Search
Close this search box.

Become Cyber Safe – 7th September 2023

Table of Contents

[fusion_builder_container type=”flex” hundred_percent=”no” equal_height_columns=”no” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” parallax_speed=”0.3″ video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” border_style=”solid” margin_top=”1px” flex_align_items=”center” flex_justify_content=”flex-start”][fusion_builder_row][fusion_builder_column type=”1_1″ type=”1_1″ layout=”1_1″ background_position=”left top” border_style=”solid” border_position=”all” spacing=”yes” background_repeat=”no-repeat” margin_top=”0px” margin_bottom=”0px” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” center_content=”no” last=”true” hover_type=”none” first=”true” background_blend_mode=”overlay” min_height=”” link=””][fusion_text]

Welcome to the latest edition of the Cyber Safe Cyber Threats Updates, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, and malware including Ransomware, to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Electoral Commission failed basic security test before hack

In a recent development, it has been revealed that the UK’s Electoral Commission failed a fundamental cyber-security test around the same time hackers gained unauthorised access to its systems. Here’s a concise overview of the situation:

The Cyber Essentials Audit

A whistleblower disclosed that the Electoral Commission received an automatic fail during a Cyber Essentials audit (which Neuways always offer), a government-backed initiative to promote essential cyber-security best practices.

Audit Failures

The Commission encountered several issues during the audit in 2021, including the use of outdated and potentially insecure software on staff laptops and the use of unsupported iPhones for email communication.

Potential Impact on the Hack

While it’s not confirmed whether these security lapses directly facilitated the hacking, experts suggest they could have played a role. Regardless, the failures highlight weaknesses in the Commission’s overall cyber-security posture.

Ongoing Investigations

The Information Commissioner’s Office (ICO) is investigating the cyber-attack urgently. The hack exposed sensitive data from the electoral register, raising privacy concerns.

Commitment to Improvement

The Electoral Commission stated that it did not apply for Cyber Essentials certification in 2022 but remains committed to enhancing its cyber-security in collaboration with the National Cyber Security Centre.

In conclusion, the Electoral Commission’s failure in a basic cyber-security audit during the hacking incident raises significant concerns about data security and governance. Ongoing investigations will provide more insights into the breach’s implications for UK voter privacy and electoral integrity.

Source: https://www.bbc.co.uk/news/technology-66709556


Massive MOVEit Breach Impacts Over 1,000 Organisations and 60 Million Individuals Worldwide

In a shocking cyber attack that sent shockwaves across the globe, Russia’s notorious Cl0p gang exploited a zero-day SQL injection vulnerability to breach Progress Software’s MOVEit Transfer app on May 27, 2023. The fallout from this breach has left over 1,000 organisations and approximately 60 million individuals in its wake, with the UK being significantly affected among other nations.

The UK’s Brush with the MOVEit Breach

One of the first victims to fall prey to this cyber onslaught was Zellis, a prominent payroll services provider with a high-profile clientele that included British Airways, the BBC, and Aer Lingus. Unfortunately, these renowned organisations could not evade the data breaches unleashed by Cl0p’s malicious attack.

As the days unfolded, it became evident that this breach had far-reaching consequences, extending beyond borders and industries. Multinational corporations, educational institutions, financial service providers, and even government entities were among the victims. Organisations such as Shell, Ernst & Young, and Johns Hopkins University grappled with the breach’s aftermath.

A Global Menace

However, the initial list of victims was only the tip of the iceberg. Cl0p announced that it had plundered data from “hundreds of companies” and wielded the threat of exposing sensitive information unless a ransom was paid. True to their word, the gang initiated data leaks on their dark web portal on June 14, with more leaks following in the subsequent weeks.

The enormity of this breach is now confirmed, impacting over 1,000 organisations and a staggering 60 million individuals worldwide. It’s important to note that there may be some overlap among affected individuals.

Supply-Chain Cyber Security Challenges

Progress Software has faced the daunting task of mitigating the damage and fortifying its system against future attacks. Yet, zero-day vulnerabilities make them particularly challenging to defend against. The company has acted swiftly to patch the exploited vulnerability and identify other critical weaknesses in MOVEit Transfer.

However, this incident underscores the grim reality that organisations must acknowledge—security risks in information technology are almost inevitable, especially when third parties are involved. Recent research reveals that over 60% of US businesses have experienced a software supply chain threat in the past year.

Furthermore, supply-chain compromises, where data breaches originate through attacks on business partners, are even more severe than direct attacks. According to IBM’s Cost of a Data Breach Report 2023, business partner supply chain compromises cost 11.8% more and take 12.8% longer to identify and contain than other types of breaches.

Mitigating Risks with ISO 27001

While risks may be inevitable, they can be mitigated. The international standard for information security management, ISO 27001, offers a risk-based approach to information security that can be employed to secure an entire supply chain. This approach can provide organisations with valuable tools to protect their data and minimise the impact of potential breaches.

