Criminals are developing more sophisticated ways to dupe unsuspecting victims online, including by posing as representatives of law firms, fire and emergency services, and airports, according to a new report from the United Kingdom’s cyber defense agency.
The annual report from the National Cyber Security Centre, which was established in 2016, focuses on threats to the United Kingdom. But it will be of interest to U.S. officials as well because it shows an evolution and escalation in malicious activity, particularly by national adversaries.
Iran, China, Russia and North Korea were all singled out in the NCSC’s report as the top hostile nations to British security. Those countries generally top U.S. officials’ list of bad actors, as well.
And as in the United States, foreign governments are targeting the political system in the U.K. To combat foreign interference, the British have taken an arguably more assertive approach than their American counterparts. The NCSC meets with U.K. political parties every three months and gives regular advice to members of Parliament, the report said.
“During the local elections (March 2019) and European elections (May 2019), the NCSC provided guidance, informed by comprehensive cyber threat assessment, on risks and advice on protecting systems and people to political parties,” the report explained. The center monitors known adversaries that are targeting parties and individual politicians, and then shares details and “tailored advice.”
That kind of “active defense,” with the government constantly sharing threat indicators with companies and other targeted organizations, is at the heart of the British cybersecurity strategy, which the report describes as “deliberately interventionist and comprehensive,” backed by nearly 2 billion pounds in funding.
While admittedly spare in details about the center’s claimed operational successes (“sometimes transparency has its limits,” the center’s CEO Ciaran Martin wrote in the introduction), the report argues that active defense has made a measurable difference.
For example, the British worked with airlines targeted by a group known as Chafer, which has been linked to Iran and “has a history of targeting global organisations for bulk personal data sets.” The center helped airlines identify potential risks on their networks and “offered mitigation advice,” the report says.
Martin touted the center’s success increasing the number of threat indicators it shares tenfold, to more than 1,000 per month, and the speed of sharing those indicators “from days to seconds.”
The NCSC handled 658 individual incidents over the past year and provided support to nearly 900 victim organizations, the report said.
Officials argue that their more active posture, which includes directly contacting Web hosts when the government spots malicious activity, has led to a dramatic reduction in the number of phishing and other malicious websites. The report says that 98 percent of phishing URLs — more than 177,000 — discovered by a “takedown service” were successfully removed. The majority were taken down within 24 hours.
As of August, the United Kingdom accounts for 2.1 percent of “visible global phishing attacks,” down from 5.3 percent in June 2016, the NCSC said.
The center has also gone after consumer fraud where it intersects with critical infrastructure. In one incident, criminals tried to send more than 200,000 emails claiming to be from a U.K. airport, using a nonexistent government email address, offering recipients a monetary refund. The center detected the suspicious domain name and the email providers never delivered the messages, the report said.
In the case where fraudsters posed as a legitimate emergency-services company, the British blocked 150,000 emails sent from a nonexistent Internet domain.
The British are looking to expand their active defense strategy. The report cites plans for an automated system that acts on information from the public to remove malicious sites; a new “Internet Weather Centre” that would draw on multiple data sources to improve awareness of the overall threat picture; and a new Web-based tool that would let public-sector and critical national infrastructure providers scan their own networks and devices for vulnerabilities, the report said.
PINGED, PATCHED, PWNED
PINGED: Senate Minority Leader Charles E. Schumer (D-N.Y.) and Sen. Tom Cotton (R-Ark.) wrote a letter asking U.S. intelligence officials to assess whether Chinese-owned social media company TikTok poses a threat to national security, my colleagues Tony Romm and Drew Harwell report. The duo is concerned that the increasingly popular app could be a “potential target of foreign influence campaigns like those carried out during the 2016 election on U.S.-based social media platforms.”
Schumer and Cotton are just the latest lawmakers to express concerns that the Chinese-owned company's U.S. operations may be influenced by the Chinese government. They questioned whether Chinese law could compel the company to share the locations and other data of U.S. users or to “support and cooperate with intelligence work controlled by the Chinese Communist Party.” Researchers have raised concerns that the app continues to censor content critical of the Chinese government in the United States, Tony and Drew reported earlier this year.
“We are not influenced by any foreign government, including the Chinese government,” TikTok responded in a blog post yesterday. The company outlined that all U.S. user data is stored in the United States and Singapore, and is not subject to Chinese law. The company also says it has never been asked to remove any content by the Chinese government and “would not do so if asked.”
Sen. Marco Rubio (R-Fla.) raised similar national security concerns earlier this month when he called for the Treasury Department to review the acquisition of U.S.-based Musical.ly by ByteDance, TikTok's parent company.
PATCHED: Sens. Elizabeth Warren (D-Mass.) and Ron Wyden (D-Ore.) want the Federal Trade Commission to investigate whether tech giant Amazon violated federal law — but not for the reason you might think. The pair wants is going after Amazon for failing to secure servers that were ultimately hacked in a breach that exposed the personal data of 100 million Capital One customers in March.
The senators claim the vulnerability the hacker exploited had been widely discussed by cybersecurity researchers for more than five years and that Amazon received an email warning the company in mid-2018 about the vulnerability. They claim that Amazon's failure to act on it could constitute an “unfair business practice.” The FTC requires companies to have a policy for receiving and addressing cybersecurity vulnerabilities flagged by third parties.
“Although Amazon's competitors addressed the threat of [server side request forgery] attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public,” they wrote in a letter to FTC Chairman Joseph Simons. “As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.” (Amazon founder and CEO Jeff Bezos owns The Washington Post).
“The letter’s claim is baseless and a publicity attempt from opportunistic politicians,” Amazon told CNBC in a statement, explaining that the hacker gained access first through a misconfigured firewall at Capital One and only attacked the cited Amazon Web Services vulnerability later.
Paige A. Thompson, the hacker indicted in August for allegedly breaching the server containing data from Capital One and 30 other companies, was a former AWS employee. No other clients reported breaches, and after the attack Amazon started to take more proactive measures to notify customers of potentially misconfigured firewalls, AWS Chief Information Security Officer Stephen Schmidt wrote to Wyden in August.
PWNED: Hackers have ramped up cyberattacks on more than a dozen human rights organizations around the globe, including high-profile targets such as the United Nations and UNICEF, according to a report from researchers at anti-phishing firm Lookout released yesterday. Researchers couldn't identify who was behind the attacks or whether their motivations were financial, but the phishing attempts point to a growing trend of attacks on nongovernmental agencies.
To dupe employees of the organizations to give up their login and passwords, hackers created look-alike sites that closely mirrored official login pages for the organizations. At least six of the pages still have active SSLs, a domain feature that indicates to a user that a Web page is protected with encryption, adding to an appearance of authenticity.
“The motive of the attack is to compromise Okta and Microsoft credentials to gain access to these accounts, which could be used for further attacks or intelligence gathering,” Jeremy Richards, principal security researcher at Lookout, told Catalin Cimpanu at ZDNet. Richards said he couldn't speculate whether the attackers were state-sponsored.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
— Coming up:
- The Senate Homeland Security and Governmental Affairs Committee will host a hearing examine supply chain security, global competitiveness, and 5G on Thursday at 10 a.m.