Weekly Threat Report - 1st February 2019
Iranian hackers believed to be targeting sensitive personal data
Security researchers at FireEye have reported that Iranian hackers are targeting businesses in the telecommunications and travel industries as part of an international surveillance campaign.
Whilst the group has primarily been active in the Middle East, individuals in nations such as the US, Australia, Norway and Spain are also known to have been targeted, according to FireEye, which has named the group APT39.
Researchers posit that the group is attempting to gain access to these industries so it can monitor and track specific individuals for operations believed to serve Iran's national security strategic objectives. This includes collecting individuals' location details through travel itineraries and telecommunications metadata.
According to FireEye: "APT39's focus on the widespread theft of personal information sets it apart from other Iranian groups... which have been linked to influence operations, disruptive attacks, and other threats."
Any organisation that deals with sensitive personal information is at a higher risk of being targeted by malicious actors.
Guidance on how to make services harder to compromise is available for designers, developers and operators of online services. The NCSC has also published 15 good practice measures for the protection of bulk personal data.
B&Q reportedly exposes details of suspected thieves
B&Q reportedly exposed details of suspected store thieves to the internet without password protection, according to a security researcher.
The exposed records reportedly included 70,000 offender and incident logs, including full names, physical characteristics, vehicle details and the value of the goods stolen.
The data is believed to have been kept in an Internet-accessible data store that had not been set up to require user-ID authentication.
A spokeswoman for B&Q said that it believed that there were a number of inaccuracies in the security researcher's reporting of the issue, and that it is investigating whether to inform the ICO.
Under GDPR, organisations are required to notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms. If an organisation decides that a breach doesn't need to be reported, it should keep its own record of it, and be able to explain why it wasn't reported if necessary.
Many Internet-connected services, including those hosted in the cloud, are intentionally designed to promote collaboration and data sharing. However, accidental data breaches can occur when organisations using cloud services fail to apply the security settings needed to keep information private.
The NCSC has published measures which organisations can take to make such incidents less likely, such as setting sharing to be ‘off’ by default. It’s also worth noting the possible threat of phishing following data breaches.
FaceTime privacy bug allows unauthorised eavesdropping
Researchers identified a flaw in Apple's FaceTime application affecting the camera and microphone of iPhones and Macs that could allow attackers to eavesdrop on another FaceTime user, even when the recipient doesn’t accept the call.
The flaw allows attackers to access the recipient's front-facing camera and can also reportedly be exploited when the device is in "Do Not Disturb" mode.
To address the flaw, Apple have said they will release an update this week, and have temporarily disabled Group FaceTime until the fix is available.
Attacks of this nature may be used by threat actors to steal confidential data or monitor target individuals.
The NCSC recommends that devices are kept up to date and patched wherever possible. Patches contain bug fixes to protect against vulnerabilities.