
In 2021, the UK Government was Plagued by Hundreds of Spam Emails

 

The UK government was reportedly bombarded with billions of phishing emails last year, and staff clicked on large numbers of questionable and fraudulent links. Comparitech recently published a report on these fraudulent emails, based on responses to freedom of information requests from 260 government agencies.

According to Comparitech, 764,331 government employees received a total of 2.7 billion fraudulent emails, averaging 2,399 per employee. These figures, however, count emails that were most likely flagged as malicious and blocked by the relevant government agency.

In 2021, personnel opened 0.32 percent of malicious emails on average, with 0.67 percent of these events resulting in employees clicking on potentially dangerous links, according to the research. Comparitech says this might suggest UK government employees clicked on 57,736 questionable links last year. The firm noted that any FOI responses that were unclear were excluded to avoid overestimating this figure.

357 million fraudulent emails were received by NHS Digital's 3,996 employees, amounting to 89,353 mails per employee. Other essential infrastructure services, such as railway supplier Network Rail Limited, received 223 million malicious emails, or 5,033 emails per employee, while tax authority HM Revenue & Customs received 27.9 million spam emails, or 415 emails per employee. 

In other cases, the researchers' attempts to better grasp the government's ransomware threat were hampered by respondents' lack of transparency. "One government department reported in 2021 it had identified 97 data thefts over just 30 days. Seventy-one government agencies were also glad to announce why they had not been hit by ransomware in 2021; the remaining 187 didn't say whether or not they had. In 2021, only two government agencies disclosed they had been the victims of a successful ransomware attack," said Paul Bischoff of Comparitech.

This New Russian Cyclops Blink Botnet Targets ASUS Routers

 

Nearly a month after it was discovered that the malware used WatchGuard firewall appliances as a stepping stone to obtaining remote access to infiltrated networks, ASUS routers have been the target of a budding botnet known as Cyclops Blink. 

The botnet's primary objective is to develop an infrastructure for additional attacks on high-value targets, according to Trend Micro, given that none of the compromised hosts belongs to vital organisations or those that have an obvious value on economic, political, or military espionage. 

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor, has been linked to both VPNFilter and Cyclops Blink. It has also been tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.

The complex modular botnet, written in C, affects a variety of ASUS router models; the company has acknowledged that it is working on a patch to address any potential exploitation. The affected models are:
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
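
A defender working through an asset inventory wants to turn the list above into a mechanical check. The following is an added example, not code from ASUS or Trend Micro: it reads "firmware under 3.0.0.4.386.xxxx" as any firmware whose first five dotted components sort below 3.0.0.4.386 (an assumption about the advisory's wording), expands the shorthand "AC68R, AC68W, AC68P" to the RT-AC68x model names (also an assumption), and flags the end-of-life models regardless of firmware version. Hostnames and firmware strings in the sample inventory are constructed.

```python
"""Inventory check for the ASUS models listed in the Cyclops Blink advisory.

Added example, not ASUS or Trend Micro code. Assumptions: "under
3.0.0.4.386.xxxx" means the first five dotted components sort below
3.0.0.4.386; "AC68R/AC68W/AC68P" are the RT-AC68R/W/P models.
"""
from typing import Optional, Tuple

# Models the advisory says are affected when running firmware below the 386 branch.
AFFECTED_BEFORE_386 = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}
# Models the advisory lists as end-of-life (no fix expected, so flag regardless).
END_OF_LIFE = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}

# Assumed threshold: first five components of the fixed firmware branch.
FIXED_BRANCH = (3, 0, 0, 4, 386)


def parse_firmware(version: str) -> Optional[Tuple[int, ...]]:
    """Split an ASUS firmware string into integer components.

    '3.0.0.4.384.45149' -> (3, 0, 0, 4, 384, 45149); None if not all-numeric.
    """
    try:
        return tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return None


def classify(model: str, firmware: str) -> str:
    """Return a verdict string for one device (model name, firmware string)."""
    model = model.strip().upper()
    if model in END_OF_LIFE:
        return "end-of-life: replace device"
    if model not in AFFECTED_BEFORE_386:
        return "not in advisory list"
    parsed = parse_firmware(firmware)
    if parsed is None or len(parsed) < 5:
        return "unknown firmware: verify manually"
    if parsed[:5] < FIXED_BRANCH:
        return "affected: update firmware"
    # Advisory says a patch is still in progress, so a 386 build alone is not proof of a fix.
    return "on 386 branch or later: verify patch status"


def audit(inventory):
    """inventory: iterable of (hostname, model, firmware) -> list of (hostname, verdict)."""
    return [(host, classify(model, fw)) for host, model, fw in inventory]


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("branch-gw-01", "RT-AC86U", "3.0.0.4.384.81351"),
    ("branch-gw-02", "RT-AC86U", "3.0.0.4.386.45958"),
    ("lab-router", "RT-AC66U", "3.0.0.4.380.7266"),
    ("home-office", "RT-AX88U", "3.0.0.4.386.46061"),
    ("legacy-01", "RT-AC68U", "not-recorded"),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY):
        print(f"{host:14} {verdict}")
```

The tuple comparison is the whole trick: dotted versions compare correctly as integer tuples, whereas comparing the raw strings would put "3.0.0.4.384" after "3.0.0.4.1000". Devices whose firmware field is blank or free text fall into the "verify manually" bucket rather than silently passing.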
Apart from employing OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink also includes specific modules that can read and write from the devices' flash memory, allowing it to persist and survive factory resets. A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS. Although the exact form of initial access is unknown, Cyclops Blink has been affecting WatchGuard and ASUS routers in the United States, India, Italy, Canada, and Russia since June 2019.

A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

DDoS Assaults on Ukrainian Banking Elite has Resumed Yet Again


Cyberattacks took down Ukrainian official and bank websites, prompting the government to declare a nationwide state of emergency amid growing fears that Russian President Vladimir Putin could launch a full-scale military invasion of Ukraine. The websites of Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank) were also hit in the onslaught, and Ukrainian government sites were brought down as well, according to Internet monitor NetBlocks.

"At around 4 p.m., another massive DDoS attack on the state commenced. We have relevant data from several banks," stated Mykhailo Fedorov, Minister of Digital Transformation, who also mentioned the parliament website had been hacked. Ukrainian authorities had said earlier in the week that hackers were preparing large attacks on government organizations, banks, and the defense sector.

SSSCIP and other national cybersecurity authorities in Ukraine are currently "working on countering the assaults, gathering and evaluating information." According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers used DDoS-as-a-Service platforms and numerous bot networks, including Mirai and Meris, to carry out the DDoS attacks on February 15th. The DDoS attacks were traced to Russia's Main Directorate of the General Staff of the Armed Forces on the same day, according to the White House. 

"We have technical information indicating ties to the Russian main intelligence directorate, or GRU," Deputy National Security Advisor for Cyber Anne Neuberger stated. "Known GRU infrastructure was spotted delivering huge volumes of communication to Ukraine-based IP addresses and domains."

Neuberger added that, despite their "limited impact," the strikes could be seen as "setting the framework" for more disruptive attacks, which could coincide with a possible invasion of Ukraine's territory.

The UK government also blamed Russian GRU hackers for the DDoS strikes last week which targeted Ukrainian military and state-owned bank websites. According to a press release from Ukraine's Security Service (SSU), whose own website was also hacked, the country was under attack by a "huge wave of hybrid warfare." The SSU announced earlier this month that, during January 2022, it had stopped over 120 cyberattacks aimed at Ukrainian governmental entities.

ICO Struck by 2650% Rise in Email Attacks in 2021

 

The UK's Information Commissioner's Office (ICO) reported a whopping 2650% spike in email attacks in 2021, according to official numbers acquired by the Parliament Street think tank following a Freedom of Information request.

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month last year, the data refers to the volume of phishing emails discovered, malware detected and prevented, and spam detected and blocked by the ICO. 

The majority of the attacks were caused by spam emails, which increased by 2775% from January to December. During this time, the number of phishing emails climbed by 20%, while malware increased by 423 percent.

In December, the statistics revealed a significant increase in email attacks, with 4,125,992 spam messages, 7886 phishing emails, and 1197 malware cases. This increase is likely to be linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use issues like testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays. 

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.

UK Foreign Office Suffered ‘Serious Cyber Security Incident’

 

A "serious incident" compelled the Foreign Office of the United Kingdom to seek immediate cybersecurity assistance. A recently released public tender document confirmed the incident. According to a document released on February 4, the Foreign, Commonwealth and Development Office (FCDO) sought "urgent business support" from its cybersecurity contractor, BAE Applied Intelligence.

The FCDO paid the company £467,325.60 (about $630,000) for its services after issuing a contract for "business analyst and technical architect support to assess an authority cyber security incident" on January 12, 2022, according to the notice. Details of the incident, which had not previously been made public, remain unknown.

The document stated, “The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation. Due to the urgency and criticality of the work, the Authority was unable to comply with the time limits for the open or restricted procedures or competitive procedures with negotiation.” 

The Stack was the first to report on the BAE contract. An FCDO spokesperson who did not give their name said that the office does not comment on security but has measures in place to detect and protect against potential cyber events. The spokesperson declined further queries about the incident, such as whether classified information was accessed.

TechCrunch also contacted the United Kingdom's data protection authority to see if the event had been reported, but is yet to hear back. The announcement of the apparent incident came only days after the British Council, an institution that specialises in international cultural and educational opportunities, was found to have suffered a severe security breach. Clario researchers discovered 144,000 unencrypted files on an unsecured Microsoft Azure storage server, including the personal and login information of British Council students. 

In December 2020, Wilton Park, a Sussex-based executive agency of the FCDO, was hit by a cyberattack; a subsequent investigation by the UK's National Cyber Security Centre revealed that hackers had had access to the agency's systems for six years, though there was no proof that data had been stolen.

SPAR Stores Hit by Cyberattacks In UK

 

The SPAR retail chain has been compelled to shut down some of its convenience stores in Britain after a cybersecurity breach of its IT systems. The cyberattack happened on Sunday and is currently being investigated by Lancashire Police. SPAR has around 2,600 stores across the UK. Due to the incident, 330 SPAR stores in the north of England could not process payments made with debit or credit cards. The attack also stopped the shops from using their stock control and accounting systems.

Some stores remain closed because of the attack, while a few have reopened but are currently taking only cash payments. "There has been an online attack on our IT systems which is affecting stores' ability to process card payments, meaning that a number of SPAR stores are currently closed. We apologize for any inconvenience, we are working as quickly as possible to resolve the situation," SPAR said in a tweet. A SPAR store on the Hull University campus in Yorkshire was among those affected by the attack and had to be closed.

Stores at other locations in Yorkshire and Lancashire were also affected by the attack. SPAR disclosed on social media that the company had suffered an online attack on the IT systems of its main wholesaler, James Hall and Co. Ltd of Preston in Lancashire. The BBC reports that the "question for James Hall is now the one all cyber attack victims dread - shall we pay criminals to get our shops back online? But of course, for the hundreds of thousands of Spar customers affected by the hack, the more pressing question is when will their local stores open again."

The James Hall company website was down at the time of publication. "Due to a major & widespread IT failure across the entire Northern SPAR network, all Northern SPAR stores will be closed for an unknown period of time," said SPAR Ribchester.

Norton Research Shows That Almost 42% of UK Gamers Have Encountered Cyber-Attack

 

Regardless of whether casual or diehard, gamers polled in the UK said that they would rather spend their time playing video games than attending a sporting event or concert (72%), going on a date (72%), or reading a book (68%).

The 2021 Norton Cyber Safety Insights Report: Special Release – Gaming & Cybercrime, undertaken by The Harris Poll among more than 700 UK adults who currently play online games, found that more than two in five UK gamers (42 percent) have encountered a cyberattack on their gaming account or device. Nearly four in five (78 percent) of those polled say they have been financially impacted as a direct consequence, losing an average of £145.

The study also revealed remarkable conclusions about gamer-to-gamer cyber risks and the lengths gamers would go to in order to win. More than a quarter of British gamers polled (28%) are at least slightly likely to hack into a friend's, family member's, or romantic partner's gaming account if they knew that it would give them a competitive benefit in an online video game. This attitude is much more pronounced among hardcore gamers, with approximately half of those polled (48 percent) stating they are at least somewhat likely to do so, highlighting serious gamers' tenacity to win.

“These findings are jarring, but there are some gamers out there that will do whatever it takes to win,” said BigCheeseKIT, gamer, and Twitch streamer. “I’ve learned that when you’re gaming online, it’s so important to be mindful of who you are friends with online and what information you share when gaming online. While this is especially true for professional gamers who have that public profile, it’s clear this goes for any online gamer.” 

The competitive spirit pervades all sorts of gamers, from casual to diehard. If they knew it would give them a competitive advantage, nearly half of UK gamers polled (43 percent) said that they are at least somewhat likely to exploit loopholes or technical problems in a game, and nearly one-third (34 percent) would download cheats to their gaming account or systems, pay to take possession of some other user's gaming account (30 percent), or hack into a random player's gaming account (29 percent).

“Scammers know that – for both experienced and casual gamers – cheats, skins, and limited edition items are highly sought after,” said Armin Buescher, Technical Director at NortonLifeLock. “Offering these competitive boosts is a perfect opportunity to share malicious links or trick gamers into downloading malware that, if successful, can rob players of their gaming profile, personal information, or more. Having security that specifically helps protect against these threats can give players peace of mind so they can focus on the enjoyment of the game itself.”

Labour Party Hit By A Cyber Attack

 

The Labour Party has been impacted by a "cyber incident" affecting the data of its representatives and members. On October 29, Labour stated it was informed by a third-party business that managed membership data on its behalf that they had been impacted by the incident. As a result, "a significant quantity" of party data was "rendered inaccessible on their systems".

The Labour Party is a British political party that has been described as a coalition of social democrats, democratic socialists, and trade unionists, sitting on the centre-left of the political spectrum.

The issue is being investigated by the Information Commissioner's Office and the National Cyber Security Centre. Labour wrote in a recent statement that it was collaborating with both the authorities, as well as the National Crime Agency, to figure out what occurred. 

The party also stated that it had been "working closely and on an urgent basis with the third party to understand the full nature, circumstances and impact of the incident" but that its own data systems remained untouched.

Labour is yet to divulge the identity of the third party, the overall scope of the event, or the sort of data compromised. However, it specifically stated that the issue involved data submitted to the party by "members, registered and affiliated supporters, and other individuals who have provided their information". Notably, the Labour Party's statement is ambiguous and raises many questions for party members.

The NCSC stated that it was aware of the situation and also was supporting Labour. It advised everyone “who thinks they may have been the victim of a data breach to be especially vigilant against suspicious emails, phone calls or text messages.”

The NCA acknowledged that it was conducting the criminal probe and stated that its investigations were in their early stages. “We are working closely with partners to mitigate any potential risk and assess the nature of this incident,” a spokesperson said. 

This was not the first time that Labour has been harmed by a cyberattack. Last year, it was revealed that a cybercriminal acquired donor information from a third-party source named Blackbaud between February and May. Names, email addresses, phone numbers, and donation amounts were among the data obtained.

HM Treasury of UK Received Five Million Malicious Emails in Past Three Years

 

Her Majesty’s Treasury, the UK government department responsible for the country’s financial policy, has been hit by almost five million malicious email attacks in the previous three years, according to official figures.

A Freedom of Information (FoI) request submitted by the think tank Parliament Street revealed that 4,870,389 phishing, malware and spam emails targeting HM Treasury were successfully blocked in this period. This comprised 1,271,207 malicious email attacks from October 2018 to September 2019, 1,918,944 from October 2019 to September 2020, and 1,680 from October 2020 to September 2021.

The information comes as Chancellor Rishi Sunak prepares to deliver the UK government’s annual budget, which is anticipated to include pledges around cybersecurity, such as funding to minimize the digital skills gap.

The figures highlight the escalating determination of threat actors to access and steal confidential government information. Earlier this week, Parliament Street disclosed that more than 126 million malicious emails had been fired at House of Commons inboxes this year, a 358% increase on the overall figure for 2020. However, there was no specific data on how many threats slipped past email filters over this period.

The number of malicious emails blocked by HoC filters in 2018 was 15.7 million, which surged to nearly 30.3 million in 2019, but then dropped again to almost 28 million in 2020. With 126.4 million malicious emails recorded up to September this year, Parliament Street believes the total for 2021 could reach as high as 150 million.

“The ever-present cyber threat facing public sector organizations is not going to disappear any time soon. In fact, recent trends indicate that cyber-attacks are likely to become more sophisticated, and criminals will find new ways to breach systems, disrupt apps and websites, and steal sensitive data,” Chris Ross, SVP International for Barracuda Networks, said. 

“This is why it is imperative that organizations defend themselves from all angles, with web application firewalls, to protect cloud infrastructure and network, email inbox defense software, to help defend against the onslaught of phishing attacks targeting employees, and a third-party data backup solution, to protect data and organizations against the growing ransomware threat,” he added.

UK Based Firms, Voip Unlimited, And Voipfone Under DDoS Attack

 

Users of Voipfone's UK business broadband and Voice-over-Internet-Protocol (VoIP) services have reported to ISPreview.co.uk that the supplier has been facing massive service interruptions for the past couple of days, which appear to be the consequence of a Distributed Denial of Service (DDoS) attack against its systems.

Likewise, South Coast-based Voip Unlimited has reported that it received a "colossal ransom demand" after being struck by a prolonged and large-scale DDoS attack. The company believes it was launched by the Russian cybercriminal organization REvil.

On September 2nd, it reported that "services are operational ... however the attacks are still ongoing." 

At this point, it remains unclear whether any additional UK Internet Telephony Service Providers (ITSPs) have also been affected. Nevertheless, the UK Comms Council, the industry association which represents ITSPs, has alerted customers about the cyberattacks and reminded them to implement "appropriate DDoS mitigation strategies."

Mark Pillow, MD of Voip Unlimited, said that the business accepts "full responsibility of the availability of our services to our clients" and that they feel "extremely sorry for all inconvenience caused."

He further explained: "At 2 pm 31st August, Voip Unlimited's network was the victim of an alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand." 

DDoS attacks usually function by flooding a target server or end-user with data requests from numerous internet-connected devices (often malware-infected machines/botnets, etc.), causing the designated destination to crash or experience substantial performance issues until the bad traffic ceases. These attacks might potentially reveal additional vulnerabilities that hackers can abuse. 

A number of Voip Unlimited's networks suffered "intermittent or total loss of internet connectivity services" as a result of the attack; however, clients using its Voip Unlimited Ethernet and Broadband services are thought to have been mostly unharmed.

"UK Comms Council has communicated to us that other UK SIP (Session Initiation Protocol) providers are affected and identified them as a criminal hacking organization called REvil who appear to be undertaking planned and organized DDoS attacks against VoIP companies in the UK," Pillow added. 

The sheer magnitude of the attack is yet unknown, but according to an email sent by Voipfone on Tuesday and obtained by El Reg, the firm's services were "intermittently disrupted by a DDoS attack" over the Bank Holiday weekend, flooding its systems with phony traffic from tens of thousands of infected devices.

Users were understandably upset at being unable to access vital telecommunication services on their return to work after the August Bank Holiday weekend.

In a statement, Comms Council UK chair Eli Katz said, "Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a small number of our members have been impacted. We have communicated the issue to our membership and are continuing to liaise closely with them to share further information and support as the situation develops."

Likewise, an alleged DDoS attack on Iran's telecommunications networks in February caused a substantial disturbance, wiping out around 25% of the country's internet connectivity and triggering an early outage of mobile and fixed-line services.

NCSC Alerts of Cyber Threats to Ireland's Energy, Telecoms and Transport Sectors

 

One of the UK's leading cyber officials has cautioned of a rising threat to Ireland's cross-border telecoms, energy, and transportation infrastructure while praising the UK's continued close cooperation with its neighbour.

Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), mentioned that the two countries had "shared cyber interests" and a strong bilateral partnership while speaking remotely at an Institute of International and European Affairs (IIEA) event in Dublin. 

This will become increasingly crucial given the potential for increased cyber-threats affecting both Northern Ireland and its southern neighbour.

“Energy security for Northern Ireland is based on gas pipelines and electrical interconnectors to both Great Britain and across the border, including the Single Electricity Market. The energy sector is dependent on operational technology — connected systems that monitor and control automated industrial processes — to function effectively and efficiently,” Cameron explained. 

Cameron noted that it is a real possibility that this reliance on operational technology and the interconnected nature of the energy supply network on the island of Ireland combines to create a potential target for cyber-attacks.

Other probable concerns include a ransomware attack on the rail link between Belfast and Dublin, collectively operated by Northern Ireland Railways and Irish Rail, she noted. 

Cameron cautioned that state actors are a constant concern, particularly in the telecoms industry, where compromised targets could facilitate spying on other sectors as well as being sources of consumer and communications data in their own right.

She further added, “Some managed service providers that operate in Northern Ireland provide services both sides of the border. It is, therefore, a realistic possibility that a cyber-attack on a telecoms provider could impact services to both of our countries.” 

“The governments of both UK and Ireland have been clear that they will not tolerate malicious cyber activity, and we have and will publicly call out state-level attacks.” 

These dangers are no longer theoretical: in May, the Irish Health Service was targeted by a very destructive ransomware attack, which Cameron claimed put patients' lives in jeopardy. 

Following the incident, the NCSC collaborated closely with its Irish partners, though the threat actors themselves handed over the decryption key after a few days as a "public relations move".

Cisco Smart Install Protocol is Still Being Exploited in Cyber-Attacks

 

Five years after Cisco issued its first warning, the Smart Install protocol is still being utilized in assaults, and there are around 18,000 internet-exposed devices that might be targeted by hackers. Smart Install is a plug-and-play configuration and image-management technology from Cisco that allows new switches to be deployed with zero-touch. Smart Install can be extremely important to organizations, but it can also be a significant security concern. 

A Smart Install network consists of a group of networking devices known as clients that are served by a common Layer 3 switch or router that serves as a director. You can use the Zero-Touch Installation process in a Smart Install network to install new access layer switches without the help of the network administrator. The director acts as a central management point for client switch images and configuration. When a new client switch is added to the network, the director immediately recognizes it and determines which Cisco IOS image and configuration file should be downloaded. 

Once a device has been set up via Smart Install, the function remains enabled and can be accessed without authentication. Malicious actors have been able to remotely target devices with Smart Install enabled, including reloading devices, loading a new operating system image, and running arbitrary commands with elevated privileges.
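Because the exposure described above comes from a client feature that stays enabled after deployment, the practical defender's check is to audit switch configurations for it. The following is an added example, not Cisco tooling or code from the article: it scans IOS running-config text for the global `no vstack` line (the IOS command that disables the Smart Install client) and for `vstack director` lines that mark a device as a director, and produces a per-device verdict. The sample configurations are constructed.

```python
"""Audit Cisco IOS running-config text for Smart Install exposure.

Added example, not Cisco tooling. It looks for the global 'no vstack' line
(disables the Smart Install client) and for 'vstack director ...' lines
(device is a Smart Install director). Sample configs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class SmartInstallFinding:
    hostname: str
    vstack_disabled: bool
    is_director: bool
    verdict: str


_HOSTNAME = re.compile(r"^hostname\s+(\S+)", re.MULTILINE)
_NO_VSTACK = re.compile(r"^no vstack\s*$", re.MULTILINE)
_DIRECTOR = re.compile(r"^vstack director\b", re.MULTILINE)


def audit_config(config_text: str) -> SmartInstallFinding:
    """Return a finding for one device's running-config."""
    m = _HOSTNAME.search(config_text)
    hostname = m.group(1) if m else "<unknown>"
    disabled = bool(_NO_VSTACK.search(config_text))
    director = bool(_DIRECTOR.search(config_text))
    if disabled:
        verdict = "ok: Smart Install disabled"
    elif director:
        # A director legitimately needs the feature; limit who can reach it.
        verdict = "review: Smart Install director; restrict TCP 4786 to known clients"
    else:
        # No explicit setting: on affected images the client stays enabled by default.
        verdict = "exposed: Smart Install client not disabled; add 'no vstack'"
    return SmartInstallFinding(hostname, disabled, director, verdict)


def audit_many(configs: Iterable[str]) -> List[SmartInstallFinding]:
    """Audit several running-configs and return one finding per device."""
    return [audit_config(c) for c in configs]


# Constructed sample running-configs, trimmed to the relevant lines.
SAMPLE_CONFIGS = [
    "hostname access-sw-01\n!\nno vstack\n!\ninterface Vlan1\n ip address 10.0.0.2 255.255.255.0\n",
    "hostname access-sw-02\n!\ninterface Vlan1\n ip address 10.0.0.3 255.255.255.0\n",
    "hostname dist-director\n!\nvstack director 10.0.0.1\nvstack basic\n",
]

if __name__ == "__main__":
    for f in audit_many(SAMPLE_CONFIGS):
        print(f"{f.hostname:16} {f.verdict}")
```

The script works on exported configuration text, so it fits into whatever config-backup pipeline already exists; a device that has never been touched simply has no `vstack` line at all, which is exactly the "set up and then forgotten" case the article describes, and that is why the absence of `no vstack` is reported as exposed rather than ignored. On the device itself, `show vstack config` confirms the live state.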

After an exploitation tool was made public in 2016, Cisco issued a warning on the misuse of Smart Install. In 2017 and 2018, the company sent more alerts, identifying hundreds of thousands of vulnerable devices, including those in critical infrastructure organizations. In 2018, it was revealed that the Smart Install function had been targeted both by hacktivists in assaults on Cisco switches in Iran and Russia as part of an ostensibly pro-US attack, and by a Russia-affiliated state-sponsored cyberespionage group.

In 2016, the number of networking devices vulnerable to Smart Install assaults surpassed 250,000, but by 2018 it had reduced to 168,000. The Shadowserver Foundation is still keeping track of the number of potentially susceptible devices, reporting that almost 18,000 are currently online, including many in North America, South Korea, the United Kingdom, India, and Russia.

Last month, Lumen Technologies' Black Lotus Labs cybersecurity unit discovered that a hacktivist group had compromised at least 100 internet-exposed routers belonging to both public and private sector entities, most of which were based in the United States.

Russian Actors Change Techniques After UK and US Agencies Expose Them

After Western agencies outed their techniques, Russian actors from the APT29 group responded to the exposure by using red-teaming software to get into victims' networks under the guise of a trusted pentesting exercise. The UK's National Cyber Security Centre (NCSC) and its US counterparts have now warned that the SVR is exploiting a dozen critical-rated vulnerabilities, including RCEs in products ranging from VMware virtualization to Cisco routers, as well as the well-known Pulse Secure VPN flaw, along with other equipment.

"The NCSC, CISA, FBI, and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise," says the NCSC website. The advisory describes a case in which the spies searched mailboxes for authentication credentials, including passwords and PKI keys. The SVR is Russia's foreign intelligence service, roughly comparable to MI6 with some GCHQ-like functions, and is known in the security community as APT29. 

Last month, UK and US agencies jointly exposed the group's techniques, giving security teams around the world a look at the state-sponsored attackers that may have been inside their networks. After the NCSC report was published, the SVR actors changed their tactics, techniques and procedures (TTPs) to avoid further detection and to get around the preventive measures network defenders may have put in place. The group is also posing as an authorised red-team penetration tester to avoid suspicion, and has obtained Sliver, an open-source red-teaming framework, from GitHub and deployed it to maintain access. 

The Russian actors have become more active in exploiting these vulnerabilities. In a blog post, the NCSC warned operators of smart city infrastructure to be alert to state-sponsored actors intent on stealing data. "Why the sudden focus on smart streetlights and all the rest of it? The risk in smart cities is the direct control of operational technology; industrial equipment such as CCTV, streetlights, and access control systems. We understand at least one UK council is removing some smart city gear after having thought of the wisdom of installing it," reports The Register.

Online Learning of University of Hertfordshire Disrupted Due to a Major Cyber-Attack

With most students relying on online learning and video-conferencing tools during the pandemic, the University of Hertfordshire in the UK has suffered a major cyber-attack that disrupted its online teaching. 

According to a ZDNet report, the attack affected all of the university's IT systems, including Office 365, Teams and Zoom, local networks, Wi-Fi, email, data storage, and VPN. The university said it was hit on Wednesday, and all online classes were cancelled on Thursday and Friday as a result. 

“As a result, all online teaching will be canceled today (Thursday 15 April), and we understand that this may impact students being able to submit assignments. We want to reassure our students that no one will be disadvantaged as a consequence of this. Any in-person, on-campus teaching may still continue today, if computer access is not required, but students will have no on-site or remote access to computer facilities in the LRCs [learning resource centres], labs or the university Wi-Fi. We apologize for the inconvenience this situation has caused and will continue to keep you updated,” the university spokesperson stated.

The University of Hertfordshire has not formally disclosed the nature of the attack, or even whether ransomware was involved. Ransomware attacks on academic institutions, both schools and universities, have risen sharply over the last year, partly because the shift to online learning during COVID-19 widened the attack surface. Last year in the UK, Newcastle and Northumbria Universities suffered ransomware incidents that caused significant disruption. 

Jérôme Robert, director at Alsid, said universities are starting to become aware that they are prime targets. “The sheer size of the student and faculty at a university – in Hertfordshire’s case nearly 28,000 people – makes it incredibly difficult to secure and manage the IT estate,” he added. 

“Think of the huge volume of new joiners and leavers each year at universities. IT teams somehow have to manage that process of creating, deleting, and managing all those accounts. It’s a never-ending operation to keep all of that neat and tidy, and any oversights, such as old accounts not being closed down, present risk. On top of this, higher education is currently at heightened risk because of the increase of network activity and general complexity of enabling hybrid learning,” he added.

University of Hertfordshire Hit by Cyberattack

The University of Hertfordshire has become the latest victim in a spate of cyber-attacks against academic institutions after a significant incident knocked all of its systems offline. The attack on its network is believed to have started before 10pm on Wednesday 14 April, and the university’s IT teams are currently working to restore services. 

The university Wi-Fi network was taken down along with the email system and the student portal. Since the attack, students have also reported being unable to access Office 365 services such as Teams, as well as other paid-for services such as Canvas and Zoom.

In a statement, the university said: “As a result, all online teaching will be canceled today (Thursday 15 April), and we understand that this may impact students being able to submit assignments. We want to reassure our students that no one will be disadvantaged as a consequence of this.” 

“Any in-person, on-campus teaching may still continue today, if computer access is not required, but students will have no on-site or remote access to computer facilities in the LRCs [learning resource centres], labs or the university Wi-Fi. We apologize for the inconvenience this situation has caused and will continue to keep you updated,” they added.

The UK's National Cyber Security Centre has for some time been warning of increased targeting of academic institutions, both schools and universities, particularly by ransomware groups, and recently updated its guidance on the subject to reflect the current high volume of attacks.

Educational bodies are considered easy targets by cybercriminals because they often lack the resources to secure their data adequately, hold large amounts of personal information, and may come under greater public pressure to pay a ransom. 

Jérôme Robert, director at Alsid, said universities are starting to become aware that they are prime targets. “The sheer size of the student and faculty at a university – in Hertfordshire’s case nearly 28,000 people – makes it incredibly difficult to secure and manage the IT estate,” he said. 

“Think of the huge volume of new joiners and leavers each year at universities. IT teams somehow have to manage that process of creating, deleting, and managing all those accounts. It’s a never-ending operation to keep all of that neat and tidy, and any oversights, such as old accounts not being closed down, present risk. On top of this, higher education is currently at heightened risk because of the increase of network activity and general complexity of enabling hybrid learning.” Robert added.
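Robert's point about joiners and leavers translates into a routine audit. The Python below is an added example, not code from the university, Alsid or the article: it reads a constructed directory export (the column names and HR status values are this example's assumptions) and lists enabled accounts that belong to leavers, have never been used, or have not logged on for 90 days.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)       # enabled, but no logon for this long
NEVER_USED_AFTER = timedelta(days=30)  # created this long ago and never logged on

# Fixed "now" so the audit is reproducible; a real run would use datetime.now(timezone.utc).
AUDIT_TIME = datetime(2021, 4, 15, 9, 0, tzinfo=timezone.utc)

# Constructed directory export (column names are this example's assumption).
# hr_status comes from the HR feed: active, leaver, or service for non-person accounts.
SAMPLE_EXPORT = """\
account,enabled,created,last_logon,hr_status
astudent,true,2020-09-01T09:00:00Z,2021-04-10T08:12:00Z,active
jdoe,true,2018-09-01T09:00:00Z,2020-06-30T17:45:00Z,leaver
svc-printers,true,2016-01-15T10:00:00Z,2020-11-02T03:00:00Z,service
visiting-prof,true,2021-02-01T09:00:00Z,,active
old-lecturer,false,2012-09-01T09:00:00Z,2019-07-01T12:00:00Z,leaver
"""


def _parse_ts(value):
    """ISO-8601 with a trailing Z -> aware datetime; empty string -> None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_accounts(export_csv, now=AUDIT_TIME):
    """Return [(account, reason), ...] for enabled accounts that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: no longer an authentication path
        created = _parse_ts(row["created"])
        last_logon = _parse_ts(row["last_logon"])
        if row["hr_status"] == "leaver":
            findings.append((row["account"], "enabled account belongs to a leaver"))
        elif last_logon is None and now - created > NEVER_USED_AFTER:
            findings.append((row["account"], "never logged on since creation"))
        elif last_logon is not None and now - last_logon > STALE_AFTER:
            findings.append((row["account"], f"no logon for {(now - last_logon).days} days"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_EXPORT):
        print(f"{account:15} {reason}")
```

The leaver check is the one that matters most: it catches accounts that look healthy by every technical measure but should not exist at all, which is exactly the oversight the quote describes.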

$571 Million to be Paid over Bitcoin Scam

On 26 March 2021 the Commodity Futures Trading Commission announced that the U.S. District Court for the Southern District of New York had entered a default judgment against Benjamin Reynolds, purportedly of Manchester, England, finding that he operated a fraudulent scheme to solicit bitcoin from members of the public and misappropriated customers' bitcoin. The case was brought in connection with the Division of Enforcement's Digital Assets Task Force. 

The Commodity Futures Trading Commission (CFTC) is an independent agency of the US government, created in 1974, that regulates the U.S. derivatives markets, which include futures, swaps, and certain kinds of options. The CFTC's stated mission is to promote the integrity, resilience, and vibrancy of the U.S. derivatives markets through sound regulation. Since the financial crisis of 2007–08, and since 2010 under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFTC has been working to bring more transparency and sound regulation to the multi-trillion dollar swaps market. 

Between May 2017 and October 2017, Reynolds used a public website, various social media accounts, and email to solicit at least 22,190.542 bitcoin, valued at approximately $143 million at the time, from more than 1,000 customers worldwide, including at least 169 people living in the U.S. 

Among other things, Reynolds falsely represented to customers that Control-Finance traded their bitcoin deposits in virtual currency markets and employed specialist virtual currency traders who generated guaranteed trading profits for all customers. He also built an elaborate affiliate marketing network that relied on false promises of outsized referral profits, rewards, and bonuses to encourage customers to refer new customers to Control-Finance. In fact, Reynolds made no trades on customers' behalf, earned no trading profits for them, and paid them no referral rewards or bonuses. Although Reynolds represented that he would return all bitcoin deposits to Control-Finance customers by late October 2017, he never did, instead keeping the deposits for his own use. Customers lost most or all of their bitcoin deposits as a result of the scheme.

The court's March 2, 2021 order requires Reynolds to pay nearly $143 million in restitution to defrauded customers and a civil monetary penalty of $429 million.

Ransomware Attacks Targeting UK’s Education Sector Increased, says NCSC

According to the warning by GCHQ's cybersecurity arm, NCSC, there has been a substantial spike in the number of ransomware attacks targeting the education sector over the last month, just as schools were getting ready to resume in-person classes. 

Ransomware attacks on the UK education sector have been on the rise, according to a new report. This includes developments seen in August and September 2020, along with attacks that have occurred since February 2021. It also offers mitigation recommendations to help in the defense of this sector. 

According to the report, senior leaders must recognize the magnitude of the threat and the ability of the ransomware to cause serious harm to their organizations in terms of information exposure and access to important services. 

Ransomware encrypts servers and files, leaving organisations unable to deliver services. Criminals bet that the pressure on schools and colleges to keep teaching will push victims to give in to extortion and pay a bitcoin ransom for the decryption key needed to recover the network. Increasingly, attackers also threaten to publish confidential data stolen from the network during the attack if the ransom is not paid, and there have been many high-profile cases in which they followed through, mostly via "name and shame" leak sites on the dark web. 

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said. 

Ransomware attacks can be crippling to businesses, taking a considerable period for victims to recover and restore vital services. These activities can also be high-profile in nature, gaining a lot of attention from the public and the media. 

Ransomware attackers have many ways to gain entry to a victim's network. Remote Desktop Protocol (RDP) is one of the most commonly used protocols for remote access, according to the NCSC, allowing staff to reach their office desktops or servers from a remote device over the internet. Ransomware attackers frequently exploit insecure RDP and virtual private network (VPN) configurations to gain their initial foothold. 
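To make the RDP point concrete, here is an added example, not part of the NCSC guidance, that runs a simple brute-force and password-spray detection over a handful of constructed Windows Security events (Event ID 4625 is a failed logon, 4624 a successful one, and Logon Type 10 is RemoteInteractive, i.e. RDP). The thresholds, addresses and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10         # failed RDP logons from one source address ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window
SPRAY_USERS = 5                # distinct accounts tried from one source address
RDP_LOGON_TYPE = 10            # Windows Logon Type 10 = RemoteInteractive (RDP)


def _ts(value):
    return datetime.fromisoformat(value)


def _event(event_id, ip, user, when):
    return {"EventID": event_id, "LogonType": RDP_LOGON_TYPE, "IpAddress": ip,
            "TargetUserName": user, "TimeCreated": when}


# Constructed Security-log events (addresses are documentation ranges):
#  - 203.0.113.7 hammers 'administrator' 12 times in a minute, then gets in
#  - 198.51.100.9 tries six different accounts once each, a minute apart
#  - 192.0.2.10 is a staff member who mistypes a password twice, then succeeds
SAMPLE_EVENTS = (
    [_event(4625, "203.0.113.7", "administrator", f"2021-03-20T02:00:{5 * i:02d}") for i in range(12)]
    + [_event(4624, "203.0.113.7", "administrator", "2021-03-20T02:02:30")]
    + [_event(4625, "198.51.100.9", user, f"2021-03-20T02:1{i}:00")
       for i, user in enumerate(["jsmith", "akhan", "finance", "reception", "it-helpdesk", "principal"])]
    + [_event(4625, "192.0.2.10", "mpatel", "2021-03-20T02:20:00"),
       _event(4625, "192.0.2.10", "mpatel", "2021-03-20T02:20:30"),
       _event(4624, "192.0.2.10", "mpatel", "2021-03-20T02:21:00")]
)


def detect_rdp_abuse(events):
    """Return brute-force sources, spraying sources, and RDP successes that followed either."""
    failures = defaultdict(list)   # ip -> [(time, user), ...]
    successes = []
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((_ts(e["TimeCreated"]), e["TargetUserName"]))
        elif e["EventID"] == 4624:
            successes.append((_ts(e["TimeCreated"]), e["IpAddress"], e["TargetUserName"]))

    brute_force, spray = {}, {}
    for ip, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAILURE_THRESHOLD:
            brute_force[ip] = peak
        distinct_users = {user for _, user in attempts}
        if len(distinct_users) >= SPRAY_USERS:
            spray[ip] = len(distinct_users)

    suspicious = set(brute_force) | set(spray)
    # A successful RDP logon from a source that was just guessing is the alert to act on first.
    followed_by_success = [
        (ip, user, when.isoformat())
        for when, ip, user in sorted(successes)
        if ip in suspicious and when > failures[ip][0][0]
    ]
    return {"brute_force": brute_force, "spray": spray, "success_after_failures": followed_by_success}


if __name__ == "__main__":
    for key, value in detect_rdp_abuse(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The two-typo staff member stays below both thresholds, which is the point of using a window and a distinct-user count rather than alerting on every 4625. On a real estate you would feed this from the Security log export or your SIEM, and treat any entry in `success_after_failures` as a probable compromised account.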

"This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted", says NCSC. 

To protect against malware and ransomware, the NCSC recommends a "defense in depth" approach. Its guidance for schools, colleges, and universities includes having an effective vulnerability management and patching process, protecting remote web services with multi-factor authentication, and installing and enabling anti-virus software. 

Taxpayers Personal Data Exposed Online in the UK

Several local councils in the UK have sent SMS messages to large numbers of residents urging them to pay outstanding council tax. The messages contained links to online records, and the lists of other taxpayers behind those links should never have been reachable by anyone else. Unfortunately there was no authentication or other check in place to prevent the leak, so a large number of UK taxpayers have had their full names, home addresses, and outstanding debts exposed.

The blunder was the work of Telsolutions Ltd., which provides contact and communication services to the local councils and was contracted to chase tax defaulters for payment. This is a common approach among private and public bodies around the world. Beyond the psychological effect of such messages on their recipients, there is also the risk of data exposure.  

Besides SMS, the council tax services also use email and even recorded voice messages. All of this creates room for scammers, since taxpayers receiving official communications from the state via third parties is an ideal setting for fraud. News of the exposure reached The Register, which checked and confirmed that the data was indeed accessible via the short links that had been sent out. All of the shared URLs have now been taken offline after Telsolutions and some of the councils were informed of the mistake. However, as The Register reports, search engines had already indexed some of these public entries, allowing anyone to search for other people and see their addresses, tax debts, and more.

An investigation of the enumerable URLs found that London's Bexley Council, a client of the Telsolutions service, had implemented no authentication at all. Anyone could view the full details of an alleged tax defaulter in the borough without proving their identity. To see another taxpayer's record, a recipient only had to follow the URL from the SMS, change the alphanumeric characters in it, and click a button labeled "proceed". 
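The following Python sketch is an added example, not Telsolutions' code or any council's: it puts the pattern described above (a guessable code in the link is the only thing between a visitor and someone else's record) next to a hardened version that issues a random per-recipient token, stores only its hash, expires it, and still asks the visitor to confirm a fact only the addressee should know before showing anything. The records, the postcode challenge and the 14-day lifetime are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed records standing in for what the short links resolved to.
RECORDS = {
    "A7K3": {"name": "Alice Example", "address": "1 High Street", "postcode": "DA5 1AA", "debt_gbp": 412.50},
    "A7K4": {"name": "Bob Example", "address": "2 High Street", "postcode": "DA5 1AB", "debt_gbp": 98.00},
}

# Fixed clock for the demonstration; production code uses datetime.now(timezone.utc).
ISSUED_AT = datetime(2021, 3, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = ISSUED_AT + timedelta(days=15)


def vulnerable_lookup(code):
    """The pattern in the report: the code in the link is the record key and nothing else is checked.

    Change A7K3 to A7K4 in the URL and you are reading a neighbour's debt.
    """
    return RECORDS.get(code)


class TokenStore:
    """Hardened replacement: random per-recipient tokens, stored hashed, time-limited, and only
    honoured together with a fact the addressee knows (assumed here: the postcode on file)."""

    def __init__(self, ttl=timedelta(days=14)):
        self.ttl = ttl
        self._by_digest = {}  # sha256(token) -> (record_key, expiry); a DB dump reveals no live links

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, record_key, now):
        """Mint the token that goes into the SMS link: 128 bits of entropy, not enumerable."""
        token = secrets.token_urlsafe(16)
        self._by_digest[self._digest(token)] = (record_key, now + self.ttl)
        return token

    def lookup(self, token, postcode, now):
        """Return the record only for an unexpired token whose postcode challenge matches."""
        entry = self._by_digest.get(self._digest(token))
        if entry is None:
            return None
        record_key, expiry = entry
        if now > expiry:
            return None
        record = RECORDS[record_key]
        expected = record["postcode"].replace(" ", "").upper().encode()
        supplied = postcode.replace(" ", "").upper().encode()
        # Constant-time comparison so response timing cannot be used to guess the postcode.
        if not hmac.compare_digest(expected, supplied):
            return None
        return record


def demo():
    """Issue a link token for Alice and show what each lookup path returns."""
    store = TokenStore()
    token = store.issue("A7K3", ISSUED_AT)
    return {
        "vulnerable_neighbour": vulnerable_lookup("A7K4")["name"],      # anyone can read Bob
        "correct_postcode": store.lookup(token, "da5 1aa", ISSUED_AT)["name"],
        "wrong_postcode": store.lookup(token, "DA5 1AB", ISSUED_AT),
        "expired": store.lookup(token, "DA5 1AA", AFTER_EXPIRY),
        "guessed_token": store.lookup("A7K3", "DA5 1AA", ISSUED_AT),
    }


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path:22} {result}")
```

Note that the hardened lookup never reports which check failed; a wrong postcode, an expired link and an unknown token all return the same nothing, so the endpoint cannot be used as an oracle either.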

In total, 14 councils appear to have used the same flawed service after placing their trust in the provider, including Barnet, Bexley, Brighton, Cardiff, Coventry City, Greenwich, Lambeth, Redbridge, Southampton City, and Walsall.

15 Schools in the UK Compromised in Cyber-Attack

Fifteen schools in the UK were unable to offer online learning as a result of a cyber-attack. The affected schools are in Nottinghamshire and belong to the Nova Education Trust. 

On Wednesday, some of the schools announced via social media that their IT networks had been suspended because of the attack, according to the local publication Nottinghamshire Live. The attack was first detected on Wednesday morning, prompting the trust to switch off every device as a precaution, and the central IT team is still investigating its possible consequences. The Nova Education Trust said a threat actor was able to access the organisation's central network infrastructure, and that all telephone, email, and website communications had to be taken down during the investigation. 

Because of pandemic lockdown measures, students in England are still learning remotely; schools are due to reopen on 8 March, and only a small group of pupils, such as the children of key workers, currently attend in person. Each school was also instructed to shut down its systems temporarily during the investigation, and some have already published notices on social media advising students not to use any of their school applications. 

The 15 affected schools could not deliver normal remote learning, and teachers were unable to upload teaching materials. Some schools have turned to SMS messages, temporary telephone numbers, and Microsoft Teams to limit the disruption to lessons. Systems have been down for several days and IT teams are still working to restore them across all of the schools. The perpetrator has not yet been identified, but the incident shows how a single compromise of shared central infrastructure can take every connected school offline. 

The trust said in a later statement that the incident had been reported to the ICO and the Department for Education, and that the National Cyber Security Centre is involved in the investigation. As a precaution, the Nova Education Trust advised teaching and administrative staff to disregard any suspicious communications relating to the incident. 

"The incident has been reported to the Department for Education and the Information Commissioner's Office (ICO), and the trust is currently working with the National Cyber Security Centre (NCSC) and additional security professionals to resolve the matter," Nova Education Trust said. "All trust employees have been advised to take the necessary precautions."

Data Analytics Agency Polecat Held To Ransom After Server Exposed 30TB Of Records

On October 29, 2020, the Wizcase CyberResearch Team, led by Ata Hakcil, discovered an Elasticsearch server owned by Polecat that exposed about 30TB of records to the internet, with no authentication required to access them and no encryption in place. 

Polecat is a UK-based data agency that, according to its website, provides “a combination of advanced data analytics and human expertise, [to help] the world’s largest organizations achieve reputation, risk, and ESG (environmental, social, and governance) management success”. 

The researchers found records dating back to 2007 containing sensitive information, including employees’ usernames and passwords, social media records, around 6.5 billion tweets, and around one billion posts harvested from independent websites and blogs. 

Wizcase’s Chase Williams reported the discovery in a blog post published on March 1, 2021. 

The public information Polecat collects is drawn from daily events and covers subjects such as Covid-19, politicians, firearms, racism, and healthcare. Wizcase notified Polecat of the exposure on October 30 and November 1, 2020. Nevertheless, it takes only seconds for an open, unsecured server or bucket to be found and exploited by malicious actors, and that is exactly what happened a day after the researchers’ discovery. 

“On October 30, a Meow attack was launched against the database. Meow attacks replace database indexes with the suffix ‘gg-meow’, leading to the destruction of swathes of data,” Wizcase said. 

Additionally, it added “approximately half of the firm’s records were wiped, and then in a second wave a further few terabytes of information were deleted. At this point, roughly 4TB remained in the server. Most of these records were then destroyed and a ransom note was spotted by the researchers that demanded 0.04 Bitcoin (BTC) – roughly $550 at the time – in return for the files’ recovery”. 

The Wizcase team warned that attacks of this type are typically automated and launched indiscriminately against any unprotected database left open on the internet.
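As an added example, not part of the Wizcase report or of Polecat's systems, the Python below shows the two checks a practitioner would want after reading this: a reviewer for elasticsearch.yml that flags a node bound to a non-loopback address with security switched off (assuming a 7.x-era node, where security stays off unless xpack.security.enabled is set), and a scan of index names for the "-meow" suffix the wiper leaves behind. The configuration text and index names are constructed.

```python
# Constructed elasticsearch.yml fragments. Assumption: a 7.x-era node, where
# security is off unless xpack.security.enabled is explicitly set to true.
EXPOSED_YML = """\
cluster.name: polecat-analytics
network.host: 0.0.0.0          # bind every interface
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_YML = """\
cluster.name: polecat-analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Constructed index names as `GET _cat/indices` might list them after a wiper visit.
SAMPLE_INDICES = ["tweets-2020", "8r4c2-meow", "posts-2019", "jxk1q-gg-meow", ".kibana_1"]

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_flat_yaml(text):
    """Read flat `key: value` lines; comments and blanks skipped (assumption: no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def _is_true(settings, key, default="false"):
    return settings.get(key, default).lower() == "true"


def config_risks(yml_text):
    """Return a list of findings; an empty list means these checks found nothing."""
    s = parse_flat_yaml(yml_text)
    host = s.get("network.host", "_local_")   # Elasticsearch default is loopback only
    public = host not in LOOPBACK and not host.startswith("127.")
    risks = []
    if public and not _is_true(s, "xpack.security.enabled"):
        risks.append(f"network.host={host} with xpack.security.enabled=false: "
                     "anyone who can reach port 9200 can read, modify or delete every index")
    if public and not _is_true(s, "xpack.security.http.ssl.enabled"):
        risks.append("HTTP API exposed without TLS")
    return risks


def meow_damaged_indices(index_names):
    """Indices renamed by the Meow wiper end in '-meow' (the report quotes 'gg-meow')."""
    return sorted(name for name in index_names if name.endswith("-meow"))


if __name__ == "__main__":
    print("exposed :", config_risks(EXPOSED_YML))
    print("hardened:", config_risks(HARDENED_YML))
    print("wiped   :", meow_damaged_indices(SAMPLE_INDICES))
```

The first check is the one that would have mattered here: binding to all interfaces is often needed for a cluster, but doing so with security disabled is what turns a data store into a public, writable one. The second is only useful after the fact, which is why the first belongs in deployment review rather than incident response.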