Top news stories this week
- Your attack was delivered. UK’s Royal Mail suspends overseas deliveries following cyber attack.
- Patch, patch, patch! Rackspace confirms ransomware attack was result of unpatched vulnerability.
- Password123. Thousands of weak passwords used by US federal agency staff cracked in security audit.
- The future is now? Chinese researchers claim to have broken RSA encryption using quantum computing.
- Experian hacked. Identity thieves access credit reports through URL vulnerability.
- Frequent flyers. Air France-KLM notify customers of data breach.
S-RM’s Incident Response team has observed Lorenz using a 5-month-old web shell as a way into a victim’s network.
Read more about our observations in last week's special edition of the Cyber Intelligence Briefing.
1. Critical infrastructure: Royal Mail suspends overseas post due to cyber attack
On Thursday, the UK’s postal service Royal Mail suspended overseas postal deliveries amid serious disruption caused by a suspected ransomware attack. Domestic post is unaffected and the incident has been reported to the National Cyber Security Centre and National Crime Agency.
Separately, air travel in the US earlier this week was suspended following a system outage at the Federal Aviation Administration. While there is no evidence so far that the outage was the result of a cyber attack, a former NATO commander described the incident as a “wake up call”.
So what?
All organisations should prepare for unplanned system outages, including those caused by a cyber incident. Well-practised disaster recovery, business continuity, and incident response plans can significantly reduce operational downtime and recovery costs.
2. Hard lessons from Rackspace about the importance of patching
Cloud service provider Rackspace, which suffered a ransomware attack in December, confirmed that it was the result of an unpatched privilege escalation vulnerability in the company’s hosted Microsoft Exchange Server environment. Rackspace had decided not to patch and relied on mitigation measures instead, due to concerns over service disruption.
Separately, Microsoft’s first Patch Tuesday of the year includes fixes for 98 flaws, plus one for an actively exploited zero-day elevation of privilege vulnerability. Of the flaws, 11 are marked as ‘critical’ because they allow for security bypassing and remote code execution.
So what?
Threat actors continuously seek to exploit novel and emerging vulnerabilities. While patching can cause service disruption in the short term, an effective risk management process should weigh this up against the potentially devastating impact of a cyber attack.
3. Thousands of weak passwords cracked during US federal agency audit
An internal audit of the US Department of the Interior revealed significant weaknesses in its existing password policies. A total of 18,271 account password hashes were cracked using a proprietary password cracking tool, with 14,000 passwords retrieved within the first 16 minutes. The agency’s password policy allowed the use of common dictionary phrases and keyboard patterns, which are easy to crack. Some 5% of the passwords included a variation of the word ‘password’.
So what?
A robust password policy with minimum requirements for length and complexity is just one element of secure identity management. Organisations should also explore additional technical defences and organisational processes, such as multi-factor authentication and single sign-on systems, to reduce reliance on passwords.
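The policy weaknesses described above (dictionary phrases, keyboard patterns, and ‘password’ with letters swapped for symbols) can be rejected at the point a password is set. The check below is an added example, not tooling from S-RM or the audit; the word list and keyboard runs are constructed samples, and a real deployment would load a full breached-password list instead.

```python
import re
from typing import List

# Constructed sample inputs (assumption: a real deployment uses a much larger
# dictionary and breached-password list rather than these few entries).
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "changeme"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1234567890", "0987654321")
# Undo the usual letter-for-symbol substitutions so "P@ssw0rd" reads as "password".
LEET = str.maketrans("@$0134!|", "asoieail")


def normalize(pw: str) -> str:
    """Lower-case the candidate and reverse common leetspeak substitutions."""
    return pw.lower().translate(LEET)


def weak_reasons(pw: str, min_len: int = 14) -> List[str]:
    """Return every policy rule the candidate breaks; an empty list means it passes."""
    reasons = []
    norm = normalize(pw)
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if "password" in norm:
        reasons.append("contains a variation of 'password'")
    for word in sorted(COMMON_WORDS - {"password"}):
        if word in norm:
            reasons.append(f"contains dictionary word '{word}'")
    # Any 5-character window of a keyboard row or digit run counts as a pattern.
    for run in KEYBOARD_RUNS:
        if any(run[i:i + 5] in norm for i in range(len(run) - 4)):
            reasons.append("contains a keyboard pattern")
            break
    if re.fullmatch(r"(.)\1+", norm):
        reasons.append("single repeated character")
    return reasons


def is_acceptable(pw: str) -> bool:
    return not weak_reasons(pw)


def audit(candidates: List[str]) -> dict:
    """Summarise a batch the way the audit did: how many are weak, and how many
    contain some form of 'password'."""
    weak = [c for c in candidates if not is_acceptable(c)]
    pw_variants = [c for c in candidates if "password" in normalize(c)]
    return {"total": len(candidates), "weak": len(weak),
            "password_variants": len(pw_variants)}
```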
4. Chinese researchers claim to have cracked RSA encryption algorithm
Last week, researchers in China claimed to have used quantum computing to break the RSA encryption algorithm, which is widely used for secure online communications. Researchers have subsequently expressed scepticism over the claims which have yet to be verified.
So what?
Whether true or not, the research shines a light on the implications that advances in quantum computing will have for how we keep communications private. Organisations should be aware of this evolving security trend and of the changes that will need to be made to the encryption algorithms in use today.
5. Experian URL vulnerability exploited by identity thieves
Attackers exploited a critical vulnerability in the website of Experian, the credit monitoring giant, to gain access to credit monitoring reports. By modifying the URL during the identity verification process, attackers could trick the Experian website into giving them access to any user's credit report.
So what?
Organisations should ensure they practise good cyber hygiene to protect customers’ sensitive data. Regular penetration testing of websites and web applications is an important part of this.
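The bug class described above is a multi-step flow whose progress is read from the URL rather than from the server. The snippet below is an added illustration of that pattern and its fix, not Experian’s code; the session store, customer records, and identity questions are all constructed placeholders.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (assumption: stands in for real customer records).
REPORTS = {"cust-1": "report for customer 1", "cust-2": "report for customer 2"}
KBA_ANSWERS = {"cust-1": {"street": "1 Sample Road", "year": "2015"},
               "cust-2": {"street": "9 Example Way", "year": "2019"}}


@dataclass
class Session:
    customer_id: str
    verified: bool = False  # set only by the server after a successful check


SESSIONS: Dict[str, Session] = {}


def start_verification(customer_id: str) -> str:
    """Step 1: issue an opaque session token; the URL carries no flow state."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = Session(customer_id)
    return token


def answer_questions(token: str, answers: Dict[str, str]) -> bool:
    """Step 2: the server, not the client, records whether verification passed."""
    session = SESSIONS[token]
    expected = KBA_ANSWERS[session.customer_id]
    ok = len(answers) == len(expected) and all(
        answers.get(q) == a for q, a in expected.items())
    session.verified = ok
    return ok


def get_report_vulnerable(token: str, url_params: Dict[str, str]) -> Optional[str]:
    """Weak pattern: a parameter in the URL is taken as proof that step 2 happened,
    so the verification step can be bypassed by editing the URL."""
    session = SESSIONS.get(token)
    if session and url_params.get("step") == "report":
        return REPORTS.get(session.customer_id)
    return None


def get_report_hardened(token: str, url_params: Dict[str, str]) -> Optional[str]:
    """Fixed pattern: ignore the URL and consult only the server-side session flag."""
    session = SESSIONS.get(token)
    if session is None or not session.verified:
        return None
    return REPORTS.get(session.customer_id)
```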
6. Hacked customer accounts at Air France-KLM frequent flyer programme
European airline Air France-KLM is notifying customers of its Flying Blue loyalty programme that some accounts have been breached and their personal information has been exposed. The compromised data includes names, email addresses, phone numbers, and latest transactions.
So what?
Following an account breach, users should change their passwords to a new, unique, and complex alternative that is not used on other online platforms.