Italian jailed for NHS bomb threats

Emil Apreda, an Italian national living in Berlin, has been convicted by a Berlin court after attempting to extort £10 million worth of bitcoin from the NHS by making bomb threats targeted at a hospital in the UK. The 33 year old Apreda initially sent an email including the threat and ransom demand on the 12th April 2020, in an attempt to remain anonymous Apreda utilised the TOR network to send the email and claimed to be from the far-right group Combat18.

To prevent any form of attack on the NHS in the height of the Covid-19 pandemic and identify the individual responsible the NCA launched a high-priority investigation guided by specialist cyber crime officers. As well as investigating the criminal responsible for these threats NCA officers, together with Counter Terrorism specialists and staff responsible for Critical National Infrastructure, worked alongside the NHS who took measures to increase security at hospitals.

He has now been convicted by Berlin courts.
'Cyber Action Plan' to help increasingly digital small businesses stay secure from rising threats

Bespoke advice to help small businesses combat rising online threats is being offered through a state of the art digital tool launched on the 26th February by the UK’s leading cyber security experts.

As part of the cross-government Cyber Aware campaign, GCHQ’s National Cyber Security Centre (NCSC) has created the Cyber Action Plan to help micro businesses and sole traders securely navigate the increasingly digital landscape they operate in.
To help increase their digital defence, micro businesses and sole traders are being encouraged to complete a short questionnaire at that generates a personalised list of actions linked to the Cyber Aware behaviours.
Microsoft accuses China over email cyber-attacks

After attacks on its mail server software, Microsoft has accused Chinese state sponsored cyber espionage group Hafnium.

Microsoft has stated that the malicious actors were ‘highly skilled and sophisticated’ and that the attack utilised four previously undetected vulnerabilities in different versions of the software.
Denial of Service Attacks

DoS, or Denial of Service, attacks are one of the most common yet difficult types of attack to address. Most DoS attack aim to flood a target with so much traffic that the system simply cannot respond or crashes and thus preventing access for legitimate users. Targeted services often include emails, websites, remote working services and online accounts- for this reason DoS attacks can cost organisations not only money but time.


The most DoS common attacks include:

SYN Flood: where adversary requests the target machine to connect and communicate. The connection process requires 3 distinct steps (a '3-way handshake'), but the attacker’s machine fails to complete these steps. Instead sending more and more requests to connect, leaving the server in a metaphorical limbo and unavailable for legitimate users.

Smurf Attack: where the malicious system asks the targeted machine whether they are experiencing any communication problems and whether data is being received in a timely manner, this is known as an ICMP or ‘ping’ request. The attack is successful because the adversary generates hundreds of these ping requests from fake systems and the targeted machine crashes when attempting to reply to them all.

Teardrop: When someone wants to send information to another computer over the internet, the message is broken down into tiny fragments of data known as ‘packets’. These packets contain information so that the recipient machine, can reassemble them into the original message.  In a teardrop attack, a cyber criminal will 'fudge' these packets so that the receiving machine gets overwhelmed and crashes.

Exploits: Web pages are stored on web servers such as Apache or IIS, these web servers run security checks and lead you to the website you requested. However, if the web servers software is outdated or has some sort of vulnerability a malicious actor can use this to launch an ‘exploit’ that will knock the server offline.

Other DoS attacks may include account take overs or RF (radio-frequency)
 interference which includes the use of radio jammers to interfere with your Wi-Fi.

DDoS Attacks

A Distributed Denial of Service, or DDoS, attack occurs when many machines (known as bots) collaborate to attack a targeted system. These bots themselves are computers that have been taken over, and are as much a victim as the target of the DDoS. A DDoS attack allows for many more requests to bombard the target system, subsequently increasing the power of the attack as well as the difficulty of identifying the source.
Signs of a DoS attack
  • Abnormally slow network performance when opening files or accessing websites.
  • The unavailability of certain websites or cloud service.
  • A considerable increase of spam emails
How to prepare for a DoS Attack

