Weekly Threat Report - 27th July 2018
Reports are drawn from recent open source reporting.
Data breach suffered by Reddit
Reddit confirmed earlier this week that it had suffered a data breach back in June 2018 with all data created between 2005 and 2007 compromised.
This data included users’ protected passwords and email addresses, as well as current usernames and corresponding email addresses obtained from the weekly email digests that round up top Reddit posts.
The NCSC has issued advice for Reddit users who have had an account between 2005 and the present day.
Used connected cars need disconnecting
Once upon a time you sold your car, handed over the keys, log book, MOT certificate and pocketed the cash or bought a new car and thought no more about it. No longer. In today’s connected world – you may have just sold a computer on wheels.
As of late 2017 there were around 9 million internet-connected cars on UK roads. Most new cars have features that allow the owner to interact with the vehicle, even when nowhere near it. This varies from the ability to set climate control, through to uploading sat nav destination details and more. This information is then stored in the online account associated with the car.
This data is not the only personal information that remains with the car. For instance, phones that have been paired with the car should also be unpaired when the car is sold.
When selling an old phone or device most people would ensure that any personal data on it was completely wiped. The same principle applies when an internet-connected car is sold; it is generally the seller’s responsibility to disable the online account that they used with that car.
Many car manufacturers and dealers state this in their terms and conditions. However, some customers may not read them that closely and fail to delete their personal accounts and access. When the car is then sold on, the previous owner can track and monitor the car’s location and other data without the new owner’s knowledge.
The key message is to treat a modern car like any other connected device that is being sold: delete all personal data and disable the account that has been used with the car. Privacy is already seen as a key issue with phones, tablets, and laptops. Cars and other internet-connected devices should also be added to the list.
Social engineering as a malware delivery mechanism: technical support fraud
We are all used to warnings about the need to keep security patches up-to-date in an effort to make our computers harder to exploit, but hackers have long been using social engineering alone as a means to exploit us and our computers. One type of scam – technical support fraud – seems to be on the rise again.
It sees hackers pose as employees of trusted organisations such as an IT company, Internet Service Provider, bank or, as in April 2018, even as Action Fraud. They phone the intended victim, claiming there is a problem with their account/internet/computer, and they need remote access to the victim’s device to demonstrate and fix it.
Granting them this access gives the hackers complete control. They can, for example, install a key logger or other malware, launch phishing attacks against the victim’s contacts or access the victim’s personal information, including passwords and banking details.
Technical support fraud affects businesses as well as individuals, with some hackers regarding businesses as more lucrative victims.
This technique is not new, but it appears to be on the increase. Microsoft reported that it had received 153,000 complaints about technical support fraud from around 183 countries in 2017, a 24% increase from the previous year. Although the hackers can be very convincing, most organisations do not make unsolicited phone calls offering to fix problems.
Not your typical ransomware
We previously reported on the SamSam ransomware attack on the Colorado transport system, the city of Atlanta and the ongoing costs of the ransomware attacks. A recent report by cyber security company Sophos has shed further light on SamSam – its evolution, the revenue it has generated and details of the attacker(s), who is yet to be identified. Key findings from Sophos include:
SamSam has earned more than $5.9m (£4.5m) from ransom payments since late 2015. The attacker’s revenue now averages around $300,000 (£250,000) per month.
Most of the known victims are based in the United States (74%), but other regions are known to have suffered attacks, including the UK (8%).
Medium to large public sector organisations in healthcare, education, and government account for about 50% of the total number of known victims, with the rest in unidentified parts of the private sector.
The ransom demands have increased considerably, and the tempo of attacks shows no sign of abating.
The attacker is thorough and consistent in covering their tracks and making analysis difficult.
The SamSam campaign operates differently from most ransomware threats. Most malicious actors perform mass distribution schemes to spread ransomware through email spamming or malware-infected adverts. In the case of SamSam, the attacker is patient, persistent and selective, targeting one victim at a time.
The best way for organisations to protect themselves against SamSam, and many other attacks, is to reduce their threat profile and not be an easy target in the first place. The NCSC has issued guidance on mitigating ransomware and other forms of malware.
Recent data breach investigations highlight ongoing data storage concerns
Retailer Dixons Carphone and shipping company Clarksons both experienced compromises on their systems in 2017 leading to large amounts of data being stolen.
Both companies have recently reported the results of investigations indicating that the scale and extent of each compromise was significantly greater than originally reported.
This is not unusual. The full extent of data breaches is often not discovered or reported until long after the initial breach, which can lead to delays in alerting affected individuals and provide a wider window of opportunity for cyber criminals to monetise the data (e.g. through spear-phishing campaigns or using online banking credentials).
Therefore, even individuals who may not have been affected by reported breaches should be vigilant. Business best practice is to regularly review the personal data held, retain only what is necessary, and then ensure that this data is sufficiently protected.
The NCSC website has published updated guidance on the Dixons Carphone plc breach. It also has detailed guidance on phishing as well as the threat following data breaches.
Following US arrests, prolific cyber gang FIN7 now smaller
Three members of the prolific ‘FIN7’ hacking group have been arrested, the US Department of Justice announced this week.
It is alleged that the group stole over 15 million customer card records from over 3,600 locations, impacting at least 100 businesses in the US, UK, France and Australia, predominantly in the restaurant, gaming and hospitality industries.
The group, which has also been referred to as Carbanak and the Navigator Group, used phishing and spear-phishing emails, such as complaint emails with malicious attachments, to target their victims, often accompanied by a telephone call for authenticity.
Once the attachment was opened, the group used malware to steal card details which they then used or sold for profit on the criminal darknet.
The FIN7 group have also purportedly recruited hackers using a front company, Combi Security, to provide a guise of legitimacy.
One of the individuals is in the US; the other two are in Poland and Spain, and the US is seeking to have both extradited. The investigation into the remainder of the group is continuing.
Phishing is a widely used technique which criminals use to try to obtain access to systems. The NCSC has issued guidance about defending your organisation from phishing.