Black Arrow Cyber Threat Briefing 22 April 2022
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Why Ransomware Attacks Prefer Small Business Targets Rather Than Rich Enterprises
Enterprise businesses with 25,000 employees+ are less likely to get hit by a ransomware attack than smaller businesses — even though big companies typically can afford to pay higher ransoms, the 2022 CyberEdge Cyberthreat Defense Report concluded.
What explains hackers taking aim at small businesses more frequently than enterprise giants? The answer: Damaging a critical infrastructure facility or similar disruptions are certain to catch the eye of federal law enforcement, or national governments — something that no hacker wants, CyberEdge said. Smaller to medium-sized firms, as it turns out, get hit more frequently by ransomware attacks, on average at roughly 70 percent, the report said.
Overall, some 71 percent of organisations have been bitten by ransomware in 2022, up a point and a half from last year and by 8.5 points in 2020. It’s companies of 10,000 to 24,999 employees that are the sweet spot for ransomware hackers, nearly 75 percent of which are victimised by cyber extortionists.
The extensive study, which surveyed 1,200 security decision makers and practitioners employed by companies of greater than 500 people in 17 countries across 19 industries, is geared to helping gauge their internal practices and investments against those of their counterparts in other parts of the world.
Ransomware Plagues Finance Sector as Cyber Attacks Get More Complex
Cyber criminals have evolved from hacking wire transfers to targeting market data, as ransomware continues to hit financial firms, says a new VMware report. Here's what to do about it.
Ransomware plagues financial institutions as they face increasingly complex threats over previous years owing to the changing behaviour of cyber criminal cartels, according to VMware's latest Modern Bank Heists report.
This has happened as the cyber crime cartels have evolved beyond wire transfer frauds to target market strategies, take over brokerage accounts, and island-hop into banks, according to the report.
For the report, VMware surveyed 130 financial sector CISOs and security leaders from across different regions including North America, Europe, Asia Pacific, Central and South America, and Africa.
Report findings were consistent with observations by other security experts. "The Secret Service, in its investigative capacity to protect the nation's financial payment systems and financial infrastructure, has seen an evolution and increase in complex cyber-enabled fraud," says Jeremy Sheridan, former assistant director at the US Secret Service. "The persistent, inadequate security of systems connected to the internet provides opportunity and methodology."
76% of Organisations Worldwide Expect to Suffer a Cyber Attack This Year
Ransomware, phishing/social engineering, denial of service (DoS) attacks, and the business fallout of a data breach rank as the top concerns of global organisations, a new study shows.
The newly published Cyber Risk Index, a study by Trend Micro and the Ponemon Institute, shows that more than three-quarters of global organisations expect to suffer a cyber attack in the next 12 months — 25% of which say an attack is "very likely."
More than 80% of the 3,400 CISO and IT professionals and managers surveyed say their organisations were hit with one or more successful cyber attacks in the past 12 months, and 35% suffered seven or more attacks, according to the report, which covers the second half of 2021.
Most Email Security Approaches Fail to Block Common Threats
A full 89 percent of organisations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.
On overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.
That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and preparedness to deal with attacks and incidents.
“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report, released Wednesday.
Less than half of those surveyed said that their organisations can block delivery of email threats. And, correspondingly, less than half of organisations rank their currently deployed email security solutions as effective.
https://threatpost.com/email-security-fail-block-threats/179370/
Financial Leaders Grappling with More Aggressive and Sophisticated Attack Methods
VMware released a report which takes the pulse of the financial industry’s top CISOs and security leaders on the changing behaviour of cyber criminal cartels and the defensive shift of the financial sector.
The report found that financial institutions are facing increased destructive attacks and falling victim to ransomware more than in years past, as sophisticated cyber crime cartels evolve beyond wire transfer fraud to now target market strategies, take over brokerage accounts and island hop into banks.
In the Modern Bank Heists report, 63% of financial institutions admitted experiencing an increase in destructive attacks, with cyber criminals leveraging this method as a means to burn evidence as part of a counter incident response.
