Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label NCSC. Show all posts
TLS
C2 Chinese Hackers Chinese Threat Actors Cyber Attacks Malware Attack NCSC Sophos TLS

NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack

 

The National Cyber Security Centre (NCSC) recently disclosed the presence of a Linux malware, “Pigmy Goat,” specifically designed to breach Sophos XG firewall devices. This malware, allegedly developed by Chinese cyber actors, represents a significant evolution in network infiltration tactics due to its complexity and advanced evasion methods. 

This revelation follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign involving Chinese threat actors targeting network devices at an unprecedented scale. Among the identified tools, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, making it challenging to detect. This strategy is known to use stealth by masking its identity within commonly named system files to evade basic detection protocols. “Pigmy Goat” enables threat actors to establish persistent, unauthorized access to the target’s network. Using the LD_PRELOAD environment variable, it embeds itself in the SSH daemon (sshd), allowing it to intercept and alter incoming connections. 

The malware seeks specific sequences called “magic bytes” to identify backdoor sessions, which it redirects through a Unix socket, thereby concealing its presence from standard security monitoring. Once a connection is established, it communicates with command and control (C2) servers over TLS. The malware cleverly mimics Fortinet’s FortiGate certificate, blending into networks where Fortinet devices are prevalent, to avoid suspicion. This backdoor offers threat actors multiple capabilities to monitor, control, and manipulate the network environment. Through commands from the C2, attackers can remotely open shell access, track network activity, adjust scheduled tasks, or even set up a SOCKS5 proxy, which helps them remain undetected while maintaining control over the network. These actions could allow unauthorized data access or further exploitation, posing significant threats to organizational cybersecurity. 

The NCSC report aligns “Pigmy Goat” with tactics used in “Castletap” malware, which cybersecurity firm Mandiant has linked to Chinese nation-state actors. The report’s insights reinforce concerns over the evolving sophistication in state-sponsored cyber tools aimed at infiltrating critical network infrastructure worldwide. Detection and prevention of “Pigmy Goat” are crucial to mitigating its impact. The NCSC report provides tools for identifying infection, including file hashes, YARA rules, and Snort rules, which can detect specific sequences and fake SSH handshakes associated with the malware. 

Additionally, monitoring for unusual files and behaviours, such as encrypted payloads in ICMP packets or the use of ‘LD_PRELOAD’ within the sshd process, can be effective. These insights empower network defenders to recognize early signs of compromise and respond swiftly, reinforcing defences against this sophisticated threat.
Read more »
US Space Industry
Aerospace Cyber Attacks Cyberattacks NCSC new technologies satellite infrastructure space-based assets US Space Industry

U.S. Intelligence Reports: Spies and Hackers are Targeting US Space Industry


U.S. intelligence agencies have recently issued a warning against foreign spies who are targeting the American space industry and executing cyberattacks against the country’s satellite infrastructure.

The U.S. Office of the Director of National Intelligence's National Counterintelligence and Security Center (NCSC) issued a bulletin on August 18, alerting the public that foreign intelligence agencies may use cyberattacks, front companies, or traditional espionage to gather sensitive data about American space capabilities or cutting-edge technologies. The threat also mentions the employment of counter space technologies, such as hacking or jamming of satellites, to interfere with or harm American satellite systems.

As noted by the NCSC bulletin, foreign intelligence agencies "recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets." 

A set of guidelines is provided in the statement to assist private enterprises in minimizing any potential harm that these espionage attempts may create. The warning comes as funding for the U.S. space sector is rising rapidly with America’s satellite infrastructure expanding at an unparalleled rate.

NCSC further mentions a number of ways that foreign intelligence can seek to gain access to space agencies, to get hold of their insights and new technologies. Some of these methods appeared innocent enough, such as approaching space industry professionals at conferences or getting in touch with them through online forums to get information.

Other methods were more linked to ‘business dealings,’ through which foreign intel agencies frequently try to obtain access to sensitive information by investing in space companies through joint ventures or shell companies, or by buying their way into the supply chain that American aerospace companies rely on for the sourcing of parts and materials.

Some of the other methods mentioned were more explicit in nature, like carrying out cyberattacks or breaching private networks to steal intellectual property.

Moreover, the NCSC's bulletin warned the private space sector and stated that foreign intelligence agencies can compromise American national security by "collecting sensitive data related to satellite payloads, disrupting and degrading U.S. satellite communications, remote sensing and imaging capabilities," and targeting American commercial space infrastructure during interstate hostilities.  

Read more »
NCSC
ANSSI Cyber Attacks Data protection Hackers-for-hire Law Firms NCSC

Hackers for Hire Going After Law Firms, Alert French and UK Watchdogs

Hackers for hire targeting law firms

According to French and British authorities, law firms are increasingly targeted by mercenary hackers hired to steal data that could affect legal disputes. Reports from the UK's National Cyber Security Centre (NCSC) and France's cyber watchdog agency ANSSI emphasize the different digital dangers law firms face.

