Welcome to our monthly Cyber Intelligence Report. In this edition we look at a case involving a network intrusion at a software development company, outline guidance on cloud security, and share some online resources from social media and highlights from the Cyber Information Sharing Partnership (CiSP).
Industry: Software Development
Point of Entry: Network Intrusion through leaked credentials
Apparent Objective: Steal sensitive data 

A software development company specialising in websites and applications suffered a network intrusion. The unauthorised access to their network resulted in the theft of intellectual property: the source code for their products. One of these products was a code hosting and project management tool for software development teams.

Once the attackers had access to the database behind this tool, they exfiltrated the source code for every product worked on over the past five years. The data also included a small collection of personal data belonging to an independent school.
How did this happen?
The suspects used stolen credit cards to attempt to purchase the victim's software. Several of the purchases were stopped by the bank, but two went through, and the victim sent the software and a licence key to the attackers. They were then able to use it indefinitely: the company had no way to remotely deactivate the software once it had been sold.

It's likely the attackers bought the software because they already held other compromised data; combined with the purchased software and licence key, this gave them access to the victim's database software.
The Investigation
Research eventually focused on GitHub, a leading software development platform where people often publish open source projects. Because GitHub hosts such a large volume of open source code, attackers routinely search it for accidentally committed keys and passwords. Sure enough, a review of GitHub revealed that two API keys used by the suspects had been leaked there.

API keys are effectively a form of authentication: they identify the origin of requests. When a service enrols a user or application, it issues a unique value (the API key), which is checked on every request. An attacker who obtains a developer's API key inherits whatever that key is authorised to reach, which can include the company's internal communications and files.

In this case, the API key for a company account had been available online since 2013. The investigation found that a former employee had accidentally committed an API key into the source code of an open source project that was then published. It's believed the attackers ran multiple searches on GitHub and found this compromised data.

The investigation identified a number of email addresses, IP addresses and aliases used by the suspects, and extensive intelligence enquiries were completed. The suspects used public Wi-Fi and VPNs to hide their identity, and all indications are that they had gone to great lengths to conceal who and where they were.

The investigation concluded having identified the route of intrusion and ensured that the leaked data was removed from GitHub. In addition, extensive research was conducted on the open and dark web, with assistance from the NCCU, to see if any of the stolen data had been leaked; no evidence was found that it had. Full intelligence gleaned from the investigation was shared with international partners, and protective measures were put in place to significantly reduce the likelihood of further intrusions.
Protection Advice
In circumstances such as this, there are a number of protective measures which could prevent your business falling victim to such an attack.

User Access Controls
Once an employee has left the company, can they (or anyone holding their credentials) still access critical data? Disabling their accounts and revoking any keys or tokens they held should be part of the leaver process.

Remote deactivation
Make sure that you have the ability to remotely deactivate software once sold, so that a licence obtained fraudulently can be revoked rather than used indefinitely.

Do not include credentials within publicly accessible code
Ensure that API keys and other sensitive information are never included in publicly published code. Treat any key that has appeared in a public repository as compromised: deleting it from the current version of the code does not remove it from the commit history or from copies that have already been cloned, so the key must be revoked and replaced. If you're using online hosting platforms such as GitHub, check their documentation on how to remove credentials from publicly accessible repositories (e.g.
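The investigation above turned on a key that sat in public source for years. As an added example (not code from the original report, and not any particular tool's implementation), this is the kind of check that catches it before publication: a small scanner that flags known credential formats and high-entropy values assigned to secret-looking names, suitable for a pre-commit or CI hook. The pattern set, the entropy threshold and the sample source file are constructed for illustration; the `key_` value is invented and the `AKIA` value is the placeholder AWS uses in its own documentation, so neither is a real credential.

```python
"""Pre-publication secret scan: flag credentials before code reaches a public repository.

Added example, not code from the original report. The patterns, threshold and
sample source are constructed for illustration; extend PATTERNS with the key
formats your own services issue.
"""
import math
import re
import sys
from dataclasses import dataclass

# Known credential formats. The AWS and GitHub prefixes are real formats; the
# generic rule catches anything that looks like a secret assigned to a
# secret-looking variable name, filtered by entropy to skip placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-./+=]{16,})['\"]"
    ),
}

# Bits per character. Random hex sits around 3.7-4.0, random base64 higher,
# English words and placeholders well below. Tune for your code base.
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list:
    """Return a Finding for every line that matches a credential pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "generic_assignment" and shannon_entropy(match.group(2)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: a placeholder, not a key
            findings.append(Finding(line_no, rule, line.strip()))
    return findings


# Constructed sample file. The 'key_' value is invented; the AKIA value is the
# placeholder AWS uses in its own documentation. Neither is a real credential.
SAMPLE_SOURCE = """\
import requests

API_URL = "https://api.example.com/v1"
# Committed by mistake (constructed value, not a real credential)
API_KEY = "key_4f9a2b7c1e8d3f6a9b0c2d5e7f8a1b3c"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "override_in_environment"
"""


def main(paths):
    """Scan the given files (or the built-in sample) and return a non-zero exit
    status on findings, which is what a pre-commit or CI hook needs."""
    if paths:
        texts = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}
    else:
        texts = {"<sample>": SAMPLE_SOURCE}
    total = 0
    for name, text in texts.items():
        for f in scan_text(text):
            print(f"{name}:{f.line_no}: {f.rule}: {f.snippet}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it scans the embedded sample and reports the `API_KEY` line and the AWS key ID while leaving the low-entropy `password` placeholder alone; pass file paths to scan real files. The entropy filter is what keeps the generic rule usable: without it every `password = "changeme"` in a test fixture would be a finding, and the hook would be disabled within a week.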

Access Controls
Another recommendation is that developers should not use administrator accounts for day-to-day work. Generated keys should be restricted to the specific roles and privileges an application needs. A clear process should be established for how unique keys/tokens are generated, audited, and removed.
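As an added example (not the report's or any product's code), a minimal implementation of that process: a key store that issues keys bound to an owner and a fixed set of scopes, stores only a hash of the secret, checks scope, expiry and revocation on every use, writes every event to an audit log, and revokes all of a leaver's keys in one step. The `KeyStore` class, the scope names such as `repo:read` and the demo data are assumptions for illustration.

```python
"""Scoped, expiring, revocable API keys with an audit trail.

Added example, not code from the original report or any product. Scope names,
the KeyStore API and the demo data are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key_id: str
    owner: str
    scopes: frozenset
    secret_hash: bytes      # only the hash of the secret is stored
    expires_at: float
    revoked: bool = False


class KeyStore:
    """Issues and validates keys of the form '<key_id>.<secret>'."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._records = {}
        self.audit_log = []

    def _audit(self, event, **details):
        self.audit_log.append({"ts": self._clock(), "event": event, **details})

    @staticmethod
    def _hash(secret: str) -> bytes:
        # Plain SHA-256 is adequate here because the secret is 256 bits of
        # randomness, not a user-chosen password; a leaked hash is not invertible.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, owner: str, scopes, ttl_seconds: float) -> str:
        """Create a key limited to the given scopes and lifetime; the plaintext
        secret is returned once and never stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(
            key_id, owner, frozenset(scopes), self._hash(secret), self._clock() + ttl_seconds
        )
        self._audit("issue", key_id=key_id, owner=owner, scopes=sorted(scopes))
        return f"{key_id}.{secret}"

    def check(self, presented: str, required_scope: str):
        """Return (allowed, reason). Every outcome is audited, including failures."""
        key_id, sep, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if not sep or rec is None:
            reason = "unknown_key"
        elif not hmac.compare_digest(rec.secret_hash, self._hash(secret)):
            reason = "bad_secret"          # constant-time comparison
        elif rec.revoked:
            reason = "revoked"
        elif self._clock() >= rec.expires_at:
            reason = "expired"
        elif required_scope not in rec.scopes:
            reason = "scope_denied"        # least privilege: a key cannot escalate
        else:
            reason = "ok"
        self._audit("check", key_id=key_id, scope=required_scope, result=reason)
        return reason == "ok", reason

    def revoke(self, key_id: str, reason: str) -> None:
        rec = self._records[key_id]
        rec.revoked = True
        self._audit("revoke", key_id=key_id, owner=rec.owner, reason=reason)

    def revoke_owner(self, owner: str, reason: str) -> int:
        """Leaver process: revoke every live key the owner holds. Returns the count."""
        ids = [r.key_id for r in self._records.values() if r.owner == owner and not r.revoked]
        for key_id in ids:
            self.revoke(key_id, reason)
        return len(ids)


def demo():
    """Walk the lifecycle with a controllable clock; returns the outcome of each check."""
    now = [1_700_000_000.0]
    store = KeyStore(clock=lambda: now[0])
    ci_key = store.issue(owner="alice", scopes={"repo:read"}, ttl_seconds=3600)
    key_id = ci_key.split(".")[0]
    results = {
        "read": store.check(ci_key, "repo:read")[1],
        "write": store.check(ci_key, "repo:write")[1],
        "tampered": store.check(key_id + ".not-the-secret", "repo:read")[1],
    }
    results["revoked_count"] = store.revoke_owner("alice", reason="left the company")
    results["after_offboarding"] = store.check(ci_key, "repo:read")[1]
    short_key = store.issue(owner="bob", scopes={"repo:read"}, ttl_seconds=60)
    now[0] += 61
    results["expired"] = store.check(short_key, "repo:read")[1]
    results["audit_events"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry the advice. Scopes are fixed at issue time, so a build server's read-only key cannot be turned into a write key by the holder; and access ends only when the server-side record says so, which is also what "remote deactivation" of a sold licence amounts to: the client must consult a revocable server-side record rather than validate a key offline.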
Cloud Security: Things to Consider
Cloud based services have exploded in popularity, with the expectation being that the majority of businesses will be using them in the coming years. Although there can be huge security benefits associated with moving to a good cloud service, there are some principles which should be adhered to in order to reap those benefits. These are discussed below:
> Supply Chain Security

You should be evaluating cloud service providers to the same level of standards as any other part of your supply chain. Consider the following points:

- How is your information shared with other parties?

- What security requirements do you have in place, and do they have the same stipulations?

- How does the supplier evidence that their software/hardware has not been tampered with? (e.g. the Cyber Essentials scheme, relevant kite marks and standards)
> Audit Information 

You should be given access to the audit information of your data and services. This is crucial, as you should have the ability to identify whether there has been any unauthorised access to your digital property. You should be aware of:

- What information you will be given (e.g. the format, retention period).

- How useful the information will be in the event of any misuse or investigatory concerns.
> Inspecting Data Centres

Ideally, you should be able to actually inspect the data centres of your cloud service provider. To make this more achievable, it can be a good idea to stipulate that data be stored within the country of operation (if possible). Look out for:

- Resilience to environmental hazards, such as risk of flooding, power outages, or other structural damage.

- Sufficient physical controls. These could be temperature regulation systems, or fire extinguishing measures as examples.
> Equipment Disposal

All equipment potentially containing your data needs to be identified at the end of its life, and properly disposed of.
> Operational Security

You should have an accurate picture of the assets which make up your desired service. This includes:

- What changes will affect which of your services, and how those changes will be administered - including timescales.

- What vulnerabilities are present with the provider's currently utilised assets.

- What backup procedures are utilised by the provider? Are there multiple options and failsafes available?
> Incident Management Plans

It's impossible to guarantee that there will be no disruptive incidents to your provider's service. For this reason, it's imperative that your provider has an effective Incident Management Plan. You should know what this looks like in practice, where responsibilities lie, at what stage you will be notified, and how involved you need to be.
> Personnel Security

Are the provider's staff vetted to a suitable level? How many of those staff have access to your information and service? These are the sorts of questions you should be bearing in mind when discussing this area.
> Secure Development

Services should be designed and developed to identify and mitigate threats to their security. This should apply at all different levels including development, testing, and deployment.
> Secure User Management

Your provider should make the tools available for you to securely manage your users of their service. This refers to authentication to control dashboards and other constituent parts where access controls can apply. Where possible, the 'principle of least privilege' should be used (i.e. users should be given the least amount of access to be able to do their job).
> External Interface

All external facing services, particularly those which accept connections from any location, are more exposed to attacks. These services need stronger authentication and access controls employed. Encryption can be another consideration (e.g. is data encrypted only after reaching the cloud? How and where will the encryption keys be stored?)
> Data Isolation

There are more than a few case studies circulating the web where poorly configured cloud services have resulted in users being granted access to other organisations' data. To reduce this risk, consider requesting that your data be held on dedicated, single-tenant hardware (note: this option is typically more expensive than shared options).
> Service Level Agreements (SLA)

All of the above points should be defined in a Service Level Agreement (SLA) between you and the provider. This should detail responsibilities and liabilities for various circumstances. For example, what happens to the data if the provider goes out of business?

It should also be said that, as all of these principles are fairly broad, you need to consider the specifics of your organisation's needs, and outline these in the SLA accordingly.
European Cyber Security Awareness Month will be kicking off in October! This global initiative will cover a different theme for each week, including Practicing Basic Cyber Hygiene, Recognising Cyber Scams, Expanding Digital Skills and Education and Emerging Technologies and Privacy. Find out more about the campaign, including what's gone on in the past, at
Charity Fraud Awareness Week
October is shaping up to be a busy month, alongside ECSAM is the Charity Fraud Awareness week courtesy of CFA. Monday is Cyber Fraud day, so if the campaign is applicable to you, then please support the initiative. Information can be found at
Highlights from CiSP
The Cyber Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business. Below are a few highlights summarising the breadth of topics that feature regularly on the platform.

Spammers Make Mistakes Too
An interesting insight into how some phishing emails are crafted was shared by a CiSP user. An attacker accidentally sent through an entire email template whose code had failed to execute correctly, leaving a garbled collection of phrases, extortion claims and ransom demands. Apart from providing admins with useful metadata for blocking future extortion attempts, the template is a great opportunity to remind users that these emails are often not targeted and rely on 'spray and pray' intimidation tactics. You can find an excerpt below:

Computer Software Service Fraud

CiSP users have reported a new twist on tech support scams. Attackers have been masquerading as legitimate companies and offering to fix supposedly faulty routers or broadband - nothing particularly new here. However, they have then gone on to provide fake websites with their contact details on as evidence that they are who they say they are. Remember, if you're ever in doubt as to whether contact is genuine, always independently look up the official contact details and go through that route to verify claims.

If you're a South West based business or organisation, and want access to threat information and the opportunity to engage in relevant discussions around cyber security, please get in touch with us through email or social media and we can sponsor your CiSP application.
Got a minute?
We're constantly seeking feedback on our work, and are keen to hear from anyone with a view of what we do, what we could do better and what we can do to help. With this in mind, we have included a quick survey link below. We would greatly appreciate if you can spare the time to offer your opinion on the Intelligence Report as a newsletter. Thank you.

Survey Link via SurveyMonkey can be found here:
Copyright © 2018 SW Regional Cyber Crime Unit, All rights reserved.
