Cyber Security Newsletter Week 5
Tesco Website and app back up after hack attempt
Tesco's website and app are now up and running again, following a service outage that began on Saturday. The retail giant's services had crashed after what Tesco said were attempts "to interfere with our systems". The possible hack at Britain's biggest supermarket began with shoppers unable to order goods and track deliveries. Tesco initially said there was "an issue", but in a Sunday update said there had been deliberate disruption. The supermarket later confirmed on Twitter that its groceries website and app were back up and running, but it was temporarily using a "virtual waiting room" to manage the high volume of traffic. The scale of the problem, and whether the issue was nationwide or only in certain areas, remained unclear on Sunday night. Shoppers complained over the weekend about a lack of information, with many wanting to know how to cancel orders and whether they can get money back. Another customer, Rebecca, from North Wales, got a delivery of 120 Pepsi drinks on Sunday instead of her order. Tesco has faced previous hacks. In 2014 about 2,000 customer accounts were deactivated amid fears login details were compromised, and there was also a cyber-attack on the supermarket's bank arm. But the problem is becoming more common globally. Earlier this year, international meat manufacturer JBS had to shut down about 25% of its operation. And large swathes of US fuel supply were closed after a ransomware attack on Colonial Pipeline. Few sectors have escaped the attention of cyber-criminals, with airlines, banks, universities, local authorities, utilities and tech giants such as Microsoft all having faced attacks on their computer systems. Tesco spokesperson said: "There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe.
Solutions:
• Awareness Training (Mimecast) – Understanding the risks retail shops may face
• Consultancy Service (Contact Cyber team) – Establish Control over the security of stores
• Review and Monitor (Contact CSOC) – Continuous improvement
Iran blames foreign country for cyberattack on petrol station
Iran has said a foreign country was behind a cyberattack that paralysed its petrol distribution network on Tuesday. A group called itself Predatory Sparrow claimed it carried out the hack, but Iran's top internet policy-making body blamed an unnamed "state actor". The hackers also hijacked digital billboards on highways in the capital Tehran and elsewhere, making them display a message saying: "[Supreme Leader Ayatollah Ali] Khamenei, where is our fuel?". Only 5% of the country's 4,300 petrol stations had been reconnected by Wednesday morning, a spokeswoman for the National Iranian Oil Products Distribution Company (NIOPDC) told state media. However, almost 3,000 were able to sell fuel "offline" at the unsubsidised price. Most people depend on subsidised fuel in Iran, whose economy has been badly damaged by years of US sanctions, as well as government mismanagement and corruption. The president also claimed that "vigilance" by Iranian authorities had prevented the hackers from taking advantage of the situation. The attackers added that it had warned Iran's emergency services personnel in advance and had chosen not to exploit a vulnerability that would have caused "very long-term damage". The group also announced that it was behind a cyberattack on Iran's rail network in July, which caused message boards at stations to incorrectly show trains as delayed or canceled. The attack hit an intranet-based system that lets motorists buy subsidized fuel with government-issued smart cards, causing long queues at petrol stations.
Solutions:
• Vulnerability Scanning (CSOC)
• Data protection
• Ransomware protection
Hackers had a second go at Sepa during cyber attack
Hackers responsible for a cyber-attack on Scotland's environmental watchdog tried to sabotage efforts to fix the problem, a new report has revealed. The Scottish Environment Protection Agency (Sepa) had more than 4,000 digital files stolen in the incident. But it has also been revealed Sepa's cyber incident response plan was inaccessible during the incident. This was because the report - along with the watchdog's disaster recovery plan - was stored on the servers affected by the attack and there was no offline version or hard copy available, according to independent consultants Azets. Azets also found staff initially responded to the attack at about 00:01 on 24 December but attempts to escalate the problem to other Sepa officials were not successful until about 08:00. The hackers made attempts to "compromise Sepa systems as the team endeavoured to recover and restore back-ups", a separate review found, but a Police Scotland review said Sepa "was not and is not a poorly protected organisation". There were three copies of Sepa's data stored at two separate locations, with one copy stored offline. Sepa has restored most of its key services, such as flooding forecasting since the cyber-attack and is now building new IT systems to run them. The organisation had a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others. Sepa rejected a ransom demand for the attack, which was claimed by the Conti ransomware group, and the stolen files were then released on the internet.
