UK Government Laptop Losses Increase by 400% - Comment

The UK’s Ministry of Justice (MoJ) has seen laptop losses soar by 400% over the past three years, according to new Freedom of Information (FOI) data.

The combined figure for laptops, PCs, mobile phones and tablets saw a 55% increase in losses from 2017/18 to last year, when they reached 354 in total.

The Department for Education (DfE) reported 91 devices lost or stolen in 2019, whilst NHS Digital has lost 35 to date in 2019.

A separate FOI report from MobileIron earlier this year revealed that 508 mobiles and laptops were lost or stolen from eight government departments between January 2018 and April 2019.

The full story can be found here:

Saryu Nayyar, CEO of Gurucul, comments:

“Unfortunately, lost or stolen devices are problems that any large organisation will face. Endpoints such as laptops boost user productivity, but they are also commonly used as an entry point into an organisation during a cyberattack. When a laptop goes missing, so does the sensitive information which exists in its files, which could lead to a data breach if the device falls into the wrong hands.

The best way to reduce your exposure to such risks is by proactively planning for just such an incident. That means establishing an incident response plan to follow in the event a laptop is stolen.  

But it also means having the right cybersecurity solutions in place. For example, behaviour-based security analytics technology can identify unusual user or device behaviour that could be indicative of a cyberattack or insider threat so that IT can intervene before a data breach occurs.”



Amazon’s Blink Smart Security Cameras Open to Hijack - Comment

It has been reported that Amazon’s Blink security cameras are open to hijack. The flaws could enable attackers without access to the devices to view camera footage, listen to audio output and hijack the device for use in a botnet, Tenable researchers disclosed on Tuesday. Amazon has been notified of the flaws and is rolling out patches. Overall, seven CVEs were disclosed in Blink. The most serious vulnerability is a command injection flaw stemming from the sync module update (CVE-2019-3984), which exists in Blink’s cloud communication endpoints for providing updates to devices or obtaining network information.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “The Internet of Things (IoT) continues to be a fertile breeding ground for network vulnerabilities. IoT devices are a perfect storm in terms of cybersecurity, as manufacturers are typically trying to achieve maximum functionality with the absolute minimum time and investment.

One way to save money (in the short term!) and get products to market fast is to skimp on security, both in the product design phase as well as implementation and testing. Another way is to make heavy use of open source components, which can have their own vulnerabilities that get exposed in your product.

In the long term, of course, neglecting security during product development always ends in tears–or in this case, bad headlines. The long term consequences of ignoring security will always outweigh the short term gains. Savvy manufacturers use a Secure Development Life Cycle (SDLC) to minimise their risk when creating software products.”




Undervolting allows attacks on Intel’s secure enclaves

Researchers at the University of Birmingham have identified a weakness in Intel’s processors: by undervolting the CPU, Intel’s secure enclave technology becomes vulnerable to attack.

Modern processors are being pushed to perform faster than ever before – and with this comes increases in heat and power consumption. To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed – known as ‘undervolting’ or ‘overvolting’. This is done through privileged software interfaces, such as a “model-specific register” in Intel Core processors.

An international team of researchers from the University of Birmingham’s School of Computer Science along with researchers from imec-DistriNet (KU Leuven) and Graz University of Technology have been investigating how these interfaces can be exploited in Intel Core processors to undermine the system’s security in a project called Plundervolt.

New results, released today and accepted to IEEE Security & Privacy 2020, show how the team was able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations – a method used to shield sensitive computations for example from malware. This means that even Intel SGX’s memory encryption and authentication technology cannot protect against Plundervolt.

Intel have already responded to the security threat by supplying a microcode update to mitigate Plundervolt.

David Oswald, Senior Lecturer in Computer Security at the University of Birmingham, says: “To our knowledge, the weakness we’ve uncovered will only affect the security of SGX enclaves. Intel responded swiftly to the threat and users can protect their SGX enclaves by downloading Intel’s update.”

The work was funded by the Engineering and Physical Sciences Research Council (EPSRC) and by the European Union’s Horizon 2020 research and innovation programme.



