
Neu Cyber Threats – 1st April 2021

Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we at Neuways bring attention to the latest cybersecurity threats so that you can stay safe online.

Here are the most prominent threats which you should be aware of:

Clop ransomware continues to bombard businesses of all shapes and sizes. The cyber criminals behind the malware have siphoned internal documents from the oil giant Shell, as well as publicly leaking some of the data to encourage payment of the ransom set.

If paid on-time, it would have meant that any files affected by Clop would be decrypted and prevent any documents leaking. However, the gang has now uploaded a selection of documents to its Tor-hidden website, including scans of employees’ US visas as well as a passport page and files from its American and Hungarian offices.

This kind of theft and intense pressure is a commonplace tactic for cyber criminals, and in particular for the Clop gang. Recently they have been pursuing organisations that deployed vulnerable versions of a legacy file-transfer appliance, Accellion, exploiting the software to steal internal information. This seems to be linked to the current data breach, as Shell has revealed it uses Accellion to securely transfer large data files.

Shell aren’t the only company to have been affected. Businesses of different sizes from the IT, aerospace and marketing industries have been affected by the Accellion vulnerability. Fortunately, it seems to be only the Accellion-related documents that have been breached, as opposed to the businesses’ entire IT systems.

It appears as though Accellion became aware of a then zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it. This first flaw was just one of many now-patched zero-day bugs in the platform that Accellion discovered after it came under attack from cyber criminals. The problem is that many companies might still be using unpatched versions of Accellion.

It is good practice for a business to ensure that any systems or software it uses are fully patched at all times. If a system isn’t based on Microsoft Windows, total coverage can be tough, and it usually requires manual updating to ensure the system is fully covered. If your business also uses Accellion or other file-transfer services, such as WeTransfer, then it might be time to consider alternative ways to share large files with colleagues. A system such as SharePoint allows files and data to be shared with ease between colleagues with the same level of privileges and access. For example, a Sales team can have its own shared folder that links to individual documents as though each were a web address, giving them access in seconds, rather than using an external file-transfer service that could lead to shared documents being breached in future, as Shell and others have found out.

An update on the recent Microsoft Exchange vulnerabilities has been issued by the National Cyber Security Centre. In early March 2021, Microsoft made public that sophisticated actors had attacked a number of Exchange servers. In response, it released multiple security updates for affected servers; Exchange Online is not affected.

The updates were released ahead of the usual monthly update cycle because four of the seven vulnerabilities were being used in ongoing attacks and urgently needed to be fixed. A wide variety of cyber criminal groups were using automated tools to scan for Exchange servers where the updates had not been installed. The malicious software installed on vulnerable servers has also been exploited by groups using different ransomware to install malware on the network, which can go on to exfiltrate company data.

The affected versions of Microsoft Exchange Server are:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

All UK organisations should update any affected versions of Microsoft Exchange Server immediately. If you are unsure about what version of Microsoft Exchange your business is running, please contact your Managed Service Provider as soon as possible.

COVID-19 related lockdowns and remote working are believed to be two factors that are contributing towards a rise in cyber attacks on businesses over the last 12 months, according to a survey. Over 2,000 office workers in Germany and the U.K. were contacted, to better understand cyber security practices among remote workers. It found that younger employees, as well as people caring for children or other family members reported more stress in their lives, which linked to riskier IT behaviours.

For example, 67% of employees under 30 admitted they use shadow IT (unsanctioned apps, services and equipment) to help them perform certain tasks more easily, compared to just 27% of older workers. Also, 55% of the younger group reported making more mistakes when working from home, such as copying the wrong people into emails; in comparison, only 17% of the over-30s reported such mistakes.

Nearly two-thirds of the younger group (63%) stated that distractions while working from home negatively impact decision-making, compared to 26% of older people. All of the above points could lead to IT issues. Shadow IT services might not be as secure as those permitted by an employer, and if the wrong person outside an organisation receives an email, it could lead to further problems.

Stress has been found to affect the productivity and availability of employees. 70% of younger employees have trouble focusing because of their stress level, compared to 29% of older workers, and 77% said they feel pressure to be available outside normal working hours, compared to less than half (46%) of older workers.

Businesses are advised to try and provide better emotional and personal support for their employees, who may well be under an extreme level of stress at the moment. Through an increase in communication, individual employees can be less affected by the stress of lockdown and the lack of physical contact with colleagues. By communicating further, businesses can also help reduce the likelihood of mistakes and the need for some employees to use shadow IT to cut corners.

A new variant of the Phoenix CryptoLocker malware has been causing plenty of business disruption across the world.

The novel ransomware has forced businesses to be taken offline and experience significant downtime. It is believed that the attack causes network disruption and impacts systems such as corporate email. Cryptolockers are a commonly used ransomware type that immediately encrypts files on the machines they infect, demanding a ransom from victims in exchange for the means to unlock them.

The cyber criminals behind the activity are more than likely Evil Corp, which recently resurfaced after a short hiatus from cyber criminal activity. The impact of the group’s latest attack was so serious that the victim disconnected its network ‘out of caution’, and is currently providing workarounds for employees so they can continue operating.

More than 15,000 devices on the network were encrypted, including those of employees working remotely who were logged onto the company’s VPN at the time the new ransomware was deployed. The attackers appended the .phoenix extension to encrypted files and created a ransom note named PHOENIX-HELP.txt.
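The two indicators given above (the .phoenix extension on encrypted files and a ransom note named PHOENIX-HELP.txt) are enough for an IT team to scope which shares or hosts an outbreak has reached. The script below is an added example written for this post, not Neuways’ tooling or anything published by the victim or the investigators; it assumes only those two indicators and builds a small constructed directory tree to run against, so it executes offline.

```python
"""Filesystem sweep for the Phoenix CryptoLocker indicators named in the post.

Added example, not Neuways' or any vendor's tooling. It assumes only the two
indicators the post gives: encrypted files carry a ".phoenix" extension and a
ransom note named "PHOENIX-HELP.txt" is dropped alongside them. Both matches are
case-insensitive, since Windows filesystems are.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".phoenix"          # extension named in the post
RANSOM_NOTE = "phoenix-help.txt"    # ransom note named in the post, lowercased


def scan_for_phoenix_indicators(root):
    """Walk `root` and collect every path matching either indicator.

    Returns a dict with sorted lists of encrypted-file paths and ransom-note
    paths (relative to `root`), plus the sorted set of directories containing
    either, which is what an analyst uses to decide which shares to isolate
    and which backups to restore from.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            rel = str((Path(dirpath) / name).relative_to(root))
            if lowered.endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
            elif lowered == RANSOM_NOTE:
                notes.append(rel)
    affected = {str(Path(p).parent) for p in encrypted + notes}
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected),
    }


def build_sample_tree():
    """Create a constructed share layout in a temp dir and return its root.

    Two directories are touched (finance/ and hr/contracts/), one is clean.
    The contents are placeholders; nothing here is real victim data.
    """
    root = Path(tempfile.mkdtemp(prefix="phoenix-demo-"))
    (root / "finance").mkdir()
    (root / "hr" / "contracts").mkdir(parents=True)
    (root / "finance" / "budget.xlsx.phoenix").write_bytes(b"\x00" * 16)
    (root / "finance" / "PHOENIX-HELP.txt").write_text("constructed ransom note\n")
    (root / "hr" / "policy.docx").write_bytes(b"PK\x03\x04")      # untouched
    (root / "hr" / "notes.txt").write_text("nothing to see\n")   # untouched
    # Upper-case extension: exercises the case-insensitive match.
    (root / "hr" / "contracts" / "offer.pdf.PHOENIX").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scan_for_phoenix_indicators(sample_root)
    print(f"scanned {sample_root}")
    for key, values in report.items():
        print(f"{key}: {len(values)}")
        for value in values:
            print(f"  {value}")
```

To run it against a real share, replace `build_sample_tree()` with the mount point to sweep; the `affected_dirs` list is the useful output, because it maps directly onto the shares an incident responder would isolate and the backup sets to restore.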

The affected business is aiming to restore its systems through backups rather than paying the ransom demanded by attackers. A multi-layered Business Continuity and Disaster Recovery plan will give businesses a level of comfort and safety if they were to fall victim to a ransomware attack such as that issued by Evil Corp. It can give victims access to their secured, backed up company data within an hour of an attack or an outage of any kind.

Microsoft has confirmed that a surge in malicious attacks targeting firmware is outpacing the resources businesses allocate to cyber security spend.

A huge 80% of businesses reported ‘at least one firmware attack’ in the past two years but only 30% allocated any budget spend on firmware protection.

Microsoft commissioned a study of 1,000 enterprise security decision-makers from around the world, and the results confirmed that the bulk of current cyber security spend goes to applying patches, vulnerability scanning, and advanced threat protection products that can miss signs of infection below the operating system.

Firmware provides fertile ground for cyber criminals to plant malicious code, and the survey results show growing awareness among decision-makers of the need to address this type of attack.

Microsoft said: “Firmware is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Most devices don’t offer visibility into that level to ensure that attackers haven’t compromised a device prior to the boot process.

“Security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic, high-level work. Only 39% of security teams’ time is spent on prevention and they don’t see that changing within the next two years. The lack of proactive defence investment in kernel attack vectors is an example of this outdated model.”

As well as firmware attacks, Microsoft also identified a lack of automation as another reason for the disconnect between threat activity levels and cyber security investments.

82% of those surveyed reported that they don’t have the resources to allocate to more high-impact security work, as they are spending too much time on lower-yield manual work like software patching, hardware upgrades, and mitigating internal and external vulnerabilities.

Businesses should ensure their cyber security budgets are allocated correctly. By not allocating enough spend to an area such as firmware protection, they can leave themselves vulnerable to attacks from cyber criminals. It is always worth checking with cyber security experts to see whether your budget is correctly spread across your business, and whether your business would be safer with further investment.

FatFace pays out $2 million to Conti ransomware gang

And to finish this week’s Neu Cyber Threats update, here is a cautionary tale from UK fashion retailer FatFace. Last week, the brand made headlines by issuing customers with an email update.

The communication detailed that in January 2021, an unknown third-party presence was found in its IT systems that may have compromised customer data. FatFace asked its customers to keep the cyber attack “strictly private and confidential”, and this week has reportedly paid a huge ransom of just under £1.5 million to the Conti ransomware gang responsible for the attack.

According to Computer Weekly, FatFace entered discussions with the Conti gang almost immediately after it was first compromised in January, soon after its systems had been breached and customer details stolen. Interestingly, the report details the discussions between the gang and the victim, and it reads as a warning to all businesses about the dangerous nature of these criminals.

Initially, the Conti gang looks to have demanded a ransom of 213 Bitcoin (just over £9 million), which seems to have been determined by their belief that FatFace’s ransomware insurance would have covered them for up to £7.5 million. This was after they had pored over the stolen data from FatFace, which also included its databases, traffic statistics and online sales numbers. Then, after negotiations continued between FatFace and Conti, the gang accepted a lower offer of $2.65 million.

Negotiation between FatFace and Conti ransomware gang. Source: Computer Weekly

The gang went on to tell the FatFace contact that the initial breach occurred via a phishing attack on 10 January 2021. This initial compromise was used to gain admin rights and begin spreading laterally through the network. This would have been through socially engineered attacks originating from the initial compromise, which in turn allowed the hackers to send further phishing emails to FatFace employees, gaining more and more access with each person tricked into opening them.

More than 200GB of data was reportedly exfiltrated from FatFace’s systems before they were encrypted by the ransomware on 17 January. The ransomware gang even offered advice to the retailer’s IT team about how to strengthen its cyber security defences in order to avoid another attack in the future.

Neuways advises all businesses to take their cyber security seriously. Through a multi-layered Business Continuity and Disaster Recovery plan, businesses can recover access to their data and systems in the event of not only a cyber attack but a fire, flood, theft or other threat. Data can be restored within an hour, and the business will not need to pay a huge ransom, as FatFace did, and will be able to remain operational without losing trade as a result of the disaster it has faced.

Contact Neuways on 01283 753 333 or email hello@neuways.com to discuss how Business Continuity and Disaster Recovery plans can become the backbone of your business’ IT strategy.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.