Solutions:
• Backups (Contact Cyber Team)
• Ransomware Protection
• Web Protection and Email protection
Routing error caused network outage
South Korean telecom service provider KT Corp said a widespread outage on Monday was due to a "routing error" and not a cyber-attack as initially suspected. KT earlier said it suspected a distributed denial-of-service (DDoS) attack brought down the network, & police said they were investigating. "We initially assumed it was a DDoS (attack) due to traffic overload, but after close analysis, we determined the cause as a routing error”. Services were restored more than an hour after the outage began
Solutions:
• Review and Monitoring
• Cyber Consultancy
• DDoS prevention
Microsoft warns over uptick in password spraying attacks
Cyber attackers aren't just looking for software flaws, supply chain weakness, and open RDP connections. The other key asset hackers are after is identities, account details that will give them access to other internal systems. Microsoft observed an emerging Iranian hacking group using password spraying against Israeli & US critical infrastructure targets operating in the Persian Gulf. Microsoft estimates that more than a third of account compromises are password spraying attacks, even though such attacks have a 1% success rate, unless organisations use 'password protection' to avoid bad passwords. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password.
Two main password spray techniques:
- the first of which it calls 'low and slow'. Here, a determined attacker deploys a sophisticated password spray using "several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses."
- The other technique, 'availability and reuse', exploits previously compromised credentials that are posted and sold on the dark web. State-sponsored hackers and cyber criminals are going after identities with password spraying, a low-effort and high-value method for the attacker, says Microsoft's Detection and Response Team (DART).
Solutions:
• Consultancy (Malicious emails and password attacks)
• Multi Factor Authentication (MFA)
• Regular password updates and patching
Tesco's website and app are now up and running again, following a service outage that began on Saturday. The retail giant's services had crashed after what Tesco said were attempts "to interfere with our systems". The possible hack at Britain's biggest supermarket began with shoppers unable to order goods and track deliveries. Tesco initially said there was "an issue", but in a Sunday update said there had been deliberate disruption. The supermarket later confirmed on Twitter that its groceries website and app were back up and running, but it was temporarily using a "virtual waiting room" to manage the high volume of traffic. The scale of the problem, and whether the issue was nationwide or only in certain areas, remained unclear on Sunday night. Shoppers complained over the weekend about a lack of information, with many wanting to know how to cancel orders and whether they can get money back. Another customer, Rebecca, from North Wales, got a delivery of 120 Pepsi drinks on Sunday instead of her order. Tesco has faced previous hacks. In 2014 about 2,000 customer accounts were deactivated amid fears login details were compromised, and there was also a cyber-attack on the supermarket's bank arm. But the problem is becoming more common globally. Earlier this year, international meat manufacturer JBS had to shut down about 25% of its operation. And large swathes of US fuel supply were closed after a ransomware attack on Colonial Pipeline. Few sectors have escaped the attention of cyber-criminals, with airlines, banks, universities, local authorities, utilities and tech giants such as Microsoft all having faced attacks on their computer systems. Tesco spokesperson said: "There is no reason to believe that this issue impacts customer data and we continue to take ongoing action to make sure all data stays safe.
