The latest news from SWCRC

June 2022

Welcome to our latest edition. Some months are a bit quiet… this one, despite the Jubilee, isn’t. We’ve a host of content for you, starting with the usual (important!) list of things to look out for if you want to stay safe. But we also have details of forthcoming events which may genuinely be of interest. From our next webinar with its fascinating insight into how hackers track you down and trick you, to a supply chain event being run by one of our cyber collaborators, and a chance to say hi in person at the Gloucestershire business show, there should be something of interest for all.

There’s also a free tool you can use to check out the security of those that you do business with (of particular interest to our larger members, we hope) and a thought-provoking piece from Securious, one of our trusted partners. As ever, we hope it’s of use, and if it isn’t, we hope you tell us. As ever, we’re here to help, and you can reach us with your thoughts, queries and feedback at enquiries@swcrc.co.uk.

Threat assessment

If you’re using Zoom, a phone, or Facebook, we might have something of interest for you this month. And if not, then we cater for minorities too, so read on for other snippets that might protect you.

First up, Zoom. Check it’s updated? They recently released a fix for six vulnerabilities which could be exploited by sending a message through Zoom chat to allow remote code execution. No user interaction was necessary. Zoom does now have auto-update working on Mac and Windows, but if you were an early adopter, you may have to manually update to get as far as the auto-update version. You need to be running at least version 5.10.0; if you click on your profile icon at the top right of the Zoom window, you should see an option to check for updates.

Phones and Facebook. Downloaded any apps recently? There’s a piece of malware called ‘facestealer’ which will cause a fake Facebook login page to appear on your phone after you’ve installed an unrelated app. Your credentials are then relayed back to the cybercriminals. Trend Micro recently found a list of 200 apps which hosted this code. Perhaps unhelpfully, they’ve not published a full list of the affected apps, although they were far from minority interest, with some installed over 100,000 times. The main ones were Daily Fitness OL, Enjoy Photo Editor, Panorama Camera, Photo Gaming Puzzle, Swarm Photo, and Business Meta Manager. According to TrendMicro, 42 of the 200 infected apps fall under the VPN category, 20 are camera apps, and 13 are photo editing apps. All affected apps have now been removed from the Google Play store so our advice is check if any recently installed apps have unaccountably disappeared, and if they have, you might like to delete them too. As ever, if you think an account like Facebook has been compromised, change your passwords, and implement two factor authentication security on the settings.

As an important aside, we’re increasingly seeing reports about mobile device vulnerabilities, and if you have mobile devices linked to your own business use, you need to recognise that they’re another route in. In a thought-provoking blog, Google have recently noted an increase in zero-day vulnerabilities, which are the ones that we’re all unprotected against until the good guys spot them, fix them, and release an update. In practical terms, this means that you need a phone whose operating system is current, and promptly updated. As some commentators have noted, some manufacturers are quicker than others. Consider that when you buy your next phone for the business.

If you’re an IT professional, you’ll be interested by this month’s attack on your community (if you’re not, you might want to skip this para). Someone created a proof of concept (PoC) for two vulnerabilities, tracked as CVE-2022-24500 and CVE-2022-26809. The GitHub-hosted content was however fraudulent; it executed and deployed a Cobalt Strike backdoor onto the victim machines. More information here; of course, cybersecurity insiders are particularly valuable targets, because if criminals can rifle through your data there’ll be some great leads for them. In a similar vein, open-source code repositories have this month been targeted – not for the first time - when a package named “pymafka” was uploaded to Python Package Index (PyPI), a popular registry for developers managing python applications.This was effectively a typosquatting attack, mimicking the “pykafka” package, and over 300 users apparently went on to download script that facilitated communication back to a Chinese IP address.

If you’re not in IT, maybe you’re in education? This month there has been allegation of vulnerability in a wordpress plugin entitled ‘school management’ which helps schools send notifications, manage attendance and undertake other school business. This is a paid package, and researchers says that it contains a vulnerability which enables the remote execution of malicious code. Weblizar, the publisher, dispute this, but as the argument continues, our advice is to ensure that youre updated to version 9.9.7 or later. Because everyone seems to agree that’s safe. Simple fix!

There’s anecdotal suggestion of a rise in ‘sextortion’ attempts, where individuals are sent an email alleging that compromising pictures, or data about their internet habits has been found. The criminals threaten to release this data to employers, friends and family unless a ransom is paid. Often, these emails are purely speculative: you can find advice about what to do on the National Cyber Security Centre site.

