Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• One Tenth of UK Staff Bypass Corporate Security

A new study from Cisco has found that a tenth of UK employees actively circumvent their organisation’s security measures.

The network technology company polled over 1000 UK professionals working for organisations that allow hybrid working, in order to better understand the potential security risks of the modern, flexible workplace.

The research has revealed that many hybrid workers do not see cyber security as their responsibility, with many actively finding workarounds or engaging in risky behaviours such as password reuse.

19% of employees said they reuse passwords for multiple accounts and applications, with only 15% using password managers.

The problem seems to stem from user friction in existing security measures. Only 44% of survey participants said they found it easy to securely access their IT equipment.

A majority said they would be willing to use biometric authentication, a reflection of how enterprise security is still catching up to consumer functionality.

https://www.itsecurityguru.org/2022/03/28/one-tenth-of-uk-staff-bypass-corporate-security/

• Majority Of Data Security Incidents Caused by Insiders

New research from Imperva has revealed that 70% of EMEA organisations have no insider risk strategy, despite 59% of data security incidents being caused by employees.

The shocking revelation comes as part of a wider study carried out by Forrester: Insider Threats Drive Data Protection Improvements. The study involved interviewing 150 security and IT professionals in EMEA.

An insider threat is defined by Imperva as originating from “inappropriate use of legitimate authorised user accounts” by either their rightful owner or a threat actor who has managed to compromise them.

The study found that insider threats were responsible for 59% of incidents impacting sensitive data in the past 12 months. This supports a previous Imperva analysis of the most significant breaches of the past five years, revealing that 24% were caused by either human error or compromised credentials.

https://www.itsecurityguru.org/2022/04/01/majority-of-data-security-incidents-caused-by-insiders/

• One-Third of UK Firms Suffer a Cyber Attack Every Week

Cyber attacks and related incidents at UK organisations continue their seemingly unstoppable upward trajectory, with new statistics from the Department for Digital, Culture, Media and Sport (DCMS) revealing that 31% of businesses and 26% of charity organisations now experience incidents on a weekly basis.

The data, contained in the annual cyber security breaches survey report, paints a stark picture of the scale of the threat facing the average organisation, and the urgent need to boost standards and defences.

It is vital that every organisation takes cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk.  No matter how big or small your organisation is, you need to take steps to improve digital resilience.

Some 20% of businesses and 19% of charities said they had experienced a negative outcome as a direct consequence of an attack. The average cost of an attack, spread out across all organisations, now works out at £4,200, or £19,400 if only medium and large businesses are considered, although there is probably a vast amount of under-reporting, so the true figures are certainly higher.

Meanwhile, 35% of businesses and 38% of charities said they had experienced some kind of negative impact during the incident, such as service downtime.

https://www.computerweekly.com/news/252515288/One-third-of-UK-firms-suffer-a-cyber-attack-every-week

• Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth

Punitive economic sanctions over Russia's invasion of Ukraine had crooks discussing the best ways to adapt to the new reality.

Members of Russian-language underground forums are not immune to the latest news. Russia's invasion of Ukraine and subsequent economic sanctions against Moscow got forum users to discuss how to live in this new world they find themselves in.

According to a report by the Digital Shadows Photon team, dark web forums are teeming with questions on how to ensure the safety of funds held in Russia-based accounts.

One user sought advice on what to do with dollars held in a Russian bank, with others suggesting converting dollars to rubles for a few months.

"I hope you were joking about [holding the funds in rubles for] half a year? After half a year, your rubles will only be good for lighting a fire, they will not be good for anything else," a forum user responded.

https://cybernews.com/news/russias-cybercriminals-fear-sanctions-will-erase-their-wealth/

• 86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack

A new study by Trellix and the Center for Strategic and International Studies (CSIS) has revealed that 86% of organisations believe they have fallen victim to a nation-state cyber attack.

The research surveyed 800 IT decision-makers in Australia, France, Germany, India, Japan, the UK and US.

It has also been revealed that 92% of respondents have faced, or suspect they have faced, a nation-state backed cyber attack in the past 18 months, or anticipate one in the future.

Russia and China were identified as the most likely suspects behind said attacks. 39% of organisations that believe they have been hit with a nation-state cyber attack believe Russia were the perpetrators.

https://www.itsecurityguru.org/2022/03/29/86-of-organisations-believe-they-have-suffered-a-nation-state-cyberattack/

• Multiple Hacking Groups Are Using the War in Ukraine as A Lure in Phishing Attempts

Hostile hacking groups are exploiting Russia's invasion of Ukraine to carry out cyber attacks designed to steal login credentials, sensitive information, money and more from victims around the world.

According to cyber security researchers at Google's Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyber attacks.

In just the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that's stealing information, stealing money, or something else.

https://www.zdnet.com/article/google-multiple-hacking-groups-are-using-the-war-in-ukraine-as-a-lure-in-phishing-attempts/

• 4 Ways Attackers Target Humans to Gain Network Access

Since the day we started receiving email, we hope that our antivirus or endpoint protection software alerts us to problems. In reality, it often does not. When technology fails, it’s likely because the attacker made an end run around it by targeting humans. Here are four ways they do it:

1. The targeted human attack

2. Fraudulent wire transfer email

3. Tricking users into handing over credentials

4. Bypassing multi-factor authentication

https://www.csoonline.com/article/3654850/4-ways-attackers-target-humans-to-gain-network-access.html#tk.rss_news

• Security Incidents Reported to FCA Surge 52% in 2021

The number of cyber security incidents reported to the UK’s financial regulator surged by over 50% last year after a significant increase in cyber-attacks, according to new figures from Picus Security.

The security vendor submitted Freedom of Information (FoI) requests to the Financial Conduct Authority (FCA) to compile its latest report, Cyber Security Incidents in the UK Financial Sector.

The 52% year-on-year increase in “material” security incidents reported to the FCA seems to have been driven by cyber-attacks, which comprised nearly two-thirds (65%) of these reports.

Picus Security claimed that the rest are likely explained by “system and process failures and employee errors.”

In addition, a third of incident reports were about corporate or personal data breaches, and a fifth involved ransomware.

Picus Security explained that to qualify as a material incident, there needs to have been a significant loss of data, operational IT outages, unauthorized IT access, and/or an impact on a large number of customers.

https://www.infosecurity-magazine.com/news/security-incidents-reported-fca/

• NCSC Suggests Rethinking Russian Supply Chain Risks

The National Cyber Security Centre (NCSC) of the UK has urged organisations to reconsider the risks associated with “Russian-controlled” parts of their supply chains.

Ian Levy, technical director of the NCSC argued that “Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”

Levy has suggested that while there is currently nothing to suggest that the Russian state intends to force commercial providers to sabotage UK interests, that doesn’t mean it will not happen in the future.

https://www.itsecurityguru.org/2022/03/30/ncsc-suggests-rethinking-russian-supply-chain-risks/

• 25% Of Workers Lost Their Jobs in The Past 12 Months After Making Cyber Security Mistakes: Report

For business leaders, there is never a good time for their employees to make mistakes on the job. This is especially true now for workers who have anything to do with the cyber security of their companies and organisations. Given the growing risks of cyber attacks across the world and the increased threats posed by Russia in the aftermath of their invasion of Ukraine, these are certainly perilous times.

Indeed, a new study released by email security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company’s security.

According to the second edition of Tessian’s Psychology of Human Error report, people are falling for more advanced phishing scams—and the business stakes for mistakes are much higher.

The study also found that:

• Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error

• Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT.

https://www.forbes.com/sites/edwardsegal/2022/03/29/25-of-workers-lost-their-jobs-in-the-past-12-months-after-making-cybersecurity-mistakes-report/?sh=d47cdfa49b26

• Attackers Compromise 94% of Critical Assets Within Four Steps of Initial Breach

New research from XM Cyber analysing the methods, attack paths, and impacts of cyber attacks has discovered that attackers can compromise 94% of critical assets within just four steps of initial breach points. The hybrid cloud security company’s Attack Path Management Impact Report incorporates insights from nearly two million endpoints, files, folders, and cloud resources throughout 2021, highlighting key findings on attack trends and techniques impacting critical assets across on-prem, multi-cloud, and hybrid environments.

