Weekly Threat Report 25th August 2017

Created:  25 Aug 2017
Updated:  25 Aug 2017
NCSC building with logo
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries using our 'Contact Us' page.
This report is drawn from recent open source reporting.

Data breach affects NHS administrative information

An individual affiliating themselves with the hacktivist collective Anonymous claims to have stolen UK NHS patient data. The attacker claims to have exploited unpatched vulnerabilities in software provided by SwiftQueue, a vendor responsible for managing a number of hospital appointment booking systems.

SwiftQueue have confirmed an unauthorised party accessed 32,501 lines of administrative data. This is likely to include personally identifiable information (PII) on individuals including names, telephone numbers and email addresses. It is possible that the breach exposed a small amount of more sensitive personal data, although no medical information was held on the system.

When third parties are responsible for aggregating and storing large data sets they become an attractive target for criminal activity. This is primarily due to the large amounts of data that can be stolen in a single attack. Third parties have previously been targeted in this way across UK industry.  The need to conduct due diligence on the cyber security practices of third parties is essential to mitigate against these sorts of attacks.

This incident coincides with findings from the fraud prevention service Cifas on a record 89,000 cases of identity fraud reported in the first six months of this year. Identity fraud typically involves criminals pretending to be someone they are not to steal money, buy items or take out loans. Data breaches such as this make life easier for fraudsters who first seek PII on individuals to conduct fraudulent activity.

Removing IT accesses from former employees

A survey released in July 2017 by researchers at OneLogin of 500 US IT decision makers revealed concerning findings on processes for removing IT accesses from former employees.

Nearly half of respondents were reportedly aware of former employees who retained access to corporate accounts after leaving, and in a quarter of cases, employees remained active more than a week after departure. Most concerningly, in a quarter of cases, respondents did not know how long accounts had remained inactive. 

We have written previously about publicly reported examples from the US of disgruntled ex-employees exploiting privileges to cause disruption. In 2014, a former sys admin caused a US paper manufacturing company $1.1 million worth of damage by using network accesses to influence Industrial Control Systems (ICS). Separately, a former engineer used corporate software to disable meter reading equipment at several US water utility companies. Had such accesses been removed, such damage would have likely been prevented.

Former employees’ retention of previously legitimate accesses may also offer an opportunity for threat actors, such as cyber criminals or states, seeking to recruit insiders. A study released earlier this year noted increased efforts by cyber criminals to use the dark web to recruit insiders.

The survey noted the growing number of applications being used within organisations, presenting an increased overhead compared with the smaller number of tools used previously. However, failure to implement proper deprovisioning processes (or single-sign on) is likely to be a false economy. The cost of a consequent data breach may be significant, and could include remediation costs, fines or commercial impact. Furthermore, where accesses pertain to operational technology systems such as ICS, there may be an impact on production, incurring further cost, as well as potential safety issues.

The study and examples noted above are from the US, but UK companies are likely to face the same challenges. The NCSC provides guidance on managing user privileges.

Downturn in exploit kit market

In mid-August, adverts for a new exploit kit were seen on Russian-language hacking forums. The exploit kit is known as ‘Disdain’ and was being made available for rent for certain time periods for a fee, e.g. $1,400 for a month. It appears to be a rehash of open source code from the Sundown/BEPS exploit kit, which was leaked in March 2017. The exploits mentioned in Disdain’s advert are mainly older browser and Adobe Flash exploits, all of which have patches available. It is not certain that Disdain will be able to establish itself as an effective option for cyber criminals.

However, it is still notable that Disdain has appeared at all, given that there has been a significant downturn in the exploit kit market, with very few new exploit kits appearing since the takedown of Angler in 2016. Other exploit kits such as Sundown and Neutrino have dropped off or ceased activity.

A number of factors are likely to have contributed to the decline of exploit kits. For example, the availability of suitable browser exploits has decreased. Adobe Flash, a key target for exploitation, will reach its end-of-life by 2020 and browsers such as Chrome, Firefox and Edge have already moved to minimise support for the plugin. This makes it harder for exploit kits to remain an effective method of compromising victim machines, whilst also impacting on the profitability of running an exploit kit.

However, exploit kits remain a potent tool for cyber criminals and still represent a threat, especially if security updates are not regularly applied. Even rudimentary exploit kits like Disdain can still have a real impact.

Cryptocurrencies defrauded at Initial Coin Offerings

In recent months, there have been two highly publicised cases of cybercriminals defrauding cryptocurrency Initial Coin Offerings, apparently using simple website and email exploits.

ICOs allow investors to buy a newly released cryptocurrency. In many ways ICOs are similar to Initial Public Offerings (IPOs) on stock markets, but unlike IPOs they are unregulated, making them potentially more risky for investors.

In these instances, attackers gained access to the website and email accounts of organisations coordinating the ICOs, and changed the payment addresses to ones they control. Would-be investors inadvertently sent money to criminals rather than the ICO.

As investment in cryptocurrency becomes increasingly mainstream, ICOs will become more attractive targets for attackers. Such cases also emphasise that overall security is only as good as its weakest link: attackers won’t attempt complex attacks on cryptographic blockchains if they can achieve similar results by simple website or email exploits.

Ukraine’s Central Bank warns of new malware threat

On 18 August, Ukraine’s central bank informed state-owned and private lenders of a new malware spread by opening email attachments of word documents.  The bank shared details of the malware’s features as well as indicators of compromise, urging banks to put in place precautionary measures to prevent possible infection. The malware had not been detected by any anti-virus systems, meaning banks and other institutions could be vulnerable to attack if they were not fully patched.

This new threat comes at a time when Ukrainian institutions are still recovering from the effects of the NotPetya attack on 27 June which affected many Ukrainian government agencies and businesses before spreading beyond Ukraine through corporate networks of multinationals. As with NotPetya, this malware has the potential indirectly to affect any UK institutions with a presence in Ukraine or if the malware spreads through connected networks to the UK and other countries. Although Kiev’s central bank has been working hard with the government-backed Computer Emergency Response Team (CERT) and police to improve the defences of the Ukrainian banking sector, the appearance of this new malware is a reminder of the constant need to review and upgrade cyber defences against an ever-evolving threat.


The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.

Join CiSP

Was this report helpful?

We need your feedback to improve this content.

Yes No