Weekly Threat Report - 21st September 2018
Microsoft Office Macros, most popular method of malware delivery
Cyber criminals continue to utilise weaponised macros in Microsoft Office documents to deliver malware. In a recent report from Cofense, it was noted that the exploitation of Microsoft Office macros comprised 45% of all deliveries. A separate report showed that a further 37% exploited the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882).
Macros can be easily developed and distributed. Despite Microsoft having disabled macros by default, it only takes minimal user interaction to start the infection chain. Subsequently, the victim could be infected by a range of malware, with Geodo, GandCrab and Trickbot among the variants observed.
As Cofense noted, the range of observed payloads indicates that this delivery mechanism is used widely across the cyber crime landscape by both “mature and amateur operators alike.”
The NCSC website has published guidance on Macro security for Microsoft Office. It also has guidance on phishing.
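The infection chain described above relies on the user being offered a single click to enable a macro, so the practical control is to remove that choice by policy. The following PowerShell is an added example, not NCSC or Cofense code, that audits the per-user Office macro policy values for Word, Excel and PowerPoint and can set them to a hardened state. It assumes Office 2016/2019/365, whose policy values live under the "16.0" version key; earlier Office versions use a different version number at the same path.

```powershell
# Added example (not the report's or NCSC's code): audit and harden Office
# macro policy. Assumes Office 2016/2019/365 (policy version key "16.0").

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value (Office "Macro Settings").
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (weak)'
    2 = 'Disable all macros with notification (Office default; one click enables them)'
    3 = 'Disable all macros except digitally signed ones'
    4 = 'Disable all macros without notification (strongest)'
}

function Get-OfficeMacroPolicy {
    # Report the effective policy values for each Office application.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba = $null
        $blockInternet = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $vba = $props.VBAWarnings
            $blockInternet = $props.blockcontentexecutionfrominternet
        }
        $meaning = if ($null -ne $vba) { $VbaWarningsMeaning[[int]$vba] }
                   else { 'Not set by policy; Office default (notification bar) applies' }
        [pscustomobject]@{
            Application             = $app
            VBAWarnings             = $vba
            Meaning                 = $meaning
            BlockMacrosFromInternet = ($blockInternet -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # Write a hardened policy: by default only digitally signed macros run,
    # and macros in files that carry the Mark-of-the-Web (downloaded or
    # received from the internet) are blocked outright.
    param(
        [ValidateSet(2, 3, 4)][int]$VBAWarnings = 3,
        [switch]$BlockFromInternet
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VBAWarnings -Force | Out-Null
        if ($BlockFromInternet) {
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Usage: show the current state, then harden and show the result.
Get-OfficeMacroPolicy | Format-Table -AutoSize
Set-OfficeMacroPolicy -VBAWarnings 3 -BlockFromInternet
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

On a managed estate these values are normally delivered through Group Policy (the Office administrative templates), which writes the same keys and will overwrite local changes; the script is most useful as an audit of what the policy has actually applied on a given machine. The audit output makes the weak state visible: an application with no policy value set is running the Office default, where the document's notification bar offers the one click the report describes.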
Cyber threat to university networks
The University of Edinburgh was a victim of a Denial of Service attack, which happened on the first day of freshers’ week. It affected the university’s websites, online services and Wi-Fi networks. Following the attack, the website of Jisc, who provide digital solutions to UK education and research organisations, featured a blog post which explored how and when Denial of Service attacks impact universities.
The post observed that Denial of Service attacks were most frequent between 0800 and 1500, and dramatically less frequent during university holidays. The author noted that the timing could be indicative that staff and students were the key initiators of the attacks, while recognising that there was little benefit in disrupting an organisation during its quietest periods.
The annual slow-down in attacks, which occurs as universities enter their summer break, began earlier this year. The author noted that this may have been due to law enforcement activity.
In April, the National Crime Agency (NCA) and Dutch partners took down webstresser.org as part of Operation Power OFF. The website had been a leading provider of Denial of Service attacks, with upwards of 4 million attacks being orchestrated through the site, for fees as low as £11.
While disruptive attacks cause the most visible difficulties for staff and students, intrusion and theft by state-sponsored groups and cyber criminals remain key threats to the sector.
In August, Dell Secureworks reported on a global campaign which targeted 76 universities in 14 countries. The campaign saw victims directed to spoofed versions of their university’s website, where their credentials could be stolen. Stolen credentials can enable theft of sensitive information, can be used to influence or deceive others, and are themselves a saleable commodity. The report attributed the campaign to a state-sponsored Iranian group.
The NCSC has previously published guidance to help organisations understand and mitigate against DoS attacks.
GDPR three months in
The Information Commissioner’s Office (ICO) recently provided the first update on the impact of the General Data Protection Regulation (GDPR) since it went live three months ago.
Over this period, the ICO, who are the regulator under GDPR, received an average of 500 calls a week to their breach reporting line. Collected data has identified some important trends concerning the reporting of relevant incidents. The key lesson is that organisations need to get their incident reporting plans in place and to ensure that:
Breaches are reported within the appropriate time period. Breaches are to be reported within 72 working hours of the organisation becoming aware of the incident.
Breach reports are as complete as possible before reporting; where details are missing, a rough timeline of when the ICO can expect further information should be provided.
The person reporting the breach is authorised to discuss the problem in the required detail.
Of the cyber incidents that were reported, nearly half were the result of phishing. Malware (10%) and ransomware (6%) were other notable causes of reported breaches.
The NCSC, in collaboration with the ICO, has published guidance on GDPR Security Outcomes.
Bristol Airport cyber attack
Bristol Airport reported last week that it had been the victim of a cyber attack resulting in flight display screens failing. Whilst there was no reported disruption to flight departures or arrivals, flight details including check-in desks, boarding gates and flight times had to be provided via the public address system and displayed on white boards. The outage continued over two days before normal service could resume. A statement from Bristol Airport explained that the systems were taken offline by their own security administrators in order to mitigate a suspected online criminal attack and prevent any damage.
Some reports indicate that this was a ransomware attack. Ransomware comes in different forms. However, in its basic form, a payment is demanded to decrypt files or unlock a machine infected by the malware. There is no guarantee that, once a payment has been made, the victim will have access restored to them.
The NCSC has published guidance on ransomware and handling an incident.