Cyber Lessons from the British Library

The British Library has published its lessons learned from the devastating cyber attack that struck in October 2023.

In an eighteen-page report which shows an impressive commitment to transparency, but makes for painful reading, the organisation details how it was compromised by the Rhysida ransomware group during a traumatic timeline of events. In a subsequent press release, the Library also states it hopes other institutions will learn from its findings in the wake of a ‘deeply damaging criminal attack.’

Unfortunately, the report makes clear that in response to tighter security standards, the organisation ceased to be Cyber Essentials Plus certified in 2022, pending replacement of some older systems. In section six, sixteen ‘lessons learned’ form the basis of its future plans and guidance to other organisations:

  • Enhance network monitoring capabilities
  • Retain on-call external security expertise
  • Fully implement multi-factor authentication: Multi-factor authentication needs to be in place on all internet-facing endpoints, regardless of any technical difficulties in doing so.
  • Enhance intrusion response processes
  • Implement network segmentation
  • Practice comprehensive business continuity plans
  • Maintain a holistic overview of cyber-risk
  • Manage systems lifecycles to eliminate legacy technology
  • Prioritise remediation of issues arising from legacy technology
  • Prioritise recovery alongside security
  • Cyber-risk awareness and expertise at senior level
  • Regularly train all staff in evolving risks
  • Proactively manage staff and user wellbeing
  • Review acceptable personal use of IT
  • Collaborate with sector peers
  • Implement Government standards, review and audit policies and processes regularly

The exact origin of the hack – which took Library systems offline for months – is unconfirmed, in part due to the scale of the destruction. However the Library’s independent security investigators believe the original breach was caused by either a spear-phishing, brute force or other credential compromise. This allowed hackers access to a remote session on a terminal server that was not yet subject to Multi-Factor Authentication for a user to login.

From there, around 600GB of data (or half a million documents) were exfiltrated, with searches for sensitively-named content such as ‘passport’ and ‘confidential’. Backup copies of twenty-two databases were also made, and removed from the network. Ransomware was also deployed, and the encrypted data used for attempted extortion.

At several points Rhysida are believed to have made their own actions difficult to track – deleting log files and destroying servers to prevent a swift recovery. In a classic ‘double-extortion’ the group also leaked employee and customer data for auction on the dark web in November, with a starting value of 20 Btc (then approximately £600,000). The British Library insists that in line with guidance given by the National Cyber Security Centre, no attempt was made to communicate with the attackers, nor any ransom paid.

The Rhysida ransomware group are also reported to, or have claimed responsibility for, hacks carried out in Chile, Portugal, Kuwait and the United States in the latter half of 2023. Cyber security professionals believe the hackers are Russian-speaking, although evidence is limited.

Lengthy and costly, the cleanup effort has clearly been difficult. The report details that the Library convened Gold and Silver level crisis-management committees, with both private sector and UK state cyber security assistance – although senior staff at the BL were at one point forced to communicate via an emergency WhatsApp call in the absence of official systems. The Library’s main catalogue, containing more than 36-million records, only returned online in ‘read-only’ format in January, and the report states ‘Many staff have been unable to perform significant parts of their roles’ (for more than 3 months.)

The Financial Times have speculated that the recovery costs may eventually total over £7m, which would represent around 40% of the institution’s known financial reserves, although the Library’s Chief Executive, Sir Roly Keating, told the BBC it was too early to calculate the true value.

 

For cyber security expertise and assistance, please contact our team today.


Lockbit Taken Offline By National Crime Agency

Ransomware provider LockBit has been taken offline by a joint operation involving law enforcement agencies from eleven countries.

As of the 20th February, a banner on LockBit’s website declares that the site is now under the control of the UK’s National Crime Agency, part of a coordinated operation to take down the group’s ‘command and control’ infrastructure.

Authorities from the NCA, the FBI, Europol and others from around the world swooped on a number of individuals believed to be involved with Lockbit – making arrests in Poland, Ukraine, and in the United States. Two further named individuals are believed to be Russian nationals.

The combined operation (‘Operation Cronos’) also froze more than two hundred cryptocurrency accounts, took down 34 servers and closed 14,000 rogue accounts.

operation cronos banner from lockbit's website

LockBit made headlines as one of the world’s most successful ‘Ransomware-as-a-service’ providers: offering a toolkit any would-be cyber criminal could use to launch their own cyber extortion operation, demanding more than $120m in ransoms for unlocking encrypted data.

