Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year

Armorblox released a report which highlights the use of language-based attacks that bypass existing email security controls. The report uncovers how the continued increase in remote working has made critical business workflows even more vulnerable to new forms of email-based attacks, often resulting in financial fraud or credential theft.

Language-based attacks have become the new normal for business email compromise (BEC) with 74% of these attacks using language as the main attack vector.

Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block impersonation emails – both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.

https://www.helpnetsecurity.com/2022/06/06/language-based-attacks-email-video/

• Ransomware Attacks Setting New Records

Zscaler released the findings of its annual ThreatLabz Ransomware Report, which revealed an 80 percent increase in ransomware attacks year-over-year.

In 2022, the most prevalent ransomware trends include double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geo-political incited ransomware attacks. The report details which industries are being targeted the most by cyber criminals, explains the damage caused by double-extortion and supply chain attacks, and catalogues the most active ransomware groups operating today.

Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable. Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high.

The tactics and scope of ransomware attacks have been steadily evolving, but the end goal continues to be a disruption of the target organisation and theft of sensitive information for the purposes of ransom. The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment. In 2019, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as a ‘double extortion’ ransomware.

https://www.helpnetsecurity.com/2022/06/07/ransomware-attacks-increase/

• Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign

Cyber criminals are spending more time inside networks before they're discovered, and that's allowing them to do more damage.

The amount of time cyber criminal intruders are spending inside victims' networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyber attacks.

According to analysis by cyber security researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year.

Dwell time is the amount of time hackers are inside the network before they're discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they're able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.

https://www.zdnet.com/article/hackers-are-now-hiding-inside-networks-for-longer-thats-not-a-good-sign/

• Paying Ransomware Paints Bigger Bullseye on Target’s Back

Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.

Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.

New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cyber security professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.

The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way so why not hit the same company, demand a higher ransom, and get paid again?

https://threatpost.com/paying-ransomware-bullseye-back/179915/

• Organisations Fix Only 1 in 10 Vulnerabilities Monthly

New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.

That’s not good. The research, which sought to measure how long it took the 1.6 million organisations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:

·       53% had at least one exposed vulnerability to the internet, while 22% of organisations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organisations’ critical assets.

·       The financial sector is among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).

·       Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organisations in the financial sector fixed exploited flaws faster.

·       The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.

·       The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.

·       It typically takes organisations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.

·       When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.

https://www.msspalert.com/cybersecurity-research/organizations-fix-only-1-in-10-vulnerabilities-monthly/

• Cyber Attack Surface "Spiralling Out of Control"

Global organisations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.

The security vendor polled over 6200 IT and business decision-makers to compile its new study, ‘Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk’.

It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.

These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.

On average, respondents estimated having just 62% visibility of their attack surface.

https://www.infosecurity-magazine.com/news/cyberattack-surface-out-of-control/

• Phishing Hits All-Time High in Q1 2022

The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG).

The industry, law enforcement and government coalition’s new Phishing Activity Trends Report also revealed that March was the worst month on record for phishing, with 384,291 attacks detected.

The financial sector was the worst hit, accounting for 24% of all detected attacks, although webmail and SaaS providers were also popular targets.

Attacks spoofing retailers dropped 17% from the previous quarter to 15% following the busy holiday shopping season, while those against social media services rose significantly, from nearly 9% percent of all attacks to 13% over the same period.

https://www.infosecurity-magazine.com/news/phishing-hits-all-time-high-q1/

• Ransomware's ROI Retreat Will Drive More BEC Attacks

Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe.

A presentation at the RSA Conference last week laid out analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months.

Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, but crackdowns on just one group can make an enormous dent.

Ransomware is a centralised ecosystem with small numbers of operators responsible for the majority of attacks.

The recent disappearance of Pysa, left just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate.

Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyber attacks, far outpacing ransomware losses.

Ransomware has had a moment over the past couple of years, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cyber criminals to rely on its infrastructure to do business, adding "friction" to the transactions.

BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop. 

https://www.darkreading.com/threat-intelligence/retreat-of-ransomware-roi-will-drive-bec-attacks-analyst-warns

• The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For

With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber attacks not only can affect customers’ data, but they can impact service delivery.

Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).

Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.

For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.

https://informationsecuritybuzz.com/articles/the-real-cost-of-cyber-attacks-what-organizations-should-be-prepared-for/

• Why Smishing and Vishing Attempts Surged In 2021

In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing (smishing) attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.

The study details the most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.

Key Findings:

• Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk

• Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.

• Malicious URLS are 3-4x more common than malicious attachments.

• Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.

• More than 20 million messages attempted to deliver malware linked to eventual ransomware attack

• Data loss prevention alerts have stabilised as businesses adopt permanent hybrid work models.

• 80% of businesses are attacked by a compromised supplier account in any given month.

