'Trickbot' Banking Trojan

Attacks designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII).

A 'trojan' is a type of malware or virus, disguised as legitimate software, that is used to hack into the victim's computer. Trickbot infections can be very damaging, as the malware can download new capabilities on to a victim's device without any interaction from the victim. Aside from the theft of PII as described above, these capabilities can allow attackers to gather detailed information about networks and to spread across them. In some cases, Trickbot is used to infiltrate a network, and once inside it's used to deploy other malware such as ransomware.

Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from trusted commercial or government brands. These emails often contain attachments (or link to attachments) which victims are instructed to open, leading to their machine being exploited.

Advice

Spotting the signs of a possible Trickbot infection
Victims of Trickbot have observed a number of malicious activities, including:
  • Unauthorised access attempts to online accounts.
  • Successful, fraudulent bank transfer activity.
  • Unauthorised changes to their network infrastructure.
Protecting business and personal banking facilities (including where employees have accessed personal banking from work devices)
  • Consider changing passwords and memorable information for corporate, business, or personal internet banking facilities accessed from the infected network.
  • Review bank and credit card statements for suspicious activity, and report any findings to your bank.
  • Advise any employees who have accessed online banking facilities from the affected network to do likewise.
Antivirus
  • Running a full scan on all devices using up-to-date antivirus software, such as Windows Defender, should detect and remove Trickbot infections.
  • Keep your antivirus up to date, and consider using a cloud-backed antivirus product that can benefit from intelligence which larger scale operations bring. Ensure that antivirus software is capable of scanning 'Microsoft Office macros' (these are often exploited in Trickbot attacks).
Keep up to date
  • Use the latest supported versions of operating systems and software, and apply security patches promptly.
Back up your data
  • Make sure you regularly back up your important data. These backups should not be connected to your network, or they'll be at risk of infection, just like any other device.
  • It's a good idea to test your backups to make sure they work too!
Multi-factor authentication (MFA)
  • Also known as 2-factor authentication (2FA), this involves supplying either an additional one-time code, or use of biometrics to further secure the login process. Most online services and accounts provide a 2FA/MFA option, so enable this wherever you can.
  • In general, authenticator apps are more secure than using SMS tokens, but if that's the only option available then it's better than nothing.
Security Monitoring
  • It pays to have some sort of monitoring in place so you have the data needed to detect and analyse network intrusions.
  • The more accurate information you have, the quicker you'll be able to recover from cyber incidents.
  • This will also reassure your customers, suppliers, investors and regulators that you've taken all measures necessary to protect your data and systems.
Network Segregation
Network segregation involves separating critical networks from less sensitive networks. You may not be responsible for implementing this, but it's a good concept to be aware of for your organisation.

Whitelisting apps
Instead of listing all the potential bad stuff you don't want to use (which is a lot nowadays!), it's simpler to create a short list of trusted applications and processes that are authorised to run. This is essentially what whitelisting is.

Reporting
You need to report cyber crime to Action Fraud, which is the UK's national cyber crime reporting portal. You can report through phone (0300 123 2040) or on their website at https://www.actionfraud.police.uk

Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.

Remember, Action Fraud operate a 24/7 live cyber reporting line for organisations! Further details at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses

This advice is taken from the NCSC's Trickbot advisory on their website at https://www.ncsc.gov.uk/news/trickbot-advisory

Cyber Intelligence Report


NCSC Advisory: Trickbot

The National Cyber Security Centre has released guidance on how organisations can protect their networks from the 'Trickbot' banking trojan. Trickbot is an established banking trojan used in cyber attacks against businesses and individuals in the UK and overseas. Trickbot attacks are designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII). In some cases, Trickbot is used to infiltrate a network, and then used to deploy other malware including ransomware and post-exploitation toolkits.

Read the advisory at https://www.ncsc.gov.uk/news/trickbot-advisory

Ransomware Roundup

Below we take a quick look at prevalent and emerging ransomware variants in the UK according to Action Fraud reports, along with some protective advice.

Dharma

Delivery Method: Phishing email/RDP
Typical Ransom Demand: Varies depending on how quickly the victim gets in touch with suspects, but usually around 1 BTC
Online Decryptor Keys: No

Once encrypted, two files are placed on the victim's desktop - "FILES ENCRYPTED.txt" and "INFO.hta". These contain the suspect email as well as instructions on how to purchase Bitcoins.

The ransomware uses asymmetrical encryption, generating both a public and private key during the encryption process (the public to encrypt the files and then the private key to decrypt them). 

There are currently no tools able to decrypt Dharma, with the remaining solutions being paying the ransom (not advised) or restoring files from a backup/system restore.

NFIB have observed a case of a victim paying a ransom demand of 5 Bitcoin (roughly £25,000) but not receiving a decryption key.

STOP

Delivery Method: Phishing email
Typical Ransom Demand: Between USD 300-600
Online Decryptor Keys: No

Once infected the ransomware encrypts victims' devices with AES and RSA-1024 encryption algorithms. It places a file on the victim's desktop called "!!!YourDataRestore!!!.txt".

It was previously seen using the ".DJVU" extension; however, it now uses the original ".STOP" file extension.

The ransomware demands between $300-$600 and leaves two email addresses and a Bitmessage address for victims to get in touch with to get their files back.

There is currently no tool available to decrypt the data once it has been encrypted, therefore the only way of getting this back is to restore everything from a backup.

Cr1pt0r

Delivery Method: RDP
Typical Ransom Demand: Varies depending on how quickly the victim gets in touch with suspects; reports have seen demands up to USD 1200
Online Decryptor Keys: No

Cr1pt0r is a ransomware targeting NAS (Network-attached storage) equipment exposed to the internet. 

It has been seen targeting vulnerabilities in old firmware on D-Link DNS-320 NAS models.

Originally built to target Linux systems it can be modified to infect Windows devices.

Once infected, the malware places two plain text files on the desktop. One is the ransom note, called "_FILES_ENCRYPTED_README.txt", which tells the victim how to pay the ransom and what they will get in return (the file decryption key). The other is called "_cr1ptt0r_support.txt" and stores the address of the website on the Tor network.

No specific extension is added to the locked files; instead, an end-of-file marker "_Cr1ptT0r_" is added.

There is currently limited open source information surrounding the ransomware, but this could change as it becomes more prevalent.
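
The ransom note names, file extensions and end-of-file marker listed above for Dharma, STOP and Cr1pt0r can be swept for on a file share or NAS mount. The script below is an added example, not part of the original report; its function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Indicators quoted in the roundup above; names are compared case-insensitively.
RANSOM_NOTES = {
    "files encrypted.txt": "Dharma",
    "info.hta": "Dharma",
    "!!!yourdatarestore!!!.txt": "STOP",
    "_files_encrypted_readme.txt": "Cr1pt0r",
    "_cr1ptt0r_support.txt": "Cr1pt0r",
}
# .djvu is also a legitimate document format, so treat that hit as low confidence.
EXTENSIONS = {".stop": "STOP", ".djvu": "STOP"}
EOF_MARKER = b"_Cr1ptT0r_"  # appended to locked files; the extension is unchanged


def ends_with_marker(path, marker=EOF_MARKER):
    """Return True if the last bytes of the file equal the marker."""
    try:
        size = os.path.getsize(path)
        if size < len(marker):
            return False
        with open(path, "rb") as fh:
            fh.seek(size - len(marker))
            return fh.read(len(marker)) == marker
    except OSError:
        return False  # unreadable or missing file: skip, do not abort the sweep


def scan(root):
    """Walk root and return sorted (family, reason, relative_path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            if lower in RANSOM_NOTES:
                findings.append((RANSOM_NOTES[lower], "ransom note", rel))
                continue
            ext = os.path.splitext(lower)[1]
            if ext in EXTENSIONS:
                findings.append((EXTENSIONS[ext], "file extension", rel))
            if ends_with_marker(full):
                findings.append(("Cr1pt0r", "end-of-file marker", rel))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "Desktop/FILES ENCRYPTED.txt": b"constructed note",
            "share/report.docx": b"constructed data" + EOF_MARKER,
            "share/photo.jpg.STOP": b"constructed data",
            "share/clean.txt": b"nothing to see",
            "share/empty.bin": b"",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for family, reason, rel in demo():
        print(f"{family:8} {reason:20} {rel}")
```

Run it read-only against a mounted copy or snapshot where possible, and keep the output with the other evidence gathered for reporting.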

Points to consider:

Phishing

Ensure that your organisation is taking all of the steps it can to reduce the impact of phishing (NCSC guide at https://www.ncsc.gov.uk/guidance/phishing). Get creative with internal awareness campaigns and awareness sessions/training (e.g. use screenshots of phishing emails the company has received). Seek buy-in from senior management and from other departments within your company, and make use of the resources which are out there from organisations we often cite (e.g. NCSC, ActionFraud, CyberAware, Take Five, Europol, CPNI).


Backups
Create regular backups of your important files to an external hard drive, memory stick or online storage provider. It's important that backups are not left connected to your computer as ransomware infections can spread to those as well. As we always say, check that you have backups, check what's on those backups, and check that they actually work!

Updates
Always install updates as soon as is reasonably possible. Make sure that all of your architecture (operating systems, applications, web frameworks, software packages etc. across all devices and services) consistently receives updates.

Remote Desktop Protocol (RDP)
RDP vulnerabilities are being commonly exploited, so ensure that you are doing everything you can to secure against associated threats. This includes reviewing port security, access controls, defending against brute force attacks through strong authentication, or disabling RDP altogether if not needed. Other guidance can be found via https://www.ncsc.gov.uk/section/advice-guidance/all-topics

Should I pay the ransom?
The nationally recommended guidance is that victims of ransomware should not pay the ransom. This is for a number of reasons:
  • There is no guarantee you will receive your data back.
  • If criminals know that you have paid out previously, you may be at risk of being targeted again.
  • Ransom payments fund criminality, and if criminals consistently receive funds then they will continue to employ those successful tactics.

Reporting
If you have been a victim of ransomware, please report the incident to Action Fraud. Typically, ransomware attacks will be live incidents, so if this is the case you can make use of Action Fraud's 24/7 reporting function through phone at 0300 123 2040. More information can be found at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses

Reporting helps build intelligence for law enforcement which is vital to investigations, as well as informational campaigns. 

When reporting, it is hugely helpful to capture as much evidence as possible, including images of splash screens, linked email addresses, or linked Bitcoin/cryptocurrency wallets.

Current Threat - Digital Footprint

Digital Footprint


Term used to describe your unique traceable online activity on the internet.


Attackers use publicly available information about your organisation and staff to make their attacks more successful. This is often gleaned from your website and social media accounts.

There is a lot of scope to limit the amount of information you know you're sharing, in order to make it harder for attackers to better target you. Below, we outline a few steps that your organisation can take to stop being so forthcoming with important data.

Advice

Meet the team pages
Meet the team pages are a great way to add personality and help build the brand of a company. They can also be an absolute treasure trove for those with malicious intent. If an attacker knows the names, job roles, personal interests and email addresses of your employees, then they can use this to craft targeted phishing emails or perhaps inform password guessing techniques for individuals. Limit this information.

Social media
As above, there's a lot of information out there on social media. By its nature, LinkedIn can be very forthcoming with employer/employee details, but any social media can reveal a lot of information. Review what's available on these sites - do you need to post details about recent contracts won/suppliers and partners? How do you do this?

You don't have to scrub everything clean, but be aware of what you're putting out there, and how it might be used against you. 

What are others saying about you?
Be aware of what your partners, contractors and suppliers give away about you or your organisation online.

Try using multiple search engines to see what information you can find about yourself.

Use of employee credentials for 3rd party sites
This is specifically talking about using corporate email addresses to sign up for 3rd party services (e.g. Cloud storage providers, employee benefit schemes, open source software accounts). If these services are breached, and employees reuse passwords across accounts, then this can be a huge threat to your organisation. Leaked credentials like this can provide a simple way in for an attacker. In general, it's best to avoid using corporate emails to sign up to services where possible.


For developers...
We have seen a few cases where developers have left important credentials on code repositories, or even hard-coded into websites etc.

This can have very dire consequences for all parties involved, so make sure that this is not being done.

Scratching the surface
We believe that there's a healthy level of paranoia when it comes to this sort of stuff. There are a number of other things which you can consider in order to reduce your digital footprint, but the important thing is to be aware of what information about you and your organisation is readily available online. The above points are some quick wins, further guidance and links can be found on the NCSC website (Tip 5 in that entry) at https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks

Reporting
Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.

You need to report cyber crime to Action Fraud, which is the UK's national cyber crime reporting portal. You can report through phone (0300 123 2040) or on their website at https://www.actionfraud.police.uk

Remember, Action Fraud operate a 24/7 live cyber reporting line for organisations! Further details at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses

Current Threat - Critical Updates


It's been a busy start to the year in terms of security updates, especially if you're a Microsoft user.


The end was nigh for Windows 7 as Microsoft officially stopped supporting the decade old operating system. What does this actually mean? Well, in short it means that any machines still using Windows 7 will from now on be less secure, as Microsoft will no longer be rolling out security updates which fix known exploits.

Given the risks of running Windows 7, users should plan to replace it as soon as possible. If you are not in a position to do this, then you need to have some sort of a plan in place which deals with the risk of running an unsupported operating system.

Last week, Microsoft also released a patch for a core vulnerability which affected all versions of Windows. This vulnerability was disclosed by the United States National Security Agency, who alerted Microsoft so updates could be rolled out as a priority.

Frequently updating your software and hardware is one of the most important things that you can do to ensure that you are protected against cyber crime. The WannaCry incident in 2017 which severely affected the NHS was largely down to the number of devices running Windows XP which had not received sufficient updates.

Updates fix known vulnerabilities which can be exploited by malicious code. When an employee clicks on a link which downloads a piece of malicious software, or visits a website loaded with malware, or enables macros on a document, all of these attack methods are looking to exploit known software vulnerabilities which can often be prevented with up to date software. 

It's not really feasible to always drop everything you're doing and perform updates, but it's vital to make sure that they are carried out.

2020 Reboot

Your 2020 Reboot

Happy New Year! We hope you enjoyed the festive break, and managed to recharge your batteries ready for another year.

2019 saw some fantastic successes for law enforcement tackling cyber crime. There was another international crackdown on a spyware tool, the organised criminal network operating the 'GozNym' malware was dismantled, and here in the South West we led an international investigation which resulted in six arrests and put a stop to a multi-million pound cryptocurrency theft.


We will be doing our part to ensure that these successes continue this year. However, we also need you to make sure that you're doing all that you can to protect yourself against cyber crime. Below are some key things you can do to start 2020 off on the right track.

Advice

Nail the basics
The majority of the time in our investigations, the attacks (or at least the main fallout) could have been prevented if basic cyber security principles were in place and being executed. The National Cyber Security Centre's 'Small Business Guide' is a fantastic resource which is as relevant now as it ever has been. Following the advice in this guide will protect you against the majority of common cyber attacks. Find it at https://www.ncsc.gov.uk/collection/small-business-guide  

Know how to respond to and recover from attacks
Unfortunately, it is now more a matter of when, not if, your organisation experiences some type of cyber incident. It was for this reason that the NCSC created the 'Response and Recovery' guide. You can find the guide at https://www.ncsc.gov.uk/collection/small-business-guidance--response-and-recovery

Security awareness is key
Training your staff effectively is absolutely essential to hardening your defences. If you're interested in more hands on presentations, workshops, or exercises, then get in touch with us! All of our sessions are free, we are always looking to engage with organisations, and we have fantastic contacts and networks which you can benefit from as well.

If you're looking for e-learning resources, then the NCSC has you covered again with their 'Top Tips For Staff' available at https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available


Get cyber security on your board's agenda
Boards are pivotal in improving the cyber security of their organisations. The 'Board Toolkit' from the NCSC was created to encourage essential discussions about cyber security to take place between the Board and your technical experts. Board members don't need to be technical experts, but they need to know enough about cyber security to be able to have a fluent conversation with their experts, and understand the right questions to ask. The toolkit is at https://www.ncsc.gov.uk/collection/board-toolkit

Keep up to date
There are a huge number of other sources where you can keep up to date with cyber security news. The NCSC, Action Fraud, CiSP and the Take Five campaign are just a few great examples of websites / social media accounts / alert services which are free to sign up to, and forward on to others. There are also a number of IT/security websites which you can include in RSS/news aggregator services if you use them. 

Reporting
Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.

You need to report cyber crime to Action Fraud, which is the UK's national cyber crime reporting portal. You can report through phone (0300 123 2040) or on their website at https://www.actionfraud.police.uk

Remember, Action Fraud operate a 24/7 live cyber reporting line for organisations! Further details at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses

Seasonal Scams

Staying Safe Against Seasonal Scams

This time of the year is a treat for cyber criminals, as shoppers are rushing to bag last minute bargains, and employees are already mentally clocking out for the holidays.

A lot of you will have stuffed those stockings already, but fake websites and phishing emails promising truly 'unbelievable' offers will still be rampant. So with this in mind, we've highlighted 7 tips below to keep you safe in the run up to Christmas and beyond!

Advice

Stay up to date
Installing the latest software and app updates is an essential part of protecting yourself. Updates aren't just for exciting new features, they usually contain really important security fixes which can protect you against a number of attacks. Turn on automatic updates where you can!

Strong and separate passwords
Secure your accounts with a strong password - especially your email. Cyber criminals want to hack into your email account. They're looking for valuable information like bank details and logins for your other online accounts, but they'll also make use of things like your address or date of birth when trying to crack your passwords. So, you should have a strong password for your email. One that you don't re-use anywhere else. This way, even if an attacker manages to access your email, they won't also be able to log into your online bank account.
For more info, check out the NCSC's guidance on this at https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email

Using a Password Manager
If you struggle to remember all of your passwords, the NCSC also recommend using a password manager. If you choose to do this, then make sure to choose a reputable one, and make sure the password for this is very secure!
For more info on this, check the NCSC guidance at https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers

Turn on Two-factor Authentication (2FA)
This may sound complicated, but it really isn't! 2FA is effectively a second password/passcode which is randomly generated and usually sent to your phone when logging in to an account. This means that unless attackers have access to your phone in some way, it is much more difficult for them to compromise accounts. Instructions for how to turn on 2FA can usually be found in the help sections of apps and service websites.

Take extra care over links 
Always be cautious over unsolicited links, in fact try to get out of the habit of following them if you can. For example, if an email is referencing your account and asks you to follow a link, then log into your account separately and check instead (i.e. don't use that link). The same applies for deals/coupons/vouchers, you should always look through other channels to verify information. Links could lead to fake websites designed to steal your information, money, or infect your devices with malicious software. 

Don't give away too much information
Normally online stores will ask for some information e.g. address, and some bank information to complete a purchase. If a store is asking for personal information which shouldn't be needed, such as where you went to school, or your mother's maiden name, then this could be a red flag that a purchase is not legitimate.

Also if you can avoid it, don't create an account unless you plan to use a site in the future. You can usually checkout as a guest.

When things don't feel right
If something doesn't add up, then take five and have a second look at what you're being asked to do. If you're concerned that you may be at risk of cyber crime, then close down your browser/app.

Report the details to Action Fraud. You can report through phone (0300 123 2040) or on their website at https://www.actionfraud.police.uk

Remember, Action Fraud operate a 24/7 live cyber reporting line for organisations! Further details at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses


Windows 7 EOL

On January 14th 2020 Windows 7 and Windows Server 2008 (inc. variants) reached End of Life and will no longer have release updates or security patches provided by Microsoft.

These systems will still work after this date, but your business may be exposed to emerging threats of new viruses and malicious attacks.

Please don’t hesitate to contact either Julie or Darryn on 01460271055 to discuss your concerns.