Cyber_Bytes - Issue 55
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
Persistent Ransomware threats
Ransomware remains a persistent challenge for organisations despite the efforts of government agencies and cybersecurity professionals. In the first quarter of 2023, 838 organisations fell victim to ransomware attacks and were named on dark-web data-leak sites. Cyber professionals anticipate that ransomware attacks will continue to remain a key driver for cyber risk. This is due to the large financial gain which cybercriminals continue to reap from their relatively low efforts.
Reports suggest that the first quarter of 2023 saw a resurgence in the number of ransomware attacks. This was largely due to an increase in supply chain attacks, as cybercriminals pivot towards exploiting vulnerabilities in third-party vendors. This method enables threat actors to hit multiple targets in one attack (a form of cyber risk aggregation). It serves as an effective reminder that an organisation is only as secure as the weakest link in its supply chain.
Additionally, the enhanced organisation and resource management of cybercriminals means that they are continuously seeking out novel methods of refining their business models and techniques. This has led to the development of innovative ways to infiltrate systems and extort money from their victims. A good example of this is Ransomware-as-a-service (RaaS), whereby cybercriminals provide affiliated groups with all the technical advice and tools they need. Purchasers of these services are in turn supported by a host of ransomware attack services, including customer service hotlines, leak-websites, extortion negotiation and payment services. The average cost of a ransomware attack has reached the $4.5m mark in 2022, as per IBM’s Cost of a Data Breach Report.
Click here to read the Commercial Risk Online article.
Active Cyber Defence report published by the NCSC
The National Cyber Security Centre (NCSC) has produced its sixth annual report on findings from the Active Cyber Defence (ACD) programme. The report is part of the NCSC's commitment to transparency, and its aim to better understand the reality of cyber-attacks, as well as the efficacy of its products and services.
Despite the types of vulnerabilities being exploited by threat actors evolving over time, the NCSC's ACD initiatives continue to address enduring cyber security challenges. This is said to be achieved by sharing knowledge of threats, closing down vulnerabilities and responding to breaches. As the evolution of artificial intelligence continues to transform the landscape of cybersecurity, the NCSC is seeking to tackle challenges through increased automation. This is with a view towards generating the scale and reach required to tackle emerging cybersecurity threats.
Whilst ACD services were initially concentrated on building the cyber resilience of the public sector, the NCSC is now adopting a ‘whole of society’ approach. For example, its Early Warning service can now be accessed by all organisations. The service is designed to automatically inform an organisation of potential cyber attacks on their network, as soon as possible. Additionally, the NCSC is continuing its rollout of simple, free-to-use government services which can be used by organisations that might not have access to cyber security expertise.
Click here to read the NCSC's sixth annual report.
AI must have better Cyber Security according to CEO of the NCSC
Top cybersecurity officials have issued warnings surrounding the urgent need for cybersecurity to be built into AI systems. Implementing robust systems during the early stages of AI development will inevitably be key. Robert Hannigan, former head of the UK's GCHQ, has said that as the increasing automation of everyday activities grows in tandem with our dependence on AI, an attack on these AI-run systems could ultimately have a "devastating effect". For example, concerns have already emerged around the potential for AI systems to generate malicious code to hack into devices, write fake messages to be spread at a large scale across social media or formulate convincing emails in different languages for use in phishing attacks.
Experts are also fearful that companies who are competing to secure their position in a growing market will inevitably focus on getting their systems out for sale as fast as possible without considering the risks of misuse. Lindy Cameron, CEO of the NCSC, warned that "the scale and complexity of these models is such that if we don't apply the right basic principles as they are being developed in the early stages it will be much more difficult to retrofit security".
Whilst threat actors continue to seek out novel ways to utilise AI alongside malicious software to subvert traditional cybersecurity systems undetected, cybersecurity experts must correspondingly explore the potential use of AI in detecting these attacks.
Click here to read the BBC news article.