The findings showed that 75% of an organisation’s critical assets are open to compromise in their current security state, while 73% of the top attack techniques used last year involved mismanaged or stolen credentials. Just over a quarter (27%) of most common attack techniques exploited a vulnerability or misconfiguration.

https://www.csoonline.com/article/3655633/attackers-compromise-94-of-critical-assets-within-four-steps-of-initial-breach.html

• UK Spy Chief Warns Russia Looking for Cyber Targets

A UK intelligence chief warned that the Kremlin is hunting for cyber targets and bringing in mercenaries to shore up its stalled military campaign in Ukraine.

Jeremy Fleming, who heads the GCHQ electronic spy agency, praised Ukrainian President Volodymyr Zelenskyy’s “information operation” for being highly effective at countering Russia’s massive disinformation drive spreading propaganda about the war.

While there were expectations that Russia would launch a major cyber attack as part of its military campaign, Fleming said such a move was never a central part of Moscow’s standard playbook for war.

“That’s not to say that we haven’t seen cyber in this conflict. We have — and lots of it,” Fleming said in a speech in Canberra, Australia, according to a transcript released in London on Wednesday.

He said GCHQ’s National Cyber Security Centre has picked up signs of “sustained intent” by Russia to disrupt Ukrainian government and military systems.

“We’ve seen what looks like some spillover of activity affecting surrounding countries,” Fleming said. “And we’ve certainly seen indicators which suggest Russia’s cyber actors are looking for targets in the countries that oppose their actions.”

He provided no further details. He said the UK and other Western allies will continue to support Ukraine in beefing up its cyber security defences.

https://www.securityweek.com/uk-spy-chief-warns-russia-looking-cyber-targets

Threats

Ransomware

• Ransomware Payments Hitting New Records In 2021 - Help Net Security

• UK Ransomware Attacks Double In Past Year, Expert Insight - Information Security Buzz

• Ransomware, Endpoint Risks Are Top Concerns for DFIR Professionals | CSO Online

• Not Enough Businesses Have A Formal Ransomware Plan In Place - Help Net Security

• Ukraine, Conti, and the law of unintended consequences | CSO Online

• FBI Investigating More than 100 Ransomware Variants - Infosecurity Magazine

• Precursor Malware Is an Early Warning Sign for Ransomware (darkreading.com)

• Cyber Blackmail Gains Traction in Ransomware Hijackers' Tool Set - MSSP Alert

• Services Giant Admits $42m Fallout from Ransomware Attack - Infosecurity Magazine

• Hive Ransomware Uses New 'IPfuscation' Trick to Hide Payload (bleepingcomputer.com)

• Shutterfly, Hit By Conti Ransomware Group, Warns Staff Their Data Has Been Stolen • Graham Cluley

• FBI: Ransomware Attacks Are Piling Up The Pressure On Public Services | ZDNet

BEC – Business Email Compromise

• FBI Disrupts BEC Cyber Crime Gangs Targeting Victims Worldwide (bleepingcomputer.com)

Phishing & Email Based Attacks

• Calendly Actively Abused in Microsoft Credentials Phishing (bleepingcomputer.com)

• Phishing Attacks: Malicious URLs May Outpace Email Attachment Risks - MSSP Alert

• Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware (thehackernews.com)

• Phishing uses Azure Static Web Pages to impersonate Microsoft (bleepingcomputer.com)

Other Social Engineering

• 5 Old Social Engineering Tricks Employees Still Fall For, And 4 New Gotchas | CSO Online

• Fraudsters Use 'Fake Emergency Data Requests' To Steal Info • The Register

Malware

• A Third of Malware Infections Used Log4Shell- IT Security Guru

Mobile

• Russian-Linked Android Malware Records Audio, Tracks Your Location (bleepingcomputer.com)

