NCSC Threat Report Poster

NCSC Threat Report – 22nd December 2022

NSA publish threat hunting report to detect exploitation of Citrix ADC vulnerabilities

The National Security Agency (NSA) in the US has, with its partners, published a report to help network defenders detect suspicious activity in Citrix ADC environments.

This follows NSA findings that the APT5 threat actor has demonstrated capabilities against the Citrix Application Delivery Controller (ADC). The report includes behavioural checks in logs and YARA signatures.

Threat actors are known to regularly exploit vulnerabilities to gain unauthorised access to networks of interest, as the NCSC and international partners have highlighted previously in a joint advisory.

The NCSC has guidance on vulnerability management for organisations.

End of support for Windows 8.1 is close

Organisations and users are reminded that support for the Microsoft operating system Windows 8.1 will end on 10 January 2023. When support ends, a vendor no longer releases updates. Running out-of-support operating systems presents a real security threat.

Microsoft also recently confirmed that, for this reason, its browser Edge version 109 and WebView2 Runtime version 109 – to be released on 12 January 2023 – will be the last versions to support Windows 8.1, as well as Windows 7 and 8.

Google had already announced it would end support for its Chrome browser on Windows 7, Windows 8/8.1 in February 2023.

The NCSC has advice for organisations on keeping software up to date and managing obsolete products.

Researchers offer supply chain lessons to remember

Researchers at Jscrambler, an application security company, have described how attackers took advantage of an old domain and code to launch supply chain attacks over many years.

In 2010 a company called Cockpit offered a free service for analytics and marketing. E-commerce sites using the service incorporated the third-party JavaScript code into their sites. But when Cockpit ended the service four years later, many companies using it never removed the code from their sites.

Cyber criminals took control of the now unused domain and where the code was still in place, input their own code to monitor data inputs, and even added additional data fields onto webpages to ask for personal data.

Once on victim networks, the attackers were then able to steal customer data and tailor their malware to facilitate further attacks.

You can read Jscrambler’s cautionary tale on their website, but it’s an important reminder to check your logs and any web-based supply-chain links you may be using.

The NCSC’s ‘How to assess and gain confidence in your Supply Chain cyber security’ is another good piece of guidance to bookmark for the new year.

Organisation warns of potential for phishing lures after an attack

Following a ransomware attack affecting its hosted Microsoft Exchange environment, the US cloud provider Rackspace has cautioned customers to be extra alert to phishing emails that may try to exploit news of the attack.

Cyber attackers are always looking for new phishing lures and this is another example of how attackers could take advantage of an event in the news.

Phishing emails continue to be a much-used attack vector. The NCSC has phishing guidance for organisations and has also recently published a blog on technical measures that organisations can take to significantly reduce the chance of phishing attacks, while also reducing the burden of responsibility on users not to click.

Recent posts