Weekly Threat Report 16th December 2016

Created:  16 Dec 2016
Updated:  16 Dec 2016
This report is drawn from recent open source reporting.

Successful take-down of DDoS for hire service

Recent joint international law enforcement operations have resulted in the arrests of 34 suspected users of for-hire Distributed Denial of Service (DDoS) attack services. Twelve of the arrests were made in the UK, following a National Crime Agency (NCA)-led operation. The operation targeted Netspoof, an organisation which offered stresser packages to disable web servers and websites by flooding them with enormous volumes of internet traffic. Stressers and booters are tools for stress testing servers which can be misused to conduct DDoS attacks. Netspoof offered attack services for as little as £4.

DDoS-for-hire is a growing threat, accounting for an increasing proportion of DDoS attacks reported to law enforcement. The availability and low cost of these services is attractive to both novices and professional cyber criminals. Motivations for DDoS attacks include extortion, commercial advantage, reputation building, curiosity and simple malice. Disruption to a company's website can result in potential loss of revenue, additional cyber security costs and reputational damage.

Ukrainian critical national infrastructure targeted in destructive cyber attack

It has been reported that Ukraine’s finance and banking system was severely disrupted following a cyber attack on the 6th December. The computer networks of the Ukrainian Finance Ministry and Treasury were both impacted. Payment systems were disrupted for two days and payments were suspended on 7th December. The incident is the most serious reported destructive cyber attack in Ukraine since a December 2015 cyber attack against electricity providers in western Ukraine left parts of the country temporarily without electricity.

In both incidents, critical national infrastructure was targeted using KillDisk malware, which destroys data and files and renders computers unbootable. This is significant because, unusually for an attack against the banking sector, there is no reporting of money being stolen; the aim appears to have been purely destructive.

SWIFT Warning

SWIFT, the global payment messaging system, was reported to have recently warned users of an increased cyber threat to its systems, describing the threat as 'very persistent, adaptive and sophisticated - and here to stay'.

In October 2016, an average of 26 million messages were transmitted between financial institutions via SWIFT per day. The system is an attractive target for actors seeking to fraudulently access vast amounts of money, as evidenced by the theft of $81m from Bangladesh Central Bank in February this year.

SWIFT's message highlights the continuation of the threat to customers as threat actors are said to be 'suspected of trying to replicate the modus operandi of the Bangladesh attackers'. SWIFT reportedly stated that attacks had evolved, with attackers refining their methods following a tightening of SWIFT’s security after the February attacks. 

2013 breach of one billion Yahoo account details

Yahoo has said that, in August 2013, an unauthorised third party stole data associated with more than one billion user accounts, making this the largest data breach reported to date. Yahoo believes that the breach is separate from the incident which impacted 500 million user accounts, disclosed on September 22, 2016.

The stolen data reportedly included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted and unencrypted security questions and answers. There is no suggestion that passwords in clear text, payment card or bank account details were stolen.

Breached data is often sold on the online criminal marketplace. Personal data can be used by criminals to access other accounts held by the victim, or even to create convincing phishing emails. Yahoo customers who use the same passwords and security questions for other accounts should change these immediately. 
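The paragraph above describes the main way breached credentials are turned into further compromise: the same username/password pairs are replayed against other services. The detector below is an added example, not part of the NCSC report; it runs over constructed authentication log lines (the log format, the IP addresses, the usernames and the thresholds are all assumptions) and flags the "low and wide" pattern that distinguishes replayed breach credentials from ordinary password guessing: many distinct accounts tried from one source, each only once or twice, with occasional successes. Accounts that logged in successfully from a flagged source are reported so they can be contacted and have their passwords and security questions reset, which is exactly the advice given above.

```python
"""
Added example (not from the NCSC report): a simple credential-stuffing
detector run over constructed authentication log lines.

Log format, thresholds, IP addresses and usernames are assumptions made for
illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format (one event per line):
#   <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2016-12-16T09:00:01 203.0.113.7 alice FAIL
2016-12-16T09:00:02 203.0.113.7 bob FAIL
2016-12-16T09:00:02 203.0.113.7 carol FAIL
2016-12-16T09:00:03 203.0.113.7 dave FAIL
2016-12-16T09:00:04 203.0.113.7 erin OK
2016-12-16T09:00:05 203.0.113.7 frank FAIL
2016-12-16T09:00:05 203.0.113.7 grace FAIL
2016-12-16T09:03:10 198.51.100.2 alice FAIL
2016-12-16T09:03:12 198.51.100.2 alice FAIL
2016-12-16T09:03:15 198.51.100.2 alice OK
2016-12-16T10:30:00 192.0.2.9 heidi OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_attempts_per_user=2):
    """
    Flag source IPs that, within any `window`, attempt logins against at
    least `min_distinct_users` distinct accounts while trying each account
    at most `max_attempts_per_user` times. A single account hit many times
    (classic brute force) deliberately does NOT match; that is a different
    signal handled by ordinary lockout logic.

    Returns {ip: {"users": n, "successes": n}} for flagged IPs, reporting the
    widest qualifying window seen for each IP.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        # Sliding window over this IP's events, ordered by time.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in window_evs:
                per_user[user] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                successes = sum(1 for _, _, ok in window_evs if ok)
                best = flagged.get(ip)
                if best is None or len(per_user) > best["users"]:
                    flagged[ip] = {"users": len(per_user),
                                   "successes": successes}
    return flagged


def accounts_at_risk(events, flagged):
    """
    Accounts that logged in successfully from a flagged source: these are
    the users whose reused credentials were most likely replayed and who
    should be asked to reset passwords and security questions.
    """
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", sorted(accounts_at_risk(evs, hits)))
```

In the constructed sample, 203.0.113.7 tries seven different accounts once each inside a few seconds and is flagged, with `erin` identified as the account that should be reset; 198.51.100.2 hammers one account three times and is not flagged by this rule, since that pattern belongs to lockout or rate-limiting logic rather than to a breached-credential replay check. The thresholds are deliberately low to keep the sample short; in production they would be tuned against baseline traffic for the service concerned.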

Further advice about resetting passwords can be found on the Cyber Aware website, and practical advice relating to the Yahoo breach is available at the Action Fraud website.  

Vulnerabilities summary

Microsoft released twelve updates this week, including one for CVE-2016-7279, which was found and disclosed by the National Cyber Security Centre (NCSC). Six were rated critical and six important. These updates affected all supported versions of Windows as well as the Internet Explorer and Edge browsers. Several of these vulnerabilities had previously been publicly disclosed but were not known to have been used in attacks.

Apple fixed 97 vulnerabilities in total across macOS/OS X, iTunes, Safari and iCloud, along with additional updates for its iOS mobile platform. Among these was CVE-2016-7615, also found and disclosed by the NCSC.

Adobe released fixes across nine product lines addressing 31 vulnerabilities, including a zero-day in Flash Player that Adobe said was being actively exploited in attacks against Internet Explorer users on Windows.

Elsewhere, Mozilla updated Firefox, Red Hat issued updates for Single Sign-On and JBoss, the Linux kernel received an update to fix a race condition, Apache Tomcat received a cache bug fix, and there were updates from Cisco affecting FireSIGHT, its Email Security Appliance, Emergency Responder, Unified Communications Manager, IOS, TelePresence and others.

Netgear has not yet issued an official fix for the vulnerabilities affecting some of its router models. Beta firmware has been made available, but Netgear has warned users installing it to expect mixed results.
