IP Clarity is pleased to announce that we have achieved our Cyber Essentials certificate: our business is fully compliant with the UK Government's Cyber Essentials assurance scheme. For further information please contact us.
See July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band (microsoft.com). Patch your PCs, laptops and servers now. Microsoft still has some work to do, but most current Windows 10 versions have a patch available and Microsoft is working to provide patches soon for the remaining versions.
IP Clarity is pleased to announce its appointment by Threatlocker as a Gold Partner; IP Clarity will be the first Gold Partner in Scotland. A new website has been launched for all Zero Trust security from Threatlocker: zerotrust.scot
Please visit https://www.zerotrust.scot
NCSC Weekly Threat Report 17th July 2020
The NCSC's weekly threat report is drawn from recent open source reporting.
Russian attacks on COVID-19 vaccine development exposed
This week, the NCSC exposed an ongoing campaign of malicious activity targeting coronavirus vaccine research and development globally.
The UK, supported by the US and Canada, revealed that the threat group APT29 has targeted organisations involved in the response to the pandemic. The NCSC assesses that APT29, also known as "the Dukes" or "Cozy Bear", almost certainly operates as part of the Russian intelligence services.
The group uses a variety of tools and techniques against its targets and steals valuable information using custom malware known as 'WellMess' and 'WellMail'.
WellMess and WellMail have not previously been publicly associated with APT29.
The full advisory is available to download from the NCSC website.
Microsoft, SAP and Citrix: critical security updates released
Microsoft has released the July 2020 Security Update. It features several security patches including fixing a critical remote code execution (RCE) vulnerability affecting the Microsoft Windows DNS Server (CVE-2020-1350).
If you are unable to apply the update quickly, a temporary registry-based workaround is detailed in Microsoft's advisory for CVE-2020-1350; note that the workaround restricts the size of DNS responses the server will accept over TCP, so it should be removed once the update is installed.
SAP has released the July 2020 Security Update. It includes several security patches including fixing critical vulnerabilities in NetWeaver AS JAVA (LM Configuration Wizard) (CVE-2020-6287).
Citrix has released security updates for Citrix Application Delivery Controller, Citrix Gateway and the Citrix SD-WAN WANOP appliance. These vulnerabilities, if exploited, could result in a number of security issues, including system compromise.
Update to the UK decision on high risk vendors
The government has this week announced the requirement for all Huawei technology to be removed from the UK’s 5G network by 2027, following on from additional US sanctions imposed against Huawei announced in May 2020.
Following the US sanctions, the NCSC has revised its advice on how to manage the presence of high risk vendors (HRVs) in the UK's telecommunications networks.
A collection of NCSC publications relating to Huawei, 5G, and new US sanctions is available. This includes a blog post written by the NCSC’s Technical Director, Dr Ian Levy, explaining the work behind the updated technical and security analysis. There is also an explainer detailing the advice behind the NCSC’s guidance on Huawei, what's changed and what it means for the UK.
Researchers unmask video conferencing images
Users of video conferencing platforms have been warned against posting images of conference calls on social media.
A team of researchers from Ben-Gurion University (BGU) conducted a study on the images of participants from meetings in Zoom, Microsoft Teams, and Google Meet. The research revealed that image processing algorithms and web-based text recognition allowed the researchers to identify personal features such as gender, age, and usernames.
As these images can be cross-referenced with social media data, this poses a risk to the privacy and security of users.
When working from home it's important to maintain your privacy and security when attending video conference calls. The NCSC has published guidance for individuals and organisations on how to use video conferencing platforms securely.
Twitter cyber attack and NCSC guidance
On Thursday evening, various Twitter accounts belonging to high profile US celebrities and brands were hacked to post tweets that linked to a cryptocurrency investment scam.
Twitter posted a thread saying that hackers compromised its internal systems and tools to carry out this attack. To mitigate the impact, Twitter locked the verified accounts that were compromised, although full access has now been restored.
While this appeared to be an attack on Twitter, rather than individual users, we would urge people to always be wary of requests for money or sensitive information over social media.
The NCSC’s official statement on this attack is available on the website, and our guidance for organisations on protecting published content and advice on generally staying secure online may also be helpful.
Bank targeted in successful ‘Jackpotting’ attack
A bank in Antwerp has become Belgium's first known victim of a successful 'jackpotting' attack.
'Jackpotting' is a type of attack in which cyber criminals install malicious software on ATMs, forcing the machines to dispense large amounts of cash to the attackers.
The thieves attempted the same type of attack in two other parts of the country, either by making a physical connection to the machine over USB or by compromising the software installed in the cashpoint machines using specially designed malware.
When a product is no longer supported by its developer, there are limits on the measures that will be effective in protecting against new threats. Over time, new vulnerabilities will be discovered that can be exploited by relatively low-skilled attackers.
Although there is no way to completely protect against malware attacks, organisations should adopt a 'defence in depth' strategy to increase the difficulty of a breach and reduce the number of successful attacks by cyber criminals.
A major cyber attack on Twitter is being reported by various news outlets: celebrity Twitter accounts have been taken over and messages sent out requesting money.
What is unusual is that Twitter employees appear to have succumbed to social engineering, allowing the attackers to use internal Twitter admin tools and thus gain direct control over Twitter's core systems.
This is very serious and concerning for all Twitter users. Please check the advice from Twitter, reset your password immediately, and make sure you have two-factor authentication switched on. This must be done for all Twitter personal and business accounts.
If you have reused your Twitter password anywhere else, change that password too. Note that because the attackers used Twitter's own internal tools, a strong password and 2FA would not have prevented this particular takeover; they remain essential protection against the far more common credential-based account hijacks.
Be aware of potential scams appearing to come from Twitter: for any message asking for money or linking to an external website, check before you click.
The UK National Cyber Security Centre has published guidance on this:
An NCSC statement on the reported attack on Twitter (16th July 2020)
We are aware of a cyber attack on Twitter and have reached out to the company.
While this appears to be an attack on the company rather than individual users, we would urge people to treat requests for money or sensitive information on social media with extreme caution.
The NCSC has recently produced guidance for organisations on protecting what they publish on social media, and more widely we would remind people of our advice on staying secure through measures such as strong passwords and turning on two-factor authentication (2FA).
Further information
The company has published a thread that is updating users about the incident. At 3.38am they tweeted to say they have locked accounts that were compromised and will restore access to the original account owner only when they are certain they can do so securely.
Twitter have said that they detected what they believe to be a co-ordinated social engineering attack by people who successfully targeted some of their employees with access to internal systems and tools. The NCSC has published advice for developers here and on protecting management interfaces here.
The company has said the attackers used this access to take control of many highly-visible accounts and tweet on their behalf.
Microsoft has confirmed CVE-2020-1350, a vulnerability in Windows Server DNS, and released an urgent critical patch for all Windows Server versions running the DNS Server role. It has the potential to be exploited remotely, and it is considered very urgent that all Windows Server operators patch NOW.
Here is what Microsoft says:
July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server
MSRC blog, by the MSRC Team, July 14, 2020 (tags: DNS, MSRC, Windows, Worm)
Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.
Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.
If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server. The update and the workaround are both detailed in CVE-2020-1350.
Customers with automatic updates turned on do not need to take any additional action.
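As an added worked example (not code from Microsoft's post or the NCSC report), the following PowerShell applies, verifies and later removes the registry workaround that both the threat report and the MSRC post refer to. The registry key, value name and limit are those given in Microsoft's guidance for CVE-2020-1350 (KB4569509); the function names are ours, and it assumes an elevated session on the DNS server itself. One caveat the MSRC wording glosses over: the host needs no reboot, but the DNS service does have to be restarted for the change to take effect.

```powershell
# Added example, not from Microsoft's post or the NCSC report: apply, verify and
# later remove the registry workaround for CVE-2020-1350 on a Windows DNS Server.
# Key, value and limit are those given in Microsoft's guidance (KB4569509);
# the function names are ours. Run from an elevated PowerShell on the DNS server.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$MaxSafe   = 0xFF00   # 65280: largest TCP DNS response the server accepts while the workaround is on

function Enable-DnsTcpWorkaround {
    # Create or overwrite the DWORD. The host does not need a reboot, but the
    # DNS *service* must be restarted before the new limit takes effect.
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value $MaxSafe -Force | Out-Null
    Restart-Service -Name DNS
}

function Test-DnsTcpWorkaround {
    # $true when the value is present with the documented data, $false otherwise.
    $item = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq $MaxSafe)
}

function Disable-DnsTcpWorkaround {
    # Once the July 2020 update is confirmed installed, delete the value so the
    # server again accepts full-size TCP responses, then restart DNS.
    if (Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $DnsParams -Name $ValueName
        Restart-Service -Name DNS
    }
}

# Typical sequence while waiting for a patch window:
#   Enable-DnsTcpWorkaround
#   Test-DnsTcpWorkaround
# After the update has been installed and the server rebooted:
#   Disable-DnsTcpWorkaround
```

While the workaround is in place the server cannot resolve names whose upstream response over TCP exceeds 65,280 bytes, which is why it is a stopgap rather than a substitute for the update; run the check function as part of your patch verification so the value is not left behind on servers that have since been updated.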
NCSC Weekly Threat Report 26th June 2020
Action Fraud reveals cost of online fraud during lockdown
A report from Action Fraud has revealed that over 16,000 people fell victim to online shopping and auction fraud during lockdown. The UK's fraud and cyber crime reporting centre says that it has received reports of online shopping fraud totalling £16.6 million in losses.
See full report here:
https://www.ncsc.gov.uk/report/weekly-threat-report-26th-june-2020
This is a joint advisory from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Note
This is a fast-moving situation and this advisory does not seek to catalogue all COVID-19 related malicious cyber activity. You should remain alert to increased activity relating to COVID-19 and take proactive steps to protect yourself and your organisation.
This advisory provides information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.
The NCSC and CISA are working with law enforcement and industry partners to disrupt or prevent these malicious COVID-19 themed cyber activities. We have published a non-exhaustive list of COVID-19 related IOCs via the following links:
The full advisory is available for download here and below.
COVID-19 exploitation
An increasing number of malicious cyber actors are exploiting the current COVID-19 pandemic for their own objectives. In the UK, the NCSC has detected more UK government branded scams relating to COVID-19 than any other subject. Although, from the data seen to date, the overall levels of cyber crime have not increased, both the NCSC and CISA are seeing a growing use of COVID-19 related themes by malicious cyber actors. At the same time, the surge in home working has increased the use of potentially vulnerable services, such as Virtual Private Networks (VPNs), amplifying the threat to individuals and organisations.
APT groups and cyber criminals are targeting individuals, small and medium businesses and large organisations with COVID-19 related scams and phishing emails. This advisory provides you with an overview of COVID-19 related malicious cyber activity. It offers practical advice that individuals and organisations can follow to reduce the risk of being affected. The IOCs provided within the accompanying .csv and .stix files of this advisory are based on analysis from CISA, NCSC, and industry.
Downloads
Advisory: COVID-19 exploited by malicious cyber actors
A joint advisory issued by the NCSC and CISA regarding COVID-19 being exploited by malicious cyber actors.
UK and US issue joint report about COVID-19 exploitation
The COVID-19 pandemic is being increasingly exploited by malicious cyber actors and advice has this week been issued by both the UK and the US.
A report, jointly published by the NCSC and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), provides information on exploitation by cyber criminals and advanced persistent threat (APT) groups of COVID-19. It also includes a list of indicators of compromise (IOCs) for detection as well as mitigation advice.
The data seen to date suggests that overall levels of cyber crime have not increased, but both the NCSC and CISA have seen a growing use of COVID-19 related themes by malicious actors. The threat has also grown because the surge in home working has increased the use of potentially vulnerable services such as Virtual Private Networks (VPNs).
Individuals, small businesses and large organisations are at risk of COVID-19 scams and phishing messages, but the advisory offers some practical advice about how to protect you and your business from these types of attack.
You can read the full advisory here, but you may also find the following guidance for businesses useful:
And for individuals and families:
Microsoft Exchange admins urged to immediately patch critical flaw
In a blog post this week, cyber security firm Rapid7 revealed that over 350,000 Microsoft Exchange servers exposed on the internet haven’t been patched against the CVE-2020-0688 post-auth remote code execution vulnerability. This comes despite Microsoft issuing a patch for the vulnerability on February 22nd.
The remote code execution bug can be exploited by attackers holding valid (for example stolen) credentials for any user of the server, hence 'post-auth', to take over the Exchange server. When patching the flaw earlier this year, Microsoft tagged it with an "Exploitation More Likely" exploitability index assessment, suggesting that the flaw would be particularly attractive to attackers.
With those 350,000 servers accounting for over 80% of the Exchange servers exposed on the internet, admins are being urged to ensure that their servers are patched. That means verifying that the update has been deployed on every server with the Exchange Control Panel (ECP) enabled, and checking those servers for any signs of compromise.
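As an added worked example (not code from the NCSC report, Rapid7 or Microsoft), here are two PowerShell checks that follow that advice on an individual Exchange server. The first looks at whether the ECP virtual directory still carries the fixed ASP.NET machineKey that the February 2020 fix replaces with a per-server key; the second scans IIS logs for the request shape an exploit uses. The web.config path, the IIS field order, the sample log lines and the function names are assumptions for illustration, and the static key constant is the value published in ZDI's write-up of the bug, which you should confirm against that write-up before relying on the check.

```powershell
# Added example, not from the NCSC report, Rapid7 or Microsoft: two checks for
# CVE-2020-0688 on an Exchange server. The web.config path, the W3C field
# order and the sample log lines are assumptions for illustration.

# --- Check 1: is ECP still using the pre-fix static ASP.NET machineKey? -------
# Before the February 2020 fix every Exchange installation shipped the same
# validationKey in ClientAccess\ecp\web.config, which is what makes a forged
# __VIEWSTATE possible; the fix gives each server its own key. The constant is
# the static key quoted in ZDI's public analysis of the bug.
$StaticEcpValidationKey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'

function Get-EcpWebConfigPath {
    $root = $env:ExchangeInstallPath                      # set on Exchange servers
    if (-not $root) { $root = 'C:\Program Files\Microsoft\Exchange Server\V15\' }  # assumed default
    return (Join-Path $root 'ClientAccess\ecp\web.config')
}

function Test-EcpStaticMachineKey {
    param([string]$WebConfig = (Get-EcpWebConfigPath))
    if (-not (Test-Path $WebConfig)) { return $null }    # not an Exchange server, or a non-default path
    [xml]$cfg = Get-Content -Path $WebConfig -Raw
    $key = $cfg.configuration.'system.web'.machineKey.validationKey
    # $true means the static key is still in place, i.e. the fix has not taken effect here.
    return ($key -eq $StaticEcpValidationKey)
}

# --- Check 2: IIS logs for exploitation attempts -------------------------------
# An exploit puts a forged __VIEWSTATE (plus __VIEWSTATEGENERATOR) in the query
# string of a GET to /ecp/default.aspx. Normal ECP traffic carries viewstate in
# POST bodies, so __VIEWSTATE= in cs-uri-query under /ecp/ is a strong indicator.
function Find-EcpViewStateRequests {
    param([string[]]$Lines)
    $hits = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }              # W3C header lines
        $f = $line -split ' '
        if ($f.Count -lt 9) { continue }
        # Assumed default IIS W3C order:
        # date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
        $stem = $f[4]; $query = $f[5]
        if ($stem -match '^/ecp/' -and $query -match '__VIEWSTATE=') {
            $hits += [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Method   = $f[3]
                User     = $f[7]      # the authenticated account whose credentials were used
                ClientIP = $f[8]
                Stem     = $stem
            }
        }
    }
    return $hits
}

# Constructed sample log (not real data): one benign OWA hit, one normal ECP
# POST, and one request shaped like an exploitation attempt.
$SampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2020-07-01 09:12:03 10.0.0.5 GET /owa/ - 443 CORP\alice 10.0.0.20 Mozilla/5.0 200',
    '2020-07-01 09:15:44 10.0.0.5 POST /ecp/default.aspx - 443 CORP\admin 10.0.0.21 Mozilla/5.0 200',
    '2020-07-01 09:16:10 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy 443 CORP\bob 203.0.113.9 python-requests/2.23 500'
)

Find-EcpViewStateRequests -Lines $SampleLog | Format-Table -AutoSize
# On a live server feed real logs instead, e.g.:
#   Find-EcpViewStateRequests -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex2007*.log')
```

The log check only finds attempts, so a hit against a user whose password was valid at the time should be treated as a possible compromise and that account's credentials rotated; in production parse the #Fields header rather than assuming the column order, since IIS logging can be customised per site.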
Guidance on patching can be found in the NCSC’s Small Business Guide, but these other pieces of advice may also be helpful: