Category: NCSC

CCleaner supply chain compromise

A version of the widely used utility software CCleaner has reportedly been delivering malware via a recent software update. This tactic of targeting through supply chains, exploiting the trust between consumers and suppliers, provides wide scope for infection, as illustrated by the case of NotPetya malware which spread via Ukrainian accounting software.

Avast, the parent company of CCleaner developers Piriform, initially reported that 2.27 million…

Link: Weekly Threat Report 22nd September 2017
Source: NCSC Reports

Android app malware

According to IT security company Check Point, as many as 36 million Android devices may have been infected with ad-click malware. The malware, dubbed Judy, is reported to have been present in approximately 50 apps in Google’s play store, but the total number of infections cannot be accurately determined as it is not known for how long the apps have been malicious.

Those responsible generate money through ad-clicks – in this instance Judy silently imitated a…

Link: Weekly Threat Report 2nd June 2017
Source: NCSC Reports

Polish banks in watering hole attack

The Polish financial sector has been hit by what is being described as the most serious incident in the history of Polish banking. A web server of the Polish financial regulator Komisja Nadzoru Finansowego (KNF) was probably compromised in early October 2016, but it wasn’t until early February that Polish banks noticed unusual network activity and unauthorised files on several workstations. Investigations revealed that the KNF website had been used…

Link: Weekly Threat Report 13th February 2017
Source: NCSC Reports

Threat assessment and trend analysis

 

Dresscode Masquerading as Legitimate Android App

Risk of Trojanised Android apps

A family of mobile malware known as ‘Dresscode’ has been masquerading as legitimate Android apps since April, according to cybersecurity researchers. Over 3000 apps with embedded Trojans, including games, skins and phone optimisation tools, have been identified on sale from Android app stores, including 400 in the Google Play store alone.

How dresscode works

Once…

Link: Weekly Threat Report 10th October 2016
Source: NCSC Reports

Meltdown and Spectre – Updated Advice

Malware making use of Meltdown and Spectre, the two CPU vulnerabilities highlighted back in January, is now being seen in the wild. Security researchers are reporting they have seen over 140 malware samples based on the proof of concept code. Whilst there have not been instances of Meltdown and Spectre actually being leveraged to compromise a system, it is a timely reminder that miscreants will take published security vulnerabilities and weaponise…

Link: Weekly Threat Report 9th February 2018
Source: NCSC Reports

Executive summary

On 15 August 2016, CERT-UK was made aware of a list of exploits posted online. These exploits are targeted at vulnerabilities in software found in Cisco switches, routers and firewall products, Fortinet’s Fortiguard, Watchguard and TopSec. Whilst Fortninet and Watchgaurd determined the vulnerabilities were patched years ago, of the two Cisco vulnerabilities, one has been confirmed as a zero-day.

Vulnerabilities – Cisco

The two vulnerabilities affecting Cisco…

Link: Multiple vulnerabilities in various products
Source: NCSC Alerts

Phishing scam targeting UK university students

Media reporting earlier this month highlighted a warning by Action Fraud of a phishing campaign against university students. The scam involves fake emails claiming that the Student Loans Company have suspended the victim’s account. Victims are asked to provide credentials and bank account details, which is used to carry out identity theft and fraud. 

Cyber criminals often seek to exploit seasonal events, such as the start of…

Link: Weekly Threat Report 15th September 2017
Source: NCSC Reports

Russian government reaction to cyber criminals

This week Russia revealed it had arrested a cyber crime gang in November last year for a campaign that raised nearly USD900, 000. The gang was nicknamed ‘Cron’ after the malware it used, which infected over a million Android mobile devices of Russian bank customers. Users unwittingly downloaded the malware via fake mobile banking apps, pornography and e-commerce programmes. The ‘Cron’ gang exploited a Russian bank service…

Link: Weekly Threat Report 26th May 2017
Source: NCSC Reports

Shamoon 2

The Saudi Arabian Government warned on 23 January that the destructive wiper malware Shamoon 2 had been detected on its government networks.

Shamoon 2 is an updated version of Shamoon, the disk-wiping malware that disabled thousands of computers at Saudi state-linked energy company Saudi Aramco in 2012.

The Saudi authorities are reporting on these latest compromises publicly and have provided reassurance that the damage is currently limited and mitigation is in place.

The re-…

Link: Weekly Threat Report 3rd February 2017
Source: NCSC Reports

Threat assessment and trend analysis

Yahoo Data Breach largest on record 

The scale of the 2014 Yahoo data breach has been exposed as Yahoo have confirmed that over 500 million accounts have been compromised. Data leaked includes names, email addresses, telephone numbers, dates of birth and encrypted passwords and is believed to be the biggest public breach of personal data ever recorded. Yahoo have stated that the attack was “state-sponsored”, although this has been…

Link: Weekly Threat Report 29th September 2016
Source: NCSC Reports