InfoSec Round-Up: June 5th 2020
REvil Ransomware, Apple Bug Bounty & UK Gov Contact Tracing
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
This week we are looking at the $100,000 Apple bug bounty, ongoing contact tracking security concerns and REvil strikes again. Welcome to the Hut Six Infosec Round-Up.
Security Researcher Receives $100k Apple Bug Bounty
Security researcher Bhavuk Jain has been awarded an impressive $100,000 by Apple, after discovering a zero-day bug in the company’s third party-sign in technology, ‘Sign in with Apple’.
The critical flaw, which was originally discovered in April, could have allowed attackers to takeover Apple user accounts, and put third-party app users at serious risk.
Having been being reported to Apple, an internal investigation determined that though this exploit had not led to any misuse, or account compromise, the company did decided the flaw was serious enough to warrant a $100k ‘bug bounty’.
Jain, who works full-time as a bug bounty hunter, has also discovered flaws in other well-known tech platforms, including Pinterest, Facebook, Yahoo and Google.
Apple, like many other companies, invites external researchers to submit their work and discoveries, offering bounties of up to $1 million for the most serious of flaws.
Contact-Tracing Security Concerns Mount
As security researchers criticise the ease with which scammers could exploit methods of contact, concerns grow over the UK’s Covid-19 ‘Test and Trace’ program.
Designed to gather data on those reporting coronavirus symptoms, relatively simple methods of spoofing calls and texts could be used by social engineers and phishers hunting for the personal or sensitive information of unsuspecting members of the public.
With pandemic related scam calls and texts already in progress, much of this specific concern hinges on the government asking the public to anticipate calls in which they are expected to hand over potentially sensitive information.
Though the official information provided by the UK government makes note of what will and will not be asked for by contact tracers, at this particularly sensitive time, there is seemingly little that citizens can do to verify legitimacy.
As always, the advice remains that sensitive information, such as bank account details, passwords, and other private data, is never shared with unverified parties, and any scams are reported to the appropriate authorities.
Calls of Text: UK’s Action Fraud
For the latest information on the Test and Trace program please check the government’s official advice, a link to which is provided below.
Test and Trace: https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works
Ransomware Attackers Publish Elexon Passports
Following a hack which took place on the 14th of May, cyber criminals have published passport information stolen from the UK utilities company, Elexon.
Attributed to the international ransomware-as-a-service (RaaS), known as the REvil, or Sodinokibi, a cache of around 1,200 files have been published on the cyber-criminals Tor webpage.
Responsible for a plethora of recent ransomware attacks, including the new year’s Travelex heist and celebrity law firm attack, this strain of ransomware is thought to have, in the last several years, generated upwards of $2 billion in ill-gotten gains.
Though the reason for the passport data being published remains unclear, Elexon, stated publicly that core services remain unaffected by the cyber-attack. Whilst also reassuring stakeholders that as they “do not hold any customer level data, there is no risk to the public.”
If you are interested in finding out more about Hut Six’s information security awareness training, follow the links below or if you have any questions, please contact us.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
What Social Engineering Methods do attackers use to get your personal information? Blog by Information Security Awareness Training provider Hut Six Security
What Year Was the Data Protection Act Introduced? Blog by Information Security Awareness Training provider Hut Six Security.
GitLab Phishing, Red Cross Cybersecurity, and easyJet Lawsuit - Infosec Round Up, May 29th 2020
How Does the Data Protection Act Protect your Rights? Blog by information security awareness training provider Hut Six Security.
Knowing how a ransomware attack works is the key to avoiding them and the damage they can pose to your organisation. Blog by Hut Six Security.
Luke talks about his favourite Information Security tutorial, Handling Sensitive Information. Information Security video by Hut Six Security.
Cryptomining hijack, EasyJet Hack and NHS Failing audits - InfoSec Round-Up, May 22nd 2020
Ways of recognising phishing attacks to ensure your organisation stays secure. Blog by information security awareness training provider Hut Six Security.
What are the Eight Principles of the Data Protection Act? Why has this changed to seven in the DPA 2018? Blog by Hut Six Security.
Kayleigh talks about her favourite Information Security tutorial, Encouraging a Secure Culture, which explains the importance of building a secure culture.