September 2022 Newsletter

Posted By: Mark, Wednesday 12th October 2022

This month, we look at Advanced Persistent Threats; warn about Energy Bill Support phishing scams and the rise in credential stuffing; examine new security features in Windows 11; find out how a failed Holiday Inn ransomware attack turned vindictive; and discuss whether AI art is rendering human creatives obsolete.

The Rise Of Advanced Persistent Threats

Once the domain of nations targeting other nations, Advanced Persistent Threats (APT) are becoming more prevalent in the corporate business world, giving cybersecurity teams nightmares at the thought of an ongoing attack going undetected and stealing the company’s valuable information.

What is an Advanced Persistent Threat?

An Advanced Persistent Threat is a sophisticated and sustained cyberattack that occurs when an intruder gains unauthorised access to a computer network and establishes a long-term undetected presence to steal data over an extended period of time. While it has typically been the tactic of a nation state or state-sponsored group when attacking another nation, it is being seen more often as a major threat to businesses.

They are carefully planned and require a well-funded and experienced team of hackers to carry out such a stealthy and extended cyberattack under the radar of the target's security measures.

How Do Advanced Persistent Threats Begin?

Successful APT attacks can generally be divided into three stages: infiltration of the network, expansion of the presence/access, and then undetected extraction of accumulated data.

Crowdstrike goes into further detail:

Stage 1: Infiltration

In the first phase, advanced persistent threats often gain access through social engineering techniques. One indication of an APT is a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. Email attacks that target specific individuals are called “spear-phishing”.

The email may seem to come from a team member and include references to an ongoing project. If several executives report being duped by a spear-phishing attack, start looking for other signs of an APT.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion. They move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information.

They may also establish a “backdoor” – a scheme that allows them to sneak into the network later to conduct stealth operations. Additional entry points are often established to ensure that the attack can continue if a compromised point is discovered and closed.

Stage 3: Exfiltration

To prepare for the third phase, cybercriminals typically store stolen information in a secure location within the network until enough data has been collected. They then extract, or “exfiltrate” it without detection. They may use tactics like a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network can remain compromised, waiting for the thieves to return at any time.

Examples Of Advanced Persistent Threats

Some of the most well-known Advanced Persistent Threats include:

Stuxnet: A worm that attacked Iran's nuclear program back in 2010. Considered to be one of the most sophisticated pieces of malware ever detected.

GhostNet: A Chinese-linked APT discovered in 2009, found to have spread across more than 10 countries.

WickedPanda: One of the most prolific Chinese APT campaigns, active from the mid-2010s to the present.

CozyBear: A Russian-linked APT active from around 2008, with malware campaigns targeting the government, energy, science and tech sectors of various nations.

Reaper: An early-2010s North Korean-linked APT that targeted known software vulnerabilities.

There are many more and some are known by multiple names.

Defending Against Advanced Persistent Threats

Crowdstrike lists a number of solutions for helping to defend against the threat of APTs.

Sensor Coverage. Organizations must deploy capabilities that provide their defenders with full visibility across their environment to avoid blind spots that can become a safe haven for cyber threats.

Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected.

Service Provider. Partnering with a best-of-breed cybersecurity firm is a necessity. Should the unthinkable happen, organizations may require assistance responding to a sophisticated cyber threat.

A Web Application Firewall (WAF) is a security device designed to protect organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web application and the internet.

Threat Intelligence. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.

Threat Hunting. Many organizations will find the need for 24/7, managed, human-based threat hunting to accompany their cybersecurity technology already in place.

Effective cyber security measures should include things like email filtering, endpoint protection, access control and traffic/user monitoring.
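The "Technical Intelligence" point above is the one most teams can act on immediately: match indicators of compromise (IOCs) against the events already flowing into the SIEM, then correlate the hits so an analyst sees a campaign rather than isolated alerts. The example below is added here to show that loop end to end; it is not CrowdStrike's or LaneSystems' code. The IOC feed, the campaign name DEMO-APT-1, the hosts and the JSON log lines are all constructed for the demo (the addresses are RFC 5737 documentation ranges and the MD5 is a made-up value), and the two correlation rules (same campaign on two or more hosts; several indicator types on one host) are assumptions you would tune to your own environment.

```python
"""Enrich constructed log events with an IOC feed and correlate the hits.

Added example, not the page's or any vendor's code. Feed, hosts and log
lines are constructed; the indicator values are placeholders, not real IOCs.
"""
import json
from collections import defaultdict

# Constructed IOC feed: indicator -> metadata a SIEM would attach on match.
IOC_FEED = {
    "203.0.113.42": {"type": "ipv4", "campaign": "DEMO-APT-1", "confidence": 90},
    "update-cdn.example.invalid": {"type": "domain", "campaign": "DEMO-APT-1", "confidence": 80},
    "00112233445566778899aabbccddeeff": {"type": "md5", "campaign": "DEMO-APT-1", "confidence": 95},
}

# Constructed events as JSON lines, the shape a log shipper might deliver.
SAMPLE_LOGS = """\
{"ts":"2022-09-01T08:02:11Z","host":"ws-017","event":"dns","query":"Update-CDN.example.invalid"}
{"ts":"2022-09-01T08:02:12Z","host":"ws-017","event":"conn","dst_ip":"203.0.113.42","dst_port":443}
{"ts":"2022-09-01T08:05:40Z","host":"ws-017","event":"file","md5":"00112233445566778899AABBCCDDEEFF","path":"C:/Users/a/AppData/Local/Temp/svc.exe"}
{"ts":"2022-09-01T09:10:03Z","host":"srv-db-02","event":"conn","dst_ip":"203.0.113.42","dst_port":443}
{"ts":"2022-09-01T09:11:15Z","host":"ws-040","event":"dns","query":"www.example.com"}
"""

# Event fields whose values are worth comparing against the feed.
INDICATOR_FIELDS = ("query", "dst_ip", "src_ip", "md5", "sha256")


def enrich_event(event):
    """Return a copy of the event with an 'ioc' key when an indicator field matches the feed."""
    enriched = dict(event)
    for field in INDICATOR_FIELDS:
        value = event.get(field)
        if value is None:
            continue
        # Normalise case so mixed-case domains and hashes still match the feed.
        hit = IOC_FEED.get(str(value).lower())
        if hit:
            enriched["ioc"] = {"indicator": value, "field": field, **hit}
            break
    return enriched


def enrich_logs(raw):
    """Parse JSON lines and enrich each one; malformed lines are kept as parse_error events."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(enrich_event(json.loads(line)))
        except json.JSONDecodeError:
            events.append({"event": "parse_error", "raw": line})
    return events


def correlate(events):
    """Group IOC hits by campaign: which hosts were touched and which indicator types each host hit."""
    by_campaign = defaultdict(lambda: {"hosts": set(), "types_by_host": defaultdict(set)})
    for ev in events:
        ioc = ev.get("ioc")
        if not ioc:
            continue
        camp = by_campaign[ioc["campaign"]]
        camp["hosts"].add(ev["host"])
        camp["types_by_host"][ev["host"]].add(ioc["type"])
    return by_campaign


def findings(events):
    """Turn correlated hits into the alerts an analyst would want raised (rules are assumptions)."""
    out = []
    for campaign, data in correlate(events).items():
        if len(data["hosts"]) >= 2:
            hosts = ", ".join(sorted(data["hosts"]))
            out.append(f"{campaign}: indicators seen on {len(data['hosts'])} hosts ({hosts}); check for lateral movement")
        for host, types in sorted(data["types_by_host"].items()):
            if len(types) >= 2:
                kinds = ", ".join(sorted(types))
                out.append(f"{campaign}: {host} matched {len(types)} indicator types ({kinds}); likely a full intrusion chain, not a lone false positive")
    return out


if __name__ == "__main__":
    for line in findings(enrich_logs(SAMPLE_LOGS)):
        print(line)
```

Run stand-alone it prints two findings: the campaign's indicators appear on both ws-017 and srv-db-02, and ws-017 alone hit a domain, an IP and a file hash. Two hosts talking to the same infrastructure is the "expansion" stage described above showing up in the logs, which is why the correlation step matters more than the raw match count.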

Even when an Advanced Persistent Threat is discovered and the immediate threat seems to have been nipped in the bud, there's always the possibility that hackers have left backdoors in your system that they can use to return at a later date. Traditional basic cyber defences, such as antivirus software or a standard firewall, won't necessarily protect against these types of attacks.

LaneSystems offers a range of cyber security services to keep your business safe. If you’re a company in the North East of England, get in touch today to protect your precious systems and data.


Energy Bill Support Phishing Scams

As the cost of energy rises to crisis levels for many in the UK, the opportunity has grown for cyber-criminals looking to take advantage of the search for financial help and a cheaper deal.

Phishing & Smishing Campaigns

A spate of phishing text messages and emails is currently in circulation, purporting to be from the likes of the regulator Ofgem and offering ways to quickly claim the £400 energy rebate in return for entering your bank details. The scammers are also offering special discount tariffs, or claiming to be the government and giving out £200,000 to random eligible people such as pensioners, the disabled, or those on low incomes.

Phishing For Your Personal Information

These phishing and smishing messages direct people towards fake websites to enter personal details, and also attempt to convince people to set up direct debits for receiving the payments.

Citizens Advice is reporting that millions more people have been targeted by scammers as the general cost-of-living crisis takes hold. They have found that more than three-quarters of surveyed adults in the UK say they’ve been targeted by a scammer this year – a 14% increase compared to this time last year.

Citizens Advice and the Consumer Protection Partnership have launched their annual Scams Awareness campaign to help people protect themselves from opportunistic scammers.

Don’t Respond To Phishing & Smishing Messages

Ofgem is warning people not to give out any personal details in order to claim the rebate, as the money will be applied automatically. Ofgem has also asked energy suppliers to be clearer about potential customer fraud on their websites.

An Ofgem spokesperson said: “It is alarming that vulnerable customers are being preyed upon in this way when people are already struggling so much.”

As we warn every month, be alert for any suspicious correspondence in your texts and emails. If there are any doubts about the contents of a message, don't reply to it or use the numbers or addresses provided in it. Get in touch directly with the organisation it claims to be from, using the details provided on their official website.

It’s always worth noting that banks and other official government sources will never ask you to supply personal information via email or text.

Ofgem recommends reporting the scam to Action Fraud, the reporting centre for fraud and cyber-crime in England, Wales and Northern Ireland. In Scotland, contact Police Scotland on 101.

If you have given any of your personal information like your bank details, contact your bank immediately for help.


Credential Stuffing On The Rise

This month, Bleeping Computer reported that credential stuffing attacks became so prevalent in the first quarter of 2022 that, in some countries, their traffic surpassed that of legitimate login attempts from normal users.

What Is Credential Stuffing?

Credential Stuffing is a cyber attack where user credentials, or login information, taken from a data breach of one service are then used on other unrelated websites, apps, and online services to gain access to those accounts.

This type of attack takes advantage of the commonplace practice of "password recycling", where people use the same username/email address and password combination to access multiple sites. The attacks are carried out using bots to scale the attempts quickly across many login targets.
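The bot-driven pattern described above leaves a distinctive footprint in authentication logs: one source address cycling through many different usernames in a short window, with almost every attempt failing. The example below is added here to show a simple detector for that footprint; it is not code from Bleeping Computer, Okta or LaneSystems. The log lines and user names are constructed, the source addresses are RFC 5737 documentation ranges, and the window length and thresholds are assumptions to be tuned against your own traffic.

```python
"""Flag credential-stuffing runs in constructed authentication logs.

Added example, not the page's code. Log lines are constructed; thresholds
(WINDOW, MIN_DISTINCT_USERS, MIN_FAILURE_RATIO) are assumptions to tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: timestamp, source IP, username tried, result.
# 198.51.100.7 cycles through eight accounts in five seconds (stuffing);
# 203.0.113.9 is one person mistyping their own password, then succeeding.
SAMPLE_AUTH_LOG = """\
2022-09-05T10:00:01Z 198.51.100.7 alice@example.com FAIL
2022-09-05T10:00:02Z 198.51.100.7 bob@example.com FAIL
2022-09-05T10:00:02Z 198.51.100.7 carol@example.com FAIL
2022-09-05T10:00:03Z 198.51.100.7 dave@example.com OK
2022-09-05T10:00:03Z 198.51.100.7 erin@example.com FAIL
2022-09-05T10:00:04Z 198.51.100.7 frank@example.com FAIL
2022-09-05T10:00:04Z 198.51.100.7 grace@example.com FAIL
2022-09-05T10:00:05Z 198.51.100.7 heidi@example.com FAIL
2022-09-05T10:01:10Z 203.0.113.9 ivan@example.com FAIL
2022-09-05T10:01:30Z 203.0.113.9 ivan@example.com FAIL
2022-09-05T10:02:05Z 203.0.113.9 ivan@example.com OK
"""

WINDOW = timedelta(seconds=60)   # assumption: sliding window per source IP
MIN_DISTINCT_USERS = 5           # assumption: one browser rarely tries 5+ accounts per minute
MIN_FAILURE_RATIO = 0.7          # assumption: a stuffing list mostly misses


def parse_line(line):
    """Parse one constructed log line into a dict (raises ValueError on malformed input)."""
    ts, src, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "user": user,
        "ok": result == "OK",
    }


def detect_stuffing(raw, window=WINDOW, min_users=MIN_DISTINCT_USERS, min_fail=MIN_FAILURE_RATIO):
    """Return {source_ip: alert} for every source whose recent window looks like a stuffing run.

    Each alert records every account the source tried, the accounts where a
    login succeeded (these need a forced reset and session invalidation), and
    the failure ratio observed when the rule first fired.
    """
    recent = defaultdict(deque)  # source IP -> events still inside the window
    alerts = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            ev = parse_line(line)
        except ValueError:
            continue  # skip malformed lines rather than crash the detector
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = {e["user"] for e in q}
        failures = sum(1 for e in q if not e["ok"])
        ratio = failures / len(q)
        if len(users) >= min_users and ratio >= min_fail:
            hit = alerts.setdefault(
                ev["src"], {"users": set(), "compromised": set(), "failure_ratio": ratio}
            )
            hit["users"] |= users
            hit["compromised"] |= {e["user"] for e in q if e["ok"]}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"{src}: tried {len(alert['users'])} accounts, "
              f"succeeded on {sorted(alert['compromised'])}, "
              f"failure ratio {alert['failure_ratio']:.2f}")
```

The two thresholds work together: a high failure ratio alone would also catch the legitimate user on 203.0.113.9, and a distinct-user count alone would catch a shared office NAT address, so the rule requires both. The useful output is the `compromised` set: those are the recycled passwords that worked, and the accounts that need a reset before the attacker returns.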

Credential stuffing is on a record pace

Okta reports on the growing threat of credential stuffing this year.

2022 has already delivered the two largest such credential stuffing attacks we have ever witnessed, and across all industries, credential stuffing accounts for 34% of overall traffic/authentication events on our platform. While most industries experienced a credential stuffing rate of less than 10% of login events, in several cases — Retail/eCommerce (more than 80%), Financial Services, and Entertainment — these attacks represented the majority of login attempts.

Account takeover attacks with stolen credentials are one of the most common and costly cyber threats. Entire marketplaces exist to sell lists of user credentials leaked in third-party breaches […] Reusing passwords across sites increases the risk of an attack and makes it more difficult for organizations to prevent fraudulent access to user accounts.

How To Prevent Credential Stuffing

Enable Multi-Factor Authentication when possible. It’s not perfect, but it’s still one of the best security defences out there. Companies should review and implement the best, most appropriate, type of MFA for their needs.

Don't reuse the same username and password across multiple logins. Also check whether any of your login accounts have ever been involved in a data breach. Antivirus companies generally offer this facility now, or there are websites such as haveibeenpwned.com.

Use a decent password manager to set up and maintain unique and complex logins to all your different accounts.
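The breach check and the "don't reuse" advice above can both be automated without ever sending a password anywhere. haveibeenpwned.com's Pwned Passwords range API works on k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters, receives every hash suffix with that prefix and finishes the comparison locally. The example below is added here to show that client-side logic together with a reuse check across a set of saved logins; it is not code from haveibeenpwned.com or LaneSystems. The range response and the credential entries are constructed (the breach count shown for "password" is a made-up number, not the real figure), and the lookup is stubbed so the example runs offline; `range_url` only builds the request that a live version would send.

```python
"""k-anonymity breach check plus password-reuse audit over constructed logins.

Added example, not the page's code. CONSTRUCTED_RANGES stands in for the
Pwned Passwords range response and its counts are invented; the request is
built but never sent, so the example runs offline.
"""
import hashlib
from collections import defaultdict


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex of a password into the 5-char prefix that is
    sent to the range API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix):
    """The request a live client would make; only the prefix is exposed."""
    return "https://api.pwnedpasswords.com/range/" + prefix


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank or malformed lines."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in the (constructed) breach corpus, 0 if absent."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts are invented for the demo.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E2B4B1D8C8E2F2E7A0A7B6E5D4C3B2A1F0:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
             "FF00AA11BB22CC33DD44EE55FF66AA77BB8:1\n",
}


def offline_range_lookup(prefix):
    """Stand-in for the HTTPS call: return the constructed range text, or nothing for unknown prefixes."""
    return CONSTRUCTED_RANGES.get(prefix, "")


# Constructed (site, username, password) entries, as a password manager export might look.
SAMPLE_CREDENTIALS = [
    ("mail", "alice", "password"),
    ("shop", "alice", "password"),
    ("bank", "alice", "Tr0ub4dor-unique-2022!"),
]


def audit(credentials, fetch_range):
    """For each site, report which other sites share its password and how often
    that password appears in the breach corpus. Hashes are compared in memory only."""
    by_hash = defaultdict(list)
    for site, _user, pw in credentials:
        by_hash["".join(sha1_prefix_suffix(pw))].append(site)
    report = {}
    for site, _user, pw in credentials:
        key = "".join(sha1_prefix_suffix(pw))
        report[site] = {
            "reused_with": sorted(s for s in by_hash[key] if s != site),
            "breach_count": breach_count(pw, fetch_range),
        }
    return report


if __name__ == "__main__":
    for site, finding in audit(SAMPLE_CREDENTIALS, offline_range_lookup).items():
        print(site, finding)
```

Run stand-alone, the audit flags "mail" and "shop" as sharing one password that the constructed corpus says is widely breached, while "bank" is unique and unseen. In a live version you would replace `offline_range_lookup` with an HTTPS GET of `range_url(prefix)`; SHA-1 is used here only because it is the API's lookup key, not as a way to store passwords.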

LaneSystems can keep your data and access credentials secure. Contact us for help keeping your business cyber safe.


Windows 11 Ups Their Password Protection

Windows 11 22H2 has been released, and continues Microsoft's emphasis on ramping up security.

Amongst the updates is a new security feature called Enhanced Phishing Protection that warns users when they enter their Windows password in insecure applications or on websites.

It is built on the Microsoft Defender SmartScreen infrastructure. The core warnings are available without additional Windows or Microsoft 365 licensing, but it's beneficial to have those licences for the enhanced features and the extra logging and reporting functionality.

It will alert end users that websites or applications are attempting to steal credentials, and can also warn users if they reuse a corporate credential in another application or website. These warnings are handy, as they can alert you if you're entering details into a reported phishing website or other reported malicious app. It will also warn when you're entering your passwords into insecure apps on your own machine, such as Notepad, WordPad, Microsoft apps, etc.

Bleeping Computer tested these features and concluded:

Overall, this is an excellent new security feature for Windows users, and it is strongly recommended that you use it to protect yourself from phishing attacks and from saving your passwords in insecure files.

However, there is still plenty of room for improvement, with Microsoft needing to expand the security feature to support more browsers and applications.

Alongside Enhanced Phishing Protection, other feature introductions and updates include Smart App Control, the vulnerable driver blocklist, credential protection, admin lockout, and other things to manage a zero-trust environment.

The full breakdown of 22H2 features is noted on the Microsoft website.


Holiday Inn Data Wiped “For Fun”

Earlier this month, global hospitality bigwig InterContinental Hotels Group (IHG), owner of the Holiday Inn, Crowne Plaza and Regent brands, was hit by a cyberattack that compromised systems and disrupted operations such as its booking channels and other applications.

In a filing to the London Stock Exchange, IHG wrote:

Unauthorised Access To Technology Systems

InterContinental Hotels Group PLC (IHG or the Company) reports that parts of the Company’s technology systems have been subject to unauthorised activity. IHG’s booking channels and other applications have been significantly disrupted since yesterday, and this is ongoing.

IHG has implemented its response plans, is notifying relevant regulatory authorities and is working closely with its technology suppliers. External specialists have also been engaged to investigate the incident.

IHG is working to fully restore all systems as soon as possible and to assess the nature, extent and impact of the incident. We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG’s hotels are still able to operate and to take reservations directly.

A further update will be provided as and when appropriate.

It was reported that just over 4,000 InterContinental Hotels Group users and 15 of its 325,000 employees were compromised in the attack.

Failed Ransomware Attack Turns Vindictive

The BBC reported that the hackers got in touch via Telegram to explain the whats and whys of their recent attack on InterContinental Hotels Group, telling the BBC they carried out a destructive cyber-attack against the Holiday Inn owner "for fun".

The hackers, a couple from Vietnam, claimed that they decided to delete large amounts of data once their attempts at a ransomware attack were blocked.

“Our attack was originally planned to be a ransomware but the company’s IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead”.

The initial access to systems was gained via a successful phishing attack. An employee was tricked into downloading a malware infected email attachment that in turn allowed the capture of their two-factor authentication code.

They were then, reportedly, able to access highly sensitive parts of IHG's computer systems after finding that the password for its internal password vault was simply 'Qwerty1234', although IHG disputes that this was the password used.

“The username and password to the vault was available to all employees, so 200,000 staff could see. And the password was extremely weak”.

An incredibly weak password, like Qwerty1234, regularly appears on the lists of most commonly used passwords worldwide.

Cyber-security specialist Rik Ferguson said:

"When it comes to defenses, these must include good password practices, but using a password that is Qwerty1234 is not an example of this."

CISO Jordan Schroeder said:

“This goes to show that resilience should always be the priority. Stopping attackers getting into systems must be the focus because once they are in, organizations then have very little control over what will happen to their data next.

“Instead, implement strong, unique passwords, implement MFA, use Privileged Access Management (PAM) to protect key accounts, deploy layered security to prevent lateral movement, and train employees regularly on phishing and cybercrime.”

IHG says customer-facing systems are returning to normal but that services may remain intermittent. Hotel owners said they dealt with angry customers whose reservations were lost due to the cyberattack, with members estimating losses of $30,000-$75,000 each.


Is Art Dead?

There’s usually little controversy when a submission to the Colorado State Fair’s digital arts competition wins first prize, however, last month’s winner generated much debate when it was revealed that the entry was generated using Midjourney, an artificial intelligence program that can turn text descriptions into images.

James M Allen, a Colorado video game designer, submitted the winning entry, Theatre D'opera Spatial, to the Emerging Digital Artists category, where he picked up the $300 prize. He says he made it clear to state fair officials that his art was created through AI when he dropped the piece off. The judges claimed that they were unaware of the AI generation but said they would still have given first prize to the piece of art if they had known. So, the quality of its work was plausible enough to fool human judges.

Smithsonian magazine writes: Allen created Theatre D'opera Spatial by entering various words and phrases into Midjourney, which then produced more than 900 renderings for him to choose from. He selected his three favorites, then continued adjusting them in Photoshop until he was satisfied. He boosted their resolution using a tool called Gigapixel and printed the works on canvas.

The result caused dismay among many professional artists, and it opened up the debate about whether AI can be an artist. As the BBC reports, some artists were already fearful that a new breed of AI image generator could take their jobs and take a free ride on the years spent learning their craft.

Movie and Game concept artist, RJ Palmer, tweeted: “This thing wants our jobs, it’s actively anti-artist”. Another wrote: “This sucks for the exact same reason we don’t let robots participate in the Olympics.” Yet another said: “This is the literal definition of ‘pressed a few buttons to make a digital art piece’. AI artwork is the ‘banana taped to the wall’ of the digital world now”. Allen fanned the flames by posting the retort: “This isn’t going to stop. Art is dead, dude. It’s over. AI won. Humans lost.”

However, as The Boar reports:

As provocative as the statement may be, it is also true that technology required a human to manipulate it. Although art-generating AI now exists in various states of sophistication, Allen didn’t just type in “sci-fi art” or whatever and get a prize-winning piece back. He clarified that he spent weeks generating hundreds of images and fine-tuning them until he produced three that he liked enough to submit to the competition.

Artist, John Lewis, said:

“Midjourney is a text-based generator but the user doesn’t really have a great deal of control over the output. It’s more of a random image generator, albeit with some really cool art styles built in. You can guide it but you can’t control it or fine tune it. Midjourney is a lot of fun, and as a quick ideas generator it’s great, certainly just as useful as a Google image search, but to claim the user is an artist, or that there is any real skill involved in using it is a bit misleading.”

Will AI eventually take over all creative and more complex jobs, or is it simply another tool to be used?