Weekly Threat Report - 8th February 2019
Deliveroo reportedly suffers credential stuffing attack
Deliveroo customers have reported that their accounts have been accessed, delivery addresses added and orders made without their knowledge or consent.
Scammers are reportedly ordering huge quantities of food and drink to seemingly random addresses, using bank details linked to the victim’s account.
Some account holders report receiving emails saying their Deliveroo account details had been changed, specifically email addresses and phone numbers, leaving them unable to access their accounts.
One media outlet has reported that as many as 40 people have experienced this seemingly fraudulent activity.
The attackers appear to be using credential stuffing, a technique in which username and password pairs obtained from earlier data breaches are tested, typically with automated tooling, against a range of other online services.
Credential stuffing takes advantage of people reusing the same username and password combination across different accounts. An attacker who obtains valid combinations for one site, and finds that they also work elsewhere, gains access to legitimate accounts. The primary motivation is financial, but it can also lead to identity theft.
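The pattern described above is visible in a service's own authentication logs. The following Python is an added example, not code from the report or from Deliveroo: it parses constructed sample login events in an assumed format with ip=, user= and result= fields, and flags a source address that tries many distinct usernames with a low success rate, listing the accounts where a reused password actually worked.

```python
"""Spotting credential stuffing in web-application login logs.

Added example, not code from the original report or from Deliveroo.
The log format, thresholds and sample lines are assumptions constructed here.
"""
import re
from collections import defaultdict

# Assumed log line format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays one attempt each across many accounts
# (the breached-list pattern); 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2019-02-07T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2019-02-07T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2019-02-07T10:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2019-02-07T10:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2019-02-07T10:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2019-02-07T10:00:04Z ip=203.0.113.7 user=frank@example.com result=fail
2019-02-07T10:00:05Z ip=203.0.113.7 user=grace@example.com result=ok
2019-02-07T10:00:06Z ip=203.0.113.7 user=heidi@example.com result=fail
2019-02-07T10:00:07Z ip=203.0.113.7 user=ivan@example.com result=fail
2019-02-07T10:00:08Z ip=203.0.113.7 user=judy@example.com result=fail
2019-02-07T10:01:00Z ip=198.51.100.9 user=mallory@example.com result=fail
2019-02-07T10:01:05Z ip=198.51.100.9 user=mallory@example.com result=fail
2019-02-07T10:01:09Z ip=198.51.100.9 user=mallory@example.com result=ok
"""


def parse_log(text):
    """Parse lines in the assumed format into dicts; skip anything else."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that look like credential stuffing.

    The signature differs from brute force against one account: a single source
    tries many *different* usernames, roughly once each, and a small fraction
    of the reused passwords succeed. Thresholds are illustrative, not tuned.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "compromised": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "ok":
            stats["compromised"].add(e["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        success_rate = len(stats["compromised"]) / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "success_rate": round(success_rate, 2),
                # accounts needing a forced password reset and session revocation
                "compromised": sorted(stats["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The success-rate ceiling stops a shared egress address, such as an office NAT gateway, from being flagged merely because many genuine users sign in through it. The accounts listed under `compromised` are the ones to reset and to revoke sessions for; the flagged source is a candidate for rate limiting or step-up authentication, which is where the MFA guidance referenced below applies.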
Deliveroo is now introducing a "dedicated team" to handle complaints of accounts being compromised in this way.
The NCSC has published an advisory to help organisations protect themselves against credential stuffing, as well as guidance on protecting against password guessing attacks and on password strategies that help an organisation stay secure. Guidance on multi-factor authentication (MFA) is also available for organisations looking to bolster defences for their users.
Norwegian cloud computing company admits to compromise by APT10
A joint report by Recorded Future and Rapid7 has accused APT10 of infiltrating the network of Norwegian cloud computing company Visma.
According to Visma, its IT security staff detected the intrusion promptly. Although the incident did not affect any of Visma's clients' systems, it "could have been catastrophic" had it not been identified early.
Visma is one of the largest cloud service providers in Europe. The firm offers online HR, accounting, and other software to over 900,000 customers across Scandinavia and other regions of Europe.
The attacks are believed to be a part of a global hacking campaign, codenamed Operation Cloudhopper, that started in 2017 and mainly targets cloud service providers.
In December 2018, the NCSC assessed with the highest level of probability that the group known as APT10 acted on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the US.
APT10 (also known as Stone Panda, MenuPass and Red Apollo) is a threat actor known to have been active since at least 2009. Since then it has targeted healthcare, defence, aerospace, government, heavy industry/mining, Managed Service Providers (MSPs) and IT industries, among many other sectors, for the likely purpose of intellectual property theft.
The group almost certainly continues to target a range of global companies, seeking to gain access to commercial secrets. The NCSC’s updated advisory on APT10 provides guidance on how companies can protect themselves against this threat.
Recall of children’s smartwatch following data risk
A recall of a children’s smartwatch has been ordered by the European Commission following fears over a lack of encryption.
The Commission noted in a recall alert that the Enox Safe-Kid-One device was sending and receiving data unencrypted, so anyone on the network path could read or alter it. Furthermore, the Commission stated: "A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."
Enox has appealed against the decision, describing it as 'excessive' and adding that the version tested by the Commission was no longer on sale.
This isn't the first time that smartwatches have been in the spotlight, with Germany banning the devices in November 2017. The NCSC provided advice to parents in 2017 following concerns around Vikfjord, Gator 2 and Xplora products.
Manufacturers should ensure that appropriate security measures are built into their internet-connected devices and that emerging technologies are secure by design. The NCSC has guidance around how to build devices that are Secure by Default.
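The flaw the Commission describes, a device that obeys commands from any sender, is one of the things secure-by-design has to rule out at the protocol level. The following Python is an added example, not code from Enox, the Commission or the NCSC: a toy command channel whose wire format, command names and per-device key are assumptions made here, shown first without any authentication and then with an HMAC-SHA256 tag and a counter so that only fresh commands from the paired app are accepted. Confidentiality of the location data is left to an encrypted transport such as TLS; this example covers only origin and replay checks.

```python
"""Device command channel: the unauthenticated design the recall alert
describes, beside one that only accepts commands from the paired app.

Added example, not code from the original report or any Enox product; the
message format, command names and key handling are assumptions made here.
"""
import hashlib
import hmac
import json
import os


def handle_command_insecure(wire: bytes) -> dict:
    """Vulnerable: plaintext JSON with no proof of who sent it, so anyone who
    can reach the device can make it call a number or report its position."""
    return json.loads(wire.decode())


class AuthenticatedCommandChannel:
    """Commands carry a strictly increasing counter and an HMAC-SHA256 tag
    under a per-device key shared only with the parent's app (assumed to be
    provisioned at pairing). Unauthenticated, tampered or replayed commands
    are rejected. Integrity and origin only: no confidentiality here."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._last_counter = 0

    def encode(self, counter: int, command: dict) -> bytes:
        body = json.dumps({"ctr": counter, "cmd": command}, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag

    def receive(self, wire: bytes) -> dict:
        body, sep, tag = wire.rpartition(b"|")
        if not sep:
            raise ValueError("malformed: missing tag")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            raise ValueError("rejected: tag does not verify, not from the paired app")
        payload = json.loads(body.decode())
        if payload["ctr"] <= self._last_counter:
            raise ValueError("rejected: replayed or stale command")
        self._last_counter = payload["ctr"]
        return payload["cmd"]


def _rejected(device: AuthenticatedCommandChannel, wire: bytes) -> bool:
    try:
        device.receive(wire)
    except ValueError:
        return True
    return False


def run_scenarios() -> dict:
    """Exercise both designs with the paired app and an unrelated attacker."""
    device_key = os.urandom(32)    # provisioned secret (assumed)
    attacker_key = os.urandom(32)  # the attacker never sees the real key
    locate = {"op": "locate"}
    call = {"op": "call", "number": "+44000000000"}
    results = {}

    # Insecure design: the attacker's plaintext command is simply obeyed.
    results["insecure_obeys_attacker"] = handle_command_insecure(json.dumps(call).encode()) == call

    device = AuthenticatedCommandChannel(device_key)
    app = AuthenticatedCommandChannel(device_key)
    attacker = AuthenticatedCommandChannel(attacker_key)

    results["accepts_paired_app"] = device.receive(app.encode(1, locate)) == locate
    results["rejects_attacker"] = _rejected(device, attacker.encode(2, call))
    # Altering a genuine message breaks its tag.
    tampered = app.encode(2, locate).replace(b"locate", b"call")
    results["rejects_tampered"] = _rejected(device, tampered)
    # Replaying the app's earlier genuine message fails the counter check.
    results["rejects_replay"] = _rejected(device, app.encode(1, locate))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The per-device key is what turns "any watch" into "this watch, for this app": a command that verifies under one device's key proves nothing to another device, and a captured command cannot be resent because the counter only moves forward.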
Sophisticated phishing campaign targeting top brass
A new phishing campaign to steal login credentials from businesses is specifically targeting senior executives.
A fake email claiming to be from the company's CEO discusses the rescheduling of a board meeting, but the link in the email leads to a page resembling a Doodle poll that harvests Office 365 credentials. Researchers at GreatHorn first discovered the campaign.
According to GreatHorn's findings, the campaign is hitting organisations of different sizes and industries, with the email's content always remaining the same. If successful, the attackers obtain credentials that could serve as an entry point for further attacks.
The NCSC has published phishing guidance which organisations can use to bolster their defences against this type of campaign.
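Much of a campaign like this can be caught mechanically at the mail gateway or during triage. The following Python is an added example, not GreatHorn's or the NCSC's tooling, and it runs over a constructed message rather than the real one: it flags a sender whose display name matches an executive but whose address is outside the organisation's domain, and a link whose visible text names one host while the href goes to a different host or to a lookalike of it. The organisation domain, the executive roster and the imitated host are assumptions.

```python
"""Triage checks for a CEO-impersonation email that links to a
credential-harvesting page, as in the campaign above.

Added example, not code from GreatHorn or the NCSC. The message, domains and
executive roster are constructed here; the checks are generic heuristics.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"       # assumed: the targeted organisation's domain
EXEC_NAMES = {"jane doe"}        # assumed: display names of senior staff
IMITATED_HOSTS = {"doodle.com"}  # assumed: services the lure page imitates

# Constructed sample message, not the campaign's actual email.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@example.net>
To: cfo@example.com
Subject: Board meeting rescheduled - please confirm availability
Content-Type: text/html; charset="utf-8"

<html><body><p>The board meeting has to move. Pick a slot here:</p>
<p><a href="http://doodle.com.poll-login.example.net/o365">https://doodle.com/poll/board</a></p>
<p>Agenda as before: <a href="https://example.com/board/agenda">our agenda page</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_finding(href, text):
    """Flag text/href host mismatches, then lookalikes of an imitated host."""
    href_host = host_of(href)
    # Only treat the visible text as a URL claim when it looks like one.
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and text_host != href_host:
        return ("link_host_mismatch", f"text shows {text_host} but link goes to {href_host}")
    for real in IMITATED_HOSTS:
        is_real = href_host == real or href_host.endswith("." + real)
        if not is_real and real in href_host:
            return ("lookalike_host", f"{href_host} imitates {real}")
    return None


def analyse(raw_message):
    """Return a list of (code, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in EXEC_NAMES and sender_domain != ORG_DOMAIN:
        findings.append(("exec_name_external_sender",
                         f"'{name}' matches an executive but mail comes from {sender_domain}"))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        finding = link_finding(href, text)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_EMAIL):
        print(code, "-", detail)
```

Both checks are deliberately independent of the lure's wording, which the report notes does not change between targets: a rewritten subject line would still trip the sender check, and a differently worded body would still trip the link check. Neither proves the message is malicious on its own, but together they are enough to hold it for review before a senior recipient can enter Office 365 credentials into the poll page.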
The NCSC will also be launching a Board Toolkit in the coming weeks to help encourage essential cyber security discussions between the Board and their technical experts. In the meantime, there are five questions that every board should have on their agenda with cyber literacy more important than ever.