Digital forensics firm targets new markets after £1.3m funding round

Cyan Forensics – the Edinburgh-based start-up whose technology helps police investigators to find evidence faster – has secured a further £1.3m from a consortium of investors.

The funding, which has come from Triple Point Investment Management, Mercia,  SIS Ventures, the Scottish Investment Bank and private investors, will support the company’s expansion and allow it to target new markets in Northern Europe. It follows its recent contract with the UK’s Home Office, which will see the technology being used by the Child Abuse Image Database (CAID) and rolled out to police forces nationally.

Cyan Forensics’ digital analysis tool can find terrorist handbooks or child sexual abuse material on devices within minutes, minimising forensic analysts’ time and allowing police to make decisions quickly and confidently. It can also help social media companies and cloud providers to find and block harmful content.

The company has recently signed a partnership with the National Centre for Missing and Exploited Children in the US and been named as a winner of the prestigious PitchGovTech competition at the GovTech Summit in Paris.

A spin-out from Edinburgh Napier University, Cyan Forensics was founded in 2016 by Bruce Ramsay, a former police forensic analyst and now the company’s CTO, and Ian Stevenson, the CEO. Mercia backed the company from its inception, and has worked with the team to attract other investors. The latest funding round brings the total raised so far to £2.8m.

Ian Stevenson, CEO of Cyan Forensics, said: “We’re excited to have raised the funds which will now allow Cyan Forensics to deliver the next stage in our significant growth plan. We’re grateful to our existing investors for their continued confidence and support, and delighted to welcome the new investors joining us on this journey. A key focus will be expanding our reach within the UK as a result of our partnership with the Home Office and into international markets.”

Marcus Henderson, Investment Director with Mercia, said: “Cyan Forensics’ technology addresses some of the major challenges facing police and society – such as how to detect terrorist activity and child sexual abuse and prevent the spread of harmful content in the age of social media and the internet. The company has already achieved some major milestones and this investment will help it scale up its operations.”

Rob Halliday, Fund Manager with SIS Ventures, said: “Cyan Forensics’ mission is to deliver scalable technology to help law enforcement, social media and cloud companies detect, block and restrict distribution of harmful digital content and protect vulnerable groups. The business is extraordinarily well positioned for significant growth and impact creation over the next 18 months and SIS Ventures is looking forward to sharing and supporting that journey.”

Ian McLennan, Partner with Triple Point Investment Management, said: “Our Impact EIS Service is delighted to be part of this investment round in Cyan Forensics which is a splendid example of a growth business that is ‘doing well by doing good’ within our Children & Young People investment theme.”

Kerry Sharp, Director, Scottish Investment Bank, said: “Cyan Forensics is another fantastic example of how ground-breaking research originating in Scotland’s leading academic institutions is being used to tackle global issues. This latest round of investment will enable the company to further develop its cutting-edge technology and grow its business as it helps law enforcement adapt to the digital age.”



Group-IB presents its annual report on global threats to stability in cyberspace at CyberCrimeCon in Singapore

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has presented its annual “Hi-Tech Crime Trends 2019/2020” report at the CyberCrimeCon conference in Singapore. According to Group-IB’s experts, the most frustrating trend of 2019 was the use of cyberweapons in military operations. The report describes attacks on various industries and critical infrastructure facilities, as well as campaigns aimed at destabilization of the Internet in certain countries. The report examines attacks conducted for espionage and sabotage purposes by the most notorious cybercriminal groups and state-sponsored attackers. In total, 38 different state-sponsored threat actors were active throughout the review period, including seven new ones.

Compared to its predecessors, the sixth “Hi-Tech Crime Trends” report is the first to contain chapters devoted to the main industries attacked and covers the period from H2 2018 to H1 2019, as compared to the period from H2 2017 to H1 2018. Group-IB analysts highlight the key high-tech crime trends and conclude that 2019 heralds a new era of cyberattacks.