Understand your Service
Understand how your service can be overloaded or exhausted. Find out whether you, or your supplier) are responsible for:
  • Network connectivity. The network links between your service and your users (or between components in your service) could be saturated by illegitimate traffic.
  • Compute the amount of computing resource available to service legitimate requests can be overwhelmed by a surge in malicious sessions.
  • Storage. An attacker may attempt to consume your available storage capacity.
Upstream Defences
Ensure your service providers are ready to deal with resource exhaustion in places where they are uniquely placed to help.
The NCSC recommend you:
  • Understand the DoS mitigations that your ISP can enable on your account
  • Consider deploying a Content Delivery Network, for web-based services
  • Understand when your service providers might limit your network access to protect their other customers.
  • Consider using multiple service providers for some functionality.
Build to About DoS and DDoS attacks allow scaling
To deal with attacks which can't be handled upstream (or only once detected and blocked), make sure your service can rapidly scale. Ideally, you can scale all aspects of your application and infrastructure. Cloud-native applications can be automatically scaled using the cloud providers' APIs. In private data centres, automated scaling is possible using modern virtualisation, but this will require spare hardware capacity to deal with the additional load.

Define your response plan
Design your service so that when attacked, it can continue to operate, albeit in a degraded fashion.
We recommend your plan includes:
  • graceful degradation
  • dealing with changing tactics
  • retaining administrative access during an attack
  • having a scalable fall-back plan for essential services
Test and Monitor your Services
Gain confidence in your defences by testing them, and ensure you can spot when attacks start by having the right tools in place.
Thinking you are well prepared for DoS attacks is not the same as knowing. Test your defences so you know the types (and volume) of attacks you are able to defend. System monitoring will help you spot attacks when they begin, and analyse your response while it's underway.

Ryuk Ransomware Updated With 'Worm-Like Capabilities'

The unique ransomware Ryuk has been updated and now is equipped with the ability to spread itself between systems inside of an infected network.

The worm-like Ryuk sample was discovered during an incident response managed by The French National Agency for the Security of Information Systems (ANSSI) earlier this year.

A Botnet Campaign that Uses Blockchain Transactions to Stay Hidden

A novel cryptomining botnet has been observed utilising Bitcoin blockchain transitions to mask their C2 IP addresses and defeat takedown attempts. Akamai first spotted a Bitcoin wallet address being used in new variants of cryptomining malware in December 2020.

The adoption of this unique technique is predicted to grow in popularity in the near future.
Vendor Quickly Patches Serious Vulnerability in NATO-Approved Firewall

A critical vulnerability was discovered in Genua Genugate firewall that had the potential to aid threat actors, once they have gained access into an organisations network, to log into the devices admin panel as any user regardless of the password they use.

German company Genua claims that its Genugate firewall is the only in the world to have received a ‘high resistant’ rating from the German government and claims it is compliant with NATO’s ‘NATO Restricted’ and the EU’s ‘Restreint UE/EU Restricted’ requirements for data protection.

The vulnerability was quickly patched.
Compromised Website Images Camouflage ObliqueRAT Malware

ObliqueRAT malware, spread by emails, are now making use of steganography and camouflaging its payloads as inconspicuous image files hidden on compromised websites.  The RAT has been operational since 2019 and is spread via emails with malicious Microsoft documents attached, previously, payloads were embedded into the documents.

Researchers warn that this new technique has aided ObliqueRAT operators to avoid detection during the malware attack targeting various organisations in South Asia.
What can we offer you?
Get in Touch
Click here to subscribe to the Cyber Crime Sentinel Newsletter!

Cyber Choices: Virtual School and Education Events

Join our online webinars aimed at schools and educational organisations for advice and support on how we can help young people make informed cyber choices and use their cyber skills in a legal way.

Please note: All participants are screened before being invited to the event. Please use your corporate school email address when registering.

Cyber Aware - Training for staff: Sports Organisations

Join our monthly online webinars aimed at sports organisations and discover the latest attacks businesses are facing, the social engineering tactics being used to gain data and the latest awareness training that staff need to know.

Please note: All participants are screened before being invited to the event. Please use your corporate sports email address when registering.

If you think you may have been the victim of fraud or cybercrime and incurred a financial loss or have been hacked as a result of responding to a phishing message, you should report this to Action Fraud 

Spotted a suspicious email? If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS):

Alternatively you can call 0300 123 2040
to report and obtain advice about fraud or cyber crime
Our lives are relying on technology more every day. Join us each week for your bitesize cybersecurity podcast. In this increasingly technical world we deliver non-technical cyber news, and identify the current threats we’re facing.


The WMCRC work with local Universities and Police forces in Staffordshire, West Midlands, West Mercia and Warwickshire to provide you access to the latest information on emerging cyber threats, criminal trends and best practice to protect your business.
Apple Podcast
Copyright © 2021 West Midlands Regional Cyber Crime Unit, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp