FFT news digest October 2 2020

Spyware for Macs

Amnesty International has identified new variants of FinSpy spyware designed to target devices running macOS and Linux. FinSpy is a powerful surveillance tool that can intercept victims' communications, access private data, and record audio and video. It has been in operation since at least 2011 and has been used to target activists, dissidents and journalists in a wide range of countries including Ethiopia, Bahrain, Egypt, Turkey and the UAE. Documents leaked in 2014 put FinSpy's list price at the time at €1.4 million, though it's thought to be cheaper now. The spyware is distributed by a variety of mechanisms, including trojanised copies of legitimate programs and booby-trapped office documents.

Threats

Sophisticated: Microsoft says cybersecurity threats have become more sophisticated, "using techniques that make them harder to spot and that threaten even the savviest targets". Its report has valuable suggestions. One stands out: multi-factor authentication would have prevented the vast majority of successful attacks, it says.

GDPR: Attackers trying to steal email credentials are targeting employees with fake GDPR compliance reminders. Area 1 Security

Wrong address: A text message offers an iPhone 12 in a bid to persuade the target to click on a malicious link. Naked Security

Social media: Scammers are targeting social media accounts with phishing emails pretending to be copyright violations or offering verification status. Bleeping Computer

Banks: A complex scam used social engineering, SIM card swapping, and remote desktop software to steal more than $350,000. The attack began with a classic 'too-good-to-be-true' offer, in this case a desirable apartment in Budapest at well below its market value. Bleeping Computer

Overprivileged: 36% of UK and US government workers have access to sensitive data that they don't need to complete their jobs, according to research from Forcepoint.

Political: In the run-up to the US presidential election, a new phishing campaign is targeting people’s political opinions. Criminals are impersonating political organisations, mimicking their domains and slogans, and seeking donations to fake organisations. Mimecast

Telegram: Bogus versions of messaging apps such as Telegram and Threema are being used to distribute updated malware that typically spies on targets in the Middle East. ESET

Awareness

Despite the ever increasing risk of being attacked online, around one in three people in the UK isn't actively worried about cybersecurity, according to a study by ESET. Timed to coincide with the start of cybersecurity awareness month, the survey of 2,000 people also found 57% believed they hadn't been hacked -- though 26% had no idea of how to tell if they had been. We're evangelical about the need to talk about cybersecurity, and communicate why it matters. That's why we're deeply sceptical about the effectiveness of online e-learning modules, and that view is supported by a report (R) from Osterman Research. It says users who found security training “very interesting” were over 13 times more likely to make “fundamental changes” to how they think about security compared to those who considered the training “boring.”

Remote

Another week brings another set of findings warning about the risks of remote working, or as Gartner puts it, "securing your mobile workforce has now become the single greatest existential imperative." Research from Enea says (R) the rise in working from home has led to an inevitable increase in risky behaviours and further blurring of the lines between personal and corporate IT resources. The survey found that business use of personal devices was seen as the greatest security risk. Now more than ever, it's vital to ensure employees are aware of the risks of working from home, and how to mitigate them. We have a guide and links to other resources here.

Oh Auth

We're very much in favour of anything that makes life online easier, but OAuth is something to be treated with extreme caution. In theory, a mechanism that allows you to sign into services without entering a password is a great idea. In practice, it can create a security vulnerability that attackers are only too happy to exploit. 'Sign in with Google' and 'Sign in with Facebook' are the best-known examples of OAuth, but this type of authorisation also underpins Microsoft 365's third-party application access. Proofpoint has found attackers creating pages for seemingly legitimate applications that request access to a user's Microsoft 365 account. Granting that request gives the attacker access to the user's data without ever needing the password. These attacks can be very persuasive and we advise extreme caution whenever anything requests access to Microsoft 365 resources.
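The practical check behind that advice is to read what a consent request actually asks for before approving it. The following is an added example for this digest, not code from Proofpoint or Microsoft: it parses an OAuth authorisation URL of the kind a user is sent to when an app asks for Microsoft 365 access, lists the requested scopes, and flags the ones that would hand a third-party app broad or persistent access. The high-risk scope list and the trusted-redirect-host allow-list are illustrative policy choices, and the client_id and redirect host in the sample request are constructed placeholders.

```python
"""Review an OAuth authorisation request before consent is granted.

Added example; not Proofpoint's or Microsoft's code. The scope names are
real Microsoft Graph delegated permissions, but which of them count as
"high risk" is an illustrative policy, not a published standard.
"""
from urllib.parse import urlparse, parse_qs

# Scopes that give an app standing access to mail, files or the directory,
# or (offline_access) a refresh token that keeps working after the user
# closes the browser. Example policy: tune to the organisation's needs.
HIGH_RISK_SCOPES = {
    "offline_access",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All",
}

# Constructed sample: a consent link of the kind described in the item above.
# The client_id is a placeholder and example.invalid is a reserved test domain.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All"
)


def review_consent_url(url, trusted_redirect_hosts=()):
    """Describe what an authorisation request asks for and why it is risky.

    Returns a dict with the client_id, the sorted list of requested scopes,
    the host the authorisation code/token will be sent to, a list of
    human-readable findings, and a verdict of "allow" or
    "block_pending_review".
    """
    query = parse_qs(urlparse(url).query)

    # The scope parameter is a space-separated list; there may be several.
    scopes = set()
    for raw in query.get("scope", []):
        scopes.update(raw.split())

    redirect = query.get("redirect_uri", [""])[0]
    redirect_parts = urlparse(redirect)
    redirect_host = redirect_parts.hostname or ""

    findings = []
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests high-risk scopes: " + ", ".join(risky))
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        findings.append(f"sends the authorisation response to unrecognised host {redirect_host}")
    if redirect and redirect_parts.scheme != "https":
        findings.append("redirect_uri is not https")

    return {
        "client_id": query.get("client_id", [""])[0],
        "scopes": sorted(scopes),
        "redirect_host": redirect_host,
        "findings": findings,
        "verdict": "block_pending_review" if findings else "allow",
    }


if __name__ == "__main__":
    report = review_consent_url(SAMPLE_REQUEST, trusted_redirect_hosts={"apps.corp.example"})
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

The point of the redirect check is that consent phishing does not need the user's password: whoever controls the redirect host receives the authorisation response, so a request that combines mail or file scopes with `offline_access` and an unfamiliar redirect host is exactly the pattern worth stopping for administrator review.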

Insiders

Protecting against the 'insider risk' is crucial to securing an organisation, and Canadian-based e-commerce company, Shopify, has some lessons for us. Last month, it disclosed a data breach involving almost 200 merchants and their customers which it said was caused by two rogue support staff. As with Twitter's gruesome security failure in July, the key to preventing such attacks is to adopt and enforce policies based on a 'least privilege' approach. That means ensuring users have only the rights needed to perform their jobs, segregating duties so that no individual can perform a sensitive task alone, and adopting processes and technology to monitor the behaviour of privileged users. In only the last fortnight, details have emerged of failures to address the insider risk at Amazon and Instacart. We have been warned.
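The three controls listed above (role-scoped rights, segregation of duties and monitoring of privileged users) are easier to reason about with a concrete model. The following is an added example written for this digest, not Shopify's or Twitter's tooling: it defines per-role rights, enforces a two-person rule on refund approval, and runs a simple peer-baseline check over constructed support-desk access logs to flag an agent who is reaching into far more merchant accounts than colleagues do. Roles, actions, user names and log lines are all constructed for illustration.

```python
"""Least privilege, segregation of duties and privileged-user monitoring.

Added example; not the tooling of any company named in the digest. Roles,
actions and the access log are constructed to illustrate the controls.
"""
from statistics import median

# Least privilege: each role carries only the rights its job needs.
ROLE_RIGHTS = {
    "support_agent": {"order.view", "refund.request"},
    "support_lead":  {"order.view", "refund.request", "refund.approve"},
    "auditor":       {"order.view", "audit.read"},
}

# Segregation of duties: the person who requests a refund may not approve it.
SENSITIVE_PAIRS = {("refund.request", "refund.approve")}


def is_permitted(role, action):
    """Plain role check: unknown roles and unlisted actions are denied."""
    return action in ROLE_RIGHTS.get(role, set())


def can_approve(approver, approver_role, requester, action_pair):
    """Two-person rule: approval needs the right AND a different person."""
    if action_pair not in SENSITIVE_PAIRS:
        raise ValueError(f"{action_pair} is not a registered sensitive pair")
    _request_action, approve_action = action_pair
    if not is_permitted(approver_role, approve_action):
        return False
    return approver != requester


def build_sample_log():
    """Constructed access log: 'timestamp user action merchant_id' per line.

    Three agents each look at three merchants; one agent walks through 25.
    """
    lines = []
    for i in range(3):
        for user, base in (("alice", 1000), ("bob", 2000), ("dave", 4000)):
            lines.append(f"2020-09-28T09:{i:02d}:00Z {user} order.view {base + i}")
    for i in range(25):
        lines.append(f"2020-09-28T10:{i:02d}:00Z carol order.view {5000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Split the whitespace-delimited log into (ts, user, action, merchant) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, merchant = line.split()
        events.append((ts, user, action, merchant))
    return events


def flag_unusual_access(events, multiplier=3, floor=3):
    """Flag users who viewed far more distinct merchants than their peers.

    Baseline is the median distinct-merchant count across all users; a user
    is flagged when their count exceeds max(floor, median * multiplier).
    Returns {user: distinct_merchant_count} for flagged users only.
    """
    merchants_by_user = {}
    for _ts, user, action, merchant in events:
        if action == "order.view":
            merchants_by_user.setdefault(user, set()).add(merchant)
    counts = {u: len(m) for u, m in merchants_by_user.items()}
    if not counts:
        return {}
    threshold = max(floor, median(counts.values()) * multiplier)
    return {u: n for u, n in counts.items() if n > threshold}


if __name__ == "__main__":
    pair = ("refund.request", "refund.approve")
    print("alice approves own refund:", can_approve("alice", "support_lead", "alice", pair))
    print("bob approves alice's refund:", can_approve("bob", "support_lead", "alice", pair))
    print("flagged:", flag_unusual_access(parse_log(build_sample_log())))
```

The monitoring half is deliberately simple: a peer-relative baseline on distinct records touched catches the "browsing many customers' data" pattern without needing to know in advance which merchant is sensitive, and the floor stops a tiny team from flagging everyone when the median is near zero.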

In brief

Users of Microsoft's cloud services had a frustrating week with significant problems affecting Azure and Exchange Online. Microsoft blamed "configuration changes" and said lessons would be learned.

A reminder about the risks of default configurations, courtesy of Fortinet. Researchers identified potential security issues in the FortiGate VPN appliance. Fortinet said there's no problem providing its installation instructions are followed.

The demise of Adobe's Flash Player is fast approaching (on Dec 31), and the UK's National Cyber Security Centre has warned administrators not to try to prolong its life.
"Work alongside your suppliers to remove Flash dependencies. Any...unwilling, or unable, to do this should, themselves, be considered risky," it says.

Valuable research from RadarFirst demonstrates the importance of making sure written records are kept safe. According to its data, a third of incidents involved paper records, most were accidental and only 2% involved malicious actors.

The UK government is reminding owners of .eu domains about the requirements they'll need to fulfil after Dec 31. They are: EU/EEA citizenship, residency, or (in the case of organisations) establishment in the EU/EEA.

Shortly after unveiling an indoor, flying security drone, Amazon says it's begun testing a system designed to identify shoppers from their handprints.
But shopping is only a first step for 'Amazon One'. The aim is for it to be used more widely. Much more widely...

A New York college was so irritated by a parody Twitter account that it seized control of it and deleted it. Twitter apologised for handing control of the account to the State University of New York. The college insisted it does have a working sense of humour. Motherboard

Updates

Zerologon: New guidance from Microsoft on how to protect against attacks targeting the Zerologon vulnerability. The issue, which is being actively exploited, can be used to compromise Active Directory domain controllers and gain administrator access.

Exchange: More than 247,000 Microsoft Exchange servers still haven't been updated to fix a serious vulnerability that affects all versions under support. Rapid7 also reminds us that support for Exchange 2010 ends on October 10.

ChromeOS: The 85.0.4183.108 update is causing problems for many users, with reports of apps running erratically, devices overheating, and fast battery drain. There's no fix at the moment, other than reverting to an earlier version.

Cisco: Updates to address two high-severity vulnerabilities in IOS XR software that have been actively exploited for over a month.

QNAP: Users of network attached storage (NAS) devices are advised to update firmware and apps to avoid infection by a new strain of ransomware named AgeLocker.

Thunderbird: Version 78.3.1 (the second update in 2 days) includes a series of fixes and should be installed automatically.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217