Cyber Security Newsletter Week 4

DDoS attacks are becoming more prolific and more powerful

A report warns about a rise in DDoS attacks as cyber criminals get more creative about making their campaigns more disruptive. There has been a rise in distributed denial of service (DDoS) attacks in recent months, in what cybersecurity researchers say is a record-breaking number of incidents. There were 5.4 million recorded DDoS attacks during the first half of 2021 – a figure that represents an 11% rise compared with the same period last year. During the first half of 2021 there have been several attacks using between 27 and 31 different vectors, and an attacker can switch between them to make the attack harder to disrupt. DDoS attacks have become more effective during the past year because of the added reliance on online services: disruption to services that people depend on in both their professional and personal lives can have a significant impact.

A DDoS attack is a crude but effective form of cyberattack. Attackers flood the victim's network or servers with a wave of internet traffic so large that the infrastructure is overwhelmed by the number of requests, slowing services down or taking them fully offline and preventing legitimate users from accessing the service at all.
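To show what that flood looks like in telemetry, here is an added example (not part of the newsletter, and not any vendor's product) that parses web-server access-log lines in Common Log Format, buckets requests into fixed time windows, and flags windows where the request count and the number of distinct source addresses both exceed thresholds. The log lines, the thresholds and the address ranges are constructed for the illustration; real deployments would tune the window and thresholds to their normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.:
# 203.0.113.7 - - [10/Oct/2021:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into (source_ip, timestamp); return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_seconds=10, rate_threshold=100, min_sources=10):
    """Bucket requests into fixed windows and flag windows above rate_threshold.

    A window exceeding the rate from at least min_sources distinct addresses is
    labelled 'distributed' (the DDoS signature); a high rate from fewer sources
    is labelled 'concentrated', since it can often be handled by per-source
    rate limiting rather than upstream scrubbing. Thresholds are assumptions.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip unparseable lines rather than crash
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        counts[bucket] += 1
        sources[bucket].add(ip)

    alerts = []
    for bucket in sorted(counts):
        n, distinct = counts[bucket], len(sources[bucket])
        if n < rate_threshold:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "requests": n,
            "distinct_sources": distinct,
            "kind": "distributed" if distinct >= min_sources else "concentrated",
        })
    return alerts


def build_sample_log():
    """Constructed sample: one minute of normal traffic from three clients,
    then a ten-second burst of 150 requests spread over 50 addresses."""
    base = datetime(2021, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def fmt(ip, t):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 2326'

    lines = []
    for i in range(30):  # normal: one request every 2 s, three rotating clients
        lines.append(fmt(f"192.0.2.{i % 3 + 1}", base + timedelta(seconds=2 * i)))
    burst_start = base + timedelta(seconds=60)
    for i in range(150):  # flood: 50 sources, 3 requests each, within 10 s
        lines.append(fmt(f"198.51.100.{i % 50 + 1}",
                         burst_start + timedelta(seconds=i // 15)))
    lines.append("not a log line")  # malformed entry, exercises the skip path
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

With the defaults the six normal windows (five requests each) stay quiet and only the burst window is reported, as a distributed flood from 50 sources. Lowering `rate_threshold` to 5 makes every window fire, which is the kind of false-positive noise a too-tight threshold produces.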

Solutions:
• DDoS prevention
• Vulnerability Scanning
• Consultancy Service and awareness training

CMA CGM Cyber-attack crushed

Giant Group, the umbrella company that has thousands of contractors on its books, has been targeted by a "sophisticated" cyber-attack that floored its systems and left workers out in the cold. The attack happened last Wednesday and forced the outfit, known to many as Giant Pay, to shut down its whole network, including its phone and email systems, as well as its IT infrastructure. The incident blew up last week when contractors, many of whom work in IT, were unable to contact the company or carry out payroll-related tasks. Giant Group went on to imply that its reticence to share information was down to the nature of the attack, saying it had shared updates as soon as it was advised that it was "safe to do so." The company also confirmed that it had made interim payments to more than 8,000 contractors who are paid, via the payroll services provider, for work they do with other companies and organisations. It is not clear whether everyone who is due money has been paid, or whether they have received their full amount.

Solutions:
• Email Protection (Mimecast)
• Awareness Training (Mimecast & Consultancy)
• Update and patching

VMware vCenter deployments under attack as enterprises urged to update systems

Attackers are actively exploiting a critical vulnerability in VMware vCenter Server that exposes vulnerable enterprise networks to the risk of infiltration. The arbitrary file upload flaw (CVE-2021-22005) – one of a raft of vCenter vulnerabilities addressed by software updates released on September 21 – can be abused regardless of configuration settings, says VMware. On the same day, threat intelligence firm Bad Packets reported that it had detected "mass scanning activity" against its VMware honeypots, and VMware updated its security advisory to acknowledge that in-the-wild exploitation had been detected. CISA has urged organizations with vulnerable installations to update their systems as soon as possible and to apply the temporary workaround provided by VMware in the meantime. VMware has a massive customer base of 500,000 globally. Its popularity among enterprises, many of which can be slow to update their systems, makes its server virtualization technologies compelling targets for attackers.

Solutions:
• Vulnerability Scanning / Penetration Testing
• Data / Endpoint Protection
• Regular updates and patching

Gaming platforms face a major threat from BloodyStealer

The trojan aims to steal gamers' account data across multiple gaming platforms such as Epic Games Store, EA Origin, and Steam. This new trojan has been targeting gaming platforms to harvest gaming account-related details. Since its discovery, BloodyStealer has already targeted users based in Latin America, Asia Pacific, and Europe. The information stealer is being sold through private channels to VIP members of underground forums, where the subscription model is priced at USD $40 for a lifetime license or less than $10 per month. Logs, accounts, and in-game goods are game-related assets that are being sold on the darknet at attractive prices. The high demand for such information on the black market could be the reason behind this attack campaign. BloodyStealer comes with detection evasion and protection against malware analysis, and has a range of capabilities. It can steal sessions from clients such as Bethesda, GOG, VimeWorld, Steam, Epic Games, Telegram, and Origin. It can also steal files from the desktop (.txt) and from the uTorrent client, and it can gather a wide range of sensitive information, such as passwords, cookies, bank cards, and sessions from multiple apps. It can collect logs from memory, and it is equipped with logging protection and reverse engineering protection mechanisms.

BloodyStealer appears to be an advanced malware with a plethora of capabilities. It comes with anti-detection techniques that make it more lucrative for cybercriminals. Though it is targeting only gaming accounts, it has the potential to expand its scope to other industries as well.

Solutions:
• Website / Email Protection (App Stores, web links, downloads)
• Ransomware protection
• Set complicated passwords and regularly update

Apple Pay Visa Contactless hack

Large unauthorised contactless payments can be made on locked iPhones by exploiting how an Apple Pay feature designed to help commuters pay quickly at ticket barriers works with Visa. In a video, researchers demonstrated making a contactless Visa payment of £1,000 from a locked iPhone. Apple said the matter was "a concern with a Visa system". Visa said payments were secure and that attacks of this type were impractical outside of a lab. "Express Transit" is an Apple Pay feature that enables commuters to make quick contactless payments without unlocking their phone, for example when touching in and touching out at a London Underground ticket barrier. In very simple terms, and with many key details deliberately omitted, the attack works like this:

- a small, commercially available piece of radio equipment is placed near the iPhone, which tricks it into believing it is dealing with a ticket barrier
- at the same time, an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal; this could be in a shop or one under the criminal's control
- because the iPhone thinks it is paying a ticket barrier, it doesn't need to be unlocked
- meanwhile, the iPhone's communications with the payment terminal are modified to fool it into thinking the iPhone has been unlocked and a payment authorised, allowing high-value transactions to be made without entering a PIN, using a fingerprint or using Face ID

The researchers also tested Samsung Pay, but found it could not be exploited in this way. They also tested Mastercard, but found that the way its security works prevented the attack.