Weekly Threat Report - 26th July 2019
Met Police newsdesk breached
London’s Metropolitan Police suffered a “hack” which saw their Twitter feed and press bureau post a series of bizarre messages.
Scotland Yard confirmed that a third party platform had "been subject to unauthorised access".
The Met Police Press Bureau uses an online provider called MyNewsDesk to issue news releases and other content. When a story is published via MyNewsDesk, it appears on the Met’s website and Twitter accounts and generates an email to those who’ve subscribed to news updates.
Met Police have confirmed there was no compromise of their own IT infrastructure.
Subscription-based newsdesk services are widely used across the public and private sector.
The NCSC recommends that businesses implement authentication policies to help mitigate unauthorised access, for example using multi-factor authentication, where possible, and helping users generate better passwords.
The NCSC also advises developers to build security into their products. You can read more about secure by default here.
Cyber crime group develop Reverse-Shell malware
Cyber crime organisation FIN8 have evolved their techniques used to steal consumers credit card information.
FIN8 was first identified in 2016 for their spear-phishing activity, targeting over 150 organisations with their financially-motivated attacks. Following a period of relative dormancy, the group have recently begun utilising their variant of the ShellTea attack designed to install Point of Sale (PoS) malware on hospitality companies.
Research from cyber security firm Gigamon has uncovered FIN8’s new BADHATCH reverse shell malware which infects a network via a more traditional phishing attack. Once on the system BADHATCH utilizes its file transfer functionality, allowing FIN8 to further infect networks with other attacks such as the aforementioned ShellTea virus, in order to steal consumers payment information.
The NCSC has published guidance on how best to recognise and protect against the type of phishing attacks that FIN8 have previously utilised.
National Cyber Security Centre Threat Reports