FFT news digest Sep 23 2022

Uber

We said that last week's breach of Uber's internal systems looked bad and it was. In fact, the details that have since emerged are truly gruesome - but they do provide some great cautionary lessons.

What happened
Uber has been reticent about exactly what happened, but it's clear that the attacker accessed much, if not most, of Uber's critical IT infrastructure, including its Amazon Web Services, Slack and G Suite accounts, its security dashboards and its bug bounty platform. Uber says a contractor's account was compromised, probably after one of the contractor's devices was infected with malicious software that harvested their credentials. The attacker then, Uber believes, bought the stolen password on the dark web and made repeated attempts to log in to the contractor's account. The account was protected by push-style two-factor authentication, so each attempt generated an approval request on the contractor's device, and it appears the contractor eventually approved one, probably just to stop the stream of prompts. The technique is known as MFA fatigue or push bombing. Two points are worth underlining: a push prompt is only ever generated after a correct password, so a burst of unexpected prompts already tells you the password is in someone else's hands; and a prompt that simply asks "approve?" proves nothing about who is sitting at the keyboard.
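
The pattern in Uber's account (a run of prompts that nobody at the keyboard initiated, followed by a single approval) is easy to catch in authentication logs. The following is an added example, not Uber's or any identity provider's code; the JSON-lines log format, the field names and the sample log lines are constructed for the illustration, and the window and threshold values are assumptions to tune against your own data.

```python
"""MFA push-bombing detector run over constructed authentication logs.

Added example, not Uber's or any identity provider's code. The JSON-lines
log format below is an assumption chosen for the example; map it to your
own IdP's fields (most providers export equivalent prompt/approval events).
"""
import json
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 600     # look-back window before an approval (assumed)
PROMPT_THRESHOLD = 5     # this many prompts in the window is not a user fumbling (assumed)

# Constructed sample log: "contractor1" receives seven prompts in five minutes
# from one unfamiliar IP and finally approves; "alice" is a normal login.
SAMPLE_LOG = """\
{"ts":"2022-09-15T22:01:10Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:02:05Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:02:50Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:03:00Z","user":"alice","event":"push_sent","ip":"192.0.2.10"}
{"ts":"2022-09-15T22:03:20Z","user":"alice","event":"push_approved","ip":"192.0.2.10"}
{"ts":"2022-09-15T22:03:40Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:04:00Z","user":"bob","event":"login_failed","ip":"203.0.113.8"}
{"ts":"2022-09-15T22:04:30Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:05:20Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:06:15Z","user":"contractor1","event":"push_sent","ip":"198.51.100.23"}
{"ts":"2022-09-15T22:06:40Z","user":"contractor1","event":"push_approved","ip":"198.51.100.23"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_push_bombing(events, window=WINDOW_SECONDS, threshold=PROMPT_THRESHOLD):
    """Flag approvals preceded by at least `threshold` prompts within `window` seconds.

    A push prompt is only generated after a correct password, so a burst of
    prompts already means the password is compromised; the approval is what
    turns that into an account takeover, which is why the alert fires there.
    """
    pending = defaultdict(list)   # user -> prompts not yet resolved by an approval
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "push_sent":
            pending[user].append(e)
        elif e["event"] == "push_approved":
            recent = [p for p in pending[user]
                      if (e["ts"] - p["ts"]).total_seconds() <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "prompts": len(recent),
                    "source_ips": sorted({p["ip"] for p in recent}),
                    "first_prompt": recent[0]["ts"].isoformat(),
                    "approved_at": e["ts"].isoformat(),
                })
            pending[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log it reports one alert, for contractor1, with seven prompts from a single source address before the approval. In practice the prompt burst alone deserves a password reset, whether or not an approval ever follows.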

The lessons
The fact that Uber went on a hiring spree following the incident might raise questions about the security resources it had in place prior to the attack. After all, this isn't its first major breach (indeed it's accused of trying to cover up a huge incident in 2016). But the key lesson centres on multi-factor authentication (MFA). We are firm believers in the importance of implementing this, while recognising that it's not a magic bullet. Indeed, as it has become more widely used, attackers have become increasingly adept at defeating it. The bottom line is that any form of MFA is better than nothing, but only phishing-resistant implementations, such as FIDO2/WebAuthn security keys or certificate-based smart cards, hold up against the tricks that defeated Uber, because they bind the second factor to the genuine site and require a deliberate physical action rather than a tap on a prompt. Where push approval stays in use, number matching (the user types a code shown on the login screen into the app) blunts the fatigue attack, and staff should be told that a prompt they did not initiate is something to report, not something to clear. KnowBe4 has a detailed article on the subject and maintains a list of "phishing-resistant" solutions.

Epidemic
We would urge organisations to take this threat seriously. Just this week, news emerged of multiple organisations falling victim to data breaches. They include American Airlines, the makers of Grand Theft Auto, and the financial technology company, Revolut. The group claiming responsibility for the attack on Uber has been linked to similar incidents at Microsoft, Samsung, Cisco and Okta. Above all, it's absolutely essential that everyone understands the risks attached to poor password security. 

Threats

Phishing: The latest data on phishing reveal a new record, with increases in the amount of Business Email Compromise and attacks involving social media, voice calls and text messages. The figures for the second quarter of this year show a four-fold increase compared to early 2020. This risk really shouldn't be underestimated. Anti-Phishing Working Group

Energy: The UK’s National Cyber Security Centre (NCSC) has warned that fraudsters are sending emails and SMS texts urging homeowners to sign up for a discount on their energy bills.

Zoom: Watch out for fake Zoom sites. They're being used to fool users into downloading malicious software that can steal banking data, IP addresses, and other information. Cyble

Typosquatting: Lookalike web addresses are a substantial risk, as analysis of the Sniffies dating site has shown. A researcher found 50 examples that were simple spelling variations. Malwarebytes
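
The "simple spelling variations" the researcher found are the output of a handful of mechanical edits to the genuine name, and a defender can generate the same list to register or monitor. The block below is an added example, not Malwarebytes' or the researcher's tooling: it generalises the Sniffies case to any registrable domain, and the ALT_TLDS watch-list and the homoglyph table are assumptions chosen for the illustration.

```python
"""Generate lookalike domains of the kind found in the Sniffies analysis.

Added example, not Malwarebytes' tooling. The variant classes are the usual
typosquatting ones (omission, repetition, transposition, replacement,
hyphenation, homoglyph, TLD swap); ALT_TLDS and HOMOGLYPHS are assumed lists.
"""
import string

ALT_TLDS = ("co", "net", "org", "info")                      # assumed watch-list
HOMOGLYPHS = {"m": "rn", "w": "vv", "l": "1", "o": "0", "i": "l", "d": "cl"}


def typo_variants(domain, tlds=ALT_TLDS):
    """Return the set of lookalikes for a registrable domain such as 'example.com'."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                         # omission
        names.add(name[:i] + ch + ch + name[i + 1:])               # repetition
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
        if i > 0:
            names.add(name[:i] + "-" + name[i:])                   # hyphenation
        for c in string.ascii_lowercase:
            if c != ch:
                names.add(name[:i] + c + name[i + 1:])             # replacement
        if ch in HOMOGLYPHS:
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])    # homoglyph
    # drop the empty string and the genuine name itself, then re-attach the TLD
    variants = {n + "." + tld for n in names if n and n != name}
    variants |= {name + "." + t for t in tlds if t != tld}        # TLD swap
    return variants


def is_lookalike(candidate, domain):
    """True if `candidate` is one edit (or a TLD swap) away from `domain`."""
    return candidate.lower() in typo_variants(domain)


if __name__ == "__main__":
    found = typo_variants("example.com")
    print(len(found), "lookalikes, e.g.", sorted(found)[:8])
```

Feed the output to a daily WHOIS or certificate-transparency lookup and alert when one of the names becomes registered or gets a certificate; that is the check the Sniffies finding argues for.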

Pirates: A reminder to avoid pirated copies of software and games. They're being used to distribute a tool that can steal users’ browser credentials, harvest recent online activity and hijack browser searches to display ads. VMware

Newsfeeds: A malicious advertising campaign is using the news feed in Microsoft's Edge browser to redirect users to technical support scams. Malwarebytes

LinkedIn: A campaign in Slovakia is exploiting a LinkedIn Premium feature called Smart Links to direct users to a phishing page that harvests credit card information. The link is embedded in an email that purports to be from the country's postal service. Cofense

Telegram: Wired explores what it calls Telegram's "doxxing problem." It says the nature of the platform makes it easy for users to crowdsource attacks by posting a target and encouraging followers to find or share private information about them.

Credential stuffing: This type of attack takes advantage of people reusing the same password across multiple sites. Once a password leaks from one site, attackers replay it, with automated tooling and at scale, against accounts on other sites. It's become so widespread that in some countries, credential stuffing exceeds legitimate login attempts. It's absolutely essential not to reuse passwords, and services should refuse passwords that already appear in breach corpora. Okta
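
Because stuffing only works with passwords that have already leaked, the standard defensive check is to test a candidate password against a corpus of breached ones without sending the password itself anywhere. The block below is an added example, not Okta's code: it implements the k-anonymity range query used by the public Pwned Passwords API (only the first five hex characters of the SHA-1 hash leave the client), and includes a constructed offline stand-in for the server so it runs without network access. The corpus and its counts are invented for the illustration.

```python
"""Breached-password check via a k-anonymity range query.

Added example, not Okta's code. The client sends the first five hex characters
of SHA-1(password) and matches the remaining 35 locally, so neither the
password nor its full hash leaves the machine. RANGE_API is the real public
endpoint; FakeRangeServer and CONSTRUCTED_CORPUS are offline stand-ins.
"""
import hashlib
import urllib.request
from collections import defaultdict

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed corpus for the offline server; the counts are invented.
CONSTRUCTED_CORPUS = {"password": 3861493, "123456": 23547453, "letmein": 218478}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries have count 0."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times `password` appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live fetch; not called in the offline run below."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class FakeRangeServer:
    """Offline stand-in for the range endpoint, built from a constructed corpus.

    It records every prefix it is asked for so the test can confirm that only
    5-character prefixes, never full hashes, were sent.
    """

    def __init__(self, corpus):
        self.buckets = defaultdict(list)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.buckets[h[:5]].append(f"{h[5:]}:{count}")
        self.requests = []

    def fetch(self, prefix: str) -> str:
        self.requests.append(prefix)
        return "\r\n".join(self.buckets.get(prefix, []))


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("password", "a-long-unique-passphrase-9f3k"):
        print(candidate, "->", breach_count(candidate, server.fetch))
    print("prefixes sent:", server.requests)
```

Swap `server.fetch` for `fetch_range_http` to query the live service; the request shape is the same. A non-zero count is grounds to reject the password at registration or force a change at next login.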

Threat analysis

VMware's respected annual threat report highlights ransomware and lateral movement as key issues, while warning that security teams are experiencing burnout because of the pressures they face. Lateral movement is key, VMware says, because the technique takes advantage of a "troubling" lack of visibility into cloud storage platforms. Its report draws on feedback from 125 security and incident response experts, 65% of whom say attacks have increased since Russia invaded Ukraine. More positively, 87% reported being able to disrupt cyber attacks sometimes or very often. The report provides a vivid picture of the ongoing battle between attackers and defenders and, more importantly, captures the key threats that we should all consider.

Incident report

Attacks are inevitable, so the key is how an organisation responds to them. This week, LastPass provided an example of how it should be done. The password manager company was breached last month when attackers gained access to its development environment and stole some source code. In its report, LastPass admits what it doesn't know, including the precise way one of its developer's endpoints (i.e. computer, phone or tablet) was compromised. It provides reassurance that its live environment wasn't affected (because of physical separation) and explains why it's confident no user passwords were compromised (because it doesn't have access to them). 

In brief

Old drives: Morgan Stanley is to pay a $35 million fine after leaving sensitive customer information on hard drives that were sold at auction. The information was unencrypted. (Morgan Stanley's profits for the three months to June were $12 billion.)

Glasses: Researchers from the US and China have demonstrated that wearing glasses on a video call can reveal sensitive information through reflections in the lenses.

TikTok: 33% of users say they regularly get their news from TikTok. In 2020, the figure was 22%. Pew Research Center

Denmark: The Danish Data Protection Agency has concluded that Google's web analytics tool cannot be used lawfully without implementing supplementary measures to protect people's personal data. Otherwise, it says organisations must stop using it.

Domain shadowing: This is the practice of compromising a legitimate domain's registrar or DNS account and quietly adding malicious subdomains beneath it, which inherit the parent domain's reputation and are used to fool users and filters. Palo Alto Networks says the practice is unexpectedly widespread and domain owners should regularly check their DNS records against a known-good baseline.
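
The check Palo Alto Networks recommends amounts to diffing the live zone against what you expect to be there. The block below is an added example, not Palo Alto's tooling: it parses a zone-file dump and reports hostnames and records that are absent from a baseline. The zone text, the baseline and the hostnames are constructed for the illustration, and the parser is deliberately simplified (one record per line, no parenthesised multi-line records).

```python
"""Audit a DNS zone dump for shadow records not present in a baseline.

Added example, not Palo Alto Networks' tooling. CONSTRUCTED_ZONE and BASELINE
are invented for the illustration; the parser handles the common one-line
record shape (owner [ttl] [class] type rdata) plus $ORIGIN, and skips SOA
because its serial changes legitimately.
"""

# Constructed zone dump: two added hosts and one changed address.
CONSTRUCTED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1 hostmaster 2022092301 7200 3600 1209600 300
@        IN NS    ns1
@        IN A     192.0.2.10
ns1      IN A     192.0.2.53
www      IN CNAME @
mail     300 IN A 198.51.100.25       ; baseline says 192.0.2.25
login-secure IN A 198.51.100.77       ; not in the baseline
cdn      IN CNAME static.not-our-infra.invalid.   ; not in the baseline
"""

# Known-good records: owner -> {(type, rdata), ...}; all names fully qualified.
BASELINE = {
    "example.com.": {("NS", "ns1.example.com."), ("A", "192.0.2.10")},
    "ns1.example.com.": {("A", "192.0.2.53")},
    "www.example.com.": {("CNAME", "example.com.")},
    "mail.example.com.": {("A", "192.0.2.25")},
}


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, relative names get the origin appended."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return a list of (owner, type, rdata) tuples with owners fully qualified."""
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            if not origin.endswith("."):
                origin += "."
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        parts = line.split()
        owner = last_owner if line[0].isspace() else parts.pop(0)  # blank owner = previous
        while parts and (parts[0].isdigit() or parts[0].upper() in ("IN", "CH", "HS")):
            parts.pop(0)                          # optional TTL and class
        rtype = parts.pop(0).upper()
        rdata = " ".join(parts)
        if rtype in ("CNAME", "NS"):
            rdata = fqdn(rdata, origin)           # targets are names, qualify them too
        owner = fqdn(owner, origin)
        last_owner = owner
        records.append((owner, rtype, rdata))
    return records


def audit(records, baseline, ignore=("SOA",)):
    """Split deviations into hosts the baseline has never heard of and changed records."""
    new_hosts, changed = set(), []
    for owner, rtype, rdata in records:
        if rtype in ignore:
            continue
        if owner not in baseline:
            new_hosts.add(owner)
        elif (rtype, rdata) not in baseline[owner]:
            changed.append((owner, rtype, rdata))
    return {"new_hosts": sorted(new_hosts), "changed": changed}


if __name__ == "__main__":
    result = audit(parse_zone(CONSTRUCTED_ZONE), BASELINE)
    print("unexpected hosts:", result["new_hosts"])
    print("changed records:", result["changed"])
```

On the constructed zone this flags `cdn` and `login-secure` as hosts the baseline never contained and `mail` as a changed address. A new hostname pointing outside your own address space is the shadowing signature; run the audit from a zone transfer or the registrar's export, not from resolver queries, since you cannot enumerate subdomains you do not know about.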

Deepfake audio: Researchers have come up with a way to detect fake audio. It involves creating a model of a real 'vocal tract' and analysing whether the audio in question could have been created by it. The Conversation

IRL: Brian Krebs has the story of how cybercrime bleeds into real life. A Florida teenager working for a cryptocurrency crime group was kidnapped by a rival gang. It beat him up and held a gun to his head while demanding a $200,000 ransom. This is far from unique. As Motherboard reports, members of SIM swapping groups have graduated from hijacking phone numbers to offering to assault targets in return for payment. (A "full" beating resulting in the victim coughing up blood goes for $1,000.)

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217