Microsoft to offer free cyber security tools following major hack
Microsoft is offering free cybersecurity tools to some government and commercial customers following criticism of the tech giant’s handling of a major hack that compromised US government email accounts. Coming under increasing pressure from US cybersecurity officials, Microsoft announced that it would provide free cloud security logs in the next few months.
Whilst these logs do not themselves prevent attacks, they can form a critical component of digital forensics and incident response in the aftermath of a cyber breach. Such logs help incident response teams to conduct more complete investigations which provide greater clarity around cyberattacks. This in turn contributes towards the improvement of systems aimed at thwarting future cyberattacks.
Lack of available logging has impacted high profile incidents in the past. For instance, a lack of logging was cited as complicating the investigation into the SolarWinds attack of 2020, which involved state-sponsored hackers installing malicious code in a software update from SolarWinds Corp to infiltrate US federal agencies and commercial companies.
Microsoft's usual business model has involved charging customers extra for access to these security logs. Microsoft's customer base and monopoly on data across the cybersecurity industry, means this decision will likely have a broad impact.
Click here to read the CNN news article.
Crimeware tool WormGPT: AI for BEC attacks
Cybercriminals have developed a generative AI tool called WormGPT designed to help grammatically challenged criminals craft convincing business email compromise (BEC) messages. The crimeware tool is being promoted across illicit online forums for use as a subscription-based model. The tools creators claim that the product has no ethical constraints and can be used to generate content for urgently soliciting funds from targeted victims as well as customisable malware code.
The FBI's Internet Crime Complaint Center reported a rise in BEC scams across 2022, totalling $2.7 billion in losses. This contrasts with figures of $2.4 billion in 2021 and $1.8 billion in 2020. According to Daniel Kelley, cybersecurity expert at SlashNext, the use of generative AI will help to democratise the execution of sophisticated BEC attacks. This will enable attackers with limited skills to use this technology and so broaden the existing spectrum of cybercriminals. Organisations should be alert to the trend of AI crimeware tools, which mimic human intelligence to complete illegal tasks.
Click here to read the full SC Media article.
London Borough found to misuse private information and breach the UK GDPR from accessing and sharing information about an individual's finances (Yae Bekoe v London Borough of Islington  EWHC 1668 (KB))
On 5 July 2023, a High Court awarded a Claimant, Mr Bekoe, £6,000 for misuse of private information and breach of the provisions of the UK GDPR.
The factual background to the claim was that in 2015, London Borough of Islington (the 'LBI') commenced possession proceedings against Mr Bekoe for possession of property belonging to his deceased neighbour. During these proceedings, LBI disclosed to the court evidence of Mr Bekoe's bank accounts, mortgage accounts and mortgage balances.
Mr Bekoe claimed that LBI had misused his private and confidential information and brought a claim against LBI for misuse of private information and breach of rights under the UK General Data Protection Regulation ("GDPR") as a result of significant delay in responding to a Subject Access Request and alleged destruction of his data by LBI.
The Judge upheld the claim and noted that Mr Bekoe had a reasonable expectation of privacy in relation to his financial details. It was held that LBI had misused Mr Bekoe's private information and breached several provisions of the UK GDPR.
Click here to read the full judgment.
Government and industry meet to progress the fight against fraud
A Joint Fraud Taskforce ('JFT') meeting took place on 11 July 2023 to consider tackling fraud and protect the public from scams, following the commitments made in the Fraud Strategy which was published on 3 May 2023.
Committee members discussed the growing volume of fraud originating on social media platforms and the development of an online fraud charter which will ensure that tech companies take action to block scams, make it easier to report frauds and ensure that fraudulent content is removed swiftly.
The development of a cross-government anti-fraud public awareness campaign was also on the agenda to consider the best way to streamline messages to the public in respect of fighting against fraud.
The security minister also called for tech firms to implement stronger measures to tackle fraud ahead of the Online Safety Bill.
Click here to read the Home Office news story.