Cyber_Bytes Issue 61

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

NCSC reports on AI's role in escalating ransomware threats

The National Cyber Security Centre (NCSC) has issued its two-year predictions related to the growing threat posed by the use of artificial intelligence (AI) in ransomware attacks. In a recent report, the NCSC highlights the increasingly sophisticated use of AI by cybercriminals to perpetrate ransomware attacks, signalling a concerning evolution in cyber warfare.

Some key areas where AI is predicted to make its mark are:

• Enhancing social engineering methods by creating convincing interactions with victims;
• Assisting threat actors with identifying high-value assets for examination and exfiltration, intensifying the damage inflicted by ransomware attacks;
• By employing AI-driven techniques, attackers can create more convincing and targeted phishing campaigns, increasing the likelihood of successful breaches; and
• Assisting threat actors with malware and exploit development, vulnerability research and lateral movement.

While the adoption of AI in cyber operations has traditionally been limited to well-resourced and highly skilled threat actors, the NCSC warns that the commoditisation of AI-enabled tools could lower the barrier to entry for less sophisticated cybercriminals. This trend poses significant challenges for cybersecurity professionals tasked with defending against evolving threats.

In response to these emerging risks, the NCSC emphasises the importance of proactive measures and collaboration across sectors to improve cyber resilience. By staying vigilant and implementing robust cybersecurity strategies, organisations can better defend against the escalating threat posed by AI-driven ransomware attacks.

Click here to read the NCSC's report.

EU lawmakers ratify political deal on artificial intelligence rules

The European AI Act has been ratified as a provisional agreement by two key groups of lawmakers in the European Parliament ahead of a vote by the legislative assembly in April. The AI Act aims to set guidelines for AI technology used across multiple industries, from cars, to airline, to police services.

The legislation will also regulate foundational or generative artificial intelligence (AI) models, such as Microsoft-backed OpenAI. However, Big Tech firms remain concerned about the ambiguous language in some of the Act's requirements and the impact it may have on innovation.

The UK Government has recently confirmed that it is currently not intending to regulate AI specifically and will devolve responsibility to existing regulators.

Click here to read the full Thompson Reuters article.

Global Operation Disrupts LockBit Ransomware Group

In a coordinated effort led by international law enforcement agencies, a major operation claims to have caused a significant blow to the notorious LockBit ransomware group. The operation, dubbed "Operation Cronos", involved collaboration between the UK's National Crime Agency, the Federal Bureau of Investigation, Europol, and several other countries' authorities.

LockBit, is believed to be one of the world's largest criminal ransomware groups, whose activities have had far-reaching consequences, with high-profile attacks, including the UK's Royal Mail in January 2023.

Operation Cronos seized control of LockBit's infrastructure, including servers containing victim data, its leak site, communication servers, and file-share servers. Additionally, 11,000 domains associated with LockBit and its affiliates were seized.

The operation also resulted in the arrest of two LockBit actors in Poland and Ukraine, as well as the issuance of three international arrest warrants and five indictments by French and US authorities. One of the most significant achievements of Operation Cronos was the retrieval of decryption keys, allowing global law enforcement agencies to develop tools to recover files encrypted by LockBit ransomware.

However, cybersecurity experts remain cautious about the long-term impact of the takedown. While the operation might have dealt a blow to LockBit, the group has shown resilience in the past, and appears to be still functioning to at least some degree.  We have advised on ransomware claimed to be LockBit after the takedown and understand that the LockBit leak site is back up on the dark web. 

Click here, here and here to read news articles by the BBC, Infosecurity Magazine and the Insurance Journal respectively.  

ICO Greenlights Legal Services Certification Scheme

The Information Commissioner’s Office (ICO) has given the green light to a new certification scheme tailored for legal service providers tasked with processing personal data. This move, introduced under the UK GDPR, aims to improve data protection standards and enhance trust among consumers.

