the attack through, such was the case in this attack. All organisations, public service or not should have adequate defences against Ransomware, especially due to the nature of the malware and how it spreads. Ransomware can also be introduced to a network in many different ways such as through cloud data services or USB cables/devices. A last-line-of-defence approach to stop the spread of Ransomware remains the best way to protect against it, Bullwall’s Ransomcare does this very well.
The university of Missouri healthcare department has also been hit with a Cyber-attack. The attacker gained access to some of the employee email accounts in May and it is not yet known how much patient data they might have had access to. The exposed data included names, dates of births, medical records, patient numbers and even social security numbers. A classic attack that we see a lot of, one that can often be stopped by identifying when an attacker is on the network. Often attackers leave traces behind, and these traces (indicators of compromise) can be picked up by various intelligence streams. For larger organisations it would be a good idea to feed these into a central TIP (Threat intelligence platform) such as Anomoli, which can take multiple intelligence feeds and compile them, giving a confidence score and other useful information.
The Covid-19 platform used by an Indian state has been breached, leaving over 8 million records exposed – these records were of those who tested positive for the virus. The code for the surveillance platform, as well as the admin login credentials were all listed in plain text on an unsecured code repository online. The exposed data contained names, gender, addresses, phone numbers and medical information. Unfortunately, there were multiple problems with how this system was configured, most importantly leaving the code exposed on a public forum. However, this breach could have been prevented if other measures were put in place, such as secure access management into the admin portal, which would have meant the code for the portal would still be available, but most importantly the admin login would be locked down. Krontech’s Single Connect would have been ideal in this scenario to provide privileged users with a secure method of connecting to this dashboard without needing to even know the password.
We recently reported on the Cerberus banking trojan after various attacks against banks. The source code of this trojan has now been released for free after an auction failed to reach $100K. The Cerberus trojan is launched on the Android operating system and is capable of intercepting communication, stealing banking credentials and other data by creating overlays on banking and social networking apps. The auction started at $50K but failed to reach the target, despite claiming the malware netted $10K per month. Although the malware is available for free now, there is not expected to be a rise in attacks, but we may see some new variants being created. Mobile device policies should be used across the organisation, whether the devices are company owned or personally owned. Another step to protect against mobile attacks is to have a DFIR system in place. There are not many offerings in this area for mobile devices, however Zecops can automate discovery, analysis, and disinfection of advanced attacks and provides intelligence for both Android and iOS devices.
A vulnerability has been found on servers hosting Active Directory that can give an attacker domain admin privilege. The vulnerability is based around encryption methods and sending certain data in an authentication response to the server, which in turn means AD passwords can be used from the hashes via a pass-the-hash attack, this can be done for all accounts including the domain admin accounts. Microsoft have released fixes to address the issues, and it is highly recommended to apply these patches to vulnerable devices as soon as possible, Skybox can help identify what devices require this patch and will prioritise patch management by combining threat-centric data, asset information and using business context.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Fidelis, Bullwall, Skybox, Anomali and Flashpoint analyse and highlight new techniques used by attackers over the last week.
In the spotlight
Microsoft have realised their September 2020 updates, and this batch of updates include patches for 129 vulnerabilities, which is a very large number. Of these 129 vulnerabilities, 23 are marked as critical and 105 are important. Microsoft however have said that all of these vulnerabilities are not currently being publicly exploited. With that being said, with these patches now being pushed out and made publicly available, more threat actors may look to exploit them in the hope that systems are not patched. Patch management and vulnerability assessment/control come hand in hand and the Skybox Vulnerability Control module can help prioritise vulnerabilities using threat-centric data and business context, alongside what is currently available or being exploited in the wild.
A database containing 2.4 million records of people has been leaked from a Chinese organisation “Zhenhua Data”, the organisation is believed to be linked to Chinese intelligence services. The database contained varied data including bank details, dates of birth, criminal records of politicians, lawyers, military personnel, and others – all Australian people. A lot of this data is publicly available, however there is also some private data that is raising concerns that China is developing a mass surveillance system, something that has been a worry for many western countries for a while now. Organisations should ensure that they have control of what data is leaving their network by using a data loss prevention system. Fidelis is one of the most fully featured network DLP solutions currently available and can help organisations overcome the problem of data leaks.
The UK National Cyber Security Centre has issued an alert to education establishments that they are seeing an increased number of attacks against this sector. The NSCS reported it has been seeing an increased number of ransomware attacks affecting schools, colleges, and universities since August 2020 – these attacks are likely due to schools starting again. Ransomware can enter a network in a number of ways, and many endpoint protection systems claim to protect against Ransomware, however they are relying on knowing about a particular strain of ransomware in order to protect against it. Instead it is better to have a last-line-of-defence solution such as BullWall’s Ransomcare, which also looks for the patterns that ransomware takes, such as file encryption or changes in extensions/file headers and can then intervene if a ransomware attack is suspected.
A new spout of phishing emails is doing its rounds, the “Emotet” emails are said to include malicious attachments or links made to look genuine, often including fake company documents such as invoices, CVs, scanned documents or COVID information. Phishing emails still remain the number one most common entrance point for malware and other malicious software. User training is obviously key to preventing this, however it is important to have a layered approach and use other technologies to step in should a user make a mistake. Organisations may choose to respond to cyber threats by using various intelligence streams, for example Anomoli is able to piece together indicators of compromise and show the source, severity and confidence level of threats, therefore creating an overarching umbrella of protection across the network to notice any threats coming in, not just from phishing emails but all threat sources.
The US presidential election, like other worldwide media heavily reported on is a prime event for attackers to disrupt. Microsoft has released a blog detailing the efforts Russian, Chinese and Iranian hackers have been making in an attempt to harvest log-in details, compromise accounts and gather intelligence or disrupt operations. With so much on the line, it is crucial that the organisations running these campaigns know what is being discussed and exploited in relation to their organisation and campaign. FlashPoint has hundreds of feeds across the deep and dark web and provides valuable insight in areas that are generally invisible to the public eye.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Flashpoint, Bullwall, Skybox, Silobreaker and Cyglass analyse and highlight new techniques used by attackers over the last week.
In the spotlight
The Argentinian immigration agency has suffered a ransomware attack that shut down the border crossing systems. The systems were shut down in an attempt to stop the spread of the ransomware. The Ransomware variant used is a known type called “Netwalker”. The group behind the attack requested a $2 million ransom to be paid in order for the decryption key to be handed over, this amount was doubled after the first week as it was not paid. Quite often Ransomware protection is put to the back of the priority list due to Cyber Security funding being assigned elsewhere, however it is not until an attack takes place that Ransomware protection becomes a priority. BullWall’s Ransomcare is a last-line-of-defence security control in place specifically to catch Ransomware attacks as they are taking place and isolate the device and/or user to stop the spread. The cost of downtime can be calculated using BullWall’s calculator (https://bullwall.com/solutions/rc/cost-of-downtime/pound/).
Windows Defender, a built-in end-point protection system for modern Microsoft operating systems has had an update that has given the software the ability to download malware onto the computer. The change means that the Microsoft anti-malware Service Utility can download files from remote locations if specific command line flags are used, meaning it is able to download malware. Microsoft Defender may still detect the malicious files downloaded, but by this point the malware could already exist on the computer. Having other endpoint protection tools may also block this type of attack, however we are seeing an increasing number of organisations using only Windows Defender. Understanding the patches you are installing onto machines is critical to protecting against current attacks and an intelligence platform can give you the visibility into these patches to help protect your network. Skybox and Silobreaker would be a good combination in this case.
Cybersquatting is a term not everyone may have heard of, it involves an attacker purchasing a domain that relates to an official organisation in the hope to either sell it to the official organisation for an overpriced figure, or to use it in fraudulent activities to trick customers into thinking the website is official. An average of 450 domains have been found each day to be under fake control, of which 37% were classified as high risk. These fake domains are used in phishing campaigns, as a way to distribute malware, unwanted programs, and many other malicious activities. User education will always be the best way to protect against these fake websites, however some are almost impossible to spot by the human eye. CyGlass however, can detect these with ease and can alert on them in real time, offering a failsafe in the event one of your users come across one of these websites.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Anomali, CyGlass, and Fidelis analyse and highlight new techniques used by attackers over the last week.