The group behind LockBit, which first emerged on Russian forums in 2020, did not respond to Reuters following requests for comment, but published messages on an encrypted messaging app stating it has backup servers not yet ‘touched’ by law enforcement. Investigations by police in numerous countries also revealed copies of stolen data the group claimed to have deleted after negotiating ransom payments.

More than 1,700 organisations are believed to have been compromised by LockBit, many of which are now listed online – and include Royal Mail, the NHS, Boeing and ICBC, China’s largest bank, among many others.

Decryption tools have so far been released to victims of LockBit in 37 languages, as part of the ‘No More Ransom’ project, with UK authorities pledging to reach out to organisations affected by the ransomware.

 

For Cyber Security expertise and assistance, please contact our team today.


Lineal Launches Trust Centre

We’ve launched a new online Trust Centre aimed at demonstrating Lineal’s commitment to Cyber Security and data privacy.

We take our role as your trusted IT provider extremely seriously, and we hope the trust centre will show what we’re doing to maintain the highest of industry standards.

Available online to anyone at any time, our trust centre acts as a transparent dashboard showing our current compliance standards, risk profile and cyber security best practices. In addition to reviewing our key policies, we’ve detailed what we do to keep staff, data and systems safe – across numerous areas including endpoint protection, network security, backup, infrastructure, app and information control.

Our intention is that the trust centre gives our customers confidence in our dedication to good cyber hygiene, and acts as a useful reference resource when our clients are dealing with 3rd-party supply-chain assurances, industry frameworks and insurance providers.

Furthermore, we hope that a detailed overview of the cyber security strategy employed by Lineal acts as a model for others, and a useful template for the kind of organisational transition our own team can help your organisation pursue successfully.

Those measures are backed by important standards: Lineal is an ISO 9001 & 27001 accredited organisation, Cyber Essentials and Cyber Essentials Plus Certified – with reviews of our status undertaken by Cybersmart, Microsoft, Alcumus and Huntress.

 

For Cyber Security expertise and support, please contact our team today.


Google & Yahoo Tighten Email Rules: What to Expect

Major email providers including Google, Yahoo and AOL are set to tighten rules on incoming email – making accounts more secure against SPAM and demanding more of bulk senders who want to see their emails delivered.

Google and Yahoo alone represent more than two billion email accounts, many of them belonging to individual consumers for personal use. Estimates suggest around 70% of these have no protection against domain spoofing.

Until recently, even many basic security protocols such as SPF (checking whether email header and ‘sent from’ address match) were not enforced on major email platforms such as gmail – allowing fraudulent emails to unsuspecting users. This made phishing emails easier to circulate, harder to detect, and has been recognised as one of the biggest enablers for cyber security attacks.

DKIM – a protocol that signs both the real domain and email with a cryptographic signature that email clients can cross-reference for authenticity – is also often absent, with email providers increasingly looking to demand better standards from email senders.

From February 2024, bulk email senders must adhere to the following requirements outlined by Google and Yahoo:

 

New Sender Rules

SPF & DKIM Enforced – Business and organisations that need their emails to be delivered safely will have to add SPF & DKIM settings to their domains and mail servers that verify whether emails purporting to be from them are genuine, and have not been tampered with. Without checks in place, Gmail and Yahoo may reject those emails altogether.

Easy Unsubscription – bulk emails must offer ‘one-click’ unsubscribe options for recipients, making it easy for email recipients to opt-out of repeated unwanted messages, and keep clutter under control.

DMARC, the most challenging of the requirements, will be enforced for bulk email senders sending more than 5,000 emails per day, aimed at preventing rapid phishing scams and other mass attempts at fraudulent communications.

 

For those communicating with the public, the changes are likely to prove crucial, and IT managers need to prepare carefully to ensure their emails continue to be trusted.

 

For Cyber Security assistance and expertise, please contact our team today.


Ransomware Case File 2023

Each year new cyber threats appear to circulate online, and 2023 has certainly been no exception. For cyber criminals, it’s business as usual… right?

Not quite. Over time certain new patterns emerge that are important for cyber security researchers to identify, and these can help protect businesses and organisations in the future. So what can we learn from this year’s crop of nasty ransomware strains?

 

Akira

akira ransomware

First spotted around April 2023, Akira ransomware appears to be one of the better-organised criminal efforts to extract payments from victims.

Suitable for multiple operating systems and sporting a green-and-black ransom note aesthetic Sophos describes as ‘Retro’, Akira is a professional effort that should give pause for thought.

Disabling many security settings to give itself more lateral movement on systems, the infection also tries to destroy backups to hinder the user, and has a ransom note written in (relatively) good quality English with a host of supporting infrastructure to help the hacker leverage a bigger payout.