Emily Keaney, ICO Deputy Commissioner, highlights the significance of such schemes in ensuring adherence to data protection standards, particularly for entities like law firms and barristers’ chambers which can handle large amounts of sensitive personal data.

According to Keaney, participation in the certification scheme provides legal service providers with assurance of their commitment to data protection principles, streamlining the assessment process for third-party data processors. Additionally, it offers clients peace of mind, demonstrating a firm’s dedication to safeguarding their personal information and upholding robust information security practices.

The newly approved scheme marks the fifth set of UK GDPR certification criteria approved by the ICO. In summary, firms will need to comply with the following requirements:

• Develop and implement a comprehensive data protection training program for all staff, overseen by the Data Protection Officer (DPO).
• Establish procedures for handling complaints and conduct regular data protection audits, taking corrective actions as needed.
• Assess risks and implement measures to protect data in all processing activities, maintaining a register of risks and measures.
• Conduct Data Protection Impact Assessments (DPIA) before processing high-risk data, documenting assessments and regularly reviewing them.
• Document policies for all data processing activities, ensuring they follow a standard format, are easily accessible and are regularly updated using a change control policy.

Click here to read the ICO's statement.

Solicitor fined for failing to spot Friday afternoon cyber fraud

A solicitor agreed to pay £26,000 in fines and costs following orders by the Solicitors Disciplinary Tribunal (SDT) for failure to verify a clearly suspicious change of bank details of a client, which amounted to a payment diversion fraud. The solicitor also failed to inform their client of the payment diversion fraud promptly.

The incident involved interception of a conveyancing transaction email change by a subtle email address change. The payment diversion fraud involved £290,000 being transferred to a fraudulent account with the bank raising concerns about the recipient account two weeks later. The solicitor only became aware of the incident at this point.

Emphasising prevention, the SRA advises solicitors to train staff, educate clients, verify contact details and promptly report suspicious transactions.

Click here to read the full Law Society article. 

NCSC publishes vulnerability management guidance

The National Cyber Security Centre (NCSC) has published guidance on vulnerability management. The NCSC points out that all systems contain vulnerabilities which may take the form of a configuration issue for system administrators to resolve, software defects to be resolved by a vendor update, or a vulnerability which the vendor is unaware exists. The NCSC suggests that vulnerability management should be seen as a process to assess how well an organisation’s software update process and security controls are performing.

The guidance sets out five principles to help organisations create an efficient vulnerability management process:

1. Policy to apply updates by default, preferably automatically
2. Identify what systems and software are in place
3. Triaging and prioritising vulnerabilities
4. Take responsibility for risks of not updating
5. Verify and regularly review vulnerability management processes

Click here to read the full guidance.

The Growing Threat of Cyberattacks in the Automotive Industry: Protecting EV Charging Networks

Recent findings from cybersecurity firm Upstream reveal a surprising 295 cybersecurity incidents in the automotive and mobility sector in 2023 alone. Most of these attacks were orchestrated by malicious actors, posing a significant threat to the security of mobility assets worldwide.

The rise of electric vehicles (EVs) has further compounded these risks, as modern vehicles, especially those with electric drivetrains, increasingly rely on software-driven systems, leaving them susceptible to a new wave of cyber threats.

Michael Austin, Senior Research Analyst for EVs and Mobility at Guidehouse Insights, highlights the disruptive nature of car hacks, emphasising that even minor incidents could have profound impacts on individuals’ lives.

In a recent development, concerns have been raised about the security of EV charging networks. The Office for Product Safety and Standards in Britain issued a warning regarding the vulnerability of an internet-connected home EV charger, which, if abused, could disrupt the UK's critical national infrastructure.

Richard Breavington, Partner and head of the Cyber and Tech insurance team at RPC, emphasises the need for a holistic approach to cybersecurity. He explains, “Today’s story highlights that cybersecurity vulnerabilities are not always localised to computers and software,” highlighting the necessity of comprehensive cybersecurity strategies that encompass all aspects of automotive technology.

Click here to read the Autoweek news article.