The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
Not again. 700 million LinkedIn users’ data is being sold on RaidForums.
PrintNightmare exploit. Researchers publish proof-of-concept exploit code on Twitter.
Doing time. US court sentences FIN7 hacker, Andrii Kolpakov, to seven years in prison.
Wiped clean. Zero-day vulnerability affecting My Book Live devices.
Nobelium returns. Nobelium hackers launch new campaign against Microsoft’s customer support.
Cyber risk and insurance. Research report details future trends, regulations, and recommendations.
700 million LinkedIn users’ data being sold on hacking forum
A user on RaidForums has advertised the sale of data from 700 million LinkedIn users. The data includes dates of birth, gender, phone numbers, physical addresses, and email addresses. Researchers have reviewed the data and can confirm its authenticity.
The user claims to have obtained the data through the exploitation of LinkedIn’s API. LinkedIn has stated that this is not a data breach and does not include private member data.
SO WHAT? The published information will be valuable to threat actors looking to conduct identity theft or social engineering attacks. Consider updating your LinkedIn password and stay aware of scams and phishing attempts over the coming weeks.
Researchers publish zero-day exploit for Windows Print Spooler vulnerability
Researchers have leaked a proof-of-concept exploit code on Twitter for a zero-day vulnerability. The exploit is for a remote code execution vulnerability affecting Windows Print Spooler, dubbed PrintNightmare.
Attackers can leverage PrintNightmare to take remote control of a company’s Windows domain and deploy malware across its network. Despite its swift removal from Twitter, the exploit and write-up continue to circulate platforms such as GitHub.
SO WHAT FOR THE SECURITY TEAMS? Until a patch becomes available, organisations must disable the spooler service immediately, particularly on any domain controller system.
FIN7 hacker Kolpakov to serve seven years in US prison and pay USD 2.5 million in restitution
A US court has sentenced Ukrainian national Andrii Kolpakov for his role in the FIN7 hacking group. Kolpakov was a high-level FIN7 member until his arrest in Spain in June 2018.
FIN7 targets companies with malware campaigns designed to steal customer payment card data that is then used or sold for profit. Victims include hundreds of US companies – mainly in the restaurant, gambling, and hospitality industries – as well as companies in the UK, Australia, and France.
SO WHAT? Although prosecution of criminal hacking group members represents a success for law enforcement, such groups are resilient. FIN7 itself has previously continued its operations despite the arrests of key members.
Zero-day vulnerability allows remote wipe of My Book Live devices
A zero-day vulnerability affecting Western Digital My Book Live NAS devices allowed a threat actor to perform a factory reset on devices. This resulted in the devices being wiped and users losing all their data.
My Book Live went out of support in 2015, making it unlikely that a patch will be provided for this vulnerability. Instead, Western Digital has recommended that users prevent their devices from being publicly accessible over the internet.
SO WHAT? Ensure your organisation is aware of the different internet-facing devices on its networks. Any devices that are out of support and not receiving patches should not be internet-facing.
Nobelium conduct new campaign against Microsoft
Nobelium hackers, the threat group behind the SolarWinds attack, have launched a new campaign against Microsoft’s customer support system. The hackers leveraged password spraying and brute-force attacks to infiltrate a Microsoft machine.
The hackers deployed information-stealing malware onto the Microsoft customer support machine. Microsoft contained the incident by removing access and securing the device. Any customers affected have been notified.
SO WHAT? The use of credential stuffing and password spraying by sophisticated and unsophisticated threat groups will continue. Basic cyber security hygiene such as MFA and zero-trust architecture are effective mitigation measures.
Royal United Services Institute’s (RUSI) recommendations
Cyber has become a greater focus of national security and insurance regulation in the UK. In its latest paper on cyber insurance and cyber risk management, RUSI’s first recommendation is a collective industry-wide agreement on a minimum set of cyber security controls that insureds should meet. For small to medium size UK businesses (11-250 employees), the minimum recommended controls are the National Cyber Security Centre's (NCSC) Cyber Essentials.
SO WHAT? If you are a UK enterprise, consider conducting a NCSC Cyber Essentials test to benchmark your organisation’s readiness against the minimum standard.