[BreachExchange] UK Cybersecurity Center Issues 'The Dark Overlord' Alert
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Nov 7 19:01:07 EST 2017
https://www.databreachtoday.com/blogs/the-dark-overlord-alert-issued-by-uk-cybersecurity-center-p-2559
Want to stop the latest cybercrime bogeyman? Then for the umpteenth time,
put in place well-known and proven strategies for repelling online attacks.
That's one takeaway from a recent threat report issued by Britain's
National Cyber Security Center. Based on open source reporting, the alert
calls out a trio of attack campaigns: phishing emails that pretend to be
speeding tickets but which instead deliver malware; attackers using stolen
or fraudulently obtained digital certificates to "sign" malware; and the
cybercrime-extortion group known as "The Dark Overlord," which continues
to hack into organizations' websites, hold data for ransom and cause chaos.
The Dark Overlord is especially pernicious, as seen by how the group has
shaken down Hollywood studios, leaked data stolen from healthcare clinics
as well as threatened schoolchildren's parents in Montana and Iowa, leading
some school districts to suspend classes (see Cyber Ransom Group Hits Soft
Targets: US Schools).
"The group has a history of hacking organizations to obtain sensitive
information before demanding money in exchange for not leaking it into the
public domain," according to the alert from NCSC, which includes Britain's
computer emergency response team, CERT-UK. "They leak snippets of data to
the media to encourage them to report on their activity. This is aimed at
'proving' that a breach has taken place, and increases the pressure on the
victim to pay the ransom."
Wake-Up Call
NCSC is using the group's attacks to issue a wake-up call for any
organization that stores sensitive data.
"Any organization that deals with sensitive personal information (e.g.
medical institutions, law firms) is at a higher risk of being targeted and
owes a particular duty of care to its clients because of the risk of severe
emotional distress if client data is made public," NCSC says. "Whilst
evidence of the stolen data is often provided, the volume and sensitivity
of the data may be exaggerated to maximize impact."
This isn't just "be a good citizen" advice. While NCSC doesn't name-drop
the EU's General Data Protection Regulation, enforcement begins in May
2018, when regulators can begin to impose massive fines on breached
organizations that didn't have proper cybersecurity practices in place (see
Think GDPR Won't Apply to You? Think Again).
Déjà Vu Redux
But we've been here before. The Dark Overlord, which is being investigated
by the FBI and no doubt other law enforcement agencies, is the latest in a
long line of online adversaries that can be blocked if only organizations
would put in place basic, essential information security defenses.
In 2010, it was Anonymous, followed by LulzSec - motto: "Laughing at your
security since 2011!" - and Lizard Squad, among many, many others.
If there's one commonality between attacks old and new, it's that so many
flaws exploited by attackers could have been fixed in advance. Security
experts have long warned about the need to find and eradicate SQL injection
flaws, which attackers have been exploiting for years to dump
internet-connected databases. Nevertheless, London-based telecommunications
giant TalkTalk was hacked in 2015 via a SQL injection attack against a
database that lacked patches released in 2012 that would have protected it
(see Solve Old Security Problems First).
As the famous comment attributed to Joshua Corman goes: "The Anonymous
attacks hold up a mirror to our neglect."
Don't Fear Self-Proclaimed Dark Overlords
But Anonymous did get more organizations thinking about cybersecurity, and
The Dark Overlord will no doubt do so again. If this helps not-yet-hacked
firms and especially the small businesses that The Dark Overlord seems to
favor, so much the better (see Hollywood Studio Hit By Cyber Extortion
Says: 'Don't Trust Hackers').
Studying recent attacks by the group, NCSC singles out the need to use
unique, strong passwords, to never share them and to store them using a
password manager.
"Breaches can impact systems that have not been breached if a user has a
shared password between the services," NCSC warns.
This is great, longstanding advice that all end users, organizations and
government agencies should follow (see Parliament Pwnage: Talk Weak
Passwords, Not 'Cyberattack').
4 Bogeyman Defenses
But organizations need to be doing more. Security experts' gold standard in
"if you do nothing else, then at least do this handful of things" comes
from the Australian Signals Directorate. In 2011, the ASD listed these as
being the top 4 mitigation strategies for repelling targeted cyber
intrusions:
- Using application whitelisting;
- Patching applications and operating systems;
- Using the latest versions of applications and operating systems;
- Minimizing administrative privileges.
"No single mitigation strategy is guaranteed to prevent cybersecurity
incidents," ASD says. Even so, "at least 85 percent of the adversary
techniques used in targeted cyber intrusions which ASD has visibility of
could be mitigated by implementing [those] mitigation strategies."
Since 2013, all Australian government organizations have had to comply with
those strategies. But if more organizations did so, the world would be an
even safer place (see Hacker Steals Joint Strike Fighter Plans in
Australia).
Organizations that want to further improve their odds of repelling attacks
can look to the ASD's recently revised and complete "Strategies to Mitigate
Cybersecurity Incidents" recommendations, which list 37 mitigation
strategies and rate each one for potential user resistance, upfront cost
and ongoing cost. The ASD has also listed which strategies excel at
combating targeted cyber intrusions, ransomware, external adversaries who
destroy information, and malicious insiders who steal or destroy
information.
Organizations that implement the ASD's recommendations - even just the ASD
Top 4 - stand a good chance of repelling targeted cyber intrusions by the
likes of The Dark Overlord and its inevitable descendants. Organizations
that continue to ignore these warnings get to be tomorrow's
cybercrime-bogeyman victims.