FFT news digest August 28 2020

Hackers for hire

Some extraordinary tales about the lengths to which attackers are prepared to go in order to secure access to their targets. In one case, a Russian is accused of flying to the US to offer a $1 million bribe to an employee at Tesla's Gigafactory to infect its network with malicious software. Prosecutors allege the man was the key player in a plot to steal data and extort millions of dollars in return for not disrupting Tesla's operations. He was arrested after the employee apparently got cold feet (though only after a blow-out visit to Lake Tahoe). Meanwhile, Bitdefender has details of an attack that targeted a luxury real-estate broker in the US. A specially designed plugin for Autodesk 3ds Max was used to infiltrate the company and steal a range of information. Bitdefender warns that cyber criminal groups are becoming more like mercenaries and will continue to sell their services to the highest bidder.

Threats

Vishing: US agencies are warning about a widespread campaign using phone calls to try to persuade employees to hand over their network credentials. FBI / CISA via KrebsOnSecurity

AWS: Most Amazon phishing attacks target consumers, but organisations using Amazon Web Services are also at risk (as we know because we are among those inundated with fake invoice notifications). KnowBe4

GDPR: A North Korean campaign targeted a system administrator with a fake LinkedIn job advert that used a General Data Protection Regulation theme. F-Secure

WhatsApp: Beware of messages from contacts asking for a 6-digit code. The code is the verification code WhatsApp sends when a number is registered on a new device, so anyone who hands it over lets the attacker take over their account. The scam was around last year and has resurfaced. Mishcon de Reya

Teams: A reminder to only download apps from official sources. Attackers have worked out how to modify the Teams installer so that it not only installs the genuine app but also downloads malicious software alongside it. Panda Security

Google Drive: A vulnerability in the 'Manage Versions' feature could be exploited by attackers to distribute malicious files disguised as legitimate documents, because a new version uploaded through that feature is not required to keep the original file's type. The Hacker News

Outlook: A fake email warns of account issues and tries to persuade the user to enter email credentials on a phishing page that resembles a real Outlook Web Access portal. Naked Security

Box: A phishing campaign used a legitimate Box page with Microsoft 365 branding to try to steal account credentials. Armorblox

Predictions

Multi-factor authentication has been the top security investment during the pandemic, according to new data from Microsoft. A survey of nearly 800 business leaders from around the world underlines the speed of digital transformation sparked by the coronavirus. "Providing secure remote access to resources, apps and data" has been the biggest challenge, with more than half of those interviewed saying they are speeding up the deployment of 'Zero Trust' capabilities. (As its name suggests, a Zero Trust approach trusts no user, device or network location by default; every request is authenticated and authorised on its own merits rather than because it comes from inside the corporate network.) But, as Microsoft says, "Technology alone cannot keep pace with the threats and demands facing businesses and their largely remote workforces. Human security expertise is at a premium with more than 80% of companies adding security professionals in response to COVID-19."

Media targeted

Credential stuffing attacks against the media sector have grown substantially during the coronavirus pandemic, according to Akamai. The tactic takes large databases of usernames and passwords stolen from other breaches and replays them, typically one attempt per account from a large pool of proxy addresses, to find combinations that also work on the targeted service. Needless to say, it's often successful because people use the same password for multiple accounts. Infosecurity reports that, in the first quarter of 2020, Akamai figures showed publishing was the sector most targeted by this type of attack due to a surge in popularity for news content about COVID-19. One defence is for media companies to limit the number of login attempts they allow, though that needs to be measured per source as well as per account, since a stuffing run touches each account only once or twice. But the most effective protection is to avoid reusing passwords, and to turn on multi-factor authentication where the service offers it. It's time-worn advice, but a password manager does make you a great deal safer.
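The distinction drawn above, between a stuffing run (many accounts, one or two tries each, from one source) and a user mistyping their own password or a brute-force attack on a single account, is what a detector has to encode. The following script is an added example written for this digest, not code from Akamai or the Infosecurity article. It assumes a simple, constructed log format ("timestamp source-ip login username OK|FAIL") and makes up a handful of log lines; the thresholds are illustrative and would need tuning against real traffic.

```python
"""Toy credential-stuffing detector over constructed login-audit lines.

Added example for the FFT digest; the log format, addresses, usernames
and thresholds below are all assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 203.0.113.7 walks through six accounts with one
# try each and lands a hit on 'frank' (stuffing); 198.51.100.9 is a user
# getting their own password wrong a few times; 192.0.2.44 hammers one
# account (classic brute force); 192.0.2.5 is a normal login. The last
# line is deliberately malformed to show the parser skipping junk.
SAMPLE_LOG = """\
2020-08-28T09:00:01Z 203.0.113.7 login alice FAIL
2020-08-28T09:00:02Z 203.0.113.7 login bob FAIL
2020-08-28T09:00:03Z 203.0.113.7 login carol FAIL
2020-08-28T09:00:04Z 203.0.113.7 login dave FAIL
2020-08-28T09:00:05Z 203.0.113.7 login erin FAIL
2020-08-28T09:00:06Z 203.0.113.7 login frank OK
2020-08-28T09:01:10Z 198.51.100.9 login carol FAIL
2020-08-28T09:01:15Z 198.51.100.9 login carol FAIL
2020-08-28T09:01:22Z 198.51.100.9 login carol FAIL
2020-08-28T09:01:30Z 198.51.100.9 login carol OK
2020-08-28T09:02:00Z 192.0.2.44 login dave FAIL
2020-08-28T09:02:01Z 192.0.2.44 login dave FAIL
2020-08-28T09:02:02Z 192.0.2.44 login dave FAIL
2020-08-28T09:02:03Z 192.0.2.44 login dave FAIL
2020-08-28T09:02:04Z 192.0.2.44 login dave FAIL
2020-08-28T09:02:05Z 192.0.2.44 login dave FAIL
2020-08-28T09:03:00Z 192.0.2.5 login erin OK
this line is malformed and must be skipped
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used for classification."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_line(line):
    """Return (timestamp, ip, username, succeeded) or None for junk lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "login" or parts[4] not in ("OK", "FAIL"):
        return None
    ts, ip, _, user, result = parts
    return ts, ip, user, result == "OK"


def aggregate(log_text):
    """Fold the log into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, user, ok = rec
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if not ok:
            s.failures += 1
    return dict(stats)


def classify(stats, min_users=5, min_fail_ratio=0.8, min_failures=5):
    """Label each source as 'stuffing', 'brute-force' or 'benign'.

    Stuffing: many distinct accounts and a high failure ratio (one try per
    leaked credential). Brute force: many failures but few accounts.
    """
    labels = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            labels[ip] = "stuffing"
        elif s.failures >= min_failures:
            labels[ip] = "brute-force"
        else:
            labels[ip] = "benign"
    return labels


def compromised_accounts(log_text, **thresholds):
    """Accounts that logged in successfully from a source labelled stuffing.

    These are the accounts whose reused password has just been confirmed
    as valid, so they are the ones to force-reset first.
    """
    labels = classify(aggregate(log_text), **thresholds)
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] and labels.get(rec[1]) == "stuffing":
            hits.add(rec[2])
    return hits


if __name__ == "__main__":
    for ip, label in sorted(classify(aggregate(SAMPLE_LOG)).items()):
        print(f"{ip:15} {label}")
    print("reset these accounts:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Per-IP counting is the simplest signal and the easiest one for an attacker to defeat by spreading the run across a residential proxy pool, so in practice the same statistics are also keyed on ASN, user-agent or TLS fingerprint, and a sudden rise in the site-wide failure ratio is watched in its own right. Note too that a blunt per-account lockout turns a stuffing list into a denial-of-service against your own users, which is why the limit above is applied per source.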

Case study

Australian regulators are taking a financial advice company to court for failing to maintain a "reasonable standard" of cybersecurity. The Australian Securities and Investments Commission cited a rich selection of deficiencies, including 90% of desktops without up-to-date antivirus software, no email filtering, no offsite backups, and passwords and other security details stored in text files on the server desktop. A consultant was brought in, identified a number of problems (including "no discernible cybersecurity policies"), and made a series of recommendations which were promptly ignored. Obviously, this is an extreme example, but it's a good reminder not to assume that people can't act like idiots (because clearly they can). Even basic precautions like those provided by the UK's National Cyber Security Centre can help weed out idiocies before it's too late.

Tracking

Google's own engineers were worried about the company's practice of secretly tracking people's movements even when they didn't want to be followed, according to court documents in a consumer fraud case. The insight stems from a lawsuit brought against Google by Arizona's attorney general. The files reveal the concern inside Google after an Associated Press investigation uncovered what it was up to. "The current User Interface feels like it is designed to make things possible, yet difficult enough that people won’t figure it out," one employee said. Meanwhile, over at Facebook there are loud complaints that new privacy rules being introduced by Apple will reduce advertising revenues. The changes will require apps to ask users for permission to collect data about their devices and track them round the internet. "This is not a change we want to make, but unfortunately Apple’s updates to iOS14 have forced this decision," Facebook said.

In brief

Iranian government attackers impersonated journalists from Deutsche Welle and the Wall Street Journal earlier this year. They contacted targets via LinkedIn, and set up WhatsApp calls to win their trust, before sharing links to phishing pages and malicious files. Clearsky

With President Trump giving every sign that he will refuse to accept the result of November's election if he doesn't like it, Facebook is working out what its response should be. One option is a “kill switch” to shut off political adverts after the election since it doesn't police them for truthfulness. New York Times ($)

A Freedom of Information request has revealed the paltry number of fines issued to UK organisations which failed to pay the data protection fee. Between 2015 and the introduction of the GDPR in 2018, there were just 16 successful prosecutions. Whatdotheyknow

The British army is reported to be considering replacing tank regiments with cyber capabilities. The Register quotes a defence analyst's reaction, "When Putin sends tanks rolling across the eastern European border I'll be interested to see how much effect the 101st Hacking Division has against the heavy artillery." The Times (£)

MIT researchers have figured out how to use wireless radio signals to track what someone is doing without the need to video them. MIT hopes to sell RF-Diary to hospitals and assisted living facilities. You can imagine some other customers who might be quite interested... MIT

Updates

Cisco: More updates, this time for NX-OS and rated 'High' severity.

IBM: Reminder to check that the patch has been applied to Db2 editions 9.7, 10.1, 10.5, 11.1, and 11.5.

Office 365: Application Guard, which is designed to protect users from malicious files by opening them in an isolated container, is available in public preview. Initially available to enterprise users, and turned off by default.

MS Word: New transcription feature (starting with Word for the Web) allows users to record conversations directly in Word and have them transcribed automatically.

Chrome: Version 85 was released in the stable version with 20 security fixes inside, including patches for 14 vulnerabilities disclosed by external researchers.

Firefox: Version 80 for Windows, macOS, and Linux includes new features, as well as security and bug fixes.

Windows: Microsoft says the coronavirus pandemic has led it to postpone the scheduled end of service date for the Enterprise, Education, and IoT Enterprise editions of Windows 10, version 1803 to May 11, 2021.

FCP X: Includes new features designed to support remote workflows.

Pulse Secure: Connect Secure and Policy Secure users should ensure they are running version 9.1R8, which addresses a security vulnerability in earlier releases.

Tails: Version 4.10 fixes "many" security vulnerabilities, as well as a number of known issues with USB devices.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217