Weekly Threat Report - 15th February 2019
Microsoft act to defend against credential stealing attacks on Office 365
Back in December 2018, we published an advisory after seeing a number of credential stealing attacks affecting Office 365.
The advisory gave details on how to protect those accounts, but Microsoft has since published new security guidance which gives more detailed advice on how to implement changes in line with the NCSC’s cloud security principles and recommended configurations.
These compromises are becoming commonplace; brute-force attacks and spear phishing are just two of the ways actors have been able to compromise Office 365 accounts.
Anyone with an Office 365 account should consider adopting the recommendations we put forward in December’s advisory, but crucially should also treat multi-factor authentication (MFA) as a priority. Users tend to re-use passwords across different services, so a password stolen or guessed elsewhere may unlock a work account; MFA adds a layer that a stolen password alone cannot bypass. The NCSC’s MFA guidance is the perfect place to start if you’re looking to make improvements to your online services.
An NCSC blog post issued this week dives into the detail on how the advisory and Microsoft’s new guidance can help protect your cloud services.
Dark web selling stolen account details following hacks
Details stolen from almost 620 million accounts following website hacks have appeared for sale on the dark web.
16 websites, including the likes of MyFitnessPal, MyHeritage and Dubsmash, suffered hacks, mostly during 2018, with the hacker claiming to have exploited security vulnerabilities in the sites’ web apps. Some of the websites, including MyHeritage and MyFitnessPal, had previously notified customers of the breach, although a number had not acknowledged a breach until the sale became public knowledge.
The stolen details include names, passwords, email addresses and other personal information; no payment or banking details have yet appeared for sale.
If bought, this kind of information can be used to break into other online accounts, because many people reuse the same password across services, but there are a number of ways you can help to defend yourself against these risks.
Haveibeenpwned.com allows you to check whether one of your accounts has been compromised in a data breach. If you find that you have been affected, changing the passwords on your key accounts is a good first step, and you should make sure each important account has its own unique password. The NCSC has also published password advice to help defend against password guessing attacks, and we recommend using two-factor authentication wherever possible to add another layer of security.
Google highlights Android vulnerability
In a security bulletin published in early February, Google released details of an Android security vulnerability that was leaving users open to a potential attack.
The bulletin states the bug “could allow a remote attacker using a specially crafted Portable Network Graphic (.PNG) file to execute arbitrary code within the context of a privileged process.”
The bug was reported by Google, which has since fixed the problem, and there have been no reports of any victims so far.
Android users will have received a patch that fixes the issue if their phone has taken a recent update carrying the February 2019 security patch level; you can confirm this under Settings, in the ‘About phone’ section, where the Android security patch level is shown.
However, as Android runs across billions of devices, many of which depend on the manufacturer or carrier to ship updates, not all will have received this update. Android users have been urged to update their devices.
Android users should also be cautious about opening or downloading PNG files and make sure the source can be trusted before clicking on or downloading a file. Note, though, that many apps render images automatically without the user opening them, so installing the update is the more important step.
Researcher claims more than 14 million Instagram accounts could be vulnerable to hackers
A security researcher has said information on more than 14 million Instagram accounts is being kept in an unsecured database.
According to CyberScoop, the database, physically located here in the UK, holds 14,526,602 entries, including users’ profile names, links to profiles and Instagram IDs.
Researcher Oliver Hough, who found the database, has suggested a third party could be scraping the social media platform and storing public data for analysis for purposes such as targeted marketing.
However, he told cyberscoop that information found in this database could be linked with unrelated databases of stolen passwords, which hackers could use to their advantage.
At the time of publication, there was no word from Instagram on this issue. The NCSC has previously published advice and guidance on protecting bulk personal data.