Welcome to the latest edition of the Cyber Safe Cyber Threats Updates, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, and malware including Ransomware, to ensure you stay safe online.
Electoral Commission failed basic security test before hack
In a recent development, it has been revealed that the UK’s Electoral Commission failed a fundamental cyber-security test around the same time hackers gained unauthorised access to its systems. Here’s a concise overview of the situation:
The Cyber Essentials Audit
A whistleblower disclosed that the Electoral Commission received an automatic fail during a Cyber Essentials audit (which Neuways always offer), a government-backed initiative to promote essential cyber-security best practices.
Audit Failures
The Commission encountered several issues during the audit in 2021, including the use of outdated and potentially insecure software on staff laptops and the use of unsupported iPhones for email communication.
Potential Impact on the Hack
While it’s not confirmed whether these security lapses directly facilitated the hacking, experts suggest they could have played a role. Regardless, the failures highlight weaknesses in the Commission’s overall cyber-security posture.
Ongoing Investigations
The Information Commissioner’s Office (ICO) is investigating the cyber-attack urgently. The hack exposed sensitive data from the electoral register, raising privacy concerns.
Commitment to Improvement
The Electoral Commission stated that it did not apply for Cyber Essentials certification in 2022 but remains committed to enhancing its cyber-security in collaboration with the National Cyber Security Centre.
In conclusion, the Electoral Commission’s failure in a basic cyber-security audit during the hacking incident raises significant concerns about data security and governance. Ongoing investigations will provide more insights into the breach’s implications for UK voter privacy and electoral integrity.
Source: https://www.bbc.co.uk/news/technology-66709556
Massive MOVEit Breach Impacts Over 1,000 Organisations and 60 Million Individuals Worldwide
In a shocking cyber attack that sent shockwaves across the globe, Russia’s notorious Cl0p gang exploited a zero-day SQL injection vulnerability to breach Progress Software’s MOVEit Transfer app on May 27, 2023. The fallout from this breach has left over 1,000 organisations and approximately 60 million individuals in its wake, with the UK being significantly affected among other nations.
The UK’s Brush with the MOVEit Breach
One of the first victims to fall prey to this cyber onslaught was Zellis, a prominent payroll services provider with a high-profile clientele that included British Airways, the BBC, and Aer Lingus. Unfortunately, these renowned organisations could not evade the data breaches unleashed by Cl0p’s malicious attack.
As the days unfolded, it became evident that this breach had far-reaching consequences, extending beyond borders and industries. Multinational corporations, educational institutions, financial service providers, and even government entities were among the victims. Organisations such as Shell, Ernst & Young, and Johns Hopkins University grappled with the breach’s aftermath.
A Global Menace
However, the initial list of victims was only the tip of the iceberg. Cl0p announced that it had plundered data from “hundreds of companies” and wielded the threat of exposing sensitive information unless a ransom was paid. True to their word, the gang initiated data leaks on their dark web portal on June 14, with more leaks following in the subsequent weeks.
The enormity of this breach is now confirmed, impacting over 1,000 organisations and a staggering 60 million individuals worldwide. It’s important to note that there may be some overlap among affected individuals.
Supply-Chain Cyber Security Challenges
Progress Software has faced the daunting task of mitigating the damage and fortifying its system against future attacks. Yet, zero-day vulnerabilities make them particularly challenging to defend against. The company has acted swiftly to patch the exploited vulnerability and identify other critical weaknesses in MOVEit Transfer.
However, this incident underscores the grim reality that organisations must acknowledge—security risks in information technology are almost inevitable, especially when third parties are involved. Recent research reveals that over 60% of US businesses have experienced a software supply chain threat in the past year.
Furthermore, supply-chain compromises, where data breaches originate through attacks on business partners, are even more severe than direct attacks. According to IBM’s Cost of a Data Breach Report 2023, business partner supply chain compromises cost 11.8% more and take 12.8% longer to identify and contain than other types of breaches.
Mitigating Risks with ISO 27001
While risks may be inevitable, they can be mitigated. The international standard for information security management, ISO 27001, offers a risk-based approach to information security that can be employed to secure an entire supply chain. This approach can provide organisations with valuable tools to protect their data and minimise the impact of potential breaches.
In these turbulent times of escalating cyber threats, organisations, both in the UK and worldwide, must prioritise robust security measures and adhere to international standards to safeguard sensitive information and maintain the trust of their stakeholders.
Outdated Windows 7 PC Breach Exposes UK Military Data: Lessons in Cybersecurity Vigilance
A recent cyber security incident affected the United Kingdom, attackers gained access to sensitive military data through a surprising entry point: a Windows 7 PC belonging to a high-security fencing firm, Wolverhampton-based Zaun. While the breach didn’t result in the theft of classified information, it raises serious concerns about the security of critical infrastructure and the importance of keeping software and hardware up to date.