The threat actor(s) behind Akira were known to exploit an existing VPN vulnerability to spread the ransomware, but had used stolen credentials purchased online from third-party data breaches to get started – in what has become a common pattern of low level breaches by third-parties supplying the more serious cyber crime via online black markets.

 

MedusaLocker

medusalocker ransomware

Originating back in 2019, this nasty ransomware has been through a string of variants with the most recent strain popping up in September 2023 to hit a major European health organisation.

MedusaLocker is an example of ‘Ransomware-as-a-Service’ – anybody can purchase and launch their own version, with a typical ransom being around $12,000. Like legal software companies, the developers behind Medusa even offer their customers a Support Helpdesk!

More recent variants have moved over to ‘double-extortion’ style attacks, where the hacker not only compromises the data, but threatens to leak a copy online, which is more likely to compel healthcare and public-sector organisations holding very private information on behalf of the public to pay the ransom demand.

 

Black Hunt

blackhunt ransomware

Targeting Windows environments, this ransomware looks relatively traditional, but may show the shape of things to come.

It can be spread both by email and via drive-by downloads on malicious websites that purport to give away free software or content, and for a special trick, immediately tries to terminate other processes on the user’s machine to speed up how quickly it can corrupt data – getting ahead of efforts to slow it down.

Curiously the ransomware searches for a specific text file called ‘Vaccine.txt’, which is likely a safety mechanism used by the original developers to protect their own systems against the dangerous infection.

The Group behind Black Hunt also use a tactic becoming increasingly popular among cyber criminals – publicly naming their victims in a perverse online ‘Hall of Fame’ – as a warning to others.

 

Our Verdict:

Keeping your data, staff and systems safe from ever-evolving ransomware infections means instilling good cyber-hygiene among your organisation, backed by a cyber security strategy that covers a range of areas including; endpoint protection, identify security, perimeter defence and user awareness training among others. Learn more here. 

 

For Cyber Security Expertise and Support, please contact our team today.


The Secure Email Standard

The NHS have updated their ‘secure email standard’ which other organisations are expected to follow.

First published in 2016, the minimum standards for email security are designed to protect NHS staff and systems against supply-chain attacks caused by weaknesses in the cyber security of third-parties.

The standard anticipates that one of the biggest risks to the NHS originates with the rest of us: outside organisations, who need to be trusted not to put the health service in danger via email compromise.

There are two ways to meet the NHS secure email standard:

1. Implement an existing compliant service such as NHSmail, Microsoft 365 or Google Workspace [and follow configuration guidelines for that service.]

2. Demonstrate your own [email] service is compliant with the secure email standard by following the NHS secure email accreditation process.

For those using the biggest platforms – NHSmail, Microsoft 365 or Google Workspace, the to-do list of requirements are simpler and include such steps as ensuring there is a process for notifying the NHS if you have been breached, policies and procedures for using mobile devices, risk assessment, documented policies and universal use within the organisation.

There are also a set of specific configuration settings which the NHS has documented for Microsoft 365 and Google Workspace, which you can learn more about here.

For organisations operating their own mail servers or other email systems, the requirements are more extensive, and require the organisation to manually achieve DCB1596 certification with documented evidence that their setup meets the NHS Secure Email Standard. This applies to organisations hosting their own Exchange, hybrid configurations, and other lesser-known business email platforms.

 

For cyber security assistance and support, please contact our team today.


Zoom to use your calls to train AI

Zoom has introduced revisions to its Terms of Service that have sparked significant controversy over user privacy.

It appears that Zoom may begin using calls between millions of users around the world to train AI products. The updated terms contain two standout sections, 10.2 and 10.4, which hold considerable implications for the extent to which Zoom can leverage user data. These segments specify Zoom’s entitlements to gather and utilise “Service Generated Data,” encompassing telemetry data, product usage information, diagnostic data, and analogous content collected in conjunction with users’ use of Zoom’s services or software.

Explicitly specified in Zoom’s revised policy is its exclusive ownership over Service Generated Data. This dominion extends to the company’s prerogatives to alter, disseminate, process, exchange, retain, and warehouse said data “for any purpose, within the limits and parameters stipulated by applicable law.”

“…You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content, including AI and ML training and testing.”

Of particular concern is the overt declaration of the company’s right to employ this data for the training and enhancement of machine learning and artificial intelligence systems, with the inclusion of algorithm and model refinement. This particular clause raises the question of a lack of opt-out alternatives, something that is bound to fuel intense debate about user-generated consent and individual privacy.