In the spotlight
The Qbot banking trojan has a new version that is doing its rounds, this time targeting email threats in Outlook to create personalized phishing emails based on the content of the emails themselves. The attack begins with phishing emails being sent to the victim’s Outlook inbox, much like the entry point for most cyber-attacks at the moment. The email contains a ZIP file or URL, that once executed installs the Qbot malware. This malware will then extract email threats to be used in future phishing campaigns. The malware also has the ability to steal information, conduct banking transactions and act as a dropper for other malware. There are plenty of opportunities to spot this malicious activity and having a system such as Anomoli can help find and respond to cyber threats by using various intelligence streams together with external content. It works by piecing together indicators of compromise, which for malware such as Qbot, there will be a lot of.
We have seen various attacks against AWS storage buckets recently. This week the Transport for New South Wales in Australia has been hacked and 50,000+ driving license records have been exposed. The data contained front and back images of driving licenses and scans of road and maritime data which included dates of birth and phone numbers. The attack occurred on an open AWS storage instance, likely to have been misconfigured. RangeForce offer invaluable training from beginner to expert, this training can help improve staff knowledge in technical areas including cloud computing and security configurations.
The Maze ransomware operators, which are one of the biggest operators active at the moment have breached the United Memorial Medical Center and added them to their “portfolio” on their data leak site. The group also leaked files which they claimed to have exfiltrated from the victim. One folder in particular contained sensitive patient records from patients living in the Houston area of Texas. Data exfiltration is becoming the preferred method for ransomware operators as gives greater leverage over simply encrypting the data. CyGlass is able to detect and respond to threats on the network by analysing what is normal and alerting on malicious activity, it also offers detection when data exfiltration is taking place, alerting on this in real-time.
Analysts at Flashpoint Intelligence have obtained a publicly available POC code that is capable of leveraging an internet explorer browser vulnerability (CVE-2020-1062). The analysts assess with high confidence that this vulnerability is likely to have a high impact, however they believe it may be a while before this vulnerability is actively exploited in the wild. Knowing about these vulnerabilities before they are exploited is key to protecting your network. Flashpoint intelligence platform can offer many insights into intelligence obtained from the deep and dark web and can help make business decisions and mitigate risk based on this intelligence.
“DeathStalker” a new threat actor group that is targeting companies in the financial and law sectors has been found to be stealing sensitive business information. Although the group themselves are not motivated by financial gain, they instead class themselves as “hacker-for-hire”, meaning that anyone is able to use their service to obtain business sensitive data from the victim. These attacks are often in form of APTs and can be difficult to protect against. A Defence-in-depth approach is best, focusing on network and end-point security. Fidelis would be an ideal platform to protect against these types of attacks, with their two main products Fidelis Network and Fidelis Endpoint which are able to actively hunt down these threats and alert on them.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Krontech, CyGlass, and Bullwall analyse and highlight new techniques used by attackers over the last week.In the spotlight
The NSA and the NCSC have issues warnings on the vulnerabilities of VPNs. With the huge increase in numbers of staff working from home and connecting into the business network using VPN connections, VPNs have been under more attack than ever before. Although most modern VPN software is secure and safe to use, it is only the case if they are properly configured. Many VPNs are left incorrectly configured or left with default passwords – especially if they were installed in a rush when the country went into lockdown. With that being said, VPNs can be complex and even experienced network engineers can miss something critical. VPNs, like all other network equipment should be regularly scanned for vulnerabilities and updated, this will help prevent any new exploits. VPN logs should also be regularly analysed, which can often be a daunting and manual task. CyGlass has a new approach to this problem and can identify threats on the network, whether they come through the VPN or not and can actively suspend user or VPN sessions. CyGlass uses machine learning to pick up on these kinds of anomalies.
The university of Utah has disclosed that it has paid a ransom of $457,000 to attackers. Student and employee data were stolen following on from an attack on July 19th, 2020. The ransom was paid not to un-encrypt their files but for the attacker to delete the stolen data, a method we are seeing more of in the world of Ransomware. Often ransomware is thought of as encryption software, but it is worth remembering that ransomware could be any malicious software that asks for a ransom amount to be paid for the act to be reversed. The most effective attacks are those that encrypt and steal the data, as this means they are more likely to be paid the ransom amount. Protection for such attacks comes in means of ransomware protection, such as BullWall’s Ransomcare, which monitors the file share for encryption that is taking place and can isolate the individual without the rest of the organisation even knowing the attack took place.
A Cryptominer has been found embedded inside an AWS application machine image (AMI), which was uploaded to the AWS community about 5 years ago. Official AMIs undergo security evaluations before being sold on the AWS store, however community submissions do not follow the same evaluations. The free AMIs are often used due to the vast number of different operating systems and software combinations, however in this case a cryptomining service that would generate bitcoin at the user’s expense was embedded. Attacks like these could remain un-noticed for many years, especially if no malicious activity is taking place. However, with many cloud environments, it is easy to analyse network and processing usage against cost, this should be reviewed regularly as activity such as mining cryptocurrency will largely increase cloud compute costs.
A new botnet has been discovered which is targeting SSH Servers around the world. The malware has been built to leave no traces on the infected machine and is actively attacking government, education, and financial institutions. This botnet works by brute forcing the password on millions of IP addresses, and is known to have successfully breached 500 servers so far. With the increase in use of IoT devices, many of which are configured or imaged very quickly, often using default or weak passwords. It is always recommended to use strong passwords and public key authentication when logging into devices, a password management or an access management tool can be the best way to manage and log into all owned devices. Krontech’s Single Connect has both password management and PAM capabilities amongst other built-in tools.
The “One Intelligence” weekly report is a high-level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Krontech, Fidelis, Picus, CyGlass, and Bullwall analyse and highlight new techniques used by attackers over the last week.
In the spotlight
It has been a while since we last saw a big fine due to a data breach, Capital One suffered a large data breach in 2019 and have just been hit with a $80 million fine. Capital One, a banking regulator were delivered the fine after neglecting security by not carrying out risk assessments after migrating data to AWS. This led to over 100 million customer details being leaked online, including social security numbers and bank account numbers. The threat actor is actually believed to be a former AWS employee and was able to gain access by exploiting a misconfigured firewall. Due to the complexity of the configuration when setting up an AWS S3 bucket, mistakes can often be made, and only one is needed for it to be fatal – it is not a process that should be rushed. Correctly managing access to the server is the best way to defend it, ensuring access management and multi-factor is in place. Krontech’s Single Connect is a full PAM solution with many unique features such as password management and session management, ideal when multiple users require access to multiple servers.
20GB of internal documents from Intel have been uploaded to a sharing site. The anonymous attacker claimed to have breached Intel earlier in the year, with some of the files marked as “confidential” and “restricted secret”, analysts have reviewed these files and confirmed they contain data relating to chipset designs. The attacker claims to have retrieved these files from an unsecured server hosted on Akamai, and although they were password protected, the password of “intel123” was able to open most of them. There are a number of areas that could have prevented this breach, mainly being strong passwords, but also a defence-in-depth approach and being able to detect this malicious activity on the network, something that Fidelis would be able to pick up on quickly with their NDR solution. Another approach would be to continually test the efficacy of security controls to be able to pick up on gaps in security, Picus offer a continuous breach and attack simulation platform that would identify any gaps in security and offer remediation steps. As with most breaches, usually the breach occurs due to a series of failures, stopping the attack at any of the failure points would be enough to have stopped the breach altogether.
Monsoon accessorize, a women’s clothing and accessories franchise based in the UK have been breached due to an unpatched version of a VPN server, the server contained a vulnerability (CVE-2019-11510), within the files leaked were internal files, customer information, business documents and more. Further information on the breach has not yet been disclosed but patching the vulnerability as soon as they knew about it would have stopped the breach altogether. Sometimes organisations find it hard to prioritise alerts and vulnerabilities as they find it hard to add business context to the vulnerabilities, usually meaning patching things in the wrong order. Skybox adds business context, asset information and threat information together to create threat-centric prioritisation.
