Threat Assessment and Cyber News September 2023
We’re delighted to send you our latest threat and news update, all of which aims to keep you safer. It’s a quiet one. We’re not sure if that’s because the cybercriminals have been sunning themselves (unlikely?), or simply that those who monitor them are taking a breather. As ever, we’ve included what we feel are the relevant headers from the last month. We try hard to indicate the bits that are relevant to small and sole traders, but also that might help some of our larger and more technically-aware community members. Enjoy.
What's Happening?
A number of ‘trend’ reports have come out over the last month, helping you understand what to look out for. The headlines:
- If you’re wary of attachments (well done!) it’s HTML and compressed (.zip) files that are most frequently being used to circulate viruses right now. Office documents, less so. JavaScript, PDF and .txt files are also worth extra vigilance, according to analysis by VirusTotal. If you get something unsolicited, it’s always worth checking with the sender by phone first. Today, we were sent someone’s CV, unsolicited, by a recruitment agency we’d not had previous contact with. Curiosity didn’t get the better of us. Would the same be true of you and all your team?
- Phishing emails (with attachments/links), and simple scams, are probably the things to be most on your guard for at the moment, judging by a report from cyber company Avast. By ‘scam’ we mean simply telling fibs – perhaps sending you a personal email to say that we’ve compromised your organisation’s data. Or that we’ve used your camera to film you doing compromising things. Pay us some money, please, ideally without checking?
- The world of cybercrime is getting busier. One response company (Rapid7) noted a 69% increase in business in the first half of this year. They assess that lots of the breaches are down to simple things. Like not having multi-factor authentication in place. Or having easily-guessed passwords. Which is why we always say: no matter how complicated this stuff sounds, you can do little things that will make a huge difference.
If you want to find out more, you can access the reports either via the hyperlinks below, or by putting a few of the relevant words directly into your search engine.
RAPID7 Mid Year Threat Report 2023
Avast Q2/2023 Threat Report - Avast Threat Labs
https://assets.virustotal.com/reports/2023emerging.pdf
Image from the VirusTotal analysis, showing you not just which attachments are being misused most frequently, but also how that’s changed over time.
Pop Up Windows
Are you a bit wary of pop up windows in your browser? Hope so. You might not know, but it’s possible to configure the content of these entirely… so that, for example, a fake web address is shown at the top. So I could take you to – for example – a very legitimate looking login page for your accounts. These ‘browser in browser’ attacks can lure you into clicking somewhere that downloads something, or just giving up your credentials. This month we spotted details of an attack using TripAdvisor popups. It demanded a ransom to let you back into your systems, but when analysed, there was no way for the criminals to see which victims had made a payment. Which makes it unlikely that they’d ever actually take the effort to restore your data.
More detail and some screenshots here: https://www.bleepingcomputer.com/news/security/knight-ransomware-distributed-in-fake-tripadvisor-complaint-emails/
NCSC Early Warning Service
Are you registered for the National Cyber Security Centre’s early warning service? Worth looking at – they’ll let you know if their investigators find something being widely exploited which they can see your systems would be vulnerable to. Details here: https://www.ncsc.gov.uk/information/early-warning-service
We mention this because this month they also co-authored a report into the most commonly-exploited vulnerabilities of 2022. Found via the link below, although it’s a primarily technical read and aimed at those who manage security. What’s striking is that some of the entries are unchanged since the previous year – in other words, people haven’t applied updates, and are therefore still being attacked. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
Shadow IT
We wanted to signpost some new National Cyber Security Centre guidance on ‘shadow IT’, which you can find via your search engine or at https://www.ncsc.gov.uk/guidance/shadow-it. Shadow IT is, broadly speaking, unmanaged devices or services – things you might not know are using your network. It could be the internet-linked devices that a staff member or building manager has brought in, it could be unmanaged services like unapproved messaging services with no monitoring in place, or external cloud storage services to share files with third parties. Many of us find workarounds when IT doesn’t work for us, and that presents a risk. It’s worth reading the guidance, and looking at what ‘shadow IT’ you might have in place in your business or charity. As the article makes clear, you’ll only reduce this risk if you engage fully with your users, understanding and responding to what they need, and not blaming them.
Macros
Are you still careful when a file asks you to enable macros? Good. It’s happening less now, because Microsoft have taken some preventive measures, but this used to be a great way for criminals to bring malicious software onto your network. If you’re a bit more technical, you’ll be interested in this report, which sets out how PDF documents are now being generated to look like Word documents, bypassing anti-macro protections. If you’re not, that’s fine – just keep on being circumspect!
https://securityaffairs.com/150012/hacking/maldoc-in-pdf-attack.html
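For the more technical readers, here is an added example (our own illustration, not code from SWCRC, VirusTotal or the linked report) that pulls the two attachment points above together: the file types flagged in the VirusTotal analysis, and a PDF built to open as a Word document. It parses a constructed email, looks at what each attachment actually contains rather than what its name says, lists anything HTML-like hiding inside a .zip, and flags a file that starts like a PDF but carries Word/MHT structure further in. The sample message, the marker strings and the short magic-byte table are all assumptions made for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types named in the VirusTotal summary above: HTML and .zip are the most
# abused right now; JavaScript, PDF and .txt deserve extra vigilance.
WATCHLIST_EXT = {"html", "htm", "zip", "js", "pdf", "txt"}

# Leading bytes for a few common containers (assumption: enough for this demo).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx, which are zip containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls container
}
EXT_KIND = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
            "doc": "ole", "xls": "ole", "html": "html", "htm": "html"}

# Strings you expect in a Word-flavoured MHT/HTML document, not in a plain PDF
# (assumption: chosen for the demo, not a published signature).
WORD_MARKERS = (b"mime-version:", b"<w:worddocument", b"content-type: multipart/related")


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    head = data.lstrip()[:512].lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def looks_like_word_polyglot(data: bytes) -> bool:
    """PDF header at the front, Word/MHT structure further in: the shape of the
    'PDF that opens as a Word document' technique mentioned above."""
    if not data.startswith(b"%PDF-"):
        return False
    low = data.lower()
    return any(marker in low for marker in WORD_MARKERS)


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment: detected kind plus reasons to be wary."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext, kind = _ext(name), sniff(data)
        reasons = []
        if ext in WATCHLIST_EXT:
            reasons.append(f".{ext} is among the attachment types most abused at the moment")
        if ext in EXT_KIND and kind != "unknown" and EXT_KIND[ext] != kind:
            reasons.append(f"content looks like {kind}, not the .{ext} the name claims")
        if kind == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if _ext(inner) in {"html", "htm", "js"}:
                            reasons.append(f"archive contains {inner}, an HTML/script file inside a .zip")
            except zipfile.BadZipFile:
                reasons.append("zip header but the archive cannot be read")
        if looks_like_word_polyglot(data):
            reasons.append("PDF header but Word/MHT content inside: possible macro-carrying polyglot")
        findings.append({"name": name, "kind": kind, "reasons": reasons})
    return findings


def _zip_bytes(entries: dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed message: a .zip wrapping an HTML file, a PDF/Word polyglot,
    and an ordinary .docx as the harmless control."""
    msg = EmailMessage()
    msg["From"] = "recruiter@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "CV for your consideration"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(_zip_bytes({"invoice.html": "<html><body><script>document.title='Invoice'</script></body></html>"}),
                       maintype="application", subtype="zip", filename="scan.zip")
    polyglot = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"b\"\n"
                b"<w:WordDocument></w:WordDocument>\n%%EOF\n")
    msg.add_attachment(polyglot, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
                       maintype="application", subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="agenda.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_email()):
        print(("WARN" if finding["reasons"] else "ok  "), finding["name"], f"({finding['kind']})")
        for reason in finding["reasons"]:
            print("       -", reason)
```

Run it and the .zip and the polyglot PDF come out flagged while the plain .docx does not. The useful habit it demonstrates is deciding on the bytes rather than the file name: the same check would catch an HTML page renamed to .pdf, which is exactly the sort of thing a phone call to the sender would also have resolved.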
Last Chance!
Thanks to all who recently completed our survey.
We’re really grateful.
We’re going to be arranging some webinar content about how to respond to a cyber attack, because that was a consistent ‘ask’ from you. We’ve also sent individual information to a bunch of people who said that they didn’t know enough about Cyber Essentials, or the Police Cyber Alarm scheme, and we’re shortly reshaping our website so that you can find our previous content (webinars/ blogs/ guidance) more easily. If there’s more you need, you can always drop us a line, but we’d love it if you were able to take five minutes to complete our short survey here. It really does help. Also, we feel quite reassured that we’re on the right track, because 70% of you say that we’re an excellent source of information, and 90% of you say you’re likely or very likely to recommend us. Thank you so much.
One For The Experts
Lastly, one for the experts. CVE-2023-3519 is a code injection vulnerability affecting Citrix NetScaler servers, and resulting in unauthenticated remote code execution. It is now being reported that a threat actor has compromised around 2,000 servers. The vulnerability was a so-called ‘zero day’, and in the period before patches were applied, it appears that webshells have been deployed and systems remain vulnerable. If you are running one of these servers, it is certainly worth checking your own situation: a scanner for indicators of compromise has been developed by Mandiant and Citrix, and is available here: https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
New Collaboration with Ratcliffes Insurance Brokers
SWCRC is delighted to announce a collaboration with Ratcliffes Insurance Brokers, of Cheltenham, who are supporting us in our efforts to look after cyber resilience across the region. They have a vested interest in regional cyber security, having headed up their local Chamber of Commerce for 30 years, with a growing number of technology companies from the Cheltenham region coming to their door.
We know that insurance can be an important part of your business protection, and we are always keen to forge links with local companies who can provide services which complement our own offer, and we think that there is a synergy between our work and that of cyber insurers like Ratcliffes.
Ratcliffes are a Cheltenham-based company, set up in 1976 and with a proud history of personal service for their clients. They have a range of cyber insurance products available, and can help and support you through the application process, ensuring that you have the right cover in an area which can be daunting and complicated. They are more than happy to speak to you and answer questions on cyber matters with no obligation at all, as well as on other insurance services, and you can contact them at cyber@ratcliffes.co.uk.
Whilst SWCRC doesn’t recommend individual suppliers directly, we think that it’s very much worth you considering whether you have the right levels of protection in place. Ratcliffes are happy to offer a free consultation to any SWCRC members, and you can find out more about the company and their offer at https://www.ratcliffes.co.uk/general-insurance/cyber-liability-insurance/
Newsletter from South West Police RCCU
The latest newsletter from the RCCU is available to download.
This email was sent by South West Cyber Resilience Centre. © 2023 South West Cyber Resilience Centre. Joint Emergency Services Building, Wimborne Road, Poole, Dorset, BH15 2BP
Contact us: enquiries@swcrc.co.uk