Zoom justifies these measures as indispensable for delivering services to patrons, supporting the services, and enhancing its range of offerings including software and other products. Nevertheless, the implications inherent in these clauses are all-encompassing, particularly as they seemingly permit Zoom to harness customer data for any purpose associated with the activities or processes detailed in section 10.3.

Remarkably, Zoom has not issued any comments regarding these amendments yet. While Zoom’s motivations may center on elevating their platform and providing an improved experience, the extent and profundity of these adjustments are likely to cause disquiet among numerous users, particularly security and privacy advocates, thereby prompting inquiries into how their data is being leveraged.

 

For more software expertise and support, please contact our team today


2023 Cyber Breaches Survey

The 2023 Cyber Breaches Survey has been released, highlighting key findings about the state of the UK’s cyber health.

This year’s study found that cyber security breaches and attacks remain a common threat, with 32% of businesses and 24% of charities recalling any breaches or attacks within the last 12 months – but with cyber security taking a back seat in the minds of many, falling behind economic issues like inflation.

In more positive news, a majority of businesses and charities have a broad range of measures in place, with the most common being endpoint security software (75%), cloud backups (70%), restricted admin rights (67%) and network firewalls (66%).

However general cyber hygiene may actually be getting worse. The report also highlights that the routine avoidance of relatively unsophisticated threats needs greater attention over more advanced hacking, with smaller businesses in particular losing ground in some very fundamental areas, including:

Use of password policies (79% in 2021, vs. 70% in 2023)
Use of network firewalls (78% in 2021 vs. 66% in 2023)
Restricting admin rights (75% in 2021, vs. 67% in 2023)
Security updates within 14 days (43% in 2021, vs. 31% in 2023).

A mere three-in-ten businesses have undertaken any kind of cyber security risk assessment – again showing low scores among smaller firms and driven in most cases by either changes at board level or the demands of customers – corresponding to an increase in businesses reporting checks on their own suppliers.

“Taken together, these findings highlight an increasing cyber hygiene challenge among small to medium enterprises (SMEs) in the post-pandemic era.”

Fewer than four-in-ten businesses have cyber security insurance, just 21% have an incident response plan, and only 14% of businesses are even aware of the NCSC’s important Cyber Essentials Scheme. A mere 9% successfully adhere to ISO 27001 standards.

In particular, the survey highlighted the food and hospitality sectors, entertainment and the construction sectors for reporting low take-up of cyber security measures. The UK’s largest businesses generally report higher scores across all areas, with the exception of patch management (44%) and restricting access to organisation-owned devices (31%).

Among the 11% of businesses that have suffered cyber crime in the last 12 months, the annual (mean) cost of an incident is now estimated to be approximately £15,300 per victim.

 

For Cyber Security advice and expertise, please contact our team today.


End of an Era for Windows Server 2012

Windows Server 2012 and Server 2012 R2 will be declared end of life (EOL) as of 10th October 2023, after which the operating system will receive no new security updates.

This leaves organisations using Server 2012 with several options:

– Re-license and migrate to a newer operating system if hardware supports it.
– Migrate those server workloads into a cloud platform like Microsoft Azure.
– Replace those server workloads with web-based applications.
– Purchase new server hardware with a supported operating system.
– Purchase specialist Extended Security Updates (ESUs) until 2026.

Which option to choose depends on where a business is their replacement/hardware lifecycle, budgets and changing workplace requirements. For some, a move to a newer version of Windows Server (2016, 2019 or 2022) is still possible, but this isn’t the only option. Don’t forget to check out Lineal’s handy flow chart on what to do when faced with the choice of replacing a server.

How and when to replace servers is a complex question, and businesses increasingly have far more cloud-based and software-as-a-service (SaS) choices available than a decade ago. Bundled services like Microsoft 365 have increasingly replaced the on-premises Exchange server, the file server and more for many small organisations – making the heavy capital investment for a server impractical. In the face of increasing hardware and energy costs, running on onsite server also looks increasingly expensive.

In some ways the end of Server 2012 represents the end of an era – in 2012, server sales were just beginning to recover from the financial crash. A decade on, both PC and small volume server sales look bumpy, while the largest server manufacturers appear to be focusing ever more sales attention on the data centre market – where there is growing appetite for enterprise hardware driven partly by the hosting and increasing consumption of those same cloud services.

For many small businesses in particular, a Server 2012 box may have turned out to be the last on-premises server they would ever purchase.

 

For Technical support and expertise, please contact our team today.


