Warnings over vulnerabilities found in Natus Medical devices feature in this month's cyber security industry round-up, alongside news that seven of the UK's main banks were hit by targeted DDoS attacks in 2017. Meanwhile, Microsoft has put a number of AI business deals on hold over fears that its technology could be exploited for nefarious purposes.
Natus Neuroworks devices found open to hijacking
Vulnerabilities have been uncovered in the Natus Neuroworks platform that could make it possible for hackers to remotely access devices running the software.
Security researchers from Cisco Talos, the vendor's threat intelligence outfit, have discovered "multiple" vulnerabilities affecting equipment from Natus Medical, including electroencephalogram (EEG) machines used for recording brain activity.
Four of the five vulnerabilities identified in the Natus Xltek NeuroWorks 8 software allowed an attacker to execute arbitrary code on the target device and take control of it, while the fifth allowed an attacker to crash the device in a denial-of-service attack.
Talos said in a blog post that it had worked with Natus to resolve the vulnerabilities through an update. Until that update is applied, the usual mitigation for remotely reachable flaws in clinical equipment is to keep the devices segmented from networks that untrusted hosts can reach.
Half of UK businesses need to buck up security
Almost half of UK businesses are falling victim to cyber security breaches that could largely be avoided through basic steps, according to data from the UK Government.
The Cyber Security Breaches 2018 report from the Department for Digital, Culture, Media and Sport (DCMS) revealed that four in ten (43%) organisations were hit by security breaches in the past 12 months.
Meanwhile, two in ten (19%) of charities suffered a cyber security breach or attack in the same period.
The most common vector for breaches was phishing: fraudulent emails that tried to lure victims into giving up sensitive information or clicking on dangerous links.
The survey concluded that a “huge proportion” of organisations were leaving themselves open to attack through a lack of basic security awareness.
For example, a quarter of charities were found to not be updating software or malware protections, while a third of businesses did not provide staff with guidance on passwords.
Ciaran Martin, CEO of the National Cyber Security Centre, said that companies could “significantly reduce their chances of falling victim by following simple cyber security steps to remove basic weaknesses.”
GWR derailed by cyber-attack
Great Western Railway customers were advised to change their passwords after the train company suffered from a cyber-attack.
The firm said around 1,000 accounts were compromised during the breach in mid-April, although it said that financial information had been encrypted and was therefore not exposed.
GWR said the attack had likely been carried out using credentials harvested from breaches of other online services and replayed against its own login page, a technique known as credential stuffing, which succeeds against users who reuse the same password across sites.
However, a spokesperson added that the success rates for the unauthorised login attempts had been “extremely low”.
“Sadly, it is the kind of attack that is experienced on a daily basis by businesses across the globe and is a reminder of the importance of good password practice,” they said.
“We have acted quickly and decisively with our partners to protect our customers’ data and have taken clear steps to stop it happening again.”
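The pattern GWR describes, one source trying many different accounts with a very low hit rate, is what a detection rule for credential stuffing looks for. The script below is an added example, not GWR's code or data: it runs a simple heuristic over constructed auth-log lines in an assumed `key=value` format, flags source IPs that attempt many distinct usernames with a low success rate, and lists the accounts that did log in from a flagged IP (the ones to force a password reset on). The log format, thresholds and IP addresses are all assumptions.

```python
"""Credential-stuffing detection over constructed auth-log lines.

Added example; the log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "key=value" auth-log format.
# 203.0.113.7 sprays eight different usernames and lands one hit;
# 198.51.100.4 is one user mistyping then succeeding; 192.0.2.9 is a
# shared address where two different users both log in normally.
LOG_LINES = [
    "2018-04-15T02:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2018-04-15T02:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2018-04-15T02:00:03Z ip=203.0.113.7 user=carol result=FAIL",
    "2018-04-15T02:00:04Z ip=203.0.113.7 user=dave result=OK",
    "2018-04-15T02:00:05Z ip=203.0.113.7 user=erin result=FAIL",
    "2018-04-15T02:00:06Z ip=203.0.113.7 user=frank result=FAIL",
    "2018-04-15T02:00:07Z ip=203.0.113.7 user=grace result=FAIL",
    "2018-04-15T02:00:08Z ip=203.0.113.7 user=heidi result=FAIL",
    "2018-04-15T02:05:00Z ip=198.51.100.4 user=alice result=FAIL",
    "2018-04-15T02:05:09Z ip=198.51.100.4 user=alice result=OK",
    "2018-04-15T02:06:00Z ip=192.0.2.9 user=ivan result=OK",
    "2018-04-15T02:06:30Z ip=192.0.2.9 user=judy result=OK",
    "garbage line that does not match the expected format",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.2):
    """Return {ip: stats} for source IPs whose login pattern looks like stuffing.

    Stuffing shows up as one source trying many *different* accounts with a
    very low success rate. A legitimate user retrying their own password
    touches one account, and a shared NAT address succeeds most of the time,
    so neither trips both conditions.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["users"].add(ev["user"])
        if ev["result"] == "OK":
            stats["successes"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "successes": stats["successes"],
                "success_rate": round(rate, 3),
            }
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged IP: reset these."""
    return {ev["user"] for ev in events
            if ev["ip"] in flagged and ev["result"] == "OK"}


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    hits = find_credential_stuffing(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("force password reset for:", sorted(compromised_accounts(evs, hits)))
```

The two thresholds are deliberately separate: a high distinct-user count alone would flag a corporate NAT, and a low success rate alone would flag one forgetful customer. Tune both against your own baseline traffic before alerting on them.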
Microsoft terminates potential rogue AI deals
Microsoft is reported to have cut ties with a number of clients interested in its artificial intelligence (AI) technology due to fears over how it might be put to use.
Eric Horvitz, director of Microsoft Research Labs, said "significant sales have been cut off" after its AI and Ethics in Engineering and Research committee reviewed some prospective customers' plans for its Microsoft Cognitive Services portfolio and other machine learning services, reports V3.
Horvitz told the website that Microsoft was employing a stricter vetting process for AI business deals in order to ensure its tech was put to use “in a responsible, trusted and ethical manner.”
$15 web service costs banks £100,000s
A $15 web service was used to launch cyber-attacks against major UK banks, costing them hundreds of thousands of pounds in operational costs.
Seven of the UK's biggest banks, including Barclays, Lloyds, Santander and HSBC, were the victims of a distributed denial of service (DDoS) attack in November 2017 that forced some to shut down systems, leaving some customers unable to access banking services.
Details of the incident were revealed by the National Crime Agency (NCA), which took the service behind the attacks down following a major operation that included the Dutch National Police, Police Scotland and Europol.
The attacks were linked to webstresser.org, a so-called booter or stresser service which the NCA said could be rented for as little as $14.99 (approximately £11) to direct huge volumes of traffic at target domains in order to overload them and knock them offline.
Jo Goodall, senior investigating officer at the NCA, said: “A significant criminal website has been shut down and the sophisticated crime group behind it stopped as a result of an international investigation involving law enforcement agencies from eleven countries.
“Over the last year we have seen how cyber-attacks have real-world consequences; resulting in actual physical harm as well as causing reputational and financial damage to businesses of all sizes.
“The cyber threat is constantly evolving and we are improving our tactics and capabilities in response. But businesses and individuals must report cyber-crime – the earlier people report, the quicker we are able to assess new methodologies and limit the damage they can have.”