Black Arrow Cyber Threat Briefing 05 May 2022
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021
Cyber-scams cost victims around the globe at least $6.9 billion last year, according to the FBI's latest Internet Crime Report.
Since 2017, the bureau's Internet Crime Complaint Center (IC3) received an average of 552,000 complaints per year. This includes reports of extortion, identity theft, phishing, fraud, and a slew of other nefarious schemes that cost victims no less than $18.7 billion in losses over the five-year period.
Unsurprisingly, the volume of these crimes — and related costs — have grown every year; 2021 set records for the total number of complaints (847,376) as well as losses exceeding $6.9 billion, a jump from the $4.2 billion reported a year earlier.
As with earlier years, phishing attacks were by far the most commonly reported crimes, with 323,972 last year. A subset of this category, business email compromise (BEC), is proving very lucrative and cost victims almost $2.4 billion from 19,954 victims, according to the Feds.
BEC involves a cyber criminal compromising a legitimate email account, and then tricking a business or individual into transferring funds, sending employees' personal data, or unlocking cryptocurrency wallets. The fraudster then steals the cash, drains the crypto wallet and/or sells employees' identities and credentials on the dark web.
https://www.theregister.com/2022/05/05/fbi_cyber_scams/
Bad Actors Are Maximising Remote Everything
The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cyber criminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximising the remote work and learning attack vector.
As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.
That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.
https://threatpost.com/bad-actors-remote-everything/179458/
This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected
A previously undisclosed cyber-espionage group is using clever techniques to breach corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and they've been able to remain undetected by victims for periods of more than 18 months.
Detailed by cyber security researchers at Mandiant, who've named it UNC3524, the hacking operation has been active since at least December 2019 and uses a range of advanced methods to infiltrate and maintain persistence on compromised networks that set it apart from most other hacking groups. These methods include the ability to immediately re-infect environments after access is removed. It's currently unknown how initial access is achieved.
One of the reasons UNC3524 is so successful at maintaining persistence on networks for such a long time is because it installs backdoors on applications and services that don't support security tools, such as anti-virus or endpoint protection.
FBI: Business Email Compromise: The $43 Billion Scam
According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars.
The following information was derived from filings with financial institutions between June 2016 and December 2021:
Domestic and international incidents: 241,206
Domestic and international exposed dollar loss: $43,312,749,946
The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:
Total US victims: 116,401
Total US exposed dollar loss: $14,762,978,290
Total non-US victims: 5,260
Total non-US exposed dollar loss: $1,277,131,099
Disgruntled Employees Cashing in On Confidential Information Over Dark Web
Disgruntled employees are making hundreds of thousands of dollars by leaking confidential information over a new platform on the so-called dark web, cyber researchers have said.
Hidden in a part of the internet that is only accessible using special software, the Industrial Spy platform promises huge payouts to staff willing to hand over "dirty secrets" to competitors, according to experts at intelligence business Cyberint.
Industrial Spy currently has data on twelve companies from a range of industries available to people who sign up, Cyberint said.
The platform recently managed to sell two tranches of company data for $400,000 (£318,236) and $750,000 each.
An individual has advertised the platform to potential purchasers of the data on the dark web.
The post said: "With our information you could refuse partnership with an unscrupulous partner, reveal dirty secrets of your competitors and earn millions of dollars using insider information."
Cyber criminals have long approached employees individually and offered a bribe to release sensitive information such as internal data and passwords to access computer systems.
But this new platform allows employees to act on their own initiative to steal data and sell it online.
Google Sees More APTs Using Ukraine War-Related Themes
Researchers at Google's Threat Analysis Group (TAG) say the number of advanced threat actors using Ukraine war-related themes in cyber attacks went up in April with a surge in malware attacks targeting critical infrastructure.
According to Google, known state-backed APT groups from China, Iran, North Korea, and Russia, along with various unattributed groups have been using war-related themes in phishing and malware distribution campaigns.
Looking at the cyber attacks that target Eastern Europe, however, a new Google report notes there hasn't been a significant change from the normal levels of activity, despite the increased adoption of lures related to the Ukraine war.
https://www.securityweek.com/google-sees-more-apts-using-ukraine-war-related-themes
Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions
Just four months in, 2022 has been a banner year for hackers, and fraudsters targeting the industry have swindled more than $1 billion from cryptocurrency investors, according to separate estimates by cryptocurrency analysis firm Immunefi.
The rise in fraud has put US regulators on the offensive. The US Securities and Exchange Commission, which has positioned itself as the industry’s main regulator and enforcer, announced on Tuesday that it was going to double its staff working to resources to combat the rise in fraud.
“Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space. Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants,” Gurbir Grewal, director of the SEC’s Division of Enforcement said in a statement. “The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges.”
https://www.cyberscoop.com/cryptocurrency-sec-cybersecurity-bitcoin-regulation-enforcement/
Tackling the Threats Posed by Shadow IT
While remote technologies have allowed businesses to shift their workforces online, this flexibility has created a swathe of challenges for IT teams who must provide a robust security framework for their organisation – encompassing all the personnel and devices within their remit. In addition to the ever-increasing number of personal devices, corporate devices and programs, more and more applications are moving to the cloud as workloads become increasingly distributed across public clouds and software-as-a-service (SaaS).
This means IT teams are even harder pressed to secure and manage the complex environments they operate in. The unsanctioned use of corporate IT systems, devices, and software – known as shadow IT – has increased significantly during the shift to remote work, and recent research found almost one in seven (68%) are concerned about information security because of employees following shadow IT practices.