FBI Warn Against Public Charging

The FBI has cautioned smartphone users to avoid public USB ports due to the risks of malware delivered by public charging stations. The Denver FBI office, through CNBC on Twitter, stated that public charging stations in hotels, airports, and shopping centers are all susceptible to opportunistic malware attacks.

According to the FBI, malicious individuals have discovered that public USB ports can be adapted to “inject malware and monitoring software onto devices.” As a result, users should bring their own charger and USB cord while in public and use an electrical outlet for charging instead of a public USB port if possible.

Using a public USB port to transfer malware to a device, such as a computer, tablet, or smartphone, allows hackers to obtain sensitive data on the device, such as usernames and passwords, hijack email accounts, steal funds from online accounts, and much more.

While Apple’s iPhones and Macs possess a USB security feature that disables data transfer through the Lightning port when the device has been locked for over an hour, this feature does not prevent malware installation when the device is in use and connected to a public port.

To safeguard against this potential method of attack, the recommended solution is to bring your own USB cable to charge in public spaces. The FBI has issued a comparable warning on its website, cautioning individuals against using free charging stations, using public Wi-Fi for sensitive transactions, opening suspicious documents, utilizing the same password for all accounts, and clicking unsolicited links in text messages and emails.

 

For cyber security expertise and support, please contact our team today.


3CX Hit by SmoothOperator

3CX, one of the world’s best known telephony applications, has been rocked by a devastating supply-chain attack that is infecting end-users.

The breach, designated ‘SmoothOperator’ is believed to affect both the 3CX Desktop app and PMA, 3CX’s recommended replacement. Once the trojanised payload is delivered to the 3CX end-user, it interacts with popular web browsers such as Chrome, Edge, Firefox and Brave – likely in an attempt to steal user data, including browser history, down the line.

In a video released earlier today – SentinelOne demonstrated the forensic detection of SmoothOperator which has risen dramatically in recent days. A sample of how the powerful endpoint security software blocks the threat can be seen in the video below.

Security analysts are rumoured to have discovered links to Labyrinth Collima, a North Korean Lazarus Group offshoot from Bureau 121 of the DPRK’s ‘Reconnaissance General Bureau.’ 3CX is believed to be in use by more than 12 million daily users around the world, among more than 600,000 organisations.

Managed detection and response specialists Huntress have published a wide-ranging report on the breach with a difficult verdict for organisations using 3CX:

“We anticipate that 3CX will not complete a root cause analysis of this incident for some time, and users should look for alternative telephony mechanisms for the foreseeable future.”

 

Remediation: organisations using 3CX are advised to…

1. Enforce mandatory password resets for all users.
2. Reset passwords for any web-based accounts which might have suffered credential harvesting via the user’s browser, and have multi-factor authentication (MFA) enabled for those accounts.
3. Invalidate any persistence tokens used for Microsoft 365, Google Workspace and other accounts that might allow automatic login without MFA.
4. Enable high security risk conditional access if using Microsoft Azure.

 

For Cyber Security expertise and assistance, please contact our team today.


Dangerous New Outlook Exploit Triggers Automatically

Microsoft have acknowledged a critical new zero-day vulnerability with Outlook, that does not require any user interaction with an email to be triggered.

Reported by the Ukrainian Computer Emergency Response Team (CERT) to Microsoft and graded 9.8/10 on the severity scale according the NIST, the exploit is believed to have already been used by a “Russia-based threat actor” in attacks against European targets across government, transport, energy and military sectors.

The exploit (CVE-2023-23397) abuses the way Microsoft Outlook attempts to follow links in emails to retrieve remote content, even before they’re opened or viewed in the preview pane – allowing a remote attacker’s server to request authentication via an old technology known as NTLM, and automatically receive poorly encrypted username and password details from Outlook. NTLM was officially retired by Microsoft after Exchange 2003, but the technology remains available in current versions.

This is dangerous because with a username, password and corresponding email address, hackers have effectively completed a credential theft without any interaction from the end user. Many users use their email account as a single-sign on for other applications, putting numerous other services at risk.

CVE-2023-23397 is not yet fully documented however Microsoft believe the vulnerability occurs “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor controlled server. No interaction is required.” Once a connection is made, the server sends the user a new technology LAN manager (NTLM) negotiation message which is relayed for authentication – none of which requires the user to even view the email itself.

The exploit affects only the Microsoft Windows version of the Outlook Desktop client. Outlook for Mac, the Outlook Web & Mobile Apps (as well as Outlook.com) are not affected – since these do not support NTLM authentication. Estimates vary but Outlook is said to be used by over 400 million users worldwide, in its various forms.