In the past month, we have reported on vulnerabilities found in the Zoom and Slack communication tools. This week TeamViewer has released an update to a number of versions of their application to patch a vulnerability. The vulnerability related to how data is passed to the application as it is launched by a URI link, allowing the attacker to craft a malicious URI that is then ingested as a direct command, for example launching a connection to a remote server. A URI link (Uniform Resource Identifier) is the string of characters that unambiguously identifies a particular resource, often seen at the end of the URL. It is recommended to update your TeamViewer applications as soon as possible, but also to follow best practices when clicking URLs, however, as this vulnerability can also be launched via an invisible iFrame embedded into a legitimate, but compromised, webserver, URL inspection would be insufficient to detect this. The best way to protect against this sort of attack is to be spot the anomaly in the network traffic. CyGlass offer a NDaaS and would identify this and send the alert to the SOC team for investigation.
The Lockbit ransomware is doing its rounds amongst various companies in the US. The Lockbit ransomware, one of the first well-known Ransomware-as-a-Service (RaaS) has previously targeted Microsoft and US healthcare services. A report has suggested that there is an increase in use of this Ransomware, likely due to it being easy to purchase and use. We are seeing a lot of cases against medium sized organisations and tailored around COVID-19. BullWall’s Ransomcare is unrivalled in its ability to monitor file shares and detect/respond to an attack, isolating the attack to just one machine and user.
The “One Intelligence” weekly report is a high- level report designed to share intelligence about the most notable attacks, breaches, and malware. Hear experts from Anomali, Flashpoint and Silobreaker, analyse and highlight new techniques used by attackers over the last week.
In the spotlight
Several US government websites have been abused by attackers using open redirects. An open redirect means that the users are shifted to a different URL than the one they requested, but more importantly, the search engine results appear to go to the official websites but are then redirected without even actually hitting the intended website at all. In this case users were forwarded to various pornographic sites. The only way to prevent this type of attack happening is to ensure correct configuration of the site, and this often means training staff to know about such vulnerabilities. RangeForce is a unique technical interactive training platform where skills can be trained and put to test in most technical areas.
Canon (US) a company known and trusted worldwide has issued a company-wide notice informing employees that they were experiencing widespread system issues. A leaked screenshot shows a ransomware note displayed on one of the Canon computer systems, Maze ransomware was behind the attack and has been claimed by them. They managed to exfiltrate 10TB of data in total. This is not only a huge amount of data of varying sensitivity, but it is also embarrassing for such a large organisation. Maze are brutal with the way they operate, and if the victim does not pay the ransom, Maze will publicly distribute the stolen data on a leak site. This breach could have been due to misconfigured devices, non-patched devices or just lack of security controls, all of which should be a priority for an organisation of that size.
Researchers have discovered an unsecured data bucket belonging to IndieFlix (content streaming service) on a publicly accessible Amazon S3 storage server. We have recently seen many similar breaches likely due to the increase in popularity of cloud storage solutions. This breach contained some sensitive data such as movie agreements, tax requests, social security numbers and employment data, contact information for film professionals and countless thousands of hours of movie clips.
Another government organisation has had a data leak, this time the Government of Iran. The data contained sensitive information surrounding the ongoing COVID-19 pandemic, the leaked files revealed that the death toll in Iran stood at around 42,000 as of July 20th 2020, the figure reported by Iran’s government was only 14,000! The data leak was quite an embarrassment for Iran who have yet to report on it. For large, wealthy organisations such as governments, a good investment in security should always be considered, especially as they are a big target for attackers. In this case an intelligence driven cybersecurity solution such as Anomoli would have detected this threat before the attackers would have had a chance to take any data. We see too many cases where various security controls are “not needed” until a breach takes place.
Researchers at Trend Micro have identified a new backdoor vulnerability for web servers running PHP. This is a unique vulnerability as it has built-in ransomware functionality. The vulnerability, which is built around webshell, means attackers can launch other malware from a command line interface when on the web server. The ransomware component is allowing the attackers to encrypt the compromised machine without any separate malware – to protect itself from being detected by XDR solutions. This vulnerability shows the complexity levels threat actors are going to in order to remain undetected. Accepting that at some point you will be targeted is the best thing to do and have defences in place to block the attack when it does happen. BullWall’s Ransomcare is a unique offering that sits as the last line of defence and can stop spread of ransomware attacks, isolating the machine and user.
Popular network storage devices QNAP are at risk of being compromised with a vulnerability that is currently affecting over 62,000 devices worldwide. The QSnatch malware has features such as password loggers, credential scraping, SSH backdoor access and file exfiltrating abilities. It is being recommended that those running the vulnerable version should do a complete factory reset and then perform the firmware upgrade, else they risk leaving the device vulnerable. We do not often see attacks against these types of devices and therefore your security controls may not protect them in attacks, for this reason it’s best to have some kind of network security that monitors all network traffic for malicious activity such as CyGlass, which would easily pick up on the malicious activity taking place.
If you would like to learn more about One Intelligence technologies, please get in touch with one of the team via firstname.lastname@example.org
The “One Intelligence” weekly report is a high- level report designed to share intelligence about the most notable attacks, breaches, and malware.
In the spotlight this week, 17 million user details are for sale on the dark web stolen from popular travel site Couchsurfing. The Couchsurfing site enables travellers to seek out hosts who offer their couch for free, or if they are lucky, even a bed; however, the travellers have not been so lucky in this instance. It is not yet clear whether passwords are included, but names, email addresses and User IDs are all available. The database is currently on offer for $700 on hacking forums and Couchsurfing has confirmed the breach via a Twitter post, stating that the FBI is involved. For large organisations with millions of customer database records it is inevitable that they will be targeted. Flashpoint Intelligence offers various deep and dark web intelligence services and having eyes and ears on dark web is key to being alerted to these types of discussions in the early stages and ensuring there are appropriate defences in place should an attack occur.
Having an effective and well-thought-out development lifecycle is crucial for software houses. Source code to software development companies is like bread to a bakery – it is what they do. For that reason, keeping source code safe and secure should be a priority. However, as things move more towards AGILE development lifecycles, we can often see loopholes in the processes, meaning source code is exposed. In addition, source code often contains hard-coded passwords and potentially secrets to new, unreleased software. This week, source code from a wide range of companies has been leaked online, including big names such as Adobe, Disney, Microsoft, and Nintendo. Within the source code developer names and hard-coded credentials have been found. In the wrong hands this could have a serious impact on a company’s reputation and therefore process and training are key to getting it right. RangeForce delivers an integrated cyber security simulation skills and training platform, with a focus on Secure DevOps and many additional features, such as CyberSiege simulations to evaluate team skills.
A large German organisation, The Dussmann Group, which specialises in facility management has been hit with ransomware. The company has 64,500 employees in 22 countries and has reportedly had data stolen during the attack, including accounting information and AutoCAD drawings. The attackers have published ‘Part 1’ of the data leak in the hope that The Dussmann Group will pay them off, which is a method we are seeing more frequently during ransomware attacks. BullWall’s Ransomcare is a last-line-of-defence security package that monitors file shares, including SharePoint and any cloud file storage systems that operate on SMB level and acts when it sees malicious activity taking place in the share. This can be a very effective tool as we see more and more ransomware variants getting past the standard endpoint protection systems.
Researchers at Kaspersky have discovered new Malware framework called “MATA” which can target multiple platforms (Windows, Linux and MacOS) making it a very powerful threat. The threat actors behind the malware have been active since April 2018 targeting numerous different sectors. A defence-in-depth approach such as Fidelis is best to protect against such threats. Network and cloud traffic analysis across all ports and protocols, deep endpoint forensics and advanced deception techniques are all used to spot when an attack is taking place and with the possibility of multi-platform attacks, it is crucial to monitor different areas of infrastructure.
MaaS is a new term that follows the same suit as many others, this time meaning Malware-as-a-Service. Golden Chickens, a crime group operating a MaaS marketplace are a preferred service provider for top-tier e-crime groups on the dark web. The ability to purchase prebuilt malware is a dangerous and worrying trend for those who are likely to be targeted by cyber-attacks. Organisations should ensure that they have the necessary detection systems in place throughout their infrastructure to know when Malware has made its way onto the network, and more importantly (due to detection systems not guaranteeing detection), an intelligence platform such as Anomali’s Threatstream to understand when malicious activity is taking place. Threatstream automates the collection and management of your threat intelligence and disseminates it in real time to your security controls.
If you would like to learn more about One Intelligence technologies, please get in touch with one of the team via email@example.com
The “One Intelligence” weekly report is a high- level report designed to share intelligence about the most notable attacks, breaches, and malware.