“The past three years have clearly shown just how fast threats in cyberspace are escalating,” says Dmitry Volkov, Group-IB CTO and the Head of Threat Intelligence. “While 2017 was the year of WannaCry, NotPetya, and BadRabbit ransomware epidemics, 2018 revealed a lack of preparedness for side-channel attacks and threats related to microprocessor vulnerabilities. As for 2019, it has become the year of covert military operations in cyberspace. Conflicts between states have taken on new forms, and cyber activities play a leading role in this destructive dialogue. Researchers worldwide are gradually shifting their focus from financially motivated cybercriminals to state-sponsored threat actors. Groups acting in the national interest fly under the radar for many years. Only a few such incidents have become known, but most indicate that the critical infrastructure of many countries has already been compromised. This means that a peaceful existence is no longer possible while being out of touch with cybersecurity. The latter cannot be ignored by any state, corporation, or individual.”

Confrontation between states: espionage and sabotage

In 2019, cybersecurity became a heavily debated topic in politics. The Venezuela blackout, open military operations in cyberspace between conflicting states, and targeted destabilization of the Internet in certain countries have all set extremely dangerous precedents that could lead to social and economic damage and destabilize the situation in the affected states.

Throughout the second half of 2018 and the first half of 2019, cybersecurity experts identified numerous previously unknown state-sponsored groups. Group-IB researchers focused on 38 active hacker groups, of which seven were new cyberespionage groups. One of the groups, called RedCurl, was uncovered by Group-IB in late 2019. The threat actor mainly targets insurance, consulting, and construction companies. The group’s distinctive features are the high quality of their phishing attacks and the use of legitimate services, which makes it very difficult to detect its malicious activity in companies’ infrastructures.

Many APT groups analyzed in the report have been conducting their operations for several years and gone unnoticed for a long time. Some groups attack similar targets, which leads to competition between them and means that their actions are detected quicker. One of the trends related to the active confrontation between attackers has been hacking back, i.e. when attackers become the victims of hacking. Today, private companies cannot legally conduct such operations.

Internet destabilization at state level

In the past, scenarios in which a country could be disconnected from the Internet seemed unrealistic, yet they are becoming increasingly likely. Disrupting the Internet in a certain country requires long-term preparation, but Group-IB’s analysis of attacks described in its report proves that it is technically feasible. Domain name registrars are part of a country’s critical infrastructure. Disrupting their work affects the Internet, which is why registrars are targeted by state-sponsored threat actors. The past months have shown that the most dangerous hacks involved DNS hijacking, which helped attackers manipulate DNS records for MITM attacks. Researchers also mention traffic manipulations and BGP hijacking attacks, during which threat actors intercept routes and redirect the network traffic of certain prefixes of an autonomous system (IP address pools) through the threat actor’s equipment. The most common objective of such attacks is cyberespionage and disruption of major telecommunications companies’ work.

The telecommunications sector: Are providers ready for 5G?

In its report, Group-IB describes nine groups (APT10, APT33, MuddyWater, HEXANE, Thrip, Chafer, Winnti, Regin, and Lazarus) that posed a major threat to the telecommunications sector during the period investigated. The telecom industry has become a key target for state-sponsored attackers. If they manage to compromise a telecommunications company, they can then also compromise its customers for surveillance or sabotage purposes.

The development of 5G networks will create new threats to this industry. The architectural features of 5G (compared to 1/2/3/4G), such as superfast data transfers and other advantages of the new technology, are mainly implemented using software rather than hardware platforms. This means that all threats to server and software solutions are becoming relevant to 5G network operators. Such threats, including traffic manipulation and DDoS attacks, will become much more frequent and effective due to the large number of insecure devices connected and wide bandwidth. The same can be said of BIOS/UEFI-related attacks, side channel attacks, and supply chain attacks.

In the coming years, the cybersecurity level of 5G market players will be a factor that determines their market share. Cybersecurity problems faced by a 5G platform provider will give other providers a competitive advantage. Many telecom operators are Managed Service Providers and provide security services to government and commercial organizations. Threat actors will attack operators to penetrate the networks they protect.

The energy sector: Hidden threats

The “Hi-Tech Crime Trends 2019” report describes seven groups (LeafMiner, BlackEnergy, Dragonfly, HEXANE, Xenotime, APT33, and Lazarus) that usually carry out attacks for espionage purposes. Yet in some cases, their attacks involved shutting down energy infrastructures or certain facilities in various countries. For example, in 2019, Lazarus attacked a nuclear organization in India, which led to the power plant’s second unit being shut down. The atypical choice of victim indicates that military departments of rival countries may have been interested in these attacks. From the times of Stuxnet, the Middle East has been the main testing ground for tools used in attacks on energy organizations. Compromising IT networks using traditional techniques and malware — including living off the land attacks — is the main vector for penetrating isolated segments of OT networks.

