Threat assessment and trend analysis
Old Tricks, New Bot
In September, the National Cyber Security Centre was made aware of a new banking Trojan called TrickBot, targeting the customers of online financial institutions in Australia and New Zealand. The latest version has added functionality and has primarily targeted the UK. Once a machine is infected, the attackers use web browser injects and redirection attacks to harvest banking credentials. TrickBot is distributed through both malvertising and spam campaigns directed at businesses; it seems to be targeting the users of corporate online bank accounts.
Though sophisticated, these tactics aren’t new. Nor, according to security company Fidelis Cybersecurity, are the tactics the only thing being re-used. The code reportedly bears striking resemblances to Dyre, the banking Trojan that successfully targeted large numbers of UK devices and disappeared in November 2015 following a Russian law enforcement raid.
Fidelis Cybersecurity suggests that some of Dyre’s creators may have been subsumed into the new TrickBot team. It is also possible that the TrickBot group may have obtained the Dyre source code. At this stage it is unclear which, if either, is true.
TrickBot now appears to be fully operational; we assess it is likely that we will now see an increase in infections of this Trojan, filling the gap left by Dyre.
Backups limit the damage from ransomware
Ransomware is a growing global cyber security threat that can affect any organisation without appropriate defences. A number of UK public sector organisations have been affected over the last year and have experienced impacts on their services either directly or indirectly through the mitigations needed to handle the incident.
The NCSC is aware of recent open source reporting highlighting an example of how a victim organisation was able to restore its systems thanks to data backup procedures. While restoring the data reportedly still took several hours, the impact would have been far greater had there been no backup in place. Following the incident, the victim increased the frequency of its backup schedule from daily to hourly.
The NCSC website provides guidance to protect against ransomware <https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware>. While organisations should ensure they have fully tested backup solutions in place in order to limit the impact of a ransomware infection, backups should be considered a last resort. Backups also need to be kept offline, or otherwise out of reach of the systems they protect: a backup store that an infected host can write to may be encrypted along with the live data. Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. As such, it is important that backups are implemented in conjunction with strong enterprise security, in order to reduce the chances of infection in the first place.
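As an added illustration of what "fully tested" means in practice, the following POSIX shell script (example code written for this page, not NCSC guidance or tooling; it assumes GNU coreutils sha256sum and find, a tar that supports -C, and uses constructed sample files) backs up a directory tree, restores it into scratch space and checks every file against a manifest taken at backup time, checks that the backup is within an hourly schedule window, then simulates a ransomware run on the live files and recovers from the verified backup.

```shell
#!/bin/sh
# Added example (not from the NCSC report): back up a directory tree, then prove
# the backup can actually be restored, by extracting it to scratch space and
# checking every file against a SHA-256 manifest recorded at backup time.
# Assumes POSIX sh plus GNU coreutils (sha256sum, find, mktemp) and tar.
set -eu

# make_backup SRC_DIR BACKUP_DIR
# Writes BACKUP_DIR/backup.tar and BACKUP_DIR/manifest.sha256.
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    # Hash every file relative to SRC_DIR so the manifest can be checked
    # from whatever directory the archive is later extracted into.
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort ) > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
}

# verify_restore BACKUP_DIR SCRATCH_DIR
# A backup that has never been restored is an untested backup: extract the
# archive into an empty scratch directory and verify it against the manifest.
# Returns non-zero if any file is missing or differs from what was backed up.
verify_restore() {
    backup="$1"; scratch="$2"
    rm -rf "$scratch"; mkdir -p "$scratch"
    tar -C "$scratch" -xf "$backup/backup.tar"
    ( cd "$scratch" && sha256sum --quiet -c "$backup/manifest.sha256" )
}

# backup_is_fresh BACKUP_DIR MAX_AGE_MINUTES
# Succeeds only if backup.tar was written within the last MAX_AGE_MINUTES,
# i.e. the schedule (hourly = 60, daily = 1440) is actually being met.
backup_is_fresh() {
    [ -n "$(find "$1" -maxdepth 1 -name backup.tar -mmin -"$2" 2>/dev/null)" ]
}

# demo: constructed sample data, a simulated ransomware run that replaces the
# live files with unreadable junk, and recovery from the verified backup.
demo() {
    work=$(mktemp -d)
    live="$work/live"; bak="$work/backup"; scratch="$work/restore-test"
    mkdir -p "$live/accounts"
    printf 'invoice 1001, 250.00\n' > "$live/accounts/inv1001.csv"   # constructed sample
    printf 'payroll run 2016-11\n'  > "$live/payroll.txt"            # constructed sample

    make_backup "$live" "$bak"
    verify_restore "$bak" "$scratch"     # prove the backup restores cleanly
    backup_is_fresh "$bak" 60            # and that it is inside the hourly window

    # Simulated ransomware: originals deleted, unreadable copies left behind.
    for f in "$live/accounts/inv1001.csv" "$live/payroll.txt"; do
        head -c 64 /dev/urandom > "$f.locked" && rm -f "$f"
    done

    # Recovery: discard the damaged tree and restore from the tested backup,
    # checking the manifest again so a silently bad archive is noticed.
    rm -rf "$live"; mkdir -p "$live"
    tar -C "$live" -xf "$bak/backup.tar"
    ( cd "$live" && sha256sum --quiet -c "$bak/manifest.sha256" )
    rm -rf "$work"
}

demo
```

The restore test is the point: make_backup alone only proves an archive was written, while verify_restore proves it can be read back intact. In a real deployment the scratch restore would be scheduled after each backup run and the manifest kept on write-once or offline media, so that an attacker who reaches the backup share cannot rewrite both the archive and the hashes that vouch for it.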
Proliferation of fake retail apps
The New York Times reported that hundreds of fake retail apps had been discovered in recent weeks on the Apple App Store. The malicious apps began to appear as the retail sector started to gear up for the Christmas shopping season. It can be difficult to identify the apps as they often look almost identical to the legitimate app, and in some cases there is no legitimate app to compare them to. Malicious apps pose a risk to consumers who are prompted to enter their bank or payment card credentials, which are then stolen. Apps can also contain malware such as spyware, designed to harvest personal credentials, and ransomware, which locks a victim’s phone.
Many app stores have screening policies in place, but these are often designed to catch malware rather than fraudulent apps. Apple stated that it had removed the offending apps and that there was a process in place for consumers to flag fraudulent apps. However, this example highlights that cyber threats can impact all businesses, even those which do not currently have an online or app offering, as criminals can exploit their brand, resulting in reputational damage.
Enterprises may wish to consider limiting the apps their users can download to those that have been pre-approved, while consumers should consider the reputation of any new app before installing it.
Microsoft’s monthly Patch Tuesday was this week, so Windows and other Microsoft products dominate this summary. Microsoft released fourteen security bulletins for November, six of which were rated 'critical' and the remainder 'important'. All supported client and server versions of Windows are affected by at least one critical bulletin. In addition to Windows itself, Microsoft published updates affecting Microsoft Edge, Microsoft SQL Server, Office and other Microsoft products. In total, Microsoft patched 68 vulnerabilities, two of which were already being exploited in the wild before the fixes were released.
Adobe released updates to Flash Player and Connect to fix ten vulnerabilities.
Updates were also released by Google for their Chrome browser, by Norton to fix an issue in their mobile security product, and for Citrix, Docker, Sophos, HPE, IBM and Cisco products.