One of the world’s largest providers of education software, Blackbaud, has been targeted in cyber-attacks. The US-based company was hacked in May and it is reported that at least ten universities, some of which are in the UK, have had student and alumni data stolen. The ransomware attack, in which Blackbaud ended up paying the ransom, not only encrypted data but also exfiltrated it too. Recently this type of tactic has been on the increase, as it gives attackers greater financial leverage. These attacks are becoming more complex and to truly stop them specialist software is needed, for example BullWall’s Ransomcare, which is a unique last-line-of-defence protection system or CyGlass, which has a key focus on understanding when data exfiltration is taking place.
The Premier League has announced that a cyber-attack has taken place during a £1 million transfer. It has not yet been confirmed which club was affected, but it is understood that attackers gained access to the emails of the Managing Director during the negotiations and if it were not for the bank intervening, the attackers would have successfully retrieved the money. The attack is likely to be the final straw for cyber security in sport, following on from scrutiny hi-lighting that the industry is well behind where it should be in terms of cyber security. Other recent attacks have seen turnstiles and CCTV systems being disabled due to ransomware and this comes at a time when sports teams and organisations are under immense pressure to bounce back after a long period of “downtime” during the COVID-19 pandemic. Sports teams are businesses and so it is essential they understand the threat landscape and follow cyber security best practice.
The Western Australian government has had over 400 web pages of medical data stolen and posted online, including personal health information. The attack was said to have been launched by a 15-year old, who most likely discussed this over the internet before the attack. The information was not only related to coronavirus, but also included data from several government agencies. When it comes to government agencies and data protection, it is imperative to have eyes and ears across the internet and understand what discussions are taking place that relate to the cyber security of all the systems an organisation employs. This can be done with Silobreaker or Flashpoint, which both make it easy to see a clear picture of the topics of discussion on the open and deep/dark web that may be relevant to the organisation in question.
Last week we reported on the recent Zoom vulnerabilities and this week another popular communication tool, Slack, has been hit. Over 17,000 credentials and 12,000 Slack workspaces are being sold on the dark web, with prices varying from $0.50 to $300 per credential. The key message here is that no systems are truly safe, and the more third-party applications we use the more we put ourselves at risk; however, standard best practices such as using unique passwords for different systems, 2-factor authentication and PAM systems can help protect against this kind of attack. Krontech’s Single Connect is an upcoming name in the PAM space and is a highly effective solution.
Globally, financial services is one of the most targeted industries, due to the nature of the business. The attacks are generally focused on entry via weak staff with phishing emails the most common and effective entry method for attackers. The industry must recognise this is a huge issue, as millions are spent on the latest security hardware and software, yet one mistake by a member of staff could mean that all the security systems are bypassed. User education is the best way to prevent this, as the methods and attacks are constantly evolving, and the malware and other malicious software is becoming more complex; however, the entry points are still the same. Every week we see news that the sophistication level of the banking trojan landscape is steadily increasing, and the takeaways are always the same – user education.
Most people reading this would have heard of a PoC when it comes to trialling software. The term is also used when vulnerabilities are in a stage where they are being discussed on the dark web but not quite proven to work effectively yet. It is at this time, when a PoC exploit is made available, that a series of attacks may be triggered as hackers test it out. This week saw a series of attacks against a vulnerability on SharePoint servers, .NET framework and Visual Studio. It is recommended that patches are kept up to date and reviewed daily, as the difference in patching on day one and day five could be critical.
If you would like to learn more about One Intelligence technologies, please get in touch with one of the team via firstname.lastname@example.org
The “One Intelligence” weekly report is a high- level report designed to share intelligence about the most notable attacks, breaches, and malware.
Zoom, the well-known teleconferencing application, has been under the microscope throughout the COVID-19 pandemic after some critical security flaws were discovered with the application. Initially there were theories that these were just rumours started by competitors, but Zoom quickly sent out a critical patch, which confirmed the problem. These issues subsequently pushed a lot of customers elsewhere to the point where Zoom was put on the block list by some organisations. Now the dust has settled, another vulnerability has been found for Windows 7 users using Zoom. The zero-day vulnerability allows attackers to access files on the system and, if the user is an admin, access the entire computer. The patch for this must be pushed out by Microsoft; however, technical support and updates have been phased out for the old operating system. It is not yet known whether Microsoft will fix this or just encourage users to upgrade to Windows 10. At this stage, the best thing you can do is to move away from Windows 7, and in fact some patch management systems are no longer supporting Windows 7 at all.
CheckPoint researchers have found a new variant of malware targeting android devices, which is one of the first to be seen with the objective of monetary theft. The malware, “Joker”, is capable of downloading other malware and subscribing devices to premium services. ZecOps has an interesting approach when looking for malicious activity, which means no patches or updates are required as it looks for crashes and mistakes in the code used by attackers. An intelligence platform such as ZecOps is one of the best ways to protect an organisation’s mobile devices from this type of attack.
Understanding your threat landscape often requires you to have visibility of what is taking place in the “wild” and one way to do this is by having eyes on the dark web. Flashpoint is an intelligence platform that looks only at the deep and dark web and provides insights into what is being discussed and acted upon that is relevant to your specific assets and business processes. In the case of a new family of ransomware named “Conti”, this was first discussed on the deep and dark web and is now active. The unique ransomware variant allows a threat actor to control how an attack takes place and can perform a whole host of attacks. In addition, the ransomware is capable of encrypting 32 files simultaneously using AES-256 encryption.
A slightly different ransomware encryption method has also been found this week. The AgeLocker ransomware uses Google’s Age Encryption tool, which was designed as a replacement for GPG to encrypt “files, backups, and streams.” Instead of using common standard encryption methods, such as AES or RSA, it uses the age command line tool to encrypt files, which uses three very secure algorithms making it virtually impossible to decrypt. The ransom note is sent to the user via email, rather than the more commonly used method of leaving the note on a file system. The amount charged to decrypt files is about $65,000, payable in bitcoins (7 bitcoins in total). As always, endpoint detection and response tools cannot guarantee detection of ransomware as they must first be aware that the ransomware exists. Alternative defence systems such as Bullwall’s Ransomcare can be used as a last line of defence and will detect the attack without having to know the signature or strain of ransomware, giving some confidence in protection against any future ransomware variants.
MGM, a very well known and reputable name in the hotel industry has had details of at least 142 million hotel guests put up for sale on the dark web, details of the breach and attack have not been disclosed fully but it is more than likely that the attacker was on the network for a long period of time in order to exfiltrate such a large amount of data. In most large scale breaches such as this, the attacker leaves behind traces of their movement and actions. Having an intelligence platform such as Anomoli to pick up on all indicators of compromise and understand what is happening would have helped identify an attack was taking place early enough to prevent a data breach.
Silobreaker have released information showing that discussions around vulnerabilities in Windows Servers have been trending this week. Likely because of a series of vulnerabilities found, one of them being a 17-year old DNS bug that allows attacks to gain domain admin privileges into the network. The “SigRed” vulnerability (CVE-2020-1350) affects all servers between 2003 and 2019. It works by sending a crafted DNS request to the Windows DNS server, allowing them to be able to input code to execute. The vulnerability is even more critical as it can also spread through the network without the need for human interaction (worm capabilities). It is obvious that this should be patched on all Windows servers, but you can also set a limit to the size of DNS messages which should help eliminate the chances of a buffer overflow which would take place during an attack.
F5 have released a critical patch for their BIG-IP devices. A vulnerability that allows for remote code execution (including Java scripts) without any authentication has been found. This vulnerability has been marked as critical and multiple security researchers have been able to prove its effectiveness. This patch should be applied immediately for anyone with an affected device, even more so because this vulnerability is now being discussed widely on the open web, meaning more threat actors are likely to use this vulnerability. It really is a race against time as soon as these critical vulnerabilities are discussed on the open web. Progress of the growth’s discussions and use can be tracked using Silobreaker, a well featured open-source intelligence tool. And of course, having a patch management system has never been more important. It is best to have an intelligent system that prioritises vulnerabilities based on your assets and network information, a tool such as Skybox would do this well.
