Lockbit Taken Offline By National Crime Agency

Ransomware provider LockBit has been taken offline by a joint operation involving law enforcement agencies from eleven countries.

As of the 20th February, a banner on LockBit’s website declares that the site is now under the control of the UK’s National Crime Agency, part of a coordinated operation to take down the group’s ‘command and control’ infrastructure.

Authorities from the NCA, the FBI, Europol and others from around the world swooped on a number of individuals believed to be involved with Lockbit – making arrests in Poland, Ukraine, and in the United States. Two further named individuals are believed to be Russian nationals.

The combined operation (‘Operation Cronos’) also froze more than two hundred cryptocurrency accounts, took down 34 servers and closed 14,000 rogue accounts.

operation cronos banner from lockbit's website

LockBit made headlines as one of the world’s most successful ‘Ransomware-as-a-service’ providers: offering a toolkit any would-be cyber criminal could use to launch their own cyber extortion operation, demanding more than $120m in ransoms for unlocking encrypted data.

The group behind LockBit, which first emerged on Russian forums in 2020, did not respond to Reuters following requests for comment, but published messages on an encrypted messaging app stating it has backup servers not yet ‘touched’ by law enforcement. Investigations by police in numerous countries also revealed copies of stolen data the group claimed to have deleted after negotiating ransom payments.

More than 1,700 organisations are believed to have been compromised by LockBit, many of which are now listed online – and include Royal Mail, the NHS, Boeing and ICBC, China’s largest bank, among many others.

Decryption tools have so far been released to victims of LockBit in 37 languages, as part of the ‘No More Ransom’ project, with UK authorities pledging to reach out to organisations affected by the ransomware.

 

For Cyber Security expertise and assistance, please contact our team today.


2023 Cyber Breaches Survey

The 2023 Cyber Breaches Survey has been released, highlighting key findings about the state of the UK’s cyber health.

This year’s study found that cyber security breaches and attacks remain a common threat, with 32% of businesses and 24% of charities recalling any breaches or attacks within the last 12 months – but with cyber security taking a back seat in the minds of many, falling behind economic issues like inflation.

In more positive news, a majority of businesses and charities have a broad range of measures in place, with the most common being endpoint security software (75%), cloud backups (70%), restricted admin rights (67%) and network firewalls (66%).

However general cyber hygiene may actually be getting worse. The report also highlights that the routine avoidance of relatively unsophisticated threats needs greater attention over more advanced hacking, with smaller businesses in particular losing ground in some very fundamental areas, including:

Use of password policies (79% in 2021, vs. 70% in 2023)
Use of network firewalls (78% in 2021 vs. 66% in 2023)
Restricting admin rights (75% in 2021, vs. 67% in 2023)
Security updates within 14 days (43% in 2021, vs. 31% in 2023).

A mere three-in-ten businesses have undertaken any kind of cyber security risk assessment – again showing low scores among smaller firms and driven in most cases by either changes at board level or the demands of customers – corresponding to an increase in businesses reporting checks on their own suppliers.

“Taken together, these findings highlight an increasing cyber hygiene challenge among small to medium enterprises (SMEs) in the post-pandemic era.”

Fewer than four-in-ten businesses have cyber security insurance, just 21% have an incident response plan, and only 14% of businesses are even aware of the NCSC’s important Cyber Essentials Scheme. A mere 9% successfully adhere to ISO 27001 standards.

In particular, the survey highlighted the food and hospitality sectors, entertainment and the construction sectors for reporting low take-up of cyber security measures. The UK’s largest businesses generally report higher scores across all areas, with the exception of patch management (44%) and restricting access to organisation-owned devices (31%).

Among the 11% of businesses that have suffered cyber crime in the last 12 months, the annual (mean) cost of an incident is now estimated to be approximately £15,300 per victim.

 

For Cyber Security advice and expertise, please contact our team today.


FBI Warn Against Public Charging

The FBI has cautioned smartphone users to avoid public USB ports due to the risks of malware delivered by public charging stations. The Denver FBI office, through CNBC on Twitter, stated that public charging stations in hotels, airports, and shopping centers are all susceptible to opportunistic malware attacks.

According to the FBI, malicious individuals have discovered that public USB ports can be adapted to “inject malware and monitoring software onto devices.” As a result, users should bring their own charger and USB cord while in public and use an electrical outlet for charging instead of a public USB port if possible.

Using a public USB port to transfer malware to a device, such as a computer, tablet, or smartphone, allows hackers to obtain sensitive data on the device, such as usernames and passwords, hijack email accounts, steal funds from online accounts, and much more.

While Apple’s iPhones and Macs possess a USB security feature that disables data transfer through the Lightning port when the device has been locked for over an hour, this feature does not prevent malware installation when the device is in use and connected to a public port.

To safeguard against this potential method of attack, the recommended solution is to bring your own USB cable to charge in public spaces. The FBI has issued a comparable warning on its website, cautioning individuals against using free charging stations, using public Wi-Fi for sensitive transactions, opening suspicious documents, utilizing the same password for all accounts, and clicking unsolicited links in text messages and emails.

 

For cyber security expertise and support, please contact our team today.


Home PC Hack Topples LastPass

LastPass have confirmed that a hack on a staff member’s home PC led to a massive cyber security breach on the company.

The second stage of the attack used data stolen in LastPass’s August breach, cross-referenced with other stolen information, to launch a targeted sting on one of their DevOps engineers – installing a key logger on the staff member’s home PC which resulted in the loss of yet more data.

LastPass confirmed the attacker was able to steal the user’s master password, gaining access to corporate vault resources and shared folders. In the process, encrypted notes and decryption keys needed to access LastPass production backups based in Amazon Web Services (AWS) – cloud-based storage and critical database backups were also compromised.

