NCSC – Weekly Threat Report 28th July 2017
NotPetya’s continuing impact on businesses
Businesses that fell victim to the NotPetya ransomware attack in June are warning of financial consequences and continuing disruption.
The potential impacts of a cyber breach to business have long been known: they may include lost sales, share price declines, reputational damage, regulatory fines for data losses, and clean-up costs. Businesses usually quote one large estimate when commenting on a cyber breach’s cost. However, in NotPetya’s wake, some businesses have provided more detailed breakdowns that highlight the attack’s tangible and financial costs.
The consumer goods company Reckitt Benckiser says some operations will not be fully restored until next month and partially attributes a fall in sales to NotPetya. FedEx Corp says it may not be able to recover all services in its TNT Express division. Other companies report that the attack will impact upcoming quarterly sales figures.
The disclosures come as other high-profile business victims are counting the cost of previous data breaches. The owner of the Ashley Madison dating site has offered $11m to settle lawsuits from US users claiming financial loss and identity fraud from the 2015 breach. Yahoo’s disclosure of a second large data breach delayed the acquisition of its core Internet business by US telecoms firm Verizon, which eventually paid around £280m less than originally agreed. More recently, shares in Italian bank UniCredit fell following disclosure of a cyber breach.
The NCSC/NCA report ‘The Cyber Threat to UK Business 2016/2017’ offers advice on mitigating cyber threats.
Ursnif now sniffs out sandboxes
The banking trojan Ursnif has been updated to include new anti-sandbox features. It can now detect whether a mouse pointer is being moved, helping it to determine whether it is running on a virtual machine or on a real machine operated by a user. It also appears to now be able to extract contacts and passwords from the Mozilla Thunderbird email client. This new version has been seen in a recent Ursnif campaign, but a previously observed version of Ursnif from March 2017 also contained some anti-sandbox functionality.
Ursnif has existed for several years. Its code was incorporated in the Gozi banking trojan, which itself was spun off into Neverquest/Vawtrak. Its creators have a history of adding new detection-evasion techniques to Ursnif, such as making it one of the first banking trojans to use Tor to hide its communications with command and control servers.
Despite Ursnif’s advanced evasion techniques, it still relies on phishing emails. Its senders try to bypass spam filters by password-protecting an attachment containing Word documents with malicious macros. The email is crafted to trick the victim into using a password, included in the email’s body text, to open the attachment.
It remains important for members of the public to be vigilant with emails. Organisations can also help to protect themselves with the guidance provided in the NCSC’s ‘10 Steps to Cyber Security’.
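A mail-gateway triage check for the delivery pattern described above, as an added example that is not part of the NCSC report: it flags a message whose attachment cannot be scanned because it is encrypted while the body text supplies the password. It assumes the attachment is a ZIP archive (the report does not name the container), and the function names, addresses and sample message are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic: body text that hands the reader a password ("Password: 4471").
PASSWORD_HINT = re.compile(r"\bpass(?:word|code)\b\s*(?:is\b|[:=])\s*\S+", re.I)
WORD_EXT = (".doc", ".docm", ".docx", ".dot", ".dotm")

def encrypted_word_members(data):
    """Names of encrypted Word files in a ZIP, read from the central directory only."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & 0x1 and i.filename.lower().endswith(WORD_EXT)]
    except zipfile.BadZipFile:
        return []  # assumption: only ZIP containers are handled in this example

def triage(raw):
    """Classify one raw message as pass / review / quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hint = bool(PASSWORD_HINT.search(text))
    locked = []
    for part in msg.iter_attachments():
        locked += encrypted_word_members(part.get_payload(decode=True) or b"")
    # The scanner cannot open the archive, yet the body gives the reader the key.
    verdict = "quarantine" if locked and hint else "review" if locked else "pass"
    return {"verdict": verdict, "locked": locked, "password_in_body": hint}

def build_sample(encrypted, body):
    """Constructed test message; the attachment holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"constructed placeholder, not a document")
    data = bytearray(buf.getvalue())
    if encrypted:  # set general-purpose flag bit 0 in the central directory entry
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "Invoice"
    msg.set_content(body)
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True, "Invoice attached. Password: 4471")))
```

The check reads only the archive's directory entries, so it never needs the password and never opens the documents themselves.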
Cyber scammers clone university website
On 20 July, Newcastle University advised students that it was aware of a website fraudulently using the university’s brand as part of an online scam.
Marketing itself as ‘Newcastle International University’, the website contains dozens of sub-pages purporting to offer academic programmes. It reportedly encourages prospective students to provide their credit card details to apply for courses. The website also requests personal information including passport numbers and employer details.
Despite the website’s well-constructed nature and professional finish, there are a few clues that it is a scam. Most (though by no means all) UK universities and higher education institutions tend to use the .ac.uk web domain, which this website does not. Similarly, its name, ‘Newcastle International University’, is a further clue that it is not affiliated with the official university.
This scam targets prospective students, and particularly international students, looking to secure places with UK institutions for the coming academic year. However, it’s not just recruitment scams students need to be aware of when applying for a place at university. Last year, Action Fraud reported a phishing campaign targeting students with the promise of an education grant from the Department of Education.
Such scams may indicate a wider trend of global brands, including UK universities, being targeted by cyber criminals. NCSC assesses that this trend is likely to increase in the future.
Massive data breach in Sweden causes controversy
Sweden’s Transport Agency (Transportstyrelsen, TS) has reportedly suffered a serious data exposure which is likely to include personally identifiable information (PII) and confidential government data. Citizens may be at risk of identity theft, fraud and other criminal activity from malicious actors. The breach was reportedly the result of management errors and inadequate safeguards.
TS is said to have outsourced its database and network management via IBM Sweden to vendors in Romania and the Czech Republic, with unauthorised and uncleared personnel being given access to vast amounts of sensitive data. Reports claim that the entire database was uploaded by TS to inadequately secured cloud servers and was sent unencrypted to marketers.
This incident highlights the fact that outsourcing IT contracts does not also outsource risk. Outsourcing without adequate security safeguards can leave data vulnerable, risking financial and reputational repercussions for both the data owner and the third party. Aggregating vast amounts of data in a single place and storing it in plain text could also provide opportunities for exploitation by unauthorised individuals.
UK institutions and businesses could similarly be at risk if they fail to adequately protect information. It is essential for data owners to consider the risk to information held across their supply chain. The NCSC provides guidance on using Cloud Services.