FFT news digest May 14 2021

Ransomware

Yet again, we can't say we weren't warned. The ransomware attack that shut down Colonial Pipeline's 5,500 mile-long fuel supply infrastructure is just the latest in a pandemic of such incidents. Perhaps it will result in the threat of ransomware being taken seriously - and a renewed focus on security fundamentals. Frankly, if the extraordinary pictures of Americans filling plastic bags with gasoline don't focus policymakers' minds, then nothing else will. Bloomberg reports that Colonial paid almost $5 million to restore its operations, despite earlier denials that any ransom would be paid.

It's tempting to ascribe the attack to a group with connections to the Russian government, but President Biden says this isn't so. It's true there's evidence that the attackers may be based in Russia or have Russian connections, but most analysts agree the aim was not to damage national infrastructure but simply to target an organisation with the means to pay a significant ransom. Of course, Moscow might not be unhappy about the past week's events, will certainly have studied them and most probably could have prevented them with a more muscular approach to cracking down on digital crime. The Biden administration says "decisive action" against ransomware networks will be taken.

The FBI has formally blamed the attack on a criminal group called DarkSide, but it's entirely possible it didn't carry out the Colonial Pipeline attack itself. As we (and many others) have frequently warned, there is a large and growing market for Ransomware as a Service (RaaS). This allows anyone with criminal inclinations to take advantage of others' technical skills - and share the profits of any successful attacks with them. It is all too easy to set oneself up as a 'cyber criminal', despite some recent successes against the organised crime groups behind many incidents.

For organisations hit by ransomware, the choice is whether or not to pay. Attackers have adapted their methods to make payment more likely by not only encrypting information, but also by threatening to publish it if they don't get their money. The choice has been made somewhat easier because in many cases the ransom is paid by insurance companies. Of course, this only encourages the criminals, and governments (including the UK's) are urging organisations not to pay up. The Associated Press says insurance giant, AXA, has acceded to French government demands and will no longer reimburse ransomware payments.

And finally...Ireland's health service has suffered a ransomware attack that has forced it to take its systems offline as a "precaution".

Threats

The extraordinary scale - and rise - of digital crime is illustrated by an announcement from the UK's National Cyber Security Centre, which says it took down 700,595 malicious campaigns last year. That's 15 times more than the previous year, as criminals sought to take advantage of the COVID-19 pandemic. The NCSC has a range of new tools and advice to help organisations and individuals stay safe, including an early-warning service.

Meanwhile, McAfee says fake COVID-19 test results, fraudulent vaccination cards, and questionable vaccines are emerging as hot commodities on the dark web. "The underground economy cycle continues as demand creates inventory, which in turn creates supply," a senior McAfee researcher said.

Sharepoint: Attack uses realistic email claiming linked contract needs urgent signature: Cofense

Zix: Campaign tries to harvest Office 365 account credentials by sending phishing emails from a compromised enterprise account via secure Zix email system. Abnormal Security

Android: Ingenious attack begins with message asking target to pay customs fees to release a package. If clicked, the enclosed link installs a fake Chrome app which is designed to send thousands of text messages from the infected device. Pradeo

Office 365: Attack uses email with message telling target that Office Business Essentials subscription has expired. The link leads to a realistic-looking website designed to steal credentials. Avanan

FiveHands: The US Cybersecurity & Infrastructure Security Agency has warned about a relatively new ransomware variant called FiveHands. The group using it not only encrypts a victim's files but steals some and threatens to leak them online unless its demands are met.

Dropbox: Most email security solutions will let Dropbox links through their defences, and that's what is being exploited in this sneaky campaign. Avanan

Tor network: The Tor network is designed to enable secure, anonymous browsing. The only problem is that it works by directing network traffic through a series of relays, with the 'exit' relay acting as the final link before traffic heads to its destination. A researcher says that in February an unidentified actor managed to control more than 27% of that exit capacity. It's thought this is part of a sophisticated campaign to steal cryptocurrency.

Overview

Now in its 14th year, the Verizon Data Breach Investigations Report is perhaps the most respected overview of digital security issues available. Among this year's findings...85% of breaches involved the "human element." Other key statistics: phishing played a role in 36% of breaches and 10% involved ransomware, double the rate for the previous year. Such statistics and the length of the report (it runs to 119 pages) might suggest a revolutionary response is required. In fact, its lead author says the key requirement is a focus on fundamentals - and Verizon has a free assessment tool designed for small and medium-sized organisations. The report is highly recommended and it's an easy read (The Record has a surprisingly interesting account of its history).

