FFT news digest July 3 2020

Ransomware alive, kicking

Ransomware is alive and well, and making a nuisance of itself. The BBC published details of the negotiations which led to the University of California San Francisco paying a $1.14m ransom to regain access to encrypted data. Malwarebytes reports on a new, powerful ransomware strain designed to attack Mac users. And Proofpoint says it has seen a recent rise in the number of ransomware attacks being distributed by email, with hundreds of thousands of messages sent every day. Criminals use a range of lures to trick people into opening them, including subject lines related to coronavirus. The past month has seen a slight increase in email-based attacks that try to install ransomware directly, rather than installing a download utility first. Proofpoint says this follows a long, relatively quiet period and warns it may herald the return of large-scale ransomware campaigns last seen in 2018. As always, the best protection against ransomware is to have tried and tested backup solutions. UCSF got its data back, but paying the ransom is no guarantee of that.

Contact tracing

The UK is looking at positioning the revamped version of its troubled contact tracing app as “PPE in your pocket”, according to the Financial Times. The paper, which has proved accurate in previous reporting, says the app will include a map designed to warn people about areas with a large number of infections, a countdown timer to help people track an enforced period of self-isolation, and barcodes to enable offices and restaurants to know if someone with the virus had visited them. Meanwhile, a survey suggests that 60% of people in the UK are willing to sacrifice privacy for a robust contact tracing system that can prevent the spread of the virus. The UK's data protection regulator has now published (very) rudimentary guidance to businesses which are being asked to record the details of customers. Elsewhere, Singapore began issuing wearable contact tracing tokens to elderly people who are not digitally connected and who are at higher risk from the coronavirus.

Scumwatch

Business Email Compromise: There was a 200% increase in BEC attacks focused on invoice or payment fraud from April to May 2020. Abnormal Security
FakeSpy: Android app masquerades as legitimate postal app. In the UK, users are instructed to download a fake version of the Royal Mail app designed to control SMS messages and steal sensitive data. Cybereason
DNSSEC: Phishing campaign targets bloggers and website owners with emails pretending to be from their hosting provider offering to upgrade their domain to use secure DNS. Sophos
Dropbox: New scam uses a fake Dropbox Transfer page to try to steal Microsoft 365 credentials. KnowBe4
Passports: Fake HMRC phishing scam targets self-employed workers to try to obtain passport number, home address, bank account details. Griffin Law
Remote Desktop Protocol: Beware of brute force attacks targeting remote desktop protocol connections used with Windows devices. The number has steadily increased, rising to 100,000 incidents per day in April and May. ESET
Github: Twitter thread provides perfect example of a cleverly-designed phishing email, and the value of a password manager. Glenn Maddern

The Chinese threat

A rash of stories this week should leave no-one in any doubt about the scale, reach and threat of Chinese cyber 'activities'. On Thursday, Trustwave published details of tax payment software that a Chinese bank requires corporations to install to operate in China. The catch: as well as processing local tax payments, the software installs "a well-hidden and powerful backdoor that surrenders full remote command and control of the victim system to an unknown adversary". Shortly after the report was published, Trustwave says the backdoor was removed. In a report entitled 'Did a Chinese Hack Kill Canada’s Greatest Tech Company?', Bloomberg recounts the story of Nortel and China's "vacuum cleaner approach" to stealing the company's intellectual property. And Lookout has details of a 7-year surveillance campaign by a "Chinese threat actor" that targeted the Uyghur ethnic minority. The existence of such activities is hardly surprising. As Lookout reports, the four Android surveillanceware tools are elements of much larger campaigns that have been active for years.

Routers

Echoing our frequent warnings about home routers, the US Cybersecurity and Infrastructure Security Agency has issued an alert about vulnerabilities in Netgear products. It urges users to ensure devices are up to date and to replace end-of-life devices. The agency points to the increase in remote working and urges organisations to consider the risk that router vulnerabilities present to business networks. The scale of the problem facing Netgear was revealed six months ago when researchers identified vulnerabilities in 79 models. Netgear has now issued updates for 28 of them - although fixes were supposed to be released by June 15. However, some models are end-of-life and those will never be fixed. It would be hard to overstate the importance of keeping routers up to date. When updates for a device cease, it's time to replace it - even if it's still working perfectly well.