With the exception of the above-mentioned example, the tools used by these groups remain under the radar. In recent years, only two frameworks capable of affecting processes were detected: Industroyer and Triton (Trisis). Both were found as a result of an error on the part of their operators. It is highly likely that there is a significant number of similar undetected threats. Among attacks that are typical of the energy industry, Group-IB experts highlight supply-chain attacks conducted through software and hardware vendors. Management companies are attacked first and then used to penetrate networks belonging to energy companies.

The financial sector: the “Big Russian Three” goes global

Hacking banks around the world is the prerogative of Russian-speaking hackers: they still make up the majority of attacking groups. In 2018, a new group called SilentCards from Kenya joined the “Big Russian Three” (Cobalt, MoneyTaker, and Silence, all Russian speakers) and the North Korean group Lazarus. Cobalt, Silence, and MoneyTaker continue to be the only owners of Trojans that can control ATM dispensers. However, over the period investigated, Silence was the only threat actor that carried out attacks through ATMs. Silence and SilentCards used card processing, while Lazarus used SWIFT (two successful thefts in India and Malta amounting to $16 million in total).

From the aforementioned groups, only the North Korean APT Lazarus uses a theft method called FastCash. Silence reduced the use of phishing mail-outs, instead purchasing access to targeted banks from other groups (in particular TA505). As of today, SilentCards has poor technical skills (compared to other groups) and therefore carries out successful targeted attacks only on banks in Africa.

After using Russia as a testing ground, the Russian-speaking groups continued their expansion by multiplying their attacks outside the country. Since July 2018, attacks have been conducted in: India (twice by Silence and once by Lazarus), Vietnam (Lazarus), Pakistan (Lazarus), Thailand (Lazarus), Malta (twice by Lazarus), Chile (Lazarus and Silence), Kenya (SilentCards), Russia (twice by MoneyTaker, twice by Cobalt, and once by Silence), and Bulgaria (Cobalt and Silence). Silence also carried out single attacks in Costa Rica, Ghana, and Bangladesh.

According to Group-IB’s forecasts, in order to withdraw money, these groups will continue to carry out attacks on card processing systems and use Trojans for ATMs. They will shift their focus away from SWIFT. Lazarus will remain the only group to steal money through SWIFT and ATM Switch. Infrastructure disruption to cover tracks will be the final stage of successful attacks. SilentCards may remain local and focus on African banks; the group is likely to expand its list of targets by attacking other industries. Its main vector will be blackmailing as part of ransomware attacks.

Bank card compromise, carding, and data leaks

In recent years, threat actors have been gradually abandoning sophisticated banking Trojans, attacks on banking customers have become increasingly simpler from a technical point of view, and each direct theft has caused less damage. The number of active banking Trojans for PCs is continuously decreasing worldwide except for Brazil, where their use is developing locally. In the past year, cybersecurity specialists detected four new POS Trojans, used mainly in attacks on retailers in the United States and, to a lesser extent, in Spanish-speaking countries.

Over the period investigated, the carding market size grew by 33% to reach $879,680,072. The number of compromised cards released on underground forums increased from 27.1 million to 43.8 million. The average price for raw card data (card number, expiration date, cardholder name, address, CVV) rose from $9 to $14, while the average price for a dump (magnetic stripe data) fell from $33 to $22. The lowest price is usually set for compromised data stolen from US banks; on average, they cost $8-10 for up-to-date raw card data and $16-24 for dumps. The average price of raw card data stolen from European banks is much higher and amounts to $18-21; the cost of dumps is $100-120. Bank card data stolen in APAC countries is also sold at a high price on the carding market: the average price for textual data is $17-20, while the price for a dump is $80-124.

Bank card dumps continue to make up around 80% of the carding market. Over the period investigated, cybersecurity specialists detected 31.2 million dumps put up for sale, i.e. 46% more than last year. The sale of raw card data is also on the rise, with a 19% growth. The largest bank card data leaks are related to compromises of US retailers. The United States is far ahead and comes first, with 93% of all cards compromised. Middle Eastern countries (Kuwait, Pakistan, the UAE, and Qatar) together account for 2.38% in this ranking. It is believed that the increase in the number of compromised cards in the region was caused by Lazarus attacks in late 2018 and early 2019.

In 2019, JS-sniffers became a point of growth as regards the volume of raw card data. This year, Group-IB detected 38 different JS-sniffer families. Their number continues to grow. There are now more JS-sniffers than banking Trojans. In terms of JS-sniffer-related attacks, the United States is first again, with UK banks coming second. This is mainly due to the attack on British Airways in late 2018, which resulted in more than 300,000 bank cards being compromised. As a result, a $229 million fine was imposed on British Airways for data leaks. JS-sniffers will mainly affect countries where the 3D Secure system is not widely used.

Phishing remains one of the key methods used by criminals to steal bank card data. Competition is growing in this segment: financial phishers began using panels for managing web injects and the autofill function. Such panels have previously been used in banking Trojans. Phishing kit developers began devoting more attention to self-defense. They blacklist cybersecurity vendors’ subnets and hosting providers, show phishing content only from the IP addresses of the region where their victims are located, redirect users to legitimate websites, and check anomalous user agents.

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations. Group-IB’s Threat Intelligence system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s technological leadership is built on the company’s 16 years of hands-on experience in cybercrime investigations around the world and 60,000 hours of cyber security incident response accumulated in one of the biggest forensic laboratories and a round-the-clock center providing a rapid response to cyber incidents—CERT-GIB. Group-IB is a partner of INTERPOL and Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.
Group-IB’s experience, threat hunting & intelligence have been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyber threats.
Our mission is to protect clients in cyberspace using innovative products and services.

For further information, please contact:
Sergei Turner
Communications Manager
+65 3159-3798



One of the biggest data centre providers in the US hit by ransomware attack

CyrusOne, one of the biggest data centre providers in the US, has suffered a ransomware attack, ZDNet has learned.

CyrusOne is currently working with law enforcement and forensics firms to investigate the attack and is also helping customers restore lost data from backups.

The incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware.

This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.

You can read the full story here:

Saryu Nayyar, CEO of Gurucul, comments:

“The specifics of this attack are still not entirely clear, so the lessons learned are still to be identified. However, the majority of ransomware attacks are the result of well-known, preventable vulnerabilities. Known vulnerabilities are an easy path for an intruder to take to get into an organisation. But it’s apparent that many organisations still aren’t minding the cybersecurity basics and that’s why ransomware attacks continue to be launched – and continue to succeed. But good basic security practices can mitigate against ransomware and limit the impact of these attacks.

There are steps that organisations can take to protect themselves against ransomware, such as adopting a zero trust security method, having a regular backup routine, and implementing an established process for patching against known security vulnerabilities. The next step is to invest in modern cybersecurity solutions with machine learning algorithms that can identify anomalous behaviours in real-time, before an attacker can strike.”



OpenBSD patches authentication bypass, privilege escalation vulnerabilities - Comment

It has been reported that OpenBSD has patched four vulnerabilities including privilege escalation flaws and a remotely exploitable authentication bypass.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “Eric Raymond famously said ‘given enough eyeballs, all bugs are shallow.’ What he meant was that if you have enough developers examining your software for enough time, eventually nearly all bugs will be found and fixed. While this is probably true, it’s the enough eyeballs part that is difficult. OpenBSD is estimated to contain nearly three million lines of code. How many eyeballs do you need for that? How much time?

Using automated tools can reduce the amount of manual work that is needed to keep risk acceptably low. Techniques such as source analysis and fuzz testing assist the development team in finding and fixing bugs before release. Given the complexity of OpenBSD and many other projects, it is hardly surprising that new vulnerabilities, sometimes serious, continue to be found. The lesson to be learned is that updating your systems is critically important. When vulnerabilities like this become widely known, you must update your systems promptly, because attackers will be in just as much of a hurry to exploit the vulnerability.”