Cybersecurity News of the Month - June 2022

Welcome to the second instalment of our monthly “Cyber Security News of the Month”. In this blog, we look back at last month's cyber security breaches, cyber security awareness news and the hot topic of the month.

Be sure to subscribe to our monthly newsletter to receive the latest cyber security news and advice.


Latest Cyber Security Breaches


1. Yodel parcel delivery service disrupted by cyberattack

UK-based delivery company Yodel faced disruptions due to a cyberattack in June. Details of the incident have yet to be published, but the attack has caused delays in parcel distribution and in online order tracking.

Hints of a cyber security incident
eBay sellers were the first to be informed of the incident through a private message noting that the company was “working through the nature and full impact of the cyber incident.” Customers awaiting package deliveries were heavily impacted and unable to use Yodel's tracking system or customer services which were offline according to reports.



Working to get its systems back online

The company launched an investigation into the incident, in addition to working on getting the systems back online. The investigation was led by their internal IT division and supported by an external IT forensics group. “Yodel would like to sincerely apologise to their clients and their customers for any disruption this incident may have caused, and reassure them that the team are working around the clock to resolve this incident”, Yodel’s spokesperson said. The delivery service assured its customers that no personal information was accessed during the cyber incident as it does not hold or process such data. In a post regarding the service disruption, Yodel has advised its clients to avoid responding to any unsolicited communications asking for personal information or referring to web pages requiring such information.


2. Municipality of Palermo, Italy shuts down systems in light of cyber attack

On June 2nd, the municipality of Palermo in Italy suffered a cyber attack which impacted a number of operations and services to both citizens and tourists visiting the area. The impacted systems included public video surveillance management, the police operations centre and online portals. In addition, the cyber attack made it impossible to communicate or request any service that relies on the digital systems and tourists visiting the area were unable to access online bookings for museum and theatre tickets, or confirm reservations at sports facilities.


Indications of a ransomware attack
Paolo Petralia Camassa, councillor for innovation in Palermo, stated that when the attack was discovered, systems were shut down and isolated from the network.


Update on the incident

On June 12th, the ransomware attack was confirmed and a list of documents taken from the municipality's IT infrastructure was shared. The listed documents contained sensitive health information, identity documents including driver's licences, and residential information of Palermo citizens. Palermo is home to about 1.3 million people, making it the fifth most populous city in Italy. The area is visited by another 2.3 million tourists every year.


3. Germany's Green Party reports cyber incident

In early June, Germany’s Green Party confirmed that a cyberattack had affected its IT systems. The attack affected the party’s intranet IT system, “Grüne Netz”, where it exchanges confidential information. It also affected email accounts, including those of two government ministers, Annalena Baerbock and Robert Habeck, and party co-leaders Omid Nouripour and Ricarda Lang.

The party spokesperson stated that “more than these email addresses are affected. It is about emails with the domain ‘@gruene.de’.” The spokesperson declined to say whether German government officials were also affected.

The party also noted that their network logs showed no signs of the increased traffic volumes that would point to the theft of a large amount of data. The investigation into the cyber incident is ongoing.


4. Ready meal distributor Apetito disrupted by cybersecurity attack

Apetito, a UK ready meal distributor, has had its services disrupted following a sophisticated cybersecurity incident.

The company CEO stated that Apetito was unable to fulfil orders on June 30 following the cyber incident which took place over the weekend. The attack has impacted hospitals, care homes, schools, childcare facilities and vulnerable people across the country.


The extent of the attack
Customers were advised that deliveries were expected to run normally on the Monday after the attack, as orders had already been picked before the incident occurred.

In response to the attack, a plan was put in place to test “a limited number of deliveries from a manual system” and if this proved successful, would be extended further.

The company's subsidiary Wiltshire Farm Foods, who deliver frozen ready meals, managed to make a limited number of local deliveries but were unable to take any orders via phone, through the website or the app. Fulfilment of orders was expected to resume from the 4th of July.


The extent of the breach
Apetito have stated that they are confident that their customers' payment card data has not been compromised, as these details are not held in-house.

In regards to personally identifiable information (PII), they are seeking to establish if this has been compromised. As of yet, an update on this has not been published.

In a statement, Paul Freeston, CEO of Apetito UK, said “Our crisis management team is meeting multiple times each day to review progress, direct resources and respond to emerging issues”. He added that Apetito would continue providing updates at least daily.

“I would like to thank our customers and other contacts who are being so supportive during this issue. Our team continues to work tirelessly on the recovery and I am very grateful for their amazing efforts.”


Cybersecurity Awareness


Facebook Business pages targeted by chatbot phishing campaign

A social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers is targeting business pages through a campaign that incorporates Facebook's Messenger chatbot feature.

These attacks typically start as an email claiming that the user's page will be terminated in 48 hours due to a violation of Facebook's policies.

The sender, purporting to be from Facebook's support team, claims to be giving users a chance to appeal, and offers an "Appeal Now" button to click directly from the email. Instead of the usual link click and download prompt, the link leads to a tech-support type channel that asks for information you would typically expect tech support to ask for, including name, email address and phone number.

Once the information is submitted, a pop-up window appears asking for the victim's password.

When complete, all of the data collected is sent directly to the malicious actor's database and the victim is redirected to Facebook's official Help Centre.


Phishing Attacks Hit An All Time High - 1 million attacks in Q1 2022

According to the Q1 2022 report by the Anti Phishing Working Group (APWG), the first quarter of the year saw phishing attacks hit a record high, exceeding 1 million for the first time.

Phishing attacks on the financial sector, including banks, accounted for 23.6% of phishing attacks in the first quarter. The financial sector was followed closely by SaaS and Webmail at 20.5%.


Latest report on cyber threats to sports organisations within the UK

The latest report by the National Cyber Security Centre on 'Cyber Threat to Sports Organisations' notes that cyberattacks against sports organisations are very common, with 70% of those surveyed experiencing at least one attack per year. This is significantly higher than the average across UK businesses.

30% of sports organisations in the UK have recorded over 5 cybersecurity incidents in the past 12 months, with 70% having experienced at least one cyber incident.

The cost per incident varied considerably from under €583 (£500) through to over €116,708 (£100,000). The average cost was more than €11,670 (£10,000) per incident.


Hot Topic of the Month


Security researchers at RedHunt Labs have seemingly uncovered over 1.6 million secrets leaked by websites, including 395,000 exposed by a million of the most popular domains.


What are web application secrets?
Building a web application at any scale can be a difficult task. There are often a myriad of moving parts behind even the simplest functionality. Because of this complexity, developers tend to embed secrets within the application source code. As the code base grows, developers often fail to redact the sensitive information before deploying it to production. These secrets can include API keys, cryptographic or other credentials within the JavaScript files in the client-side source code.


Exposing the secrets of a website
Researchers at RedHunt Labs undertook a non-invasive probe of millions of website home pages in an attempt to understand the cyber security posture of the internet as a whole.

Commenting on the experiment, security researcher Pinaki Mondal stated that “The number of secrets exposed via the front end of hosts is alarmingly huge. Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise”.

The first scans focused primarily on one million websites with a large amount of traffic. They discovered 395,713 secrets, of which 77% were related to Google services including:

  • Google reCAPTCHA - Accounted for over half of the secrets discovered.
  • Google Cloud
  • Google OAuth


The second set of scans focused on approximately 500 million hosts which resulted in 1,280,920 secrets discovered, of which the main secrets came from:



JavaScript
From the scans, researchers discovered that 77% of exposures occurred in the frontend JavaScript files.

In the majority of cases, the JavaScript files were served through the websites' content delivery networks (CDNs), with Squarespace's content delivery network accounting for the majority of exposures at 197,000.

The problem is said to result from the complexities of the “software development lifecycle. As the code-base enlarges, developers often fail to redact the sensitive information before deploying it to production”.
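
As an added example (not code from RedHunt Labs or from this blog), here is a small Node.js check that scans built front-end JavaScript for secret-looking strings before it is deployed. The two rule patterns, the entropy threshold and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: flag secret-looking strings in built client-side JavaScript.
// Rule patterns are heuristics chosen for this sketch, not RedHunt Labs' rules.
const RULES = [
  // Commonly used heuristic for Google API keys: "AIza" + 35 URL-safe chars.
  { id: "google-api-key", re: /AIza[0-9A-Za-z_-]{35}/g },
  // A secret-sounding property or variable assigned a long string literal.
  { id: "generic-assignment",
    re: /(?:api[_-]?key|secret|passw(?:or)?d|token)["']?\s*[:=]\s*["']([^"']{16,})["']/gi },
];

// Shannon entropy in bits per character; placeholder values score low.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Never echo a full candidate secret into build logs.
function redact(value) {
  return `${value.slice(0, 4)}... (${value.length} chars)`;
}

// Returns one finding per match: file, 1-based line, rule id, redacted preview.
function scanSource(file, text, minEntropy = 3.5) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      const value = m[1] ?? m[0];
      // Suppress obvious placeholders caught by the generic rule.
      if (id === "generic-assignment" && shannonEntropy(value) < minEntropy) continue;
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ file, line, rule: id, preview: redact(value) });
    }
  }
  return findings;
}

// Constructed sample bundle; every value below is fake.
const FAKE_GOOGLE_KEY = "AIza" + "EXAMPLE_constructed_key_000000000000".slice(0, 35);
const SAMPLE_BUNDLE = [
  `var cfg={mapsKey:"${FAKE_GOOGLE_KEY}"};`,
  `var svc={apiSecret:"q8Zr2LmV0xTn5KbY7dWc"};`,
  `var form={password:"xxxxxxxxxxxxxxxxxxxx"};`, // placeholder, low entropy
].join("\n");

console.table(scanSource("app.min.js", SAMPLE_BUNDLE));
```

A finding is a prompt for review rather than proof of a leak: some keys are meant to be public and should be restricted by referrer or scope, while anything that grants server-side access belongs outside the client bundle.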


How to secure your web applications

Daire Kennedy, security consultant at Secora, recently discussed the most frequently encountered web application vulnerabilities and how you can remediate them. Read the full blog here.