Since the August 2022 breach, when LastPass source code was stolen, the company has admitted the breach also saw the theft of account usernames, hashed passwords, and some Multi-Factor Authentication (MFA) settings belonging to end users.

Unfortunately LastPass also acknowledged that saved URL for each password entry was unencrypted, giving potential attackers an obvious clue to the purpose of each set of credentials.

The breach highlights the way remote working culture has introduced significant new digital risks – such as the danger of home users accessing work data, resources and applications on devices that sit ‘outside’ of company cyber security protections.

LastPass is believed to be used by over 85,000 businesses and 30 million end users.

 

For Cyber Security Expertise & Support, please contact our team today.

Managed Cyber Security


Your Official Briefing

We recently attended a special event about the danger of Russian cyber aggression against the UK: here’s the latest guidance from the UK National Cyber Security Centre.

 

Be prepared for changes to Russian strategy

A feared ‘firestorm’ of wholesale attacks on the digital infrastructure of the UK and Ukraine’s other Western allies hasn’t arrived, but the NCSC urges Russia remains extremely unpredictable.

Intelligence agencies are now concerned Russia may launch a new cyber attacks on the West this year, partly as compensation for Russian ground war failures.

Rates of cyber attacks on UK organisations remain ‘steady’, with some very serious incidents reported – and the NCSC has emphasised before how Russian cyber attacks on satellite networks and banking systems in Ukraine have spilled over into multiple countries.

We do know that behind the scenes a number of UK organisations have been carefully briefed to prepare for Russian cyber attacks over the past year – and a ‘handful’ of cyber incidents each year are serious enough to require COBRA meetings.

 

Yes, REALLY unpredictable

Russian strategic aims are often inconsistent. Boldness and risk-taking are known to be favoured in Russian high command – which itself encourages reckless cyber operations, experimental techniques and surprise attacks – but also corners-cut and operational errors.

Much like the Russian ground offensive, many of the most aggressive Russian cyber attacks – such as the widespread use of destructive Wiper malware – appear to have been ‘front-loaded’ during March/April, preparing for a quick victory which did not materialise even as Ukrainian systems have been hardened.

Far less technical attacks also appear to have crept into the mix – alongside a curious quality gap in the actual work of Russian operatives, as if threat actors are being supplemented by other personnel. Recent incidents have highlighted the names of known Russian intelligence officers visible within the code of malware, and fascinating research by Mandiant even suggests attempts by the GRU to recruit assistance from amateur hacktivist volunteers via covert pro-Russian Telegram channels.

However, the NCSC emphasises that ineptitude or failure is not a barrier to the further attacks by Russia – the individuals behind the attacks are shameless, and cyber attacks remain a convenient way to highlight weaknesses from policy makers in other countries.

Essentially ‘nothing is off-limits’ – an approach that is also exacerbated by the internal competition between Russian service branches, with the FSB, FDR, GRU and others often seeking to outdo each other.

 

Who is a target in the UK?

Past experience suggest Russian cyber operations often include a key psychological element – following infamous KGB tradition.

As a result, the Russian military likes to target ‘pressure points’ in particular: critical infrastructure, the energy sector, transport, media organisations, senior politicians and especially companies with visible public-facing operations – anything that might generate panic among the public, suggest democratic policy makers are weak, undermine the West’s resolve to support Ukraine, or provoke a widespread feeling of vulnerability.

Ukraine provides some clues as to Russian strategy, but the NCSC emphasises that espionage attacks can often involve gaining access for no specific purpose – and (for example: obtaining privileged administrator access to systems) are simply a contingency for the future.

 

Organisations that plan ahead suffer less pain

Official advice is clear: organisations that prepare even the most basic disaster-contingency plans recover more quickly and suffer much less financial pain in the event of a cyber attack.

Even very simple crisis management steps like agreeing ‘who is in charge’ in advance, confirming ‘where are the backups’, and keeping printed copies of essential preparations for an emergency, all help radically minimise the damage, disruption and time to recovery.

However, this too comes with an NCSC warning: five years of IT improvement won’t be squeezed into your crisis remediation – better to have a roadmap for improving your cybersecurity as part of your existing business plans.

 

EDR is a Must

Forensic engines included in modern Endpoint Detection & Response (EDR) software help provide rapid information about the scale of hacks during incident response – this provides essential time for first responders to mitigate further threats, limit damage, and give the NCSC information about the threat to others.

The NCSC argues that British resilience will rely not just on small organisations across the country remaining vigilant, but gathering a wider pool of information on the centre’s behalf – the grassroots feeds into the ‘bigger picture’ of national security, and defending the UK is a team effort.

Services like the Signpost Cyber Incident Service now allow smaller organisations to report cyber attacks centrally.

 

Ransomware is THE threat.

NCSC guidance, right from the top of the organisation’s CEO remains the same:

“Even with a war raging in Ukraine, the biggest global cyber threat we still face is ransomware” – Lindy Cameron, NCSC CEO, June 2022.

 

Useful Links:

  • NCSC Early Warning System – Early Warning helps organisation investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds
  • NCSC Exercise in a Box – A free online tool which helps organisation find out how resilience they are to cyber attacks & practice their response in a safe environment.
  • Incident Management – cyber incident response plan NCSC guidance to create your own cyber incident response plan
  • The UK National Cyber Strategy – setting out five key pillars in the UK’s Cyber Planning.

 

For cyber security and technical expertise, please contact our team today.


Police swoop on ‘DDoS-for-Hire’ Operations

UK & Dutch police have helped lead an international operation with Europol to take down one of the World’s biggest DDoS-for-hire services, webstresser.org.

