Weekly Threat Report - 20th April 2018
Reports are drawn from recent open source reporting.
Cyber criminal groups identified on social media
Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.
The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.
The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.
From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.
Airline database hacked by disgruntled former employee
A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.
Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.
In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.
Identified following an FBI investigation, the individual was charged with carrying out fraud in ‘connection to computers’ and pleaded guilty to the charges against her.
User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
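The PenAir case turns on an account that a routine privilege review should have caught: a fictitious user with escalated privileges, created by someone shortly before they left. The script below is an added illustration (not NCSC code and not from the report) of what such a review can check. It runs over a constructed HR roster and account list; all names, dates and the 90-day dormancy threshold are assumptions.

```python
"""Periodic user privilege review over constructed sample data.

Added example, not NCSC or PenAir code. Flags the kinds of accounts a review
should surface: leavers whose accounts are still active, privileged accounts
with no matching HR record, accounts created by a leaver shortly before their
departure, and privileged accounts that have gone dormant.
"""
from datetime import date, timedelta

# Constructed HR roster: username -> leaving date (None = still employed).
HR_ROSTER = {
    "alice": {"left": None},
    "bob": {"left": date(2018, 3, 30)},   # bob left the company
    "carol": {"left": None},
    "dave": {"left": None},
}

# Constructed accounts on a business system (e.g. a reservation system).
ACCOUNTS = [
    {"user": "alice", "role": "admin", "created_by": "carol",
     "created": date(2016, 1, 12), "last_login": date(2018, 4, 18)},
    {"user": "bob", "role": "user", "created_by": "alice",
     "created": date(2015, 6, 1), "last_login": date(2018, 3, 29)},
    # Assumed scenario: a "service" account with admin rights, created by bob
    # two days before he left, with no person behind it in HR.
    {"user": "svc_backup2", "role": "admin", "created_by": "bob",
     "created": date(2018, 3, 28), "last_login": date(2018, 4, 1)},
    {"user": "carol", "role": "user", "created_by": "alice",
     "created": date(2017, 2, 3), "last_login": date(2018, 4, 19)},
    {"user": "dave", "role": "admin", "created_by": "alice",
     "created": date(2017, 5, 1), "last_login": date(2017, 9, 1)},
]

REVIEW_DATE = date(2018, 4, 20)  # assumed date the review is run


def review_accounts(accounts, roster, today, dormant_days=90, window_days=30):
    """Return (username, finding) pairs for accounts needing action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        record = roster.get(user)
        privileged = acct["role"] == "admin"

        # 1. The person has left but the account is still enabled.
        if record and record["left"] and record["left"] <= today:
            findings.append((user, "leaver-account-still-active"))

        # 2. Privileged account that maps to nobody in HR: possibly fictitious.
        if privileged and record is None:
            findings.append((user, "privileged-no-hr-record"))

        # 3. Created by someone who left within window_days of creating it:
        #    the access should be re-approved by a current owner.
        creator = roster.get(acct["created_by"])
        if creator and creator["left"]:
            if acct["created"] >= creator["left"] - timedelta(days=window_days):
                findings.append((user, "created-by-leaver-shortly-before-departure"))

        # 4. Privileged account nobody has used recently.
        if privileged and (today - acct["last_login"]).days > dormant_days:
            findings.append((user, "privileged-dormant"))
    return findings


def run_review():
    """Run the review over the constructed data for the assumed review date."""
    return review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12s} {finding}")
```

The value of the third check is that it ties account creation back to the HR leaving date: a privileged account created just before someone's departure is exactly the pattern described above, and it is invisible if the review only looks at who currently holds admin rights.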
Thai mobile operator in reported data breach due to poor cloud security
TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.
A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Services Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.
The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.
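Both mechanisms mentioned above, ACLs and bucket policies, can open a bucket to the world, so a check for public access has to look at both. The script below is an added example (not AWS or NCSC code) that runs offline over constructed documents in the shapes the S3 API returns for GetBucketAcl and GetBucketPolicy: a weak ACL and policy beside a hardened policy that limits access to one IAM role. The bucket name, role name and the 123456789012 account id are placeholders.

```python
"""Detect public access in S3 bucket ACLs and bucket policies.

Added example, not AWS or NCSC code. The two predefined group URIs are the
real ones S3 uses for "everyone" and "any AWS account"; the documents below
are constructed samples and the account id / names are placeholders.
"""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account holder)",
}

# Constructed ACL (GetBucketAcl shape) that grants public read: the weak setting.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Constructed ACL with only the owner grant: what a private bucket looks like.
PRIVATE_ACL = {"Grants": [WEAK_ACL["Grants"][0]]}

# Constructed bucket policy letting anyone fetch any object: the weak setting.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-docs/*",
    }],
})

# Constructed corrected policy: same action, but only for one IAM role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/customer-docs-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-docs/*",
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """True if the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def acl_findings(acl):
    """Grants to the predefined public groups, as human-readable strings."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            out.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUP_URIS[uri]}")
    return out


def policy_findings(policy_json):
    """Allow statements whose principal is everyone. A Condition may narrow
    such a statement, so it is reported for review rather than ignored."""
    out = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        note = " (has a Condition; review it)" if "Condition" in st else ""
        out.append(f"policy statement {st.get('Sid', '<no Sid>')} allows {actions} "
                   f"to everyone{note}")
    return out


def bucket_is_public(acl, policy_json):
    """A bucket is public if either its ACL or its policy opens it up."""
    return bool(acl_findings(acl) or policy_findings(policy_json))


if __name__ == "__main__":
    for label, acl, pol in [("weak", WEAK_ACL, WEAK_POLICY),
                            ("hardened", PRIVATE_ACL, HARDENED_POLICY)]:
        print(label, "public" if bucket_is_public(acl, pol) else "private",
              acl_findings(acl) + policy_findings(pol))
```

In a real account the two documents would come from the GetBucketAcl and GetBucketPolicy API calls for each bucket; the point of checking both is that a bucket whose policy is tight can still be exposed by a single AllUsers grant in its ACL, and vice versa.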
The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.
If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
Attacker dwell time on victim networks still too long
Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.
While this is a decrease from 416 days in 2011, the current dwell time means attackers still have ample time to achieve their goal.
Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the simplest weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.
The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.