Costly mistakes

In early August, there was news of a data breach at the Police Service of Northern Ireland (PSNI), which mistakenly shared a spreadsheet online in response to a Freedom of Information request, revealing the personal details of police officers and civilian staff members including surname, first initial, rank or grade, where they were based and the unit they worked in. The request was for a summary of the total number of officers and staff at all ranks across the organisation, but a member of staff mistakenly included the source data in the response. This was publicly available for a few hours before it was removed at the request of PSNI. Police officers in Northern Ireland have been targeted by republican paramilitary groups and the breach therefore caused deep concern among PSNI officers and their families, with the terrorism threat level in the region categorised as severe.

There had been a previous data breach in July in which a laptop and documents identifying more than 200 staff members were stolen from a private vehicle. These incidents highlight the responsibility and duty of care that employers have to safeguard and protect their employees’ personal data, particularly in high-risk roles. 

Exploitation of old vulnerabilities

Threat actors are taking advantage of the fact that organisations do not always patch their systems timely to address known vulnerabilities. According to a joint advisory issued by the UK National Cyber Security Centre and its allies, more than half of the top 12 routinely exploited vulnerabilities in 2022 also appeared in the previous year’s list. 

While there may be a perception that attackers would prefer to exploit new vulnerabilities that organisations may be less aware of and would have had less time to address, the advisory presents evidence that older vulnerabilities are also attractive as code to exploit the vulnerabilities is often publicly available, meaning less time and effort is required to exploit the vulnerabilities.

As highlighted in the guidance, it is important for organisations to have good vulnerability and threat management, including tools and processes to identify and prioritise vulnerabilities and to patch those that present significant risks quickly. When using vendor supplied software, it is critical to be comfortable with how vendors manage vulnerabilities in their products and to ensure there is good engagement, including a process to be notified of vulnerabilities, incidents and availability of patches.

Democracy under threat?

The UK Electoral Commission provided a public notification that it had been the subject of a cyber attack. According to the notification, the registers contained the names and addresses of anyone registered as an overseas voter, anyone registered to vote in Great Britain between 2014 and 2022, and anyone registered in Northern Ireland in 2018. 

Although some of this data may already have been in the public domain, there are concerns that it can be combined with other publicly available data for activities such as profiling individuals. Some reports point to suspicion that the attack could be linked to hostile state actors, such as Russia.

Threat actors can gain unauthorised access to systems and remain undetected for an extended period. Implementing strong network monitoring tools can help to detect threats more quickly. The UK National Cyber Security Centre has developed a guide on Building a security operations centre to help organisations set up a security monitoring capability in line with their level of threat and available resources.

Another social engineering attack

Microsoft’s Threat Intelligence team has published a blog to notify its users of targeted social engineering over Microsoft Teams. It is believed to be the work of a Russia-based group it tracks as Midnight Blizzard (previously Nobelium) and the motive is believed to be espionage.

The attack targets small businesses in the government, non-government organisations, IT services, technology, discrete manufacturing and media sectors. The target organisations’ Microsoft 365 tenants are compromised and used to create new domains that appear to be technical support entities. They then use Teams messages masquerading as a technical support or security team to contact victims and get them to enter their Multi Factor Authentication (code into the Microsoft Authenticator app on their mobile device, granting the threat actor a token to access their Microsoft 365 account. 

As with any social engineering lures, organisations are encouraged to remind users of security best practices to and reinforce that any authentication requests not initiated by the user should be treated as malicious. The blog also provides additional technical recommendations for organisations to implement to reduce the risk of the threat.

Got an interesting cyber story for us? Email techfac@icaew.com.