The UK’s National Crime Agency and their Dutch Police counterparts announced the success of ‘Operation Power Off’ – which saw the seizure of infrastructure believed to be linked with criminal activity based in the UK, Netherlands and Germany, and the arrest of individuals as far afield as the UK, Spain, Canada, Croatia, Italy, Australia and Hong Kong by at least a dozen different law enforcement agencies.

On the other side of the Atlantic, the Department of Justice announced an additional six arrests by the FBI, with a further 48 domains seized as part of a criminal investigation into DDoS-for-hire operations.

webstresser

According to Europol, Webstresser is estimated to have let over 136,000 customers launch more than four million Distributed Denial of Service (DDoS) attacks on targets for as little as £11, overwhelming websites and online services with traffic and knocking them offline. Although DDoS for hire services often pose as genuine ‘stress-test’ tools, users with very little technical knowledge were able to order attacks on unrelated targets – choosing between ‘Bronze’ ‘Silver’ and ‘Platinum’ packages.

The service was thought to be responsible for cyber attacks on at least seven major UK banks in November 2021, as well as numerous other businesses and government departments around the world. The BBC reports UK police have raided an address in Bradford, in connection with last year’s attacks on UK banks in particular.

Jaap van Oss, the Dutch Chair of the Joint Cybercrime Action Taskforce (J-CAT) praised the joint cooperation by law enforcement agencies to finally take Stresser offline.


NCSC releases 2022 Cyber Security Breaches Survey

The National Cyber Security Centre (NCSC) has released its annual ‘Cyber Security Breaches Survey’.

The survey is used to inform government policy on digital security, educate British businesses, and ensure UK cyber space remains safe.

Data collected across over 2,400 business and 850 charities produced some startling statistics concerning the ever-looming threat of cyber-attacks infiltrating UK businesses’ digital footprint.

The report discovered that 39% of UK businesses detected an incoming cyber-attack during 2021. Phishing attacks made up a fifth of all threats identified – the most frequent type of malicious attack.

Organisations also revealed that ransomware was being recognised as a serious digital threat with 56% of businesses stating they have installed or will be introducing a company policy to not pay ransoms to cyber criminals.

Whilst 58% of small and medium businesses disclosed to outsourcing their IT Support service, only 23% of surveyed businesses had a cybersecurity incident management strategy in place that is more advanced than a basic endpoint antivirus.

NCSC promote a blend of regular cyber security learning and training processes within your business to better inform the deployment of traditional cybersecurity software measures across all the organisation’s IT systems.

This multi-layered approach aims to counteract the report’s discovery that a lack of cyber technical expertise amongst UK businesses is to blame for threats going undetected.

Similarly, a company-wide policy of digital hygiene erodes the false assumption that managed cybersecurity strategies are a cost to the business rather than a strategic, protective investment.

31% of business admitted being attacked at least once a week showing that any weak link in an organisation’s cyber defence can have grievous financial implications.

To mitigate this, we recommend organisations follow the NCSC’s guidance and adopt Cyber Essentials and Cyber Essentials +. The scheme requires businesses to meet or exceed an assured set of security requirements each year to protect against common forms of online crime, technology dangers and digital threats.

It is estimated that a Cyber Essentials certification can reduce your organisation’s risk of a cyberattack by 98.5% – contact Lineal to assist with your organisation’s application and to help you meet the requirements for a successful certification or re-certification today.


Lineal awarded Cyber Essentials Plus Certificate

Lineal are proud to announce that we have officially achieved Cyber Essentials Plus certification.

Our operations passed a number of essential vigorous vulnerability tests of our cyber security with flying colours. Cyber Essentials Plus is the advanced level of certification offered by the government-accredited Cyber Essentials scheme; supported by the UK National Cyber Security Centre – a public facing arm of GCHQ.

The external audit of a sample of our systems saw a 100% pass rate across all PC and devices – thanks to the hard work of our in-house Cybersecurity team who worked tirelessly to ensure our success.

Attainment of CE Plus certification showcases our dedication to protect and respond to the needs of our customers. This allows us to not only have peace of mind about the high standard of Lineal’s cyber protection, but also presents opportunities for us to more effectively assist your business in achieving the Cyber Essentials certificate.

Hackers’ methods have evolved in recent years, leading to a huge rise in phishing and malware attacks with over 86% of businesses experiencing some form of cyber attack since 2017. The need for a comprehensive cyber security standards within your organisation has never been greater.

Suitable for businesses of all sizes and sectors, Cyber Essentials certification helps to demonstrate that your organisation takes cybersecurity and its clients’ data protection seriously – ensuring trust from your customers.

Contact us today to assist with your organisation’s application and ongoing compliance. You can refocus on your core business, safe in the knowledge experienced technicians will be able to help you meet the requirements for successful certification or re-certification.


Kaseya Clients Struck by Ransomware

More than a thousand organisations using Kaseya Remote Monitoring and Management (RMM) software are estimated to have been hit by ransomware over the weekend.

The supply chain attack, which was described as “colossal and devastating” by security research company Huntress, is believed to have been carried out by the same Russia-linked ‘REvil’ ransomware gang strongly-suspected of the recent ransomware attack on meat-packing corporation JBS.

Miami-based Kaseya’s ‘VSA’ product – which is used by Managed Service Providers to provide remote IT services to the systems of organisations worldwide, including endpoint and patch management – is believed to have been breached with an update that rolled-out ransomware to many of Kaseya’s own customers.

REvil themselves claim the total number of encrypted user endpoints around the world may be as high as one million, and have demanded an unprecedented ransom of $70m in Bitcoin (around £51m at current price.)

On Friday, Kaseya advised all customers to immediately shut down any on-premises Kaseya VSA servers, to prevent hackers shutting off administrative access for future fixes – and ignore any communication from hacking groups while an FBI investigation was ongoing. 

