InfoSec Round-Up: June 5th 2020


REvil Ransomware, Apple Bug Bounty & UK Gov Contact Tracing

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are looking at the $100,000 Apple bug bounty, ongoing contact tracking security concerns and REvil strikes again. Welcome to the Hut Six Infosec Round-Up.

Security Researcher Receives $100k Apple Bug Bounty

Security researcher Bhavuk Jain has been awarded an impressive $100,000 by Apple, after discovering a zero-day bug in the company’s third-party sign-in technology, ‘Sign in with Apple’.

The critical flaw, which was originally discovered in April, could have allowed attackers to take over Apple user accounts, and put third-party app users at serious risk.

Having been reported to Apple, an internal investigation determined that, though this exploit had not led to any misuse or account compromise, the flaw was serious enough to warrant a $100k ‘bug bounty’.

Jain, who works full-time as a bug bounty hunter, has also discovered flaws in other well-known tech platforms, including Pinterest, Facebook, Yahoo and Google.

Apple, like many other companies, invites external researchers to submit their work and discoveries, offering bounties of up to $1 million for the most serious of flaws.

Contact-Tracing Security Concerns Mount

As security researchers criticise the ease with which scammers could imitate the program’s methods of contact, concerns grow over the UK’s Covid-19 ‘Test and Trace’ program.

The program is designed to gather data on those reporting coronavirus symptoms, yet relatively simple methods of spoofing calls and texts could be used by social engineers and phishers hunting for the personal or sensitive information of unsuspecting members of the public.

Along with issues of anonymity, data retention and staffing, the program has already faced several public setbacks.

With pandemic-related scam calls and texts already in circulation, much of this specific concern hinges on the government asking the public to anticipate calls in which they are expected to hand over potentially sensitive information.

Though the official information provided by the UK government makes note of what will and will not be asked for by contact tracers, at this particularly sensitive time there is seemingly little that citizens can do to verify the legitimacy of a call or text.

As always, the advice remains that sensitive information, such as bank account details, passwords and other private data, is never shared with unverified parties, and that any scams are reported to the appropriate authorities.

Reporting Scams

Emails: NCSC’s Suspicious Email Reporting Service (SERS)

Calls or Texts: UK’s Action Fraud

For the latest information on the Test and Trace program please check the government’s official advice, a link to which is provided below.

Test and Trace: https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works

Ransomware Attackers Publish Elexon Passports

Following a hack which took place on the 14th of May, cyber criminals have published passport information stolen from the UK electricity trading company, Elexon.

Attributed to the international ransomware-as-a-service (RaaS) operation known as REvil, or Sodinokibi, a cache of around 1,200 files has been published on the cyber criminals’ Tor site.

Responsible for a plethora of recent ransomware attacks, including the new year’s Travelex heist and the attack on a celebrity law firm, this strain of ransomware is thought to have generated upwards of $2 billion in ill-gotten gains over the last several years.

Though the reason for the passport data being published remains unclear, Elexon stated publicly that core services remain unaffected by the cyber-attack, whilst also reassuring stakeholders that as they “do not hold any customer level data, there is no risk to the public.”

If you are interested in finding out more about Hut Six’s information security awareness training, follow the links below or if you have any questions, please contact us.