Solutions:
• Awareness Training (Mimecast) – Understanding the risks retail shops may face
• Consultancy Service (Contact Cyber team) – Establish Control over the security of stores
• Review and Monitor (Contact CSOC) – Continuous improvement
Iran blames foreign country for cyberattack on petrol station
Iran has said a foreign country was behind a cyberattack that paralysed its petrol distribution network on Tuesday. A group called itself Predatory Sparrow claimed it carried out the hack, but Iran's top internet policy-making body blamed an unnamed "state actor". The hackers also hijacked digital billboards on highways in the capital Tehran and elsewhere, making them display a message saying: "[Supreme Leader Ayatollah Ali] Khamenei, where is our fuel?". Only 5% of the country's 4,300 petrol stations had been reconnected by Wednesday morning, a spokeswoman for the National Iranian Oil Products Distribution Company (NIOPDC) told state media. However, almost 3,000 were able to sell fuel "offline" at the unsubsidised price. Most people depend on subsidised fuel in Iran, whose economy has been badly damaged by years of US sanctions, as well as government mismanagement and corruption. The president also claimed that "vigilance" by Iranian authorities had prevented the hackers from taking advantage of the situation. The attackers added that it had warned Iran's emergency services personnel in advance and had chosen not to exploit a vulnerability that would have caused "very long-term damage". The group also announced that it was behind a cyberattack on Iran's rail network in July, which caused message boards at stations to incorrectly show trains as delayed or canceled. The attack hit an intranet-based system that lets motorists buy subsidized fuel with government-issued smart cards, causing long queues at petrol stations.
Solutions:
• Vulnerability Scanning (CSOC)
• Data protection
• Ransomware protection
Hackers had a second go at Sepa during cyber attack
Hackers responsible for a cyber-attack on Scotland's environmental watchdog tried to sabotage efforts to fix the problem, a new report has revealed. The Scottish Environment Protection Agency (Sepa) had more than 4,000 digital files stolen in the incident. But it has also been revealed Sepa's cyber incident response plan was inaccessible during the incident. This was because the report - along with the watchdog's disaster recovery plan - was stored on the servers affected by the attack and there was no offline version or hard copy available, according to independent consultants Azets. Azets also found staff initially responded to the attack at about 00:01 on 24 December but attempts to escalate the problem to other Sepa officials were not successful until about 08:00. The hackers made attempts to "compromise Sepa systems as the team endeavoured to recover and restore back-ups", a separate review found, but a Police Scotland review said Sepa "was not and is not a poorly protected organisation". There were three copies of Sepa's data stored at two separate locations, with one copy stored offline. Sepa has restored most of its key services, such as flooding forecasting since the cyber-attack and is now building new IT systems to run them. The organisation had a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others. Sepa rejected a ransom demand for the attack, which was claimed by the Conti ransomware group, and the stolen files were then released on the internet.
Solutions:
• Backups (Contact Cyber Team)
• Ransomware Protection
• Web Protection and Email protection
Routing error caused network outage
South Korean telecom service provider KT Corp said a widespread outage on Monday was due to a "routing error" and not a cyber-attack as initially suspected. KT earlier said it suspected a distributed denial-of-service (DDoS) attack brought down the network, & police said they were investigating. "We initially assumed it was a DDoS (attack) due to traffic overload, but after close analysis, we determined the cause as a routing error”. Services were restored more than an hour after the outage began
Solutions:
• Review and Monitoring
• Cyber Consultancy
• DDoS prevention
Microsoft warns over uptick in password spraying attacks
Cyber attackers aren't just looking for software flaws, supply chain weakness, and open RDP connections. The other key asset hackers are after is identities, account details that will give them access to other internal systems. Microsoft observed an emerging Iranian hacking group using password spraying against Israeli & US critical infrastructure targets operating in the Persian Gulf. Microsoft estimates that more than a third of account compromises are password spraying attacks, even though such attacks have a 1% success rate, unless organisations use 'password protection' to avoid bad passwords. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password.
Two main password spray techniques:
- the first of which it calls 'low and slow'. Here, a determined attacker deploys a sophisticated password spray using "several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses."
- The other technique, 'availability and reuse', exploits previously compromised credentials that are posted and sold on the dark web. State-sponsored hackers and cyber criminals are going after identities with password spraying, a low-effort and high-value method for the attacker, says Microsoft's Detection and Response Team (DART).
Solutions:
• Consultancy (Malicious emails and password attacks)
• Multi Factor Authentication (MFA)
• Regular password updates and patching