Ransomware and the Cyber Crime Ecosystem

Ransomware has been the biggest development in cyber crime. Ransomware’s defining feature is that it encrypts data on victims’ systems until a payment is made. Since IT systems are now ubiquitous, ransomware attacks can be truly devastating for victims and their customers, which is why it remains the most acute cyber threat for UK businesses and organisations.

A new white paper published by the NCSC and the National Crime Agency examines how the tactics of organised criminal groups (OCGs) have evolved as ransomware and extortion attacks have grown in popularity. It’s particularly aimed at security professionals and resilience sector leads who need to be aware of changes in cyber criminal activity to better protect their systems and inform security policy.

Since 2018, businesses have been getting better at preparing for and responding to ransomware attacks. At the same time, OCGs have been adapting their business models to maximise payouts. For example, ransomware victims, in addition to being locked out of their systems, now have the additional worry of their sensitive data being leaked online, and with it face the risk of reputational damage. They could also face large fines under laws such as UK GDPR and the Data Protection Act 2018.

As well as the actual ransomware malware (such as Lockbit or ALPHV), there are a number of enabling services, platforms, distributors and affiliates that are key to conducting a ransomware attack. It’s this wider criminal ecosystem that is the main focus of the paper.

The white paper is the latest addition to a series of NCSC publications that address the continued threat from ransomware. Crucially, implementing NCSC guidance will interrupt the majority of attacks, which is why we encourage system owners and technical staff to visit the NCSC’s pages on ransomware, which include guidance on how organisations can defend themselves from ransomware attacks.
The deployment of ransomware relies on a complex supply chain, so focussing on specific ransomware strains can be confusing at best, and unhelpful at worst. We hope that the publication of this white paper shines a light on the motivations of the threat actors further upstream, who are ultimately driving the monetisation of ‘ransomware as a service’, and other extortion attacks.

Mitigating Cybersecurity Risks In Business Communications

The connection between cybersecurity and business communications is undeniably critical in the current digital landscape. With growing reliance on digital platforms, companies are at a higher risk of cyber threats that can jeopardize data and disrupt services. This highlights the importance of strong security in all business communication. Effective communication technologies are crucial but bring challenges in keeping information safe. One essential strategy to boost security and efficiency is implementing advanced systems like telephone system CRM integration. This not only strengthens communication but also streamlines business operations.

Best Security Practices For Safe Communications

Communication security is more than just technology; it includes smart practices in all areas of business communication. Building and regularly updating a solid cybersecurity framework is essential to protect your business. Enhancing your cybersecurity posture also means adopting new technologies and embedding security-conscious habits into your company’s culture. Here are some essential practices to consider:

- Regular software and hardware updates: Ensure all communication tools and systems are up-to-date with the latest security patches. Outdated systems are more vulnerable to attacks.
- Comprehensive staff training: Regularly train staff on cybersecurity best practices and threat recognition. Team members should understand their role in maintaining communication security.
- Robust authentication protocols: Implement strong authentication measures like two-factor or multi-factor authentication, especially for accessing sensitive data and systems remotely.
- Encrypted communication channels: Use encryption for emails, phone calls, and messaging to protect data from interception.
- Incident response plan: Have a clear cyber incident response plan and test it regularly with cyber tabletop exercises, so that you can respond to cybersecurity incidents quickly and with minimal damage.
To effectively reduce risk and build trust, businesses must consistently apply best practices in cybersecurity. Staying alert and adaptable is crucial, as complacency is a significant vulnerability in this field. Continuous improvement in security measures is essential to tackle current and future threats.

Here are the essential practices for securing email communications:

- Implement email encryption: Encrypting emails is crucial in safeguarding sensitive information against unauthorised access or interception.
- Deploy anti-phishing tools: Utilise advanced anti-phishing software to detect and block malicious emails, reducing the risk of phishing attacks.
- Educate staff on phishing scams: Conduct cybersecurity training sessions for staff members to recognize and handle phishing attempts and other email-based threats.
- Strict access controls: Establish stringent access controls for email accounts, ensuring only authorised personnel can access sensitive information.
- Regularly update email systems: Keep email systems updated with the latest security patches and software updates to defend against new threats.
- Use spam filters effectively: Employ and fine-tune spam filters to reduce the influx of potentially harmful emails.

Here are several vital practices for enhancing mobile communication security:

- Secure messaging apps: Encourage using secure, encrypted messaging apps for internal and external communications to protect data from interception.
- Regular device updates: Ensure that all mobile devices used for business purposes are regularly updated with the latest security patches and software updates.
- Mobile Device Management (MDM) solutions: Use MDM solutions to control and protect mobile devices, including features such as remotely erasing data if a device is lost or stolen.
- Strong authentication for device access: Use strong passwords, biometrics, or multi-factor authentication for accessing mobile devices, adding an extra layer of security.
- Training on mobile security: Educate staff members about the risks associated with mobile communications and best practices for maintaining security, such as avoiding public Wi-Fi for business transactions and recognizing potential threats.

Implementing measures to secure mobile communications is essential for overall cybersecurity. These steps help businesses reduce risks linked to mobile device use and maintain secure and efficient communication. Adapting to the evolving cybersecurity landscape requires constant vigilance and proactive measures, particularly in the mobile domain, where the blend of personal and professional use presents unique challenges.

AIT fraud: What you need to know

SMS and telephone guidance updated to address the rise in Artificial Inflation of Traffic (AIT).

The rise in Artificial Inflation of Traffic (AIT) is leaving many businesses out of pocket. To counter this growing threat, we’ve updated our SMS and telephone best practice guidance, which is designed to help organisations and their customers reduce exposure to SMS and telephone-related fraud.

AIT is a technique used by criminals that generates large volumes of fake traffic through apps or websites. In a typical AIT scenario:

- a fraudster uses a bot to create large numbers of fake accounts
- the fake accounts trigger a one-time passcode (OTP) SMS message to mobile numbers during multi-factor authentication (MFA)
- the fraudster partners with a rogue party in the mobile ecosystem (an operator or aggregator) to intercept the AIT, but never actually delivers messages to the end user
- together, the fraudster and the rogue party claim the profit

This type of fraud can cause substantial financial cost to businesses. Elon Musk summarised how the issue had impacted X (formerly known as Twitter) last December, where he explained that “Twitter was being scammed to the tune of 60 million dollars a year for SMS texts.”

Since the NCSC’s SMS and telephone best practice guidance was originally published in January 2022, AIT fraud has increased, mainly for two reasons:

- Application to person (A2P) SMS costs have risen, increasing the potential profit of AIT fraud.
- AIT is not regulated by common SMS agreements and regulations.

There are even companies that openly advertise their ability to defraud businesses by AIT, offering to impersonate hundreds of popular brands. The overriding priority for your SMS procurement process should be security. Our guidance explains how you can protect your business and mitigate the risk of AIT fraud, without resorting to drastic measures such as charging users to use MFA by SMS. As always, we welcome feedback on this guidance.
You can contact us via our social media and normal contact channels.
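The bot-driven OTP flood described above leaves a signature that the business paying for the messages can look for in its own send logs: a burst of one-time codes to numbers in a single range, almost none of which are ever verified by a real user. The Python below is an added illustration, not the NCSC’s guidance or any vendor’s product. The event shape, the grouping of numbers by their leading nine digits, the thresholds, and the sample traffic (which uses Ofcom’s reserved drama range 07700 900xxx) are all constructed assumptions; in a real deployment the thresholds would be tuned against your own baseline.

```python
"""Velocity and verification-rate check for one-time-passcode (OTP) SMS sends.

Added illustration: the event shape, the number-range grouping and the
thresholds below are assumptions, not the NCSC's guidance.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OtpSend:
    ts: int           # send time, seconds since epoch (constructed values)
    msisdn: str       # destination number, digits only or E.164 with '+'
    source_ip: str    # client that requested the code
    verified: bool    # did anyone later submit a correct code for this send?


def number_range(msisdn: str, keep: int = 9) -> str:
    """Group a number by its leading digits; the granularity is an assumption."""
    digits = msisdn.lstrip("+")
    return digits[:keep] + "X" * (len(digits) - keep)


def ait_suspects(events, window=300, min_sends=20, max_verify_rate=0.1):
    """Return {number_range: stats} for ranges whose OTP traffic looks inflated.

    Heuristic (assumed): the busiest `window`-second period for a range holds
    at least `min_sends` codes, and at most `max_verify_rate` of them were
    ever verified. Genuine sign-ups verify most codes; a bot that exists only
    to trigger billable SMS never does.
    """
    by_range = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_range[number_range(e.msisdn)].append(e)

    flagged = {}
    for rng, sends in by_range.items():
        # sliding window: find the densest run of sends for this range
        best, start = [], 0
        for end in range(len(sends)):
            while sends[end].ts - sends[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = sends[start:end + 1]
        if len(best) < min_sends:
            continue
        verify_rate = sum(e.verified for e in best) / len(best)
        if verify_rate <= max_verify_rate:
            flagged[rng] = {
                "sends": len(best),
                "verify_rate": round(verify_rate, 3),
                "distinct_ips": len({e.source_ip for e in best}),
            }
    return flagged


def build_sample_events():
    """Constructed traffic: steady sign-ups, a busy but genuine launch, and an
    AIT burst. Numbers use Ofcom's reserved drama range 07700 900xxx."""
    base = 1_700_000_000
    events = []
    # 1) steady genuine traffic: one code every six minutes, mostly verified
    for i in range(10):
        events.append(OtpSend(base + i * 360, f"+447700911{i * 37:03d}",
                              f"203.0.113.{i}", verified=i != 4))
    # 2) a product launch: 25 codes in four minutes, 22 of them verified
    for i in range(25):
        events.append(OtpSend(base + 2000 + i * 10, f"+447700922{i:03d}",
                              f"198.51.100.{i}", verified=i % 10 != 0))
    # 3) AIT burst: 30 codes to one range in a minute from three IPs, none verified
    for i in range(30):
        events.append(OtpSend(base + 5000 + i * 2, f"+447700900{i:03d}",
                              f"192.0.2.{i % 3}", verified=False))
    return events


if __name__ == "__main__":
    for rng, stats in ait_suspects(build_sample_events()).items():
        print(f"suspect range {rng}: {stats}")
```

The launch traffic is deliberately included: it is just as bursty as the fraud, so a rate limit on its own would block real customers. Combining volume with the verification rate is what separates a busy day from inflated traffic, and the flagged range is the kind of evidence you would raise with your aggregator rather than a reason to switch off SMS MFA.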

Potentially hundreds of UK law firms affected by cyberattack on IT provider CTS

CTS, a managed service provider (MSP) for law firms in the United Kingdom, is urgently investigating a cyberattack that has disrupted its services, potentially leaving hundreds of British law firms unable to access their case management systems. The company announced on Friday that it was experiencing a service outage which “has impacted a portion of the services we deliver to some of our clients”, and confirmed the outage was caused by a cyber incident. The UK government is closely monitoring the company’s situation, according to a government spokesperson. It is not known how many of the company’s clients are affected, although a report by Today’s Conveyancer estimated between 200 and 80 would be unable to access phone, emails, or case management systems. CTS said it was working closely with “a leading global cyber forensics firm to help us with an urgent investigation into the incident and to assist us in service restoration”. The company said it was confident it would be able to restore services but cautioned it could not give a timeline for full restoration, and pledged to communicate directly with the clients who were affected. The hack comes just weeks after the British government failed to introduce promised legislation that would have required MSPs to increase their cybersecurity protections. MSPs are an attractive and high-value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services, the government warned when it announced the new laws.

UK and US develop new global guidelines for AI Security

New guidelines for secure AI system development will help developers of any systems that use AI make informed cyber security decisions at every stage of the development process. Agencies from 18 countries, including the US, endorse new UK-developed guidelines on AI cyber security.

Guidelines for Secure AI System Development, led by GCHQ’s National Cyber Security Centre and developed with the US’s Cybersecurity and Infrastructure Security Agency, build on the AI Safety Summit to establish global collaboration on AI. In a testament to the UK’s leadership in AI safety, agencies from 17 other countries have confirmed they will endorse and co-seal the new guidelines.

The guidelines aim to raise the cyber security levels of artificial intelligence and help ensure that it is designed, developed, and deployed securely. The new UK-led guidelines are the first of their kind to be agreed globally. They will help developers of any systems that use AI make informed cyber security decisions at every stage of the development process, whether those systems have been created from scratch or built on top of tools and services provided by others. The guidelines help developers ensure that cyber security is both an essential pre-condition of AI system safety and integral to the development process from the outset and throughout, known as a ‘secure by design’ approach. The guidelines are broken down into four key areas – secure design, secure development, secure deployment, and secure operation and maintenance – complete with suggested behaviours to help improve security.

The product will be officially launched this afternoon at an event hosted by the NCSC, at which 100 key industry, government and international partners will gather for a panel discussion on the shared challenge of securing AI. Panellists include Microsoft, the Alan Turing Institute and UK, American, Canadian, and German cyber security agencies.

These guidelines are intended as a global, multi-stakeholder effort to address the shared challenge of securing AI, building on the UK Government’s AI Safety Summit’s legacy of sustained international cooperation on AI risks.

EU Cybersecurity exercise for EU elections

To evaluate and strengthen current working methods ahead of the 2024 elections, EU institutions have organised a cybersecurity exercise today. National and EU partners tested their crisis plans and possible responses to potential cybersecurity incidents affecting the European elections. The exercise is part of the measures being implemented by the European Union to ensure free and fair elections in June 2024. It took place in the European Parliament and was organised by the European Parliament’s services, the European Commission and the EU Agency for Cybersecurity (ENISA).

The drill allowed participants to exchange experiences and best practices, and will help them enhance their capacity to respond to cybersecurity incidents as well as to contribute to the update of existing guidelines and good practices on the cybersecurity of technology used in the election process. All is in place to ensure that European citizens can trust the EU electoral process. Risks to elections can take various forms, from information manipulation and disinformation to cyber-attacks that compromise infrastructures.

Based on various scenarios featuring potential cyber-enabled threats and incidents, the exercise allowed participants to:

- Deepen their knowledge of the level of critical aspects of European elections, including an assessment of the level of awareness among other stakeholders (e.g. political parties, electoral campaign organisations and suppliers of relevant IT equipment);
- Enhance cooperation between relevant authorities at national level (including elections authorities and other relevant bodies and agencies, such as cybersecurity authorities, Computer Security Incident Response Teams (CSIRTs), Data Protection Authorities (DPAs) and authorities dealing with disinformation issues), as well as at EU level (such as the Commission services in charge of enforcement of the Digital Services Act (DSA));
- Verify existing EU Member States’ capacity to adequately assess the risks related to the cybersecurity of European elections, promptly develop situational awareness and co-ordinate communication to the public;
- Test existing crisis management plans as well as relevant procedures to prevent, detect, manage and respond to cybersecurity attacks and hybrid threats, including disinformation campaigns;
- Identify all other potential gaps as well as adequate risk mitigation measures which should be implemented ahead of the European Parliament elections.

Why Defenders Should Embrace a Hacker Mindset

Today’s security leaders must manage a constantly evolving attack surface and a dynamic threat environment due to interconnected devices, cloud services, IoT technologies, and hybrid work environments. Adversaries are constantly introducing new attack techniques, and not all companies have internal Red Teams or unlimited security resources to stay on top of the latest threats. Many organizations take a conventional approach to vulnerability management, documenting their assets and identifying associated vulnerabilities, often on a rigid schedule. One of the problems with the current strategy is that it compels defenders to think in lists, while hackers think in graphs. Malicious actors start with identifying their targets, and what matters to them is to find even a single pathway to gain access to the crown jewels.

1) Understand Attackers’ Tactics

Adopting a hacker’s mindset helps security leaders anticipate potential breach points and build their defense. This starts with a realistic understanding of the techniques malicious actors use to get from A to Z. This means that defenders must prepare for brute force attacks, loaders, keyloggers, exploit kits, and other rapidly deployable tactics. Security teams must also evaluate their responses to these tactics in real-world scenarios. Testing in a lab environment is a good start, but peace of mind only comes when directly evaluating production systems. Similarly, simulations are informative, but teams must go a step further and see how their defenses stand up to penetration tests and robust emulated attacks.

2) Reveal Complete Attack Paths, Step by Step

No vulnerability exists in isolation. Hackers almost always combine multiple vulnerabilities to form a complete attack path. As a result, security leaders must be able to visualize the “big picture” and test their entire environment. By identifying the critical paths attackers could take from reconnaissance through exploitation and impact, defenders can prioritize and remediate effectively.

3) Prioritize Remediation Based on Impact

Hackers typically look for the path of least resistance. This means that you should address your exploitable paths with the most impact first. From there, you can work your way through incrementally less-likely scenarios as resources allow. Leaders should also consider the potential business impact of the vulnerabilities they need to remediate. For example, a single network misconfiguration or a single user with excessive permissions can lead to many possible attack paths. Prioritizing high-value assets and critical security gaps helps you avoid the trap of spreading your resources too thin across your entire attack surface.

4) Validate the Effectiveness of Your Security Investments

Testing the real-world efficacy of security products and procedures is critical. For instance: is your EDR properly detecting suspicious activity? Is the SIEM sending alerts as expected? How fast does your SOC respond? And most importantly, how effectively do all of the tools in your security stack interact together? These tests are essential as you measure your efforts.
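“Thinking in graphs” can be made concrete in a few dozen lines. The Python below is an added example, not code from the article or any product: it models a small constructed environment as a directed graph whose edges are the findings that let an attacker move from one asset to the next, enumerates every path from the internet to the database, and then ranks findings by how many of those paths fixing each one would close. The asset names and the finding ids F1 to F6 are placeholders; in practice the edges would come from your own vulnerability scans, cloud and AD permission exports, and network reachability data.

```python
"""Attack-path enumeration and remediation ranking over a small asset graph.

Added example, not from the article: the environment, the finding ids
F1..F6 and the ranking rule are constructed for illustration.
"""
from collections import Counter, defaultdict

# What each finding is (placeholder descriptions for a constructed estate).
FINDINGS = {
    "F1": "unpatched web application on the internet-facing web server",
    "F2": "VPN gateway accepts passwords without MFA",
    "F3": "no segmentation: DMZ hosts and workstations reach the app tier",
    "F4": "VPN users are placed directly on the office LAN",
    "F5": "service account with admin rights on the database, credentials reused",
    "F6": "file share readable by every member of staff",
}

# Directed edges: (from asset, to asset, finding that makes the hop possible).
EDGES = [
    ("internet", "web-server", "F1"),
    ("internet", "vpn-gateway", "F2"),
    ("web-server", "app-server", "F3"),
    ("vpn-gateway", "workstation", "F4"),
    ("workstation", "app-server", "F3"),
    ("workstation", "file-share", "F6"),
    ("workstation", "backup-server", "F6"),   # dead end: no route onward
    ("app-server", "database", "F5"),
    ("file-share", "database", "F5"),         # reused credentials found on the share
]


def build_graph(edges):
    """Adjacency list: asset -> [(reachable asset, enabling finding), ...]."""
    graph = defaultdict(list)
    for src, dst, finding in edges:
        graph[src].append((dst, finding))
    return graph


def attack_paths(graph, start, target):
    """All simple paths from start to target; each path is a list of hops."""
    paths = []

    def walk(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for nxt, finding in graph.get(node, []):
            if nxt in visited:          # never revisit an asset on one path
                continue
            hops.append((node, nxt, finding))
            walk(nxt, visited | {nxt}, hops)
            hops.pop()

    walk(start, {start}, [])
    return paths


def paths_cut_by(paths, finding):
    """How many paths disappear if this single finding is fixed."""
    return sum(1 for p in paths if any(f == finding for _, _, f in p))


def remediation_priority(paths):
    """Findings ranked by the number of attack paths each one closes."""
    counts = Counter()
    for p in paths:
        counts.update({f for _, _, f in p})   # count a finding once per path
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def least_resistance(paths):
    """The shortest path: the fewest hops an attacker has to chain together."""
    return min(paths, key=len)


if __name__ == "__main__":
    paths = attack_paths(build_graph(EDGES), "internet", "database")
    print(f"{len(paths)} paths from internet to database")
    for p in paths:
        print("  " + " -> ".join([p[0][0]] + [f"{dst} ({f})" for _, dst, f in p]))
    print("remediation priority:")
    for finding, n in remediation_priority(paths):
        print(f"  {finding} closes {n} path(s): {FINDINGS[finding]}")
```

Run against the constructed estate, the over-privileged service account (F5) sits on every path to the database, so fixing that one finding closes all three, while the internet-facing web application bug (F1) closes only one. A list sorted by CVSS would likely put F1 first; the graph says otherwise, which is the point the article is making about prioritising by impact.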

Australia declares nationally significant cyber incident after port attack!

Australia’s biggest ports operator, which has been the target of a cyber-attack, has begun gradually restarting its operations, but key exports could be subject to prolonged delays. DP World Australia closed its Sydney, Melbourne, Brisbane and Fremantle port operations after detecting the breach on Friday, leaving cargo and containers stuck on the docks. The company disconnected its internet, which stopped ongoing unauthorised access to its network. This also resulted in key systems linked to its port operations not functioning normally. The nature of the outage has not been divulged and the National Cyber Security Coordinator has promised restoring services is the priority, with attribution a task for another day. On Sunday DP World advised that interruptions will stretch for a number of days, rather than weeks. The government has not yet identified the perpetrators of the cyber attack, which caused the firm to disconnect its ports from the internet. DP World said it halted internet connectivity at its ports on Friday to prevent any ongoing unauthorised access to its network. Going offline meant trucks had been unable to transport containers in and out of the affected sites. The resumption of service on Monday is the first step towards tackling the attack on its network. DP World said it was still in the process of investigating the disruption and guarding its systems against cyber attacks. Australia has seen a rise in cyber attacks since late 2022. Earlier this year, the Albanese government announced plans to overhaul its cybersecurity laws, and set up an agency to coordinate responses to intrusions. The government is expected to release details on its proposed rules next week which will likely tighten reporting requirements for companies.

Cyber attack hits council computer systems!

A suspected ransomware attack has caused significant disruption to IT systems at Western Isles local authority, Comhairle nan Eilean Siar. The council said access to its systems had been affected. The Scottish government and computer company Dell have been helping Comhairle nan Eilean Siar deal with the situation. In a ransomware attack, hackers use malicious software to scramble and steal an organisation’s computer data.

The attack comes after the Scottish Environment Protection Agency (Sepa) had thousands of digital files stolen in a cyber attack in 2020. In February this year, Audit Scotland said that some public money had been written off as a result, but the full financial impact was still unknown.

A ransomware attack uses a type of software designed to disrupt or gain access to a computer system. The information is then encrypted, making it difficult for a user to access their files, or the information may be deleted or leaked. A group behind the attack may then demand money – a ransom – for return of the data or to prevent it being leaked. These types of attacks are not uncommon. In 2021, the Scottish Environment Protection Agency had more than 4,000 digital files stolen. And even tech firms are at risk. Last year, Edinburgh-based Rockstar Games, creator of Grand Theft Auto, had footage and details of an unreleased game leaked online, with hackers threatening to release more unless a deal was reached. The advice to companies is not to pay a ransom, as this might make them a target in the future and is no guarantee that data will be returned.

UK and US host international dialogue to advance cyber support for groups that strengthen democracy

Agency heads from nine countries share insights and approaches to help improve the collective cyber resilience of global democracy. UK and US cyber chiefs convene international partners to discuss the heightened threat that groups central to our democratic societies face online.

The head of the National Cyber Security Centre has co-chaired a meeting with international partners to discuss how democracies can help defend communities at higher risk of being targeted online. Communities identified as being at higher risk include individuals working in politics, including elected officials such as MPs, journalists, academics, lawyers, dissidents, and those sanctioned by foreign states. The dialogue, which has been set up by CISA as part of its High-Risk Community Protection initiative, saw participants brief each other on their existing efforts to protect civil society groups online, exchange insights into the threat landscape and agree to continue collaborating.

The UK is committed to working with partners to ensure cyberspace remains a safe and prosperous place for everyone. A range of cyber security guidance, including practical advice for high-risk individuals such as those working in politics, can be found on the NCSC website. The NCSC highlighted how commercial cyber intrusion tools – or spyware – have almost certainly been used by some states in the targeting of individuals such as journalists, human rights activists, political dissidents and opponents, and foreign government officials. The participants in this first Strategic Dialogue on the Cyber Security of Civil Society Under Threat of Transnational Repression have agreed to meet in future to continue addressing the shared challenges of transnational repression.