InfoSec Round-Up: June 5th 2020


REvil Ransomware, Apple Bug Bounty & UK Gov Contact Tracing

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are looking at the $100,000 Apple bug bounty, ongoing contact tracking security concerns and REvil strikes again. Welcome to the Hut Six Infosec Round-Up.

Security Researcher Receives $100k Apple Bug Bounty

Security researcher Bhavuk Jain has been awarded an impressive $100,000 by Apple after discovering a zero-day bug in the company’s third-party sign-in technology, ‘Sign in with Apple’.

The critical flaw, which was originally discovered in April, could have allowed attackers to take over Apple user accounts, putting users of third-party apps at serious risk.

After the flaw was reported to Apple, an internal investigation determined that, though the exploit had not led to any misuse or account compromise, it was serious enough to warrant a $100k ‘bug bounty’.

Jain, who works full-time as a bug bounty hunter, has also discovered flaws in other well-known tech platforms, including Pinterest, Facebook, Yahoo and Google.

Apple, like many other companies, invites external researchers to submit their work and discoveries, offering bounties of up to $1 million for the most serious of flaws.

Contact-Tracing Security Concerns Mount

As security researchers criticise the ease with which scammers could exploit methods of contact, concerns grow over the UK’s Covid-19 ‘Test and Trace’ program.

The program is designed to gather data on those reporting coronavirus symptoms, and relatively simple methods of spoofing calls and texts could be used by social engineers and phishers hunting for the personal or sensitive information of unsuspecting members of the public.

Along with issues of anonymity, data retention and physical staffing issues, the program has already faced several public setbacks.

With pandemic-related scam calls and texts already in progress, much of this specific concern hinges on the government asking the public to anticipate calls in which they are expected to hand over potentially sensitive information.

Though the official information provided by the UK government makes note of what will and will not be asked for by contact tracers, at this particularly sensitive time, there is seemingly little that citizens can do to verify legitimacy.

As always, the advice remains that sensitive information, such as bank account details, passwords and other private data, should never be shared with unverified parties, and that any scams should be reported to the appropriate authorities.

Reporting Scams

Emails: NCSC’s Suspicious Email Reporting Service (SERS)

Calls or Texts: UK’s Action Fraud

For the latest information on the Test and Trace program please check the government’s official advice, a link to which is provided below.

Test and Trace: https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works

Ransomware Attackers Publish Elexon Passports

Following a hack which took place on the 14th of May, cyber criminals have published passport information stolen from the UK utilities company, Elexon.

Attributed to the international ransomware-as-a-service (RaaS) operation known as REvil, or Sodinokibi, a cache of around 1,200 files has been published on the cyber-criminals’ Tor site.

Responsible for a plethora of recent ransomware attacks, including the New Year’s Travelex heist and the celebrity law firm attack, this strain of ransomware is thought to have generated upwards of $2 billion in ill-gotten gains over the last several years.

Though the reason for the passport data being published remains unclear, Elexon stated publicly that core services remain unaffected by the cyber-attack, whilst also reassuring stakeholders that, as they “do not hold any customer level data, there is no risk to the public.”
