Tag Archives: attack

New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It has been a terrible start to the new year for Intel.

Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally.

As Intel was rushing out patches for the Meltdown and Spectre vulnerabilities, security researchers disclosed a separate issue in Intel's Active Management Technology that could allow attackers to gain remote access to corporate laptops.

Finnish cyber security firm F-Secure reported unsafe and misleading default behaviour in Intel Active Management Technology (AMT) that could allow an attacker to bypass the login process and take complete control of a user's device in less than 30 seconds.

AMT is an out-of-band management feature built into Intel business chipsets that lets IT administrators and managed service providers remotely monitor, manage and repair the PCs, workstations and servers in their fleet, even when the operating system is not running.

The issue lets anyone with brief physical access to an affected laptop enable AMT remote administration without knowing any of the machine's usual credentials (user login, BIOS and BitLocker passwords, or the TPM PIN), leaving a persistent backdoor for later exploitation.

Normally, setting a BIOS password prevents an unauthorised user from booting the device or changing the boot process. That protection does not extend here.

The BIOS password does not guard the Intel Management Engine BIOS Extension (MEBx), the separate configuration menu for AMT, which is protected only by its own password. An attacker who reaches MEBx can therefore configure AMT and make remote exploitation possible.

Although researchers have found severe AMT vulnerabilities in the past, the newly disclosed issue is of particular concern because it:

  • is trivial to exploit, without writing a single line of code,
  • affects most Intel-based corporate laptops, and
  • gives attackers persistent remote access to the affected system for later exploitation.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential,” said F-Secure senior security researcher Harry Sintonen, who discovered the issue in July last year.

“In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

According to the researchers, the newly discovered bug has nothing to do with the Spectre and Meltdown vulnerabilities recently found in the microchips used in almost all PCs, laptops, smartphones and tablets today.

Here’s How to Exploit this AMT Issue

To exploit the issue, an attacker with physical access to a machine protected by login and BIOS passwords only needs to reboot or power on the PC and press CTRL-P during boot, as F-Secure's researchers demonstrated in a video accompanying their report.

The attacker then can log into Intel Management Engine BIOS Extension (MEBx) with a default password.

The default MEBx password is "admin", which in practice is frequently left unchanged on corporate laptops.

Once logged in, the attacker changes that password, enables remote access, and sets AMT's user opt-in to "None", so that remote KVM sessions no longer require a consent code to be read from the victim's screen.

The machine is now effectively backdoored: the attacker can reach it remotely from any host on the same wired or wireless network as the victim, and because AMT runs in the Management Engine below the operating system, reinstalling the OS or encrypting the disk does not remove the access.

Although exploitation requires physical access, Sintonen explained that the speed of the attack makes it practical: a minute's distraction is enough to do the damage.

“Attackers have identified and located a target they wish to exploit. They approach the target in a public place—an airport, a café or a hotel lobby—and engage in an ‘evil maid’ scenario,” Sintonen says.

Essentially, one attacker distracts the mark while the other briefly gets hold of the laptop. The whole operation can take well under a minute.

Together with the CERT Coordination Center (CERT/CC) in the United States, F-Secure has notified Intel and the relevant device manufacturers and urged them to address the issue.

Meanwhile, users and IT administrators are advised to set a strong MEBx password on every device (or disable AMT where the firmware offers that option), to check already-deployed laptops for AMT that has been provisioned without the IT department's knowledge, and never to leave a laptop unattended in a public place.
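One way to perform that check across a fleet is to look for the AMT management interface itself: a laptop whose AMT has been provisioned through MEBx, whether by IT or by an attacker following the steps above, answers on TCP 16992 (HTTP) and 16993 (HTTPS) and names itself in the HTTP Server header. The script below is an added example for this article, not code from F-Secure or Intel; the port numbers and header text come from Intel's AMT documentation, and the sample response is constructed so the parser can be exercised offline.

```python
"""Inventory check for Intel AMT on a network segment.

Added example for this article, not code from F-Secure. A host that answers
on the AMT ports but is not in IT's own list of provisioned machines
deserves a look. The port numbers (16992/16993) and the Server header text
come from Intel's AMT documentation; the sample responses are constructed."""
import re
import socket
from typing import Dict, Iterable, List, Optional

AMT_HTTP_PORT = 16992   # Intel AMT web UI / WS-Management over HTTP
AMT_HTTPS_PORT = 16993  # same over TLS

_STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})", re.M)
_SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology(?:\s+([\d.]+))?",
    re.M | re.I)


def parse_amt_banner(raw: bytes) -> Optional[Dict[str, str]]:
    """Return {'status': ..., 'version': ...} if the HTTP response came from
    Intel AMT, or None for anything else (nginx, a printer, an empty reply)."""
    text = raw.decode("latin-1", errors="replace")
    server = _SERVER_RE.search(text)
    if server is None:
        return None
    status = _STATUS_RE.search(text)
    return {
        "status": status.group(1) if status else "?",
        "version": server.group(1) or "unknown",
    }


def probe_amt(host: str, port: int = AMT_HTTP_PORT,
              timeout: float = 2.0) -> Optional[Dict[str, str]]:
    """Talk to a live host: send a minimal GET and parse what comes back.
    A refused connection means AMT is not provisioned (or is firewalled)."""
    request = (f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


def unexpected_amt_hosts(findings: Dict[str, Optional[Dict[str, str]]],
                         sanctioned: Iterable[str]) -> List[str]:
    """Given {host: probe result} and the machines IT itself provisioned,
    return the hosts where AMT is reachable but IT did not set it up."""
    allowed = set(sanctioned)
    return sorted(h for h, info in findings.items() if info and h not in allowed)


# Constructed samples: an AMT 11.x answer to GET /index.htm, and a non-AMT host.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3399\r\n"
    b"Content-Type: text/html\r\n\r\n<html>...</html>")
SAMPLE_OTHER_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\n\r\n"

if __name__ == "__main__":
    import sys
    # usage: python amt_scan.py 10.0.0.5 10.0.0.6 ...
    for target in sys.argv[1:]:
        print(target, probe_amt(target))
```

Compare the hosts that answer against the list of machines IT provisioned itself; anything else is either an unknown provisioning or an attacker's handiwork, and in both cases the MEBx password should be reset and the AMT configuration reviewed on that machine.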

Hackers Targeting Servers Running Database Services for Mining Cryptocurrency


Security researchers have discovered multiple attack campaigns by an established Chinese criminal group operating worldwide that target database servers to mine cryptocurrency, exfiltrate sensitive data and build a DDoS botnet.

Researchers at security firm GuardiCore Labs analysed thousands of attacks launched in recent months and identified at least three attack variants (Hex, Hanako and Taylor) targeting MS SQL and MySQL servers on both Windows and Linux.

The three variants have different goals: Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines, Taylor installs a keylogger and a backdoor, and Hanako turns infected devices into a DDoS botnet.

So far, researchers have recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month; most compromised machines are in China, with others in Thailand, the United States, Japan and elsewhere.

To gain access to the targeted database servers, the attackers brute-force the database login and then run a series of predefined SQL commands to establish persistence and evade audit logging.

Notably, the attackers launch the attacks and serve their malicious files from a network of already compromised systems, which makes their infrastructure modular and harder to take down.


For persistent access to the victim's database, all three variants (Hex, Hanako and Taylor) create backdoor users in the database and open the Remote Desktop port, allowing the attackers to come back and download and install the next stage: a cryptocurrency miner, a RAT or a DDoS bot.

“Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands,” the researchers wrote in their blog post published Tuesday. 

“The anti-virus targeted is a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard.”

Finally, to cover their tracks, the attackers delete the Windows registry entries, files and folders they no longer need, using predefined batch files and Visual Basic scripts.

Administrators can check for the following usernames in their databases and operating systems to identify whether this group has compromised them:

  • hanako
  • kisadminnew1
  • 401hk$
  • Guest
  • Huazhongdiguo110
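Two checks follow directly from these findings: the brute-force phase leaves a trail of failed logins in the database server's own log, and the persistence phase leaves the account names listed above. The script below is an added example, not GuardiCore's tooling; the log lines are constructed, with wording that follows MySQL's "Access denied for user" error-log message and SQL Server's "Login failed for user" ERRORLOG message, both of which are written on every failed login.

```python
"""Two checks derived from the GuardiCore findings above: (1) find brute-force
login attempts against MySQL or SQL Server in their own logs, and (2) flag the
backdoor account names the Hex, Hanako and Taylor variants create.

Added example, not GuardiCore's tooling. The sample log lines are constructed.
Run it against real logs by passing an open file to the functions."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Account names reported by GuardiCore as created by this campaign.
# 'Guest' exists by default on Windows, so on the OS check whether it has
# been enabled; in a database user table it should not exist at all.
IOC_ACCOUNTS = {"hanako", "kisadminnew1", "401hk$", "guest", "huazhongdiguo110"}

# MySQL error log: ... Access denied for user 'root'@'203.0.113.7' (using password: YES)
_MYSQL_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
# SQL Server ERRORLOG: Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.7]
_MSSQL_DENIED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<host>[^\]]+)\]")


def failed_logins(lines: Iterable[str]) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Count failed logins per source address and record the user names tried."""
    per_source: Counter = Counter()
    users: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = _MYSQL_DENIED.search(line) or _MSSQL_DENIED.search(line)
        if m:
            per_source[m.group("host")] += 1
            users[m.group("host")].add(m.group("user"))
    return per_source, users


def brute_force_sources(lines: Iterable[str],
                        threshold: int = 10) -> Dict[str, Tuple[int, List[str]]]:
    """Sources with at least `threshold` failures; a password-guessing client
    typically also cycles through several user names, which is reported too."""
    per_source, users = failed_logins(lines)
    return {src: (n, sorted(users[src]))
            for src, n in per_source.items() if n >= threshold}


def suspicious_accounts(accounts: Iterable[str]) -> List[str]:
    """Match account names (e.g. from `SELECT User FROM mysql.user` or
    `SELECT name FROM sys.sql_logins`) against the campaign's IOC list."""
    return sorted({a for a in accounts if a.lower() in IOC_ACCOUNTS})


# Constructed sample: 12 guesses from one address alternating two user names,
# plus one ordinary failure from an internal application host.
MYSQL_LOG = [
    f"2017-12-19T10:00:{i:02d}.000000Z {i + 3} [Note] Access denied for user "
    f"'{'root' if i % 2 else 'sa'}'@'203.0.113.7' (using password: YES)"
    for i in range(12)
] + ["2017-12-19T10:05:00.000000Z 40 [Note] Access denied for user 'app'@'10.0.0.5' "
     "(using password: YES)"]

# Constructed sample in SQL Server's ERRORLOG wording: 15 failures for 'sa'.
MSSQL_LOG = [
    "2017-12-19 10:00:01.00 Logon       Login failed for user 'sa'. Reason: Password "
    "did not match that for the login provided. [CLIENT: 198.51.100.9]"
] * 15
```

The source addresses this reports are the ones to block at the firewall and, as the researchers say below, to compare against the short list of machines that are allowed to reach the database at all; a hit from `suspicious_accounts` means the server is already past the brute-force stage and should be treated as compromised.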

To prevent compromise, the researchers advise administrators to follow the database hardening guides published by MySQL and Microsoft rather than relying on a strong password alone.

“While defending against this type of attacks may sound easy or trivial—’patch your servers and use strong passwords’—we know that ‘in real life’ things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database,” the researchers advised. 

“Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated.”

Hacker Hijacks CoinHive’s DNS to Mine Cryptocurrency Using Thousands of Websites


When I was reporting yesterday on the sudden outbreak of another global ransomware attack, "Bad Rabbit", I thought: what could be worse than this?

Then late last night I got my answer, with a notification that Coinhive had been hacked. Coinhive is a popular browser-based service that lets website owners embed a JavaScript snippet that uses their visitors' CPU power to mine the Monero cryptocurrency as a form of monetisation.

Reportedly, an unknown attacker hijacked Coinhive's Cloudflare account, which allowed them to change the DNS records for coinhive.com so that the official JavaScript file embedded in thousands of websites was replaced with a malicious version:

https://coin-hive[.]com/lib/coinhive.min.js

Hacker Reused Leaked Password from 2014 Data Breach

The attacker apparently got into Coinhive's Cloudflare account by reusing an old password that had been exposed in the 2014 Kickstarter data breach.

“Tonight, Oct. 23rd at around 22:00 GMT our account for our DNS provider (Cloudflare) has been accessed by an attacker. The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server.” Coinhive said in a blog post today.

“This third-party server hosted a modified version of the JavaScript file with a hardcoded site key.”

As a result, for at least six hours thousands of sites embedding the Coinhive script loaded a modified copy that mined Monero for the attacker rather than for the site owners.

“We have learned hard lessons about security and used 2FA [Two-factor authentication] and unique passwords for all services since, but we neglected to update our years old Cloudflare account.”
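The embedding sites had a defence of their own that would have blunted this: Subresource Integrity (SRI). If the `<script>` tag pins the hash of `coinhive.min.js`, the browser hashes whatever it fetches and refuses to execute a copy whose hash differs, regardless of where DNS sends the request. The code below is an added example of that check, not Coinhive's code; the two script bodies are constructed stand-ins for the genuine file and the attacker's version with a hard-coded site key.

```python
"""Subresource Integrity (SRI) check, added as an example of the browser-side
control that would have stopped the hijacked coinhive.min.js from running.
Not Coinhive's code; GENUINE_JS and HIJACKED_JS are constructed stand-ins."""
import base64
import hashlib
from typing import List, Tuple

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # browsers keep only the strongest

# Constructed stand-ins: same library, but the hijacked copy carries a
# hard-coded site key so the mining revenue goes to the attacker.
GENUINE_JS = b"var CoinHive={};CoinHive.Anonymous=function(k){this.key=k;};"
HIJACKED_JS = b"var CoinHive={};CoinHive.Anonymous=function(k){this.key='ATTACKER-SITE-KEY';};"


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """Value for the integrity attribute: '<alg>-<base64 digest>'."""
    return alg + "-" + base64.b64encode(ALGORITHMS[alg](content).digest()).decode("ascii")


def parse_integrity(integrity: str) -> List[Tuple[str, str]]:
    """Tokens are whitespace-separated; unknown algorithms are ignored and
    anything after '?' is an option the spec says to drop."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        digest = rest.split("?", 1)[0]
        if alg.lower() in ALGORITHMS and digest:
            parsed.append((alg.lower(), digest))
    return parsed


def integrity_ok(content: bytes, integrity: str) -> bool:
    """Mirror the browser: with no usable metadata the resource loads
    unchecked (a typo in the algorithm name silently disables SRI); otherwise
    only digests of the strongest listed algorithm count, and any match passes."""
    parsed = parse_integrity(integrity)
    if not parsed:
        return True
    best = max(STRENGTH[alg] for alg, _ in parsed)
    return any(sri_digest(content, alg) == alg + "-" + digest
               for alg, digest in parsed if STRENGTH[alg] == best)


def script_tag(src: str, content: bytes) -> str:
    """The tag a site owner should emit. crossorigin is required for SRI on a
    cross-origin script; without it the browser cannot read the response to
    hash it and the integrity check cannot be performed."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            f'crossorigin="anonymous"></script>')
```

The caveats are the ones the function encodes: the pin only helps on pages that carry it, it must be refreshed whenever the third party legitimately ships a new version of the file, and a misspelt algorithm name does not fail closed but quietly turns the check off.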

Your Web-Browsers Could Be Mining Cryptocurrencies Secretly for Strangers

Coinhive gained media attention in recent weeks after The Pirate Bay, the world's best-known torrent site, was caught secretly running the browser-based miner on its pages.

Soon afterwards, thousands of other websites also adopted Coinhive as an alternative monetisation model, using their visitors' CPU time to mine digital currency.

Attackers also use Coinhive-like services to make money from compromised websites by secretly injecting the mining script.

The company says it is now looking at ways to reimburse its users for the revenue lost during the breach.

How to Block Websites From Hijacking Your CPU to Mine Cryptocoins

Because of these concerns, some anti-virus products, including Malwarebytes and Kaspersky, have started blocking the Coinhive script to protect their customers from unauthorised mining and heavy CPU usage.

You can also install No Coin or minerBlock, small open source browser extensions that block coin miners such as Coinhive.

Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe


A new ransomware attack is spreading rapidly across Europe and has, in the space of a few hours, already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany.

Dubbed "Bad Rabbit", it is reportedly a new Petya-like ransomware targeting corporate networks; it demands 0.05 bitcoin (about $285 at the time) to unlock each system.

According to an initial analysis by Kaspersky Lab, the ransomware is distributed through drive-by downloads from compromised websites, using a fake Adobe Flash Player installer to trick victims into running the malware themselves.

“No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.” Kaspersky Lab said.

Security researchers at ESET detect Bad Rabbit as Win32/Diskcoder.D, a new variant of the Petya family (also known as Petrwrap, NotPetya, ExPetr and GoldenEye).

Bad Rabbit uses code from DiskCryptor, an open source full-disk encryption tool, to encrypt the drives of infected computers, protecting the encryption keys with 2048-bit RSA.


ESET believes this wave does not use the EternalBlue exploit, the leaked SMB exploit that WannaCry and NotPetya used to spread through networks.

Instead, it scans the internal network for open SMB shares, tries a hard-coded list of commonly used credentials to copy itself onto other machines, and also uses the Mimikatz post-exploitation tool to extract credentials from the systems it has already infected.

The ransom note directs victims to a Tor onion site to make the payment; the site shows a 40-hour countdown after which the price of decryption rises.

The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.

Researchers are still analysing Bad Rabbit to determine whether computers can be decrypted without paying the ransom and how to stop it spreading further.

How to Protect Yourself from Ransomware Attacks?

Kaspersky Lab suggests disabling the WMI service to prevent the malware spreading over the network; many management tools depend on WMI, so test the impact before doing this fleet-wide.

Most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.

So always exercise caution with unsolicited documents sent by email, and verify the source before opening them or clicking links inside them.

Also, never download apps from third-party sources, and read reviews even before installing apps from official stores.

To keep a tight grip on your valuable data, maintain a regular backup routine that copies it to an external storage device that is not permanently connected to your PC.

Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date.

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices


If you thought the KRACK attack on Wi-Fi was the worst vulnerability of the year, hold on: here is another one that may be even worse.

Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers about a potentially serious vulnerability in a widely used RSA key-generation library produced by German semiconductor manufacturer Infineon Technologies.

It's noteworthy that this vulnerability (CVE-2017-15361) does not affect elliptic-curve cryptography or the RSA algorithm itself; it lies in how Infineon's library generates RSA key pairs, as used in the company's Trusted Platform Module (TPM) and smart-card chips.

A TPM is a dedicated microcontroller that stores cryptographic keys in hardware and performs cryptographic operations with them, so that the keys never have to be exposed to the host software.

This 5-year-old algorithmic vulnerability was discovered by security researchers at Masaryk University in the Czech Republic, who have published a blog post with details of the weakness as well as an online tool for testing whether an RSA public key is affected.

ROCA: Factorization Attack to Recover Private RSA Keys

Dubbed ROCA (Return of Coppersmith's Attack), the researchers' factorisation attack can recover a private RSA key from nothing more than the corresponding public key. The affected library generates primes with a special structure, and that structure lets an attacker factor the modulus far faster than a properly generated key of the same length.

“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required,” the researchers said. “The vulnerability does NOT depend on a weak or a faulty random number generator—all RSA keys generated by a vulnerable chip are impacted.”

This could allow the attacker to impersonate the key owner, decrypt the victim's sensitive data, inject malicious code into digitally signed software, and bypass protections that prevent access to, or tampering with, the targeted computer.
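The same structure that makes the keys factorable also makes them recognisable from the public key alone, which is what the researchers' online tool relies on. The script below is an added example for this article that re-implements that public fingerprint check (it is not the researchers' code and does not factor anything): the affected library builds each prime as k·M + (65537^a mod M), where M is the product of the first n small primes (n depends on key size; 39 for 512-bit keys, more for longer ones), so the modulus N satisfies N mod p ∈ ⟨65537⟩, the subgroup generated by 65537, for every such prime p. Checking the first 39 primes (2 to 167) covers every key size the library produces, and a random modulus passes all 39 tests with negligible probability. The two moduli in the block are constructed, not keys from a real device.

```python
"""ROCA fingerprint test: does an RSA modulus look like it came from the
vulnerable Infineon library? Added example re-implementing the public check
from the researchers' paper and detection tool (not their code). The moduli
N_VULN and N_SAFE are constructed for illustration."""
from functools import reduce
from typing import Dict, List, Set

E = 65537   # the public exponent the library uses to build its primes


def first_primes(count: int) -> List[int]:
    primes: List[int] = []
    candidate = 2
    while len(primes) < count:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def generated_residues(p: int) -> Set[int]:
    """All values of 65537^a mod p, i.e. the subgroup <65537> of Z_p*."""
    seen: Set[int] = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * E) % p
    return seen


PRIMES = first_primes(39)                                  # 2, 3, 5, ..., 167
RESIDUES: Dict[int, Set[int]] = {p: generated_residues(p) for p in PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if every small-prime residue of n lies in <65537>, the signature
    of a key generated by the vulnerable library. Such a key is factorable
    far faster than its bit length suggests and must be replaced."""
    return all(n % p in RESIDUES[p] for p in PRIMES)


# Constructed moduli. N_VULN is built directly as k*M + 65537^a mod M, which
# gives exactly the residue pattern a product of two library-generated primes
# shows (padded to about 2048 bits). N_SAFE differs in one residue, mod 11,
# and that alone is enough to clear it: <65537> mod 11 is {1, 10}, not 5.
M = reduce(lambda a, b: a * b, PRIMES, 1)
K = (1 << (2047 - M.bit_length())) + 12345
N_VULN = K * M + pow(E, 67, M)
N_SAFE = N_VULN - (N_VULN % 11) + 5

if __name__ == "__main__":
    for name, n in (("N_VULN", N_VULN), ("N_SAFE", N_SAFE)):
        print(name, "ROCA fingerprint" if has_roca_fingerprint(n) else "no fingerprint")
```

To test a real key, obtain the modulus as an integer (with the `cryptography` package, `load_pem_public_key(pem).public_numbers().n` for an RSA public key, or the same call on a certificate's `public_key()`) and pass it to `has_roca_fingerprint`. A positive result on a key that is in use means it should be revoked and regenerated on fixed firmware or in software, not merely rotated to another key from the same unpatched chip.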

ROCA Attack Exposes Billions of Devices to Attack


The ROCA attack affects Infineon chips manufactured from as early as 2012, and it is practical against common key lengths including 1024 and 2048 bits: the researchers estimate roughly 97 CPU-days of work for a 1024-bit key and about 140 CPU-years for a 2048-bit key, both easily parallelised across rented cloud instances. Such keys are used in national identity cards, in PC motherboard TPMs to protect stored secrets, in authentication tokens, in TLS, in software and application signing, and in message protection such as PGP.

The flaw also weakens the security of government and corporate computers protected using Infineon’s cryptographic library and chips.

Windows PCs and Chromebooks from HP, Lenovo and Fujitsu that ship with Infineon TPMs are among the affected devices.

“We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP,” the researchers said. 

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable.”

More Details, Testing Tool, and Patches

The researchers have published a brief blog post about the flaw, with tools for detection, mitigation and workarounds.

The vulnerability was discovered and reported to Infineon Technologies in February this year; the researchers will present their full findings, including the factorisation method, on November 2nd at the ACM Conference on Computer and Communications Security (CCS).

Their research paper, titled “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli” (ROCA), will also be released after their presentation.

Companies and organisations therefore have some time to replace affected keys before the details of how the vulnerability can be exploited are released.

Major vendors including Infineon, Microsoft, Google, HP, Lenovo and Fujitsu have already released software and firmware updates for the affected hardware and software, along with guidance on mitigating the vulnerability.

“Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system),” according to a Microsoft advisory. “Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys.”

Users are therefore strongly advised to patch their devices as soon as possible, again. Note that a firmware update only fixes key generation from that point on: any RSA key pair the chip generated before the update remains weak and must be regenerated after the update (on Windows this typically means clearing the TPM and re-enrolling BitLocker, certificates and other TPM-backed keys), and the old public keys should be revoked.


8 More Chrome Extensions Hijacked to Target 4.8 Million Users


Google Chrome extensions are under attack, with a series of extension developers' accounts compromised in the past month.

Almost two weeks ago, we reported how unknown attackers compromised the Chrome Web Store account of a developer team, hijacked the Copyfish extension, and modified it to push spam to its users.

Just two days after that incident, attackers hijacked another popular extension, 'Web Developer', and pushed an update that injected advertisements directly into the browsers of its more than 1 million users.

After Chris Pederick, the creator of the 'Web Developer' extension, reported the compromise to Proofpoint, the security vendor analysed the incident and found further extensions in the Chrome Web Store that had also been tampered with.

According to the latest report from Proofpoint researchers on Monday, the expanded list of compromised Chrome extensions (with the affected versions) is:

  • Chrometana (1.1.3)
  • Infinity New Tab (3.12.3)
  • CopyFish (2.8.5)
  • Web Paint (1.2.1)
  • Social Fixer (20.1.1)

Proofpoint researcher Kafeine also believes the TouchVPN and Betternet VPN extensions were compromised the same way at the end of June.

In all these cases, the attackers first obtained the developers' Google account credentials through phishing emails containing malicious links.

Once in control of the accounts, they published modified versions of the extensions that injected malicious JavaScript to hijack traffic, expose users to fraudulent advertisements and harvest credentials, all to generate revenue.

In the case of Copyfish, the attackers went further and transferred the extension to their own developer account, which prevented the software company from removing the infected version from the Chrome Web Store even after its malicious behaviour had been spotted.

“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users,” researchers concluded. “In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.” 

“Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions.”

At this time, it is unclear who is behind the hijackings of Chrome Web extensions.

The best defence against such attacks is to be suspicious of unsolicited documents and links in email and to verify the source before clicking. Extension developers in particular should protect their Google accounts with two-step verification, since stolen credentials were all the attackers needed to publish a malicious update.


Gmail for iOS Adds Anti-Phishing Feature that Warns of Suspicious Links


Phishing is an old style of cyber-attack but remains one of the most common and effective attack vectors, as most banking malware and ransomware infections begin with a user clicking a malicious link or opening a dangerous attachment in an email.

Phishing has evolved considerably in the past few years, which is why it remains a threat defenders have been fighting for a long time.

We have seen phishing campaigns so convincing that even tech-savvy people have been tricked into handing their credentials to attackers, and some that are "almost impossible to detect" and fool even the most careful Internet users.

To help combat this, Google has introduced a defence for its more than a billion users that helps weed out phishing links in the Gmail inbox.

Google has rolled out new anti-phishing checks in the Gmail app for iOS that display a warning about a potential phishing attempt when a user taps a suspicious link from within the app on an iPhone or iPad.

Google says the rollout will take up to two weeks to reach everyone.

According to the company, when a user taps a link Google considers suspicious, a pop-up warns about the untrusted nature of the site they are about to visit:

Suspicious link
This link leads you to an untrusted site. Are you sure you want to proceed to example.com?

If the user ignores this first warning and continues, the Gmail app shows a second warning with more detail, stating that the site has been identified as a phishing page:

Warning – phishing (web forgery) suspected

The site you are trying to visit has been identified as a forgery, intended to trick you into disclosing financial, personal or other sensitive information.

You can continue to example.com at your own risk.

A similar feature has already been made available in the Gmail app for Android since May of this year.

Although the feature will not detect every phishing attempt that could compromise your credentials, we believe it will help users combat such attacks to a great extent.

So always be careful which links you click in emails and which attachments you open.

Additionally, Gmail users should enable two-step verification, so that even if attackers obtain your password, they cannot get into your account without your phone or hardware security key.


IPS as a Service Blocks WannaCry Spread Across the WAN


One of the most devastating aspects of the recent WannaCry ransomware attack was its ability to propagate by itself, exploiting a vulnerability in SMBv1, the legacy Windows file-sharing protocol.

Most enterprise defences face outwards, focused on stopping incoming email and web attacks. But once attackers gain a foothold inside the network through malware, very few security controls prevent the attack from spreading between enterprise locations across the Wide Area Network (WAN).

This is partly due to the way enterprises deploy security tools, such as IPS appliances, and the effort needed to maintain those tools across multiple locations.

For those reasons, Cato Networks recently introduced a context-aware Intrusion Prevention System (IPS) as part of its secure SD-WAN service. Several aspects of the announcement challenge the basic assumptions about how IT security maintains an IPS device and sustains the effectiveness of its protection.

Cato Networks is a cloud-based, SD-WAN service provider that uniquely integrates network security into its SD-WAN offering.

The Cato IPS is fully converged with Cato’s other security services, which include next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection.

With the IPS roll out, Cato continues its march towards providing secure networking everywhere while simplifying the overall IT stack for the enterprise.


Cato Networks IPS as a Service

With IPS as a service, Cato takes care of the work previously spent managing and maintaining the IPS appliances including sizing, capacity planning, patching, and signature management.

These are complex tasks, because IPS appliance performance depends on the mix of encrypted and unencrypted traffic and the number of active attack signatures.

Normally, IT professionals must carefully weigh the effectiveness of each signature against its performance impact to avoid slowing traffic through an overloaded IPS appliance.

Cato addresses both issues. The Cato IPS leverages its elastic cloud platform to inspect any mix of encrypted and unencrypted traffic in real-time.

The decision of which signatures to deploy is made by the experts of Cato Research Labs. They consider the relevancy of the threat and the best way to describe it to the system. Often, an existing signature may already cover a specific attack vector.

New Kind of Signatures With Context-Aware Protection


The Cato IPS has another unique capability. Because it operates in the same software stack as all other network and security services and within a cloud network, it can access a rich set of context attributes.

This forms a foundation for very sophisticated signatures that are hard to compose with stand-alone IPS devices. The use of rich context makes Cato IPS signatures more accurate and more effective.

Context attributes include the application being accessed and the client being used to access it, user identity, geolocation, IP and domain reputation, the file type exchanged, and DNS activity associated with the session.

Cato has described on its blog how Cato IPS stopped the spread of WannaCry across sites and how it detected command-and-control communication at a customer location.

The IPS extends its protection across sites and users without distributed appliances, another benefit of the system.

If you are a distributed enterprise constrained by your ability to support a complex networking and security environment, Cato's approach can improve your security posture while keeping overhead to a minimum.

Disclosure: This is a sponsored post from Cato Networks, and it comes at a good time, because we were just thinking of sharing with you how to prevent WannaCry-like attacks from spreading across enterprise networks.


Hackers Behind WannaCry Ransomware Withdraw $143,000 From Bitcoin Wallets


The cyber criminals behind the global WannaCry ransomware attack that caused chaos worldwide have finally cashed out their ransom payments.

Nearly three months ago, WannaCry shut down hospitals, telecom providers and many businesses worldwide, infecting hundreds of thousands of computers in more than 150 countries, encrypting their files and demanding $300 to $600 for the decryption keys.

WannaCry forced the British NHS (National Health Service) to shut down hospitals and doctors' surgeries, and infected a Spanish telecommunications company and a Russian mobile operator, among many others.

Even a month after the outbreak, WannaCry was found on systems at Honda Motor Company, forcing the company to halt production at a factory, and on 55 speed and traffic-light cameras in Victoria, Australia.

Overall, the attackers made about $140,000 in bitcoin from victims who paid for decryption keys, but for almost three months they did not touch the three wallets that victims had been told to pay into.


However, the WannaCry hackers started cashing out their cryptocurrencies on Wednesday night.

According to a Twitter bot tracking WannaCry ransom payments, only 338 victims paid, and the three wallets held about $140,000 in bitcoin.

On Wednesday night, this money was withdrawn in seven transactions within 15 minutes, although it is not clear where it was sent or how the attackers will use it.

We recently reported on Google's research into how cyber criminals and ransomware operators cash out stolen or extorted cryptocurrency through exchanges involved in money laundering.

Last week, Greek authorities also arrested an alleged operator of the BTC-e bitcoin exchange on charges of laundering over $4 billion in bitcoin for criminals involved in hacking, tax fraud and drug trafficking.

The identity of those behind WannaCry is still unknown, though some researchers have linked it to Lazarus, a state-sponsored hacking group from North Korea, while others believe the perpetrators might be Chinese.

WannaCry spread by itself using EternalBlue, the leaked NSA exploit for SMBv1, to infect vulnerable Windows computers, particularly those running older versions of the operating system.

While most of the affected organisations have now returned to normal, law enforcement agencies across the world are still on the hunt.


UK Parliament Hit by Cyberattack, Up to 90 MPs’ E-mail Accounts Hacked


A cyber attack hit the email system of the UK Houses of Parliament on Friday morning, compromising up to 90 email accounts that were protected by weak passwords and belonged to MPs and other parliamentary staff.

As a precaution, parliamentary security temporarily shut down remote access to the network from outside Westminster to protect email accounts.

Liberal Democrat Chris Rennard said on Twitter that urgent messages should be sent by text message.

“We have discovered unauthorized attempts to access accounts of parliamentary networks users and are investigating this ongoing incident, working closely with the National Cyber Security Centre,” a parliamentary spokesperson said.

“Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network.”

The authorities found that fewer than 1% of Parliament's 9,000 email accounts had been compromised in the brute-force attack, which lasted more than 12 hours.

Experts have warned that if the emails were accessed, politicians could be at risk of blackmail or even terror attacks.

It is unclear who is responsible, but the breach came just two days after the passwords of British cabinet ministers and officials were reportedly offered for sale by hackers on Russian-language underground forums.

However, most UK officials suspect Russia or North Korea.

“We are continuing to investigate this incident and take further measures to secure the computer network, liaising with Britain’s National Cyber Security Centre (NCSC),” a spokeswoman said.