Head in the clouds

People forced to work remotely because of the COVID-19 pandemic say they're more conscious of their organisation's cybersecurity policies, but they're still happy to break them if they think they need to. The good news: 85% claimed they take IT instructions seriously, according to Trend Micro's survey of more than 13,000 remote workers in 27 different countries. Less good: some respondents described official solutions as "nonsense" and said they would use unapproved solutions to get things done. "This is a recipe for shadow IT and escalating levels of cyber-risk. It also illustrates that current approaches to user awareness training are falling short. In fact, many employees seem to be aware of what best practice looks like, they just choose not to follow it," Trend Micro says.

In brief

There have been hundreds of arrests across Europe after French law enforcement broke into a secure communications platform allegedly used by organised crime gangs. It appears investigators found a way to install malicious software on the specialised phones used by the platform. Motherboard Europol

One of the biggest studies into the re-use of passwords analysed more than a billion leaked credentials; it found one in 142 passwords is "123456".
Depressingly, it also found an unexpectedly high number of 'good' complex passwords being reused. Ata Hakçıl

Sound and fury after the TikTok app was found to be copying the contents of the clipboard which meant it could identify a user's precise location (among other things).
Despite the excitement, TikTok is hardly alone in this (hello LinkedIn). Mysk

A revealing account about the Financial Times' investigation into failed German payment processor, Wirecard. "At times, I thought I was going mad," said the journalist working on the story who endured years of cyber attacks.
Citizen Lab has details of the way in which hackers for hire pursued those involved in the investigation. FT ($)

Among those enjoying a silver lining from COVID-19 are makers of "bossware", which enables companies to keep an eye on those working remotely. The Electronic Frontier Foundation has a summary of the solutions and their extensive capabilities. EFF

If you use a voice assistant, you've probably experienced it leaping into action unexpectedly. The problem is more widespread than previously thought, with more than 1,000 phrases shown to wake them up inadvertently. Ruhr-Universität Bochum

As the deadline for requesting an extension to the Brexit transition period passed, data protection experts warned that organisations need to prepare for the possibility of a no-deal scenario. According to one study, around 75% of the UK’s international data flows are with the EU. Disruption would be “extremely damaging,” it says. UCL

Investment bank, Goldman Sachs, created an eponymous font which anyone can use, as long as it doesn't involve any criticism of Goldman Sachs. Predictably, Twitter promptly saw the font being used to do exactly that. Twitter

Updates

Palo Alto Networks: Urgent warning about range of firewalls and enterprise VPN appliances. US Cybersecurity and Infrastructure Security Agency warns that foreign attackers are likely to exploit a newly disclosed, critical vulnerability that enables a device to be taken over without authentication.

Microsoft: Emergency updates for Windows 10 and Windows Server 2019 to address vulnerabilities that could be exploited through a specially crafted image file. Unusually, updates were issued via Microsoft Store to ensure they would be applied automatically.

Windows 10 file recovery: Microsoft has released a file recovery app designed to undelete files on a hard drive or on removable media.

Magento: A reminder that Magento 1.x reached end of life on June 30 and no more updates will be released for Magento Commerce 1.14 and Magento Open Source 1. This means the more than 100,000 existing installs are no longer PCI DSS compliant.

Google: G Suite mobile and desktop apps need to be updated before August 12, 2020 to ensure they continue working.

Firefox: Version 78.0.1 issued to fix problems with Firefox 78 which resulted in numerous issues including the disappearance of search engines and failure to auto-complete web addresses.

Tails: Version 4.8 includes important security updates.

Tenda: Warning that Homeplug devices have several security vulnerabilities. No updates available at present, but users are advised to ensure they change the weak default password.

Cisco: Security issues reported in Series Smart Switches, Series Managed Switches and Series Stackable Managed Switches. Updates available, but some devices are end-of-life and will not receive patches.

F5: A Cross-Site Scripting (XSS) vulnerability exists in the BIG-IP Configuration utility. Fixes for some, but not all, versions are available.

Zimbra: 9.0.0 “Kepler” Patch 4 and 8.8.15 “James Prescott Joule” Patch 11 issued.