WhatsApp'd

Just as WhatsApp told users to share their data with Facebook or accept "limited functionality", a German regulator banned Facebook from processing such data for the next three months. "There is no legal basis for processing by Facebook," the Hamburg Commissioner for Data Protection and Freedom of Information said. "The provisions on data transfers are scattered at different levels of the privacy policy, they are unclear... misleading and show considerable contradictions. Even after close analysis, it is not clear what consequences approval has for users." WhatsApp rejected the order as "wrong," saying it wouldn't impact its plans.

WiFi

Most of the technology we rely on is fundamentally insecure - and if you don't believe us, witness the flaws in WiFi that a researcher has just published. There are 12 issues affecting the design and implementation of the WiFi protocols that are supposed to secure wireless networking, and they date back to 1997. Mathy Vanhoef named the collection of flaws "FragAttacks" and says that, while some would be hard to exploit, others are trivially easy to use. There's no evidence they're being actively exploited at the moment, and manufacturers are releasing fixes (see below). Even before this research, it was well demonstrated that WiFi security is vulnerable. Vanhoef has the usual recommendations: take updates, use strong passwords, avoid dodgy websites.

Disinformation

China has been conducting a highly successful social media campaign in support of its 'wolf warrior' diplomats. The only issue...research shows it has been powered by an "army of fake accounts." A seven-month investigation by the Associated Press and the Oxford Internet Institute identified 26,879 accounts used to retweet Chinese diplomats and state media before Twitter suspended them. “We will continue to investigate and action accounts that violate our platform manipulation policy,” Twitter said. China has rejected the charges.

In brief

Testing: Opinions are divided over whether fake phishing emails are an effective way of training employees how to recognise them. There's little disagreement that West Midlands Trains chose the wrong approach when its fake email promised a non-existent COVID bonus to its 2,500 staff. TSSA

Journalists: The US Justice Department tried to identify the source of Trump administration leaks by secretly obtaining phone records of three Washington Post reporters who investigated Russia's role in the 2016 election. Washington Post

Huawei: The Chinese tech giant has been accused of being able to monitor all calls on Dutch network, KPN. Both KPN and Huawei have denied any impropriety. De Volkskrant via NL Times

Cheating: The pandemic has seen a boom in websites that help students cheat on their classwork. Among them is a new variant that allows students to put classwork up for auction with a requested grade and proposed price. Wall Street Journal ($)

AWS: Users don't know how to use Amazon Web Services, resulting in more than five million records being exposed. The data include personal details and credit card transactions. Check Point has advice.

Domestic abuse: There has been a sharp rise in the number of complex domestic abuse cases in the UK involving digital technology to harass, stalk, and control their victims. The Guardian

BUTTF***KER 3000: Michigan has been using Zoom for its court cases. When Nathan Saxaon logged in to respond to drugs charges, the judge was unimpressed by his choice of username which Mr Saxaon blamed on an inside joke. Motherboard

Updates

iOS: (Very angry) iPhone users are complaining about problems after taking the iOS 14.5.1 update, saying performance has been significantly affected. Some of this might be to do with Apple's Battery Recalibration feature, which was introduced in iOS 14.5. We're waiting for Apple to comment. This is all very unfortunate because the 14.5.1 update includes critical security fixes.

Microsoft: Monthly set of updates has 55 items, four rated 'critical' and four for Exchange Server. Among the most serious is an issue that can be used to create a 'worm' which is designed to replicate itself across a network. A separate update for Outlook left some Windows users unable to view or create emails. The affected version is 2104 build 13929.20372. Bleeping Computer has details and fixes.

Adobe: Updates for 12 products, including one for Reader to address a vulnerability that is being actively exploited.

Foxit: Security updates for a high severity vulnerability that could allow attackers to run malicious code on Windows devices.

SAP: Six security notes and updates for five other security notes, including three rated 'Hot News' affecting Chromium (delivered with SAP Business Client), SAP Commerce, Business Warehouse and BW/4HANA.

VLC: Version 3.0.14 fixes a broken Windows automatic update mechanism.

Chrome: (Yet) more updates for all variants of Google's web browser. They address 19 issues, 13 rated 'high severity'.

Citrix: Security updates to address a vulnerability in Workspace App for Windows. An attacker could exploit the issue to take control of an affected system.

WiFi: Manufacturers are quietly rolling out updates to address the "FragAttacks" issues. We've identified the following: Aruba, Cisco, Eero, Intel, Juniper, Lancom, Lenovo, Linux Wireless, Mist, Netgear, Samsung, Synology, Zyxel.

Juniper: Security updates for multiple vulnerabilities in a range of products. The issues could allow an attacker to take control of an affected system.