Cyber Espionage, a term many may not have heard of before. Cyber Espionage is the act of stealing classified or sensitive data to gain an advantage over a company or government. In some cases, this type of attack has influenced outcome of elections, caused havoc during international events and much more. PROMETHIUM is a threat actor that has been linked to Cyber Espionage attacks since 2012, they specialise attacking state-sponsored operations. They have recently added four new trojanized applications to their arsenal, including FireFox. This means anyone who downloads this infected version of Firefox is at risk. Infected systems can then be used to contribute towards the espionage or be turned into part of a larger botnet of machines that can be controlled by the threat actors. Whilst not all malware is detectable right away, potentially because the malware hides itself – it will still leave traces of its existence behind, so it’s important to use intelligence software such as Anomoli to pick up on the indicators of compromise and alert where necessary.
Another big name in security has recently released some patches to address an issue allowing threat actors to bypass the authentication of the device. Palo Alto Networks have released these patches that affect a number of different PAN-OS versions between 8.0 and 9.1.3. This vulnerability allows anyone to obtain admin access without any authentication at all, which is obviously a problem. Palo Alto themselves have rated this vulnerability at 10.0 on the CVSS base scoring system, which is the highest possible criticality. There are a few workarounds that can be put in place if the patches cannot be fixed right away, such as disabling SAML authentication. As always it is best practice to keep up to date with the hardware and software you use as an organisation.
A Texas-based health clinic is informing 19,000 of its patients that there has been a potential data breach. The breach took place via a phishing attack against an employee’s email account. The data includes names, dates of service and more importantly, health information. Although this type of attack is taking place every day, this organisation could potentially go under due to this breach. It’s important to get the balance right between what you need to buy in order to secure your network, but also what you need to train your staff – oftentimes we are seeing all existing security controls bypassed because the weak link was the user operating the computer systems. There are protection methods available to try and help in cases where a user has fallen for a phishing scam, however protection cannot be guaranteed and therefore end-user training is crucial. A last line of defence in these situations would be to have the ability to stop data exfiltration, Cyglass can spot when a data exfiltration attempt is taking place and stop/alert on it.
We have seen several Ransomware attacks that are taking place on suppliers. If one of your suppliers has access to your data and gets hit by a ransomware attack, your data will be also be attacked. Proper vetting on your suppliers and knowing what systems they have in place to protect against these types of attacks is obviously a key part to ensuring your data is kept safe, but there are no guarantees that perhaps a new strain of ransomware might come out that they are not protected against. BullWall’s Ransomcare however looks at the behaviour of a ransomware attack rather than for specific strains, meaning that if configured properly it protects against future ransomware strains. A system such as this would protect your data whether it is being used on your device or your supplier’s devices as it looks at the actual file share rather than end devices.
iOS 14, a not-yet publicly released operating system for iPhones, has a new functionality that warns users when an app reads the contents of the clipboard. The operating system is currently available to developers in the BETA program. TikTok, a popular social media platform, has been found to be accessing clipboard information after users received warnings. With many iOS devices used as business phones, data security and privacy are huge concerns. Apple also has the functionality for Mac or iPads to share a clipboard with iOS devices, meaning items copied on a Mac/iPad could also be read by TikTok. Organisations should ensure they are putting measures in place both to prevent users copying sensitive information, and to ensure updates are installed as soon as they are released.
An unnamed Chinese bank is implanting backdoor trojan software onto target systems that use their official tax software. The software called “Intelligent Tax” allows companies to pay tax but also installed the GoldenSpy trojan with system level privileges. These attacks are said to have targeted Western organisations and so far, two UK-based companies have found the trojan on their networks, which enables commands to be executed remotely, as well as the uploading/downloading of other payloads. Organisations should always ensure that the software they are using comes from trusted sources. As an additional measure, an intelligence service such as Flashpoint will monitor discussions on the dark web about any apps that an organisation is using. As with all threats, a layered defence approach is best and a system like Anomoli gives good visibility, as it monitors all indicators of compromise throughout the network.
The most recent large firm to be hit by ransomware is LG Electronics. The operators of the ransomware collected over 40gb of data relating to ongoing projects with several US companies and released screenshots and stolen emails to prove the legitimacy of the breach. This type of ransomware has been seen a lot recently (Maze Ransomware) and uses exposed remote desktop connections to operate. Ransomware is an ongoing threat for all organisations and having endpoint protection is not always enough – specific ransomware protection such as Bullwall’s Ransomcare product works differently and ensures protection against both current and future strains of ransomware.
There was another report concerning web application security this week with hackers exploiting Google’s analytics services to steal credit card information from infected e-commerce sites. Threat actors were able to inject data-stealing code onto the compromised websites in combination with tracking code generated by Google Analytics, allowing them to exfiltrate payment information, even where security policies are set for maximum protection. There are several recommendations to protect against these types of breaches, the main one being to avoid installing web apps and components that are not needed or are from untrusted sources.
In April, Australia’s government called for an investigation into the origins of the COVID-19 virus, accusing the Chinese of engaging in ‘economic coercion’. Australia has also claimed that a foreign threat actor has been targeting its government, business, and public services in coordinated cyber-attacks. It is not confirmed that these attacks have been launched from China, but with tensions running high between the two countries it is thought that they are most likely to be originating from there. The previous year, the Chinese were believed to have targeted the Australian parliament and political parties in the lead up to a general election – a lot of this information is being discussed on the open web and can be seen clearly with a tool such as Silobreaker. Having a defence-in-depth approach is the best way to protect from Advanced Persistent Threats (APTs), focusing on network and host-based security. Picus, a breach and attack simulation tool can offer great visibility and defence against APTs and similar attacks to nodes within a network.
Cognizant, one of the largest IT managed service providers in the world, was recently in the spotlight due to claims it had been hit with Ransomware and a data breach. After releasing a statement and contacting customers to let them know that no data was breached, the company was more recently forced to admit that threat actors did indeed access sensitive customer data. Threat actors had network access weeks before any file encryption took place, so the real damage is unknown. With a tool such as Anomoli, Cognizant would have been able to spot indicators of compromise and traces left behind by threat actors, making the business aware that an attack was taking place. Once encryption has started, it is crucial that the Ransomware is detected as early as possible. Traditional antivirus and endpoint protection may not have picked up on this, but a last line of defence tool such as Ransomcare by Bullwall would have done. Cognizant has since been offering credit and identity theft monitoring services to the individuals affected.
Google’s Play Store has recently removed 38 apps that were associated with threats relating to ad fraud. The apps bombarded users’ devices with fraudulent advertising and in total had more than 20 million downloads. It can be difficult to identify when attacks such as these are taking place, but as always with non-legitimate software there are traces and mistakes left behind. These are easily picked up by a tool such as ZecOps which specialises in finding attackers’ mistakes to identify when malicious activity is taking place.
Telegram, an online messaging application has had one of its databases containing 900MB of user data leaked onto a dark web forum. The database includes phone numbers linked to millions of Telegram accounts. The source of the leak is still unclear, but the data was confirmed to have been collected using the Telegram contact import function. It is likely that an attack such as this was discussed and planned on the dark web prior to taking place. Having intelligence in the dark web by using a tool such as Flashpoint intelligence allows organisations to be better protected against these potential attacks.
ESET researchers have discovered that the InvisiMole threat group has created an improved toolset targeting diplomatic and military entities in Europe. InvisiMole distributed its backdoor payloads using a .NET downloader and leveraged vulnerabilities (EternalBlue and RDP vulnerability BlueKeep) to spread across networks. The group used stolen documents and modified them to act as trojans that would later install the payloads when executed. Having a patching schedule in place across all networked devices is crucial, even if not exposed to the internet. Skybox can help understand and visualise attack surfaces and vectors to prioritise patches based on several different factors. In this case, behavioural monitoring capabilities, including detecting when files and data are accessed outside of normal working hours would have been beneficial.
The sixth edition of the “One Intelligence” weekly report is a high- level report designed to share intelligence about the most notable attacks, breaches and malware. Here experts from Anomali, Flashpoint and Silobreaker, analyse and highlight new techniques used by attackers over the last week.
It is not unheard of for malware to sit undetected for months, sometimes years as an attacker slowly navigates their way around the network and infects different systems as they go (lateral movement). This was the case in a recent data breach on Austria largest ISP. It was reported that the malware went undetected for a month, infecting 27,000 systems, 12,000 of those being servers. The attacker was able to run database queries on the backend systems. The clean-up operation took 6 months, with the security team working to try and find and remove any backdoors that had been created into the network. It is likely that the malware would have left traces that should have been flagged on any threat intelligence platform (TIP) such as Anomoli, who look for indicators of compromise and piece these together to understand whether an attack is taking place or not. In this case, the ISP was in the dark. The attack is said to have been carried out by a Chinese APT that is well known for targeting large telecom providers.
