NHS outplays Ransomware since the massive Wannacry infection

A new investigation claims that the UK’s National Health Service (NHS) has taken a remarkable stride in its cybersecurity since the WannaCry ransomware attack. According to the latest figures, it has been found that the healthcare service provider has suffered only six ransomware attacks since 2017. In total, the NHS has suffered 209 successful ransomware attacks since 2014 but there was a dramatic improvement since 2017. The report was compiled after surveying 245 NHS Trusts, with 184 responding and 50 refusing to hand over the information requested. A review after the destructive WannaCry attack had revealed that none of the 80 NHS organizations had applied the Microsoft update patch advised by NHS Digital’s CareCERT bulletin. This had left a majority of Microsoft Windows 7 devices infected. Following the attack, the government had made 22 essential recommendations to improve the cybersecurity of NHS Trusts. This included mandatory cyber awareness training for staff and increased investments into security its operations. Since the attack, Windows 7 too has largely gone out of support.


The UK enacts law to fortify Security Posture of IoT Devices

The U.K. government recently introduced new legislation to protect millions of users of internet-connected devices from the threat of cyber hacks. The new law is a joint effort of the Department for Digital, Culture, Media, and Sport (DCMS) and National Cyber Security Centre (NCSC). The law will work to improve the security standards of the consumer Internet of Things (IoT). It will ensure all consumer smart devices manufacturers in the U.K to adhere to the three rigorous security requirements. According to DCMS, the sale of connected devices has been on the rise and there will be 75 billion internet-connected devices from televisions and cameras to home assistants and their associated services in homes around the world by the end of 2025. Digital Minister Matt Warman said “Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought.” Nicola Hudson, Policy and Communications Director at the NCSC, said, “It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.” The Government is reportedly working with international bodies to ensure that the guidelines drive a consistent, global approach to IoT security. Meanwhile, it aspires to further—and soon—develop legislation that effectively protects consumers, and which is implementable by industry while supports their long term growth.


NSA Releases Guidelines to improve Cloud Security

The National Security Agency (NSA) has released new guidelines to help organizations improve the security of data stored on the cloud. The guidelines include mitigation techniques for cloud vulnerabilities other than the identification of cloud security components, threat actors and more. With the release of the guideline, NSA hopes that organizations can gain perspective on cloud security principles while addressing cloud security considerations to assist with cloud service procurement. The guide is designed both for the organizational leadership team and technical staff. According to the guide, cloud vulnerabilities can be divided into four categories: misconfiguration, poor access control, shared tenancy flaws, and supply chain vulnerabilities. Managing risks in the cloud is a responsibility on the shoulders of cloud service providers (CSPs). Thus, CSPs should deploy the right countermeasures to help customers harden their cloud resources. Security in the cloud is a constant process and customers should also continually monitor their cloud resources and work to improve their security posture.


H&M probed over Alleged snooping on their own Employees

H&M came under the radar of data protection for unlawfully collecting and storing personal information about employees, including their illnesses. A hard drive containing around 60GB of very personal information on the employees from the site was found by a data protection team. The drive had data that revealed “detailed and systematic” records on employees’ health, from bladder weakness to cancer. It also had information about their private lives from family disputes or holiday experiences. The records were accessible to all company managers, which implies that the employees were being comprehensively spied on “in a way that’s unparalleled in recent years.” An official from H&M expressed its “honest regret” on the incident and said that the firm is pursuing this case as “very seriously.” As per reports, H&M is fully cooperating with data protection officials and has taken a number of measures in response to the incident. Possible fines for H&M would be decided in the coming weeks.


Emotet Gang attempts to infect Japanese targets with the scare of Coronavirus

A group of researchers reported a malspam campaign disguised as notifications to provide more details on preventive measures against coronavirus infections, which is currently an epidemic in China. The emails are disguised to look like its sent on behalf of disability welfare service provider and public health centers to gain the confidence of the readers. The attackers were, in fact, distributing Emotet payloads via attachments in the emails. The attachments promise to provide preventive measures against coronavirus infections for Japanese citizens. The scam has been observed in various prefectures from Japan, including Gifu, Osaka, and Tottori. Usually relying on spam emails, Emotet actors attempt to trick their prospective recipients into opening email attachments, which, when opened, result in the download and installation of the malware.


Edited and compiled by cyber security specialist James Aguilan.