The breach, which occurred in early August 2023, was orchestrated by the LockBit Ransom group. Although Zaun asserted that no classified documents were stored or compromised on the system, the attackers could exfiltrate approximately 10GB of data, some of which has been published on the Dark Web.
Zaun, a supplier specialising in high-security perimeter fencing, is approved for government use through the Centre for the Protection of National Infrastructure (CPNI). This incident is a stark reminder to all enterprises and organisations about the importance of maintaining security throughout their supply chains, no matter how obscure the connection may seem.
The attack targeted a Windows 7 PC used to run software for one of Zaun’s manufacturing machines. Windows 7, released in 2009, had its extended support discontinued in 2023. This highlights the significance of keeping both software and hardware up to date to mitigate cybersecurity risks.
In response to the breach, Zaun promptly notified the National Cyber Security Centre (NCSC) and the UK’s Information Commissioner’s Office (ICO), demonstrating a commitment to transparency and cooperation in addressing cybersecurity incidents.
This incident is a cautionary tale for organisations across the UK and beyond. It underscores the need for robust cyber security measures, including regular software and hardware updates, threat monitoring, and proactive risk management. As cyber threats evolve, vigilance remains paramount to safeguarding sensitive data and national security.
Source: https://www.theregister.com/2023/09/04/zaun_breach_windows_7/
Beware of ULEZ Scams: Dodgy Websites Target UK Drivers Paying Charges
In recent weeks, UK drivers have been put on high alert as scams related to the Ultra Low Emission Zone (ULEZ) have come to light. Which?, a leading consumer organisation, has uncovered a series of unofficial websites that are tricking unsuspecting drivers into paying unnecessary charges. This is a concerning issue that requires vigilance and awareness from all motorists.
The ULEZ Scam Epidemic
Which? has issued a stern warning to drivers, cautioning them to avoid ULEZ scams that prey on individuals attempting to pay the ULEZ charges. This revelation comes hot on the heels of a previous warning about rogue advertisers exploiting Google to deceive people seeking to pay for parking online.
The Mayor of London, Sadiq Khan, clarified that Transport for London (TfL) is not affiliated with third-party websites accepting ULEZ payments. TfL collaborates with search engine companies like Google to eliminate unofficial websites from their listings.
Identifying Unofficial ULEZ Websites
Drivers must exercise caution when paying ULEZ charges online. One victim reported paying to a company named ‘Ulezpayservice,’ mistakenly believing it to be the official TfL website. After providing personal and financial information, they discovered that ‘Ulezpayservice’ had taken £17.50 from their account and had set up a continuous payment authority, allowing them to accept recurring payments.
The official ULEZ charge, as established by TfL, is £12.50. It’s crucial to avoid falling victim to these fraudulent websites.
Dodgy ULEZ Payment Sites on Google
One concerning aspect of this issue is the prevalence of dodgy websites advertising on Google. These misleading sites often appear at the top of search results when individuals attempt to pay for parking or ULEZ charges.
Which? uncovered two identical websites, ‘ulez.emission[dot]london’ and ’emissioncharge[dot]london,’ when searching for ‘pay for ULEZ’ or ‘ULEZ.’ These advertisements consistently appear above the official TfL website, potentially confusing unsuspecting drivers. Both adverts have been reported to Google.
Other deceptive websites, such as ’emissioncharge[dot]uk’ and ‘ulezpayservice[dot]uk,’ were also identified. These websites, which reference themselves as “Ulezpayservice,” have received numerous negative reviews on Trustpilot, with claims that they do not transfer payments to TfL.
Google Takes Action
Upon flagging these ads to Google, the tech giant confirmed that it has taken measures to address the issue. Google maintains strict policies governing the types of ads and advertisers on its platforms, and any ads violating these policies are promptly removed.
TfL emphasised that payments for road user charging schemes should only be made through the official TfL website. Unfortunately, internet search engines do not consistently prioritise the official TfL webpage in their search results, leading users to unofficial payment sites that may overcharge.
Denial from ULEZ Payment Websites
In response to concerns raised by Which?, the companies operating these dubious websites denied setting up recurring payments. They asserted that all prices are one-off and processed through their payment provider, Stripe. Customers must provide their vehicle registration details and travel dates and agree to a disclaimer confirming that they are paying a third party.
Stay Vigilant and Informed
As these ULEZ scams persist, UK drivers must remain vigilant and informed. To avoid falling victim to fraudulent ULEZ payment websites, always use the official TfL website when making payments. Be cautious when clicking on online ads, especially when they appear above the official TfL site in search results.
The battle against these scams requires collaboration between consumers, authorities, and tech companies. Raising awareness and reporting suspicious websites are essential to protecting UK drivers from ULEZ-related fraud.
——————————————————————————————————————————
Contact Neuways to help your business become
Cyber Safe
If you need any assistance with cyber security assistance, then please contact Neuways and we will help you where we can. Just get in touch with our team today.