Mercenary hackers are on the rise

The cyber watchdog authorities of France and the United Kingdom documented a range of digital challenges law firms face in recent publications, including those posed by ransomware and hostile insiders. Both emphasized the risks presented by mercenary hackers hired by litigants to steal sensitive info from their adversaries in court.

The consequences on legal firms

The increasing number of mercenary hackers targeting law firms threatens the credibility of legal cases. These hackers can tip the scales in favor of their clients by collecting essential data from competing parties. It breaks down the legal system's fairness and has significant consequences for persons involved in legal disputes.

Law firms must take precautions to safeguard themselves against these dangers. Examples of this are implementing effective cybersecurity measures and teaching personnel to spot and avoid typical cyber risks. Firms must also closely monitor their networks for signs of penetration and respond fast to any breaches.

The increase in hackers-for-hire targeting law firms is a concerning trend that must be addressed. Law firms must take precautions to protect themselves from these threats, while authorities must seek to stop these criminal acts. Only through collaboration can we maintain the integrity of our legal system and safeguard it from these grave cyber attacks.

How users may defend themselves

1. Maintain software updates: Check that your operating system and all software have the most recent security patches.

2. Use strong passwords: For all accounts, use unique, complicated passwords, and enable two-factor authentication whenever possible.

3. When opening emails, use caution: Open emails from unknown senders with caution, and avoid clicking on links or attachments in emails.

4. Make a backup of your data: Back up important files regularly to an external hard drive or a cloud storage service.

5. Use antivirus software: Install and keep up-to-date trusted antivirus software on your devices.


Read more »
Ransomware
cyber attack Cyber Attacks Cyberwarfare Nation-State Attack NCSC NHS Ransomware

Russians Hackers May Have Breached NHS Trust With 2.5 Million Patients

 

Intelligence authorities are currently engaged in an investigation into a suspected cyber attack targeting a prominent NHS trust, which serves a vast patient population of 2.5 million individuals. This incident involves a notorious group specializing in ransomware attacks, who have asserted that they possess significant volumes of sensitive data extracted from Barts Health NHS Trust. 

The attackers have issued a deadline of Monday, after which they intend to publicly disclose the pilfered information. On Friday, a group known as BlackCat or ALPHV made a statement asserting that they have successfully breached the security of the targeted organization, gaining unauthorized access to sensitive employee information such as CVs and financial data, including credit card details. 

Additionally, they claimed to have obtained confidential documents pertaining to individuals' identities. The exact nature of the information involved in the incident remains uncertain, including whether it includes patient data or if the hacking group has effectively infiltrated the trust's systems. 

Nevertheless, the situation introduces the possibility that private data belonging to the extensive patient population of approximately 2.5 million individuals served by Barts Health NHS Trust may be exposed on the dark web. In response to these developments, the trust, which encompasses six hospitals and ten clinics in East London, expressed its immediate commitment to conducting a thorough investigation into the claims. 

BlackCat emerged onto the radar in 2021 and has gained a reputation as one of the most advanced malware operations to date. According to reports, the group responsible for BlackCat managed to infiltrate approximately 200 organizations during the period spanning November 2021 to September 2022. 

The gang's modus operandi involves employing various extortion techniques against their victims. These tactics include issuing individualized ransom demands, which encompass requests for decryption keys to unlock infected files, threats of publishing stolen data, and warnings of launching denial of service attacks. 

According to sources at The Telegraph, The National Cyber Security Centre (NCSC), which operates under the purview of GCHQ, is actively involved in the ongoing investigation. Ransomware attacks employ specialized software to either extract sensitive data from the victim or restrict their access to it. 

In certain instances, the attackers employ encryption techniques to lock the targeted files, subsequently demanding a ransom in exchange for providing the decryption key. In 2017, the NHS experienced a significant and widespread impact from the global "Wannacry" ransomware attack, resulting in a temporary halt of operations within the healthcare system. 

The severity of the situation necessitated the urgent transfer of critical patients from affected hospitals to alternative facilities. Notably, the hacking group did not make any mention of an encryption key in their communication. 

Experts in the field have put forward a hypothesis that this omission could potentially indicate that the gang has not encrypted the pilfered information. Instead, they might be employing a strategy commonly seen in such cases, aiming for a swift payment from the targeted organization. This tactic has become increasingly prevalent in recent times.
Read more »
Ukraine
Cyber Security CyberFirst National Cyber Security Centre NCSC Ukraine

Ukraine’s Cyber-Defenses Have Been Exemplary, Says Lindy Cameron


It has always been a necessary task to defend one’s digital life in order to secure critical systems and services. In recent years, the UK has witnessed a range of online threats, varying from ransomware threats, and online frauds, to the cybersecurity risks that the country garnered with the return of war in Europe.

