Cyber Lessons from the British Library

The British Library has published its lessons learned from the devastating cyber attack that struck in October 2023.

In an eighteen-page report which shows an impressive commitment to transparency, but makes for painful reading, the organisation details how it was compromised by the Rhysida ransomware group during a traumatic timeline of events. In a subsequent press release, the Library also states it hopes other institutions will learn from its findings in the wake of a ‘deeply damaging criminal attack.’

Unfortunately, the report makes clear that in response to tighter security standards, the organisation ceased to be Cyber Essentials Plus certified in 2022, pending replacement of some older systems. In section six, sixteen ‘lessons learned’ form the basis of its future plans and guidance to other organisations:

  • Enhance network monitoring capabilities
  • Retain on-call external security expertise
  • Fully implement multi-factor authentication: Multi-factor authentication needs to be in place on all internet-facing endpoints, regardless of any technical difficulties in doing so.
  • Enhance intrusion response processes
  • Implement network segmentation
  • Practice comprehensive business continuity plans
  • Maintain a holistic overview of cyber-risk
  • Manage systems lifecycles to eliminate legacy technology
  • Prioritise remediation of issues arising from legacy technology
  • Prioritise recovery alongside security
  • Cyber-risk awareness and expertise at senior level
  • Regularly train all staff in evolving risks
  • Proactively manage staff and user wellbeing
  • Review acceptable personal use of IT
  • Collaborate with sector peers
  • Implement Government standards, review and audit policies and processes regularly

The exact origin of the hack – which took Library systems offline for months – is unconfirmed, in part due to the scale of the destruction. However the Library’s independent security investigators believe the original breach was caused by either a spear-phishing, brute force or other credential compromise. This allowed hackers access to a remote session on a terminal server that was not yet subject to Multi-Factor Authentication for a user to login.

From there, around 600GB of data (or half a million documents) were exfiltrated, with searches for sensitively-named content such as ‘passport’ and ‘confidential’. Backup copies of twenty-two databases were also made, and removed from the network. Ransomware was also deployed, and the encrypted data used for attempted extortion.

At several points Rhysida are believed to have made their own actions difficult to track – deleting log files and destroying servers to prevent a swift recovery. In a classic ‘double-extortion’ the group also leaked employee and customer data for auction on the dark web in November, with a starting value of 20 Btc (then approximately £600,000). The British Library insists that in line with guidance given by the National Cyber Security Centre, no attempt was made to communicate with the attackers, nor any ransom paid.

The Rhysida ransomware group are also reported to, or have claimed responsibility for, hacks carried out in Chile, Portugal, Kuwait and the United States in the latter half of 2023. Cyber security professionals believe the hackers are Russian-speaking, although evidence is limited.

Lengthy and costly, the cleanup effort has clearly been difficult. The report details that the Library convened Gold and Silver level crisis-management committees, with both private sector and UK state cyber security assistance – although senior staff at the BL were at one point forced to communicate via an emergency WhatsApp call in the absence of official systems. The Library’s main catalogue, containing more than 36-million records, only returned online in ‘read-only’ format in January, and the report states ‘Many staff have been unable to perform significant parts of their roles’ (for more than 3 months.)

The Financial Times have speculated that the recovery costs may eventually total over £7m, which would represent around 40% of the institution’s known financial reserves, although the Library’s Chief Executive, Sir Roly Keating, told the BBC it was too early to calculate the true value.

 

For cyber security expertise and assistance, please contact our team today.


Lineal Launches Trust Centre

We’ve launched a new online Trust Centre aimed at demonstrating Lineal’s commitment to Cyber Security and data privacy.

We take our role as your trusted IT provider extremely seriously, and we hope the trust centre will show what we’re doing to maintain the highest of industry standards.

Available online to anyone at any time, our trust centre acts as a transparent dashboard showing our current compliance standards, risk profile and cyber security best practices. In addition to reviewing our key policies, we’ve detailed what we do to keep staff, data and systems safe – across numerous areas including endpoint protection, network security, backup, infrastructure, app and information control.

Our intention is that the trust centre gives our customers confidence in our dedication to good cyber hygiene, and acts as a useful reference resource when our clients are dealing with 3rd-party supply-chain assurances, industry frameworks and insurance providers.

