Category: NCSC

New banking trojan discovered

Security researchers have discovered a new trojan targeting customers of banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites. Known as IcedID, the malware uses web browser manipulation techniques to trick users into entering their login credentials and payment authorisation details into malicious webpages. The malware affects systems infected by the highly persistent Emotet banking trojan that hijacks computers to form…

Link: Weekly Threat Report 17th November 2017
Source: NCSC Reports

NotPetya’s continuing impact on businesses

Businesses that fell victim to the NotPetya ransomware attack in June are warning of financial consequences and continuing disruption.

The potential impacts of a cyber breach to business have long been known: they may include lost sales, share price declines, reputational damage, regulatory fines for data losses, and clean-up costs. Businesses usually quote one large estimate when commenting on a cyber breach’s cost. However, in NotPetya…

Link: Weekly Threat Report 28th July 2017
Source: NCSC Reports

Criminals target US healthcare sector

The cyber division of the FBI recently issued an alert warning of criminal activity targeting File Transfer Protocol (FTP) servers operating in ‘anonymous’ mode, associated with the US medical and dental facilities.

The criminals involved are reportedly motivated by the potential to access protected health information (PHI) and personally identifiable information (PII). This data is then used by criminals to extort healthcare business owners…

Link: Weekly Threat Report 31st March 2017
Source: NCSC Reports

Mirai targets router vulnerability

On Sunday 27th November 900,000 Deutsche Telekom customers were impacted by an attack from an adapted version of the Mirai worm. The attack resulted in customers being unable to connect to the Internet. This was followed by reports on Thursday 1st December that 100,000 Post Office customers had been similarly impacted as were UK customers of the Internet Service Provider (ISP) TalkTalk. The attack used the Mirai code, which scans and comprises IoT devices…

Link: Weekly Threat Report 2nd December 2016
Source: NCSC Reports

Increase in HTTPS phishing attacks

Over the past few years website owners have been encouraged to adopt HTTPS website domains rather than HTTP. With HTTPS, data in transit is encrypted; this provides additional security for transiting data, such as login credentials, which may contain information of use to attackers.

HTTPS domains are verified by SSL Certificate Authorities, who issue and authenticate certificates. The padlock symbol in the URL field links to the certificate provider’s…

Link: Weekly Threat Report 15th December 2017
Source: NCSC Reports

Recent data breaches: GWR and Sodexo

Great Western Rail has advised customers to change their passwords after unauthorised attempts to access GWR.com accounts. The attack likely used password data harvested from other areas of the internet. GWR confirmed that around 1,000 users have been directly affected.

Separately, the facilities management company Sodexo confirmed a targeted attack on its cinema voucher platform Filmology. As the breach resulted in unauthorised access to payment card…

Link: Weekly Threat Report 13th April 2018
Source: NCSC Reports

Dating apps may put users’ personal data at risk

Researchers at Kaspersky Labs report that several popular online dating apps suffer from vulnerabilities in securing personal data. Users may be at risk of being deanonymized with their locations trackable and personally identifiable information (PII) in danger of being intercepted. Attackers could use the data for a variety of malicious purposes.

Poor security during data transmission is a common problem. For example, some apps upload…

Link: Weekly Threat Report 10th November 2017
Source: NCSC Reports

New SMB protocol exploit effective against most windows operating systems 

An EternalSynergy based exploit has now been developed which can compromise newer (unpatched) versions of Windows. The original ETERNALSYNERGY exploit released by The Shadow Brokers in April exploited an SMB protocol vulnerability, CVE-2017-0143, to allow attackers to inject code onto Windows machines but only worked on versions up to Windows 8.

A security researcher has now modified and upgraded ETERNALSYNERGY…

Link: Weekly Threat Report 21st July 2017
Source: NCSC Reports

Yahoo breach indictments

The FBI has indicted four individuals for unauthorised access to Yahoo’s networks. According to the indictment, two were alleged cyber criminals and two were members of Russia’s Federal Security Service (FSB) who “conspired to protect, direct, facilitate and pay criminal hackers to collect information through computer intrusions in the USA and elsewhere”.

The intrusion into Yahoo’s networks, and the group’s subsequent exploitation…

Link: Weekly Threat Report 24th March 2017
Source: NCSC Reports

ATMS in Europe targeted by cyber criminals

The cyber security firm, Group-IB, recently published a report on Cobalt, a suspected criminal group, that has been using a novel method to steal money from banks across Europe, including the UK, via ATMs.  According to Group-IB, Cobalt target banking organisations by using spear-phishing emails with malicious attachments that exploit software vulnerabilities. Once an attachment is opened the attackers can move through a bank’s network and…

Link: Weekly Threat Report 25th November 2016
Source: NCSC Reports