Considering the changes in the entire cybersecurity landscape over the past year, the UK needs a whole-of-society response to combat the ever-evolving online threats, risks, and vulnerability, in order to secure the nation’s online status. 

Working with allies and partners in both the public and private sectors, the National Cyber Security Centre (NCSC) has contributed to a significant effort to increase our country's resilience at each level. Along with reflecting on significant achievements and challenges faced over the past, its Annual Review sheds light on what can we learn from the past year to combat the threats and perplexities that lie ahead. 

The invasion of Ukraine was one of the biggest problems for cybersecurity. While Russia's harsh and devastating war aimed to change the world's physical geography, its effects were felt everywhere, including in cyberspace. 

“While Russia’s brutal war has sought to redraw the physical map, its consequences have been felt in cyberspace,” says Lindy Cameron, CEO of the National Cyber Security Centre. 

NCSC, as a part of GCHQ, could monitor cybersecurity threats and has cautioned of increased cyber risks because of Russian hostility from the beginning of 2022. It has additionally published expert guidelines to aid organizations strengthen their defenses, and has collaborated extensively with partners to make sure that vital enterprises, infrastructure, and society as a whole are as robust as possible. 

Ransomware continues to present one of the greatest risks to UK businesses and organizations, and we have already witnessed the adverse repercussions that attacks may have on operations, finances, and reputations of organizations, resulting in the widespread wreck for consumers. 

The NCSC has published expert guidance to aid organizations to take measures to secure themselves online and continues to urge CEOs to take the matter seriously and should not be left to the technical experts. 

Since last year, NCSC has helped contain hundreds of thousands of upstream cyberattacks, while as well reinforcing preparedness for the same. Moreover, helping organizations and institutions gain a better understanding of the nature of threats, risks, and vulnerabilities downstream. 

By addressing these challenges, NCSC ensures the UK to emerge as a global cyber-power in the future. Its overall plan for doing so is outlined in the National Cyber Strategy, which acknowledges that thriving cyber skill and growth in the ecosystem is important to maintain this advantage and support the diversity of talent at its core. 

In the past year, initiatives like CyberFirst have collaborated with thousands of young people from all across the country, while NCSC has supported businesses for Startup programs, generating hundreds of millions of pounds in investments. 

“This is a source of great optimism for me and my team as we look ahead to 2023. But cybersecurity is a team sport and it is only through mobilising the whole of society that we can achieve our goal of making the UK a safe place to live and work online,” adds Cameron.  

Read more »
User Privacy
Cyber Crime NCSC NSA Software Supply Chain Attack User Privacy

UK Issued New Cybersecurity Guidelines on Emerging Supply Chain Attacks

A surge in the number of instances has prompted cyber security experts to issue a fresh warning about the danger of supply chain hacks. Businesses have been advised by the UK's cybersecurity agency to take additional precautions against supply chain assaults. In response to what it claims to be a recent increase in supply chain threats, the National Cyber Security Center (NCSC) has produced fresh advice for enterprises.

Although the advice is applicable to businesses in all industries, it was released in collaboration with the Cross-Market Operational Resilience Group (CMORG), which promotes the enhancement of the operational resilience of the financial sector. The advice, which is intended to assist medium-sized and larger enterprises, evaluates the cyber risks of collaborating with suppliers and provides confirmation that mitigation techniques are in effect for vulnerabilities related to doing business with suppliers.

The 2020 hack on SolarWinds' software build system, the 2021 ransomware attack on Kaseya clients, and the 2017 NotPetya attack via a Ukraine accounting program are a few notable recent incidents. President Joe Biden of the United States issued an executive order to improve cybersecurity in response to SolarWinds.

In a document titled 'Defending the Pipeline' published by NCSC in February, the agency recommended businesses and programmers use continuous integration and delivery (CI/CD) to automate software development. The CEO of NCSC ranked ransomware as the top cyber danger in October of last year, while also warning that supply chain concerns will persist for years.

The new guidance is assisted medium and bigger enterprises in "evaluating the cyber risks of collaborating with suppliers and gaining assurance that mitigations are in place," according to NCSC in an announcement.

According to the UK government's report on security breaches in 2022, more than half of companies, big and small, contract out their IT and cybersecurity needs to outside companies. However,  s evaluated the dangers posed by immediate suppliers. These respondents claimed that the importance of cybersecurity in procurement was low.

According to Ian McCormack, NCSC deputy director for government cyber resilience, supply chain attacks represents a significant cyber danger to organizations and incidents can have a significant, ongoing effect on companies and customers.

The advice is broken down into five stages that address why businesses should care about supply chain cybersecurity, how to identify and protect one's private data when developing an approach, how to apply the approach to new suppliers, how to apply it to contracts with current suppliers, and continuous improvement.