The City of Knoxville, Tennessee is in the news this week due to a Ransomware attack that went unnoticed until multiple systems had been encrypted. The strain of Ransomware is unknown, and it is also unknown as to how the ransomware spread. With most cases of ransomware, an issue is usually reported by a user who attempts to open a file but finds out it is encrypted and then reported to IT. This sometimes takes hours to take place and by then the ransomware could have encrypted the entire network – with modern high-speed networks you can expect to see 7000-10,000 files encrypted per minute. It is imperative that the spread of the ransomware is stopped as early as possible and to do this, Ransomware protection is advised, such as BullWall’s Ransomcare. In some cases, a simple Anti-virus or Endpoint solution will not be enough to prevent a Ransomware outbreak, as they rely on knowing that a strain of ransomware exists before they can protect against it, this new patch then needs to be rolled out to the endpoints to protect them. Protection specifically for Ransomware works by looking at file changes and additions and looks for patterns that indicate a Ransomware attack is taking place, meaning this will stop any new strains despite whether they are a zero-day attack.
The deep and dark web is usually the place where discussions are held on new types of Cyber attacks and methodologies, sometimes these are discussed months prior to an attack taking place. Often these attacks are crafted specifically for a purpose, such as an individual planning an attack against an organisation. For that reason, having eyes and ears on the dark web is just as important as having eyes and ears on the open web. Flashpoint intelligence does this by embedding themselves into the dark web communities to extract useful intelligence data. For example, Flashpoint analysts can see chatter about vulnerabilities before they are exploited, very handy for organisations to spot this and patch against them before attacks take place. Such is the case for CVE-2020-2883, where chat has included sharing of related news articles and proof of concept code to exploit this vulnerability.
Security researches at ZecOps have discovered a critical vulnerability affecting the SMB protocol on Windows devices. The vulnerability allows for kernel memory to be leaked remotely, which can then be paired up with previous vulnerability SMBGhost to achieve remote code execution. As with most findings by security firm ZecOps, the vendors are quick to listen and act on reported vulnerabilities. Microsoft added this patch into their June 2020 update (which in total has patches for 129 vulnerabilities). Having a good patching schedule is always a good idea, or even better a platform that will analyse the vulnerabilities/patches against your devices and their properties (internet-facing, public servers, etc) and prioritise which vulnerabilities you should patch first. Skybox’s understanding and contextualisation of security controls and network configuration offers customers an unparalleled insight into patching prioritisation.
Silobreaker, an Open-source intelligence platform regularly reports on topics that have been mentioned more than usual, for example this week VLC Media Player has been discussed a lot on the open web. Though this might mean nothing to most people, Silobreaker can be tailored to meet the intelligence needs of the organisation, giving insights into hot topics relating to the organisation. This type of intelligence is becoming increasingly popular as it would be impossible for a human to scan the whole internet for discussions on particular topics. Although Silobreaker is a security intelligence tool, it can be used for a huge number of things, market intelligence and competitor analysis just to name a couple.
The fifth edition of the “One Intelligence” weekly report is a high- level report designed to share intelligence about the most notable attacks, breaches and malware. Here experts from Anomali, Flashpoint and Silobreaker, analyse and highlight new techniques used by attackers over the last week.
Financial data shows a 50% growth in the use of mobile banking since the start of 2020 and we are expecting to see a corresponding increase in number of threat actors targeting these platforms. The FBI has warned that they expect attacks to utilise app-based banking trojans and fake banking apps to target customers. The security of mobile devices has been questioned for a while now, with a huge amount of sensitive data being used and stored on them. A security platform such as ZecOps will look at the underlying system logs of the device and can indicate whether the device has been compromised or not, something no other security organisation is doing.
Conduent, a large US-based business process services company has been hit by Maze, a strain of ransomware that is already well known across the world. The operators of this attack leaked 1GB of data from Conduent’s network on the website, stating that they had stolen sensitive data and had encrypted devices. It is thought that they leveraged a vulnerability in a Citrix server that allowed for remote code execution, followed by lateral movement to collect data, and encrypt drives. Several security systems could have prevented the spread of this attack, such as ransomware detection (Bullwall) to stop file encryption and to alert on an attack and a proper patching schedule and configuration management system, such as Skybox.
The recent death of a US citizen has sparked global uproar and wherever there is a big worldwide news story, there are opportunities for threat actors to take advantage of the situation. Far-right extremists across the world discuss have begun to discuss this on both the open web, and deep and dark web. There is the potential for the acceleration of violence via various online communities that are using acronyms such as “ACAB” (All Cops are Bastards), which is causing an increase of violence against law enforcement. It is important for public-facing organisations to understand how the discussion of violence and extremist communications could affect them, and with the use of Silobreaker (for open web discussions) and FlashPoint (for deep and dark web discussions) business decisions can be made around this topic.
One of NASA’s IT contractors (Digital Management Inc.) is said to have been breached, when the network was compromised by the operators of the DopplePaymer ransomware. The group leaked 20 files onto its dark web portal to prove legitimacy of the compromise. The data leaked included HR details, project plans and employee records. The breach not only hit NASA, as a total of 2,500 servers and workstations within the Digital Management Inc. internal network had been encrypted and held at ransom. The attack is likely to have entered the network through a phishing attack and side stepped through the network to get to the sensitive systems. Early detection of such attacks would have given Digital Management Inc. the information to stop the attack before too much damage was done. A system such as Anomoli would look for early indicators of a compromise and alert where necessary. Anti-virus and endpoint protection software could be used but cannot guarantee prevention of ransomware, as new strains of ransomware can sometimes take weeks to be patched. A last line of defence system, such as Bullwall,would provide a more reliable prevention technique as it looks at the file headers, extensions, and patterns despite the strain of ransomware, so can stop new strains from day one.
A data breach linked to the Spanish language e-learning platform 8Belts, has exposed PII data of its customers. The breach was a result of misconfigured AWS systems, and affected many hundreds of thousands of users around the world. It is critical to ensure you regularly review the configuration of all hosted systems. A defence-in-depth approach is the best way to defend against advanced attacks, which means having layered security infrastructure to protect against each phase of an attack.
Our fourth weekly edition of the “One Intelligence” report is a high-level report designed to share intelligence about the most notable attacks, breaches and malware that experts from Anomali, Flashpoint and Silobreaker, who have analysed and highlighted new techniques used by attackers over the last week.
With healthcare-related organisations now in the spotlight across the world, there is a large market for stolen data on both the deep and dark web. These data sets include data from health insurance organisations. Generally, the data obtained from breaches, compromised remote desktop protocols and ransomware. The healthcare industry is notorious for being behind with security, patching, hardware etc and therefore, is easily targeted. Due to the nature of healthcare organisations, significant volumes of PII data on patients is retained, in addition to financial records when healthcare insurance is concerned. This data is an attractive and easy target for threat actors who have been selling the exfiltrated data on the deep and dark web for approximately $0.50 to $1.00 per medical record; however, some posts in early 2020 advertised the medical data for around $2.00 per record. With healthcare organisations being pushed both physically and financially during the first half of this year, they are prime targets for cyber-attacks.
A US-based marketplace for independent artists has disclosed a data breach after a hacker sold a database containing 5 million user records on a dark web marketplace. Exposed data includes names, email addresses, hashed and salted passwords, billing addresses, and more. There is a constant stream of data breaches that are disclosed publicly, all this information can be seen using tools such as Silobreaker.
There has been an alert about malware found in Java projects that can run on Linux, MacOS and Windows operating systems. Vulnerability is in an IDE named NetBeans. Once the user downloads a repository, the malware infects the local machine and spreads into other Java projects, the next step of the malware is to download a Remote Access Trojan, which sniffs for confidential information, including source code, which if exfiltrated could be a huge issue for software development organisations. There are a few things to help in spotting attacks like these. Anomoli can spot the indictors of a compromise early on and if the attack gets to data exfiltration stage, CyGlass is able to alert and stop these kinds of attacks.
Microsoft’s IIS servers have been exploited due to a critical vulnerability allowing threats actors to host a cryptominer on the server. The vulnerability allows attackers to gain backdoor and shell access in just two steps. With such a simple attack, it is imperative to ensure a patching schedule is in place and adhered to.
