The US Government, via the Cybersecurity and Infrastructure Security Agency (CISA), has issued a list of the top 10 routinely exploited vulnerabilities. It lists CVE numbers for the most common attack vectors during the period 2016-2019, as well as looking at some of those cropping up frequently so far in 2020. In what will come as a surprise to no-one, Microsoft's Object Linking and Embedding (OLE) technology features heavily. This is used to enable embedded content between applications such as Word and Excel and is often subverted to create maliciously crafted documents that are sent as email attachments. OLE technology was also used in the top three threats associated with nation-state attack groups in China, Iran, North Korea and Russia. After OLE, the Apache Struts web framework was the next-most-exploited technology. Unfortunately, many organisations do not seem to be getting the message about software vulnerabilities. CISA notes that in December 2019, Chinese state-backed hackers were still exploiting a vulnerability (CVE-2012-0158) that the agency had assessed as being their most-used vector back in 2015. “This trend suggests that organisations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective,” the agency says. In 2020, many attackers seem to be going after unpatched flaws in virtual private network (VPN) systems – notably in products from Citrix and Pulse Secure. There's more information here: www.us-cert.gov/ncas/alerts/aa20-133a.
With many employees now working from home due to the Covid-19 pandemic, cyber criminals are putting a lot of effort into attacking remote desktop protocol (RDP) applications. RDP is used to allow people to log into a computer and use it remotely, or to receive technical support at a distance. According to McAfee, the number of RDP ports exposed to the Internet grew from three million to 4.5 million in the period from January to March 2020. This has been matched by an increase in attacks against RDP ports and a boom in the sale of stolen credentials on hacker marketplaces. Kaspersky has also seen a massive uptick in RDP attacks, especially brute-force login attempts. “As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks,” the company says in a new report. For example, in the US, brute-force attacks against Internet-facing RDP servers have increased from 200,000 per day in early March to more than 1,200,000 during mid-April. The Kaspersky report is here: https://bit.ly/2LAIa4U.
A company that supplies important services to the UK power grid has been hit with a cyber attack. The strike against Elexon, which monitors supplies to the grid and reconciles payments between energy companies, did not have an effect on the electrical supply, but it could have had an impact on the financial mechanisms in the market. Elexon hasn’t revealed many details, other than that the attack affected internal systems and laptops, but it looks as though it might have been a ransomware infection that was largely contained before it could do too much damage. There's more information here: https://bit.ly/2Ze1ugk.
The Israeli National Cyber-Directorate (INCD) has advised organisations working in the energy and water supply sectors in the country to change passwords for all systems with connections to the Internet. Any systems where that is not possible should be taken offline pending the implementation of tighter security. Similar alerts were issued by Israel's Computer Emergency Response Team (CERT) and by the government Water Authority. The latter told firms to change credentials, “with emphasis on operational systems and chlorine control devices in particular”. The alerts were prompted by a report sent to the Government by cyber security firm ClearSky, which has been tracking an Islamist group's activities on social media. The group, Jerusalem Electronic Army, often posts screenshots from attacks it claims to have made against targets, including Israeli universities and government systems. However, there have been no confirmed reports of successful intrusion at water treatment and supply companies.
Microsoft's Digital Crimes Unit (DCU) has succeeded in taking down a 400,000-strong botnet that was being controlled by a single Internet of Things (IoT) device – an LED light control console. The botnet was being used for activities such as phishing campaigns, malware distribution, ransomware payload delivery and the launch of distributed denial of service (DDoS) attacks. As much as 1TB of malicious data was being sent out per week. Working with Taiwan's Ministry of Justice Investigation Bureau (MJIB), the DCU tracked down a single IP address being used as a command and control server. This turned out to be a compromised Internet-enabled lighting console. By shutting down this device, the botnet has effectively been taken offline. There's more information here: https://bit.ly/2AGeu4f.
The REvil (aka Sodinokibi) ransomware group, which appears to have stolen large amounts of data from US law firm Grubman Shire Meiselas & Sacks (GSMLaw), is claiming that its haul includes significant amounts of “dirty laundry” on US President Donald Trump. Most of the stolen data relates to celebrities in the entertainment industries, and the group has already published samples relating to Lady Gaga and others. GSMLaw responded to the demand for a $42m ransom, and to the specific threat to Trump, by saying that the FBI has classed this action as ‘terrorism’ and that “negotiating with or paying a ransom to terrorists is a violation of federal criminal law”. This has prompted the REvil group to release 169 emails on the dark web which it claims are the “most harmless information”. However, the emails appear to have nothing to do with Trump.
The targets of distributed denial of service (DDoS) attacks have shifted somewhat to reflect life during a pandemic, according to research by Kaspersky. The most targeted resources in the first quarter of 2020 have been the websites of medical organisations, delivery services and gaming and educational platforms. Some of these attacks could be political or nation-state backed. For example, in mid-March attackers made an unsuccessful attempt to disable the website of the US Department of Health and Human Services (HHS), probably with the aim of preventing visitors from obtaining official data about the pandemic. At the same time, cyber actors were busy spreading misinformation on social networks and via text and email about the introduction of a nationwide quarantine in the US. An attack on the Paris-based group of hospitals Assistance Publique-Hôpitaux de Paris meant that remote hospital workers were unable to use software and email for some time. Other attacks were more likely to have been purely criminal, such as those against food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands). Online gaming platforms, which have been under heavy load during lockdowns, also came in for attack, including Battle.net, Eve Online and Wargaming. There's more information here: https://bit.ly/3bIw70b.
French authorities claimed to have taken down an international network involved in the ‘jackpotting’ of ATMs. This is where malware is inserted into the machines so that money mules can make them disburse all the cash they hold. The hacking group is believed to have been involved in 19 such incidents in France, which paid out €280,000. Now, Paris prosecutor Remy Heitz has announced that two suspects from the “Russian-speaking community” have been charged and are being held in custody.