The US intelligence agency, NSA, released its software supply chain recommendations last month with a focus on developers. New standards for the purchase of software were also released in the same month by the US Office of Management and Budget.
Read more »
NCSC
AML Cyber Security Machine learning NCSC

UK Government Releases New Machine Learning Guidance


Machine Learning and NCSC

The UK's top cybersecurity agency has released new guidance designed to assist developers and others identify and patch vulnerabilities in Machine Learning (ML) systems. 

GCHQ's National Cyber Security Centre (NCSC) has laid out together its principles for the security of machine learning for any company that is looking to reduce potential adversarial machine learning (AML). 

What is Adversarial Machine Learning (AML)?

AML attacks compromise the unique features of ML or AI systems to attain different goals. AML has become a serious issue as technology has found its way into a rising critical range of systems, finance, national security, underpinning healthcare, and more. 

At its core, software security depends on understanding how a component or system works. This lets a system owner inspect and analyze vulnerabilities, these can be reduced or accepted later. 

Sadly, it's difficult to deal with this ML. ML is precisely used for enabling a system that has self-learning, to take out information from data, with negligible assistance from a human developer.

ML behaviour and difficulty to interpret 

Since a model's internal logic depends on data, its behaviour can be problematic to understand, and at times is next to impossible to fully comprehend why it is doing what it is doing. 

This explains why ML components haven't undergone the same level of inspection as regular systems, and why some vulnerabilities can't be identified. 

According to experts, the new ML principles will help any organization "involved in the development, deployment, or decommissioning of a system containing ML." 

The experts have pointed out some key limitations in ML systems, these include:

  • Dependence on data: modifying training data can cause unintended behaviour, and the threat actors can exploit this. 
  • Opaque model logic: developers sometimes can't understand or explain a model's logic, which can affect their ability to reduce risk.
  • Challenges verifying models: it is almost impossible to cross-check if a model will behave as expected under the whole range of inputs to which it might be a subject, and we should note that there can be billions of these. 
  • Reverse engineering models and training data can be rebuilt by threat actors to help them in launching attacks. 
  • Need for retraining: Many ML systems use "continuous learning" to improve performance over time, however, it means that security must be reassessed every time a new model version is released. It can be several times a day. 

In the NCSC, the team recognises the massive benefits that good data science and ML can bring to society, along with cybersecurity. The NCSC wants to make sure these benefits are recognised. 








Read more »
Wiper
Cyber Attacks DDOS Attacks EU Malicious Files NCSC Russia-Ukraine War Spyware Attack Wiper

Russia Dubbed as the "Centre" of European-wide Cyber-Attacks

 

Since the beginning of Russia's invasion of Ukraine, the EU, UK, US, and other allies have recognized that Russia has been behind a wave of cyber-attacks. The most recent distributed denial-of-service (DDoS) attack on Viasat's commercial communications network in Ukraine, which occurred on the same day that Russia launched its full-fledged invasion, had a greater impact across Europe, disrupting wind farms and internet users. 

The outage on Viasat affected almost one-third of bigblu's 40,000 users throughout Europe, including Germany, France, Hungary, Greece, Italy, and Poland, according to Eutelsat, the parent company of bigblu satellite internet service. The incident impacted wind farms and internet users in central Europe, creating outages for thousands of Ukrainian customers. 

In the regard, the key statements by the West are as follows:

  • The European Union said that Russia was behind the strike, which occurred "one hour before" the invasion of Ukraine. 
  • Estonia: The member of the European Union went even further. With "high certainty," the country blamed the hack on Russia's military intelligence arm, saying it had "gone counter to international law." 
  • The United Kingdom's National Cyber Security Centre is "almost convinced" that Russia was behind the Viasat attack, according to the UK, citing "new UK and US intelligence." Meanwhile, the report said that "Russian Military Intelligence was probably certainly involved" in defacing Russian websites and releasing damaging spyware.
The main aim, according to the joint intelligence advisory, was the Ukrainian military. "Thousands of terminals have been destroyed, rendered useless, and are unable to be restored," according to Viasat. Russian military intelligence was likely certainly engaged in the January 13 attacks on Ukrainian official websites and the distribution of Whispergate harmful malware, according to the UK's National Cyber Security Centre (NCSC). 

"This is clear and alarming proof of an intentional and malicious attack by Russia against Ukraine, which had huge ramifications for ordinary people and businesses in Ukraine and across Europe," Foreign Secretary Liz Truss said. 

In the past Russian criminals hijacked the updater system of Ukrainian accounting software provider MEDoc in June 2017, infecting MEDoc users with the wiper virus NotPetya. The evidence suggests that Wiper malware infected several Ukrainian government networks again in 2022, and Gamaredon attacks targeted roughly 5,000 entities, including key infrastructure and government departments.

