Black Arrow Cyber Threat Briefing 02 September 2022

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

  • Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

  • Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

  • Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

  • Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

  • An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

  • Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

  • 69% are concerned about threats from the cyber crime underground.

  • 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

  • Only 38% believe that they’re very likely to detect it if it was released.

  • 48% have no documented cyber crime threat intelligence policy in place.

  • Only 41% believe their current security program is very effective.

  • 49% are not satisfied with the visibility they have of the cyber crime underground.

  • Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

  • Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

  • New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

  • Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

  • Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

  • Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

  • Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/


Threats

Ransomware

BEC – Business Email Compromise

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Privacy

Travel

Parental Controls and Child Safety

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine






Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Previous
Previous

Black Arrow Cyber Advisory 07/09/2022 – Phishing-as-a-Service Platform that bypasses MFA lets all hackers use advanced phishing tactics (Updated 25/11/2022)

Next
Next

Black Arrow Cyber Threat Briefing 26 August 2022