Weekly Briefing. July 1 st 2016 NOT PROTECTIVELY MARKED

Transcription

1 Weekly Briefing July 1 st 2016

2 Current Threats Whaling attacks Advice Apocalypse Ransomware Advice Symantec Incident Reports - South West Ransomware - Chippenham Miscellaneous CiSP Cyber Crime Threats Shared

3 Whaling attacks The SWRCCU has recently identified an increase in the number of whaling attacks targeting companies in the region. A whaling attack is a type of spear-phishing attack and involves targeting high level executives, CEOs and CFOs with forged s asking for urgent payments. Usually the s are spoofed so that they appear to come from a trusted colleague or business partner. Last month a CEO of an Austrian aircraft parts manufacturer was sacked after losing the company 31million in a whaling attack (the CFO also lost their job). Spear-phishing attacks target all industries and are on the increase as cyber criminals use large databases of personal information and automated tools to personalise these s on a mass scale.

4 Whaling attacks To reduce the chances of becoming a victim of this type of offence please consider the following: Employee awareness Finance, payroll and human resources departments should be alert to these scams as nearly 50% target the CFO and 25% target HR inboxes. Messages often ask employees to keep things confidential and bypass normal approval channels employees should be suspicious if they receive a request for unusual information or wire transfer via . Practical steps Check the reply-to and return path address (in spoofed s this will differ from the from address and show the suspect s address). Always call to confirm the request with the requester. Follow/ establish policies relating to dual authorisation before large payments can be made.

5 Apocalypse Ransomware One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines. Apocalypse ransomware was first identified in May but has since evolved. It exploits weak passwords on insecurely configured Windows servers running the Remote Desktop Service. The SWRCCU have investigated attacks which have utilised RDP to gain access to networks. Through RDP the malware can brute force its way into a computer, while attackers can interact with the compromised system as if they had physical access to it. By infecting a system, the ransomware checks whether the default system language is set to Russian, Ukrainian or Belarusian, and terminates itself if it is. If not, the malware encrypts files and appends.securecrypted to the filename.

6 RDP Ransomware To reduce the chances of becoming a victim of this type of attack please consider the following: The most important line of defence is a proper password policy that is enforced for all user accounts with remote access to the system. Password policies should include things such as complexity, length, account lockout, and maximum password age. Use IP address based restrictions to allow access to these services from trusted networks only. Install and configure HIPS IDS and IPS systems can detect and prevent the communication attempts that the malware uses to create the public and private encryption keys required to encrypt the data. Disable Remote Desktop or Terminal Services completely if not required. Deploy and maintain a comprehensive backup solution this is the fastest way to regain access to your critical files. Backups should take place not only for files housed on a server, but also for files that reside locally on a workstation. If a dedicated piece of backup software is not an option, simply copying your important files to some sort of removable media and then removing that media from the system will provide a safeguard.

7 Symantec / Norton Vulnerabilities This week computer security company Symantec has patched eight security vulnerabilities discovered in its own security software. Researchers at Google s Project Zero informed Symantec of multiple critical vulnerabilities which they said were as bad as it gets. Symantec advise that fixes are currently in place, and updates are now available for customers to install. Advice It is recommended Symantec customers using products such as Norton Antivirus update their software as soon as possible in order to patch these vulnerabilities.

8 Ransomware Chippenham We have received a report of a ransomware attack affecting a school based in Chippenham. A demand of 2000 was requested for the data to be decrypted. Advice Make sure you have anti-virus software installed and ensure it is up-to-date and running in real time. Keep browsers, operating systems, Adobe and other applications up-to-date and patched against vulnerabilities. Backups are an absolute necessity in protecting your data. Back files up regularly, store the backups on external storage and physically disconnect the storage from the computer and network between backups. Ensure you verify the backups. There are many fake s with malicious attachments circulating the internet. If you receive an uninvited containing an attachment then do not open it unless you are sure of its origin. Beware of unsolicited s asking you to click on links. In the unfortunate case of infection, pull the plug on the computer and internet access. Do not pay the ransom as a first response - report to Action Fraud as soon as possible. The SWRCCU advises against the payment of ransom demands. This is for three reasons: - You are not guaranteed to get your data de-crypted. - Further extortion demands may follow. - It encourages further attacks against other victims.

9 CiSP - Cyber Crime Threats Shared The Cyber Security Information Sharing Partnership (CiSP), which is run by CERT- UK, is an information sharing platform used to share and publish cyber crime threat information. The aim of the platform is to allow members to take remedial action and modify their organisations to prevent cyber attacks. If you would like to join the CiSP then please sign up at and contact us as we can sponsor you. Our South West Regional node has now been launched and we welcome you to join our group. This is a place for all businesses and individuals based in the South West to share threat intelligence and updates surrounding cyber security.

10 This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction. If you know anyone else who would like to receive this, please send us their e- mail address and we will add them to the distribution list. If you would like to be removed from the list please send an to the address below to let us know. Any comments or queries please South West Regional Cyber Crime Unit at: