Cyber Defence Report - June 2020

Home working continues to be the new normal, and our Security Operations Team has been kept busy with cyber incidents caused by the lack of control organisations now have over users working outside the office, sometimes on non-corporate issued devices.

A survey of 2,000 UK SME employees working from home in April found that only 9% had checked whether their anti-virus software had been updated, 18% are working from unprotected devices, and only 26% have access to IT support from their employer.

Increased remote working means more workers are using video conferencing tools to replace office meetings. Despite this, the survey found that only 23% of employees had received guidance on how to use platforms like Zoom and Microsoft Teams securely.

Last month, the NCSC and CISA warned in a joint advisory that both APT groups and cyber criminals are likely to attack newly deployed remote access or remote working infrastructure in efforts to exploit the coronavirus pandemic.

If you haven’t already seen these, CyberGuard has released two guides designed to help businesses implement secure remote working and provide advice when bringing devices back into the office:

Remote Working Checklist: https://www.ogl.co.uk/ckfiles/CyberGuard_Remote_Working_Checklist.pdf

Back to Work Security Checklist: https://www.ogl.co.uk/ckfiles/0890_Back_to_Work_Security_Checklist.pdf

Cyber criminals will go to any length. This week, the media reported that organisations involved in constructing emergency hospitals during the coronavirus pandemic have been hit by cyber-attacks.

CyberGuard is committed to helping the NHS and businesses that are deemed essential during this pandemic. Over the last two months we have been providing free Security Operations Centre services and Incident Response to NHS Trusts, helping them with detection and protection.

I’m sure, like me, many of you are hoping to get a break over the Summer. I haven’t booked a flight yet, which may be good news after EasyJet revealed that they had suffered a cyber-attack. Details on the attack are still not clear but EasyJet said that the email address and travel details of approximately 9 million customers were accessed. Credit card details of 2,208 customers were also accessed.

Ransomware continues to be a big problem for IT departments, and we have seen a number of news stories about some of the larger ransomware groups, such as Maze, REvil and DoppelPaymer, increasing their activity.

In a series of tweets, Microsoft’s Security Intelligence Team stressed that it’s more important for organisations to focus on the way in which the attack is delivered than on the malicious payload. Ransomware is one of the biggest threats that businesses face, and our Threat Intelligence team spend a lot of time creating and modifying detection rules to keep up with the ever-changing tactics these groups use.

An interesting report from Sophos on the State of Ransomware reported the following headlines:

  • 26% of ransomware victims whose data was encrypted got their data back by paying the ransom
  • 56% of businesses whose data was encrypted got it back via backups
  • 84% have cyber security insurance, but only 64% had ransomware cover
  • 29% of incidents occurred via file download / email with malicious links and 9% via Remote Desktop Protocol (RDP)

With only 26% paying, we are starting to see a shift in tactics used to increase the likelihood of payment.

Grubman Shire Meiselas & Sacks, one of the top entertainment law firms in the US, was recently the target of a ransomware attack. Not only did the attacker (REvil) encrypt all of their servers, they also stole 756 gigabytes of data, then set the ransom to $42 million and threatened to release "dirty laundry" on President Donald Trump if the money was not paid.

Watch this space.

Talking of our Security Operations Team, we continue to grow the team both in numbers and in capabilities. Over the next couple of months, we will introduce our new SOC Manager, Sean Tickle. Sean brings a wealth of experience running SOCs and hopefully will become a key figure in our objective of building a world-class security team.

If you are looking for things to do while we are still in lockdown, then I can recommend a very good cyber-related podcast called Darknet Diaries by Jack Rhysider. There are currently 64 episodes and they cover a whole range of attacks and stories.

Episode 62 (Cam) features Sean in his former role.

Stay safe
Paul Colwell, Technical Director