13 January 2023

7 min read

UK’s Royal Mail suspends overseas deliveries following cyber attack | Cyber Intelligence Briefing: 13 January


Top news stories this week

  1. Your attack was delivered. UK’s Royal Mail suspends overseas deliveries following cyber attack.
  2. Patch, patch, patch! Rackspace confirms ransomware attack was result of unpatched vulnerability.
  3. Password123. Thousands of weak passwords used by US federal agency staff cracked in security audit.
  4. The future is now? Chinese researchers claim to have broken RSA encryption using quantum computing.
  5. Experian hacked. Identity thieves access credit reports through URL vulnerability.
  6. Frequent flyers. Air France-KLM notify customers of data breach.
 

S-RM’s Incident Response team has observed Lorenz using a 5-month-old web shell as a way into a victim’s network.

Read more about our observations in last week's special edition of the Cyber Intelligence Briefing.


1. Critical infrastructure: Royal Mail suspends overseas post due to cyber attack 

On Thursday, the UK’s postal service Royal Mail suspended overseas postal deliveries amid serious disruption caused by a suspected ransomware attack. Domestic post is unaffected and the incident has been reported to the National Cyber Security Centre and National Crime Agency. 

Separately, air travel in the US was suspended earlier this week following a system outage at the Federal Aviation Administration. While there is no evidence so far that the outage was the result of a cyber attack, a former NATO commander described the incident as a “wake-up call”.

So what?

All organisations should prepare for unplanned system outages, including those caused by a cyber incident. Well-rehearsed disaster recovery, business continuity, and incident response plans can significantly reduce operational downtime and recovery costs, but only if they are tested against realistic scenarios such as the loss of a core system rather than left on the shelf.


2. Hard lessons from Rackspace about the importance of patching

Cloud service provider Rackspace, which suffered a ransomware attack in December, confirmed that it was the result of an unpatched privilege escalation vulnerability in the company’s hosted Microsoft Exchange Server environment. Rackspace had decided not to apply the patch and instead relied on mitigation measures, due to concerns over service disruption.

Separately, Microsoft’s first Patch Tuesday of the year fixes 98 flaws, including one actively exploited zero-day elevation of privilege vulnerability. Eleven of the flaws are rated ‘critical’, covering remote code execution, elevation of privilege and security feature bypass.

So what?

Threat actors continuously seek to exploit novel and emerging vulnerabilities. While patching can cause service disruption in the short term, an effective risk management process should weigh this against the potentially devastating impact of a cyber attack. Where a patch genuinely cannot be applied straight away, treat vendor mitigations as temporary workarounds: verify they are actually in place, track any vendor revisions to them, and set a date by which the patch itself will be deployed, because attackers actively look for ways around the mitigation.


3. Thousands of weak passwords cracked during US federal agency audit

An internal audit by the US Department of the Interior’s Office of Inspector General revealed significant weaknesses in the department’s password policies. Using a password cracking rig built from commercially available hardware and open-source software, the auditors cracked 18,174 of 85,944 account password hashes (21%), with nearly 14,000 falling within the first 90 minutes. The department’s password policy allowed passwords built from common dictionary words and keyboard patterns, which are easy to crack; 5% of active account passwords were some variation of the word ‘password’, and ‘Password-1234’ alone was in use on 478 accounts.

So what?

Minimum length and complexity requirements are just one element of secure identity management, and on their own they do not stop the attack described above: a password such as ‘Password-1234’ satisfies most complexity rules yet falls in seconds to a dictionary plus mangling rules. Organisations should favour length over forced symbol substitution, screen new passwords against common-word and breached-password lists, and explore additional technical defences and organisational processes such as multi-factor authentication and single sign-on to reduce reliance on passwords altogether.
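The following is an added example, not code from the briefing or from the Interior Department audit. It shows in miniature why the audit’s passwords fell so quickly and what a policy check that rejects them looks like. The wordlist, the mangling rules, the sample passwords and the 12-character minimum are all constructed for illustration; unsalted SHA-256 stands in for the unsalted NTLM hashes a Windows domain stores, since the cracking logic is the same.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed wordlist standing in for the dictionary an auditor would feed a cracker.
WORDLIST = ["password", "welcome", "summer", "interior", "changeme"]

# Common keyboard walks; the audit found that patterns like these were allowed by policy.
KEYBOARD_WALKS = ["qwerty", "asdfgh", "zxcvbn", "12345", "1q2w3e"]

LEET_TO_ASCII = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})
ASCII_TO_LEET = str.maketrans({"a": "@", "o": "0", "s": "$", "e": "3"})


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for the unsalted NTLM hashes a domain stores."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterable[str]:
    """Yield the variants a rule-based cracker tries for one dictionary word:
    case changes, leetspeak, and the digit/symbol suffixes users bolt on to
    satisfy 'complexity' requirements."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.translate(ASCII_TO_LEET)
    bases.update({leet, leet.capitalize()})
    suffixes = ["", "1", "123", "1234", "!", "-1234", "2022", "2023", "1!"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix


def crack(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for every hash recovered by wordlist + rules."""
    remaining = set(hashes)
    recovered: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                recovered[digest] = candidate
                remaining.discard(digest)
    return recovered


def weak_password_reasons(password: str, wordlist: Iterable[str], min_length: int = 12) -> List[str]:
    """Policy check: the reasons a candidate password should be rejected (empty if none).
    min_length is an example policy value chosen here, not a figure from the audit."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    normalised = lowered.translate(LEET_TO_ASCII)  # so P@$$w0rd still matches 'password'
    for word in wordlist:
        if word in normalised:
            reasons.append(f"contains dictionary word '{word}'")
            break
    for walk in KEYBOARD_WALKS:
        if walk in lowered:
            reasons.append(f"contains keyboard pattern '{walk}'")
            break
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]{1,5}", password):
        reasons.append("letters followed only by a short digit/symbol suffix")
    return reasons


# Constructed sample: three policy-compliant-but-weak passwords and one strong one.
SAMPLE_PLAINTEXTS = ["Password-1234", "P@$$w0rd1", "Welcome123", "Tq7#mVz!29Lp&x"]
SAMPLE_HASHES = [sha256_hex(p) for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    recovered = crack(SAMPLE_HASHES, WORDLIST)
    print(f"recovered {len(recovered)} of {len(SAMPLE_HASHES)} hashes:", sorted(recovered.values()))
    for pw in SAMPLE_PLAINTEXTS:
        print(pw, "->", weak_password_reasons(pw, WORDLIST) or "OK")
```

Five dictionary words and nine suffixes are enough to recover three of the four sample hashes; a real rig runs billions of NTLM candidates per second against tens of thousands of hashes, which is why the audit’s first 90 minutes were so productive. The policy check rejects the same three passwords before they ever reach the domain.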


4. Chinese researchers claim to have cracked RSA encryption algorithm 

Last week, researchers in China published a paper claiming that a hybrid quantum-classical algorithm could factor a 2048-bit RSA key, which would break the RSA encryption widely used for secure online communications, using a quantum computer of only 372 qubits. The experimental demonstration factored a 48-bit integer on a 10-qubit device, and other researchers have since expressed scepticism that the method scales to real key sizes; the claims have yet to be verified.

So what?

Whether or not the claim holds, the research shines a light on the implications that advances in quantum computing will have for how we keep communications private. Organisations should start inventorying where public-key algorithms such as RSA are used in their systems and plan for migration to the post-quantum algorithms that NIST is standardising, so that the change can be made in an orderly way rather than under pressure.


5. Experian URL vulnerability exploited by identity thieves

Experian, the credit monitoring giant, had a critical vulnerability in its website exploited that allowed attackers access to consumers’ credit reports. After supplying a target’s personal details, attackers who were presented with the knowledge-based identity verification questions could alter the URL to jump straight to the report page, tricking the Experian website into giving them access to any user’s credit report without answering the questions.

So what?

Organisations should ensure they practise good cyber hygiene to protect customers’ sensitive data. In a multi-step flow such as identity verification, the server must record which steps have been completed and enforce that state on every request, never infer it from the URL the client presents. Regular penetration testing of websites and web applications is an important check that this is actually the case.
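The following is an added example of the vulnerability class described above (forced browsing past a verification step), not Experian’s code and not a reconstruction of their site. It models a two-step flow in plain Python: the vulnerable handler reads which step the user is on from a client-controlled query parameter, while the hardened handler keeps verification state in a server-side session and checks it on every report request. The consumer identifiers, reports and knowledge-based answers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data standing in for credit reports keyed by consumer id.
REPORTS: Dict[str, str] = {
    "consumer-1": "CREDIT REPORT for consumer-1",
    "consumer-2": "CREDIT REPORT for consumer-2",
}

# Constructed knowledge-based-authentication (KBA) answers per consumer.
KBA_ANSWERS: Dict[str, Dict[str, str]] = {
    "consumer-1": {"street": "1 High Street", "loan_year": "2019"},
    "consumer-2": {"street": "9 Mill Lane", "loan_year": "2021"},
}


@dataclass
class Session:
    """Server-side session state; the client only ever presents an opaque session id."""
    consumer_id: str
    verified: bool = False


def verify_identity(session: Session, answers: Dict[str, str]) -> bool:
    """Step 1: mark the session verified only when every KBA answer matches."""
    expected = KBA_ANSWERS.get(session.consumer_id, {})
    session.verified = bool(expected) and all(
        answers.get(key) == value for key, value in expected.items()
    )
    return session.verified


def vulnerable_get_report(consumer_id: str, query: Dict[str, str]) -> Optional[str]:
    """Step 2, vulnerable: which step the user is on is read from the URL.

    Requesting ?step=report straight away skips verification entirely, and
    nothing ties consumer_id to a verified session, so any consumer's report
    can be fetched by editing the URL.
    """
    if query.get("step") == "report":
        return REPORTS.get(consumer_id)
    return None  # would render the verification questions instead


def hardened_get_report(session: Session, consumer_id: str) -> Optional[str]:
    """Step 2, hardened: progress lives server-side and is checked on every request.

    Returning None models an HTTP 403; the URL carries nothing the server trusts.
    """
    if not session.verified:
        return None
    if session.consumer_id != consumer_id:
        return None  # block cross-consumer access even from a verified session
    return REPORTS.get(consumer_id)


if __name__ == "__main__":
    # Attacker with no verified session skips to the report step by editing the URL.
    print(vulnerable_get_report("consumer-1", {"step": "report"}))
    session = Session(consumer_id="consumer-1")
    print(hardened_get_report(session, "consumer-1"))  # None until verified
    verify_identity(session, {"street": "1 High Street", "loan_year": "2019"})
    print(hardened_get_report(session, "consumer-1"))
    print(hardened_get_report(session, "consumer-2"))  # None: not this session's consumer
```

The fix is not a better URL scheme but moving the decision to the server: the only inputs to the authorisation check are the session the server issued and the state it recorded when verification succeeded. The second check in the hardened handler also closes the related hole of a verified user changing the consumer id in the URL to read someone else’s report.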


6. Hacked customer accounts at Air France-KLM frequent flyer programme

European airline Air France-KLM is notifying customers of their Flying Blue loyalty programme that some accounts have been breached and their personal information has now been exposed. The compromised data includes names, email addresses, phone numbers, and latest transactions.

So what?

Following an account breach, users should change their passwords to a new, unique, and complex alternative that is not used on other online platforms. Because names, email addresses and phone numbers were exposed, affected customers should also treat unexpected emails, calls or texts that reference their Flying Blue account with suspicion, as these details are exactly what a convincing phishing attempt needs.


Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Authors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
