FFT news digest November 27 2020

Ransomware pandemic

The past year has seen a surge in ransomware attacks, with the total cost estimated to be at least $1 billion - and probably a lot higher - according to Group-IB. Most (60%) were in the US, with 20% in Europe (mainly the UK, Germany and France). The actual cost is probably far higher because many attacks aren't reported. Group-IB's report (R) also highlights the growing underground market for selling access to corporate networks and the startling rise in phishing attempts. The report warns that "criminals implement new tools with more enthusiasm and much faster than many companies" and it urges organisations to adopt proactive defence measures. In particular, it stresses the importance of establishing a password policy - and implementing training to ensure it's followed. We urge everyone not to underestimate the threat from ransomware. A comparatively new ransomware variant, known as Egregor, has been racking up multiple victims and appears to be spreading from the US to the rest of the world, including the UK. 

Threats

Black Friday: Criminals and other scumbags are almost as enthusiastic about Black Friday as retailers are. Vade Secure estimates 10% to 15% of Black Friday emails are malicious. The UK National Cyber Security Centre has warned about the risks and has updated guidance for online shoppers.

Zoom: A "massive" phishing campaign is using a fake Zoom invite to lure recipients into handing over their Microsoft credentials. Bleeping Computer

Doorbells: Wireless-connected doorbells are far less 'smart' than they should be, according to Which? It found vulnerabilities in 11 models for sale on Amazon and eBay.

Back to work: Attack uses fake internal company memo about plans for a return to office-based working. Abnormal Security

You're fired: A nasty variant targets employees by telling them they've been terminated. National Law Review

Among Us: Another warning about the prevalence of fake apps trying to take advantage of the popularity of Among Us. Researchers found more than 60 examples, most of which take the authentic game and repackage it to earn revenue through adverts. Promon

Office 365: Attack uses an email informing the recipient that three messages have been blocked and providing a link to "Recover Messages". Abnormal Security

Freedom of Information

The British government has been accused of operating an "Orwellian" unit designed to obstruct Freedom of Information requests. A report by openDemocracy describes how the unit, based in the Cabinet Office, gives advice to other departments "to protect sensitive information", and collates lists of journalists with details about their work. FOI requests should be 'applicant-blind' (i.e. the identity of the applicant shouldn't matter), but openDemocracy says government departments and public bodies have been referring 'sensitive' requests from journalists and researchers to the 'Clearing House'. While sharing the names of requesters may be commonplace, it doesn't mean it's lawful and, as Conservative MP David Davis has said, it's "certainly against the spirit" of the Freedom of Information Act.

Workplace surveillance

How would you like to be monitored by a tool that produces a 'productivity score' based on the number of emails you send or the degree to which you take part in Yammer? That's what Microsoft 365 offers - and privacy campaigners are deeply unimpressed. One said it turns Microsoft 365 into a "full-fledged workplace surveillance tool". A Microsoft video shows how the technology works, and the company says it's designed to build a "more resilient business" rather than "monitoring employee work output and activities". It's certainly true that much of the information could be very useful in resolving frustrations such as slow email or misconfigured apps. But, despite features designed to protect privacy, we'd be flabbergasted if in some cases it isn't used to monitor individual productivity.

Breaches galore

A bad week for big companies, as GoDaddy, Sophos and Spotify all fessed up to security incidents. At domain registrar, GoDaddy, employees were (once again) successfully attacked through social engineering and phishing as part of a campaign against cryptocurrency exchanges. As reported by cybersecurity journalist, Brian Krebs, the attacks enabled criminals to change a small number of domain names. That meant email and web traffic could be redirected to fake sites. Cybersecurity outfit, Sophos, told ZDNet that an access permission issue had exposed information about "a small subset" of customers. And Spotify is reported to be resetting the passwords of up to 350,000 accounts that were breached as the result of a credential-stuffing attack (which tries out multiple credentials until a working combination is found).

Bombed

Hilariously, a Dutch journalist managed to join a "secret" video conference of EU defence ministers after most of the entry code was posted on Twitter. RTL journalist, Daniël Verlaan, warned the Dutch government about the issue, but was told there was no risk because participants were verified before being allowed to join. Verlaan decided to see if that was true. "I entered the URL, clicked okay and saw a screen asking for a pin code. The first five I knew, I entered them and added a '1,' then a '2' and eventually I bumped into the meeting," he told Politico. As Boris Johnson demonstrated in March, it's well worth double-checking Twitter posts to make sure they don't contain anything sensitive.

In brief

Poor show: Well that went well. Like many others, you might have tried to use the UK government's postcode checker to find out the coronavirus restrictions in your area. If you did, you'll know it didn't work (because the servers ran out of memory). Solution? Take the whole site down. Congratulations.

Camera fine: The Belgian data protection regulator has fined a couple €1,500 for using surveillance cameras to film a public road and private property. GBA

Spoofed: Creating fake copies of websites is one of the favourite tricks used by attackers. Now the FBI is warning that its sites are being targeted, with multiple domain names being registered in an attempt to fool users. Password managers will help protect against this technique, because they only fill credentials on the exact domain they were saved for.

Brexit: As the end of the UK's transition period approaches, researchers have warned that UK organisations face costs of up to £1.6 billion if a data sharing agreement with the EU isn't reached. NEF/UCL

Amazon WiFi: Amazon Echo owners in the US are about to be opted into a new service that uses their internet connections to create neighbourhood networks. The idea is to provide resilient connectivity in case of interruptions and to extend coverage for Amazon devices. Initially, 'Sidewalk' will only be available in the US. BBC

Apple: Another reminder that, while Apple's new M1-powered devices may offer excellent performance, that's not much use if they can't run your preferred apps. As Forbes reports, that's often the case. It's also worth bearing in mind that there are rumours that Apple is planning new MacBooks with a completely refreshed design.

Tesla: Researchers in Belgium took just minutes to steal a Tesla Model X by exploiting vulnerabilities in the car’s keyless entry system. The equipment costs about $200. YouTube

MeWe: You may have heard of Parler, which has become a refuge for Trump supporters who have deserted Twitter and Facebook. Now comes MeWe, which has grown even faster with 1.4 million downloads in November. Fortune (R)

Laser: Last year, researchers managed to use laser pointers to remotely control voice assistants, including Amazon Alexa and Google Home. This year, they're planning to show how their technique can be used to take control of security cameras. Intriguingly, while they know the approach works, they have yet to understand why. Dark Reading

Updates

A reminder about the critical importance of installing updates when vulnerabilities are discovered. Last year, Fortinet warned about an issue affecting its Fortinet VPNs - and repeated the warning at regular intervals. Despite this, many systems remained unpatched and the result is a set of stolen credentials for almost 50,000 installations belonging to banks, telecoms, and government organizations around the world. Bleeping Computer

MobileIron: Urgent warning from UK National Cyber Security Centre that state-backed attackers are actively using a vulnerability in the mobile device management solution to access networks across government, healthcare and other sectors. The issue was addressed by an update in June.

VMware: Workarounds published for critical command injection vulnerabilities in Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector products.

Old Windows: Unofficial patch available through ACROS Security’s 0patch service for a previously unknown vulnerability in Windows 7 and Windows Server 2008 R2.

TikTok: Update to address two issues that could have allowed attackers to take over accounts with a single click for users who signed up via third-party apps.