WordPress is yet again being targeted with over 130 million attacks hitting 1.3 million WordPress sites. These attacks attempted to download a file critical to the WordPress installations, which contains backend database credentials, connection information, unique keys, and salts. WordPress has come forward and stated that the attacks are linked to an attacker who previously launched a similar scale attack targeting cross-site scripting flaw. WordPress is quite often left unpatched, meaning that a huge number of websites and backend data are exposed. Several discussions on this matter have been seen on the internet. These attacks can be seen using tools such as Silobreaker.
There has been a critical update released for iOS and iPadOS devices, related to two vulnerabilities in the default email application. These vulnerabilities allow threat actors to corrupt and modify memory or terminate applications. All devices running iOS versions 3.1.3 up to 13.4.1 are vulnerable. Apple has patched these upon the release of 13.5. Forbes reported on these vulnerabilities which were initially discovered by ZecOps and reported to Apple directly.
Welcome to our third edition of the “One Intelligence” Weekly Report. This high-level report is designed to share intelligence about the most notable attacks, breaches and malware that experts from Anomali, Flashpoint and Silobreaker, who have analysed and highlighted new techniques used by attackers over the last week.
Several financial technology applications are said to be targeted, as threat actors on both the deep web and dark web express interest in buying and selling accounts for such applications. Some of these apps are dedicated to personal finance activities and often contain highly sensitive data. The data retrieved from these apps is also being used as a method of payment on the deep and dark webs. Although the financial technology apps are apparently not being targeted any more than the traditional financial institutions, these types of applications contain payment details, mortgage details, credit card information etc that can be exploited for fraudulent purposes. Organisations that have had a significant number of fraud-related references across the deep and dark webs include Credit Karma (previously Noddle), Plaid and Square Cash. It is recommended that passwords for all online accounts are updated regularly to prevent access in the event of a password leak. Learn more about Flashpoint’s Intelligence Platform.
Another large financial and retail technology company Diebold Nixdorf (a major provider of ATM machines) was hit by a ransomware attack earlier this month. The group behind the attack, ProLock Ransomware, is a relatively new group that uses phishing emails to gain initial entrance (as with most ransomware). It then uses incorrectly configured Remote Desktop services and attempts to steal login credentials for networks using only a single authentication method. Once the attackers gain access, they then identify backups, including Microsoft’s built-in shadow copies, and aim to delete or encrypt them, making it more difficult to restore the data. Many ransomware variants are now stealing data before they encrypt it to use against the organisation in an attempt to obtain the ransom amount. It is not yet known how much this has cost Diebold Nixford. Learn more about the last line of defence from BullWall.
A new variant of the information stealing malware family “racoon” has been discovered. These new variants are said to impersonate popular legitimate programs such as Revo Uninstaller. The latest version aims to collect sensitive data, as well as capturing the screen and collecting keystrokes of the users. PowerShell scripts are used to disable Windows Defender and modify various registry key values to remove the admin prompt that would usually be displayed when making changes to the system. These new techniques are forever changing and becoming more complex and the best way to prevent them is to spot the indicators of compromise early with systems such as behavioural analysis defences. Anomali arms security teams with machine learning optimised threat intelligence and identifies hidden threats targeting their environments.
Since last week’s report, Adobe has released another set of critical patches for its products, this time including Character Animator, Premier Pro, Audition and Premiere Rush. These patches are said to prevent critical buffer overflow vulnerabilities, which could provide threat actors with the ability to execute remote code onto a target system. With these various critical patches, some vulnerabilities are classified as “out-of-bounds” meaning that disclosing what the patches are fixing could disclose sensitive information for threat actors to further manipulate. Get Complete and Contextual Visibility with Skybox Security.
A new Bluetooth vulnerability has been found that affects all modern devices capable of Bluetooth pairing, including IoT devices, laptops, smartphones, and tablets. The vulnerability (CVE-2020-10135) relates to how devices are pared with Bluetooth using a link key. Threat actors can masquerade as genuine devices and gain access with the link key. Bluetooth chips used by Apple, CSR, Intel, Samsung, and Qualcomm are all vulnerable to these attacks unless patched.
A hacker is reportedly selling details of 9 million Zoomcar users for $300 on the dark web. This data includes names, email addresses, passwords, mobile numbers, and IP addresses. The data is said to have been obtained in a 018 data breach. Zoomcar’s CEO claims that its data is “absolutely secure” and a breach involving its customers’ data is untrue. Learn more about Flashpoint’s Intelligence Platform.
Researchers have measured the prevalence of exposed sensitive assets at leading banks, including exposed databases, remote login services and development tools. It is reported that 23% of banks had at least one misconfigured database exposed to the internet, meaning this data could potentially be leaked. 54% of the banks had at least one Remote Desktop Protocol exposed to the internet, 31% had at least one vulnerability to remote code execution and Multiple File Transfer servers with anonymous authentication were discovered. Although banks usually have well established security structures, which are heavily regulated, up to 84% of the exposed assets are likely to fall under IT and security teams’ radars and out of the scope of traditional asset management and security tools. It is imperative to understand and have visibility of internet facing assets to manage and mitigate the risks. Get Complete and Contextual Visibility with Skybox Security.
Welcome to our “One Intelligence” Weekly Report. This high-level report is designed to share intelligence about the most notable attacks, breaches and malware that experts from Anomali, Flashpoint and Silobreaker, who have analysed and highlighted new techniques used by attackers over the last week.
This week saw another huge data breach, this time affecting EasyJet customers. It has been reported that approximately nine million customers may have had their email addresses and travel details stolen, and over 2000 customers also had their credit/debit card details “accessed”. It is not yet known exactly how the attack was perpetrated; however, it is likely to have come from a phishing attack. A similar data breach in 2018 saw the airline British Airways fined £183m by the regulator. EasyJet is likely to incur a similar fine.
The Bank of America has also issued notice of a data breach to its clients, with a set of customers who applied for a particular loan program being impacted. Exposed data included tax ID numbers, full names, phone numbers, email addresses, physical addresses, social security numbers and more. It is not yet known exactly how many customers have been affected.
A sophisticated Android spyware framework has been identified by researchers and is said to have been undetected for four years. The spyware named “Mandrake” embeds itself into applications to avoid detection. The Spyware is said to have been found on seven apps available on the Google Play Store. This attack is mainly targeting Art, Finance, Media, and the Auto industry for use in espionage campaigns. The Spyware works by collecting SMS messages, contact lists and lists of applications. It can also send SMS messages, initiate calls, uninstall applications, steal credentials from the applications and enable GPS tracking. The information is then sent to a Command and Control server operated by the threat actors.
Researchers from Checkpoint have announced that a previously patched Remote Desktop Services (RDP) vulnerability is being bypassed in order to further exploit the RDP functionality. The exploit allows remote code execution to take place, even using Microsoft’s built-in client “MSTSC.exe”, a commonly used service. Microsoft was notified of this new vulnerability and has since released a patch (CVE-2020-0655). Checkpoint has reviewed the patch and confirmed it does not rectify the issues, but does function as a workaround. Get Complete and Contextual Visibility with Skybox Security.
The US government has linked three different Malware variants to the North Korean group HIDDEN COBRA. The malware includes a Remote Access Tool targeting cryptocurrency exchanges; a trojan masquerading as Microsoft Narrator, that will execute modules received from the Command and Control server; and finally, a trojan that provides access to CLI to execute, upload and download files. HIDDEN COBRA is known to target industry sectors in South Korea and the US, as well as entertainment, media, and non-government organisations, using spearphishing as an initial point of entry. Anomali arms security teams with machine learning optimised threat intelligence and identifies hidden threats targeting their environments.
Adobe have become the next big software company to have its software attacked. Thirty-six patches for various Adobe products have been published, including 16 critical vulnerability patches. These vulnerabilities would allow for remote code execution and can evade security solutions. Microsoft has also released two patches to resolve the issues.
The data from 40 Million Wishbone app users is for sale for approximately $8,000 across multiple hacking forums on the dark web. The data is claimed to have been obtained in an attack that took place earlier in 2020. The data sample that was advertised included usernames, emails, phone numbers, physical address details and hashed passwords. Discover insights that are buried deep inside the data, and uncover the information that is most valuable to you with Silobreaker.