Access to Kaseya’s cloud-based SaaS services were initially shut down as a precaution, but has since been restored, and an endpoint detection tool has been published online here.

It is now believed that the exploit for Kaseya VSA had recently been highlighted by the Dutch Institute for Vulnerability disclosure, but early patches to rectify the problem had not yet been issued. In the 48 hours following the breach, more than 2,000 VSA severs were taken offline – suggesting that many organisations did heed warnings issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC) and others – although Swedish supermarkets, New Zealand schools and many others have had systems crashed by encrypted data.

Kaseya is published regular updates to its advisory page, here.

 

For Cyberscurity expertise and support, please contact our team today.


Updated: Phishing Email Examples

It’s 2021 but somehow the phishing email scams just keep coming.

You could almost miss the days when ‘Bill Gates’ would get in touch by email to offer you a shipment of diamonds. Modern email scams are much more sophisticated, the designs more convincing, and the payloads more dangerous – than ever.

Our advice remains the same:

  • Be wary of any unsolicited email or unknown contact.
  • Always look to see if an email is being sent from the correct domain.
  • Don’t open any unexpected or mystery attachment, or click links to unrecognised destinations.
  • If unsure, verify information with someone by asking via a communication method other than email (eg: by looking up a phone number separately from the email, and calling direct.)

Here’s our pick for some of the sneakiest our team have seen ‘in the wild’:

 

The Dodgy File Share (Deluxe Edition)

As useful as a crowbar in the arsenal of the burglar, cybercriminals have been using these ever since file sharing and collaboration apps took over the world – this one appeared even more persuasive for it’s nearly spot-on branding imitating a Microsoft 365 file share link.

But the Deluxe edition takes this scam to a whole new level – with just a mistaken click giving cybercriminals an automated account access, and even replying affirmatively to emails between users asking if these are genuine. Nasty.

fake file share email

 

The TV License

TV licensing is something many people buy once a year, often never receiving physical proof, and don’t think about much – making this a clever way to steal card details without arousing too much suspicion.

These often go the extra mile – making up fake customer numbers and renewal dates – to seem real, which can also identify the email as a scam if cross-referenced in your own records.

 

The Pandemic Phish

Cybercriminals don’t let little things like ethics get in the way of a good scam – with widespread public fear, and the NHS Covid vaccine roll-out in full swing, everything is an opportunity to hack accounts, steal information, or extort money.

Please be aware the real NHS will contact you via a combination of text message and/or post, and certainly won’t threaten you with the loss of your vaccine appointment if you don’t click a suspicious link.

fake nhs email

 

Divine Intervention

OK, perhaps not a threat to everyone – but it’s easy to imagine this inheritance scam prompting a click from someone more spiritually-minded. Technology aside, a compelling story is sometimes the most persuasive scam of all.

fake inheritance email

For Cybersecurity expertise and support, please contact our team today.


FragAttacks: how they can devastate your WiFi devices

A new set of fragmentation vulnerabilities have been discovered which have the capacity to affect all WiFi enabled devices dating back to 1997.

There have been 12 identified separate vulnerabilities discovered by New York University Abu Dhabi researcher Mathy Vanhoef, named FragAttacks (fragmentation and aggression attacks) which have a dangerous data exfiltration potential to gather information about the owner of a WiFi enabled device and export it to a within-range attacker or to run malicious code to compromise the device; bypassing WEP and WPA security protocols.

Vanhoef announced that more than 75 tested Wi-Fi devices are affected by at least one of the FragAttacks vulnerabilities, but a majority of the devices are impacted by multiple CVEs. These tested devices included Huawei, Google, Samsung and Apple for mobile devices; computers from Dell, Apple and MSI; Xiaomi and Canon IoT devices; Asus, Linksys and D-Link routers; and Aruba, Lancom and Cisco access points.

Furthermore, the identified CVEs had the capacity to erroneously reassemble fragments encrypted under different keys, process fragmented as full frames and not clear fragments from memory when (re)connecting to a network. These vulnerabilities are named ‘FragAttacks’ due to the issues on how the WiFi network dissipates and then reorders data for easier transmission before reassembly at the receiving endpoint device.

Despite the existence of these unearthed vulnerabilities, WiFi Alliance released a statement saying that “There is no evidence of these vulnerabilities being used against WiFi users maliciously” and suggests protection methods to users through downloading “routine device updates that enable the detection of suspect transmissions or improve adherence to security implementations”

The video below demonstrates how the 12 discovered vulnerabilities can be used as a stepping stone to launch advanced malware attacks:


7.5 Million at risk from out-of-date ISP routers

Consumer watchdog Which? have investigated 13 legacy router models supplied by leading UK internet service providers (ISPs) including EE, Sky, TalkTalk, Virgin Media and Vodafone – a report discovered that around 7.5 million internet users are at risk from out-of-date hardware.

Out of the 13 router models investigated, 9 presented pressing security flaws that are unlikely to be in compliance with upcoming UK government legislation around tackling the security of connected devices.

The new legislation is in response to government figures showing that 49% of UK residents have purchased at least one smart device since the start of the COVID-19 Pandemic. Due to this huge increased national scope of vulnerability to potential cyber-attacks, the proposed legislation will ban easy to guess default passwords across all, enforces policies to make it easier to report software bugs that can be exploited by hackers on legacy or modern hardware.

Kate Bevan, Which?’s Computing Editor, commented that “proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.” Which? are simultaneously pushing for increased transparency from ISPs about how customers automatically or manually update their routers and how they should actively upgrade existing customers who are identified as being in the ‘at risk’ category.

