This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

NCSC Battles COVID19 Threats

In an annual report, the UK’s National Cyber Security Centre (NCSC) revealed that over 25% of incidents it responded to were coronavirus related.

Covering the period from September 2019 to August 2020, the organisation responded to a total of 723 incidents, 194 of which related to the virus.  The agency also disclosed that it had foiled around 15,354 ‘campaigns’ that had used the coronavirus as a “lure” in phishing and malware attacks.

In the report, the agency noted “protecting healthcare was the NCSC’s top priority”, as well as warning of the rising threat of ransomware, having handled more than three times as many ransomware incidents than in the preceding year.

Referencing the recent “damaging and disruptive” Redcar and Cleveland Council ransomware incident, we also learnt that “the UK is not the most heavily targeted country, predominantly because British victims are traditionally less likely to pay the ransom than those from other parts of the world.”

The new CEO of the National Cyber Security Centre, Lindy Cameron stated in the report: “The NCSC is looking firmly ahead to the future… there is a lot to do but the NCSC is committed to playing a leading role across the cyber security community.”

Marriott Fined £18.4m by ICO

The hotel chain Marriott International has been slapped with an £18m fine by the UK’s Information Commissioner’s Office (ICO) for a data breach which exposed the information of millions of guests.

Occurring in 2014, though only discovered and reported in November 2018, the unknown attacker breached approximately 339 million guest records, around 7 million belonging to UK residents.

The ICO’s investigation noted that “there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems”, with breached data including names, email addresses and unencrypted passport numbers.

Originally stating their intention to fine the hotel chain £99m, the ICO again took into consideration the economic climate, before settling upon a final penalty of £18.4m.

Information Commissioner, Elizabeth Denham, stated on the matter: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Capcom Security Breach

Japanese game developer Capcom has revealed that, over the weekend, they have fallen victim to a cyberattack, affecting business operations and email systems.

Creator of such classics as Resident Evil, Street Fighter and Dino Crisis, the company announced via a public statement that the attack occurred in the early hours of November 2nd, confirming unauthorised internal network access carried out by a third party.

Conducting its own investigation, and working with the police, many details regarding the attack remain undisclosed, though some speculate that the company may have suffered a ransomware attack.

In late October, a member of the REvil ransomware syndicate stated that the criminal enterprise had breached a “major gaming company” and would announce details soon. It is not known at this time if this is related. 

Expressing its “deepest regret”, Capcom also noted that there is presently “no indication that any customer information was breached.” Adding, “this incident has not affected connections for playing the company’s games online or access to its various websites.”

75,000 Files Found on eBay USB Drives

Cyber security researchers have uncovered around 75,000 files, including tax returns, contracts and bank statements, from 100 USB drives purchased from auction site eBay.

Part of a project led by James Conacher, an Abertay post-graduate student, researchers used “publicly available tools” to retrieve information from the second-hand storage devices, finding only 32 out of 100 to be properly wiped.

Designed to better understand the risks surrounding pre-owned USB devices, researchers were able to extract partial files from 26 drives and every single file from the remaining 42, much of which was deemed to be of a highly sensitive nature.

Though the research efforts did not uncover any trace of malicious software, the findings do highlight the threat to information security that USB devices and poor data practices can present.

Professor of Cyber Security at the university, Karen Renaud described the findings as “extremely concerning”, adding “an unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.