Cyber_Bytes - Issue 45

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

Reverse proxy phishing is on the rise

EvilProxy is an example of a reverse-proxy phishing-as-a-service platform (PaaS) that purports to help users steal authentication tokens to defeat multi-factor authentication processes of large organisations, at a fee. The service allows low-skill threat actors, who don’t necessarily know how to set up reverse proxies, a low-cost option for stealing otherwise well-protected internet accounts.

The process of reverse proxy phishing involves intercepting session cookies on servers between the intended victim and a genuine authentication endpoint, such as a company’s login form. Threat actors can then utilize this intercepted authentication cookie to log in to the site as the user, circumventing multi-factor authentication measures that have been enabled.

EvilProxy appears to be intended as a service directly to hackers, even offering instructional videos. Payments for the PaaS services are made individually using Telegram.

Click here to read the Dataconomy article.

Cyber-attack hits hotel chain

The parent company of Holiday Inn, Intercontinental Hotels Group (IHG) confirmed "unauthorised access" to its technology systems as of 5 September 2022. IHG, which also manages Crowne Plaza and Regent hotels issued a statement within 24 hours confirming booking channels and other applications were affected and that it was investigating and working to restore its systems. IHG also made the relevant notifications to regulators.

Several users took to social media to complain about difficulties faced when using IHG booking services. Though IHG did not specify loss of customer data, much of the user commentary and speculation pointed to tell-tale signs of a ransomware attack impacting customers. In 2017 the hotel chain dealt with a three-month security breach affecting over 1,200 US franchised hotels.

Click here to read the BBC article.

Stricter cybersecurity rules on the horizon for EU digital product makers

New draft EU proposals, introduced on 8 September, are intended to reduce hacking risks in a range of products, from home appliances and wearable devices to software and computers. The proposed legislation will exclude medical devices and cars which are regulated by other laws.

The draft rules have listed 38 critical technology products which will be required to obtain cybersecurity assessments from an independent body, these include password managers, firewalls, industrial internet-of-things devices, and smart meters. Under the proposed plans 90% of companies will be able to self-certify. Manufacturers that do business in the EU will also be required to provide regular security patches and updates for the shorter of the product's lifetime or 5 years after going to market. In the spirit of transparency there will also be a new requirement to produce a software bill of materials listing the components of each product to help more easily track security vulnerabilities. Products with digital parts will need to display labels saying they comply with the new rules and stating how long cyber support will be provided. Under proposed rules, companies that break the rules would face fines of up to 15 million euros, or 2.5% of global revenue.

Industry players have reacted negatively to news of the proposed legislation. Nils Scherrer, a manager in digitization at ZVEI, an association of German electrical and digital companies, said complying with the proposed legislation would be a "massive undertaking" with increased costs and administration for companies. Paolo Falcioni, director general of Applia, a Brussels-based association for home appliance makers called the development, "essentially a time-to-market restriction,” as third-party security reviews have the potential to stall product launches.

Consumer supporters welcomed the proposals, calling for expansion of the critical technology products list covered, citing heightened risks to consumers from hackers gaining access to their common everyday products. Thierry Breton, EU commissioner called the legislation a breakthrough, making Europe the first continent to propose required cybersecurity assessments for software.

Click here to read the full article by Wall Street Journal.

UK’s financial sector sees new wave of Distributed Denial of Service, (DDoS) attacks

DDoS attacks accounted for 25 per cent of all hacking incidents reported to the Financial Conduct Authority (FCA) in the first half of the year compared to just four per cent in 2021. Hackers appear to be relying on the losses threatened by immediate interruption, in the hope that companies may be willing to pay ransoms to restore access to services, if they assess the ransom payments to be less than the cost of losing any business.

Cybersecurity experts attribute these increases to a shift in the priorities of state-backed hackers who now prefer targeting critical infrastructure.

Click here to read the full City AM article.

ICO publishes guidance on privacy enhancing technologies (PETs)

PETs are technologies that help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information.

The ICO has released draft guidance on PETs shedding light on ways companies can put a data protection by design approach into practice.

As part of the ICO’s draft guidance on anonymisation and pseudonymisation, the ICO explains the types of PETs currently available along with their different benefits in aiding compliance with data protection law. A key benefit is that PETs can assist with the analysis of personal data without a controller sharing it, or a processor having access to it. This ability to share, link and analyse data can provide valuable insights while ensuring compliance. The ICO is still seeking feedback to help improve its final guidance.

Common use cases for PETs are already seen in the anti-money laundering space and in the healthcare sector to drive better health outcomes. The ICO encourages more collaboration to analyse personal data in a privacy preserving manner. The UK government's efforts in harnessing the potential for technology to tackle global societal changes are also being matched in the US with both nations offering prize challenges to successful collaborators.

The extent of the collaborative effort needed from organisations is further highlighted in the ICO's call for industry led codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PET developers and providers build technology with data protection and privacy at the forefront.

The outcomes of further discussions and consultations will likely impact the final guidance, so this is a development for all organisations to keep an eye on.

Click here to read the full ICO press release.