Welcome to the first edition of our “One Intelligence” Weekly Report. This high-level report is designed to share intelligence about the most notable attacks, breaches and malware that experts from Anomali, Flashpoint and Silobreaker, who have analysed and highlighted new techniques used by attackers over the last week. Some of the trends we are seeing this week confirms the prediction that global ransomware damage costs will reach $20 billion by 2021 – which is 57X more than it was in 2015. This makes ransomware the fastest growing type of cybercrime!
12th May saw over sixty mentions relating to Coronavirus Malware, the highest figure since mid-April. This was mainly due to an increase in discussions around Sphinx Trojan, Maze Ransomware and AgentTesla Keylogger, all of which are targeting home users by email with fake phishing Coronavirus campaigns.
The Sphinx Trojan is targeting North American banks and has seen some changes in 2020 including new persistence mechanisms, injection techniques, bot configurations and more – all to increase the spread during the pandemic.
The Maze Ransomware, like all Ransomware, demands a payment in Cryptocurrency for an organisation to get its data back; however, Maze could potentially be even more dangerous as it also exfiltrates the data it finds to servers controlled by the hackers, who then threaten to release this data should the ransom not be paid. In addition, this means that restoring from backup will not eradicate the problem.
Ransomware attacks are becoming smarter and a report has suggested a new propagation method is being used, Wake-on-LAN. Wake-on-LAN means that a networking device can be powered on over the network with no physical actions required and therefore Ransomware can potentially encrypt the data of a machine when it is switched off. Wake-on-LAN functionality does not exist on all systems, and often has to be enabled. To mitigate this, network administrators are encouraged to switch off this feature on all systems, or at least restrict which devices can trigger this function.
A recent survey carried out by the Identify Defined Security Alliance (IDSA) revealed that 79% of organisations have experienced an identity-related security breach in the past two years. 99% of those surveyed believe that the breach was preventable, but fewer than half had actually fully implemented key identity-related security outcomes.
The hacker group “Shiny Hunters” is selling millions of user records from eleven different companies in an undisclosed dark web marketplace and in total 164.2 million records are being sold. The affected companies have all been contacted by Bleeping Computer (Tokopedia, Bhinneka, Chatbooks, The Chronicle of Higher Education, Ggumim, Home Chef, Mindful, Minted, Star Tribune, StyleShare, and Zoosk).
Europe’s largest private hospital operator, Fresenius, has been targeted by another Ransomware attack, which aims to identify enterprise management tools and industrial control systems (ICS) in order to take advantage of health care providers who are attempting to resolve the pandemic.
A recent report from Trend Micro found that a threat group known as “Tropic Trooper” is currently infiltrating physically isolated (Air-Gapped) networks of the Philippine and Taiwanese armies, as well as government institutions, hospitals, and banks in these countries. The threat group has been active since 2011 and is continuously improving its methods. This particular method works by using USB malware called “USBFerry”, which injects the payload onto a USB and waits for it to be plugged into an Air-Gapped device.
Web hosting provider Digital Ocean has also notified some customers about a security lapse that exposed their account details. The leak occurred as a result of an internal document which was left accessible online via a public link. The document was reported to have been opened 15 times; however, Digital Ocean claims the file only contained details of less than 1% of the company’s total customer base.
Anomali, a leader in intelligence-driven cybersecurity solutions, and One Distribution, the leading technology distributor, today announced that the companies have entered into a strategic partnership giving One Distribution the ability to deploy and support Anomali threat intelligence solutions in the UK and Ireland. By broadening its portfolio to include Anomali, One Distribution is expanding their ‘One’ Intelligence suite of integrated solutions.
“Businesses in Europe are looking for new and innovative ways to respond to cyberattacks and are willing to invest in proven security solutions,” said John Dams, General Manager, One Distribution. “Anomali brings a unique approach to improving defences that many Europe-based organisations are using to reduce risk across their environments. By expanding our product offering with Anomali, we expect to accelerate the adoption of cyber threat intelligence solutions across the region.”
ZecOps, the first agentless automated Digital Forensics and Incident Response (DFIR) & APT detection platform, and One Distribution, the leading technology distributor, announced today the launch of their strategic partnership, enabling One Distribution to deliver, deploy and support ZecOps solutions in the UK & Ireland. One Distribution is expanding its security solutions and services with ZecOps ground-breaking offering, providing automated detection, analysis, and response of sophisticated attacks that are crafted to evade security controls.
One Distribution are delighted to be adding Nominet to our growing portfolio of threat intelligence solutions. One Distribution is a people-centric business. It combines a personal, consultative approach and early engagement to ensure that it fully understands all its partners and business requirements. One Distribution provides unrivalled expertise and agility to the Cyber Security marketplace, driving growth and expanding market opportunities for technology partners within the UK and Ireland.
Nominet NTX is a Network Detection and Response platform purpose built to analyse billions of DNS data packets in real time, pinpointing and eradicating malicious activity quickly and seamlessly. NTX can identify malware, phishing attacks, data theft, DNS hijacks and DNS tunnelling, even at patient zero. Allowing it to effectively and comprehensively eradicate malicious activity on the network.
Able to identify malware, phishing attacks, data theft, DNS hijacks and DNS tunnelling so early, as well as being able to protect patient-zero, makes it both effective and comprehensive in its mission to eradicate malicious activity on the network.
Nominet is the organisation responsible for running and protecting the .UK. For over 20 years it has been operating at the heart of the internet infrastructure. This experience also underpins its cyber-security capability which is used by the UK government and other global enterprises to secure their networks.
Dave Polton, VP of Cyber Solutions at Nominet said; “Effective network detection and response is a fundamental part of a robust security posture. The network offers broad visibility and with intelligent machine-learnt algorithms it can be used to identify and eliminate threats early. Every organisation has a DNS layer that is ubiquitous, failing to take advantage of this for threat defence really is a missed opportunity.”
“We’re excited to be partnering with One Distribution to enable more enterprises to take advantage of this untapped area of the IT estate for threat detection and response.”
Take a closer look at how Nominet NTX can improve your security posture here.
One Distribution Ltd, has today announced they have signed a distribution agreement with Krontech.
Krontech is a technology company that specialises in Privileged Access Management (PAM) and Single Connect™ is their comprehensive PAM Suite. Single Connect™ is used as an information security and governance tool to prevent internal and external data breaches and attacks using privileged accounts and is known to be the fastest to deploy and the most secure PAM solution for business of all sizes including enterprises and telco’s globally.
The partnership between Silobreaker and Flashpoint represents a union between technology and data, and of two companies with a common goal: empowering organisations to predict, detect and mitigate risk of all kinds by turning unstructured data into timely and actionable intelligence.
Flashpoint’s data is being ingested by Silobreaker’s platform, where it is indexed and fully integrated for use across all analytical tools, visualisations and workflow features. When correlated with Silobreaker’s open source data, this combination empowers customers to move seamlessly between the two data-sets in a single application, expanding their analyses to include both.
Access to Flashpoint data in Silobreaker requires licenses from both companies.
The team at One Distribution have experienced first-hand the broad use of “Threat Intelligence” and how it can sometimes be confusing, and still result in huge volumes of collected threat data with limited resource at hand to do the necessary deeper investigation. Silobreaker is not a TIP, it is a complementary technology that provides the required and often missing context in a TIP or SIEM system, and it’s only by building that interconnected ecosystem of security and intelligence solutions that an organisation can take their current security posture from ‘good’ to ‘great’!
With InfoSec 2019 looming we can’t help but think about
hangovers and freebies, not to mention security! What will
you be looking to gain from the event this year?
One Distribution solutions portfolio now offers the Flashpoint Intelligence Platform, which includes Flashpoint’s expansive archive of Finished Intelligence reporting and Deep & Dark Web (DDW), Risk Intelligence Observables (RIOs), and Chat Services datasets. By granting access to all of these resources in a single, finished intelligence experience, the platform aims to empower experienced and entry-level users alike with the context they need to make better decisions about threats, adversaries, and risks relevant to them.
One Distribution, a leading technology distributor, has signed a distribution agreement with Skybox®Security, a global leader in cybersecurity management. This agreement leverages One Distribution’s expertise in sales enablement and education programmes to fuel Skybox’s channel expansion plans and long-term channel partnerships across the UK and Ireland.