In these turbulent times of escalating cyber threats, organisations, both in the UK and worldwide, must prioritise robust security measures and adhere to international standards to safeguard sensitive information and maintain the trust of their stakeholders.

Source: https://www.itgovernanceusa.com/blog/moveit-breach-over-1000-organizations-and-60-million-individuals-affected

Outdated Windows 7 PC Breach Exposes UK Military Data: Lessons in Cybersecurity Vigilance


A recent cyber security incident affected the United Kingdom, attackers gained access to sensitive military data through a surprising entry point: a Windows 7 PC belonging to a high-security fencing firm, Wolverhampton-based Zaun. While the breach didn’t result in the theft of classified information, it raises serious concerns about the security of critical infrastructure and the importance of keeping software and hardware up to date.

The breach, which occurred in early August 2023, was orchestrated by the LockBit Ransom group. Although Zaun asserted that no classified documents were stored or compromised on the system, the attackers could exfiltrate approximately 10GB of data, some of which has been published on the Dark Web.

Zaun, a supplier specialising in high-security perimeter fencing, is approved for government use through the Centre for the Protection of National Infrastructure (CPNI). This incident is a stark reminder to all enterprises and organisations about the importance of maintaining security throughout their supply chains, no matter how obscure the connection may seem.

The attack targeted a Windows 7 PC used to run software for one of Zaun’s manufacturing machines. Windows 7, released in 2009, had its extended support discontinued in 2023. This highlights the significance of keeping both software and hardware up to date to mitigate cybersecurity risks.

In response to the breach, Zaun promptly notified the National Cyber Security Centre (NCSC) and the UK’s Information Commissioner’s Office (ICO), demonstrating a commitment to transparency and cooperation in addressing cybersecurity incidents.

This incident is a cautionary tale for organisations across the UK and beyond. It underscores the need for robust cyber security measures, including regular software and hardware updates, threat monitoring, and proactive risk management. As cyber threats evolve, vigilance remains paramount to safeguarding sensitive data and national security.

Source: https://www.theregister.com/2023/09/04/zaun_breach_windows_7/

Beware of ULEZ Scams: Dodgy Websites Target UK Drivers Paying Charges

In recent weeks, UK drivers have been put on high alert as scams related to the Ultra Low Emission Zone (ULEZ) have come to light. Which?, a leading consumer organisation, has uncovered a series of unofficial websites that are tricking unsuspecting drivers into paying unnecessary charges. This is a concerning issue that requires vigilance and awareness from all motorists.

The ULEZ Scam Epidemic

Which? has issued a stern warning to drivers, cautioning them to avoid ULEZ scams that prey on individuals attempting to pay the ULEZ charges. This revelation comes hot on the heels of a previous warning about rogue advertisers exploiting Google to deceive people seeking to pay for parking online.

The Mayor of London, Sadiq Khan, clarified that Transport for London (TfL) is not affiliated with third-party websites accepting ULEZ payments. TfL collaborates with search engine companies like Google to eliminate unofficial websites from their listings.

Identifying Unofficial ULEZ Websites

Drivers must exercise caution when paying ULEZ charges online. One victim reported paying to a company named ‘Ulezpayservice,’ mistakenly believing it to be the official TfL website. After providing personal and financial information, they discovered that ‘Ulezpayservice’ had taken £17.50 from their account and had set up a continuous payment authority, allowing them to accept recurring payments.

The official ULEZ charge, as established by TfL, is £12.50. It’s crucial to avoid falling victim to these fraudulent websites.

Dodgy ULEZ Payment Sites on Google

One concerning aspect of this issue is the prevalence of dodgy websites advertising on Google. These misleading sites often appear at the top of search results when individuals attempt to pay for parking or ULEZ charges.

Which? uncovered two identical websites, ‘ulez.emission[dot]london’ and ’emissioncharge[dot]london,’ when searching for ‘pay for ULEZ’ or ‘ULEZ.’ These advertisements consistently appear above the official TfL website, potentially confusing unsuspecting drivers. Both adverts have been reported to Google.

Other deceptive websites, such as ’emissioncharge[dot]uk’ and ‘ulezpayservice[dot]uk,’ were also identified. These websites, which reference themselves as “Ulezpayservice,” have received numerous negative reviews on Trustpilot, with claims that they do not transfer payments to TfL.

Google Takes Action

Upon flagging these ads to Google, the tech giant confirmed that it has taken measures to address the issue. Google maintains strict policies governing the types of ads and advertisers on its platforms, and any ads violating these policies are promptly removed.

TfL emphasised that payments for road user charging schemes should only be made through the official TfL website. Unfortunately, internet search engines do not consistently prioritise the official TfL webpage in their search results, leading users to unofficial payment sites that may overcharge.