Of those 7.5 million affected, 6 million users currently possess ISP hardware that has not been updated since 2018 and a few instances even as far back as 2016 – meaning that these vulnerable devices have not received security updates for defence against the latest threats posed by cybercrime.

A cluster of three main problems with ISP legacy hardware were identified by Which? ranging from weak default passwords that allow cybercriminals unlimited access to a router from anywhere, a lack of firmware updates and a local network vulnerability issue with EE Brightbox 2 giving potential hackers full control of the router to install malware or malicious spyware.

In response, Virgin Media have openly rejected Which?’s report conclusions; saying that 9 out of 10 customers are using their latest router models and are benefiting from regular router security updates. This sentiment was mirrored by BT Group (owners of EE), TalkTalk and Vodafone who announced that the HHG2500 device included in the Which? report has not been supplied since August 2019.

Devices with weak default passwords: TalkTalk HG635, TalkTalk HG523a, TalkTalk HG533, Virgin Media Super Hub 2, Vodafone HHG2500, Sky SR101 and Sky SR102.

Routers affected by lack of updates: Virgin Media Super Hub, Virgin Media Super Hub 2, Sky SR101, Sky SR102, TalkTalk HG523a, TalkTalk HG533 and TalkTalk HG635.

Routers that passed the Which? security tests: BT Home Hub 3B, BT Home Hub 4A, BT Home Hub 5B and Plusnet Hub Zero 2704N


Facebook & Linkedin breaches hit 500 million users

Facebook and LinkedIn have both suffered massive data breaches, exposing the details of more than 533 million and 500 million user accounts respectively, it has been revealed.

Extensive leaked data from Facebook was reportedly found online by security researcher Alon Gal – including the personal information of 11 million UK users such as phone numbers, locations, birth dates and many email addresses.

It’s believed that the ‘hack’ may relate to a bug in Facebook’s friend-adding ‘Contact Importer’ tool which was fixed in September 2019. Previous breaches in 2017 fell before the introduction of GDPR, which Facebook argues absolved it of responsibility to notify users.

Questions still hover over the LinkedIn breach in particular, with the company claiming much of their data appears to have been aggregated from other sources, or (like Facebook) were perhaps not technically ‘hacked’ at all – but scraped in bulk from publicly visible parts of the popular professional website.

The huge cache of Linkedin data was thought to be on sale, after security researches found a 2 million user ‘sample’ advertised online.

A Facebook spokesperson told Reuters the social media platform will not inform users if their accounts were part of the breach, and Linkedin are yet to issue a statement on this point – although given that LinkedIn has around 740 million accounts in total, a clear majority of its users are likely affected.

Users of both platforms can check if their email addresses (and now phone numbers) were likely breached via either platform over at: https://haveibeenpwned.com/ – and are advised to update passwords as a precaution.

 

For IT Support and cybersecurity expertise, please contact our team today.


32,000 Microsoft Exchange servers still at risk from Hafnium cyber breaches

Microsoft has announced that up to 92% of all stand-alone Exchange servers have been patched, following a mass data breach by Chinese state-sponsored Hafnium cybercrime group.

A mass attack on zero-day Exchange servers through four security vulnerabilities was identified and exploited by Hafnium in early March. Those with at risk servers, according to Microsoft VP Tom Burt, are recognised as 400,000 on-premise Exchange servers belonging to multiple government and corporate data centres including defence contractors, schools and other entities globally.

Consequently, the ProxyLogon security fixes released on 2nd March have mitigated this number significantly with 92% of Exchange servers now protected under the new patches. Nevertheless, Microsoft states that around 32,000 servers remained unpatched and vulnerable to Hafnium cybercrime including theft of confidential sensitive data together with installation of ransomware and ‘corrupted web shells’, such as China Chopper, allowing unrestricted external access to the unpatched Exchange servers.

These security fixes are in conjunction with Microsoft’s Exchange on-premises mitigation tool (EOMT) which installs defender scripts and dependency downloads whilst automatically running the Safety Scanner; troubleshooting any identified problems on the Exchange servers.

However, the patches do not protect servers that have already been compromised from further exploitation, therefore Microsoft has advised that organisations administrators scan their stand-alone networks for potentially installed malicious software and scripts in addition to the scans of EOMT.

The attacks themselves have raised questions over the security maintenance of in-house email servers and adds weight to the growing adoption of cloud-based internet email.


Microsoft cautions against SMS 2FA

Microsoft have announced they will direct users away from SMS 2FA (‘text-based’ two-factor authentication) for security reasons.

Instead, the company will promote multi-factor authentication methods they consider to be more secure – including biometrics and secure authentication apps such as Microsoft Authenticator – for logging into Microsoft services such as Microsoft 365 and Azure.

SMS-based two-factor authentication, where the user typically receives a passcode text message to their smartphone that acts as a secondary confirmation of who they are, has been a staple of online banking and many other secure online services needing two-factor authentication (2FA) for over a decade.

However many now believes even SMS can be intercepted, and would rather sign users onto authenticator apps or issue secure keys with encoded passcode generation.

Official Microsoft statistics state that users who enable Multi-Factor Authentication (MFA) on their accounts to verify identity block 99.9% of all automated account breaches. Using SMS-based two-factor authentication should not ‘stop’ doing so (despite the flaws of SMS, any 2FA is better than none) but users should consider swapping to other methods.

We’ve talked before about the often-predicted ‘death of passwords’ – and possible scenarios for their phasing out, but in recent years a number of big tech firms, including Apple, Google and Microsoft have all suggested their long-term plans that seek to replace passwords with biometric or other forms of login.

However this modification to Microsoft’s advice will see more of a driving force behind MFA as specifically biometric, authenticator app or secure-key based, rather than relying on mobile networks for one-time passcodes.

 

For cybersecurity expertise and support, please contact out IT team today.


New macOS ransomware warning

Cybersecurity experts are warning against a prevalent new strain of macOS ransomware for Apple devices dubbed ‘EvilQuest’ – packaged alongside pirated versions of popular apps.

Like most ransomware, EvilQuest encrypts all the Apple user’s files and demands a $50 ransom for decryption within 72 hours.

While many Mac users believe malware for Apple devices does not exist – this is simply untrue. The newest strain comes after similar infections spreading between Mac users in recent years, including KeRanger and Patcher.

EvilQuest is also a more sophisticated effort than most attempts by cybercriminals: the app is correctly code signed, with a very convincing installer, and even overpowers the Mac versions of common antivirus softwares such as Norton, Kaspersky, Avast, McAffee and Bullguard.

The trojanised software known to be used to deliver EvilQuest to unsuspecting victims are torrent download versions of popular Apple macOS apps, examples of which include Little Snitch, Ableton Live and Mixed in Key 8 – a popular DJ software.

Among the important steps Mac users should take to reduce the risk of macOS ransomware are:

  • Keep a regular, organised regime of backups, offline and air-gapped from the device itself.
  • Only download Apps from reputable sources.
  • Consider whether utilities like Malwarebytes and RansomWhere are needed as extra precautions.

 

For IT Support and cybersecurity expertise, please contact our team today.


Lineal Hosts SW Police Cybersecurity Workshop

Local businesses recently gathered at Barnstaple Library for a special cybersecurity workshop organised by the South West Police Regional Cyber Crime Unit and Lineal Software Solutions Ltd.

Thirty participants from firms across the South West took part in a series of lego-based group exercises highlighting key concepts in cybersecurity, as they sought to protect a fictional utilities company from attack by common real-world cyber crime.

The winning team defended their company by spending their budget on the correct countermeasures at each stage of the exercise, and strategically limiting the damage from any breaches in security.

The South West Regional Organised Crime Unit (SW ROCU) is one of nine regional units across England and Wales that delivers specialist capabilities to target and disrupt serious and organised crime. Designed to raise awareness of coordinated digital threats, the cybersecurity workshop session is part of a new educational initiative being run by the Police right across the region.

Group exercises were followed by a short Q&A including advice for businesses on related topics including network best-practice, password policy, physical security, and the Government’s new Cyber Essentials certification.

Lineal’s Head of Technical Services, Matt Norris, explained: “We were to delighted to be able to organise the Cyber Crime Unit to run this very special workshop for local companies: we see cyber attacks becoming ever more sophisticated, and the SWRCCU takes a really positive and constructive approach to educating business owners about how to protect their organisations and employees.”

“Many businesses struggle to grapple with cybersecurity, but help and expertise is accessible.”

 

You can learn more about the South West Police Regional Cyber Crime Unit’s and their educational work across the South West online here.

For IT support and cybersecurity expertise, please contact Lineal today.


GandCrab ransomware defeated by Bitdefender decryption

Bitdefender have released a free decryption tool rescuing those affected by recent versions of GandCrab ransomware.

The free tool enables stricken users to recover data encrypted by various versions of GandCrab without paying a ransom to cybercriminals.

In a joint announcement with Europol, Romanian Police and other law-enforcement agencies, the cybersecurity provider detailed how a team of experts were recently able to gain access to the GandCrab control server, and access decryption keys for the ransomware that would allow safe recovery of data.

Blackhat developers behind GandCrab have claimed to have exploited more than $2 billion in ransom payments worldwide, and appeared to have enjoyed mocking the cybersecurity industry’s attempts to bring them to justice.

GandCrab became the latest nasty ransomware threat in January 2018 – following a disturbing trend of businesses and organisations worldwide struck by malicious encryption software.

Bitdefender’s previous attempts to quash the ransomware resulted in new versions being released by cyber criminals, but the latest recovery of private keys resulted in GandCrab’s developers announcing their ‘retirement’ – allegedly having exploited more than $150m in personal profit over five major versions of the ransomware.

Bitdefender’s recovery tool and instructions for use is available for download from the Bitdefender Labs here. In order to use the tool successfully, affected users must have a working internet connection and at least one copy of the ‘ransom note’ file present on the affected device.

 

For cybersecurity expertise and support, contact our team today.


773 Million Email Addresses Breached Online

Online Security breach website HaveIBeenPwned.com has detected the largest online breach of email addresses to date – nearly 773 million unique emails.

The 87GB of breached personal data, publicised by Microsoft Regional Director and cybersecurity expert Troy Hunt, was spotted last week via online file-hosting website MEGA under the ominous name “Collection #1”, and has now been removed.

The data itself, believed to be a terrifying aggregation of a large number of previous smaller data breaches, also contained more than 21 million identifiable plain-text passwords.

More than 140 million of the email addresses identified have never been seen before by HaveIBeenPwned.com, suggesting some of the personal data may originate from as yet undiscovered breaches.

Those affected by the breach are advised to change their passwords immediately, to prevent criminals potentially exploiting the data to access other online services where the user has registered with identical login credentials.

You can check if your email(s) (and potentially passwords) have been breached among the 773 million by clicking here.

For IT support and cybersecurity expertise, contact Lineal about your requirements today.


Are you in the 46%? Studying 2017’s UK Govt. Cyber Security Report

DCMS has published this year’s 2017 UK Government Cyber Security Report, suggesting a staggering 46% of businesses have been hit by a cyber security breach in the past year.

The average cost of a cyber security breach is reported to be £1,570, although larger businesses (of which 68% reported falling victim) show figures of £20,000 or higher.