• Malware Disguised As Cryptocurrency Wallets Used To Steal From iOS and Android Users (androidpolice.com)

IoT

• Wyze Cam Flaw Lets Hackers Remotely Access Your Saved Videos (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Sanctions Hitting Russian Cyber-Criminals Hard - Infosecurity Magazine

• Secret World of Pro-Russia Hacking Group Exposed in Leak - WSJ

• UK Police Charges Two Teenagers for Their Alleged Role in Lapsus$ Group - Security Affairs

• LAPSUS$ Hacks Globant. 70GB of Data Leaked from IT Firm (bitdefender.com)

• Man Linked to Multi-Million Dollar Ransomware Attacks Gets 66 Months In Prison For Online Fraud | ZDNet

Cryptocurrency/Cryptomining/Cryptojacking

• How CISOs can Mitigate Cryptomining Malware (trendmicro.com)

• Ronin Blockchain Hit With $620 Million Crypto Heist - IT Security Guru

Insider Risk and Insider Threats

• Yale Finance Director Stole $40m In Computers to Resell • The Register

• Making Security Mistakes May Come With A High Price For Employees - Help Net Security

Fraud, Scams & Financial Crime

• How To Avoid Investment Scams On Social Media, As 25% Of UK Victims Are Youths Online - Information Security Buzz

• Europol Dismantles Massive Call Centre Investment Scam Operation (bleepingcomputer.com)

• Scammers Turn Attention to Hard-Up Students • The Register

• Emily Maitlis Opens Up About Terrifying Bank Scam: ‘I Feel Sick’ | The Independent

Supply Chain

• A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages (thehackernews.com)

Denial of Service DoS/DDoS

• DDoS Attacks Becoming Larger And More Complex, Finance Most Targeted Sector - Help Net Security

• Number of DDoS Attacks in 2021 Reached 9.75 Million - Help Net Security

• Beastmode Botnet Boosts DDoS Power With New Router Exploits (bleepingcomputer.com)

Passwords & Credential Stuffing

• What Is Credential Stuffing? And How To Prevent It? Security Affairs

Spyware, Espionage & Cyber Warfare

Russian Invasion of Ukraine

• Anonymous Targets Oligarchs' Russian Businesses - Security Affairs

• With War Next Door, EU is Warned on Cyber Security Gaps | SecurityWeek.Com

• Ukraine Intelligence Leaks Names of 620 Alleged Russian FSB Agents - Security Affairs

• Russian Credential Thieves Target NATO, European Military • The Register

• Viasat Confirms Satellite Modems Were Wiped with AcidRain Malware (bleepingcomputer.com)

• Internet Provider to Ukrainian Military Hit With Major Cyber Attack - WSJ

• GhostWriter APT Targets State Entities of Ukraine with Cobalt Strike Beacon - Security Affairs

• Hacked WordPress Sites Force Visitors to DDoS Ukrainian Targets (bleepingcomputer.com)

• Russia Facing Internet Outages Due to Equipment Shortage (bleepingcomputer.com)

• Anonymous Is Working On A Huge Data Dump That Will Blow Russia Away - Security Affairs

• Phishing Campaign Targets Russian Govt Dissidents With Cobalt Strike (bleepingcomputer.com)

• Leaked Hacker Logs Show Weaknesses of Russia’s Cyber Proxy Ecosystem | CSO Online

• Russian Aviation Authority Switches to Paper After Losing 65TB of Data | CyberNews

• Anonymous Hacked Russian Thozis Corp, But Denies Attacks on Rosaviatsia - Security Affairs

• ZTE Whistleblower: Chinese Companies Will Sell to Russia • The Register

Nation State Actors

Nation State Actors – Russia

• UK Spy Boss Warns About Russia-China Tech Collaboration • The Register

• UK Cyber Security Centre Advises Review of Russian Tech • The Register

• You're Going To See Russian Activity Directed Against Government And Military Capabilities: Fmr. NSA director (cnbc.com)

