#school | #ransomware | Ransomware Attacks on U.S. Have Reached “Crisis” Proportions, Governments “Must Do Better”
An unprecedented number of ransomware attacks deployed against government, healthcare and school targets in the U.S., and new attacks that not only lock up but also steal sensitive data, have prompted cybersecurity firm Emsisoft to declare a “crisis.”
A recent attack in Pensacola that “may have resulted in a municipal government’s data falling into the hands of cybercriminals” has also prompted Emsisoft to issue its 2019 “State of Ransomware in the US” report early, in the hope of inducing an immediate response by governments:
“We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.”
The report describes an “unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion.”
Affected organizations include:
- 103 federal, state and municipal governments and agencies.
- 759 healthcare providers.
- 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
In a ransomware attack, hackers typically deploy malicious software via infected links embedded in “phishing” emails.
Sometimes these emails are spammed out randomly. In other cases, an employee working at a targeted organization is carefully profiled and sent a customized email designed to trick that individual into clicking an infected link.
In the case of one cryptocurrency exchange, hackers determined that someone working there was an extreme fan of a particular type of dog.
The hackers created fake digital materials claiming that a dog show featuring this breed would shortly be held in the employee’s region. The employee opened the email, clicked on a link it contained, and infected the entire exchange’s computer systems. The exchange was later robbed of cryptocurrencies.
In most cases, an organization’s systems are rendered unusable by ransomware and a ransom of cryptocurrencies is demanded in exchange for restoring systems or data.
In May, twenty-one civic agencies in Baltimore were disabled by a ransomware attack.
When Boston legal aid offices were disabled by Russian “Ryuk” ransomware earlier this year, trials had to be postponed, including a trial involving a child victim.
According to Emsisoft, the attacks it has lately witnessed “put people’s health, safety and lives at risk”:
- Emergency patients had to be redirected to other hospitals.
- Medical records were inaccessible and, in some cases, permanently lost.
- Surgical procedures were canceled, tests were postponed and admissions halted.
- 911 services were interrupted.
- Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field.
- Police were locked out of background check systems and unable to access details about criminal histories or active warrants.
- Surveillance systems went offline.
- Badge scanners and building access systems ceased to work.
- Jail doors could not be remotely opened.
- Schools could not access data about students’ medications or allergies.
Emsisoft further claims that the escalated success of ransomware attacks in 2019 resulted from “a perfect storm…(involving) existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses.”
Fabian Wosar, CTO of Emsisoft, has issued a sober warning:
“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better.”
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans
MONROE, La. (KNOE) – Gov. John Bel Edwards declared a state of emergency following a cyber-attack on Nov. 18. An apparent “ransomware” virus infected 1,500 of the state’s 30,000 computers last week. This […]
Phishing is still a vector to attack presidential campaigns. Many 2020 candidate organizations still aren’t using best practice by implementing a proper DMARC policy.
It seems they’ve not learned from the hack on Hillary’s campaign. In 2016, John Podesta got tricked by a crude phish—and it easily could happen again.
Things are better now, but there are still acres of room for improvement. In today’s SB Blogwatch, we dig their DNS records.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a decade in three minutes.
Can You Spell DMARC?
What’s the craic, Zack? Mister Whittaker reports—“Only a few 2020 US presidential candidates are using a basic email security feature”:
DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails … could prevent a similar attack that hobbled the Democrats during the 2016 election. … Only Elizabeth Warren … Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard and Steve Bullock have … improved their email security.
The remaining candidates, including … Donald Trump, are not rejecting spoofed emails. … That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.
In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. [It] tricked Podesta into … allowing hackers to steal tens of thousands of private emails.
Or perhaps you prefer a different topical angle? G’day, David Braue—“You may be targeting Black Friday bargains, but cybercriminals are targeting you”:
Security firms are warning shoppers to be careful online as cybercriminals increase their activity in the runup to [the] retail season. … Shoppers need to be particularly wary of online scams and malware propagated through emails spoofing legitimate retailers.
Despite efforts by the Australian Signals Directorate to promote the use of next-generation DMARC email anti-fraud tools … research suggests that just 45 percent of Australia’s biggest online retailers have actually begun implementing DMARC – and just 10 percent have adopted the strictest level of security.
Returning to this hemisphere, Agari’s Armen Najarian claims, “2020 Presidential Candidates Remain Vulnerable”:
The kinds of email attacks that helped derail Hillary Clinton’s candidacy in 2016 are only getting more sophisticated. [But some] campaigns are not taking the threat as seriously as they should.
Meanwhile, we’re seeing new trends in how cybercriminals execute … advanced threats, which are liable to throw an entire candidacy off-course. After all, it only requires one campaign employee or volunteer to click on one link in a malicious email.
It’s likely only a matter of time before the unthinkable happens once again. … The Mueller Report … squarely pointed to spear phishing as the primary attack vector for Russian hackers seeking to gain access.
Unfortunately, candidates must not only be concerned about email directed to them and their campaign staff. … Imagine the damage that can be done by emails that appear to come from the legitimate domain of the candidate, but actually come from a malicious criminal who uses that domain to spread false information to potential … donors, voters, and the media.
This is entirely possible, and likely even probable, unless candidates take the steps they need to protect against it by implementing DMARC with a p=reject policy.
DMARC: HOWTO? Chad Calease obliges—“A Definitive Guide”:
This is the time of year we’re all too aware how much phishing really sucks. … While technology isn’t able to catch all of it 100% of the time, DMARC is one of these important layers of defense that helps to dramatically minimize the amount of phishing emails that get through to our inboxes.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. [It] is a set of 3 DNS records that work together to ensure email is sent only from authorized … mail servers, thereby helping block fraudulent messages.
DMARC sets a clear policy for what to do if a message hasn’t been sent from an authorized source. … DMARC helps prevent criminals from spoofing the “header from” or “reply-to” address: … First it checks that the DKIM … digital signature is a match. Then it checks the SPF record to ensure the message came from an authorized server. If both DKIM and SPF pass these checks, DMARC delivers the message.
But if one or more of these tests fails, DMARC behaves according to a policy we set:
- ‘none’ [which] doesn’t impose any actions …
- ‘quarantine’ [which] flags messages … to be directed to the recipients’ spam or junk folders …
- ‘reject’ [which] outright refuses messages that fail … (this is the end goal of a good DMARC configuration).
OK, so why aren’t all the candidates on board? Here’s lostphilosopher:
I see this as a reflection of the candidates’ ability to find and listen to experts. I don’t expect a candidate to understand how to do tech “right” – I’m in the industry and still get half of it wrong! However, when you’re running a multi-million-dollar campaign you can afford to bring in experts to set this stuff up and audit your practices.
I assume these candidates are already doing this and that if they are still not following some basic best practices it’s because they are actively ignoring the experts. … That’s what worries me: If they can’t find or listen to these people now, what makes me think they’ll be able to in office?
And this Anonymous commentator agrees:
Think about this for a second! If the … candidates don’t care enough about their own email traffic, why would anyone vote for them to secure this nation? If your own private info is easily up for grabs, what do you honestly think national security would be like under any of them?
But gl4ss spots an oint in the flyment:
If you rely on DMARC … and just trust it blindly then you know what? You’re gonna get ****ed by someone on whthouse.org.co.uk.acva.com.
Sure the email is sent from that domain, but so what? The domain isn’t right.
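The policy logic in Chad Calease’s guide above, together with gl4ss’s lookalike-domain point, as an added worked example in Python (not code from the original post or from any author quoted in it; the DMARC records, domain names and SPF/DKIM results are constructed, and the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List):

```python
"""DMARC record parsing and receiver-side policy evaluation.

Added example; not code from the original post or any quoted author.
Every record, domain and authentication result below is constructed.
"""

# Values the p= tag may carry, as listed in the guide above.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; rua=mailto:a@b'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in POLICIES:
        raise ValueError(f"p= must be one of {POLICIES}, got {tags.get('p')!r}")
    # RFC 7489 defaults: relaxed identifier alignment for both DKIM and SPF.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified (assumption) to the last two labels.

    Real receivers consult the Public Suffix List so that e.g. 'example.co.uk'
    is one organization; the two-label rule keeps this example short.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record, header_from, spf, dkim):
    """Decide what a receiver does with one message.

    spf and dkim are (result, domain) tuples: the SPF result with the MAIL FROM
    domain, and the DKIM verification result with the signature's d= domain.
    Per RFC 7489 DMARC passes when either SPF or DKIM passes *and* its domain
    aligns with the header From domain; otherwise the p= policy applies.
    """
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], record["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]


# Constructed records: an invented campaign domain at p=reject, one still at
# p=none, and the attacker-controlled domain from gl4ss's comment.
RECORDS = {
    "example-campaign.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example-campaign.org",
    "lax-campaign.org": "v=DMARC1; p=none; rua=mailto:dmarc@lax-campaign.org",
    "acva.com": "v=DMARC1; p=reject",
}


def disposition(header_from, spf, dkim):
    """Find the record for the From domain (falling back to its organizational
    domain, as receivers do) and evaluate the message against it."""
    txt = RECORDS.get(header_from) or RECORDS.get(org_domain(header_from))
    if txt is None:
        return "no-policy"  # no DMARC record published: nothing is enforced
    return evaluate(parse_dmarc(txt), header_from, spf, dkim)


if __name__ == "__main__":
    # 1. Spoofed mail claiming to be the campaign, sent via an unrelated server.
    print(disposition("example-campaign.org", ("fail", "mailer.example.net"), ("none", "")))
    # -> reject
    # 2. The same spoof against a domain still at p=none: nothing happens.
    print(disposition("lax-campaign.org", ("fail", "mailer.example.net"), ("none", "")))
    # -> none
    # 3. gl4ss's point: a lookalike subdomain the attacker owns authenticates
    #    fine under acva.com's own policy. DMARC proves the sender controls that
    #    domain, not that the domain is the one the reader thinks it is.
    print(disposition("whthouse.org.co.uk.acva.com", ("pass", "acva.com"), ("none", "")))
    # -> pass
```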
It was ever thus. Ryan Dunbar—@ryandunbar2—looks back:
In 1980 we knew internet email was not secure.
2003 get email SPF
2007 get email DKIM
2012 get DMARC
2019 get ARC, BIMI
2025 get QUIC, yet email will still not be secure.
2050 get internet3
Why does it look like the ones running the internet don’t want a secure internet?
Meanwhile, El Duderino knows who to blame:
This is Al Gore’s fault because he invented the internet.
10 Years; 100 songs; 3 minutes
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Tia Dufour (public domain)
Ransomware is changing the threat landscape yet again, though this time it isn’t with malicious code.
A spike in ransomware attacks against municipal governments and healthcare organizations, coupled with advancements in the back-end operations of specific campaigns, has concerned security researchers and analysts alike. The trends are so alarming that Jeff Pollard, vice president and a principal analyst at Forrester Research, said he expects local, state and city governments will be forced to seek disaster relief funds from the federal government to recover from ransomware attacks.
“There’s definitely been an uptick in overall attacks, but we’re seeing municipality after municipality get hit with ransomware now,” Pollard said. “When those vital government services are disrupted, then it’s a disaster.”
In fact, Forrester’s report “Predictions 2020: Cybersecurity” anticipates that at least one local government will ask for disaster relief funding from their national government in order to recover from a ransomware attack that cripples municipal services, whether they’re electrical utilities or public healthcare facilities.
Many U.S. state, local and city governments have already been disrupted by ransomware this year, including a massive attack on Atlanta in March that paralyzed much of the city’s non-emergency services. A number of healthcare organizations have also shut down from ransomware attacks, including a network of hospitals in Alabama.
The increase in attacks on municipal governments and healthcare organizations has been accompanied by another trend this year, according to several security researchers: Threat actors are upping their ransomware games.
Today’s infamous ransomware campaigns share some aspects with the notable cyberattacks of 20 years ago. For example, the ILoveYou worm used a simple VB script to spread through email systems and even overwrote random files on infected devices, which forced several enterprises and government agencies to shut down their email servers.
But today’s ransomware threats aren’t just using more sophisticated techniques to infect organizations — they’ve also built thriving financial models that resemble the businesses of their cybersecurity counterparts. And they’re going after targets that will deliver the biggest return on investment.
The McAfee Labs Threats Report for August showed a 118% increase in ransomware detections for the first quarter of this year, driven largely by the infamous Ryuk and GandCrab families. But more importantly, the vendor noted how many ransomware operations had embraced “innovative” attack techniques to target businesses; instead of using mass phishing campaigns (as Ryuk and GandCrab have), “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP [remote desktop protocol] and virtual network computing,” the report stated.
“The concept of ransomware is no longer the concept that we’ve historically known it as,” Raj Samani, chief scientist at McAfee, told SearchSecurity.
Sophos Labs’ 2020 Threat Report, which was published earlier this month, presented similar findings. The endpoint security vendor noted that since the SamSam ransomware attacks in 2018, more threat actors have “jumped on the RDP bandwagon” to gain access to corporate networks, not just endpoint devices. In addition, Sophos researchers found more attacks using remote monitoring and management software from vendors such as ConnectWise and Kaseya (ConnectWise’s Automate software was recently used in a series of attacks).
John Shier, senior security advisor at Sophos, said certain ransomware operations are demonstrating more sophistication and moving away from relying on “spray and pray” phishing emails. “The majority of the ransomware landscape was just opportunistic attacks,” he said.
That’s no longer the case, he said. In addition to searching for devices with exposed RDP or weak passwords that can be discovered by brute-force attacks, threat actors are also using that access to routinely locate and destroy backups. “The thoroughness of the attacks in those cases is devastating, and therefore they can command higher ransoms and get a higher percentage of payments,” Shier said.
Jeremiah Dewey, senior director of managed services and head of incident response at Rapid7, said his company began getting more calls about ransomware attacks with higher ransom demands. “This year, especially earlier in the year, we saw ransomware authors determine that they could ask for more,” he said.
With the volume of ransomware attacks this year, experts expect that trend to continue.
The ransomware economy
Samani said the new strategies and approaches used by many threat groups show a “professionalization” of the ransomware economy. But there are also operational aspects, particularly with the ransomware-as-a-service (RaaS) model, that are exhibiting increased sophistication. With RaaS campaigns such as GandCrab, ransomware authors make their code available to “affiliates” who are then tasked with infecting victims; the authors take a percentage of the ransoms earned by the affiliates.
In the past, Samani said, affiliates were usually less-skilled cybercriminals who relied on traditional phishing or social engineering tactics to spread ransomware. But that has changed, he said. In a series of research posts on Sodinokibi, a RaaS operation that experts believe was developed by GandCrab authors, McAfee observed the emergence of “all-star” affiliates who have gone above and beyond what typical affiliates do.
“Now you’re seeing affiliates beginning to recruit individuals that are specialists in RDP stressing or RDP brute-forcing,” Samani said. “Threat actors are now hiring specific individuals based on their specialties to go out and perform the first phase of the attack, which may well be the initial entry vector into an organization.”
And once they achieve access to a target environment, Samani said, the all-stars generally lie low until they achieve an understanding of the network, move laterally and locate and compromise backups in order to maximize the damage.
Sophos Labs’ 2020 Threat Report also noted that many ransomware actors are prioritizing which drives, files and documents to encrypt first, based on the type of data they hold. Shier said it’s not surprising to see ransomware campaigns increasingly use tactics that rely on human interaction. “What we’ve seen starting with SamSam is more of a hybrid model — there is some automation, but there’s also some humans,” he said.
These tactics and strategies have transformed the ransomware business, Samani said, shifting it away from the economies-of-scale approach of old. “All-star” affiliates who can not only infect the most victims but also command the biggest ransoms are now reaping the biggest rewards. And the cybercriminals behind these RaaS operations are paying close attention, too.
“The bad guys are actively monitoring, tracking and managing the efficiency of specific affiliates and rewarding them if they are as good as they claim to be,” Samani said. “It’s absolutely fascinating.”
Silver linings, dark portents
There is some good news for enterprises amid the latest ransomware research. For one, Samani said, the more professional ransomware operations were likely forced to adapt because the return on investment for ransomware was decreasing. Efforts from cybersecurity vendors and projects like No More Ransom contributed to victims refusing to pay, either because their data had been decrypted or because they were advised against it.
As a result, ransomware campaigns were forced to improve their strategies and operations in order to catch bigger fish and earn bigger rewards. “Return on investment is the key motivator to the re-evolution or rebirth of ransomware,” Samani said.
Another positive, according to Shier, is that not every ransomware campaign or its affiliates has the necessary skills to emulate a SamSam operation, for example. “In terms of other campaigns implementing similar models and techniques, it’s grown in the past 18 months,” he said. “But there are some limitations there.”
On the downside, Shier said, cybercriminals often don’t even need that level of sophistication to achieve some level of success. “Not everyone has the technical expertise to exploit BlueKeep for an RDP attack,” he said. “But there’s enough exposed RDP [systems] out there with weak passwords that you don’t need things like BlueKeep.”
In addition, Samani said the ransomware operations that earn large payments will be in a position to improve even further. “If you’ve got enough money, then you can hire whoever you want,” Samani said. “Money gives you the ability to improve research and development and innovate and move your code forward.”
In order to make the most money, threat actors will look for the organizations that are not only most vulnerable but also the most likely to pay large ransoms. That, Samani said, could lead to even more attacks on government and healthcare targets in 2020.
Shier said most ransomware attacks on healthcare companies and municipal governments still appear to be opportunistic infections, but he wouldn’t be surprised if more sophisticated ransomware operations begin to purposefully target those organizations in order to maximize their earnings.
“[Threat actors] know there are organizations that simply can’t experience downtime,” Shier said. “They don’t care who they are impacting. They want to make money.”
The post #city | #ransomware | Ransomware attacks shaking up threat landscape — again appeared first on National Cyber Security.
#cybersecurity | #hackerspace | Just 12% of ICS Security Pros Very Sure of Orgs’ Ability to Respond to Digital Attacks
Malicious actors are increasingly launching digital attacks against industrial organizations. Many of these campaigns have been successful, particularly those that have targeted energy utilities and manufacturing plants. In late spring 2019, for instance, aircraft parts manufacturer ASCO temporarily suspended operations worldwide after falling victim to a ransomware attack. It was about a month later when […]
The post Just 12% of ICS Security Pros Very Sure of Orgs’ Ability to Respond to Digital Attacks appeared first on The State of Security.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/ics-security-respond-digital-attacks/
The U.K. Labour Party’s digital platforms have been the target of distributed denial of service attack activity since yesterday, impeding access to the political body’s main website. The initial wave of DDoS attacks took place on Nov. 11. Multiple news reports today quoted a Labour Party […]
Though ransomware attacks aren’t a recent phenomenon, they do seem to be increasing in frequency and intensity. If society has grown used to these kinds of cyberattacks, that’s about to change—with the reports of 20+ Texas governmental entities recently being simultaneously hit in a coordinated attack, there may be a new and even scarier method of extorting entities for their data.
By definition, ransomware is a type of malware that uses virtually unbreakable encryption to deny user access to a company’s systems. By the time of the actual attack, the perpetrator has already done reconnaissance to find weaknesses in the chosen system, which they then exploit to find important data, manipulating the environment so that the affected entity cannot touch its own information. The victim then receives a message demanding some kind of payment—bitcoin being a preferred option—to unlock the files or systems. In short, ransomware operates exactly like a hostage situation seen in films and television shows: The hacker literally hoards the keys to the company’s kingdom, only relinquishing them when their demands are met.
The first known ransomware attack was in 1989 and was conducted using snail-mailed floppy disks. Technology has come a long way since then and today’s attacks are much easier to carry out; they’re more lucrative, as well. Ransom requests typically average around $500 USD—a seemingly tiny sum for entities worth billions. No matter what the amount, these financial after-effects are obviously painful for the victims, and the companies attacked aren’t always the sole injured party. After the 2018 attack on the City of Atlanta, wherein the ransom was $50,000 USD in bitcoin, the additional remediations totaled more than $2.6 million taxpayer dollars. However, $50,000 is a drop in the bucket for these new attackers in Texas—after their government attack, they’ve demanded a collective $2.5 million, a serious upgrade in reward for their criminal risk.
So what else makes these recent attacks in Texas unique? For one thing, nearly two dozen entities were hit in one fell swoop, something that smacks of more sophisticated methods and patience on behalf of the attacker or attackers. The 2016 Verizon Data Breach Investigations Report said phishing is the No. 1 cause of data breaches, and spear-phishing could be how the Texas criminals gained access to inject their malware. Spear-phishing is the use of targeted emails that, when the recipient clicks on a link in that message, allow the cybercriminal to obtain sensitive information—i.e., credentials—or install that malware into the company’s systems. If this is indeed how the bad actor infected government entities in Texas one by one, it shows some patience to wait until they had an opening into a number of systems, then coordinate the lockup to happen all at once. Local governments are a prime target for these kinds of hacks, and the size of this one has prompted a huge, statewide response.
Though Texas is just the latest victim, what’s scarier is that these cybercriminals and their methods will only get better and more exotic. How long before bots start locking hundreds of systems at once? Already there are ransomware-as-a-service providers that enable even the most novice cybercriminals to hack in with tools such as CryptoWall, Locky and TeslaCrypt. For everyone with data to protect, the idea is terrifying, and society isn’t doing much to help itself—there is definitely more that could be done.
In the analog world, companies and governments actually play a part in aiding the cybercriminals when they fail to report. Even if they don’t announce the attack publicly, sometimes it’s still obvious that it happened, such as when a local or county government suddenly cannot produce vital records or process things like permits and marriage licenses. Other private companies might be down for a short amount of time, failing over to backup systems, but still in danger of at least temporarily losing some data depending on their backup frequency. As the attacks continue to intensify and grow stronger, companies must take steps to protect themselves and not give the criminals any wiggle room.
So, what are these steps? What can be done to mitigate these attacks and lessen the risk of them happening?
- Make sure to run the latest patches on systems, as well as the latest versions of applications—even middleware and those on the back end.
- If there is no InfoSec team dedicated to overall, company-wide security, invest and put one together as soon as possible.
- Leverage industry-standard (ex: NIST, SANS) and compliance guidelines such as PCI, ISO, HIPAA, etc. to make sure at least most security bases are covered.
- Educate your employees on how to spot phishing and vishing attempts.
It’s that last point that is most critical. Unfortunately, humans will always be the biggest risk to an organization’s security, and therefore, employee education is key. In this spirit, prepare and execute a robust security awareness campaign and conduct regular training sessions. Then, after you’ve completed the training and education, do it again—keep at it until security isn’t a thought anymore because it’s part of everybody’s routine, daily processes. Ransomware attacks aren’t a new or recent development, but as they continue to develop in strength and the potential for bigger financial penalties continues to grow, it’s always better to be safe rather than sorry.
The post #cybersecurity | #hackerspace | Ransomware Attacks Keep Growing – Security Boulevard appeared first on National Cyber Security.
#cyberfraud | #cybercriminals | Cybersecurity: Hostile nations responsible for ‘significant’ number of attacks against UK organisations
The National Cyber Security Centre (NCSC) has helped UK organisations fight over 600 cyber attacks over the course of the last year, with hostile nation-states blamed for a ‘significant’ number of the attempts at hacking UK-based targets.
The NCSC Annual Review 2019 sheds a light on some of the work the cyber arm of GCHQ has done over the last year to help protect the UK from malicious cyber activity and reveals that it handled 658 incidents in the last 12 months, providing support to almost 900 victims of cyber attacks.
Some of the cyber attacks which have targeted the UK in the past year include a phishing scam posing as an airport refund email which attempted to defraud over 200,000 people, nation-state backed hackers attempting to steal intellectual property from universities, and a ransomware attack against the police.
It takes the total number of cyber incidents the NCSC has dealt with since it opened its doors in 2016 to almost 1,800 as cyber criminals and other malicious threat groups continue to target the UK.
For the first time, the NCSC has detailed the sectors it has most commonly been called on to support in reaction to incidents. Government is the top target for cyber attacks, followed by academia and tech companies. Managed service providers are the fourth most common organisations which the NCSC has helped with cyber incidents, followed by transport and health in joint fifth place.
“From handling more than 600 incidents – many from hostile nation states – to equipping the public with the tools they need to stay safe online, we are employing our expertise on a number of fronts,” said Ciaran Martin, chief executive of the NCSC.
The report lists Russia, China, Iran and North Korea as hostile states actively targeting the UK with cyber attacks, following the NCSC strategy of calling out countries conducting attacks.
The NCSC is also trying to keep individual users safe from cyber attacks and has revealed that one way it has been doing so is with an operation called Haulster, which automates the defence of credit cards by flagging fraudulent intent against them.
Haulster takes stolen credit card data collected by the NCSC and its partners and returns information about the cards to banks – often before they are used for crime – allowing financial institutions to protect users from having their money stolen. So far, this operation has flagged fraudulent information against a million stolen credit cards, and the NCSC aims to increase the scope of the operation.
The NCSC also continued with its policy of Active Cyber Defence (ACD), a strategy designed to ensure there are fewer cyber attacks in the world, causing less harm to users in the UK and beyond in the process.
A major element of this is a takedown service which stops phishing and other malicious websites from operating as soon as possible by contacting the web host and getting the sites removed from the internet.
According to the annual report, 98% of phishing URLs – 177,335 of them – discovered by the takedown service were successfully forced to stop operating. In 62% of cases, this happened within 24 hours of the website being deemed to be malicious.
The fight against these malicious domains means the UK only accounts for 2% of the websites hosting phishing scams around the world – down from 3% last year and 5% when the NCSC started operating.
However, despite a number of successes from the NCSC, the organisation isn’t under any illusion that the fight against cyber attacks and hacking is anywhere near over – and it stresses that everyone has a part to play in the battle.
“Looking ahead, there is also the risk that advanced cyber attack techniques could find their way into the hands of new actors, through proliferation of such tools on the open market,” said Martin.
“Cyber security has moved away from the exclusive prevail of security and intelligence agencies towards one that needs the involvement of all of government, and indeed all of society,” he added.
View full post on National Cyber Security
An estimated 97% of cyber-attacks originate from or involve email.
This estimate cited by The Wall Street Journal may be a little bit high, according to IT consultant J. Peter Bruzzese, who believes it is between 90% and 95%. But it nevertheless means emails are the biggest threat and employees are typically the weakest point at which an organisation can be attacked.
Speaking at the Armour Expo on Friday, 4 Oct., Bruzzese said gone are the days when hackers would drop infected USB sticks in the parking lot of their target organisation.
Those who picked up the devices and used them would ultimately infect their computers and potentially a whole network. The method was so successful that IT teams started to super-glue the USB ports on computers to render them unusable.
“We actually have software for that,” the IT consultant said. “But some people are really extreme. Why? Because that’s where the threat was coming from.”
Nowadays these types of attack have been replaced by sophisticated email scams.
These can take the form of ransomware and other malware attacks, URL links that lead to malicious websites and even impersonation attacks that make heavy use of “social engineering”, the hacker term for manipulating the victim through verbal or written interaction.
Far from the Nigerian email scams, which involved preposterous stories written in bad English, these attacks appeal right to the heart of the victim, said Bruzzese. They are emails using sophisticated language, often imitating a person known to the target, and containing plausible messages or requests.
The IT consultant presented an email that he, although highly sensitised to the threat, fell prey to himself. It was purportedly sent from the CEO of a client company, who informed Bruzzese that the company had changed direction and to continue the collaboration his compensation structure would have to be adjusted. More information was supposedly contained in an attached Excel file.
Of course, Bruzzese said, he should have noticed that he had never communicated with the CEO about compensation in the past or that an Excel spreadsheet was not really needed in this context.
“I wasn’t thinking. That is what your end-user is like most of the time,” he told local IT professionals at the event hosted by IT and cyber-security firm eShore.
The first thing he therefore recommends is end-user training.
“You have to prevent the end-user from making that click or opening that attachment. If you can stop that just a proportion of the time, you will save the company the frustration of a ransomware attack, the frustration of some form of impersonation attack or URL-based attack where they get password credentials.”
But in some cases, even the best training will not be sufficient. When homoglyphs, characters from other alphabets that look like familiar Latin letters, are used to imitate an email domain name, Bruzzese said what looks like “apple.com” to the naked eye will actually be “xm00-ak68.com”, adding, “That’s how sneaky these folks are.”
The solution therefore must involve technology on top of user security awareness because most people will not pick up on these attempts. “You have to have the technology in place. An end-user is never going to see a URL that is based on homoglyphs.”
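As an added example (not code from the talk, from Bruzzese or from eShore), a small Python filter of the kind that has to sit in front of the user: it decodes punycode hosts back to Unicode, flags labels that mix scripts, and folds look-alike letters to a "skeleton" that is compared against a constructed list of protected domains. The confusable table is a hand-built, hypothetical subset.

```python
import unicodedata

# Constructed for this example: domains the organisation wants to protect.
# "apple.com" is the brand quoted in the talk; the second name is an assumption.
PROTECTED_DOMAINS = {"apple.com", "example-bank.com"}

# Small, hand-built confusable map (hypothetical subset): look-alike letters from
# other scripts mapped to the Latin letter they imitate. A production filter would
# load the full Unicode confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04cf": "l",  # Cyrillic c s i palochka
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i",                 # Greek o a, dotless i
}

def to_wire(domain: str) -> str:
    """Encode a Unicode host as the punycode (xn--) form that actually appears in links."""
    return domain.encode("idna").decode("ascii")

def decode_domain(domain: str) -> str:
    """Return the lower-cased Unicode form of a host, given as punycode or Unicode."""
    if domain.isascii():
        domain = domain.encode("ascii").decode("idna")
    return domain.lower()

def scripts_used(label: str) -> set:
    """Scripts (LATIN, CYRILLIC, GREEK, ...) of the letters in one label, from their Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(domain: str) -> str:
    """Fold a domain to its Latin look-alike so that a spoof and the real name collide."""
    folded = unicodedata.normalize("NFKC", domain).lower()  # NFKC also folds fullwidth forms
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def check_domain(wire_domain: str) -> dict:
    """Flag a link's host if any label mixes scripts or its skeleton hits a protected domain."""
    host = decode_domain(wire_domain)
    findings = [f"mixed-script label {label!r}" for label in host.split(".")
                if len(scripts_used(label)) > 1]
    skel = skeleton(host)
    if skel in PROTECTED_DOMAINS and host != skel:
        findings.append(f"look-alike of protected domain {skel}")
    return {"host": host, "skeleton": skel, "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    spoof = to_wire("\u0430pple.com")   # constructed spoof: Cyrillic 'а' in place of Latin 'a'
    print(spoof, check_domain(spoof))   # the xn-- form is what the mail client would link to
    print(check_domain("apple.com"))
```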
Moving email systems into the cloud will take care of some, but not all, security issues. Most people think that if they use Office365 they will never have a problem with a ransomware attack because their email is in the cloud and on Microsoft servers, Bruzzese noted. “That makes sense, except there is a new form of attack called a ‘ransomcloud’ attack.”
In this attack, the end-user is prompted with a fake Microsoft message to opt into certain settings to enhance their security. Once these settings are accepted, the attackers can take control of the Microsoft mailbox online and they can encrypt it.
“The only way you can get your mailbox back is to pay the ransom unless you have a back-up, which in Office365 most people don’t,” the IT consultant added, because most people believe that Microsoft backs up their emails in such a way that they can be easily restored. But with 180 million corporate users across the globe that is impossible, he said.
The post #cyberfraud | #cybercriminals | Strengthening the human firewall against cyber attacks appeared first on National Cyber Security.