Weekly Threat Report - 15th December 2017
Reports are drawn from recent open source reporting.
Increase in HTTPS phishing attacks
Over the past few years website owners have been encouraged to serve their sites over HTTPS rather than plain HTTP. With HTTPS, data in transit is encrypted, which protects information such as login credentials from being read or altered by anyone intercepting the connection.
HTTPS sites present certificates issued by Certificate Authorities (CAs), which check that the applicant controls the domain name before issuing. The padlock symbol in the address bar indicates that the connection is encrypted and that the certificate chains to a CA the browser trusts; clicking it shows the certificate details, and users are often advised to trust pages that display it. However, while the padlock shows that encryption is in use and that the certificate matches the domain name, it says nothing about whether the site itself is legitimate. Attackers can compromise existing HTTPS sites and use them to host malicious links, and can easily obtain valid certificates (often for free, since domain validation only requires proof of control over the domain) for lookalike domains they register themselves.
Although this rising attack trend has been reported before, recent research by the cyber security company PhishLabs highlights a common misconception among internet users: that a website using SSL/TLS and HTTPS, as signified by the padlock, is safe and secure to use. This is not necessarily the case, and attackers increasingly exploit the misunderstanding. In the third quarter of 2017, PhishLabs found that nearly a quarter of all phishing attacks it observed were hosted on HTTPS domains.
To avoid becoming a victim of HTTPS phishing, users and organisations should not rely on the padlock or the presence of a certificate alone to judge whether a website is legitimate. Other checks include looking closely at the spelling of the hostname in the URL and comparing it against a known, trusted address, and examining the source of an email (the raw HTML and headers) to find the real hostname or IP address behind each link, which may differ from the text displayed.
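The checks in the previous paragraph can be automated over an email body. The script below is an added example written for this page, not code from the NCSC report or from PhishLabs: it extracts every link from an HTML email, compares the real host against a trusted list (so HTTPS on its own earns no credit), flags punycode (xn--) labels that render as lookalike names, and reports links whose displayed text names a different host from the actual destination. The trusted hostnames, the sample email and its lookalike domains are all constructed for the example.

```python
"""Added example (not from the NCSC report): inspect the links in an HTML
email and flag ones that should not be trusted just because they use HTTPS.

The trusted host list and the sample email are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of hostnames the organisation considers legitimate.
TRUSTED_HOSTS = {"www.example-bank.com", "login.example-bank.com"}

# Constructed sample email body. Link 1 shows a trusted URL as its text but
# points at a lookalike ("examp1e" with a digit one); link 2 is genuine;
# link 3 uses a constructed punycode (xn--) host that a browser would render
# as a lookalike name. Every link uses HTTPS.
SAMPLE_EMAIL = """
<p>Please sign in at
<a href="https://login.examp1e-bank.com/auth">https://login.example-bank.com</a>
or use <a href="https://login.example-bank.com/auth">our secure portal</a>.</p>
<p>Notice: <a href="https://xn--exmple-bank-uib.com/login">example-bank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, displayed text), ...] in document order."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lowercase hostname of a URL; a bare domain is treated as a URL."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Hostname shown to the user, if the link text looks like a URL or domain."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return host_of(text)


def assess_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the reasons a link is suspicious; an empty list means it passed.

    A link passes only when its real host is on the trusted list. The scheme
    is reported but never counts in the link's favour."""
    reasons = []
    host = host_of(href)
    if host in trusted:
        return reasons
    scheme = urlparse(href).scheme.lower() or "none"
    reasons.append(f"host {host!r} is not trusted (scheme: {scheme})")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host; may render as a lookalike")
    shown = displayed_host(text)
    if shown and shown != host:
        reasons.append(f"displayed host {shown!r} differs from real host {host!r}")
    return reasons


def suspicious_links(html, trusted=TRUSTED_HOSTS):
    """Map each suspicious href in the email to its list of reasons."""
    return {href: assess_link(href, text, trusted)
            for href, text in extract_links(html)
            if assess_link(href, text, trusted)}


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Running it reports links 1 and 3 and leaves link 2 alone, even though all three are HTTPS: the decision rests on the real hostname, not on the padlock. In practice the trusted list would come from the organisation's own inventory of domains, and the displayed-text comparison should also be applied to link text that is an image or a button label, which this example does not handle.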
The NCSC provides guidance to help companies and individuals know what to worry about when using HTTPS to protect data.
Triton malware targeting safety controllers
There have been reports in UK and international media of a targeted incident against the safety system of a critical infrastructure facility. FireEye disclosed the incident on Thursday, saying the malware had targeted Triconex safety instrumented system controllers made by Schneider Electric SE.
Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex. FireEye and Schneider declined to identify the victim, its industry or the location of the attack.
The NCSC confirmed that there was no evidence that the UK had been affected directly by this incident. Protecting and securing the UK’s critical systems against cyber attack is a key priority for the NCSC and its technical experts have been working with industry partners to ensure their critical systems are appropriately secure and the cyber risk is being properly managed.
Threat actors exploit vulnerabilities with increasing speed
Research by the information security company FireEye highlights the shrinking window users have to apply software patches once they are released. According to the research, an APT group was observed using an exploit for CVE-2017-11882, a vulnerability in Microsoft Office, less than a week after Microsoft released a patch for it in November.
Threat actors are increasingly able to develop new exploits in very short timeframes, and the patch itself often helps them, since comparing the patched and unpatched code reveals where the flaw lies. In some cases, patches will need to be applied within a week of release to avoid machines being exposed to freshly developed exploits, and the longer devices go unpatched, the more likely they are to suffer an avoidable compromise or data theft.
This trend of increasingly fast turnaround times for exploits is likely to continue. Some threat actors may soon be able to produce working exploits for newly patched vulnerabilities in a matter of days, or even hours.
This threat can be mitigated through routine and well-implemented patching regimes. The NCSC’s End User Device Security collection has details about securing various platforms, and includes advice on patching.
Latest digital currency breach
According to media reports, hackers stole the entire contents of the Bitcoin wallet of NiceHash, a Slovenian mining and Bitcoin exchange service. NiceHash is still trying to determine exactly how many Bitcoins were stolen, but the figure is widely reported as over 4,000, worth over £50 million at the Bitcoin exchange rate at the time of writing.
As the value of digital currencies, especially Bitcoin, has continued to increase, so has investor interest in them, making digital currency exchanges a newly attractive target for cyber criminals. The last year has seen thefts from several cryptocurrency exchanges in South Korea and Israel, and there has also been a reported increase in DDoS attacks against digital currency exchanges.
The attacks do temporarily affect the value of digital currencies, but have not deterred investors. However, potential investors should be aware that when dealing with digital currencies there is no physical acknowledgement of ownership and no underlying institutional backing, and there is no financial ombudsman or regulator to turn to if funds are lost. In a separate news report, Chris Ensor, the Deputy Director for Cyber Skills and Growth at the National Cyber Security Centre, told The Sunday Telegraph that the NCSC was investigating potential security risks associated with Bitcoin on behalf of government departments.
Chris Ensor said: “We are interested in anything that could affect the country, so Bitcoin is a major thing now.” He said work on the cryptocurrency included assessing how it worked as the Treasury considered a crackdown, as well as the potential benefits of blockchain, its underlying technology.