And in terms of trends and patterns for you.

So-called ‘wiper malware’ seems to be on the increase, with six new variants identified this year. This is against a backdrop of the Russia-Ukraine invasion, and the malware in question doesn’t seek to exact a monetary ransom, it aims to disrupt particularly critical infrastructure. It’s not particularly discriminating and has already impacted on countries sympathetic to Ukraine. A joint advisory notice from national cyber authorities was issued in late April setting out sound cyber defence in the face of the conflict, and the good news is, it prioritises relatively simple fixes. Keep your systems updated, implement multi-factor authentication, check and monitor your risky services like remote desktop protocol, and train your users. Talk to us about anything you’re unsure of.

An interesting report from the authorities has also summarised the main ways in which they’re seeing criminals get initial entry to your systems. They are using

Public-facing applications: applications such as a website or a database that accept inputs from users over the internet. Due to being exposed to the internet and typically set up to have a high level of availability to the public, is what makes this attack vector attractive to a threat actor.
External Remote Services: This includes services such as VPNs or cloud-based services. Since services are remote, the authentication is dealt with remotely too. This enables an attack vector that threat actors will look to exploit in order to establish their own access.
Phishing: can involve a threat actor sending malicious attachments, URLs or even legitimate URLs that host user produced content (think Dropbox or Canva) and it is that content that is in fact malicious. These campaigns are becoming increasingly more sophisticated to avoid intrusion detection/prevention rules. A lot of the time, compromised email accounts or Microsoft exchange servers are used to help convince the network of being a valid sender address.
Trusted relationships: for example, targeting the real victim via, managed service providers, contractors, infrastructure contractors or law firms. After gaining initial access to this secondary entity threat actors will look to pivot to their intended target. This is often also called a Business Email Compromise (BEC).
Valid accounts: A threat actor may begin their campaign by searching for or buying user credentials to an active account.

Again, the key mitigations include a number of simple fixes. Change default passwords, remove user access when people leave, implement multi-factor authentication and strong passwords, use anti-malware solutions and ensure you’re updating regularly.

Finally, a couple of breaches to be aware of this month. With all breaches, our advice is (i) beware of unsolicited contact from someone purporting to be the breached company: it may be a criminal who simply has your account details (ii) change passwords associated with the account, and on any other accounts using the same password (iii) implement multi-factor authentication for your logins.

Data from clients of SuperVPN, GeckoVPN and ChatVPN has reportedly come available on the darkweb. This affects 21 million people. Names, full addresses and billing details have been compromised.

And wedding registry site Zola has been compromised, resulting in the details of 3000 people being breached, including their usernames and passwords. A number of accounts have reportedly been drained as a result of the attack. We’d hope that if you’re affected, someone has already made contact.

As threats such as ransomware continue to grow, Securious CEO Pete Woodward explains why visibility of what’s going on across your network is now not just possible, but a fundamental part of staying secure.

First, a quick (true) story as an example

A new client approached us wanting to achieve Cyber Essentials Plus, which requires a qualified third party (in this case Securious) to conduct an audit to verify their answers to questions about their compliance.

They had answered ‘yes’ when asked whether all their devices were running supported operating systems. But when we ran a vulnerability scan, we realised that wasn’t the case. In fact, the scan identified some major areas of weakness that left them wide open to attack…

And that’s when we saw it. They weren’t just wide open to attack – they were mid-attack. Ransomware had been installed across all the devices, including the servers. All it would take for the ransomware to trigger was one device to reboot. This was a terrifying position to be in because it would encrypt all their files unless a ransom was paid.

We immediately halted the audit, removed our scanners and informed the business of their critically precarious position. They called an incident response team, who ran ransomware removal software and fortunately, they escaped unscathed. But it was a close call. The organisation didn’t suffer losses because we managed to catch it in time, but they’re lucky. What were the chances that they’d have an audit at the exact moment the ransomware was lying dormant, ready to be triggered and deployed?

And that’s the problem with ‘static’ cyber security

Cyber criminals don’t care about accreditations or pentest reports. They care about vulnerabilities that, in their hands, can become opportunities. This means that it’s all well and good achieving cyber security certificates and accreditations - they serve a purpose for sure, especially in helping prove to external parties that you take security seriously. However, they only ever consider a single point in time and a small number of factors. They never provide assurance that you won’t be hit by a cyber attack - they just give reassurance that, at a particular time, you achieved a certain level of preparedness.