• 35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.

https://informationsecuritybuzz.com/expert-comments/why-smishing-and-vishing-attempts-surged-in-2021/

• Know Your Enemy! Learn How Cyber Crime Adversaries Get In…

Cyber security vendor Sophos dug into the incident reports of 144 real-life cyber attacks investigated by its Rapid Response team during 2021.

What they found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.

Notably:

• Unpatched vulnerabilities were the entry point for close to 50% of the attackers.

• Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.

• Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)

• RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.

Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.

In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.

This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.

As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.

After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.

https://nakedsecurity.sophos.com/2022/06/07/know-your-enemy-learn-how-cybercrime-adversaries-get-in/

• Small Businesses Struggle with an Increase in Cyber Attacks

Part of the problem: They don’t believe they are targets, so they don’t make security a priority. Cyber attacks are becoming more common for small businesses, and many aren’t prepared to deal with an attack.

As small businesses have accelerated their adoption of new technologies for remote work, communication, production and sales during the pandemic, their expanded computer networks have created new vulnerabilities to phishing and ransomware attacks. But many small businesses still don’t expect to be targeted by hackers, so preparing for a cyber attack is well down their list of priorities.

https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786

Threats

Ransomware

• Ransomware attacks have increased by 80% year-over-year - Help Net Security

• How the Russia-Ukraine war makes ransomware payments harder | CSO Online

• How Poor Communication Opens the Door to Ransomware and Extortion (darkreading.com)

• Cuba ransomware returns to extorting victims with updated encryptor (bleepingcomputer.com)

• Vice Society gang adds the Italian City of Palermo to its data leak site - Security Affairs

• Qbot - known channel for ransomware - delivered via phishing and Follina exploit - Help Net Security

• Black Basta Ransomware Targets ESXi Servers in Active Campaign (darkreading.com)

• Mandiant: Cyber extortion schemes increasing pressure to pay (techtarget.com)

• Roblox Game Pass store used to sell ransomware decryptor (bleepingcomputer.com)

• Costa Rican government held up by ransomware … again • The Register

• Gloucester Council IT Systems Still Not Fully Operational Six Months After Cyber-Attack - Infosecurity Magazine

• BEEF ALERT: Ransomware Group Very Mad at Being Associated with Lavish Russian Hackers (vice.com)

• Ransomware Pressure Forcing UK CISOs to Consider Quitting - Infosecurity Magazine

BEC – Business Email Compromise

• Business Email Compromise Scams Are Poised to Eclipse Ransomware | WIRED

Phishing & Email Based Attacks

• Evasive phishing mixes reverse tunnels and URL shortening services (bleepingcomputer.com)

• Proofpoint: We Block Up to Two Million Extortion Emails Daily - Infosecurity Magazine

• Massive Facebook Messenger phishing operation generates millions (bleepingcomputer.com)

• Facebook phishing campaign nets millions in IDs and cash • The Register

Other Social Engineering

• Smishing and Vishing Attempts Surged in 2021 - Infosecurity Magazine

Malware

• Symantec sees more malware operators exploiting Follina • The Register

• Potent Emotet Variant Spreads Via Stolen Email Credentials | Threatpost

• Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)

• This advanced new malware strain leaves you practically defenceless | TechRadar

• Be on the lookout for this malware that hijacks your browser and generates bogus search results | PC Gamer

• MacOS malware attacks slipping through the cracks (techtarget.com)

• 11 infamous malware attacks: The first and the worst | CSO Online

• 9 types of computer virus and how they do their dirty work | CSO Online

Mobile

• Android June 2022 updates bring fix for critical RCE vulnerability (bleepingcomputer.com)

IoT

• New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)

• How to Compromise a Printer in Three Simple Steps | CrowdStrike

Data Breaches/Leaks

• Since 2004, the average American has had at least 7 data breaches (scmagazine.com)

Organised Crime & Criminal Actors

• World Economic Forum wants a global map of online crime • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Threat actors exploit recently disclosed Atlassian Confluence flaw in cryptomining campaign - Security Affairs

• Researchers Detail How Cyber Criminals Targeting Cryptocurrency Users (thehackernews.com)

• 7 NFT Scams That Could Be Targeting Your Brand (darkreading.com)

• Hackers stole +$250,000 in Ethereum from Bored Ape Yacht ClubSecurity Affairs

Fraud, Scams & Financial Crime

• Pandemic-related identity fraud: How serious is it? - Help Net Security

• Apple Release 2021 Fraud Prevention Analysis- IT Security Guru

AML/CFT/Sanctions

• Information, AML/CFT steps are key to fighting international digital crime, DOJ report says (cointelegraph.com)

Insurance

• Microsoft flags common pitfalls for cyber insurance (techtarget.com)

Dark Web

• Dark web sites selling alleged Western weapons sent to Ukraine (bleepingcomputer.com)

Software Supply Chain

• 82% of CIOs believe their software supply chains are vulnerable - Help Net Security

• Boards, CEOs demand software supply chain security improvements - Help Net Security

Denial of Service DoS/DDoS

• Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)

