May 2022 Newsletter
Posted By: Mark, Sunday 5th June 2022
Tags: business support, cyber attacks, cyber aware, Cyber Safe, Cyber Security, IT services, Newsletter, technology
This month we look at the continued rise in cyber attacks, how to keep your business cyber safe, a warning about hackers pre-hijacking accounts, a new scam warning involving chatbots, a look into the safety of driverless cars, and we have job vacancies.
Cyber Attacks Continue To Rise
This month saw security experts, Arkose Labs, release their Q2 2022 State of Fraud & Account Security report, which highlights the global growth of cyber fraud in the first quarter of the year.
After analysing billions of interactions with financial, ecommerce, travel, social media, gaming, and entertainment services — logins, registrations and payments — it concluded that 1-in-4 accounts created were fake accounts set up for the purpose of fraud and scams.
Bot-driven Cyber Attacks
The first quarter of 2022 has seen ‘consistently higher’ bot-oriented attacks than the average seen throughout 2021, driven by large-scale scraping and credential stuffing attempts. These bots are becoming harder to detect because of more complex automated attack signatures that are better at copying human behaviour.
The top targeted fintech and gaming sectors, however, are still seeing human fraudsters accounting for as much as 35% of incoming traffic. Companies in the financial, technology and gaming industries also see 88% of all cyber attacks versus all other industries combined.
Cyber Attacks Are A Lucrative Business
The report notes a huge growth in cybercriminals since lockdown. Newcomers to the game are making up to £15,000 per month, while the more established players are pulling in millions per year – more than FTSE 100 Executives.
It claims that the number of career fraudsters has increased tenfold since 2019 and now outnumbers the cybersecurity workforce: an estimated 15 million fraudsters compared with 4.19 million cybersecurity workers.
Cybersecurity Ventures estimates that the global cybercrime industry will reach more than $10 trillion by 2025.
Asia & Europe Home To Most Cyber Attacks
The top five nations for cyber attacks are US, India, China, the UK, and Vietnam, originating a reported 60% of attacks. 40% of attacks come from Asia, with 1-in-3 coming out of Europe. The UK saw ~52 million attacks on online business during this first quarter of 2022.
Staying Safe From Cyber Attacks
All businesses need to be aware of the potential damage of a cyber attack on their business, and should be prepared for the worst. LaneSystems offers a range of cyber security, data recovery and backup services to mitigate the effects of cybercrime. Contact us for further help.
We are currently recruiting for an Infrastructure Engineer and a 3rd Line Technician to join our growing and successful support team. You will become part of our friendly team of support technicians providing first class IT support to our widely varied client portfolio. These industries include but are not limited to engineering, construction, accountancy and auto mechanical engineering.
Industry certifications from Microsoft or Cisco are desired, as would be a Computer Science related degree. Hands on experience in an IT support role of 5 years+ is also preferred.
For further details of the roles, and how to apply, check the links below.
Joint Alert About Staying Cyber Safe
A checklist of common exploits, and best practices to mitigate the chances of a cyber attack, has been issued as a joint alert from the cybersecurity authorities in the United States, Canada, New Zealand, Netherlands, and the United Kingdom.
While unpatched software vulnerabilities are regularly exploited, initial network access is often gained via security misconfigurations.
From the CISA website:
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
Multifactor authentication (MFA) is not enforced
MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) as one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.
Incorrectly applied privileges or permissions and errors within access control lists.
These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
Software is not up to date.
Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
Use of vendor-supplied default configurations or default login usernames and passwords.
Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit. Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings.
Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access.
During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
Strong password policies are not implemented.
Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP.
Cloud services are unprotected.
Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
Open ports and misconfigured services are exposed to the internet.
This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.
Failure to detect or block phishing attempts.
Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
Poor endpoint detection and response.
Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.
It’s a never-ending battle to stay safe from the dangers of cyber attacks, and the cyber security setup of your business should be of the highest priority. LaneSystems offers Cyber Essentials and Cyber Essentials Plus Certification, the National Cyber Security Centre’s scheme for encouraging organisations to follow good practice with information security. Contact us to see how Cyber Essentials will benefit your business.
Hackers Can Pre-Hijack Online Accounts
Cyber security researchers this month published a research paper warning of the dangers of pre-hijacking – where hackers take over your online account before you’ve even registered it. A number of common services are vulnerable to the attack vector and people should be aware.
Of the seventy-five popular online services analysed by researchers, thirty-five were found to be vulnerable to at least one method of account pre-hijacking attack. That list includes popular social media, cloud storage, video conferencing, and blogging services.
How Pre-Hijacking works
As noted by Bleeping Computer: “For a pre-hijacking attack to work, the hacker needs to know a target’s email address, which is relatively easy through email correspondence or via the numerous data breaches that plague companies daily.
“Next, an attacker creates an account on a vulnerable site using the target’s email address and hopes that the victim dismisses the notification that arrives in their inbox, deeming it spam. Finally, the attacker waits for the victim to create an account on the site or indirectly tricks them into doing it.”
Five Methods Of Pre-Hijacking
The research lays out five methods of attack open to cyber criminals attempting to pre-hijack somebody’s account: the Classic-Federated Merge (CFM), the Unexpired Session Identifier (US), the Trojan Identifier (TID), the Unexpired Email Change (UEC) and the Non-Verifying Identity Provider (IdP) attack (NV).
In the Classic-Federated Merge Attack, the victim’s email address is first used to create an account. When the victim later comes to create an account using the same email address, the service merges these two accounts insecurely, leaving the attacker also with access to the account.
In the Unexpired Session Identifier Attack the victim’s email address is again used to create an account and then a script maintains an ongoing active session. When the victim “recovers” the account using the same email address, the attacker keeps account access because the attacker’s session is still left active.
With the Trojan Identifier Attack, it’s a mixture of the two methods mentioned above.
According to the paper: “The attacker creates a pre-hijacked account using the victim’s email address, but then associates the account with the attacker’s IdP account for federated authentication. When the victim resets the password (as in the Unexpired Session Attack), the attacker can still access the account via the federated authentication route.”
An Unexpired Email Change Attack begins with the attacker setting up an account using the victim’s email address and then changing it to their own address, so that the service sends a verification URL to the attacker’s email address. The attacker waits to confirm the change only after the victim has recovered the account and started using it.
Finally, HelpNetSecurity describes how the Non-Verifying IdP Attack works: “The attacker leverages an IdP that does not verify ownership of an email address when creating a federated identity -> The attacker creates an account with the target service and waits for the victim to create an account using the “classic” route -> If the service incorrectly merges the two accounts based on the email address, the attacker can access the victim’s account.”
Researchers, Andrew Paverd and Avinash Sudhodanan, said: “The impact of account pre-hijacking attacks is the same as that of account hijacking. Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim’s identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.).”
Although the tested vulnerable services, such as Dropbox, Instagram, LinkedIn, WordPress.com, and Zoom, were notified and should have implemented fixes, there are likely many more untested sites out there with similar vulnerabilities. Be aware of the issue and enable multi-factor authentication on any accounts you set up, as that should solve unexpired session problems.
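As an added illustration (not code from the paper or from any of the services it tested), the hypothetical AccountService below shows the defences implied by the five attack descriptions: an unverified record is replaced rather than merged when the real owner signs up, and password recovery revokes every live session, any pending email change and any federated link the earlier holder of the record had bound.

```python
# Constructed model of a pre-hijacking-resistant account lifecycle. Not the
# researchers' code; passwords are kept in clear only to keep the example short.
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str
    verified: bool = False                    # set once the mailbox owner confirms
    idp_link: str | None = None               # federated IdP bound to this account
    sessions: set[str] = field(default_factory=set)
    pending_email_change: str | None = None   # unconfirmed new address, if any


class AccountService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def signup(self, email: str, password: str) -> Account:
        existing = self.accounts.get(email)
        if existing is not None and existing.verified:
            raise PermissionError("address already verified: use recovery")
        # An unverified record (possibly created by someone else) is replaced
        # outright: its sessions, IdP link and pending changes do not carry over.
        acct = Account(email, password)
        self.accounts[email] = acct
        return acct

    def confirm_email(self, email: str) -> None:
        self.accounts[email].verified = True

    def login(self, email: str, password: str) -> str:
        acct = self.accounts[email]
        if not acct.verified or not secrets.compare_digest(acct.password, password):
            raise PermissionError("login refused")
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        return token

    def is_session_valid(self, email: str, token: str) -> bool:
        return token in self.accounts[email].sessions

    def reset_password(self, email: str, new_password: str) -> None:
        # Recovery revokes everything an earlier holder of the record could use:
        # live sessions, an unconfirmed address change and any federated link.
        acct = self.accounts[email]
        acct.password = new_password
        acct.sessions.clear()
        acct.pending_email_change = None
        acct.idp_link = None
```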
Phishing Websites Using Chatbots To Steal Info
Trustwave cybersecurity researchers have reported a phishing campaign pretending to be a customer support chatbot for DHL.
As with all phishing scams, a fake email is sent, this time relating to the attempted delivery of a parcel. The email contains a link to a PDF with some more details and a further link to the fake website. Routing the link through a PDF is a method used to get past email security software.
Once on the scam site you find the chatbot waiting to ‘help’ you. It’ll give a bit of information about the package, along with a photo of it, and then ask a bunch of questions where you give away personal information, then DHL account login information, and finally credit card info when it asks for payment ‘to cover the shipping costs’.
Increasingly Sophisticated Scams
As TechRadar notes: “Whoever is behind this campaign has really put some effort into it. Before giving away their DHL login information, victims will have to pass a fake captcha page. Once they enter their card data, the payment gateway will first check the validity of the card. Afterwards, the user gets redirected to a one-time password (OTP) page, where they’ll have to enter a code received via SMS.”
Always be careful with incoming emails containing links and/or attachments. Phishing attempts are becoming ever more sophisticated so always check with others in your business if a notification seems genuine. If something comes in from a company or service you actually use, call your usual contact at the place, or go directly to their customer services rather than using any link or number sent in an email.
Are Driverless Cars Safe?
The Automobile Association of America (AAA) has recently released the results of tests carried out on Level 2 driver-assist technology in cars available to the public. The cars in question are a 2021 Hyundai Santa Fe with Highway Driving Assist, a 2021 Subaru Forester with EyeSight, and a 2020 Tesla Model 3 with Autopilot. Level 2 is the highest of the five autonomous driving levels available to buy, and covers technology that requires drivers to maintain alertness at all times so that they are able to seize control from the computer when needed.
The AAA used a foam dummy car and a foam dummy cyclist to assess the crash avoidance capability of each car’s active driving assist (ADA) system in various scenarios. They checked how the cars responded to slow-moving cars or cyclists ahead of them in the same lane, then how they responded to oncoming cars crossing the centre line of the road, and finally how they responded to cyclists crossing their lane of travel.
Problems With Complex Driving Scenarios
All three performed perfectly well when following slow-moving traffic in the same lane, with no collisions. However, things went downhill when the tests moved on to oncoming cars crossing into their lane: all fifteen test runs ended in a head-on collision, with only one result – for the Tesla Model 3 – seeing the car reduce its speed a little. The cyclist test fared slightly better, but still saw five of the fifteen bikes being hit. Worryingly, these tests were carried out at what the AAA calls “unrealistically low vehicle speeds”: the ADA vehicles were travelling at 15mph, while the oncoming vehicle was doing 25mph.
Greg Brannon, AAA’s director of automotive engineering, said the tests highlight the potential danger to users.
“The failure to spot a crossing bike rider or an oncoming vehicle is alarming,”
“A head-on crash is the deadliest kind, and these systems should be optimized for the situations where they can help the most.”
“Drivers tell us they expect their current driving assistance technology to perform safely all the time,” Brannon said. “But unfortunately, our testing demonstrates spotty performance is the norm rather than the exception.”
As the National Law Review notes, these cars are often marketed as ‘driverless’, so is it any wonder that human drivers act more like passive passengers when they operate them? None of these cars is entirely self-driving, so labelling them ‘driverless’ is misleading.
A 2018 AAA survey found that 40% of consumers believed names like “Autopilot” indicated the vehicle was capable of fully autonomous driving. The latest results point towards current ADA systems being completely unsuitable for unsupervised driving.