Denial from ULEZ Payment Websites

In response to concerns raised by Which?, the companies operating these dubious websites denied setting up recurring payments. They asserted that all prices are one-off and processed through their payment provider, Stripe. Customers must provide their vehicle registration details and travel dates and agree to a disclaimer confirming that they are paying a third party.

Stay Vigilant and Informed

As these ULEZ scams persist, UK drivers must remain vigilant and informed. To avoid falling victim to fraudulent ULEZ payment websites, always use the official TfL website when making payments. Be cautious when clicking on online ads, especially when they appear above the official TfL site in search results.

The battle against these scams requires collaboration between consumers, authorities, and tech companies. Raising awareness and reporting suspicious websites are essential to protecting UK drivers from ULEZ-related fraud.

Source: https://www.which.co.uk/news/article/ulez-scams-drivers-targeted-by-dodgy-websites-when-paying-charges-ayYsE3A2kKd3?

——————————————————————————————————————————

Contact Neuways to help your business become

Cyber Safe

If you need any assistance with cyber security assistance, then please contact Neuways and we will help you where we can. Just get in touch with our team today.

[/fusion_text][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]

Want to keep up with our blog?

Get our most valuable tips right inside your inbox, once per month!

Latest IT News & Insights
Work Password Example - why you need a password manager
The most hacked passwords in 2024 and how to protect yourself
These are the most hacked passwords in 2024, learn today how you can protect your business and foster...
Read More
Early patching in Cyber Security
The Importance of Early Patching
Combat against cyber threats with early patching in cyber security.
Read More
Zero Patch updates - Cyber security vulnerability spotted - Neuways urge businesses to act.
Biggest Microsoft Patch Tuesday in years fixes four zero-days, five critical bugs
Discover how the latest Microsoft Patch Tuesday update addresses 142 vulnerabilities, including four...
Read More
Cyber security offered by Neuways in Derby
Businesses pressing ahead with AI regardless of Concerns
Businesses are ignoring concerns re: AI for data tracking. Neuways advise on how to foster a cyber security...
Read More
Cybersafe
What is Credential Stuffing and how can it affect your business?
Defend your business against credential stuffing attacks thanks to Managed Cyber Security services from...
Read More
Cyber secure culture within the business
6 ways to foster a Cyber Secure culture within your company
95% of cyber security issues traced to human error. Here is how to foster a cyber secure culture within...
Read More
Apple devices holding company data could be a security flaw in your business. Photo by Aurich Lawson.
Why it's important to control what apps go into devices that hold company data
If you supply employees with work devices holding company data, managers need to be able to control what...
Read More
Beware of Fake Free WiFi netowrks.
Beware of Fake Free WiFi Networks
Fake free WiFi networks allow cyber criminals to gain access and steal personal data. Use a secure WiFi...
Read More

Frequently Asked Questions

As a leading IT and technology provider, we offer three core services, all of which have additional add-ons. We offer Managed IT Support, Business Central implementation and consultation, as well as Managed Cyber Security. Call us on 01283 753333 if you are interested in any of our services.

Contact us

Support: 01283 753300

Business Development: 01283 753333

Purchasing: 01283 753322

Admin and Accounts: 01283 753311

Email: hello@neuways.com

Managed IT support is a comprehensive solution where an expert IT provider, like Neuways, handles your technology infrastructure. This includes proactive monitoring, maintenance, cyber security, and support.

Yes we do. Your business needs Cyber Security due to the increasing number of cyber threats that are affecting businesses in all industries. If your business has data and technology systems implemented, you will need Managed Cyber Security.

We can help you conduct Cyber Audits to assess whether your business would gain Cyber Essentials and Cyber Essentials Plus Certification. Our dedicated departments work with your team to assess how much work is required before you gain Cyber Essentials Plus certification. We will then provide advice and consultation on what aspects you need to change within your business before providing a quote on how we can assist your company become Cybersafe.

Yes we can. We have our own dedicated Microsoft Dynamics 365 Business Central teams who work to ensure that we can implement the right systems and solutions into your website that are absolute right for you. Our experienced business consultants have worked all over the world for organisations operating on a global scale. 

Exclaimer Pro is a dynamic email signature that helps clients to switch and change around email signatures so that clients are able to advertise different offers and brands to a variety of email recipients. Administrators can also manage user emails internally, meaning the user does not have to touch their own email signature.

We offer Managed Security Training to help employees spot email phishing attacks, spear phishing attacks and vishing attacks. We also help train clients on how to use the various pieces of software we provide to clients, like Exclaimer Pro, Business Central and Cybersafe software.

We are a Managed IT Support provider based in Derby, East Midlands. However, we cover so many areas including the whole of the UK, Europe, and America. We are always willing to travel and send our expert technicians to ensure you have the best experience. 

Got a question?

Reach out
& Connect

Please enable JavaScript in your browser to complete this form.
Name