Hacks & Tips V8

This month’s Hacks & Tips Bulletin places a spotlight on cyber security, reflecting the latest trends in data breaches and hacks.

Data Privacy

The implications of the Blackbaud Ransomware Attack

As discussed last week, Blackbaud asserted that hackers were unable to access encrypted data in the recent ransomware attack, but how many businesses and third-sector organisations have fully understood the risk posed by the compromise of the unencrypted data?

For instance, the compromise of records relating to a person’s donation history could reveal information about their disposable income and their propensity to support good causes. It may also reveal information that the donor would not want HMRC to know!

Under the GDPR, responsibility for making risk-based assessments for the purposes of notifying the ICO or data subjects rests with the data controller, not Blackbaud. Potentially, significant fines could be handed down by the ICO for failing to do so!

The difference between Data Privacy and Data Security

We are not going to reinvent the wheel, instead we will cite an area of this article (https://www.zdnet.com/article/data-privacy-and-data-security-are-not-the-same/) explaining the difference between #DataPrivacy & #DataSecurity:

“This overlap can cause confusion, leaving companies who focus just on data security with the false impression that, by default, data privacy also is protected. This is not the case. Unlike data security, which focuses on protecting an organization’s data from theft or corruption (like during a ransomware attack), data privacy is more granular. To ensure data privacy, organizations must understand, track, and control things like who is authorized to access the data and where the data is stored — in a GDPR-compliant cloud, for example.

A good example of differences between data privacy and data security was the harvesting of 87 million Facebook user profiles by the now-defunct political consulting firm Cambridge Analytica during the 2016-17 US presidential election, said Joshua Kail, a communications consultant who ran agency-side PR for Cambridge Analytica until it shut down in May 2018. Even though the data was secure, Facebook abused its own privacy policy and a 2011 FTC consent decree regarding the use of user data.”

Consumers take to the courts where Supervisory Authorities fail to be proactive

Consumers are taking to the courts when Supervisory Authorities fail to protect the privacy of their data https://www.politico.eu/article/have-a-gdpr-complaint-skip-the-regulator-and-take-it-to-court/.

Marriott International faces a class action in London’s High Court: https://www.theguardian.com/business/2020/aug/19/marriott-international-faces-class-action-suit-over-mass-data-breach

We will explore this in more depth in our next Bulletin.

Cyber Security

The following graph highlights the significant spike in cyber incidents over the last 3 months. These figures only represent reported incidents; the actual numbers will be far higher.

The Botnet resurgence

We frequently hear about high-profile security breaches where an attacker specifically targeted a company to steal information or to damage the business. However, the reality for most organisations is that most cyber-attacks are automated, with the cyber criminal’s favourite weapon being the botnet.

Botnets are networks of remote-controlled computers, or “bots”: computers that have been infected with malware which allows them to be controlled remotely. Some botnets consist of hundreds of thousands, or even millions, of computers. If one or more of your company’s computers is part of a botnet, it is infected with this type of malware. The bot contacts a remote server, or simply gets in touch with other nearby bots, and waits for instructions from whoever is controlling the botnet. This allows an attacker to direct a large number of computers for malicious purposes.

Computers in a botnet may also be infected with other types of malware, like keyloggers that record your financial information and send it to a remote server, or ransomware that may be triggered at a later point in time. What makes a computer part of a botnet is that it is being controlled remotely along with many other computers. The botnet’s creators can decide what to do with the botnet later, direct the bots to download additional types of malware, and even have the bots act together.

Botnet malware is designed to self-replicate

Botnets primarily use e-mail to infect a host and then to self-perpetuate. Emotet, a botnet strain active since 2014 and one of the most prolific botnets on the internet at the moment, relies on the victim clicking a link or opening an attachment in a phishing e-mail to infect the victim’s computer.

Tip: Employee security awareness remains the first defence against being infected by malware through phishing e-mails. Make sure your staff are aware of the risk and are trained to spot and deal with phishing e-mails appropriately.

Apart from installing various other strains of malware, Emotet also harvests the victim’s e-mail contacts and e-mail content, which is then used to automatically craft and send believable phishing e-mails to a new set of victims, thereby self-perpetuating the malware.

It also harvests any saved usernames and passwords in the user’s web browser, which it relays to the botnet controller. These credentials are often sold on the darknet and may lead to all manner of accounts being compromised, including any personal accounts the victim may have accessed using the infected computer.

Tip: do not rely on browser-saved passwords for business or cloud accounts. Use a password manager, insist on a unique password per service and enable multi-factor authentication, so that harvested credentials alone are not enough to log in. Treat every credential stored on an infected machine as compromised and reset it.

Emotet will also reach out to other computers on the victim’s network, for example the office or home network, to find other vulnerable computers to infect.

Tip: make sure your user’s devices are always up to date with the latest security patches. Encourage users to follow this practice for their home networks as well, particularly where staff now routinely work from home.

IT / Security teams should be cognisant of both ingress and egress of connections and data.

Tip: Malware can remain dormant for significant periods of time before the attacker takes any malicious action. During this time, it is the egress of information to the command-and-control (C2) server that is indicative of compromise. Don’t be an organisation that becomes so focused on perimeter security that it overlooks the data which could reveal an existing compromise.
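As an added example (not part of the bulletin), the Python script below shows one way to spot that egress pattern in proxy or firewall logs: malware polling its C2 server tends to connect to the same destination at near-regular intervals with near-identical payload sizes, and the script scores exactly that regularity. The log format, the addresses and the log lines themselves are constructed for the illustration.

```python
"""Flag hosts whose outbound connections to one destination recur at near-regular
intervals with near-constant size (beaconing), a common sign of dormant malware
polling its C2 server. Added illustration, not part of the bulletin; the log
format and the log lines below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/firewall log lines in a hypothetical
# "timestamp src_ip dst_ip bytes_out" format.
SAMPLE_LOG = """\
2020-09-01T09:00:00 10.0.0.12 203.0.113.7 412
2020-09-01T09:00:04 10.0.0.12 198.51.100.20 18322
2020-09-01T09:05:01 10.0.0.12 203.0.113.7 410
2020-09-01T09:10:00 10.0.0.12 203.0.113.7 415
2020-09-01T09:15:02 10.0.0.12 203.0.113.7 409
2020-09-01T09:20:01 10.0.0.12 203.0.113.7 413
2020-09-01T09:25:00 10.0.0.12 203.0.113.7 411
2020-09-01T09:01:10 10.0.0.33 198.51.100.20 51200
2020-09-01T09:07:45 10.0.0.33 198.51.100.21 2301
2020-09-01T09:22:03 10.0.0.33 198.51.100.20 77311
2020-09-01T09:40:19 10.0.0.33 198.51.100.22 911
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return {(src, dst): [(timestamp, bytes_out), ...]}, each list sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, nbytes = m.groups()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for events in flows.values():
        events.sort()
    return flows


def find_beacons(flows, min_events=5, max_jitter=0.1, max_size_cv=0.25):
    """Return [(src, dst, median_gap_seconds)] for src->dst pairs whose gaps between
    connections and whose payload sizes are both unusually regular.
    - max_jitter:  allowed stdev/median of the gaps between consecutive connections
    - max_size_cv: allowed stdev/mean of bytes sent per connection
    Interactive browsing has irregular gaps and sizes; a polling bot does not."""
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        med_gap = statistics.median(gaps)
        if med_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / med_gap
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            hits.append((src, dst, med_gap))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{gap:.0f}s")
```

On the constructed data only 10.0.0.12 -> 203.0.113.7 is reported (six connections roughly 5 minutes apart, all around 410 bytes); the other host’s traffic is irregular in both timing and size and is ignored. In production the thresholds need tuning against your own baseline, and the same scoring is worth running on DNS query logs, since many bots beacon through DNS.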

Botnets also target Cloud services

Tip: the most effective way to protect your cloud services from these types of attacks is to enable two-step verification for all user accounts, also known as multi-factor authentication or MFA. All major Cloud services now offer this type of functionality, and it should therefore be turned on wherever this is available.

The move to cloud services has not gone unnoticed by malware writers. Botnets such as Emotet are often directed to try to break into Microsoft 365 and Google Mail user accounts, either through ‘password spray’ attacks conducted over many months, trying a few common passwords against a large number of accounts to stay below lockout thresholds, or by using valid user credentials harvested through other malware or phishing attacks.
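To show what a password spray looks like in sign-in logs, here is an added Python example (not from the bulletin, and not a vendor tool): it flags a source address that fails against many distinct accounts while keeping every account below a lockout-style cap, and lists any account that then signed in successfully from the same source. The log format and all entries are constructed.

```python
"""Detect password-spray attempts in cloud sign-in logs: one source trying a few
passwords against many distinct accounts, each kept below the lockout threshold.
Added illustration, not part of the bulletin; the log format ('timestamp user
source_ip result') and every line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = """\
2020-09-02T02:00:01 alice@example.org 203.0.113.50 FAILURE
2020-09-02T02:00:09 bob@example.org 203.0.113.50 FAILURE
2020-09-02T02:00:17 carol@example.org 203.0.113.50 FAILURE
2020-09-02T02:00:25 dave@example.org 203.0.113.50 FAILURE
2020-09-02T02:00:33 erin@example.org 203.0.113.50 FAILURE
2020-09-02T02:00:41 frank@example.org 203.0.113.50 FAILURE
2020-09-02T02:31:02 alice@example.org 203.0.113.50 FAILURE
2020-09-02T02:31:10 bob@example.org 203.0.113.50 FAILURE
2020-09-02T02:31:18 erin@example.org 203.0.113.50 SUCCESS
2020-09-02T08:15:40 alice@example.org 198.51.100.9 FAILURE
2020-09-02T08:15:52 alice@example.org 198.51.100.9 FAILURE
2020-09-02T08:16:03 alice@example.org 198.51.100.9 FAILURE
2020-09-02T08:16:20 alice@example.org 198.51.100.9 FAILURE
2020-09-02T08:16:41 alice@example.org 198.51.100.9 SUCCESS
2020-09-02T09:02:11 bob@example.org 192.0.2.77 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


def parse_signins(text):
    """Return a time-sorted list of (timestamp, user, source_ip, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), user.lower(), ip, result))
    events.sort()
    return events


def find_password_sprays(events, window=timedelta(hours=1), min_users=5, per_user_cap=3):
    """Return {source_ip: {"targets": n, "window_start": ts, "successes": [users]}}
    for every source that failed against >= min_users distinct accounts inside one
    window without exceeding per_user_cap failures for any single account: the
    low-and-slow pattern that slips under per-account lockout policies. A user
    mistyping their own password many times (one account, many failures) is not
    reported, which is what distinguishes a spray from a brute force."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    sprays = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        # slide a window over the (already time-sorted) failures from this source
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e[1]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= per_user_cap:
                end = in_window[-1][0]
                # any account that then logged in from the same source is the one to reset
                successes = sorted({e[1] for e in evs
                                    if e[3] == "SUCCESS" and start <= e[0] <= end + window})
                sprays[ip] = {"targets": len(per_user), "window_start": start,
                              "successes": successes}
                break
    return sprays


if __name__ == "__main__":
    for ip, info in find_password_sprays(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"password spray from {ip}: {info['targets']} accounts targeted from "
              f"{info['window_start']}; successful sign-ins: {info['successes'] or 'none'}")
```

On the constructed log, 203.0.113.50 is reported (six accounts, at most two failures each, then a successful sign-in as erin@example.org), while 198.51.100.9, a single user failing four times before getting in, is not. Note that the spray succeeded against a valid password; this is precisely the case in which multi-factor authentication, as recommended above, is what stops the attacker from actually using the account.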

If the botnet successfully breaks into a user’s Cloud service account, it will replicate contacts and e-mails and use this information to self-perpetuate through phishing e-mails.

The link between Botnets and Business E-mail Compromise

Tip: if you are unlucky enough to suffer a Business Email Compromise in which a legitimate user’s account was used to perpetrate the attack, always investigate how the attacker obtained the user’s login details. This may indicate that you are the target of a botnet, or that one of your computers has been compromised and is already part of one.

Conclusion

Botnets are the scourge of the internet, and a threat that most organisations using the internet as part of their day-to-day business fall foul of at some point. Make sure you are not an easy target, as botnets are indiscriminate in the victims they attack.

The National Cyber Security Centre (NCSC) stated 2 weeks ago, “Doing nothing is no longer an option – raise your cyber defences!” https://www.ncsc.gov.uk/guidance/white-papers/common-cyber-attacks-reducing-impact

Information Security

Social Media account takeovers by Cyber Extortionists

In mid-August, a small company in the South-East of England had their Instagram account hacked and taken over by a cyber-criminal. The company had spent 7 years building up around 29,000 followers on the social media platform, and it formed an integral part of their marketing strategy.

Shortly after the account was hacked, the company received a disturbing message from the attacker: if they did not pay a ransom within 2 hours, the account would be systematically deleted. The company refused to pay and notified Instagram of the compromise. The attackers were true to their word and deleted the account, and unfortunately it may not be recoverable by Instagram.

Ultimately, the company did the right thing by not engaging with the hackers, as there’s no guarantee of getting the account back, the money will be used to fund further crime, and it will paint a big target on the company’s back as a ‘payer’.

It is impossible to put a monetary value on the loss of a social media account, however, in today’s world it is a key ingredient in the marketing strategy for most organisations and deserves to be protected from this type of threat.

Tip: use strong, unique passwords for your social media accounts and, where available, two-step verification (two-factor authentication) to access these platforms. Do not reuse credentials across different social media platforms. Where you use third parties to manage your social media presence, make sure their security practices are sufficient to protect the accounts from takeover.

A recent study found that a third of small and medium-sized German companies have been victims of industrial espionage (https://www.dw.com/en/germany-third-of-small-and-mid-sized-companies-have-been-hacked/a-46617555). If your organisation is at risk of a targeted attack or industrial espionage, discourage your employees from using social media, or at least from sharing details of their role on it: targeted phishing, smishing and voice-phishing attacks (as in the Twitter case below) tend to be more successful when cyber-criminals can first harvest social media data.

What can we learn from the Twitter Hack?

Background

In mid-July, Twitter revealed that crackers had used a technique called “phone spear phishing” to target the accounts of 130 people, including CEOs, celebrities and politicians. The crackers successfully took control of 45 accounts and used them to send tweets promoting a basic bitcoin scam. The hackers, Twitter wrote in a post-mortem blog post about the incident, had called up Twitter staffers using false identities and tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.

But Twitter is not the only organisation to have been affected by this clever scam. Dozens of companies including banks, cryptocurrency exchanges, and web-hosting firms amongst other industries have been hit by these social engineering attacks.

The Threat:

  • These young, English-speaking crackers do their research, scraping intel from social media including LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees (some starting their very first day on the job) and convincingly impersonate IT staff to trick them.
  • With so many employees still working remotely, social engineering has become a more powerful attack tool.
  • Many organisations are not prepared for these types of well-coordinated attacks.
  • The crackers typically use a VoIP service that allows them to spoof a trusted phone number, for example that of the organisation’s IT provider.

This video demonstrates just how easy it is:

https://www.youtube.com/watch?v=PWVN3Rq4gzw

Actions:

  • Train your staff, from executives and personal assistants to IT support and admin, and do it regularly to build a cyber and information security aware culture.
  • Control information leakage: if your organisation is at high risk, adopt an acceptable-use policy for social media and be clear about what information employees may share. Conduct a cyber security risk assessment against your overall social media strategy.
  • Ensure that no single employee holds excessive privileged access to admin accounts, confidential or sensitive information, or intellectual property, so that one deceived employee cannot hand over the keys to everything.

Uber ex-security boss accused of covering up cyber-attack

Uber suffered a data breach in 2016 that exposed the details of 57 million Uber drivers and passengers. Uber admitted to paying a group of hackers $100,000 to delete the stolen data. The breach and ransom payment were covered up and only revealed in 2017, leading Uber to pay $148 million to settle claims by all 50 US states. The Chief Security Officer was fired and is now facing criminal charges of obstruction of justice on the basis of his approval of the payment to the hackers and its disguise as a “bug bounty” reward, the kind of payment normally used to reward security researchers who disclose vulnerabilities so they can be fixed.

Whilst the security breach above took place in the US, there are lessons to be learnt from this incident for all company senior staff. If you suspect a security breach, make sure that it is investigated thoroughly so the full extent of the incident can come to light. Do not try to hide the security breach – it has happened and needs to be dealt with in a responsible manner by the organisation. Any judgement will consider how the company dealt with the incident and the steps it has taken to minimise the impact and prevent re-occurrence.

Cyber security attacks occur daily, and becoming a victim is no longer a remote possibility. Make sure your organisation is prepared to face an incident through tested response plans, clear roles and responsibilities and unwavering resolve to address the incident head-on.

If you would like any help with Business Continuity, Data Privacy or Cyber or Information Security or need help with Incident Response and Forensics, please contact us:

CONTACT US

Call: 44 (0) 20 7566 4000

Email: info@clearcomm.org

Web: clearcomm.org
