With less than half the breached records of August, September can be considered a “quiet” month, with “just” 35.5 million records breached across 88 incidents, compared to 97 million in August. Here are the top stories from the month…
Australian Telecommunications giant suffers 10 million record breach
On the last day of September, it was revealed that Australian telecommunications giant Optus has suffered a breach, exposing the details of 10 million customers, or approximately 40% of the Australian population. Data belonging to current and former customers was stolen, including names, birthdates, home addresses, phone and email contacts, and passport and driving licence numbers.
VMware Global Incident Response Threat Report
The global threat report from VMware has highlighted some interesting trends in the global cyber landscape. Trending threats include:
🔀 An increase in “lateral movement”, with hackers gaining access to a system through one area (such as cloud storage) but then moving laterally to other parts of the system in a bid to avoid detection. This is now happening in 25% of cases.
🤫 A rise in deepfake accounts of 13%, with 78% being delivered as phishing scams via email.
📈 A rise in attacks since the Ukraine conflict started.
⬆️ A rise in zero-day attacks, exploiting previously unknown vulnerabilities (up 11%).
🔗 23% of attacks now originate through an API connection.
Microsoft Teams exploit serves as important reminder for staff training
A vulnerability in the use of GIFs via Microsoft Teams can enable threat actors to access your systems. The flaw means cybercriminals are attaching malware to what appear to be harmless GIF image files, but which in reality will distribute illicit commands and harvest company data if they are clicked. These attacks get through because the method of delivery makes them harder for security systems to spot. Staff are falling victim because the files look to originate within the company and are therefore automatically trusted. It highlights the value of cyber training, and we’ve detailed the full issue in our blog.
4 in 5 businesses have suffered a cloud-related incident
According to a new report from Venafi, 81% of businesses have suffered a cloud security incident in the last twelve months, with 45% suffering at least four incidents in the same timeframe. Of those surveyed, businesses typically had 41% of their operations and applications in the cloud, a trend that is growing. Other stats from the survey: hijacking of accounts equates to 35% of issues, malware accounts for 31%, and nation-state attacks account for 26% of attacks.
Hackers are using WeTransfer to spread malware
Hackers are using the free file transfer system WeTransfer to disguise malware as “legitimate” files transferred by the site. Typically, these scams use a legitimate email address that has been compromised to send files with engaging titles like “proof of payment”. Clicking the link downloads the Lampion virus, which is capable of stealing sensitive data such as bank login details and passwords. Quality antivirus and security measures can help mitigate these risks, but staff cyber training is also essential.
Wall Street fines highlight importance of personal device policy
Some of Wall Street’s biggest companies have been fined for breaching financial regulations, after it was identified that staff members discussed deals and trades on their personal devices and apps. The fines, totalling £1.7 billion, were levied on the basis that these communications do not meet the record-keeping obligations for financial transactions.
While relevant to the financial markets of the US, these fines serve as a reminder to businesses to audit and understand the use of personal devices within their businesses. What devices can and do connect to your network, and how do you validate behaviours and actions? Could personal devices be putting your business at risk? Speak to our team on 01453 700 800 about an audit to evaluate the extent of your network, your potential security risks, and appropriate mitigations.
Data Privacy doesn’t just include capture and storage; it includes disposal too.
It has emerged that the U.S. Securities and Exchange Commission (SEC) has fined Morgan Stanley $35 million, after it exposed the data of 15 million customers. The records were left vulnerable after the company disposed of hard drives and servers, but did not carry out basic security measures. This video from ESET explores the issue, and the story serves as an essential reminder of the need for an end-to-end data management process.
Uber hack highlights the growth in lateral cyber attacks
In mid-September, ride-hailing app Uber was hacked, with a breach that appears to have affected its internal systems. The attack did not compromise the ability to hail a cab, but has created some issues with internal systems. This attack is the perfect example of a growing number of lateral cyber attacks, where hackers breach one system and use the access to breach another part of the system. In Uber’s case, a hacker compromised the messaging app Slack, before using it to move laterally into the rest of the system.
Revolut hit by a cyberattack, compromising the personal data of 50,000 users
British fintech company Revolut has confirmed that a highly sophisticated attack led to the breach of users’ data “for a short time”. The unauthorised third party accessed data including 32,000 customer records (approximately 0.16% of the customer base), in addition to the details of 18,000 incomplete customer records from individuals who had started the sign-up process but not completed it.