The polling, conducted by research institute Ipsos Mori, suggests businesses are increasingly seeking external IT or security advice as insurance against potential losses – particularly basic training for non-specialist staff and information on specific threats to their industry.

Certain positives jump out: basic technical standards laid out in the Government’s ‘Cyber Essentials’ scheme have been rolled out by half of all firms (although this was always a low bar, and the report admits that fewer than one in twenty firms have referred to public sector sources for security advice)

More encouragingly, the most common cyber breaches all involve an element of preventable human error: those reporting a breach in cyber security cited the most common cause as staff clicking links in fraudulent emails (72%) with other typical risks including viruses, spyware & ransomware (33%) and impersonation (27%.)

Specific dangers identified included:

  • Less than 40% of businesses have segregated WiFi networks, or any rules for encrypting personal data.
  • More than 70% do not have any input from someone responsible for IT security at a senior level.
  • Only 20% have run any kind of cyber security training in the last 12 months.

 

With the planned changes next year brought about by the introduction of the General Data Protection Regulations (GDPR), the potential costs associated with a data breach could be set to rise. Having measures in place to mitigate this risk well in advance is sound advice.

 

For IT Security support and advice, contact Lineal today: 01271 375999


Fake DVLA Emails: Tracing a Trojan Scam

Continuing our recent series on email phishing trickery including fake invoices and Apple ID theft, this week we discovered a new scam involving a fake communication claiming to be from the Driver & Vehicle Licensing Agency (DVLA).

You haven’t sent them your vehicle details: but never fear, enter them below and avoid a hefty ‘1000 GBP’ fine. Never mind that your garage should have organised a V5 document for you, just click the link and type in your details. This couldn’t be a scam? Right?

We set Lineal’s security trainee Lewis on the fake DVLA emails case – who found that the email links to a private (non Gov.uk) web-page with a extensive bit of PHP code running in the background. A classic Trojan, this webpage invited you to download your casefile – and likely something dangerous along with it.

trojan

Despite poor grammar, the format matched a GOV.UK page quite closely and the ‘official’ nature of the styling might easily have tricked unsuspecting motorists.

Avoiding the page itself, Lewis completed an HTTPS lookup on the domain hosting the fake web page – but found two servers running the same scam. The email itself appeared to be routed via the USA, in an effort to mask the attacker(s) identity.

Tracing both IPs seperately led back to the same address in Germany, registered under two different names which could either be part of an organisation (or more likely) both assumed identities stolen from others fallen victim to the scam.

German privacy law prevents Google StreetView from being completed across most of the country, so an aerial view of an unknown industrial building on the outskirts of Lippstadt was a close as we could get to sourcing the suspicious email itself.

Clearly a sophisticated operation, fake DVLA emails like this highlight the growing technical ability of online scammers and the need for solid IT security precautions.

 

For IT Security advice and support, contact Lineal today: 01271 375999


4 Smartphone security threats you need to avoid:

smartphone security

We increasingly live in a mobile dominated world in which Smartphone sales have skyrocketed whilst traditional PC sales have stalled. With portable devices likely to be the future of many people’s IT use – we’ve put together a few of the main smartphone security threats you need to be aware of.

 

  • Mobile Phishing & Fake Apps

Phishing websites which pretend to be your bank in order to get your personal or financial details have been around for many years, but for few people imagine that this is also a big risk on their smartphone.

Fake apps are the most obvious modern incarnation of this scam. IT security specialist ESET recently showed that a popular app like Prisma spawns multiple fakes online, downloaded unwittingly over 1.5 million times before being pulled from Google Play, with many containing harmful malware which attempt to steal personal information.

Don’t attempt to download an anticipated app before it’s official release date, as it’s likely you’ll be downloading a fake. Avoid downloading apps from unknown third-party websites, check the comments for warnings from other users, and invest in mobile antivirus to intercept downloaded threats to your smartphone security.

 

  • Old-fashioned Theft

In addition to fitting in your pocket, your phone contains a staggering amount of personal information about you which makes theft a real danger – everything including your personal details and those of friends/family, your emails, GPS coordinates of places you regularly visit and more: all stored on the device.

Home Office research suggests iPhones are the device most likely to be stolen – perhaps reflecting the Apple smartphone’s high value, quality and distinctive branding.

In addition to setting numeric pin codes on every device to prevent the danger of theft, tracking and lifesaving wiping tools like are strongly advised.

 

  • Public Wi-Fi Networks

With the proliferation of portable devices, many businesses, particularly in retail, offer public Wi-Fi hotspots to customers.

The problem with this is that you’re sharing a network with… whom? Terrifying free tools like [Redacted – obviously] and [Redacted] allow anyone on a shared public network to view insecure websites you visit, and snoop on any keystroke you type.

Not every public Wi-Fi network is a security nightmare, but it’s sensible to avoid using public Wi-Fi to do anything sensitive, such as online banking. A 4G data connection or simple telephone banking is the easiest alternative if you’re on a mobile phone, and likely to be more secure than a public Wi-Fi Network.

It should probably go without saying that you shouldn’t connect to entirely unrecognised, unsecured or unknown Wi-Fi networks either. For obvious reasons.

 

  • Being Personally Targeted

The problem with the wider shift to portable devices is that we carry our workplace into the outside world. Many of us expect complete access to our business data on our smartphone (as we would on our PC) wherever we are.

But carrying your work phone outside work means you’re also outside the protection of in-house IT security software and firewalls.

A simple phishing email can easily be targeted to you outside working hours when you’re ‘off-guard’, and the potential loss of confidential company data could be devastating.

Of course, many of the best IT security software providers now offer Android & iOS smartphone versions of their antivirus software – so why not extend your business’ IT security to your smartphone?

 

For IT support and security guidance – contact Lineal today.


Fake Invoices – Don’t enable document malware!

fake invoices

This week’s IT security alert from Lineal – fake invoices which ask users to run a dangerous piece of code.

The example above comes from a fake Word document emailed with a typical text line, such as ‘Please check this invoice’ or ‘Double check my numbers for me’, to an unsuspecting user.

Upon opening, the document appears to load a popup from Office 2016 prompting the user to ‘Enable Content’ for compatibility purposes, before they can view the detail of the ‘invoice.’

In fact, the display is just an image within the word file, and the ‘Enable Content’ content button instead runs a piece of Visual Basic code downloading unknown malware from the internet.

The scam relies on users’ curiosity at the unusual $1999.00 charge, and upon reaching a user still running an outdated version of Microsoft Office.

 

Several measures can be taken to prevent this kind of attack:

  • Don’t click any popup that doesn’t visibly pop ‘open’ in Microsoft and don’t ‘Enable Content’ you can’t see in a document.
  • Consider an email filtering service like Barracuda – in the above example, Barracuda had recognised this email as malicious and stripped the code from the document before placing it in the correct email inbox for the intended recipient.

 

For IT Security advice and guidance – speak to Lineal today.


Zepto Cryptolocker Alert: Lineal intercepts dangerous zero-day threat with ESET Antivirus

Zepto

Yesterday Lineal’s team successfully rescued a client from a new ‘zero-day’ Cryptolocker Virus which nearly destroyed many of their files.

The dangerous variation of the ‘Zepto’ cryptolocker, only identified online during the last 24 hours, is believed to be a brand new threat originally derived from ‘Locky’ ransomware.

An employee at one of Lineal’s IT support clients recently opened an email containing an infected file – a malicious piece of obfuscated code written in Visual Basic scripting language. The installed Zepto cryptolocker began encrypting the company’s files, readying to demand a heavy ransom.

In a coordinated attack, an outside user also forced access to our client’s server, instructing it to begin sending fake Barclays ‘phishing’ emails, attempting to criminally capture banking details.

Our team caught both threats early, forcefully locking out the intruder in mid-session, identifying the employee who introduced the threat, and quarantining the infection with ESET’s business endpoint security. 

Lineal then notified ESET about Zepto to help with future identification, having avoided the need to restore all the clients files from backup at great disruption.

The landscape of online security threats is rapidly changing, and Cryptolocker variants have spread quickly in recent months.

In this case Lineal’s rapidly responding team and professional security software helped our client dodge the huge potential losses from the security breach – and highlighted how vital it is that organisations of all sizes take proactive steps to protect their IT from hostile intrusion.

 

For IT security advice and support, contact Lineal today.


Bloxx announces discontinuation of products

bloxx

Bloxx to become part of Akamai Technologies

Web filtering provider Bloxx have announced that they will be ceasing support for their products and services, following a shock email from the company’s Chief Executive.

The move comes as part of a cash deal takeover bid by cloud services firm Akamai Technologies, announced on 2nd November 2015, and will see an end to the sale of all Bloxx products.

Bloxx has a good reputation in the UK and beyond for delivering a strong feature set in their appliances that are used to filter online content delivered in sensitive environments. Their products are commonly implemented by educators, healthcare providers, local authorities and businesses.

Although existing contracts will be honoured, those who have invested in physical Bloxx hardware may well find the lifespans are now limited, with little indication of whether Akamai will offer suitable replacements.

Bloxx’s impressive record has drawn the attention of national media before, with the Edinburgh based-company receiving hate mail from teenagers unable to access restricted websites on school computers even with a range of proxies.

With online security stories dominating the news in recent weeks, wider awareness of the need for web, social media and email monitoring is likely to only increase demand for such products. It remains to be seen whether interested parties will consider a cloud-based offering from Akamai to be sufficient, especially when it comes to security and bandwidth management.

Need help with online content filtering and network security for your organisation? Speak to Lineal today: call 01271 375999 or email [email protected]


Cyber Crime hits the headlines

16844922351_ec30a1b111_z

Cyber crime is finally set to become the UK’s most common crime type, following inclusion in the latest crime figures from the Office for National Statistics (ONS).

This re-classification comes only days after news headlines emerged that an Eastern European crime group successfully used ‘Dridex’ malware to steal over £20m from UK bank accounts via thousands of infected PCs in the UK.

Cyber criminals are increasingly mounting more organised attacks on businesses, small and large – last year even U.S banking giant J.P Morgan suffered unfortunate press and a sudden plunge in its share price when digital thieves stole the personal information and contact details of more than 76 million customers.

The 2015 National Strategic Assessment from the National Crime Agency estimates that losses due to cyber crime in the UK now amount to a staggering £16 billion annually. The NCA also asserted that the theft of large amounts of private companies’ data still faces ‘considerable under reporting.’

Nowhere is this more threatening than for those in the financial services industry, where both reputations for reliability and access to funds make IT security of paramount importance, requiring compliance with the strictest procedures for identity validation, network safety and fraud detection.

All businesses need to be prepared for the future, where cyber crime is likely to become more sophisticated and UK companies may be expected to demonstrate greater data protection measures. This week Microsoft promoted it’s Financial Services Compliance program in connection with Office 365 – making assurances (aimed squarely at businesses in the financial sector) of direct access to staff and resources to ensure that Microsoft Office cloud services comply with financial security regulations.

Greater awareness of cyber crime amongst Government figures, the media and the public can only be a good thing, but ultimately it still remains very much up to the individual to ensure their IT systems are secure – before the worst happens.

 

More than 70% of businesses fail after significant data loss. Lineal can install a range of security measures to safeguard your business IT systems and data – enquire today via: http://www.lineal.co.uk/contact/

 

More from Lineal News

Flickr: GotCredit