Cyber_Bytes - Issue 52
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
Russia-linked hackers a threat to UK infrastructure
Oliver Dowden, a minister in the Cabinet Office, has warned that Russia-aligned hackers are seeking to "disrupt or destroy" Britain's critical national infrastructure. The head of the National Cyber Security Centre (NCSC), Lindsey Cameron, has raised similar concerns, warning that the UK is not doing enough to protect its infrastructure from cyber threats.
The NCSC has issued an official threat alert to critical businesses, warning of the unpredictability of independent hackers who are "not subject to formal state control" and are primarily ideologically motivated, as opposed to seeking financial gain.
With a significant rise in cyber activity across Ukraine following the ongoing conflict with Russia, UK government agencies are preparing for a scenario where threat actors look to expand their efforts outside of the region. In response to these emerging threats, UK policymakers are considering plans to introduce cyber resilience targets for critical sectors such as UK energy and water suppliers as well as bringing private sector businesses working on critical infrastructure into the scope of resilience regulations.
Following recent malware attacks such as the 2017 NotPetya virus which infiltrated IT systems across more than 60 countries, governments across the globe must remain increasingly vigilant of emerging cyber threats.
Click here to read the BBC news article.
Royal Mail Ransomware Negotiation Analysis
Cyber security consultants, STORM Guidance have produced a detailed report analysing the negotiation transcript released by LockBit in the wake of its ransomware attack on Royal Mail International (Royal Mail). The attack caused a notable outage and delays across the UK. The key findings from the transcript revolve around the lack of formal negotiation techniques used by those negotiating on behalf of Royal Mail as well as the emotiveness of the negotiators.
LockBit's release of the Royal Mail ransom transcript is likely a retaliatory attempt to cause Royal Mail as much damage as possible. This is following what STORM Guidance refer to as the potentially "antagonising" approach taken in the negotiation. Reducing the risk of antagonising can be achieved through short, polite, and specific posts with careful wording and attention to posting cadence.
STORM have issued a warning to companies engaging negotiators when faced with a ransomware attack as many providers of ransomware negotiation services are not formally trained. This could pose a risk. An untrained ransom negotiator might potentially make mistakes that result in unnecessary loss such as the early release of breached data or the victim being exposed to further attacks by an antagonised threat actor.
Click here to read STORM's article. You can then download the full report by following the simple instructions on STORM's website.
Ransomware Driving SOC Modernization Requirements
A new global research study has explored the direct impact of ransomware threats on the investment decisions of organisations regarding their Security Operations Centres (SOCs). The report follows a global survey of 1,203 security professionals from eight countries across a dozen industries.
More than 58% of respondents said that their SOC spends a large proportion of its time responding to ransomware and supply chain attacks. With a rise in ransomware threats increasing the need for automation across the sector, many respondents are now focusing their efforts on leveraging industry-leading detection, prevention, visibility, and automation technologies. The report proposes that modernisation in the realm of SOCs will be focused across specific areas such as deploying new detection capabilities with better efficacy and looking for ways to augment staffing by contracting for managed services.
Managed Detection and Response (MDR) services have been earmarked as a key tool for the future, helping to remove the burden and arduous process of alert triaging and prioritization which in turn gives time back to security teams to conduct remediation and focus on other priorities.
Click here to read the full Cybereason report.
Windows zero-day vulnerability exploited in ransomware attacks
Tech giant Microsoft has issued a software update remedying a zero-day vulnerability in the Windows Common Log File System (CLFS). The vulnerability was being actively exploited by cybercriminals to escalate privileges and deploy ransomware payloads.
Security researchers warned that the Nokoyawa ransomware gang has used other exploits targeting the CLFS driver since June 2022, with similar yet distinct characteristics, linking them all to a single exploit developer. Industries targeted by the threat actors include retail and wholesale, energy, manufacturing, healthcare, and software development. The use of zero-day attacks by cybercrime groups illustrates their growing sophistication. Organisations should remain alert and ensure that their systems are running the most up-to-date software versions.
Click here to read the full Bleeping Computer post.
Study shows how fast AI can crack passwords
Security experts have issued warnings over the security risks being posed by new generative AI services. Password Generative Adversarial Network (PassGAN) uses machine learning algorithms instead of having to run manual password analysis on leaked password databases. These PassGANs generate password guesses after autonomously learning the distribution of passwords by processing previous real-world security breaches.
In a recent study published by Home Security Heroes, PassGAN processed a list of over 150,000 credentials and was able to crack 51% of all common passwords in less than one minute, 65% in less than an hour, 71% in less than a day, and 81% in less than a month. With growing concerns amongst industry experts, Microsoft announced its new Security Co-pilot suite that will help security researchers protect against malicious use of modern technology.
The following key tips on password security remain more relevant than ever:
- Use at least 12 (and ideally 18+) characters or more, with upper and lowercase letters as well as numbers and symbols. All passwords with 18 characters that include both letters and numbers were found to be safe from AI cracking for now.
- Use non-SMS based two-factor authentication / multi-factor authentication.
- Use auto-generated passwords where possible.
- Refrain from re-using passwords across accounts.
- Refrain from using public Wi-Fi, especially for banking and similar accounts.
Finally, do not enter any of your real passwords if using an AI tool to test the strength of your own passwords. This follows wider concerns around inputted "prompts" remaining visible to server hosts.
Click here to read the full 9to5Mac article.
"Operation Cookie Monster": International police action seizes dark web market
International law enforcement agencies have seized a sprawling dark web marketplace referred to as "Genesis Market" (Genesis) in a multinational crackdown dubbed "Operation Cookie Monster." The site, which the U.S. Treasury believed to operate from Russia, was popular amongst cybercriminals. Domains belonging to the organisation have now been seized by the FBI, with around 120 arrests made and almost 100 pieces of "preventative activity."
Britain's National Crime Agency (NCA) has estimated that the service hosted around 80 million credentials and digital fingerprints stolen from more than 2 million people. Genesis specialised in the sale of digital products, with a particular focus on "browser fingerprints" harvested from computers infected with malicious software. These fingerprints often included credentials, cookies, internet protocol addresses and other browser or operating system details which criminals could use to bypass anti-fraud solutions such as multi-factor authentication or device fingerprinting.
The closure of this marketplace will likely contribute to a significant reduction in cybercriminal activity and highlights the need for continued international co-operation between countries in the fight against criminal cyber activity.
Click here to read the full Reuters article.