NCSC - Weekly Threat Report 20th October 2017 @ncsc #cybersecurity

This report is drawn from recent open source reporting.

KRACK – a fundamental flaw in Wi-Fi security

Security researchers from Belgium have found that the majority of Wi-Fi connections are potentially vulnerable to exploitation because of a fundamental weakness in the wireless security protocol – WPA2. The exploit is called “KRACK”, which is short for Key Reinstallation Attack. Reports suggest that at most risk are Linux operating systems, Internet of Things (IoT) devices and 41% of Android devices. However, many of these, especially IoT devices, may never get patched.

For further detail on this flaw, please see our KRACK guidance and the latest blog.

Swedish transport networks hit by DDoS attacks

Media reported last week that trains were delayed in Sweden after the transport sector was successfully targeted by a series of DDoS attacks. On 11 October, two communication service providers serving the Swedish Transport Administration (Trafikverket) were hit by a DDoS attack, reportedly causing the Trafikverket’s train management system to go down for several hours. Consequently, manual procedures had to be used to handle rail traffic, resulting in delays for the rest of the day. The company also had to resort to using Facebook to keep customers updated as its email system and website were also unavailable. The following day, DDoS attacks targeted the Swedish Transport Agency (Transportyrelsen) and a public transport operator serving Western Sweden (Västtrafik). The impact of these attacks was less severe, briefly affecting web services including ticket booking.

Some media reports speculate that a state-linked actor may have been responsible, however investigations into the incidents continue. Overall, the case highlights how transport firms can be impacted by attacks on third party service providers (in this case, Trafikverket’s communication service providers).

Cyber-enabled intimidation of NATO personnel in Baltics

According to open source reporting, advanced surveillance techniques (possibly including drone monitoring and/or IMSI grabbing) are being used to pull data from personal smartphones of NATO personnel despite warnings not to use them following previous incidents. There are accounts of personnel then being approached in public by individuals who convey details pulled from smartphones – in one example details about the personnel’s family.

This is not the first time NATO personnel operating in Europe have reported call interference or unusual behaviour by their mobile phones. Mobile devices operating over the public telephone system are susceptible to exploitation including interception of communications or tracking of the user. The capability to mount operations against personal electronic devices, including the use of rogue cell towers is within technical and financial reach of well-resourced threat actors. However, the more recent reporting is different as exploitation of devices has been followed up by personal approaches.

It is almost certain that personal mobile devices will increasingly become targets for a wide range of threat actors due to the amounts of personal information they hold, which is useful for espionage, targeting and criminal purposes. Personal mobiles are susceptible to a range of compromise vectors and have widely varying levels of cyber hygiene. This threat could expand beyond NATO personnel to businesses operating in the region or individuals traversing these areas on business or personal trips.

National Cyber Security Centre Threat Report