NCSC director of operations Paul Chichester addressed why the attribution was being done now, two and a half months after the occurrence, at a press conference at CYBERUK 2022. "We execute attributions in a process-driven manner; accuracy is extremely essential to us," he explained. Collaboration with international bodies such as the EU and the Five Eyes adds to the length of time it took to provide this material. 

Such cyber action aims to demoralize the public and degrade essential infrastructure. The perceived difficulties of precisely attributing the attack to any single aggressor is a benefit of conducting the earliest stages of kinetic activity in cyberspace. Putin has been emphatic in his denial of any Russian government participation in the attacks.
Read more »
Supply Chain
Cyber Security NCSC Researcher Risks Russia Supply Chain

NCSC Suggests to Reconsider Russian Supply Chain Risks

 

One of the UK's top security agencies has encouraged the public sector, critical infrastructure (CNI), and other institutions to rethink the hazards of any "Russian-controlled" elements of their supply chain. 

There is no evidence that the Russian government is preparing to compel private providers to harm UK interests, according to Ian Levy, technical director of the National Cyber Security Centre (NCSC). That doesn't rule out the possibility of it happening or happening in the future, he continued. 

"Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed. The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them,” Levy argued. 

All UK public sector organisations, those supplying services to Ukraine, CNI enterprises, organisations performing the activity that could be regarded as being in opposition to Russian interests, and high-profile institutions whose compromise would be a PR success for the Kremlin are all covered by the new NCSC guidelines. 

Levy continued, “You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk. Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.” 

Even those companies which aren’t likely to be a target should remember that global sanctions could impact the availability of any Russian technology services. There was some good news from the NCSC. Levy said individuals using Kaspersky products could continue to do so relatively safely. He claimed that “massive, global cyber-attacks” are unlikely to be launched due to the conflict.
Read more »
United Kingdom
Cyber Security IT system NCSC security measures United Kingdom

In Q2 2022, NCSC Plans to Launch a New Assurance Scheme for IR and SimEx

 

In Q2 2022, the National Cyber Security Centre (NCSC) plans to implement a new assurance scheme for incident response (IR) and simulated exercises (SimEx), which might be a game-changer in the security sector. This will essentially result in the standardization of IR and SimEx across the board, as well as the expansion of commercial reach, opening up new markets for assured suppliers. Previously, the NCSC only offered the Cyber Incident Response (CIR) Service – shortly to be renamed CIR Level 1 – to UK Central Government and major corporations with complex IT systems that were regarded to have "national significance" networks. 

The new CIR service will dramatically broaden its reach to include local businesses, major businesses, and SMEs, while the new Cyber Incident Exercising Service will target large and medium organizations, as well as central and regional UK government. Because of the scope of the undertaking, the NCSC aims to hire Assured Scheme Partners to assess and onboard Assured Service Providers to police the scheme. 

The government agency is presently selecting its Assured Scheme Partners, with whom it will collaborate to develop the operating model and define how it will execute its technical standards across both services. 

SimEx can range from simple desktop exercises to full-fledged simulations, allowing corporate teams to respond to a given attack scenario. They could take the shape of a ransomware or phishing assault, DDoS simulation, or sensitive data being released on the dark web. A simulated exercise's purpose is to practise, analyze, or enhance the IR plan, so the true learning comes from how effectively the incident response process functions. 

Although it is unclear how the new Cyber Incident Exercising Service can support this wide range of activities, the NCSC has announced that it will include table-top and live-play formats. It will likely provide a sliding scale of increasingly complicated services, bringing much-needed clarity to the market. 

One of the main difficulties with SimEx today is that once the business considers testing its IR, prices may quickly escalate, so a formal framework with multiple techniques would help teams know precisely what they've signed up for and how much bang for their buck they're getting. 

Rather than the organization blindly investing in technology and presuming that its policies are being followed, these tests evaluate the effectiveness of security protocols by using attack scenarios that the organization is likely to face in the current threat landscape, informing the business of what is/isn't working and where the disparities are so that future spend can be focused.
Read more »
Privacy
COVID-19 COVID-19. E-Commerce NCSC Online Shopping Privacy

NCSC Urges Customers to Stay Aware About Scams On E-commerce Platforms

 

National Cyber Security Centre (NCSC) made a final request to customers prior to the busiest weekend before Christmas, to be aware of fraud and data theft attacks. The GCHQ agency requested customers to secure their devices, be informed about unsolicited messages, and reduce the size of information they input into online shopping websites and e-commerce websites. As per the banking body of UK Finance, around €22 bn was spent online on Christmas shopping last year because of the Covid-19 pandemic. 