And that’s a problem for businesses genuinely looking to prevent cyber attacks, rather than simply prove they have put basic measures in place to meet compliance or accreditation requirements. They’re trying to implement solutions without an accurate understanding of what their issues are in the first place. On top of this, there’s so much information available with so many different dashboards that it’s virtually impossible to separate what matters from the noise.

The good news: a new generation of cyber security products can help fix these issues

Using a System Information and Event Monitoring (SIEM) solution, which gives you full visibility of your environment and makes it easy to see what’s happening and identify any suspicious activity.
Artificial intelligence is increasingly being used to tackle threats that haven’t ever been seen before. This means you can, for example, stop ransomware from getting into your email inboxes even before the type of attack has been recognised and blocked by traditional systems.
There are now affordable services that make it easy to monitor what’s being said about you on the deep and dark web, like confidential data being sold or fraudulent claims being made. These services enable you to take action where required and protect your organisation's data and reputation.

Concluding thoughts…

Cyber security is moving into a new era thanks to technological advances and this means companies, regardless of their size, can have unprecedented levels of visibility against live threats to their network and devices. It’s an exciting time but sadly the criminals don’t stand still either. However, you can bet the companies that fail to take advantage of the new generation of solutions will be the most vulnerable.

If you’d like to learn more and make sure you stay ahead of the pack, send an email to us at info@securious.co.uk or check out our new generation of cyber security products and services on our website. We can provide full visibility of your environment, monitoring your network and systems around the clock and alerting you to suspicious activity as it happens. See more on our managed detection and response page.

Cyber Beat Podcast - Maritime Cyber Security

Ross Brown this week talks to Craig Wooldridge of IASME about maritime cyber security.

You can find the podcasts on Spotify or Google Podcasts.

Podcast Episide 15

SWCRC is delighted to be supporting the Gloucester Business Show at Cheltenham town hall on 29 and 30 June this year. The event has a real focus on supporting smaller businesses, and has recognised that cyber is one of the key areas where they probably need some help. If you’re in the area, we’d love to see you there.

There are two sessions of particular note. On the 29th we’ll be key participants at the main venue’s midday session, “Cyber Security: are you disconnected?”. Along with other presenters, we’ll be looking to give practical advice that can really help. No question too small (or too big!).

On day two, there’s a more technically focused piece in the Drawing Room, for technical experts to come together and talk about issues or challenges. We know that a number of our members fit exactly this profile, and we hope to meet some of you. More detail about the show and its overall programme can be found HERE.

We have been collaborating for a while now with a company called Crossword Cybersecurity.

They’ve been talking to us about the important issue of protecting not just yourself, but also your supply chain. We’re strongly supportive of this, because we know that a recent survey showed that 93% of larger companies were breached last year via the smaller companies that they work with.

To support us, Crossword have provided a free product which you can find on our website at www.swcrc.co.uk/offers. Their tool, Rizikon, can be used to assess your own organisation’s compliance against various cyber security standards like cyber essentials, but can also be sent out to your suppliers, asking them to evidence their own security status. The tool helps you track responses and, through its built-in dashboards, get a clear overview of your risk level. Crossword are happy to provide an introductory chat about the tool if you want to use it, and it even includes some basic tools about attack surface management, so you can see how vulnerable you would be to a hacker. The full version of the tool contains a number of other question sets relating to organisational risk, but we’re hugely grateful to them for making this bespoke and focused version available to SWCRC clients free of charge. Worth taking a look, particularly for our larger businesses; and of course, if you spot smaller companies in your chain who need better protection, do point them in our direction so that we can start to educate them.

If supply chain security is something that’s been occupying your mind, you might be interested in a webinar which Crossword are running later this month. It’s on 23 June at 11am and will be looking to share some hints and tips about how to get safer. Link here.

Dates for your diary

June 22nd 0815 - 0845 Cereal and Cyber

Our third webinar for SWCRC members (and guests) - and it's another good one. Criminals use social engineering tactics because it is easier to exploit people's trust than it is to discover ways to get round your firewalls and systems. Join us for a brief excursion into the mind games played by hackers.

Sign up HERE

June 29th 12 noon Cyber Security; are you disconnected?

The Gloucestershire Business Show is on June 29 & 30th with a packed programme of talks, including us. We're taking part in a panel discussion on cyber security along with leading industry figures. Do get your tickets for the show HERE.