Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we at Neuways bring attention to the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:

Google alerts thousands to potential hacker attack

Google has alerted approximately 14,000 users that they had been the targets of Russian government-sponsored hackers. The head of Google’s anti-hacking team, Shane Huntley, said that his team had sent an “above average” number of warnings.

He said: “These warnings indicate users are targets and haven’t been compromised. The increased numbers in October come from a small number of widely targeted campaigns which were blocked.”

Huntley went on to say that the warnings related to a recent phishing campaign by APT28 that specifically targeted a large volume of Gmail users. These threat actors are backed by the Russian government and are responsible for many high-profile hacks over the last few years.

“100% of these emails were automatically classified as spam and blocked by Gmail,” Huntley said in a statement. “As we always do, we sent those people who were targeted government backed attacker warnings.”

Google has been sending these types of warnings since 2012. The idea is to tell “a small minority of users in all corners of the world” that they are being targeted by government hacking groups such as APT28 or others.

Such a statement essentially means that government hacking groups targeting Google users is now a part of life people should come to expect on the internet. But the sheer volume of cases in this instance and the fact that 14,000 users were all targeted by one group is what stands out. The campaign was global and targeted a broad group of people, across many different industries.

The bad news is that hackers seem to be ramping up their attacks; the good news, for now, is that Google is catching them, blocking the phishing emails and alerting their targets. The company’s goal is to make people aware that they are targets while also encouraging them to strengthen their defences, such as by using security keys instead of SMS or other less secure forms of multi-factor authentication, or by enrolling in the company’s Advanced Protection Program.

“So why do we do these government warnings then?” Huntley said. “The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions.”

Neuways advises users to ensure they have the correct cyber security measures in place, such as multi-factor authentication and secure email filters, that will help prevent hackers from gaining access to their systems.

Rare Windows bootkit malware discovered

A rare Windows UEFI bootkit has been discovered, offering attackers a path to cyber-espionage.

Researchers have warned that the bootkit’s goal is to install a full-featured backdoor on a target PC which “supports a rich set of commands and contains various automatic data exfiltration capabilities, including document stealing, keylogging and monitoring of the victim’s screen by periodically taking screenshots.”

UEFI (Unified Extensible Firmware Interface) is the embedded firmware that runs when a computer is switched on; it is responsible for securing the computing environment at start-up and for loading the operating system. As such, it’s an ideal place to plant malware that persists, since UEFI runs no matter what changes or restarts the OS goes through.

The new malicious bootkit, which researchers have named ESPecter, lives on the EFI System Partition (ESP). The ESP contains the boot loaders and kernel images that UEFI uses to start installed OSes and various utilities at boot time.

Researchers said: “Attackers achieve execution in the early stages of the system-boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system start up.”

The driver then injects other user-mode components into specific system processes, and those components in turn connect to a command-and-control (C2) server. Once that connection is made, attackers can download and run additional malware or execute various commands to take full control of the machine.

Interestingly, the researchers’ analysis of ESPecter shows that its beginnings stretch back to 2012, when it used Master Boot Record (MBR) modification as its persistence method. However, development has been fairly dormant: since then there had been only “insignificant changes” to the code until last year.

Researchers aren’t sure yet how it’s distributed, but once ESPecter finds its way onto a PC, it begins its UEFI infection by modifying a legitimate Windows Boot Manager binary. Researchers said: “In order to successfully drop its malicious payload, ESPecter needs to modify the Boot Manager in order to bypass integrity checks [that prevent execution of rogue bootkit elements].”

Boot Manager is responsible for finding an installed OS within the ESP and transferring the execution task for that OS to a kernel loader. That OS kernel loader then loads and executes the next component in the boot chain – the Windows kernel itself, which contains the linchpin DSE security check mentioned earlier.

Researchers said that they don’t know how ESPecter is specifically distributed, but regarding the initial compromise, it’s likely that it takes advantage of one of the various UEFI firmware vulnerabilities that allow disabling or bypassing Secure Boot.

Secure Boot is a security standard for PCs using UEFI that ensures that devices boot using only trusted software. For most computers, it’s the main barrier to compromise at the startup layer, and it must be disabled in order to successfully boot with a modified boot manager.

The good news for businesses is that keeping PCs up to date and correctly configured helps prevent an ESPecter attack from succeeding. Neuways advises installing security patches and updates as soon as the provider issues them. This is one of the key factors in a safe and secure IT system.
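As an added example (not code from the Neuways article or from the ESPecter researchers), the following PowerShell script checks a Windows PC for the two preconditions the article describes: Secure Boot being disabled, and the Boot Manager on the ESP no longer carrying a valid Microsoft signature. It also reports BCD flags that weaken driver signature enforcement. It assumes an elevated prompt on a UEFI system, and that the chosen drive letter for mounting the ESP is free.

```powershell
# Added defender's check; not part of the original article.
# Run from an elevated PowerShell prompt on a UEFI-based Windows PC.
function Test-BootChainIntegrity {
    [CmdletBinding()]
    param(
        # Assumed-free drive letter on which to mount the EFI System Partition.
        [string]$EspDrive = 'S:'
    )
    $findings = @()

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems
    #    or when not running elevated, so treat an exception as "unknown".
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = $null
        $findings += 'Secure Boot state could not be read (legacy BIOS or not elevated)'
    }
    if ($secureBoot -eq $false) { $findings += 'Secure Boot is DISABLED' }

    # 2. Authenticode signatures of the Boot Manager (on the ESP) and the OS
    #    kernel loader. The ESP is normally unmounted; mountvol /S exposes it.
    $mounted = $false
    if (-not (Test-Path $EspDrive)) {
        mountvol $EspDrive /S | Out-Null
        $mounted = $true
    }
    $bootFiles = @(
        (Join-Path $EspDrive 'EFI\Microsoft\Boot\bootmgfw.efi')  # Windows Boot Manager
        "$env:SystemRoot\System32\winload.efi"                  # OS kernel loader
    )
    foreach ($file in $bootFiles) {
        if (-not (Test-Path $file)) { $findings += "Missing: $file"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "Signature check failed for $file ($($sig.Status))"
        }
    }
    if ($mounted) { mountvol $EspDrive /D | Out-Null }

    # 3. BCD settings that disable or weaken Driver Signature Enforcement.
    $bcd = bcdedit /enum '{current}' 2>$null
    if ($bcd -match 'testsigning\s+Yes')       { $findings += 'testsigning is enabled' }
    if ($bcd -match 'nointegritychecks\s+Yes') { $findings += 'nointegritychecks is enabled' }

    return $findings   # an empty result means nothing suspicious was found
}

Test-BootChainIntegrity | ForEach-Object { Write-Warning $_ }
```

A finding here is a prompt to investigate, not proof of infection: a machine deliberately configured with Secure Boot off, or a corrupted boot file, produces the same output.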

Microsoft reports record DDoS attack

Microsoft has reported the largest DDoS attack in history, saying its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack at the end of August.

Amir Dahan, Senior Programme Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States, with the target identified as “an Azure customer in Europe.”

DDoS attacks see hackers flood websites with far more traffic than the sites are built to handle. This is designed to take the site down and cause the victim either temporary or indefinite downtime.

This record-breaking DDoS attack came in three short waves, across just ten minutes, with the first coming in at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps. However, Dahan said that Microsoft successfully mitigated the attack without Azure going offline.

Prior to Microsoft’s disclosure, the previous DDoS record was held by a 2.3 Tbps attack that Amazon’s AWS division mitigated in February 2020. Dahan said the largest DDoS attack that hit Azure prior to the August attack was a 1 Tbps attack the company saw in Q3 2020, while this year Azure had not seen a DDoS attack over 625 Mbps.

Just days after Microsoft mitigated this attack, a botnet called ‘Meris’ broke another DDoS record — the record for the largest volumetric DDoS attack. According to researchers, the operators of the Meris botnet launched a DDoS attack of 21.8 million requests per second (RPS) in early September.

It is unclear if the Meris botnet was behind the attack detected and mitigated by Microsoft in August. With DDoS attacks just one type of weapon within the arsenal of cyber criminals, it is important businesses prepare themselves for being the next victim. Through a robust Business Continuity and Disaster Recovery plan, businesses can ensure that frameworks are in place to allow for as little disturbance as possible, in the event of a cyber attack.

Contact the BCDR experts at Neuways today on 01283 753 333 or email hello@neuways.com to protect your business today.

National Cyber Security Centre warns UK businesses of cyber danger

UK businesses are being warned of the various dangers posed by cyber attacks – with attacks reliant upon a ransom being “the most immediate danger”, according to the head of the National Cyber Security Centre (NCSC).

Lindy Cameron said her agency and the National Crime Agency had assessed that cyber criminals based in Russia and its neighbouring countries were responsible for most of the “devastating” ransomware attacks against the UK and its businesses.

Speaking at the Chatham House Cyber 2021 conference, Cameron warned that not enough organisations were prepared for the threats posed or tested their cyber defences. Increasingly in recent cases, criminal gangs have also threatened to release some of the data they have access to publicly.

Last year, Hackney Borough Council was hit by one large cyber attack which led to significant disruption to services and IT systems going down for months. Ireland’s Health Service Executive also suffered a significant attack this year, leading to months of disrupted appointments and services.

Ransomware attacks have noticeably risen since the COVID-19 pandemic began, as office workers were sent home, giving cyber criminals more of an opportunity to bombard home workers with phishing scams.

While there had been some signs that Russian-linked activity dipped over the summer, cyber security experts believe much of that may be to do with the hackers taking their summer break as opposed to any shift away from the highly profitable business model.

Cameron said: “Ransomware will continue to be attractive while organisations remain vulnerable and are willing to pay.” She emphasised what Neuways wants to make clear to businesses: paying ransoms simply emboldens cyber criminal groups – it encourages them to keep going and to keep disrupting businesses.

Cameron added that, as well as improving its defences, the UK would aim to deliver a “sustained, proactive” campaign to disrupt those harming the country, including ransomware gangs. This would draw on a range of techniques, including the newly established National Cyber Force, which can carry out offensive hacking operations.

In a wide-ranging speech, Cameron said the pandemic continued to cast a shadow over cyber-security and was likely to do so for years to come. She said: “Malicious actors continue to try and access COVID-related information, whether that is data on new variants or vaccine procurement plans. Some groups may also seek to use this information to undermine public trust in government responses to the pandemic. And criminals are now regularly using Covid-themed attacks as a way of scamming the public.”

Neuways advises businesses to not pay ransoms if they are the subject of a cyber attack. The money that you would be forced to hand over to cyber criminals would be far better applied in preventative cyber security measures for your business. By paying to retrieve access to your systems and data, you are signalling to cyber criminals that you are willing to fund their operations.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.