Currently, with the rise of the Omicron variant, 2021 probably experienced a similar pattern, risking more customers vulnerable online. The attacks may come in many forms, it may include phishing emails having fake shipping details, and fake warnings about hacked accounts or fake gift cards which require the user to share personal details in order to use the offers. Customers may also be contacted through social media messages and emails having "unbelievable" offers for popular discount gift items, like electronics. Once the customer falls for these tricks, he loses his money along with banking details and personal information, which is stolen by the hackers. 

As per NCSC, the urge to buy last moment presents during a festival may be a reason that customers fall victim to such attacks easily. In order to be safe, users can follow some practical steps like having a strong password on websites before placing an order. It is advised to use strong, unique passwords with two-factor authentication for every account, especially banking, email and payment services. Online customers are also advised to avoid unsolicited notifications, particularly messages linked to suspicious websites, and platforms that depend on payment with a credit card. 

Lastly, customers should log in as guests while making a purchase to avoid revealing too much personal information. As per NCSC, "if you think your credit or debit card has been used by someone else, let your bank know straight away so they can block anyone using it. Always contact your bank using the official website or phone number. Don't use the links or contact details in the message you have been sent or given over the phone."
Read more »
United Kingdom
Cyber Attacks Cyber Security Incidents NCSC United Kingdom

Gloucestershire Council's Website is Being Disrupted due to a Cyber Attack

 

Since the incident on December 20, Gloucester City Council has been attempting to repair some of its online services. The council's online revenue and benefits areas, as well as planning and customer service, are all affected. It pleaded for patience while the services were restored and invited users to email it directly if they had any problems. In addition, the council is collaborating with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to resolve the problem. 

Gloucester City Council is the city authority for the city of Gloucester, which is divided into 18 wards and has 39 councilors elected to serve on the City Council. There were 22 Conservative councilors, 10 Labour councilors, and 7 Liberal Democrat councilors following the 2016 election. The current composition consists of 18 Conservatives, 9 Liberal Democrats, 8 Labour, and 1 independent. 

Residents are also unable to use interactive online application forms used to claim housing benefits, council tax support, test and track support payments, or discretionary housing payments. The problem appears to be so significant that other councils in Gloucestershire, as well as government organizations, are said to have blocked emails from the city council. According to the Local Democracy Reporting Service, the council's planning application website is also unavailable as a result of the attack. 

Those checking in are presently unable to read planning application details or submit comments via the online portal, and the council is unable to email or post plans to customers. The council claims it is doing everything possible to ensure that customers can still contact them, with the primary focus being on dealing with urgent customer matters. Meanwhile, work is being done to bring systems back online once it is deemed safe to do so. 

A spokesperson from Gloucester City Council said: “Through the course of December 20, we became aware that some of our IT systems had been affected by a cyber incident. As a result of the incident, there is currently disruption to some systems and services. We are doing all we can to make sure customers can still contact us but we do ask people to be patient."

"We have been actively working with the National Cyber Security Centre and the National Crime Agency to understand more about the nature of the attack and minimize the impact," he added. Our priority for the next several days will be to handle critical customer issues and to continue working with national agencies to bring our systems back online as fast and safely as possible, he concluded.
Read more »
UK
Cyber Attacks Cyber Threats Ireland NCSC Transport Sectors UK

NCSC Alerts of Cyber Threats to Ireland's Energy, Telecoms and Transport Sectors

 

One of the UK's leading cyber officials has cautioned of a rising threat to Ireland's cross-border telecoms, energy, and transportation infrastructure while praising the UK's continued close cooperation 

Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), mentioned that the two countries had "shared cyber interests" and a strong bilateral partnership while speaking remotely at an Institute of International and European Affairs (IIEA) event in Dublin. 

This will become increasingly crucial, as per given the potential of increased cyber-threats affecting both Northern Ireland and its southern neighbor.

“Energy security for Northern Ireland is based on gas pipelines and electrical interconnectors to both Great Britain and across the border, including the Single Electricity Market. The energy sector is dependent on operational technology — connected systems that monitor and control automated industrial processes — to function effectively and efficiently,” Cameron explained. 

Cameron noted that it is a real possibility that this reliance on operational technology and the interconnected nature of the energy supply network on the island of Ireland combines to create a potential target for cyber-attacks.

Other probable concerns include a ransomware attack on the rail link between Belfast and Dublin, collectively operated by Northern Ireland Railways and Irish Rail, she noted. 

Cameron cautioned state actors are a constant concern that might exhibit themselves in the telecoms industry – where targets could be compromised to facilitate spying in other sectors as well as sources of consumer and communications data in and of themselves. 

She further added, “Some managed service providers that operate in Northern Ireland provide services both sides of the border. It is, therefore, a realistic possibility that a cyber-attack on a telecoms provider could impact services to both of our countries.” 

“The governments of both UK and Ireland have been clear that they will not tolerate malicious cyber activity, and we have and will publicly call out state-level attacks.” 

