More stories

    'Serious cyberattack' hits London council

    Hackney Council in north London says it has been the target of a serious cyberattack, which is affecting many of its services and IT systems.
The council said it is working closely with the National Cyber Security Centre, external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the incident. It’s unclear exactly what form the cyberattack has taken or when it took place. “This investigation is at an early stage, and limited information is currently available. We will continue to provide updates as our investigation progresses,” said Philip Glanville, Mayor of Hackney.

    He said the current focus was on continuing to deliver essential frontline services, especially to the most vulnerable residents, “and protecting data, while restoring affected services as soon as possible.” However, he said that in the meantime, some council services may be unavailable or slower than normal, and that the council’s call centre was extremely busy.
    “We ask that residents and businesses only contact us if absolutely necessary, and to bear with us while we seek to resolve these issues.”
    A note on the Hackney Council website said: “Due to technical problems, you may experience difficulty accessing online services, such as One Account and payments today. We’re trying to fix this ASAP.” Attempts to reach the One Account log-in are met with the message: “The system you are attempting to access is undergoing scheduled maintenance and should be back soon.”
    An NCSC spokesperson said: “We are aware of an incident affecting Hackney Borough Council. The NCSC is supporting the organisation and working with partners to understand the impact of this incident.”

    Singapore tightens security requirements for new home routers

    Come April 13 next year, home routers will have to meet new security requirements before they can be put up for sale in Singapore. These include unique login credentials and default automatic downloads of security patches. 
    The new mandate is aimed at improving the security of these devices, which are popular targets amongst malicious hackers who are looking to breach home networks, according to industry regulator Infocomm Media Development Authority (IMDA). Stipulated as being part of the country’s Technical Specifications for Residential Gateways, the enhanced security requirements were finalised following an earlier consultation exercise that sought feedback from the public and industry. 
    While these mandates are set to come into effect from 13 April 2021, home routers previously approved by IMDA will be allowed to remain on sale until October 12 next year.

    Users of existing home routers will not need to change their current routers, but they are encouraged to purchase devices that are compliant with IMDA’s cybersecurity requirements for their next upgrade or replacement. Users should also regularly update their device firmware, the agency said. 
    “Home routers are often the first entry point for cyber attacks targeting the public, as they form the key bridge between the internet and residents’ home networks,” IMDA said in a statement Monday. “[The] minimum security requirements for home routers [will] provide a safer and more secure internet experience for users, and strengthen the resilience of Singapore’s telecommunications networks.”
    The agency added that the move comes amid continued adoption of networked intelligent devices in homes, such as web cameras and baby monitors, which has given rise to a higher risk of cyber attacks targeting such devices. It noted that Japan imposed similar requirements in April and the UK recently began to evaluate such requirements.
    In Singapore, the enhanced security requirements include randomised and unique login credentials for each device, minimum password strength, disabling system services and interfaces that are deemed to be vulnerable, default automatic downloads of firmware updates for security patches, secure authentication of access to the device’s management interface, and validation of data inputs to the device to safeguard against remote hacking.
    Wi-Fi home routers that comply with IMDA’s specifications would also meet Level 1 of the Cybersecurity Labelling Scheme, which was recently introduced by the Cyber Security Agency of Singapore. Home routers, as well as smart home hubs, that are assessed to be secure and compliant will bear these labels.
    The labelling initiative is voluntary and comprises four levels of rating based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. The scheme aims to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost. 
    Level one, for instance, indicates that a product meets basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.
    Singapore is hoping to rope in other Asean nations to recognise the Cybersecurity Labelling Scheme. 
    Last week, Singapore unveiled its latest cybersecurity blueprint which focuses on digital infrastructures and cyber activities. The city-state also announced plans to set up a panel comprising global experts to offer advice on safeguarding its operational technology systems.

    Malware gangs love open source offensive hacking tools

    In the cyber-security field, the term OST refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license.

    OST projects are usually released to provide a proof-of-concept exploit for a new vulnerability, to demonstrate a new (or old) hacking technique, or as penetration testing utilities shared with the community.
    Today, OST is one of the most (if not the most) controversial topics in the information security (infosec) community.
    On one side are those in favour of releasing such tools, arguing that they help defenders learn and prepare systems and networks for future attacks.
    On the opposing side are those who say OST projects help attackers cut the cost of developing their own tools and hide their activity in a cloud of tests and legitimate pen-tests.
    An interactive map for OST usage
    These discussions have been taking place for more than a decade. However, they have always been based on personal experiences and convictions, and never on actual raw data.
    This is what Paul Litvak, a security researcher for cyber-security firm Intezer Labs, has tried to address earlier this month, in a talk at the Virus Bulletin security conference.
    Litvak compiled data on 129 open source offensive hacking tools and searched through malware samples and cyber-security reports to discover how widespread the adoption of OST projects was among hacking groups, from low-level malware gangs to elite financial crime groups and nation-state sponsored APTs.
    The results were compiled in this interactive map.
    The most popular OSTs
    Litvak found that OSTs are broadly adopted across the entire cybercrime ecosystem. From famous nation-state groups like DarkHotel to cybercrime operations like TrickBot, many groups deployed tools or libraries that had been initially developed by security researchers but are now regularly used for cybercrime.
    “We found [that] the most commonly adopted projects were memory injection libraries and RAT tools,” Litvak said.
    “The most popular memory injection tool was the ReflectiveDllInjection library, followed by the MemoryModule library. For RATs [remote access tools], Empire, Powersploit and Quasar were the leading projects.”
    The lateral movement category was dominated by Mimikatz — to nobody’s surprise.
    UAC bypass libraries were dominated by the UACME library. However, Asian hacking groups appeared to have preferred Win7Elevate, most likely due to Windows 7’s larger regional installbase.
    The only OST projects that weren’t popular were those implementing credential-stealing features.
    Litvak believed they were not popular because of similar tools provided by black-hats on underground hacking forums, tools that come with superior features, which malware gangs chose to adopt instead of offensive tools provided by the infosec community.
    Ways to mitigate broad OST abuse
    But Litvak made an even more interesting observation: OST tools that implemented complex features, requiring a deeper level of understanding to use, were also rarely employed by attackers, even when their offensive hacking capabilities were obvious.
    Based on this observation, Litvak argues that security researchers who release offensive hacking tools in the future should take the same approach and introduce complexity into their code, to dissuade threat actors from adopting their toolsets.
    If this isn’t possible, Litvak argued that security researchers should at least make their code unique by “sprinkl[ing] the library with special or irregular values” in order to allow easy fingerprinting and detection.
    “For example, such an approach was adopted by the author of Mimikatz, where a generated ticket’s lifetime is left to 10 years by default – a highly irregular number,” Litvak said.
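The fingerprinting idea above is worth seeing from the defender's side. The following is an added example, not code from Litvak's talk or from the Mimikatz project: a small Python parser for the output of the Windows `klist` command that flags cached Kerberos tickets whose validity exceeds the Kerberos policy defaults (a maximum ticket lifetime of 10 hours and a maximum renewal lifetime of 7 days). The `klist` text below is constructed for the example; the second ticket carries the 10-year lifetime the article attributes to Mimikatz's defaults, and it is the irregular value that gives it away.

```python
import re
from datetime import datetime, timedelta

# Defaults from the Windows Default Domain Policy (Kerberos policy):
# maximum ticket lifetime 10 hours, maximum renewal lifetime 7 days.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEWAL_LIFETIME = timedelta(days=7)

# Constructed sample in the shape of `klist` output (not captured from a real host).
# Ticket #0 is ordinary; ticket #1 carries the 10-year lifetime Mimikatz uses by default.
SAMPLE_KLIST = """
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/13/2020 9:00:00 (local)
        End Time:   10/13/2020 19:00:00 (local)
        Renew Time: 10/20/2020 9:00:00 (local)

#1>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 10/13/2020 9:00:00 (local)
        End Time:   10/11/2030 9:00:00 (local)
        Renew Time: 10/11/2030 9:00:00 (local)
"""

TIME_RE = re.compile(
    r"^\s*(Start|End|Renew) Time:\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})", re.M)
CLIENT_RE = re.compile(r"^\s*Client:\s*(.+?)\s*$", re.M)
SERVER_RE = re.compile(r"^\s*Server:\s*(.+?)\s*$", re.M)


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    for chunk in re.split(r"(?m)^#\d+>", text):
        if "Server:" not in chunk:
            continue  # header text before the first ticket
        times = {k: datetime.strptime(v, "%m/%d/%Y %H:%M:%S")
                 for k, v in TIME_RE.findall(chunk)}
        tickets.append({
            "client": CLIENT_RE.search(chunk).group(1),
            "server": SERVER_RE.search(chunk).group(1),
            "start": times["Start"],
            "end": times["End"],
            "renew": times["Renew"],
        })
    return tickets


def irregular_tickets(tickets, max_life=MAX_TICKET_LIFETIME,
                      max_renew=MAX_RENEWAL_LIFETIME):
    """Return (client, server, reasons) for every ticket whose validity exceeds policy."""
    flagged = []
    for t in tickets:
        life = t["end"] - t["start"]
        renew = t["renew"] - t["start"]
        reasons = []
        if life > max_life:
            reasons.append(f"lifetime {life} exceeds policy maximum {max_life}")
        if renew > max_renew:
            reasons.append(f"renewal window {renew} exceeds policy maximum {max_renew}")
        if reasons:
            flagged.append((t["client"], t["server"], reasons))
    return flagged


if __name__ == "__main__":
    for client, server, reasons in irregular_tickets(parse_klist(SAMPLE_KLIST)):
        print(f"{client} -> {server}")
        for reason in reasons:
            print("   ", reason)
```

The thresholds are parameters because a domain may have raised or lowered the policy values; the point is that a forged ticket's lifetime is chosen by the tool, not by the KDC, so any ticket outside the domain's own policy is worth a look.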

    Amazon's Alexa is driving IT managers crazy

    They’re hooking these things up to the company network? Quite bonkers.
    Tech companies like to believe they’re inherently fascinating.

    Everything they do carries with it a large portent of the future.
    They perform research to back up their case, often coupled with a dramatic headline. 
    This is a sample that just crossed my eyes. I mean, literally crossed my eyes: “IoT, Authentication and Cloud Services Drive Staggering Increase in PKI adoption and in Certificate Volume.” 
    Naturally, I was staggered. So much so that I looked further. There were many numbers and many words, densely packed together.
    I needed to concentrate. For this was the annual Global PKI and IoT Trends Study, performed by the Ponemon Institute on behalf of security company nCipher, which is now owned by Entrust. Which will surely soon be bought by a company called Enlighten, Enhance or, I don’t know, Enematronics.
    Last year, I perused this study and offered the thought that IT and security professionals believe regular employees are just the worst.
    Well, here we are again and things don’t seem to have got much better. More than 6,000 IT and security professionals were interviewed for this study and I detected that the understandably dry presentation concealed their rabid need to ululate in public and retrain as fire-eaters.
    I also detected a touch of hypocrisy in at least one element of their beings.
    I therefore asked John Grimm, Entrust’s vice president strategy for digital solutions, whether my suspicions had validity.
    This study seems to reveal that IT people are being driven demented by the fact that they have no idea what sort of Internet of Things devices are being connected to their corporate networks.
    What sort of employee does that? (My suspicions fall upon the people in sales and, well, senior executives who think they can do anything.)
    Grimm explained: “This is often consumer devices that the user is using for convenience. An Alexa for verbal commands, a smartwatch for email on the go, a connected coffee pot to have coffee ready for the first worker in.”
    How painfully modern to think that employees need Amazon’s Alexa to function at work. And a connected coffee pot? Is it too much trouble to make your own nut-milk latte when you get there? It seems not.
    “The danger is that these devices aren’t typically secured by design,” Grimm told me. “They can basically be like an open door or window to the network that an attacker uses as a means to get on the network and look for more valuable resources — intellectual property, personal information, and more.”
    Essentially, then, corporate IT departments are now making it a priority to find devices that careless or halfwitted employees have hooked up so that they can have an easy morning.
    “Once IT teams prioritize discovery and employ tools to scan the network for such devices, they can decide whether to allow them to remain, blacklist them, or add security agents to them before allowing ongoing connectivity,” Grimm told me.
    At this point, I felt deep sympathy with the IT community, as they desperately try to keep corporations away from another embarrassing headline.
    But then I noticed another oddity, one that was equally disturbing.
    It seems that these IT professionals put securing delivery of patches and updates to IoT devices as their lowest priority. This despite the fact that they ranked altering the function of a device (say, by loading malware) as the biggest thing to fear.
    I sensed Grimm might find this somewhat frustrating. Or even a touch hypocritical.
    “It’s like replacing the tires on your car when the brakes aren’t working,” he told me. I thought I detected the rolling of eyeballs and the gritting of teeth.
    I see swathes of hope in all this.
    Employees remain perfectly human, failing to anticipate the most dramatic issues because they’re enthralled by the mundane things technology can do for them. (And goodness do they whine when the network is suddenly down for urgent maintenance.)
    IT and security professionals are also perfectly human. They might seem like automatons, but they’re just as willfully inconsistent and maddeningly myopic as everyone else.

    Here's how many Americans still secretly use their ex's passwords

    In our tech-first world, is full digital transparency between couples actually required in a relationship? And how dangerous could our oversharing be?
    If you are in a relationship, but are not married, do you share your passwords with your significant other? It seems that most Americans do.

    A recent survey by British Virgin Islands-based VPN service provider ExpressVPN asked 1,506 American adults in an exclusive (non-married) relationship to find out their password sharing habits across social media platforms.
    The survey showed that couples share a variety of passwords with each other, and they most commonly share within the first six months of dating.
    The most commonly shared passwords between couples are for video streaming (78%), mobile devices (64%), and music streaming (58%). Almost half (47%) of Americans in a relationship share social media passwords and 38% share their personal email passwords.
    Most services, apart from social media and mobile device accounts (which are shared most with family), are more commonly shared with a significant other than family or friends.
    Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).
    Among those sharing video streaming services, Netflix (86%), Hulu (57%), and Amazon Prime Video (52%) are shared most with a significant other.
    Millennials and Generation Z are also more likely to share passwords with their significant others across all platforms, as compared to older folks.
    Among people who do not share passwords with anyone, the most common objection is that the same username and password combination is often used for additional accounts.
    Overall, respondents are most concerned about personal data privacy in regard to sharing login information for mobile wallets (72%), personal email (68%) and social media accounts (68%).
    Over one in four (26%) confess they have shared someone else’s login information for a video streaming account without their consent. Almost one in three (30%) say they have had their own login information used without their consent.
    Among respondents, men are more guilty than women of still secretly using an ex’s login information post-breakup.
    Over one in four (26%) currently use their ex’s game streaming services account and online news subscriptions (26%). A quarter (25%) access their ex’s photo sharing program, and food/grocery delivery sites.
    Almost one in four (23%) currently access social media accounts, mobile wallets, music, and video streaming services and one in five access their ex’s personal email accounts.
    One in four (25%) respondents confess to currently tracking an ex’s real-time location, and 30% confess to secretly logging in to an ex’s social media account at least once, with 23% admitting they still do so.
    It is not surprising that over one in three (36%) of respondents indicate regret in sharing passwords with a significant other, either during the relationship or after a breakup—with men feeling more regretful than women (40% vs. 32%).
    Harold Li, vice president, ExpressVPN said: “Unfortunately, password sharing can lead to risks beyond cybersecurity and potentially be used as a tool of coercive control or abuse in relationships.”
    Swapping passwords is a 21st-century rite of passage in a relationship but it seems to be a slippery slope to digital mistrust and could pose a serious threat to personal privacy and cybersecurity.

    Bitcoin wallet update trick has netted criminals more than $22 million

    A simple technique has helped cybercrime gangs steal more than $22 million in user funds from users of the Electrum wallet app, a ZDNet investigation has discovered.
    This particular technique was first seen in December 2018. Since then, the attack pattern has been reused in multiple campaigns over the past two years.
    ZDNet has tracked down multiple Bitcoin accounts where criminals have gathered stolen funds from attacks they carried out over the course of 2019 and 2020, with some attacks taking place as recently as last month, in September 2020.
    Reports from victims submitted to Bitcoin abuse portals reveal the same story.
    Users of the Electrum Bitcoin wallet app received an unexpected update request via a popup message, they updated their wallet, and funds were immediately stolen and sent to an attacker’s Bitcoin account.

    Looking at how cybercriminals are stealing funds, this technique works because of the inner workings of the Electrum wallet app and its backend infrastructure.
    To process any transactions, Electrum wallets are designed to connect to the Bitcoin blockchain through a network of Electrum servers — known as ElectrumX.

    Image: Peter Kacherginsky
    However, while some wallet applications control who can manage these servers, things are different in Electrum’s open ecosystem, where everyone can set up an ElectrumX gateway server.
    Since 2018, cybercrime gangs have been abusing this loophole to spin up malicious servers and wait for users to randomly connect to their systems.
    When this happens, the attackers have the server show a popup on the user’s screen instructing them to visit a URL and download and install an Electrum wallet update.

    Image: SoberNight

    Image: Peter Kacherginsky
    Usually, this update download link is not for the official Electrum website, located at electrum.org, but to lookalike domains or GitHub repositories.
    If users don’t check the URL, they end up installing a malicious version of the Electrum wallet, which asks for a one-time passcode (OTP) the next time it is opened.
    Normally, these codes are only requested before sending funds, not at the wallet’s startup. If users enter the requested code, and most do, believing they are using the official wallet, they effectively authorise the malicious wallet to transfer all of their funds to an attacker’s account.
    Since December 2018, users have reported around ten Bitcoin accounts being used in what’s currently known as the “fake Electrum update scam.”
    These wallets currently hold 1,980 bitcoin, roughly just over $22 million at current prices. Adding the 202 bitcoin stolen in our original December 2018 report brings the total to more than $24.6 million stolen with one simple technique.
    However, it must be said that a large chunk of these funds appear to have been stolen in one single incident in August, when a user reported losing 1,400 bitcoin (~$15.8 million) after updating an Electrum wallet.
    Since this technique was first seen in late 2018, the Electrum team has taken several steps to mitigate this attack.
    They first implemented a server blacklisting system on ElectrumX servers to block malicious additions to the network, and they also shipped an update preventing servers from showing HTML-formatted popups to end users.
    Nevertheless, a malicious server usually slips through the cracks here and there, and the attack still works very well for Bitcoin users still using older versions of the Electrum wallet app to manage funds.
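The two client-side defences the story describes, refusing to render server-supplied text as HTML and distrusting download links that do not point at electrum.org, can be shown in a few lines. The following is an added example and not Electrum's own code: it assumes a JSON-RPC error reply of the kind an Electrum-protocol server returns when a transaction broadcast fails, escapes the message so a rich-text widget would display any markup literally, and flags replies that contain tags or links to hosts other than electrum.org. The replies are constructed for the example, and `electrum-wallet.example` is a stand-in for a lookalike domain.

```python
import html
import json
import re
from urllib.parse import urlparse

OFFICIAL_HOST = "electrum.org"  # the only download site named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TAG_RE = re.compile(r"<[^>]+>")

# Constructed server replies in the JSON-RPC shape the Electrum protocol uses
# (not captured from a real server). The first mimics the fake-update prompt.
MALICIOUS_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 7,
    "error": {"code": 1, "message": (
        "<b>Your Electrum wallet is out of date.</b><br>"
        "Install the security update from https://electrum-wallet.example/update "
        "before sending funds.")},
})
BENIGN_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 8,
    "error": {"code": 1, "message": "the transaction was rejected by network rules. (dust)"},
})
SUCCESS_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 9, "result": "f0a1c3...txid"})


def is_official_host(url):
    """True only for electrum.org itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)


def render_server_message(raw):
    """Server text is untrusted: escape it so a rich-text widget shows markup literally."""
    return html.escape(raw, quote=True)


def assess_broadcast_reply(reply_json):
    """Inspect a broadcast reply; flag error text carrying markup or off-site links."""
    reply = json.loads(reply_json)
    err = reply.get("error")
    if err is None:
        return {"message": None, "urls": [], "suspicious": False, "reasons": []}
    raw = err.get("message", "") if isinstance(err, dict) else str(err)
    urls = URL_RE.findall(raw)
    reasons = []
    if TAG_RE.search(raw):
        reasons.append("error message contains HTML markup")
    for url in urls:
        if not is_official_host(url):
            reasons.append(f"link points off-site: {urlparse(url).hostname}")
    return {
        "message": render_server_message(raw),
        "urls": urls,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, reply in [("malicious", MALICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)]:
        verdict = assess_broadcast_reply(reply)
        print(name, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
        print("  shown to user:", verdict["message"])
```

Escaping rather than stripping is deliberate: the user still sees exactly what the server sent, including the markup, which is itself a signal that the server is not behaving normally. A wallet that needs an update should learn that from its own release channel, never from a peer it happened to connect to.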

    Ransomware operators now outsource network access exploits to speed up attacks

    Ransomware operators are now turning to network access sellers in their droves to cut out a difficult step in the infection process. 

    On Monday, Accenture’s Cyber Threat Intelligence (CTI) team released new research on emerging cybersecurity trends, including an investigation into the nature of relationships between ransomware operators and exploit sellers. 
    According to Accenture senior security analysts Thomas Willkan and Paul Mansfield, buying network access points and already compromised ways to infiltrate a target system are rising in popularity, including the purchase of stolen credentials and vulnerabilities. 
    During attacks, ransomware operators must first find an entry point into a network. Compromised employee accounts, misconfigurations in public-facing systems, and vulnerable endpoints may all be used to deploy this particular family of malicious code, leading to the encryption of files, disks, and a demand for payment in return for a decryption key. 
    It is hard to estimate how many successful ransomware attacks have taken place this year. Europol believes that these specific attacks often go unreported, with only major incidents — such as the recent death of a woman in need of urgent care who was forced to divert from Duesseldorf hospital due to a ransomware infection — becoming public knowledge. 
    Ransom demands these days can reach six-figure sums, or more, depending on the target and its estimated worth. Now, ransomware groups are seeking to cut out the initial access stage of an attack, speeding up the process and potentially the flow of illicit revenue.
    Network access sellers typically exploit an initial vulnerability to gain a foothold and then sell that access on underground forums for anywhere between $300 and $10,000. 
    The majority of network access offerings in the underground will include the target by industry and the type of access, ranging from Citrix to Remote Desktop Protocol (RDP), and may also document the number of machines detected on the network. 
    “Since the start of 2020 and the emergence of the now-popular “ransomware with data theft and extortion” tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise,” the researchers say. “A successful ransomware attack hinges on the development and maintenance of stable network access which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups.”
    As of September this year, Accenture has tracked over 25 persistent network access sellers — alongside the occasional one-off — and more are entering the market on a “weekly basis.” 
    Many of the sellers are active on the same underground forums haunted by ransomware groups including Maze, NetWalker, Sodinokibi, Lockbit, and Avaddon. 
    Sellers have now begun touting their offerings in single forum threads, rather than separate posts, and RDP remains a popular option for network access. In an interesting twist, rather than sell off a zero-day vulnerability to one buyer, some traders are using these unpatched bugs to exploit numerous corporate networks and sell access to threat actors in separate bundles to generate additional revenue. 
    Citrix and Pulse Secure VPN clients are also being mentioned in adverts. 
    “Network access sellers are taking advantage of remote working tools as more of the workforce works from home as a result of the COVID-19 pandemic,” Accenture says. “This symbiotic relationship [sellers and cyberattackers] facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.”


    Ransomware is growing: Here are four ways attackers are getting into your systems

    The impact of ransomware continues to grow. According to data from global investigations firm Kroll, ransomware was the most common security issue it had been called in to deal with in 2020, with ransomware attacks accounting for over one-third of all cases up to September.
    And here’s how attackers are getting in: in nearly half (47%) of the ransomware cases Kroll has investigated, gangs used exposed Remote Desktop Protocol (RDP), a tool many companies have turned to so that staff can work from home, but which can also give attackers a way in if it is not correctly secured. 
    More than a quarter (26%) of cases were traced back to a phishing email, and a smaller number (17%) exploited particular vulnerabilities, including, but not limited to, Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510. Account takeovers followed at 10%. 
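Both of the vulnerabilities named above were exploited through directory traversal in the appliance's web interface, which means their exploitation leaves a recognisable trace in ordinary access logs. The following is an added example, not Kroll's or any vendor's tooling: a Python scanner that parses Common Log Format lines, percent-decodes each request path (so `%2e%2e` is treated as `..`), and matches the publicly documented traversal patterns for CVE-2019-19781 (`/vpn/../vpns/` reaching `cfg/smb.conf` or `portal/scripts/newbm.pl`) and CVE-2019-11510 (traversal out of `/dana-na/` or `/dana/html5acc/guacamole/`). The log lines are constructed for the example; the IP addresses are from documentation ranges.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Public exploitation patterns for the two CVEs. Matching is done on the
# percent-decoded path, so encoded traversal (%2e%2e) is caught as well.
SIGNATURES = {
    "CVE-2019-19781": re.compile(
        r"\.\./vpns/|/vpns/(?:cfg/smb\.conf|portal/scripts/newbm\.pl)"),
    "CVE-2019-11510": re.compile(
        r"/dana-na/\.\./|/dana/html5acc/guacamole/\.\./"),
}

# Constructed log lines (not from a real appliance). Lines 1 and 4 are ordinary
# traffic; lines 2 and 3 are Citrix traversal (the second percent-encoded);
# line 5 is the Pulse Secure arbitrary file read.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2020:09:01:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.9 - - [13/Oct/2020:09:01:40 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.9 - - [13/Oct/2020:09:01:41 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.4 - - [13/Oct/2020:09:02:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048
198.51.100.5 - - [13/Oct/2020:09:02:10 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1410
"""


def fully_decode(path, rounds=3):
    """Percent-decode until the path stops changing (attackers sometimes double-encode)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_log(lines):
    """Return (cve, source_ip, method, decoded_path) for each request matching a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, _timestamp, method, path, _status = m.groups()
        decoded = fully_decode(path)
        for cve, signature in SIGNATURES.items():
            if signature.search(decoded):
                hits.append((cve, ip, method, decoded))
    return hits


if __name__ == "__main__":
    for cve, ip, method, path in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{cve}  {ip}  {method} {path}")
```

A hit with a 200 status, as in the constructed lines, means the appliance served the request; a run of 403s or 404s from the same source is scanning rather than compromise, but both are worth correlating with the patch date of the device.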

    How are ransomware gangs getting into organisations?
    Image: Kroll
    Kroll said it had seen three sectors struck especially hard this year: professional services, healthcare, and technology and telecoms. That’s in contrast to recent data from IBM, which suggested that manufacturing, the professional services sector and government were the most likely to be hit.
    Ryuk, Sodinokibi and Maze were the top three ransomware variants causing problems in 2020, according to Kroll, comprising 35% of all cyber-attacks. Ransomware tends to cycle through periods of activity before going quiet again while the developers work to upgrade it; in line with this, Kroll said it had recently seen a resurgence in Ryuk attacks.
    Many ransomware variants now steal copies of corporate data and threaten to publish it, typically exfiltrating between 100GB and 1TB of proprietary or sensitive data to maximise the pressure to pay the ransom. Kroll said 42% of its cases with a known ransomware variant were connected to a ransomware group actively exfiltrating and publishing victim data. 
    In some cases, ransomware gangs have been reneging on promises to delete data after the first ransom is paid and demanding a second payment, it warned. Gangs can also up the pressure in different ways: Maze claims that credentials harvested from non-paying victims will be used for attacks against the victims’ partners and clients, while one of Kroll’s healthcare clients found that the gang had sent emails directly to their patients threatening to expose their personal health data.
    Beyond ransomware, Kroll said business email compromise (BEC) remained a top threat for organisations and was involved in 32% of cases, followed by unauthorised access to systems.
    Devon Ackerman, head of incident response at Kroll North America, said: “We have seen a predictable surge in cyber-attacks so far in 2020 as the COVID-19 pandemic has given malign actors increased opportunities to cause havoc. The ongoing evolution of ransomware creators is constantly shifting the goalposts for those trying to defend data and systems, so vigilance must remain at the top of CIOs’ to-do list.”
    Making it harder for ransomware gangs to gain that initial access is probably the best way of protecting your organisation from attack, which means ensuring that essential security steps are taken. This includes blocking any unnecessary RDP access, securing all remote access with strong two-factor authentication, ensuring that all software is patched and up to date, as well as ensuring that staff are trained to spot phishing emails. 
    Having up-to-date backups that are not connected to the corporate network is also recommended.