InfoSec Round-Up: February 5th

SolarWinds Flaws, Ransomware Attack & Oxfam Breach

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

UK Research and Innovation Ransomware

UK Research and Innovation (UKRI), a national science and research funding agency, has been hit with an apparent ransomware attack against its Brussels-based UK Research Office (UKRO) and its BBSRC extranet.

Noting that they cannot confirm whether any data was extracted from their systems, the organisation has not explicitly mentioned ‘ransomware’, with the UKRI simply describing the incident as a “cyber attack [resulting] in data being encrypted by a third party.”

The UKRO, which has temporarily switched off some of its web-facing services, is a subscription service used by around 13,000 academics to find funding opportunities and share information regarding EU-funded research projects, though it reportedly does not contain any sensitive personal data.

Regarding the affected extranet, the organisation noted that data potentially compromised does contain information relating to peer review activity and grant applications, and in some instances contains data relating to expense claims.

In an announcement, the UKRI stated, “We do not yet know whether any financial details have been taken, but we will endeavour to contact panel members to advise on personal protection against possible fraud in this situation.” Adding, “If we do identify individuals whose data has been taken, we will contact [them] as soon as possible.”

Further SolarWinds Vulnerabilities

Following one of the most significant supply chain attacks in history, security researchers have discovered several more vulnerabilities in SolarWinds products.

The three vulnerabilities range in seriousness, with the most severe allowing a remote, unprivileged actor to take control of the company’s Orion platform.

Discovered by security researchers at Trustwave, the flaws are not believed to have been exploited by malicious actors or reported “in the wild”.

With these three vulnerabilities swiftly patched, users are now being urged to update their software before the exploits are made public on the 9th of February.

The infamous initial attack, which was described by Microsoft President Brad Smith as a “mass indiscriminate global assault”, was allegedly concocted by Russian state hackers and was designed to infiltrate organisations’ networks, including those of many government agencies across the world.

In a summary of their research, Security Research Manager Martin Rakhmanov noted, “Trustwave reported all three findings to SolarWinds, and patches were released in a very timely manner. We want to thank SolarWinds for their partnership during the disclosure process. We recommend that administrators upgrade as soon as possible.”

Oxfam Database for Sale

Following a suspected data breach, Oxfam Australia is investigating the claim that a hacker is selling a database stolen from the charity.

The database reportedly holds information relating to 1.7 million people, including names, email addresses, phone numbers and donation amounts given to the Oxfam International affiliate.

The database was purportedly put up for sale on a hacker forum some time last week, and the details of how the attack occurred have yet to be confirmed.

Having reported the suspected breach to the Australian Cyber Security Centre (ACSC) and the relevant data authority, Oxfam Australia has yet to confirm what data was potentially accessed and how many people have been affected.

In a statement, the charity noted, “Launching the investigation and ascertaining key facts have been our priorities, but this is a complex issue and inquiries are in their early stages”, adding “We are committed to communicating quickly to our supporters once the facts have been established, and we will provide updates as we learn more.”

Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
