December 11 th 2015 Intelligence Briefing NOT PROTECTIVELY MARKED

Upload: poppy-hardy

Post on 06-Jan-2018



TRANSCRIPT

Page 1

December 11th 2015

Intelligence Briefing

NOT PROTECTIVELY MARKED

Page 2

Current Threats
- SWRCCU Investigation Update
  - Malware Attack
  - DDoS Extortion Demand
  - Phishing Email

Miscellaneous
- DDoS Attacks Increase by 180%
- CiSP
- New non-protectively marked briefing


Page 3

Investigation Update – Malware Attack

The South West Regional Cyber Crime Unit are currently investigating a malware attack on a large public sector organisation based in the Avon and Somerset force area. Thousands of spam emails were received every day over an eight-day period, each containing a malicious attachment.

The emails appear to be sent to employees randomly. The attachments are suspected to contain a variant of the Dridex malware, although this is still to be confirmed.

A member of staff first noticed the attack after they tried to open the attachment and then shortly after noticed unusual activity on their computer. No financial loss or stolen data has been reported.

Any organisation suffering similar attacks should report it via Action Fraud in order for investigative actions to be considered and to enable an accurate picture of the scale of the threat to be developed.

Detailed descriptions of the emails received and any linked IP addresses will be posted on the CiSP when recovered.


Page 4

Investigation Update – Malware Attack (cont)

The SWRCCU has reported on Dridex many times over the last year. Media reporting suggested that the Dridex infrastructure had been disrupted but we are continuing to see Dridex infections targeting organisations and businesses throughout the South West.

In order to reduce the chances of becoming a victim of this banking malware please consider:

- Have anti-virus installed and up-to-date.
- Keep operating systems up-to-date and patched.
- Ensure software is up-to-date, for example internet browsers, Java and Adobe.
- Restrict the type of websites staff/you can access.
- Prevent employees from using their own devices at work, e.g. USB devices.
- Remove any banking Smartcard from the reader when you are not conducting a transaction, logging on or making amendments as a system administrator.
- Log out from online banking when finished with banking tasks.
- Look out for unusual prompts at login.
- Change passwords often.
- Ideally organisations should utilise a stand-alone machine for all online banking kept separate from their email platform.


Page 5

Investigation Update – DDoS Extortion Demand

We are currently investigating a Distributed Denial of Service (DDoS) extortion demand on a company based in Bath. The company suffered a DDoS attack of up to 17.5 Gbps and lasting 80 minutes. An email was then received by the company demanding a payment of 20 Bitcoins (BTC) accompanied by a threat to DDoS the website again if payment was not made. It was threatened that failure to pay would also result in the demand increasing to 40 BTC followed by a further increase of 1 BTC per hour until the extortion demand was met.

The victim did not meet the demand and no further attack took place. Another threatening email was received repeating the original demand.

The ‘Armada Collective’ claimed responsibility for the attack in the first e-mail. They are a well-known Organised Crime Group specialising in this type of attack.

What to do in this situation:

- Report the attack asap to Action Fraud and do not pay any demands.
- Keep a record of any emails received from the attackers and any sent in reply.
- If you run a popular website or web service, you may want to consider using a cloud based DDoS protection service. A number are available commercially.


Page 6

Investigation Update – Phishing Email

We have had a report of a phishing attempt on a business based in Plymouth, Devon. The emails purported to be from the CEO of the company and were directed to the Finance Department. They received the email on two occasions, both times whilst the CEO was away from the office. The emails contained a request for money to be paid on his behalf to an unconnected bank account.

Prevention

- Do not click or open unfamiliar links in emails or on websites.
- Check the legitimacy of the email with the company that has supposedly sent it. It is a good idea to find a telephone number for them independently from the email as the phone number provided may be fake or go straight to the suspect.
- Ensure you have up-to-date anti-virus software and perform regular scans.
- If you have clicked or activated the link you should seek professional advice from a reputable company.
- Be aware of any financial requests via email. People can easily pose as management in emails – call the person if in doubt.
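A mailbox screening check for the pattern in this report (an executive's name on a message that arrives from an outside address and asks Finance to move money), written here as an added example and not taken from the SWRCCU briefing; the company domain, the executive list and both sample messages are constructed for illustration.

```python
import email
import re
from email.policy import default
from email.utils import parseaddr

# Assumed company details, constructed for this example.
COMPANY_DOMAIN = "example-company.co.uk"
EXECUTIVES = {"jane smith": "jane.smith@example-company.co.uk"}  # display name -> real mailbox
PAYMENT_WORDS = re.compile(r"\b(pay|payment|transfer|wire|bank account)\b", re.IGNORECASE)


def score_message(raw: str) -> dict:
    """Flag a message that asks for money while impersonating an executive."""
    msg = email.message_from_string(raw, policy=default)
    display, addr = parseaddr(msg.get("From", ""))
    display, addr = display.strip().lower(), addr.lower()
    reasons = []
    # Display name belongs to an executive, but the address is not theirs.
    if display in EXECUTIVES and EXECUTIVES[display] != addr:
        reasons.append("executive display name with a different address")
    # Sender address is not on the company's own domain.
    if addr and not addr.endswith("@" + COMPANY_DOMAIN):
        reasons.append("sender is outside the company domain")
    # Replies are steered to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append("Reply-To differs from From")
    # Subject or body asks for money to be moved.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if PAYMENT_WORDS.search(text):
        reasons.append("message requests a payment")
    # A payment request plus at least one sender anomaly: hold it and phone the executive.
    suspicious = "message requests a payment" in reasons and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons}


# Constructed sample messages, not taken from the briefing.
SAMPLE_FRAUD = """From: Jane Smith <jane.smith@webmail-example.net>
Reply-To: ceo.private@webmail-example.net
To: finance@example-company.co.uk
Subject: Urgent

I am travelling today. Please arrange a transfer of 12,000 GBP to the account below on my behalf.
"""
SAMPLE_LEGIT = """From: Jane Smith <jane.smith@example-company.co.uk>
To: finance@example-company.co.uk
Subject: Invoice approval

Please process the attached invoice for payment next week.
"""
```

A genuine request from the executive's own mailbox only trips the payment check, so it is not held; the impersonation sample trips all four checks.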


Page 7

DDoS Attacks Increase by 180% Compared to a Year Ago

Akamai has been seeing greater numbers of denial of service attacks every quarter, and the upward trend continued in the most recent quarter. Although recent DDoS attacks were on average smaller and shorter, they still posed a significant cloud security risk.

Attacks are being fuelled by the easy availability of DDoS-for-hire sites that identify and abuse exposed Internet services, such as SSDP, NTP, DNS, CHARGEN and even Quote of the Day.

The online gaming sector was hit particularly hard by DDoS attacks in Q3 2015, accounting for 50% of the recorded DDoS attacks. Gaming was followed by software and technology, which suffered 25% of all attacks. Online gaming has been the most targeted industry for more than a year. (http://www.net-security.org)


Page 8

CiSP - 30,000 Individual Cyber Crime Threats Shared

The Cyber Security Information Sharing Partnership (CiSP), which is co-run by the National Crime Agency and Cert-UK, has flagged and shared the details of 30,000 cyber crime threats.

The customised alerts that are sent out allow members to take remedial action and modify their organisations to prevent cyber attacks.

If you would like to join the CiSP then please sign up at www.cert.gov.uk/cisp and contact us as we can sponsor you.

A regional South West CiSP is being planned which will launch March 2016; more details will be shared in due course.


Page 9

Additional Briefing Dissemination

This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction.

If you know anyone else who would like to receive this, please send us their e-mail address and we will add them to the distribution list.

Any comments or queries please email South West Regional Cyber Crime Unit at:

[email protected] 372 2446