Shadow IT can allow hackers to steal employee and customer identities, company intellectual property, and cause companies to fail compliance audits. It can also open the door to enterprises accidentally breaking laws and exposes organisations to data exfiltration, malware, and phishing.
https://www.helpnetsecurity.com/2022/05/05/shadow-it-risk/
Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers
State-backed hacking groups are some of the most advanced cyber attack operations in the world - but criminals don't need to rely on them if they can exploit unpatched cyber security flaws.
A North Korean hacking and cyber espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cyber security vulnerability in Log4j.
First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library.
The ubiquitous nature of Log4j meant cyber security agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw.
According to cyber security researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the gap on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.
New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions
[Explanatory note from Black Arrow: When a group of cyber attackers is identified by the cyber security community, it is given a code name usually composed of letters and digits. These groups are also sometimes referred to as APTs., or Advanced Persistent Threats, because the groups are highly skilled and are persistent in their attacks; they are often supported by their state government].
A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.
Mandiant is tracking the activity cluster under the uncategorised moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.
"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasise the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a report.
The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.
https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html
Threats
Ransomware
US DoS Offers a Reward of Up To $15M For Info on Conti Ransomware Gang - Security Affairs
Trend Micro Discovers AvosLocker Can Disable Antivirus Software (techtarget.com)
Experts Analyse Conti and Hive Ransomware Gangs' Chats with Their Victims (thehackernews.com)
New Ransomware Strains Linked to North Korean Govt Hackers (bleepingcomputer.com)
REvil Revival: Are Ransomware Gangs Ever Really Gone? (darkreading.com)
What We've Learned in the 12 Months Since the Colonial Pipeline Attack (darkreading.com)
Phishing & Email Based Attacks
Google SMTP Relay Service Abused for Sending Phishing Emails (bleepingcomputer.com)
US DoD Scammed Out of $23M in Phishing Attack on Jet-Fuel Vendors (darkreading.com)
1000s of Phishing Emails Sent from NHS Inboxes - IT Security Guru
Malware
This New Fileless Malware Hides Shellcode in Windows Event Logs (thehackernews.com)
Raspberry Robin Spreads Via Removable USB Devices - Security Affairs
Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware (thehackernews.com)
Mobile
IoT
Unpatched DNS Bug Affects Millions of Routers and IoT Devices (bleepingcomputer.com)
What Should I Know About Defending IoT Attack Surfaces? (darkreading.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
Crypto Hackers Stole More Than $370 Million In April Alone (vice.com)
Ferrari Subdomain Hijacked to Push Fake Ferrari NFT Collection (bleepingcomputer.com)
Supply Chain
Open Source
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google | ZDNet
How Linux Became the New Bullseye for Bad Guys | SecurityWeek.Com
Passwords & Credential Stuffing
Good End User Passwords Begin with A Well-Enforced Password Policy - Help Net Security
55% of People Rely on Their Memory To Manage Passwords - Help Net Security
A Third of Americans Use Easy-to-Guess Pet Passwords (darkreading.com)
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Mandiant CEO: False-flag Ops a Red Line For Nation-States • The Register
Anonymous and Ukraine IT Army Continue to Target Russian Entities - Security Affairs
Pro-Ukraine Hackers Use Docker Images to DDoS Russian Sites (bleepingcomputer.com)
Russia Hammered by Pro-Ukrainian Hackers Following Invasion | Ars Technica
Nation State Actors
Nation State Actors – Russia
Russia-Linked APT29 Targets Diplomatic and Government Organisations - Security Affairs
Russian Ransomware Group Claims Attack on Bulgarian Refugee Agency - CyberScoop
Russia Cyber Attacks Raise Questions About Hacking Red Lines - Bloomberg
Putin Threatens Supply Chains with Counter-Sanction Order • The Register
Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia (thehackernews.com)
China-linked APT Curious Gorge Targeted Russian Govt Agencies - Security Affairs
Russia-Ukraine War Prompts Security Best Practices Refresher (techtarget.com)
Nation State Actors – China
China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report | SecurityWeek.Com
State-Backed Chinese Hackers Target Russia - Infosecurity Magazine (infosecurity-magazine.com)
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (thehackernews.com)
Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers (thehackernews.com)
China Not Happy With South Korea Joining NATO Cyber Defense Center | SecurityWeek.Com
Nation State Actors – North Korea
Security Researchers: Here's How the Lazarus Hackers Start Their Attacks | ZDNet
VHD Ransomware Variant Linked to North Korean Cyber Army (darkreading.com)
Nation State Actors – Misc
Vulnerabilities
CISA Adds Five Known Exploited Vulnerabilities to Catalogue | CISA
Aruba and Avaya Network Switches Are Vulnerable to RCE Attacks (bleepingcomputer.com)
Cisco Issues Patches for 3 New Flaws Affecting Enterprise NFVIS Software (thehackernews.com)
F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability (thehackernews.com)
May 2022 Patch Tuesday Forecast: Look Beyond Just Application and OS Updates - Help Net Security
Critical Cisco VM-Escape Bug Threatens Host Takeover (darkreading.com)
Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus (thehackernews.com)
QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices (thehackernews.com)
Critical RCE Bug Reported in dotCMS Content Management Software (thehackernews.com)
Sector Specific
Financial Services Sector
Telecoms
Health/Medical/Pharma Sector
Education and Academia
Other News
Car Rental Company Sixt Hit by a Cyber Attack that Caused Disruptions - Security Affairs
White House Says To Prepare For Cryptography-Cracking Quantum Computers - Information Security Buzz
CMS-Based Sites Under Attack: The Latest Threats and Trends - Help Net Security
Mozilla Finds Mental Health Apps Fail 'Spectacularly' at User Security, Data Policies | ZDNet
UK to Place Security Requirements on App Developers and Store Operators - Infosecurity Magazine
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.