
Weekly Threat Report 11th May 2018

Created:  11 May 2018
Updated:  11 May 2018
NCSC Threat Report
This report is drawn from recent open source reporting.

UK cyber criminal pleads guilty to selling customer credentials on the Dark Web

A cyber criminal who hacked into the online networks of at least 200 companies worldwide recently pleaded guilty to multiple offences in court.

Grant West, 25, who operated under the pseudonym ‘Courvoisier’, was detained in September 2017 following a two-year investigation by Scotland Yard. He was arrested on a train whilst logging on to his dark web marketplace account.

Southwark Crown Court heard that from at least 2015, West hacked into the online networks of Sainsburys, Asda, Apple, Uber, Ladbrokes, JustEat, Argos and others.

The data of thousands of customers was then stolen and used in spear-phishing scams to dupe customers into revealing their credit and debit card details, login credentials and email addresses.

The customer credentials were then sold on the dark web marketplace and used by other cyber criminals to make illegal purchases. Although hacking of the company websites was the major enabler of this cyber criminal activity, the spear-phishing emails ultimately led to customers unwittingly divulging their personal banking details which were then used to steal their money.

Internet users should consider NCSC advice on phishing.

Companies should look at the 10 Steps to cyber security: Network Security section for guidance on how to make online networks more secure.

Twitter Passwords Exposed

Twitter has urged its users to change their passwords after a software bug exposed their login details.

The bug saw usernames and passwords written in plain text and stored in an internal log before being encrypted.

Twitter discovered and fixed the error and have since apologised for their mistake, advising all 330 million users to change their passwords as a precautionary measure.

Despite login credentials being made visible by the bug, Twitter are confident that no details have been compromised.
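The Twitter bug described above is a logging defect: a credential reached a log sink before it was hashed. The following added example (not Twitter's code, nor from this report) shows the kind of debug line that causes the exposure, and a `logging.Filter` that redacts sensitive key/value pairs from every record before any handler writes it; the field names and the sample credentials are constructed for the demonstration.

```python
import io
import logging
import re

# Field names whose values must never reach a log sink (constructed list; extend for your schema).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key")
REDACTED = "[REDACTED]"
# Matches key=value, key: value or "key": "value" for any sensitive key, case-insensitively.
_KV_PATTERN = re.compile(
    r'(?P<key>"?(?:' + "|".join(map(re.escape, SENSITIVE_KEYS)) + r')"?\s*[=:]\s*)'
    r'(?P<val>"[^"]*"|\S+)',
    re.IGNORECASE,
)

def _mask(match: re.Match) -> str:
    # Preserve JSON-style quoting so structured lines stay parseable after redaction.
    quoted = match.group("val").startswith('"')
    return match.group("key") + (f'"{REDACTED}"' if quoted else REDACTED)

def redact_text(text: str) -> str:
    """Replace the value that follows any sensitive key in a free-text log line."""
    return _KV_PATTERN.sub(_mask, text)

class CredentialRedactingFilter(logging.Filter):
    """Scrub credentials from each record before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so a password passed as a bare %s argument is
        # caught once it sits next to its key in the formatted text.
        record.msg = redact_text(record.getMessage())
        record.args = None  # already rendered into msg
        return True  # keep the record; only its content changed

def log_login_attempt(logger: logging.Logger, username: str, password: str) -> None:
    # The kind of debug line the report describes: the raw credential is handed to the logger.
    logger.info("login attempt user=%s password=%s", username, password)

def captured_log_line(redact: bool) -> str:
    """Send one login attempt through a fresh logger and return what the sink received."""
    sink = io.StringIO()
    logger = logging.getLogger(f"demo.redact={redact}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(sink))
    if redact:
        logger.addFilter(CredentialRedactingFilter())
    log_login_attempt(logger, "alice", "hunter2")  # constructed sample credentials
    return sink.getvalue().strip()
```

Attaching the filter to the logger (rather than one handler) means internal and external sinks alike receive the redacted record, which is the property the Twitter incident lacked.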

It is important to manage passwords effectively; never use the same password for important accounts such as banking, work accounts or cloud storage. If your password is exposed on one platform it’s possible that criminals or other threat actors might attempt to use that information in the hope of compromising others.

The NCSC has written a blog around password re-use, and advice to help individuals create strong passwords is available on the Cyber Aware website.

Equifax breach Part 1: Four in five companies still using vulnerable Struts software

According to a recent report by Sonatype, four in five companies have failed to patch a vulnerable component of Apache Struts, a framework for building web applications that thousands of business and enterprise customers use to power their websites.

The 2017 Equifax breach of over 146 million records was attributed to a failure to patch the vulnerable component.

The Sonatype report shows that 10,801 organisations, including 57% of the Fortune Global 100 companies, downloaded vulnerable versions of Struts or its components between March 2017 and February 2018 despite patched versions being available. Only one in five companies has stopped using vulnerable versions of the software.

According to Juniper Networks, another network security company, known vulnerabilities were the leading cause of data breaches during 2016, accounting for 44% of incidents.

While there can be legitimate reasons for downloading older versions of software – reproducing environments, diagnosing regression issues and development use cases – users should avoid using continuity of applications and network connectivity as an excuse for failing to patch known vulnerabilities in a timely manner.

NCSC guidance remains that for production environments users should use the latest versions of software to ensure known vulnerabilities are addressed. Where this is not possible, robust and proactive mitigations must be employed so that access to known vulnerable applications is minimised.

The NCSC website features advice and guidance for Patch Management, and readers should also follow the NCSC 10 steps to Cyber Security.

Equifax breach Part 2: Further details published

Late last week, Equifax published further details regarding the 2017 hack.

Whilst the total number of US individuals affected has not increased, the ongoing audit has identified details of records stolen, including:

  • 146.6 million names
  • 146.6 million dates of birth
  • 145.5 million US social security numbers
  • 99 million addresses
  • 209,000 payment cards (number and expiry date)
  • 20.3 million phone numbers
  • 1.8 million email addresses

Equifax stated that “the additional detail provided does not identify additional consumers affected, and does not require additional consumer notifications”.

There was no clarification on records relating to non-US citizens including the 693,665 UK consumers who had sensitive data exposed.

See previous NCSC reporting on the Equifax breach.

Please also see the NCSC advice and guidance for Equifax customers.

Anti-theft software exploited by state actor

Research by Arbor Networks has alleged that a capable state actor has hijacked software that protects users if their computers are stolen.

The software, called LoJack, allows administrators to remotely lock, locate and remove files from stolen computers.

Its main customers are corporate IT-related firms that need to protect information from exploitation. It is often installed by default. However, the actor has re-configured the software for malicious use to maintain persistent access to targeted devices and communicate with command-and-control servers that the actor operates.

Most anti-virus packages cannot detect when LoJack has been hijacked, or do not recognise the hijacked version as malicious.

Previous research as far back as 2009 has publicised that LoJack could be exploited.

However, not all computers that use LoJack are vulnerable to compromise and data exfiltration – the attacker needs to gain initial access to the machine before they can deploy the hijacked version of LoJack to maintain persistence.