System administrators are advised to urgently patch with the latest Outlook updates from Microsoft within 24 hours.

Where this is not possible, system administrators are advised to add users to the Protected Users Security Group (blocking NTLM), or Block TCP 445/SMB outbound from network firewalls or via VPN settings, cutting off any NTLM authentication messages at the perimeter of your network. In both cases, Microsoft warn this may affect other services from working correctly.

 

For Cyber Security expertise and support, please contact Lineal’s Cyber Security Team today.


Home PC Hack Topples LastPass

LastPass have confirmed that a hack on a staff member’s home PC led to a massive cyber security breach on the company.

The second stage of the attack used data stolen in LastPass’s August breach, cross-referenced with other stolen information, to launch a targeted sting on one of their DevOps engineers – installing a key logger on the staff member’s home PC which resulted in the loss of yet more data.

LastPass confirmed the attacker was able to steal the user’s master password, gaining access to corporate vault resources and shared folders. In the process, encrypted notes and decryption keys needed to access LastPass production backups based in Amazon Web Services (AWS) – cloud-based storage and critical database backups were also compromised.

Since the August 2022 breach, when LastPass source code was stolen, the company has admitted the breach also saw the theft of account usernames, hashed passwords, and some Multi-Factor Authentication (MFA) settings belonging to end users.

Unfortunately LastPass also acknowledged that saved URL for each password entry was unencrypted, giving potential attackers an obvious clue to the purpose of each set of credentials.

The breach highlights the way remote working culture has introduced significant new digital risks – such as the danger of home users accessing work data, resources and applications on devices that sit ‘outside’ of company cyber security protections.

LastPass is believed to be used by over 85,000 businesses and 30 million end users.

 

For Cyber Security Expertise & Support, please contact our team today.

Managed Cyber Security


Your Official Briefing

We recently attended a special event about the danger of Russian cyber aggression against the UK: here’s the latest guidance from the UK National Cyber Security Centre.

 

Be prepared for changes to Russian strategy

A feared ‘firestorm’ of wholesale attacks on the digital infrastructure of the UK and Ukraine’s other Western allies hasn’t arrived, but the NCSC urges Russia remains extremely unpredictable.

Intelligence agencies are now concerned Russia may launch a new cyber attacks on the West this year, partly as compensation for Russian ground war failures.

Rates of cyber attacks on UK organisations remain ‘steady’, with some very serious incidents reported – and the NCSC has emphasised before how Russian cyber attacks on satellite networks and banking systems in Ukraine have spilled over into multiple countries.

We do know that behind the scenes a number of UK organisations have been carefully briefed to prepare for Russian cyber attacks over the past year – and a ‘handful’ of cyber incidents each year are serious enough to require COBRA meetings.

 

Yes, REALLY unpredictable

Russian strategic aims are often inconsistent. Boldness and risk-taking are known to be favoured in Russian high command – which itself encourages reckless cyber operations, experimental techniques and surprise attacks – but also corners-cut and operational errors.

Much like the Russian ground offensive, many of the most aggressive Russian cyber attacks – such as the widespread use of destructive Wiper malware – appear to have been ‘front-loaded’ during March/April, preparing for a quick victory which did not materialise even as Ukrainian systems have been hardened.

Far less technical attacks also appear to have crept into the mix – alongside a curious quality gap in the actual work of Russian operatives, as if threat actors are being supplemented by other personnel. Recent incidents have highlighted the names of known Russian intelligence officers visible within the code of malware, and fascinating research by Mandiant even suggests attempts by the GRU to recruit assistance from amateur hacktivist volunteers via covert pro-Russian Telegram channels.

However, the NCSC emphasises that ineptitude or failure is not a barrier to the further attacks by Russia – the individuals behind the attacks are shameless, and cyber attacks remain a convenient way to highlight weaknesses from policy makers in other countries.

Essentially ‘nothing is off-limits’ – an approach that is also exacerbated by the internal competition between Russian service branches, with the FSB, FDR, GRU and others often seeking to outdo each other.

 

Who is a target in the UK?

Past experience suggest Russian cyber operations often include a key psychological element – following infamous KGB tradition.

As a result, the Russian military likes to target ‘pressure points’ in particular: critical infrastructure, the energy sector, transport, media organisations, senior politicians and especially companies with visible public-facing operations – anything that might generate panic among the public, suggest democratic policy makers are weak, undermine the West’s resolve to support Ukraine, or provoke a widespread feeling of vulnerability.

Ukraine provides some clues as to Russian strategy, but the NCSC emphasises that espionage attacks can often involve gaining access for no specific purpose – and (for example: obtaining privileged administrator access to systems) are simply a contingency for the future.

