Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Energy Giant Shell Is Latest Victim of Accellion Attacks

Clop ransomware continues to bombard businesses of all shapes and sizes. The cyber criminals behind it have siphoned internal documents from the oil giant Shell and have publicly leaked some of the data to pressure the company into paying the ransom.

Had the ransom been paid on time, the gang’s offer was that the stolen documents would stay private. Instead, it has now uploaded a selection of them to its Tor-hidden leak site, including scans of employees’ US visas, a passport page, and files from Shell’s American and Hungarian offices.

Theft followed by intense pressure tactics is commonplace among cyber criminals, and the Clop gang in particular. Recently they have been pursuing organisations that deployed vulnerable versions of Accellion’s legacy File Transfer Appliance (FTA), exploiting the software to steal internal information. That campaign appears to be linked to this breach, as Shell has confirmed it uses Accellion FTA to transfer large data files.

Shell is not the only company affected. Businesses of various sizes in the IT, aerospace and marketing industries have been hit through the same Accellion vulnerability. In Shell’s case, the compromise appears limited to the documents held on the Accellion appliance rather than the business’ wider IT estate.

Accellion became aware of a zero-day vulnerability in the product in mid-December and scrambled to patch it. That first flaw was one of several zero-day bugs in the platform that Accellion discovered and patched after its customers came under attack. The problem is that many companies may still be running unpatched versions.

It is good practice to keep every system and piece of software a business uses fully patched at all times. Outside the Windows estate, where update tooling is mature, complete coverage is harder to achieve and usually requires manual updating of appliances and third-party software, so these should be inventoried and tracked. If your business relies on Accellion FTA or other external file-transfer services, such as WeTransfer, it may be time to consider alternative ways to share large files with colleagues. A platform such as SharePoint lets files and data be shared under the privileges and access controls already in place for colleagues: a Sales team can have its own shared folder, with each document reachable by a link as though it were a web address, giving access in seconds, rather than routing documents through an external transfer service that could be breached in future, as Shell and others have found out.

Microsoft vulnerabilities exploitation – updated advice


The National Cyber Security Centre has issued updated guidance on the recent Microsoft Exchange vulnerabilities. In early March 2021, Microsoft made public that sophisticated actors had attacked a number of on-premises Exchange servers, and released security updates for the affected versions. Exchange Online is not affected.

The updates were released ahead of the usual monthly update cycle because four of the seven vulnerabilities were already being used in ongoing attacks and needed an urgent fix. A wide variety of cyber criminal groups have since been using automated tools to scan for Exchange servers on which the updates are not installed. The web shells and other malicious software left on compromised servers have also been used by other groups, including ransomware operators, to install further malware on the network and exfiltrate company data.

The affected versions of Microsoft Exchange Server are:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

All UK organisations should update any affected versions of Microsoft Exchange Server immediately. If you are unsure about what version of Microsoft Exchange your business is running, please contact your Managed Service Provider as soon as possible.
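As an added example, not from the NCSC guidance or the original article, the PowerShell below, run from the Exchange Management Shell, lists the real build of every on-premises Exchange server and flags any that sit below the March 2021 patched build for its Cumulative Update. The check a practitioner wants here is that Get-ExchangeServer’s AdminDisplayVersion only changes when a Cumulative Update is installed, not when a Security Update is, so it cannot tell you whether the fix is on; the file version of ExSetup.exe does change, so the script reads that instead. The build table is taken from Microsoft’s March 2021 security update release notes and should be verified against the current advisory; WinRM access from the shell to each server is assumed.

```powershell
# Added example, not part of the original article or of Microsoft's own tooling.
# Run from the Exchange Management Shell. Assumes WinRM access to each server.
#
# Minimum patched builds per Cumulative Update, as published with the March 2021
# Exchange security updates. Verify against Microsoft's current advisory.
$PatchedBuilds = @{
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
}

function Get-ExSetupBuild {
    # AdminDisplayVersion does not move when a Security Update is applied, but the
    # file version of ExSetup.exe does, so read that from the server itself.
    param([Parameter(Mandatory)][string]$ComputerName)
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $exe).VersionInfo.FileVersion
    }
    [version]$raw
}

function Test-ExchangePatchLevel {
    param([hashtable]$MinimumBuilds = $PatchedBuilds)
    foreach ($server in Get-ExchangeServer) {
        $build = Get-ExSetupBuild -ComputerName $server.Name
        # The first three components identify the CU; the fourth is the SU level.
        $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
        $status = if (-not $MinimumBuilds.ContainsKey($cuKey)) {
            'UNKNOWN CU: compare against the advisory manually'
        } elseif ($build -lt $MinimumBuilds[$cuKey]) {
            'VULNERABLE: security update not installed'
        } else {
            'patched'
        }
        [pscustomobject]@{
            Server              = $server.Name
            AdminDisplayVersion = $server.AdminDisplayVersion
            ExSetupBuild        = $build
            Status              = $status
        }
    }
}

Test-ExchangePatchLevel | Format-Table -AutoSize
```

A server reported as UNKNOWN CU is on a Cumulative Update not in the table and needs to be brought to a supported CU before the security update can be applied. A server reported as patched has the update on, but that says nothing about whether it was compromised before the update was installed; that needs a separate check of the server itself.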

Employee Lockdown Stress May Spark Cybersecurity Risk

COVID-19 related lockdowns and remote working are believed to be two factors contributing to the rise in cyber attacks on businesses over the last 12 months, according to a survey of over 2,000 office workers in Germany and the UK that examined cyber security practices among remote workers. It found that younger employees, and people caring for children or other family members, reported more stress in their lives, which was linked to riskier IT behaviour.

For example, 67% of employees under 30 admitted to using shadow IT (unsanctioned apps, services and equipment) to perform certain tasks more easily, compared with just 27% of older workers. 55% of the younger group also reported making more mistakes when working from home, such as copying the wrong people into emails, compared with only 17% of the over-30s.

Nearly two-thirds of the younger group (63%) said that distractions while working from home hurt their decision-making, compared with 26% of older workers. Each of these points can become a security issue: shadow IT services may not meet the security standard of those the employer has sanctioned, and an email that reaches the wrong person outside the organisation is a data leak.

Stress also affects the productivity and availability of employees. 70% of younger employees have trouble focusing because of their stress level, compared with 29% of older workers, and 77% said they feel pressure to be available outside normal working hours, compared with fewer than half (46%) of older workers.

Businesses are advised to provide better emotional and personal support for their employees, many of whom may be under extreme stress at the moment. Better communication can reduce the isolation of lockdown and the lack of physical contact with colleagues, and with it the likelihood of mistakes and the temptation for some employees to use shadow IT to cut corners.

Insurance Giant CNA Hit with Novel Ransomware Attack

A new ransomware family, Phoenix CryptoLocker, has been used in a highly disruptive attack on the insurance giant CNA.

The novel ransomware forced the business to take systems offline and caused significant downtime, with network disruption affecting systems such as corporate email. Cryptolockers are a widely used type of ransomware that immediately encrypts files on the machines they reach and demands a ransom from victims in exchange for the means to unlock them.

The cyber criminals behind the activity are more than likely Evil Corp, which recently resurfaced after a short hiatus from criminal activity. The impact of the group’s latest attack was serious enough that the victim disconnected its network ‘out of caution’ and is currently providing workarounds so that employees can continue operating.

More than 15,000 devices on the network were encrypted, including those of employees working remotely who were logged on to the company’s VPN when the new ransomware was deployed. Encrypted files were given the .phoenix extension, and a ransom note named PHOENIX-HELP.txt was dropped alongside them.
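As an added example, not from the original article or from any vendor tooling, the PowerShell below sweeps file shares for the two indicators named above (the .phoenix extension and the PHOENIX-HELP.txt note) and summarises the hits per directory with the earliest write time, which helps an incident responder scope which hosts and folders were touched and in roughly what order. The share paths at the bottom are placeholders.

```powershell
# Added example, not from the original article. Sweeps one or more paths for the
# Phoenix indicators described above and reports where they cluster.
function Find-PhoenixIndicators {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Extensions = @('.phoenix'),          # extension appended to encrypted files
        [string[]]$NoteNames  = @('PHOENIX-HELP.txt')   # ransom note dropped per folder
    )
    # -Force picks up hidden files; -ErrorAction SilentlyContinue keeps the sweep
    # going past folders the scanning account cannot read (log those separately).
    $hits = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($Extensions -contains $_.Extension) -or ($NoteNames -contains $_.Name) }

    $hits | Group-Object -Property DirectoryName | ForEach-Object {
        $group     = $_
        $encrypted = @($group.Group | Where-Object { $Extensions -contains $_.Extension })
        $notes     = @($group.Group | Where-Object { $NoteNames -contains $_.Name })
        [pscustomobject]@{
            Directory      = $group.Name
            EncryptedFiles = $encrypted.Count
            RansomNotes    = $notes.Count
            # Earliest write time in the folder approximates when the encryptor reached it.
            FirstSeen      = ($group.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        }
    } | Sort-Object FirstSeen
}

# Placeholder paths: replace with the shares and volumes in scope.
Find-PhoenixIndicators -Path '\\fileserver01\Data', 'D:\Shares' | Format-Table -AutoSize
```

Run it from a clean host using a read-only account, and include the home drives of VPN-connected laptops in the scope, since the article notes that remote devices on the VPN were encrypted too. This is after-the-fact triage; it tells you where the encryptor reached, not how it got in.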

The affected business is aiming to restore its systems from backups rather than pay the ransom demanded by the attackers. A multi-layered Business Continuity and Disaster Recovery plan gives a business a level of comfort and safety if it falls victim to a ransomware attack such as Evil Corp’s: with secured, isolated backups, victims can regain access to their company data within an hour of an attack or an outage of any kind.


Microsoft: Firmware Attacks Outpacing Security Investments

Microsoft has reported that the surge in malicious attacks targeting firmware is outpacing the resources businesses allocate to defending against them.

80% of businesses reported at least one firmware attack in the past two years, but only 30% have allocated any budget to firmware protection.

Microsoft commissioned a study of 1,000 enterprise security decision-makers from around the world, and the results confirmed that the bulk of current cyber security spend goes on applying patches, vulnerability scanning and advanced threat protection products, all of which can miss signs of infection below the operating system.

Firmware is fertile ground for cyber criminals to plant malicious code, and the survey results show growing awareness among decision-makers of the need to address this type of attack.

Microsoft said: “Firmware is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Most devices don’t offer visibility into that level to ensure that attackers haven’t compromised a device prior to the boot process.

“Security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic, high-level work. Only 39% of security teams’ time is spent on prevention and they don’t see that changing within the next two years. The lack of proactive defence investment in kernel attack vectors is an example of this outdated model.”

Besides firmware attacks, Microsoft identified a lack of automation as another reason for the disconnect between threat activity levels and cyber security investment.

82% of those surveyed said they lack the resources for higher-impact security work because too much of their time goes on lower-yield manual tasks such as software patching, hardware upgrades and mitigating internal and external vulnerabilities.

Businesses should ensure their cyber security budgets are allocated where the risk actually is. Under-investing in an area such as firmware protection leaves an organisation open to attack. It is always worth checking with cyber security experts whether your budget is spread appropriately across the business, and whether further investment would make it safer.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.