Cloud/SaaS

• Cloud Security Tops Ransomware As Primary RSA Conference Attendee Concern - MSSP Alert

• Only 13.5% of IT pros have mastered security in the cloud native space - Help Net Security

• Is Cloud Security Losing Sight of Endpoints? - MSSP Alert

• OMIGOD: Cloud providers still using secret middleware • The Register

• Getting to grips with SaaS security - Help Net Security

Attack Surface Management

• Taming the Digital Asset Tsunami | Threatpost

Open Source

• Symbiote, a nearly-impossible-to-detect Linux malware - Security Affairs

Privacy

• Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones (thehackernews.com)

• New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)

Parental Controls and Child Safety

• Digital fingerprints of a million child abuse images made - BBC News

Law Enforcement Action and Take Downs

• US dismantled and seized SSNDOB cyber crime marketplace - Security Affairs

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• “Cyber Spetsnaz” is Attacking Government Agencies - Security Affairs

• Russian Ministry Website Reportedly Hacked- IT Security Guru

• Ordinary Ukrainians wage war with digital tools and drones | Financial Times (ft.com)

• Ukraine's secret cyber-defence: Excellent backups • The Register

• Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)

Nation State Actors

Nation State Actors – Russia

• Russia escalates threats against West in response to cyber attacks - CyberScoop

• Russia, China, oppose US cyber support of Ukraine • The Register

Nation State Actors – China

• Russia, China, oppose US cyber support of Ukraine • The Register

• Chinese hacking group Aoqin Dragon quietly spied orgs for a decade (bleepingcomputer.com)

• China Is "Scanning" One Of World's Most Surveilled City; Now Risks Being Blinded By A Bill In The UK Parliament (eurasiantimes.com)

• People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA

• US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)

Nation State Actors – Iran

• Microsoft seized 41 domains used by Iran-linked Bohrium APT - Security Affairs

• Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)

Nation State Actors – Misc APT

• State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and US (thehackernews.com)

Vulnerability Management

• CISA warning: Hackers are exploiting these 36 "significant" cyber security vulnerabilities - so patch now | ZDNet

• How CISA's list of 'must-patch' vulnerabilities has expanded both in size, and who's using it - CyberScoop

• Even the Most Advanced Threats Rely on Unpatched Systems (thehackernews.com)

Vulnerabilities

• Windows zero-day exploited in US local govt phishing attacks (bleepingcomputer.com)

• DogWalk zero-day Windows bug receives patch - but not from Microsoft (bitdefender.com)

• Chrome 102 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices | ZDNet

• Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched - 9to5Linux

• Vulnerability discovered in Apple M1 chip • The Register

• Threat Actors Start Exploiting Meeting Owl Pro Vulnerability Days After Disclosure | SecurityWeek.Com

• Critical U-Boot Vulnerability Allows Rooting of Embedded Systems | SecurityWeek.Com

Sector Specific

Financial Services Sector

• Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)

Telecoms

• String of attacks on French telecom infrastructure preceded April attack on fiber optic cables (cyberscoop.com)

• US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)

• People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA

Health/Medical/Pharma Sector

• Healthcare-specific cyber security problems and how to address them - Help Net Security

• Data for 2 million patients stolen in largest healthcare breach so far of 2022 (scmagazine.com)

Retail/eCommerce

• Online gun shops in the US hacked to steal credit cards (bleepingcomputer.com)

Energy & Utilities

• Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)

• US Water Utilities Prime Cyber Attack Target, Experts | Threatpost

Education and Academia

• Ransomware attacks keeping the educational sector on its toes - Help Net Security

• Personal Information of Over 30,000 Students Exposed in Unprotected Database | SecurityWeek.Com

Reports Published in the Last Week

• The Human Factor Report 2022 | Proofpoint US

• Router security report 2021 | Securelist

Other News

• 'Shields Up': the new normal in cyberspace - CyberScoop

• 37 Major Companies and Organisations Pledge to Enhance Cyber Resiliency and Counter Evolving Global Threats (darkreading.com)

• This hacking group quietly spied on their targets for 10 years | ZDNet

• Identity-based Attacks and Living-of-the-land Tactics Represent Top Threats - MSSP Alert

• Over Half of CISOs Struggling for Board Investment - Infosecurity Magazine

• Cisco EVP: Cyber security poverty line is human-rights issue • The Register

• Zero trust segmentation eliminates 5 cyber disasters per year and saves $20+ million annually - Help Net Security

• Top three most critical areas of web security - Help Net Security

• How the Colonial Pipeline attack has changed cyber security | CSO Online

• Five Eyes alliance’s top cop: tech is the future of Policing • The Register

• The costs and damages of DNS attacks - Help Net Security

• An Emerging Threat: Attacking 5G Via Network Slices (darkreading.com)

• How AI Is Useful — and Not Useful — for Cyber security (darkreading.com)

• Only 43% of security pros can respond to critical alerts in less than an hour - Help Net Security

• Now Is the Time to Plan for Post-Quantum Cryptography (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.