Weekly Threat Report - 6th July 2018
Reports are drawn from recent open source reporting; see the latest report here:
Clipboard hijacking malware
This week, a newly-discovered clipboard hijacking malware sample has been seen monitoring over 2.3 million cryptocurrency addresses.
The malware scans the Windows Clipboard for cryptocurrency addresses, switching legitimate ones for addresses owned by the attacker. The malware runs in the background and, as its processes look genuine, there are no tell-tale signs of infection.
Clipboard hijacking, however, is not a new threat. Historically, earlier versions of web browsers would allow websites to silently read the data stored on the Windows Clipboard. Today, updated browsers prompt the user on screen to allow access to the clipboard.
In June, a cyber security company identified a clipboard hijacking malware campaign targeting Bitcoin and Ethereum users, infecting over 300,000 computers.
Due to the complex nature of cryptocurrency addresses, transferring funds requires users to copy a destination address from one application into memory and then paste it into the program they are using to send money. Attackers are likely to have noticed this behaviour and created the malware to take advantage of this.
There is no evidence to suggest that any other information is being taken as a result of this clipboard hijacking but, since the clipboard is often used as a place to hold passwords and other sensitive information, users should be vigilant. If you are sending cryptocurrency it is recommended that the destination address is double checked to make sure it has not been replaced with a different one.
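The address check recommended above can be automated; the following Python code is an added example, not code from the NCSC or from the reporting this page summarises. It flags clipboard changes where one address is replaced by a different address of the same type within a short window, and compares the intended and pasted addresses in full. The address patterns check shape only, and the sample events, the addresses and the two-second threshold are constructed assumptions.

```python
import re

# Address shapes only (no checksum validation).
PATTERNS = {
    "bitcoin": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'bitcoin', 'ethereum' or None for a clipboard string."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag an address replaced by a different address of the same kind
    within max_gap seconds (assumed threshold: faster than a user re-copies)."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        old, new = old.strip(), new.strip()
        kind = address_kind(old)
        if kind and kind == address_kind(new) and old != new and t1 - t0 <= max_gap:
            alerts.append({"time": t1, "kind": kind, "copied": old, "now": new})
    return alerts

def paste_matches(intended, pasted):
    """Compare the whole address, not just its first and last characters."""
    a, b = intended.strip(), pasted.strip()
    if address_kind(a) == "ethereum":  # hex is case-insensitive; Base58 is not
        a, b = a.lower(), b.lower()
    return a == b

# Constructed sample data: (seconds, clipboard text). Not real addresses.
USER_BTC = "1UserCopiedAddress" + "X" * 16
SWAP_BTC = "1SwappedAddress" + "Y" * 19
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (30.0, USER_BTC),
    (30.4, SWAP_BTC),           # replaced 0.4 s after the user's copy
    (90.0, "0x" + "ab" * 20),
    (200.0, "0x" + "cd" * 20),  # user copies another address much later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print("possible clipboard swap:", alert)
    print("paste ok:", paste_matches(USER_BTC, SWAP_BTC))
```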
As the price and popularity of cryptocurrencies continue to grow, we assess that illicit actors will increase efforts to obtain and profit from them, including through theft, speculation, fraud, illicit mining, and abuse of new cryptocurrency offerings.
It is recommended that devices and software, including antivirus, are kept up-to-date and patched where necessary. The NCSC has also issued mitigating malware guidance.
Third party apps can access your email
When downloading an app, users may be asked to grant certain permissions, which often include providing access to their emails to the app developer.
Recent media reporting indicates that third party companies are in some cases given access to users’ Gmail inboxes when the user signs up for email-based services.
Some third party companies have reportedly used computers and, on occasion, employees to scan the email data. The companies stated that they did not require the user's specific permission as the practice was covered by their user agreements, and that they have strict protocols in place for employees who read emails.
Google has stated that "only apps which have been vetted and are trusted by our organisation are used," although details of how many apps have access to Gmail have not been disclosed.
There is no indication that third party developers have misused any data to which they have had access. Nevertheless, users are advised to pay close attention to the permissions allowed and who they are granted to.
It should be noted that apps which may have only been used once in the past may still provide access to a user's emails.
Concerned Gmail users should visit Google's security check-up page.
Significant data breaches
Recent weeks have seen the announcement of several significant data breaches affecting major companies in the UK and internationally.
Some have resulted from poorly configured servers or vulnerabilities in web applications:
In early June, in one of the largest data breaches ever disclosed, a security researcher reportedly discovered a publicly exposed server belonging to the data brokerage firm Exactis. The exposed dataset allegedly contained nearly 340 million individual records relating to hundreds of millions of US citizens and millions of US businesses. Whilst the breach does not appear to have exposed payment or social security-related information, other sensitive personal details were included in the dataset.
On 14 June, hotel booking provider Fastbookings discovered that a vulnerability in a web application hosted on its server had been exploited by a malicious actor to install malware. The cyber thief reportedly used this to steal the personal details of guests from up to 4,000 hotels in 100 different countries.
Other breaches have highlighted the ongoing cyber threat to businesses’ supply chains:
In early June, Australia-based PageUp, which runs online recruitment for Whitbread businesses, including Costa Coffee and Premier Inn, admitted a data breach. The breach reportedly included personal and biographical details of all applicants to Whitbread businesses, though it is not clear how far back the breach extends.
On 23 June, Ticketmaster UK reported malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Information compromised may include a range of customers’ personal and payment details. Ticketmaster has stated that fewer than 5% of their customers were affected by the incident; up to 2 million customers who visited the site from February 2018 were notified by Ticketmaster, with a forced password reset as a precautionary measure. The NCSC has issued advice for Ticketmaster customers.
The NCSC website sets out clear and actionable advice to help organisations protect their bulk personal data from cyber attacks. The NCSC also recommends that users enable multi-factor authentication on any service that supports it, which will help protect user accounts if they are involved in a data breach. See the NCSC guidance on multi-factor authentication.
Organisations may also wish to report significant cyber incidents to the NCSC. If the incident is likely to have a national impact then we will seek to provide support, subject to resource constraints. National impact includes harm to national security, the economy, public confidence, or public health and safety.