The NCSC's weekly threat report is drawn from recent open source reporting at 17th July 2020

Russian attacks on COVID-19 vaccine development exposed

This week, the NCSC exposed an ongoing campaign of malicious activity targeting coronavirus vaccine research and development globally.

The UK, supported by the US and Canada, revealed that the threat group, APT29, has exploited organisations involved in the response to the pandemic. The NCSC assesses that APT29, also named “the Dukes” or “Cozy Bear” almost certainly operate as part of Russian intelligence services.

The group uses a variety of tools and techniques to target organisations to steal valuable information using custom malware known as ‘WellMess’ and ‘WellMail’.

WellMess and WellMail have not previously been publicly associated to APT29.

The full advisory is available to download from the NCSC website.

Microsoft, SAP and Cisco: critical security updates released

Microsoft has released the July 2020 Security Update. It features several security patches including fixing a critical remote code execution (RCE) vulnerability affecting the Microsoft Windows DNS Server (CVE-2020-1350).

If you are unable to applying the update quickly, a temporary workaround is detailed in the vulnerability report CVE-2020-1350.

SAP has released the July 2020 Security Update. It includes several security patches including fixing critical vulnerabilities in NetWeaver AS JAVA (LM Configuration Wizard) (CVE-2020-6287).

Cisco has released a security update for the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance. These vulnerabilities, if exploited, could result in a number of security issues including system compromise.

Update to the UK decision on high risk vendors

The government has this week announced the requirement for all Huawei technology to be removed from the UK’s 5G network by 2027, following on from additional US sanctions imposed against Huawei announced in May 2020.

Due to amendments made by the US, the NCSC has revised its advice on how to manage the presence of high risk vendors (HRVs) in the UK’s telecommunications networks.

A collection of NCSC publications relating to Huawei, 5G, and new US sanctions is available. This includes a blog post written by the NCSC’s Technical Director, Dr Ian Levy, explaining the work behind the updated technical and security analysis. There is also an explainer detailing the advice behind the NCSC’s guidance on Huawei, what's changed and what it means for the UK.

Researchers unmask video conferencing images

Users of video conferencing platforms have been warned against posting images of conference calls on social media.

A team of researchers from Ben-Gurion University (BGU) conducted a study on the images of participants from meetings in Zoom, Microsoft Teams, and Google Meet. The research revealed that image processing algorithms and web-based text recognition allowed the researchers to identify personal features such as gender, age, and usernames.

As images can be cross referenced with social media data this poses a risk to the privacy and security of users.

When working from home it's important to maintain your privacy and security when attending video conference calls. The NCSC has published guidance for individuals and organisations on how to use video conferencing platforms securely.

Twitter cyber attack and NCSC guidance

On Thursday evening, various Twitter accounts belonging to high profile US celebrities and brands were hacked to post tweets that linked to a cryptocurrency investment scam.

Twitter posted a thread saying that hackers compromised its internal systems and tools to carry out this attack. To mitigate the impact, Twitter locked the verified accounts that were compromised, although full access has now been restored.

While this appeared to be an attack on Twitter, rather than individual users, we would urge people to always be wary of requests for money or sensitive information over social media.

The NCSC’s official statement on this attack is available on the website, and our guidance for organisations on protecting published content and advice on generally staying secure online may also be helpful.

Bank targeted in successful ‘Jackpotting’ attack

A bank in Antwerp has become the country’s first known victim of a successful 'jackpotting' attack.

'Jackpotting' is a type of attack, where cyber criminals install malicious software at ATM’s resulting in large cash deposits being forced out of the machines by the hackers.

The thieves attempted the same type of attack in two other areas of the country by either making a physical connection by USB or compromising and exploiting the software installed in cashpoint machines using specially designed malware.

When a product is no longer supported by its developer, there are limits on the measures that will be effective in protecting against new threats. Over time, new vulnerabilities will be discovered that can be exploited by relatively low-skilled attackers.

Although there is no way to completely protect against malware attacks, organisations should adopt the ‘defence in depth' strategy to increase the difficulty of a breach in security and reduce successful attacks by cyber criminals.