These dangers are no longer theoretical: in May, the Irish Health Service was targeted by a very destructive ransomware attack, which Cameron claimed put patients' lives in jeopardy. 

Following the incident, the NCSC collaborated closely with its Irish partners, however, the threat actors themselves handed over the decryption key after a few days as a "public relations move".
Read more »
Vodafone
Android Cyber Security NCSC Spyware Vodafone

Flubot can Spy on Phones and can Gather Online Banking Details

 

Experts cautioned that a text message scam infecting Android phones is expanding across the UK. The message, which appears to be from a parcel delivery company and instructs users to download a tracking program, is actually a malicious piece of spyware. Flubot can seize over smartphones and spy on phones in order to collect sensitive data, such as online banking information. Vodafone, the network provider, said that millions of text messages had now been transmitted through all networks. 

Flubot is the name of malicious malware that attacks Android devices. Flubot is distributed by cybercriminals through SMS messages that include links to download websites for a bogus FedEx program (in at least three languages, including German, Polish, and Hungarian). These websites download a malicious APK file (Android Package File) that installs the banking malware Flubot. 

“We believe this current wave of Flubot malware SMS attacks will gain serious traction very quickly, and it's something that needs awareness to stop the spread," a spokesman said. Customers should "be extra cautious about this specific piece of malware,” he said, and avoid clicking on any links in text messages. 

Later, the National Cyber Security Centre (NCSC) provided guidelines on the threat, with instructions on what to do if you accidentally accessed the attacker's program. "If users have clicked a malicious link it's important not to panic - there are actionable steps they can take to protect their devices and their accounts," the NCSC said in a statement. The ransomware may also send further text messages to the contacts of an infected person, aiding its propagation. 

"The seriousness of these malicious text messages is underlined by Vodafone making the decision to alert its customers," said Ben Wood, chief analyst at CCS Insight. "This has the potential to become a denial-of-service attack on mobile networks, given the clear risk that a rogue application can be installed on users' smartphones and start spewing out endless text messages. The broader risk for users is a loss of highly sensitive personal data from their phones," he added. 

Although text message scams pretending to be from a package delivery company are popular, they have mainly focused on phishing, which involves tricking the recipient into filling out a form with personal information such as bank account numbers.
Read more »
Vulnerabilities and Exploits
Fortinet NCSC User Security VPN Vulnerabilities and Exploits

NCSC Warns of Exploited VPN Servers: Here are the Safety Tips to Fix Your VPN

 

The UK’s Nationwide Cyber Safety Centre (NCSC) has published a new advisory warning that cybercriminals as well as Advanced Persistent Threat (APT) actors are actively searching for unpatched VPN servers and trying to exploit the CVE-2018-13379 susceptibility.

According to NCSC, a significant number of organizations in the UK have not fixed a Fortinet VPN vulnerability found in May 2019, resulting in the credentials of 50,000 vulnerable VPNs being stolen and revealed on a hacker forum. As such, the NCSC recommended organizations that are using such devices to assume they are now compromised and to start incident management procedures, where security updates have not been downloaded.

“The NCSC is advising organizations which are using Fortinet VPN devices where security updates have not been installed, to assume they are now compromised and to begin incident management procedures. Users of all Fortinet VPN devices should check whether the 2019 updates have been installed. If not, the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured, and then returned to service,” NCSC stated.

Safety tips for users & organizations 

The first step is to check whether the 2019 update is installed on all Fortinet VPN devices or not. If not, the NCSC recommends installing it as soon as possible. Secondly, the corrupt devices should be removed from service, returned to a factory default, reconfigured, and then restored to service. 

While fixing the security loophole, organizations should examine all connected hosts and networks to detect any further attacker movement and activities. Anomalous connections in access logs for the SSL VPN service may also indicate the use of compromised credentials. Organizations should then make it a high priority to upgrade to the latest FortiOS versions to prevent reinfection. 

"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.
Read more »
UK
Cyber Attacks Cyber Criminals education sector NCSC Ransomware UK

Ransomware Attacks Targeting UK’s Education Sector Increased, says NCSC

 

According to the warning by GCHQ's cybersecurity arm, NCSC, there has been a substantial spike in the number of ransomware attacks targeting the education sector over the last month, just as schools were getting ready to resume in-person classes. 

Ransomware attacks on the UK education sector have been on the rise, according to a new report. This includes developments seen in August and September 2020, along with attacks that have occurred since February 2021. It also offers mitigation recommendations to help in the defense of this sector. 

According to the report, senior leaders must recognize the magnitude of the threat and the ability of the ransomware to cause serious harm to their organizations in terms of information exposure and access to important services. 