Furthermore, we hope that a detailed overview of the cyber security strategy employed by Lineal acts as a model for others, and a useful template for the kind of organisational transition our own team can help your organisation pursue successfully.

Those measures are backed by important standards: Lineal is an ISO 9001 & 27001 accredited organisation, Cyber Essentials and Cyber Essentials Plus Certified – with reviews of our status undertaken by Cybersmart, Microsoft, Alcumus and Huntress.

 

For Cyber Security expertise and support, please contact our team today.


3CX Hit by SmoothOperator

3CX, one of the world’s best known telephony applications, has been rocked by a devastating supply-chain attack that is infecting end-users.

The breach, designated ‘SmoothOperator’ is believed to affect both the 3CX Desktop app and PMA, 3CX’s recommended replacement. Once the trojanised payload is delivered to the 3CX end-user, it interacts with popular web browsers such as Chrome, Edge, Firefox and Brave – likely in an attempt to steal user data, including browser history, down the line.

In a video released earlier today – SentinelOne demonstrated the forensic detection of SmoothOperator which has risen dramatically in recent days. A sample of how the powerful endpoint security software blocks the threat can be seen in the video below.

Security analysts are rumoured to have discovered links to Labyrinth Collima, a North Korean Lazarus Group offshoot from Bureau 121 of the DPRK’s ‘Reconnaissance General Bureau.’ 3CX is believed to be in use by more than 12 million daily users around the world, among more than 600,000 organisations.

Managed detection and response specialists Huntress have published a wide-ranging report on the breach with a difficult verdict for organisations using 3CX:

“We anticipate that 3CX will not complete a root cause analysis of this incident for some time, and users should look for alternative telephony mechanisms for the foreseeable future.”

 

Remediation: organisations using 3CX are advised to…

1. Enforce mandatory password resets for all users.
2. Reset passwords for any web-based accounts which might have suffered credential harvesting via the user’s browser, and have multi-factor authentication (MFA) enabled for those accounts.
3. Invalidate any persistence tokens used for Microsoft 365, Google Workspace and other accounts that might allow automatic login without MFA.
4. Enable high security risk conditional access if using Microsoft Azure.

 

For Cyber Security expertise and assistance, please contact our team today.


Dangerous New Outlook Exploit Triggers Automatically

Microsoft have acknowledged a critical new zero-day vulnerability with Outlook, that does not require any user interaction with an email to be triggered.

Reported by the Ukrainian Computer Emergency Response Team (CERT) to Microsoft and graded 9.8/10 on the severity scale according the NIST, the exploit is believed to have already been used by a “Russia-based threat actor” in attacks against European targets across government, transport, energy and military sectors.

The exploit (CVE-2023-23397) abuses the way Microsoft Outlook attempts to follow links in emails to retrieve remote content, even before they’re opened or viewed in the preview pane – allowing a remote attacker’s server to request authentication via an old technology known as NTLM, and automatically receive poorly encrypted username and password details from Outlook. NTLM was officially retired by Microsoft after Exchange 2003, but the technology remains available in current versions.

This is dangerous because with a username, password and corresponding email address, hackers have effectively completed a credential theft without any interaction from the end user. Many users use their email account as a single-sign on for other applications, putting numerous other services at risk.

CVE-2023-23397 is not yet fully documented however Microsoft believe the vulnerability occurs “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor controlled server. No interaction is required.” Once a connection is made, the server sends the user a new technology LAN manager (NTLM) negotiation message which is relayed for authentication – none of which requires the user to even view the email itself.

The exploit affects only the Microsoft Windows version of the Outlook Desktop client. Outlook for Mac, the Outlook Web & Mobile Apps (as well as Outlook.com) are not affected – since these do not support NTLM authentication. Estimates vary but Outlook is said to be used by over 400 million users worldwide, in its various forms.

System administrators are advised to urgently patch with the latest Outlook updates from Microsoft within 24 hours.

Where this is not possible, system administrators are advised to add users to the Protected Users Security Group (blocking NTLM), or Block TCP 445/SMB outbound from network firewalls or via VPN settings, cutting off any NTLM authentication messages at the perimeter of your network. In both cases, Microsoft warn this may affect other services from working correctly.