• Russia Ranks Top For State-Linked Online Misinformation • The Register

• Google: Russian phishing attacks target NATO, European military (bleepingcomputer.com)

• Russian Spies Unmasked In Embarrassing Blow For Vladimir Putin (telegraph.co.uk)

Nation State Actors – China

• Chinese Hackers Deep Panda Return With Log4Shell Exploits, New Fire Chili Rootkit | ZDNet

• China APT Group Uses COVID-19, Russia in Phishing Scams • The Register

Vulnerabilities

• CISA Adds 66 Vulnerabilities to 'Must Patch' List | SecurityWeek.Com

• Apple Rushes Out Patches for Two 0-days Threatening iOS and macOS Users | Ars Technica

• Zero-day Attacks Doubled in 2021 - Infosecurity Magazine

• Chrome Browser Gets Major Security Update | SecurityWeek.Com

• Critical SonicOS Vulnerability Affects SonicWall Firewall Appliances (thehackernews.com)

• Log4JShell Used to Swarm VMware Servers with Miners, Backdoors | Threatpost

• Experts Warn Defenders: Don't Relax on Log4j | SecurityWeek.Com

• Google Chrome, Microsoft Edge Updated to Close Security Hole • The Register

• RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn | Threatpost

• Spring4Shell: No need To Panic, But Mitigations Are Advised - Help Net Security

• Sophos Firewall Affected by A Critical Authentication Bypass Flaw - Security Affairs

• CVE-2022-1162 Flaw in GitLab Allowed Threat Actors To Take Over Accounts - Security Affairs

• Trend Micro Fixed High Severity Flaw In Apex Central Product Console - Security Affairs

• Zyxel Urges Customers To Patch Critical Firewall Bypass Vulnerability | ZDNet

• QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices (thehackernews.com)

Sector Specific

Health/Medical/Pharma Sector

Washington Health District Suffers Another Data Breach - Infosecurity Magazine (infosecurity-magazine.com)

Hive Ransomware Group Claims Partnership HealthPlan of California Data Breach | CSO Online

LockBit Victim Estimates Cost of Ransomware Attack To Be $42 Million (bleepingcomputer.com)

Retail/eCommerce

Shopping Trap: The Online Stores’ Scam That Hits Users Worldwide - Security Affairs

Automotive

Automaker Cyber Security Lagging Behind Tech Adoption, Experts Warn | Threatpost

CNI, OT, ICS, IIoT and SCADA

The Spectre of Stuxnet: CISA Issues Alert on Rockwell Automation ICS Vulnerabilities | ZDNet

Reports Published in the Last Week

• Cyber Security Breaches Survey 2022 - GOV.UK (www.gov.uk)

• Psychology of Human Error 2022 | Research Report | Tessian

• 2022 Attack Path Management Impact Report (xmcyber.com)

Other News

• Protecting Your Organisation Against a New Class of Cyber Threats: HEAT (darkreading.com)

• Why Do Organisations Need To Prioritize Cyber Resiliency? - Help Net Security

• How Security Complexity Is Being Weaponized (darkreading.com)

• In Charts: Cyber Security Risks And Companies’ Readiness | Financial Times (ft.com)

• CISA Warns of Attacks Against Internet-Connected UPS Devices | CSO Online

• New UK Study Shows Just 1/3rd Of Orgs Use MFA Auth, Practice Cyber Compliance - Information Security Buzz

• Hackers Posing as Police Convinced Apple and Meta to Share Basic Subscriber Info (softpedia.com)

• Exploring the Intersection of Physical Security and Cyber Security (darkreading.com)

• The Current State Of Enterprise Backup And Recovery - Help Net Security

• Why Metrics Are Crucial To Proving Cyber Security Programs’ Value | CSO Online

• COVID Bounce: A Massive 2021 Resurgence of Cyber Threats - Help Net Security

• Rapid7 Finds Zero-Day Attacks Surged In 2021 (techtarget.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.