 

Organisations that plan ahead suffer less pain

Official advice is clear: organisations that prepare even the most basic disaster-contingency plans recover more quickly and suffer much less financial pain in the event of a cyber attack.

Even very simple crisis management steps like agreeing ‘who is in charge’ in advance, confirming ‘where are the backups’, and keeping printed copies of essential preparations for an emergency, all help radically minimise the damage, disruption and time to recovery.

However, this too comes with an NCSC warning: five years of IT improvement won’t be squeezed into your crisis remediation – better to have a roadmap for improving your cybersecurity as part of your existing business plans.

 

EDR is a Must

Forensic engines included in modern Endpoint Detection & Response (EDR) software help provide rapid information about the scale of hacks during incident response – this provides essential time for first responders to mitigate further threats, limit damage, and give the NCSC information about the threat to others.

The NCSC argues that British resilience will rely not just on small organisations across the country remaining vigilant, but gathering a wider pool of information on the centre’s behalf – the grassroots feeds into the ‘bigger picture’ of national security, and defending the UK is a team effort.

Services like the Signpost Cyber Incident Service now allow smaller organisations to report cyber attacks centrally.

 

Ransomware is THE threat.

NCSC guidance, right from the top of the organisation’s CEO remains the same:

“Even with a war raging in Ukraine, the biggest global cyber threat we still face is ransomware” – Lindy Cameron, NCSC CEO, June 2022.

 

Useful Links:

  • NCSC Early Warning System – Early Warning helps organisation investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds
  • NCSC Exercise in a Box – A free online tool which helps organisation find out how resilience they are to cyber attacks & practice their response in a safe environment.
  • Incident Management – cyber incident response plan NCSC guidance to create your own cyber incident response plan
  • The UK National Cyber Strategy – setting out five key pillars in the UK’s Cyber Planning.

 

For cyber security and technical expertise, please contact our team today.


2023: New Rules for Cyber Essentials

Each year GCHQ’s National Cyber Security Centre issue stricter new rules for business and organisations looking to secure UK Cyber Essentials (CE) and Cyber Essentials Plus (CE+) Certification.

Continuing themes from last year, there are now tighter rules on account access, thin clients, device firmware, remote desktops, antivirus/EDR solutions and more. Despite the success of the Cyber Essentials scheme, the past year has seen some notable cyber attacks on British organisations, and renewed calls for cyber security vigilance.

We’ve compiled a summary to help organisations prepare for what revisions are coming down the line in April.

 

Multi-Factor or Else.

Even sooner than many expected, Cyber Essentials will now require not only Administrators to have Multi-Factor Authentication enabled – but all end-user accounts as well, across all platforms. Previously exemptions were granted for services without this option available, now that gap closes.

Instead, where a service doesn’t support MFA this will now be declared a non-conformity, bringing digital services fully into line with the rules enforced on UK online banking, and even applying to school children – right down to reception-age.

That’s likely to pose a challenge for companies (and particularly schools) using any software or web services which don’t yet offer MFA – so many organisations may need to look at augmenting their IT setups with 3rd-party MFA solutions like Cisco Duo.

 

Don’t forget the Firmware!

Software version controls now extend to hardware device firmware – with the definition clarified to specifying “firewall and router firmware” in particular – which was always essential, given the perimeter nature of these devices. In a rare step back, firmware on servers, PCs and other devices has been removed from the scope.

 

Device Clarifications

The NCSC has admitted third-party devices have been a point of confusion – and has published a revised table clarifying which devices are within the scope of Cyber Essentials. Updates will apply only to devices which are not domain-joined, or when unlocked have limited access to data (smartphones, handheld scanners etc.) If the a vendor does not allow configuration to see CE standards, the application may use the vendor defaults without incurring a non-conformity.

Given that the definition partly rests on who owns the device in question, we predict more changes in future years.

CE device rules for 2023

 

Not Just Any Anti-Malware

Antivirus solutions no-longer need to be ‘Signature-based’ – since the best EDR solutions don’t rely on signature-based detection of threats anyway. CE+ audits will include extra tests to verify that anti-malware software is effective (beyond simple EICAR tests) and application allow-listing is being encouraged.

 

Scoring Changes

Minor/Major non-conformities have been merged with a single Non-Conformity mark. Any applicant receiving three non-conformities will receive an instant failure. Corrective actions must now be completed within two days, despite some exceptions are available for larger organisations.

However, unsupported operating systems become an unfortunate immediate triple-word score: the presence of any unsupported operating system within the scope is an automatic fail.