 

For Cyber Security expertise and support, please contact Lineal’s Cyber Security Team today.


Home PC Hack Topples LastPass

LastPass have confirmed that a hack on a staff member’s home PC led to a massive cyber security breach on the company.

The second stage of the attack used data stolen in LastPass’s August breach, cross-referenced with other stolen information, to launch a targeted sting on one of their DevOps engineers – installing a key logger on the staff member’s home PC which resulted in the loss of yet more data.

LastPass confirmed the attacker was able to steal the user’s master password, gaining access to corporate vault resources and shared folders. In the process, encrypted notes and decryption keys needed to access LastPass production backups based in Amazon Web Services (AWS) – cloud-based storage and critical database backups were also compromised.

Since the August 2022 breach, when LastPass source code was stolen, the company has admitted the breach also saw the theft of account usernames, hashed passwords, and some Multi-Factor Authentication (MFA) settings belonging to end users.

Unfortunately LastPass also acknowledged that saved URL for each password entry was unencrypted, giving potential attackers an obvious clue to the purpose of each set of credentials.

The breach highlights the way remote working culture has introduced significant new digital risks – such as the danger of home users accessing work data, resources and applications on devices that sit ‘outside’ of company cyber security protections.

LastPass is believed to be used by over 85,000 businesses and 30 million end users.

 

For Cyber Security Expertise & Support, please contact our team today.

Managed Cyber Security


Your Official Briefing

We recently attended a special event about the danger of Russian cyber aggression against the UK: here’s the latest guidance from the UK National Cyber Security Centre.

 

Be prepared for changes to Russian strategy

A feared ‘firestorm’ of wholesale attacks on the digital infrastructure of the UK and Ukraine’s other Western allies hasn’t arrived, but the NCSC urges Russia remains extremely unpredictable.

Intelligence agencies are now concerned Russia may launch a new cyber attacks on the West this year, partly as compensation for Russian ground war failures.

Rates of cyber attacks on UK organisations remain ‘steady’, with some very serious incidents reported – and the NCSC has emphasised before how Russian cyber attacks on satellite networks and banking systems in Ukraine have spilled over into multiple countries.

We do know that behind the scenes a number of UK organisations have been carefully briefed to prepare for Russian cyber attacks over the past year – and a ‘handful’ of cyber incidents each year are serious enough to require COBRA meetings.

 

Yes, REALLY unpredictable

Russian strategic aims are often inconsistent. Boldness and risk-taking are known to be favoured in Russian high command – which itself encourages reckless cyber operations, experimental techniques and surprise attacks – but also corners-cut and operational errors.

Much like the Russian ground offensive, many of the most aggressive Russian cyber attacks – such as the widespread use of destructive Wiper malware – appear to have been ‘front-loaded’ during March/April, preparing for a quick victory which did not materialise even as Ukrainian systems have been hardened.

Far less technical attacks also appear to have crept into the mix – alongside a curious quality gap in the actual work of Russian operatives, as if threat actors are being supplemented by other personnel. Recent incidents have highlighted the names of known Russian intelligence officers visible within the code of malware, and fascinating research by Mandiant even suggests attempts by the GRU to recruit assistance from amateur hacktivist volunteers via covert pro-Russian Telegram channels.

However, the NCSC emphasises that ineptitude or failure is not a barrier to the further attacks by Russia – the individuals behind the attacks are shameless, and cyber attacks remain a convenient way to highlight weaknesses from policy makers in other countries.

Essentially ‘nothing is off-limits’ – an approach that is also exacerbated by the internal competition between Russian service branches, with the FSB, FDR, GRU and others often seeking to outdo each other.

 

Who is a target in the UK?

Past experience suggest Russian cyber operations often include a key psychological element – following infamous KGB tradition.

As a result, the Russian military likes to target ‘pressure points’ in particular: critical infrastructure, the energy sector, transport, media organisations, senior politicians and especially companies with visible public-facing operations – anything that might generate panic among the public, suggest democratic policy makers are weak, undermine the West’s resolve to support Ukraine, or provoke a widespread feeling of vulnerability.

Ukraine provides some clues as to Russian strategy, but the NCSC emphasises that espionage attacks can often involve gaining access for no specific purpose – and (for example: obtaining privileged administrator access to systems) are simply a contingency for the future.

