Cybersecurity Threats and Vulnerabilities 2018
Throughout 2017 the cyber war continued to rage, bringing us well-publicised ransomware outbreaks such as WannaCry, Petya, NotPetya and Bad Rabbit. Despite there being no major headline-grabbing incidents reported in mainstream media to date in 2018, cybersecurity risks are still escalating.
We have collated the most notable threats for the first quarter of 2018. Threats include:
- Phishing campaigns
- Cyber-enabled petrol scams
- The world's largest cryptocurrency heist
- The largest reported DDoS attack
- CCleaner update
‘Meltdown’ and ‘Spectre’ vulnerabilities to microprocessors
Reports of new security flaws affecting microprocessors called ‘Meltdown’ and ‘Spectre’ surfaced in January. Processors in most devices employ a range of techniques to speed up their operation, and the vulnerabilities allow some of these techniques to be abused to obtain information about areas of memory not normally visible to an attacker. As a result, normally difficult actions – such as recovering passwords – are theoretically made easier.
We would advise all organisations and home users to continue to protect their systems from threats by installing patches as soon as they become available.
Cyber-enabled fraud: an increasing threat for 2018
Media reporting highlighted an alleged attempt by hackers to steal funds from Russian bank Globex. The hackers appear to have used legitimate credentials to access the SWIFT international payment system to attempt fraudulent wire transfer requests valued at 55 million roubles (c. £700,000).
This attempted theft highlights that poor end user security is still a problem for some global financial institutions. Increasingly, cyber thieves are attempting to harvest legitimate login credentials and then commit fraudulent activity using the access that those legitimate credentials provide.
Cyber attack forces US hospital offline
The Jones Memorial Hospital in the US state of New York was hit by a cyber attack in January impacting some of its information services. The hospital stated that they used standard computer downtime procedures in response, and they believe no patients’ financial or medical information has been compromised.
The exact cause of the incident was not revealed, although similarities can be drawn to previous ransomware attacks against healthcare providers in the US.
“Typosquatting” is still big business
Typosquatting (also known as cybersquatting or URL hijacking) is the deliberate act of registering misspelt versions of popular website domains, to capitalise on internet users accidentally typing incorrect characters for a website address into the address bar of a web browser.
Instead of visiting the correct website, users will be taken to an alternative website intended for a variety of malicious purposes, including the theft of personal information, fraud and the installation of malicious software.
The issue of typosquatting is not new but can seriously impact individual users as well as businesses, organisations and government websites across the globe.
Always double-check URL spellings before accessing a website. It is also advisable to bookmark favourite websites and, if in doubt, check URL spellings in a popular search engine to make sure they are correct.
Netflix “brandjacking” highlights increasing sophistication of phishing campaigns
A “brandjacking” phishing campaign aimed at Netflix subscribers was identified by cyber security experts earlier this year.
The campaign utilised multiple phishing techniques. Subscribers received emails requesting that login details and credit card data be updated via a portal. Once the details were entered, the subscriber was shown a fake 'Verified by Visa' page and then redirected to the real Netflix login page. Phishing campaigns are becoming increasingly sophisticated.
Two-factor authentication usage
It is estimated fewer than 10 per cent of Gmail users enable Two-Factor Authentication (2FA).
The benefit of 2FA is that it provides an extra layer of security. The user has to provide standard login details of a password and username and also something that only that user has access to. This might be a physical token, keyfob device, fingerprint, facial recognition or SMS confirmation via mobile phone.
Increasing attention to attacks against 2FA systems (e.g. SMS interception targeting high-value bitcoin holders), together with its usability, could degrade how it is perceived and trusted in the long term, which could result in lower uptake of the service. As one of the core methods of securing online accounts, it is important that users trust 2FA and find it relatively user-friendly.
Using 2FA makes the compromise of online accounts much more difficult than using just passwords and can be very effective against guessed or compromised passwords, which was behind the success of the recent targeting of the UK Parliament.
Cyber-enabled petrol scam uses industry insiders
Media reporting has highlighted an innovative cyber-enabled scam involving petrol pumps across Russia.
With the collusion of staff, criminals reportedly siphoned fuel off into empty tanks at the targeted petrol stations. Meanwhile, malware on the petrol stations’ computer systems was used to display false data on the amount of fuel dispensed to customers, with each customer unknowingly receiving between 3% and 7% less fuel than they paid for. The stolen fuel was then sold separately and off the books by the criminals who pocketed the profits.
The malware used was reportedly ‘nearly impossible to detect’, though Russian authorities recently disrupted the scam when they arrested the alleged creator of the malware, Denis Sayev.
This attack represents an evolution of previously known attacks on payment systems, which have directly targeted the payment card data itself. With the global roll-out of improved protections (chip & pin), we expect to see continued innovation by criminal elements getting financial benefit from fraudulent access to payment systems.
Meanwhile, it is possible this type of cyber-enabled crime will constitute an emerging threat globally during 2018.
World’s largest cryptocurrency heist
In February Coincheck reported that hackers had stolen 523 million NEM (XEM) cryptocurrency tokens (approx. £376.5 million). Coincheck is Japan's largest Bitcoin exchange and also deals in various other cryptocurrencies.
Coincheck have reassured customers that they will reimburse any losses. They report that the attack methods deployed by the hackers are at present unknown and that the NEM had been stored in a 'hot wallet'. Hot wallets are connected to the internet and are therefore vulnerable to cyber criminals, whereas cold wallets are small devices that hold your cryptocurrency and are not connected to the internet. Some people even keep them locked in safes.
This heist highlights the security issues surrounding storing cryptocurrency in online exchanges, which can be vulnerable to attack, rather than in a hardware-based solution or personal wallet.
The UK also saw its first reported case of a physical robbery related to Bitcoin, in which armed, masked men burst into the home of a cryptocurrency trader in Moulsford, Oxfordshire. The intruders threatened violence if he did not transfer funds to a Bitcoin wallet. Whilst the amount transferred is unknown, and it has not even been confirmed that a transfer succeeded, it is another instance of the security issues surrounding cryptocurrencies and the mistaken perception that they carry no danger. Readers are reminded that these incidents are few and far between, but should be mindful that cryptocurrencies are not exempt from, nor safe from, being targeted by criminals.
Domain name hijacking on managed services provider
Domain hijacking is a form of theft where the attacker takes control of a domain name without the consent of the original registrant. Hijacking can happen because of security flaws or because the domain name's registration period has expired. In February, a major US managed services provider had three of its domain names hijacked, shutting off email and websites for many of the company's clients. The company hosts more than 100,000 websites and 40,000 managed technology accounts, mostly for small and medium-sized enterprises (SMEs).
After taking control of the domain names, the hacker replaced the customer login page with a web chat service. Customers were then tricked into chatting to the perpetrator instead of being able to access their control panel.
Domain hijacking has been a problem for many years, but this is likely to be one of the largest in terms of scale of websites potentially affected. Domain hijacking could potentially have significant negative implications for any company/organisation that has a web presence. Attackers could replace a company’s website, or web application, with an identical replica site designed to trick visitors into entering login credentials or personal information, thereby potentially helping to facilitate fraud. Malicious software could also be uploaded onto visitors’ computers. Managed service providers are likely to be a higher priority target of domain hijacking due to the potential access and damage they could cause to their clients.
Organisations can protect themselves against domain hijacking in several ways, including:
- Locking the domain using a web service to guard against unauthorised domain transfers
- Ensuring all domain name contacts have valid contact information
- Setting the domain to auto-renew each year
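The three safeguards above can be checked against a domain's WHOIS record. The following is an added example, not part of the original bulletin: it parses a constructed WHOIS record (not a real registration) and flags a missing registrar transfer lock, an expiry inside the renewal window and empty contact fields.

```python
"""Check a WHOIS record for the domain-hijacking safeguards listed above."""
from datetime import datetime, timezone

# Constructed sample WHOIS output (not a real registration record).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-MSP.COM
Registry Expiry Date: 2018-04-20T04:00:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Email:
Admin Email: admin@example-msp.com
Tech Email: hostmaster@example-msp.com
"""
SAMPLE_TODAY = datetime(2018, 4, 1, tzinfo=timezone.utc)  # constructed "today"

# EPP status codes that block a transfer to another registrar.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
CONTACT_FIELDS = ("Registrant Email", "Admin Email", "Tech Email")

def parse_whois(text):
    """Map each 'Key: value' line to key -> list of values (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def assess_domain(whois_text, today):
    """Return the lock, expiry and contact findings for one domain."""
    fields = parse_whois(whois_text)
    statuses = {s.split()[0].lower() for s in fields.get("domain status", []) if s}
    days_left = None
    expiry_values = fields.get("registry expiry date", [])
    if expiry_values:
        expiry = datetime.strptime(expiry_values[0], "%Y-%m-%dT%H:%M:%SZ")
        days_left = (expiry.replace(tzinfo=timezone.utc) - today).days
    missing = [f for f in CONTACT_FIELDS if not any(fields.get(f.lower(), []))]
    return {"transfer_locked": bool(statuses & TRANSFER_LOCKS),
            "days_to_expiry": days_left, "missing_contacts": missing}

def hijack_warnings(result, renew_within_days=30):
    """Turn the findings into the actions an administrator should take."""
    msgs = []
    if not result["transfer_locked"]:
        msgs.append("no registrar transfer lock (clientTransferProhibited) set")
    if result["days_to_expiry"] is None or result["days_to_expiry"] <= renew_within_days:
        msgs.append("expiry missing or within renewal window; enable auto-renew")
    msgs += [f"{field} is empty" for field in result["missing_contacts"]]
    return msgs
```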
Cloud security – FedEx data leak from AWS
Media reports that scanned documents containing the identity details of up to 120,000 people have been freely available in a misconfigured Amazon Web Services Simple Storage Service (AWS S3) bucket used by the shipping company FedEx. Cloud storage providers have previously been associated with a large-scale data breach at Verizon.
Where cloud storage services are breached the ultimate reason almost always appears to be poor security configuration. Ensuring that good security practices are followed by all users and providers of cloud services would, therefore, prevent most breaches.
Smartphone malware on the increase
Cyber security company Trend Micro issued its annual Mobile Threat Landscape report in February. The number of unique mobile malware samples detected by the company increased by 415% from 2016 to 2017.
Previously, identified threats had mostly affected Android users downloading mobile apps from unofficial third-party stores but, according to the report, for the first time Google’s official mobile app store, Google Play, was significantly affected too.
Ransomware and banking malware were the major threats and are likely to pose a growing problem in 2018. Mobile ransomware detections were highest in China, followed by Indonesia, India and Japan, with banking malware detections highest in Indonesia and India.
Symantec also reported this month that it had found eight apps infected with the Sockbot malware on Google Play. The malware can add compromised devices to a botnet and potentially perform DDoS attacks. Symantec’s estimate of potential victims ranges from 600,000 to 2.6 million devices with US users appearing to be the main target.
Apple was also affected and, although it exerts more control over apps added to its app store, Trend Micro report that many applications infected with adware and other unwanted functionality found their way to the company’s app store.
On a more positive note, the clear majority of mobile ransomware that Trend Micro spotted last year was not as capable as desktop versions of the malware and less than 1% of it ended up infecting end user devices. Nevertheless, the increased threat is leading to a stronger approach to mobile security including initiatives on mobile vulnerability research and proactive coordination between vendors and platforms.
Largest reported DDoS attacks mitigated
The largest ever reported Distributed Denial of Service (DDoS) attack occurred in early March 2018, according to Netscout Arbor. A peak of 1.7 Terabits per second (Tbps) was recorded, although the attack was mitigated. This followed a recent attack against GitHub on 28 February, with a peak of 1.35 Tbps. The largest known attack previously took place in 2016 against the US DNS provider Dyn, which peaked at 1.2 Tbps.
The method used for these attacks is known as a 'memcached server DDoS'. Memcached servers cache data in memory so that applications do not have to fetch it repeatedly from external databases. Large companies often use memcached servers to help speed up and assist in dealing with large demands on their services. When memcached servers are openly accessible over the internet via the User Datagram Protocol (UDP), they can be abused to amplify traffic enormously.
The attackers send a server a small request with the victim's address forged as the source, so that the memcached server sends its reply to the victim; that reply can be up to fifty thousand times the size of the original packet. If there are no mitigations such as filtering or network management, this could easily cause a service to go offline. In the attack against GitHub, there has since been reporting of a ransom note embedded in the data payload, demanding a payment of 50 Monero (worth approx. $15,000).
These latest DDoS attacks were mitigated, but further attacks may occur.
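From the defender's side, the amplification described above is visible in flow records as a tiny UDP request to port 11211 answered by a huge reply to a different network. The following is an added example, not part of the original bulletin: it runs over constructed flow records (not captured traffic) to pair requests with replies, report amplification factors and list memcached servers answering addresses outside the assumed internal 10.0.0.0/8 range.

```python
"""Spot memcached UDP amplification in flow records (defender-side detection)."""
MEMCACHED_PORT = 11211

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "203.0.113.10", 11211, "udp", 15),      # tiny request; source is the forged victim
    ("203.0.113.10", 11211, "198.51.100.7", 40000, "udp", 750000),  # huge reply lands on the victim
    ("10.0.0.5", 50120, "10.0.0.9", 11211, "udp", 15),              # legitimate internal lookup
    ("10.0.0.9", 11211, "10.0.0.5", 50120, "udp", 60),
    ("10.0.0.5", 50121, "10.0.0.9", 11211, "tcp", 80),              # TCP cannot be reflected this way
]

def find_amplification(flows, min_factor=100):
    """Pair each UDP request to port 11211 with its reply and return
    (server, victim, factor) wherever reply bytes / request bytes >= min_factor."""
    requests = {}
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and dport == MEMCACHED_PORT:
            requests[(src, sport, dst)] = nbytes
    hits = []
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and sport == MEMCACHED_PORT:
            request_bytes = requests.get((dst, dport, src))
            if request_bytes:
                factor = nbytes / request_bytes
                if factor >= min_factor:
                    hits.append((src, dst, factor))
    return hits

def exposed_memcached(flows, internal_prefixes=("10.",)):
    """Memcached servers replying over UDP to addresses outside the internal ranges.

    These are the hosts to bind to localhost or to start with UDP disabled
    (memcached's -U 0 option), so they cannot be used as reflectors.
    """
    return sorted({src for src, sport, dst, _, proto, _ in flows
                   if proto == "udp" and sport == MEMCACHED_PORT
                   and not dst.startswith(internal_prefixes)})
```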
CCleaner supply chain attack update
Cyber security company Avast continues to investigate the 2017 supply chain attacks involving the clean-up tool CCleaner. For a month last summer, Advanced Persistent Threat (APT) attackers are reported to have maliciously modified versions of CCleaner and CCleaner Cloud at source, before they were downloaded by 2.27 million customers worldwide. The attackers then selected a small number of high-profile technology and telecommunications companies to receive a secondary payload.
Avast’s ongoing investigation has now revealed that CCleaner developer Piriform (acquired by Avast in July) was probably compromised as early as March 2017, although no information is given about the original attack vector.
The investigation also points to a possible third stage of the malware that may have been distributed via the CCleaner attack: once on the Piriform network, the attackers deployed a tool known as Shadowpad, which included keylogging and password stealing functionality, as well as other tools, to allow them to progress their attack remotely. The same tool may have been deployed to those customers who received the secondary payload.