Weekly Threat Report - 26th October 2018
The insider threat
A recent Court of Appeal case dismissed an appeal against an earlier ruling that the supermarket Morrisons was liable for its employees’ misuse of data. Previously, in 2015, a former Morrisons employee had been convicted of leaking employee payroll records.
The case reinforces the importance of safeguarding data within an organisation, not only from external threats but also from insiders. The insider threat refers to employees who, either deliberately or accidentally, pose a threat to the confidentiality, integrity or availability of an organisation’s data. The outcome has significant implications for all data controllers and data processors.
A good start for any organisation keen on safeguarding its data would be to read the NCSC's 10 Steps to Cyber Security.
Remote access trojan developer convicted
A Remote Access Trojan (RAT) developer from the US has been sentenced to 30 months in prison for creating and selling a RAT known as LuminosityLink. A RAT is a programme which, once installed on a victim’s machine, allows remote administrative control. In a malicious context it can, among many other functions, be used to install backdoors and key loggers, take screenshots, and exfiltrate data.
According to the US Department of Justice, more than 6,000 customers had purchased this trojan, and its use in criminal or espionage activity has been widely documented.
The NCSC has previously highlighted the threat from publicly available hacking tools available for sale online, including commercial software packages which could potentially be used for malicious purposes. Although some of these are legitimate penetration testing or administration tools, many are being used by hackers to facilitate malicious activity.
The availability of these hacking tools gives threat actors of varying capabilities the opportunity to compromise information and establish persistence on a target network. Their relatively wide uptake and use make defending networks and attributing incidents more challenging.
The NCSC has recently published advice on limiting the effectiveness of hacking tools, as well as detecting their use in a network environment.
Further details on TRITON malware attack
A recent report by FireEye has provided further details about the intrusion activity leading to the deployment of the TRITON attack framework, which caused a Saudi petrochemical plant to go into safe shutdown in 2017.
The NCSC believes this was a highly targeted attack, and there is no credible evidence that the UK has been affected directly by this malware. The incident demonstrates how the global cyber threat continues to increase and change; ensuring that critical national infrastructure (CNI) is protected against possible risks is a vital part of keeping the UK secure.
The NCSC has previously issued advice to Industrial Control System operators via CiSP (the Cyber Security Information Sharing Partnership) and in a public advisory on the website, recommending a range of detection and mitigation activities.