 

Organisations that plan ahead suffer less pain

Official advice is clear: organisations that prepare even the most basic disaster-contingency plans recover more quickly and suffer much less financial pain in the event of a cyber attack.

Even very simple crisis management steps like agreeing ‘who is in charge’ in advance, confirming ‘where are the backups’, and keeping printed copies of essential preparations for an emergency, all help radically minimise the damage, disruption and time to recovery.

However, this too comes with an NCSC warning: five years of IT improvement won’t be squeezed into your crisis remediation – better to have a roadmap for improving your cybersecurity as part of your existing business plans.

 

EDR is a Must

Forensic engines included in modern Endpoint Detection & Response (EDR) software help provide rapid information about the scale of hacks during incident response – this provides essential time for first responders to mitigate further threats, limit damage, and give the NCSC information about the threat to others.

The NCSC argues that British resilience will rely not just on small organisations across the country remaining vigilant, but gathering a wider pool of information on the centre’s behalf – the grassroots feeds into the ‘bigger picture’ of national security, and defending the UK is a team effort.

Services like the Signpost Cyber Incident Service now allow smaller organisations to report cyber attacks centrally.

 

Ransomware is THE threat.

NCSC guidance, right from the top of the organisation’s CEO remains the same:

“Even with a war raging in Ukraine, the biggest global cyber threat we still face is ransomware” – Lindy Cameron, NCSC CEO, June 2022.

 

Useful Links:

  • NCSC Early Warning System – Early Warning helps organisation investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds
  • NCSC Exercise in a Box – A free online tool which helps organisation find out how resilience they are to cyber attacks & practice their response in a safe environment.
  • Incident Management – cyber incident response plan NCSC guidance to create your own cyber incident response plan
  • The UK National Cyber Strategy – setting out five key pillars in the UK’s Cyber Planning.

 

For cyber security and technical expertise, please contact our team today.


Macro Misadventure Minimised

Microsoft have altered how macros activate in Microsoft Office files, in an effort to improve users’ cyber security.

Macros, which allow office files to run sequences of commands, can be used to automate simple tasks – but also maliciously by hackers as a mechanism of attack.

Macro-based hacks have been around since the late 1990s, but remain surprisingly effective. Users are commonly asked to open unexpected email attachment and authorise the macro to see its mystery contents, allowing the macro to introduce malware onto the system. In effect, users authorise the hack themselves.

Instead of the old yellow ‘Security Warning’ labelled with an instant ‘Enable Content’ button users previously saw when using Microsoft Office applications, files will now prompt with a red ‘Learn More’ button, and users will be forced to see guidance on using macros securely, before being able to enable the content.

 

macro warning


macro warning

 

This small move – which was originally rolled out, rolled back, and then rolled out again – has been part of a slow clampdown on macros that has lasted more than two decades. Over the years macro functionality has steadily had more restrictions applied – in 2003 IT admins could require macros to have a trusted certificate (more like software applications) and as of 2013, could block macros by default.

But Microsoft hopes this simple firebreak will nudge us to think twice, and stop (potentially millions) of people from endangering themselves and their technology with a click.

Human nature continues to catch out many users curious about mystery documents – particularly since only a small fraction of Microsoft Office users are even aware of Microsoft 365’s powerful automation features.

 

For IT support and expertise, please contact our team today.


Phishing emails – how to teach others to avoid being hooked

Phishing emails that attempt to steal sensitive information or defraud funds are a growing threat to small businesses – and the root cause of roughly 90% of business cyber attacks.

Educating your staff to be wary of clicking on a suspicious email is arguably one of the simplest and most effective cyber-security practices for small businesses. But how should you approach this?

 

Nobody is Immune

There’s no telling when or where a phishing email will arrive at your business, and any single compromised computer might be a cyber-criminals ‘way-in’ to the company – so a good place to start is the idea that it is everyone’s responsibility to watch out for suspicious emails.

Phishing email traffic is estimated to have increased by around 65% last year, and approximately 30% of those phishing emails get opened by IT users.

You’re the CEO of a global multi-national conglomerate? Then you’re MORE, not less likely to be targeted. Such ’Spear Phishing’ attacks are often highly specific to key individuals, aiming squarely at users with privileged information, responsibility over finances or higher levels of access.

