Weekly Threat Report - 28th September 2018
Cyber criminal behind 'Scan4you' website jailed
A latvian resident was sentences to 14 years in prison last week for his e-crime service, 'Scan4you'.
Advertised as a legitimate 'penetration testing' service, Scan4you was in fact a counter antivirus operation. The service enabled cyber criminals to test their malware against antivirus software, especially those used by the US retail sector, but also global government and financial institutions.
Operating from 2009 to 2016, Scan4you is believed to have assisted with the theft of over $15 billion. The service was reportedly used by the cyber criminals behind the Citadel malware, responsible for infecting over 11 million computers and attributed with $500 million in fraud losses.
Law enforcement worldwide are tackling the enablers of cyber crime who sell their services to aid online criminals. This sentence reflects the seriousness with which courts are tackling such offences.
The NCSC operates CHECK, a penetration testing assurance scheme. Pen testers certified through the CHECK scheme are measured against the NCSC’s highest standards, ensuring that customers receive a high quality service. More information on CHECK.
UK Government Digital Services can benefit from the NCSC WebCheck service to test a range of website security properties free of charge. Registration for the service is done here: https://www.webcheck.service.ncsc.gov.uk/.
Credential stuffing botnets
According to a new report from technology company Akamai, there were over 30 billion malicious login attempts between November 2017 and the end of June 2018, with activity spiking towards the end of this period. The UK was found to be the sixth most targeted country for this type of attack.
Botnets will use breached credentials to attempt to logon to another website. Consequently, one of the most effective ways of managing these credential stuffing botnets is the 'low and slow' method, which sees attackers attempt to camouflage their attack amongst legitimate traffic whilst limiting the number of attempts made. The more attempts made, the more valid login credentials will be identified. However, the botnets need to be carefully managed to ensure victims do not notice this activity, possibly mistaking them for a DDoS attack due to the high volumes of traffic they generate.
It is worth noting that not every attack tried to be discreet. This could be because of the (lack of) skill of the botnet operator or that it is actually designed to DDoS the victim. For example, one organisation that saw 7 million legitimate logins over six days also saw over 8½ million malicious login ateempts over the same period.
Note: Credential stuffing is the technique of using compromised credentials (i.e. usernames and passwords) to try and access other websites. This technique can be successful when people reuse the same password across a number of different websites.
The NCSC has published guidance on how to protect against a password guessing attackalongside password strategies to help an organisation stay secure. Guidance on multi-factor authentication (MFA) or two-factor authentication (2FA) is also available.
Don’t yank my chain – the cyber threat to software supply chains
The continuing threat to the software supply chain is again in the spotlight following a new report by threat intelligence company Crowdstrike.
The NCSC defines the supply chain threat as “operations or activities that are designed to threaten the confidentiality, integrity or availability of communications, data or systems: and which use any part of the supply chain as an attack vector.”
A survey of senior IT Professionals by Crowdstrike[i] has emphasised the ongoing scale of the problem: two-thirds of respondents reported that their organisation had been subject to a software supply chain attack. Given the often under-reported nature of cyber attacks, this is likely to have been an underestimate.
Awareness of the cyber threat generally by organisations, combined with continual investment and development of network defences, has meant that cyber actors will seek alternative ways of attacking organisations. The supply chain can sometimes be the weak link in cyber defence.
Another study of UK businesses by telecoms firm Beaming also highlights that attitudes to lax security procedures from suppliers can affect their ability to do further business. According to the study, a third of UK firms would stop using a supplier whose negligence caused a cyber security incident.[ii]
The findings in both these reports emphasise that supply chain attacks are not a threat that will go away, but will likely increase. They offer further evidence that good cyber security is essential not just for organisations but for their suppliers as well. Cyber security is a collective, all-round endeavour and these reports firmly underline that point.
NCSC has published a range of guidance on supply chain security which can be found here:
National Cyber Security Centre Threat Reports