We round up reporting and research from across the web about the latest security news. This month: cryptomining attacks increase, data breaches rise in Ireland, the business cost of ransomware revealed, UK local authorities come under attack from cybercriminals, NotPetya blame laid at Russia’s door, and automated security makes inroads.
Tales from the crypto
A spate of cryptomining attacks are exploiting computing systems to make money for criminals. But is this just a nuisance or a worrying sign of something bigger? There are increasing reports of infections and some high-profile victims. A page on the LA Times’ site hosted hidden code that exploited visiting users’ system resources to mine for cryptocurrency. A Tesla cloud account was compromised, before the carmaker rectified the breach. eWeek reported a similar infection at an unnamed European water utility – apparently the first such occurrence on SCADA systems.
So is this mining software benign, or malicious? It hijacks devices, which potentially affects CPU performance and battery life. What’s more, mobiles and Macs are not immune. As this excellent summary by the UK National Cyber Security Centre notes, cryptojacking does not take any money from victims. “The only impact on affected users’ computers was that they temporarily had minor performance loss and reduced battery power,” it said. But as Brian Honan warned recently, this involves criminals infecting websites. They could easily have inserted ransomware or some other malicious code instead.
Once more unto the breach
The Data Protection Commissioner recorded 2,795 valid data security breaches, and lodged and handled 2,642 complaints in 2017. The number of breaches was up 25.7 per cent on the previous year, and complaints almost doubled on 2016 levels. Most breaches (59 per cent) related to unauthorised disclosures. The majority were in the financial sector, and 6 per cent of all reported cases were in the telecoms sector. The latter figure was 25 per cent higher than in 2016. Network security compromises increased from 23 to 49, and usually included ransomware and malware attacks, the Register reported. Last year, there were 19 data breaches involving multinational companies in Ireland.
The details come from the DPC’s annual report, which also includes results of an investigation into handling of confidential records in hospitals. That investigation will lead to a report with recommendations on better privacy controls, which the commissioner will give to every hospital in the State. The Government public services card project also came in for scrutiny. The annual report outlines concerns the DPC had over how Facebook and Twitter collect potentially sensitive location data. The DPC’s website has a summary of the main points, and the full report is available as a PDF.
No doubt ransomware was one of the highest-profile types of security incident over the past two years. A new survey from Datto puts this into perspective. It estimates that European SMEs lost a combined €80.5 million between 2016 and 2017 on downtime caused by ransomware infections. The average ransom request ranged between €395 and €1,589. Infosecurity Magazine led with the figure 5 per cent of all SMEs had a ransomware infection last year. Some 21 per cent of SMEs paid up, but 18 per cent said they never got their data back. Fewer than one-third of victims reported the but to law enforcement. Possibly the most telling stat of all is that 94 per cent of victims were using antivirus products. The fact they succumbed to infection just the same suggests that training, not technology, remains one of the most effective deterrents.
Anarchy in the UK
Cyber attacks against local authorities in Britain are rising, with more than 95 million attacks over five years. This translates to 37 attempted breaches every minute. Between 2013 and 2017, at least a quarter of UK councils experienced an actual security breach. Big Brother Watch, a civil liberties and privacy watchdog, discovered this based on Freedom of Information requests. A high number of councils that had experienced an incident did not subsequently report it. Also troubling is the discovery that 75 per cent of local authorities do not give staff mandatory security awareness training, and 16 per cent provide no training at all. The 66-page report suggests it’s the growing volume personal data these agencies accumulate that makes them an attractive target.
The blame game
In an unprecedented move, US and UK governments have blamed Russia for last year’s NotPetya ransomware which caused an estimated €1.2 billion in damages worldwide. Originally targeting Ukrainian national infrastructure, the malware spread widely and affected many high-profile companies and public agencies across the world. The UK referred to its National Cyber Security Centre finding that Russia’s military was “almost certainly” responsible for the attack. The NCSC described the attack as “destructive” because it was never designed to be decrypted like common ransomware. It’s rare for Governments to make official statements like this. Attribution is a thorny problem in security research. It’s often very hard to prove because attackers have many technical means at their disposal for hiding their tracks.
Automatic for the people
Automation technology is finding its way into growing numbers of security operations. Cisco’s 2018 annual cybersecurity report found 39 per cent of organisations say they use it. Martin Roesch, Chief Architect in Cisco’s Security Business Group, told eWeek: “If you want to make use of a lot of security data quickly, you have to make use of a fair amount of automation.” Another finding is that organisations are using more products from a wider group of vendors, and that 53 per cent host more than half their infrastructure in the cloud. As for threats, the report said burst attacks grew in complexity and frequency during 2017, while insiders posed a disproportionately high level of risk. The full report includes these stats and more, along with recommendations for improving security, and is available to download here.