Email awareness applies to anyone and everyone with access to email, so training efforts to make your company secure need to apply up and down the hierarchy.

 

Use Examples

Getting hands-on with real examples of phishing emails is the single best way to immunise your team against being caught out. Cybersecurity companies increasingly recognise the ‘human’ factor as the most critical ’threat vector’ – put simply, there’s (ultimately) no substitute for human intuition about what might be suspicious.

Show your team key warning signs to look out for – suspicious email addresses in the email header, bad grammar, or links to dodgy URLs that display when you hover your mouse pointer over them.Fortunately ‘Fake bank’ or ’Nigerian Oil Minister’ type scams have become quite notorious over the last decade, so even the least tech-savvy user will soon catch on to the idea that if an email seems odd, it’s worth checking before clicking or typing-in any sensitive details.

Lineal have published examples of some particularly dangerous phishing emails we’ve encountered, here.

 

Defeatism is Expensive

Studies suggest many IT users increasingly feel that cyber-security breaches are inevitable, and that there’s ‘nothing they can do.’ This security ‘fatigue’ is partly the fault of cybersecurity providers, who have bombarded companies with this idea.

Avoid this mindset. Yes, 76% of companies reported being the victim of a phishing attack in 2017, but 24% did not. Those exemplary organisations will (at least partly) be making their own luck with good working practices, cybersecurity training for users, and strong IT security.

Defeatism also ignores that not all cybersecurity breaches are created equal – a breach could result in a negligible cost to recover a single PC, or cripple a major organisation worldwide, as NotPetya ransomware did to Maersk Shipping in 2017. Under GDPR, the scale of the fines issued by the Information Commissioner’s Office are directly related to the severity of the breach.

The lesson is clear: limiting your organisation’s exposure to attack also limits the potential ‘scale’ of the damage. Never surrender!

 

Do Your Part

It’s helpful to be able to show you’re also investing in your users’ safety at work – that you’re leading by example. Fortunately, there are many ways to reinforce end-user security when using email:

Cloud-based email hosting services (such as Microsoft Office 365) include multiple layers of spam filter as standard, which prevents the end-user ever coming into contact with a considerable volume of suspicious communication, and usually represents greater security than would be typical for your own on-site Exchange Server.

More secure antivirus providers (such as ESET) maintain their own lists of suspicious websites likely to be imitations used for phishing important credentials (such as bank details) and blocking these when encountered.

Email filtering services, such as the excellent Barracuda, are an inexpensive security bolt-on to work email that can dramatically cut down on each person’s day-to-day exposure to dodgy emails. Barracuda Phishline is also available as an automated training service – building a program of dummy phishing emails that can be used to raise awareness among your staff. Clever!

 

 


Technology firms rush to fix WPA2 KRACK

Technology firms are urgently issuing fixes for the WPA2 KRACK (Key Reinstallation Attack) thought to compromise the WPA2 encryption used in most WiFi routers and other wirelessly enabled devices.

The exploit, discovered and published by Mathy Vanhoef, a Belgian security expert for Imec-Distrinet, Ku Leuven, has caused serious alarm amongst cybersecurity professionals due to the widespread use of WPA2 across millions of items of networked hardware around the World.

Vanhoef’s website, detailing how the the WPA2 KRACK works, demonstrates on video how an unfortunate Android smartphone can be tricked into re-installing an all-zero encryption key, which makes de-crypting data transmitted from the device possible. 

Security guidance remains to continue using WPA2 (rather than reverting to an older encryption standard) and to install the latest WPA2 KRACK security updates from manufacturers as soon as they are available.

A number of key technology vendors were notified in August, giving them some time to prepare. Microsoft are reported to have adjusted “how Windows verifies windows group key handshakes” to fix the issue. Apple and Android are yet to specify exactly when patches will be available, although both are understood to be working on a secure fix to be made available in coming weeks. The more responsive hardware developers, including Cisco and Ubiquiti, yesterday began issuing guidance and new firmware for their wireless equipment.

