DROWN vulnerability

Executive summary

A newly discovered OpenSSL security vulnerability, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), enables a 20 year old and long deprecated security protocol, Secure Sockets Layer (SSLv2), to be used to attack modern websites.

An attack exploiting this could decrypt secure HTTPS communications, which can be used to protect sensitive data in transit between your browser and the server. It is estimated that at least one-third of all websites could be…

Link: DROWN vulnerability
Source: NCSC Alerts

Weekly Threat Report 11th August 2017

Steganography is becoming increasingly popular

According to the cyber security company Kaspersky Lab, steganography is becoming increasingly popular with cyber actors and is used to conceal malware, data exfiltration and for command and control (C&C) communications. 

Steganography is the technique of concealing data within other, seemingly innocuous, information. In a digital context, it generally refers to hiding data within a media file. Image files are the most common, but…

Link: Weekly Threat Report 11th August 2017
Source: NCSC Reports

Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered a new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT or internet-connected) devices by scanning the Internet for devices with network vulnerabilities and attempts to connect to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130, 000 and…

Link: Weekly Threat Report 21st April 2017
Source: NCSC Reports

Weekly Threat Report 16th December 2016

Successful take-down of DDoS for hire service

Recent joint international law enforcement operations have resulted in the arrests of 34 suspected users of for-hire Distributed Denial of Service (DDoS) attack services. Twelve of the arrests were made in the UK, following a National Crime Agency (NCA)-led operation. The operation targeted Netspoof, an organisation which offered stresser packages to disable web servers and websites by flooding them with enormous volumes of internet traffic….

Link: Weekly Threat Report 16th December 2016
Source: NCSC Reports

Weekly Threat Report 1st December 2017

Imgur compromise

Image-sharing website Imgur has been alerted to a security breach in which the email addresses and passwords of 1.7 million users worldwide were compromised in 2014. Investigations are ongoing but in a public blog post, the company’s CEO has  said that, although passwords were hashed using SHA-256 at the time, users should still take precautions such as using a different password for every site and application.

The website does not hold any other personal data on…

Link: Weekly Threat Report 1st December 2017
Source: NCSC Reports

Weekly Threat Report 23rd March 2018

Money laundering valued at up to $200 billion through cryptocurrencies

A joint report between Surrey University and researchers at security vendor Bromium estimates that the proceeds of cyber crime make up to 8-10% of total illegal profits laundered globally, believed to be valued at up to $200 billion.

The report surmises that virtual currencies such as Bitcoin are becoming the primary tool used by criminals to launder proceeds. While Bitcoin has long been viewed as the criminal’s…

Link: Weekly Threat Report 23rd March 2018
Source: NCSC Reports

GlibC Vulnerability affecting Linux

What is it?

This vulnerability could allow a malicious actor to send specially crafted data to trigger a stack overflow in the getaddrinfo() function in the glibc DNS client resolver code (‘resolv/nss_dns’) and execute arbitrary code on the target system. The code will run with the privileges of the target application using the glibc library.

This vulnerability has been assigned CVE-2015-7547 (https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html) but was introduced in…

Link: GlibC Vulnerability affecting Linux
Source: NCSC Alerts

Weekly Threat Report 4th August 2017

Cyber incidents affecting airlines

Some North American airlines have issued statements regarding cyber security incidents in recent days. There is currently no evidence to suggest that these incidents are connected but these examples highlight the prevalence of such activity:

Virgin airlines detected unauthorised 3rd party access to their databases containing employee and contractor data in March 2017, including corporate credentials. In addition, over 100 individuals may have had further…

Link: Weekly Threat Report 4th August 2017
Source: NCSC Reports

Weekly Threat Report 7th April 2017

Threat to Managed Service Providers

A major cyber campaign against Managed Service providers has been detected that may present risks to organisations using outsourced IT services. Please see the following report for further details. Further information can also be found via the Cyber-Security Information Sharing Partnership (CISP) forum.

Media references to terrorist cyber capability

There have been numerous reports on the recently imposed restrictions on electronic devices larger than a…

Link: Weekly Threat Report 7th April 2017
Source: NCSC Reports

Weekly Threat Report 9th December 2016

Infected routers vulnerable to further attacks?

A small number of TalkTalk and Post Office domestic Wi-Fi routers are reportedly vulnerable to a new variant of the Mirai malware known as ‘Annie’. The denial of service experienced by TalkTalk and Post Office customers last week is said to have been an unintended consequence of the attacker, who goes by the name ‘BestBuy’. The attack sought to infect vulnerable routers with ‘Annie’.

Recently, BestBuy also…

Link: Weekly Threat Report 9th December 2016
Source: NCSC Reports