 

For Cyber Security and Cyber Essentials expertise, please contact our team today.


Farewell to Windows 7/8

Extended Support for Windows 7 and Windows 8.1 officially ends as of January 2023.

The older operating systems will no longer receive any security patches or technical updates from Microsoft, which poses a compliance risk to businesses and organisations.

Mainstream support for Windows 7 originally ended in early 2020, although some Enterprise users could choose to purchase an ‘Extended Security Update’ (ESU) program for an additional three years.

Ever since then, Microsoft has regularly urged users to upgrade to Windows 10, and later Windows 11 on PCs with TPM security built into their chipset.

Windows 7 was originally released in 2009 and became an overnight success, selling over 100 million copies within six months. As of September 2022, a staggering 11% of traditional PCs are somehow still estimated to be running Windows 7 globally.

Windows 8 suffered a more checkered history: originally developed with a touchscreen-friendly tile display designed to be similar across PCs, tablets and the ill-fated Windows Mobile – many users found the new user interface confusing, continuing the mysterious curse of alternate-versions of Windows being a flop.

Microsoft Edge 109 will also be the last version of the web browser that will be considered supported for Windows 7 and 8, with a similar change expected from Google within Google Chrome.

Now the World officially waves goodbye to Windows 7/8.1, and any users still stuck on the old versions are faced with the choice of either purchasing a licensing upgrade for their old PC if their hardware permits it, or replacing their device entirely with a newer Windows 10/11-based model.

 

For Operating System expertise and support, please contact our team today.


Police swoop on ‘DDoS-for-Hire’ Operations

UK & Dutch police have helped lead an international operation with Europol to take down one of the World’s biggest DDoS-for-hire services, webstresser.org.

The UK’s National Crime Agency and their Dutch Police counterparts announced the success of ‘Operation Power Off’ – which saw the seizure of infrastructure believed to be linked with criminal activity based in the UK, Netherlands and Germany, and the arrest of individuals as far afield as the UK, Spain, Canada, Croatia, Italy, Australia and Hong Kong by at least a dozen different law enforcement agencies.

On the other side of the Atlantic, the Department of Justice announced an additional six arrests by the FBI, with a further 48 domains seized as part of a criminal investigation into DDoS-for-hire operations.

webstresser

According to Europol, Webstresser is estimated to have let over 136,000 customers launch more than four million Distributed Denial of Service (DDoS) attacks on targets for as little as £11, overwhelming websites and online services with traffic and knocking them offline. Although DDoS for hire services often pose as genuine ‘stress-test’ tools, users with very little technical knowledge were able to order attacks on unrelated targets – choosing between ‘Bronze’ ‘Silver’ and ‘Platinum’ packages.

The service was thought to be responsible for cyber attacks on at least seven major UK banks in November 2021, as well as numerous other businesses and government departments around the world. The BBC reports UK police have raided an address in Bradford, in connection with last year’s attacks on UK banks in particular.

Jaap van Oss, the Dutch Chair of the Joint Cybercrime Action Taskforce (J-CAT) praised the joint cooperation by law enforcement agencies to finally take Stresser offline.


Macro Misadventure Minimised

Microsoft have altered how macros activate in Microsoft Office files, in an effort to improve users’ cyber security.

Macros, which allow office files to run sequences of commands, can be used to automate simple tasks – but also maliciously by hackers as a mechanism of attack.

Macro-based hacks have been around since the late 1990s, but remain surprisingly effective. Users are commonly asked to open unexpected email attachment and authorise the macro to see its mystery contents, allowing the macro to introduce malware onto the system. In effect, users authorise the hack themselves.

Instead of the old yellow ‘Security Warning’ labelled with an instant ‘Enable Content’ button users previously saw when using Microsoft Office applications, files will now prompt with a red ‘Learn More’ button, and users will be forced to see guidance on using macros securely, before being able to enable the content.

 

macro warning


macro warning

 

This small move – which was originally rolled out, rolled back, and then rolled out again – has been part of a slow clampdown on macros that has lasted more than two decades. Over the years macro functionality has steadily had more restrictions applied – in 2003 IT admins could require macros to have a trusted certificate (more like software applications) and as of 2013, could block macros by default.

But Microsoft hopes this simple firebreak will nudge us to think twice, and stop (potentially millions) of people from endangering themselves and their technology with a click.

Human nature continues to catch out many users curious about mystery documents – particularly since only a small fraction of Microsoft Office users are even aware of Microsoft 365’s powerful automation features.

 

For IT support and expertise, please contact our team today.