The Wi-Fi Alliance, the international organisation dedicated to developing Wi-Fi technology, have essentially argued that there is no need to panic. There is no evidence of the extremely serious hack being deployed outside test conditions (yet) – although it’s probably only a matter of time before someone attempts to do so. Because Wi-Fi relies on physical range, it’s likely this could target public Wi-Fi and other easily accessible networks. For this reason, users are (as always) reminded not to use public networks for sensitive tasks, such as online banking.

It’s clear from the increased publicity surrounding the discovery that major vendors of network equipment will be under pressure to issue the required WPA2 KRACK security patches.

However, the underlying vulnerability also threatens a wide range of wirelessly connected internet-of-things (IOT) devices – including everything from CCTV to smart-fridges – such that it’s unclear just how widespread this latest security flaw will actually prove.

For IT support and cybersecurity expertise: get in touch with Lineal today.


Are you in the 46%? Studying 2017’s UK Govt. Cyber Security Report

DCMS has published this year’s 2017 UK Government Cyber Security Report, suggesting a staggering 46% of businesses have been hit by a cyber security breach in the past year.

The average cost of a cyber security breach is reported to be £1,570, although larger businesses (of which 68% reported falling victim) show figures of £20,000 or higher.

The polling, conducted by research institute Ipsos Mori, suggests businesses are increasingly seeking external IT or security advice as insurance against potential losses – particularly basic training for non-specialist staff and information on specific threats to their industry.

Certain positives jump out: basic technical standards laid out in the Government’s ‘Cyber Essentials’ scheme have been rolled out by half of all firms (although this was always a low bar, and the report admits that fewer than one in twenty firms have referred to public sector sources for security advice)

More encouragingly, the most common cyber breaches all involve an element of preventable human error: those reporting a breach in cyber security cited the most common cause as staff clicking links in fraudulent emails (72%) with other typical risks including viruses, spyware & ransomware (33%) and impersonation (27%.)

Specific dangers identified included:

  • Less than 40% of businesses have segregated WiFi networks, or any rules for encrypting personal data.
  • More than 70% do not have any input from someone responsible for IT security at a senior level.
  • Only 20% have run any kind of cyber security training in the last 12 months.

 

With the planned changes next year brought about by the introduction of the General Data Protection Regulations (GDPR), the potential costs associated with a data breach could be set to rise. Having measures in place to mitigate this risk well in advance is sound advice.

 

For IT Security support and advice, contact Lineal today: 01271 375999


Webcam and Microphone Security for Beginners

Who’s watching you? The nagging feeling that your webcam might be spying on you is not paranoia: someone may be.

For plugin webcams and microphones, it’s best to unplug when not in use, as once hacked these can become a dangerous weapon in the hands of cyber criminals.

‘Built in’ integrated webcams, like those found on laptops and other portable devices are more difficult to secure, as many do not even include a safety light displaying when the camera is recording, and there’s no guarantee this will indeed light if your webcam is hacked anyway.

The obvious solution (if you don’t intend to use your webcam or microphone) is to place a small piece of electrical tape over it (Mark Zuckerberg Style) and block the view of any potential snoopers. For a slightly neater solution, Ebay will sell you a correctly sized Webcam Sticker for around £3.

However if you actually need to use your webcam, this will quickly become inconvenient and messy.

If you instead wish to Monitor your webcam against intrusion, ESET security sofware for Windows is a smart purchase. Newer versions, such as the excellent ESET Internet Security, include webcam security, allow you to set rules for when your webcam can be accessed and notifying you if a program attempts to access it.

eset webcam security

For Mac Users, a free webcam and microphone monitoring tool named Oversight can be a useful free addition. This handy software is one of Objective-See’s set of Mac security products aimed at giving users visibility over what processes their Mac is running.

webcam alert

As we’ve noted before, smartphones bring a huge number of security risks, including both a personal microphone which is constantly listening on Android and iOS, GPS tracking of your location, frequent connection to public WiFi networks and often both front and rear-facing cameras.

The safest bets here are the obvious ones: invest in a smartphone antivirus software, keep your phone’s contents locked behind a PIN code, don’t install unknown apps and don’t connect to any unknown WiFi networks which might give hackers an access route for your microphone or camera(s.)

On Android you can also review your phone’s audio recordings and GPS tracking of your location for Google via Google My Activity and Google Location History.

Stay safe!

 

For IT security advice and assistance, contact Lineal today.