Ransomware encrypts servers and files, making it impossible for businesses to provide services. Cybercriminals are anticipating that the need for schools and colleges to provide instruction would lead to target organizations succumbing to extortion requests and paying a bitcoin ransom in return for the decryption key required to recover the network. More importantly, cybercriminals have begun to warn that if the ransom is not paid, they will disclose confidential data taken from the network during the attack. Many elevated cases have arisen in which cybercriminals have carried out their attacks by exposing confidential data to the public, mostly via the darknet's “name and shame” websites. 

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said. 

Ransomware attacks can be crippling to businesses, taking a considerable period for victims to recover and restore vital services. These activities can also be high-profile in nature, gaining a lot of attention from the public and the media. 

There are many ways for ransomware attackers to gain entry to a victim's network. Remote Desktop Protocol (RDP) is one of the most commonly used protocols for remote desktop activities, according to the NCSC, allowing staff to access their office desktop computers or servers from a remote device over the internet. Ransomware attackers often use insecure RDP and virtual private networks (VPN) configurations to gain initial access to victims' computers. 

"This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted", says NCSC. 

To protect against malware and ransomware threats, the NCSC suggests that businesses must adopt a "defense in depth" technique. Having an effective plan for vulnerability management and deploying security fixes, protecting remote web services with multi-factor encryption, and installing and activating anti-virus programs are all cybersecurity guidelines for schools, colleges, and universities to secure their networks from ransomware attacks. 
Read more »
User Data
Chinese Firms Cyber Security NCSC U.S. healthcare User Data

Chinese Firms Infiltrate into U.S. Healthcare Data

 

The gulf between the two most powerful nations has widened after the United States National Counterintelligence and Security Center (NCSC) revealed that Chinese firms have secured access to U.S. healthcare data by collaborating with universities, hospitals, and various other research organizations.

According to the reports of the agency the People’s Republic of China (PRC) has successfully managed to infiltrate the US healthcare data, including genomic data via a variety of sources both legal and illegal. The agency also claimed that by securing access to the U.S. healthcare data, China is expanding the growth of its Artificial Intelligence and precision medicine firms.

NCSC wrote in a fact sheet that “for years, the People’s Republic of China (PRC) has collected large healthcare data sets from the U.S. and nations around the globe, through both legal and illegal means, for purposes only it can control. The PRC’s collection of healthcare data from America poses equally serious risks, not only to the privacy of Americans but also to the economic and national security of the U.S.”.

According to the agency, China’s access to the US healthcare and genomic data have raised serious concerns regarding the privacy and national security of the United States, there has been an escalation in the efforts of China during the Covid-19 pandemic with Chinese biotech firm offering Covid-19 testing kits to the majority of the nations and setting up 18 test labs in the past six months, allegedly as part of an attempt to secure health data. 

The agency wrote, “the PRC understands the collection and analysis of large genomic data sets from diverse populations helps foster new medical discoveries and cures that can have substantial commercial value and advance its precision medicine industries”.

The Chinese government is using health data and DNA as a weapon to suppress and control its own people, in the Xinjiang province of China the Uighur population had been forced to give fingerprints, blood groups, and other private data.
Read more »
NCSC
cyber espionage Hacking Malware. NCSC

Prevalent Cyber threat group targets UK

As of late a well-known hacking group attempted is as yet trying to focus on the UK with an updated version of malware intended to install itself into the compromised systems and stealthily conduct surveillance. Within the most recent year, the group seems to have been especially centered on diplomatic targets, including consulates and embassies. 

Both the Neuron and Nautilus malware variations have already been credited to the Turla advanced persistent threat group, which is known to routinely carry out cyber-espionage against a range of targets, including government, military, technology, energy, and other business associations and commercial organisations. 

It basically targets Windows mail servers and web servers; the Turla group conveys uniquely made phishing emails to trade off targets in attacks that deploy Neuron and Nautilus in conjunction with the Snake rootkit. By utilizing a combination of these tools, Turla can increase diligent system access on compromised systems, giving secretive access to sensitive data or the capacity to utilize the system as an entryway for carrying out further attacks. 

However the UK's National Cyber Security Centre (NCSC) - the cyber security arm of GCHQ - has issued a notice that Turla is conveying another variant of Neuron which has been altered to sidestep disclosure. 

Alterations to the dropper and loading mechanisms of Neuron have been composed in such a way so as to avoid the malware being detected, enabling its pernicious activities to proceed without being intruded. 

While the creators of Neuron have additionally attempted to change the encryption of the new version, now configuring various hardcoded keys as opposed to simply utilizing one. In the same way as other of alternate changes, it's probably that these have been carried out to make detection and decryption by network safeguards more troublesome. 

At all might be the situation it is believed that the National Cyber Security Centre doesn't point to work by Turla being related with a specific danger on-screen character - rather alluding to it as:
                                 "A predominant digital danger group focusing on the UK".

Read more »
Subscribe to: Posts (Atom)