Additionally, 74% experienced at least one ransomware attack over the past year, with 63% paying the ransom. When asked about the nation-state actors behind these attacks, the majority of financial instructions stated that Russia posed the greatest concern, as geopolitical tension continues to escalate in cyberspace.
https://www.helpnetsecurity.com/2022/04/21/cybercriminal-cartels-financial-sector/
Hackers Sneak Malware into Resumes Sent to Corporate Hiring Managers
A new set of phishing attacks delivering the ‘more_eggs’ malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponised job offers.
"This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement.
The Canadian cyber security company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a US-based aerospace company, an accounting business located in the UK, a law firm, and a staffing agency, both based out of Canada.
The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.
"More_eggs achieves execution by passing malicious code to legitimate windows processes and letting those windows processes do the work for them," Keplinger said. The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection.
https://thehackernews.com/2022/04/hackers-sneak-moreeggs-malware-into.html
West Warns of Russian Cyber Attacks as Concerns Rise Over Putin’s Nuclear Rhetoric
Cyber crime groups have publicly pledged support for Russia, western officials worry about Putin’s reliance on nuclear threats and the battle for Mariupol in Ukraine grinds on.
The US and four of its closest allies have warned that “evolving intelligence” shows that Russia is contemplating cyber attacks on countries backing Ukraine, as the Kremlin’s frustration grows at its failure to make military gains.
Vladimir Putin used the launch on Wednesday of a powerful new Sarmat intercontinental ballistic missile (ICBM), capable of carrying ten or more warheads, to make nuclear threats against western countries.
The Sarmat has long been in development and test flights were initially due to start in 2017. The Pentagon confirmed that the US had been given notice of the test and was not alarmed. Western officials are more concerned by the increasing emphasis Moscow puts on its nuclear arsenal as its conventional forces have faltered in Ukraine.
The Ukrainian army continued to put up resistance in the besieged and devastated city of Mariupol, but Putin’s Chechen ally, Ramzan Kadyrov, predicted that the last stand of the port’s defenders at the Azovstal steel works would fall on Thursday.
The Kremlin has made repeated threats against the many countries that have been supplying Ukraine’s army with modern weapons, and members of the “Five Eyes” intelligence sharing network – the US, Britain, Canada, Australia and New Zealand – predicted Moscow could also work with cyber crime groups to launch attacks on governments, institutions and businesses.
Criminals Adopting New Methods To Bypass Improved Defences, Says Zscaler
The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defences with newer methods, according to researchers with Zscaler's ThreatLabz research team.
Cyber criminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls by broadening who and where they will attack.
While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents – exploiting new vectors like SMS and lowering the barrier of entry for launching attacks through pre-built tools made available on the market.
"Phishing attacks continue to remain one of the most prevalent attack vectors, often serving as a starting point for more advanced next stage attacks that may result in a large-scale breach," Deepen Desai, CISO and vice president of security research and operations at Zscaler, told The Register.
https://www.theregister.com/2022/04/20/phishing-attempts-on-rise-zscaler/
Cyber Criminals Are ‘Drinking the Tears’ of Ukrainians
In biology, when an insect drinks the tears of a large creature, it is called lachryphagy. And in cyberspace, malicious actors are likewise “drinking tears” by exploiting humanitarian concerns about the war in Ukraine for profit. Different forms of deception include tricking people into donating to bogus charities, clicking on Ukraine-themed malicious links and attachments, and even impersonating officials to extort payment for rescuing loved ones.
It is an unfortunate reality that cyber opportunists are engaging in lachryphagy to exploit humanitarian concerns about the war for profit or data collection. To date, one of the largest cryptocurrency scams involving fraudulent Ukrainian relief payments totalled $50 million in March, the Wall Street Journal reports.
Immediately following Russia’s invasion of Ukraine, cybersecurity companies warned the public that criminals were preying on Ukrainian relief fundraising efforts with cryptocurrency scams. Bitdefender Labs reports that cyber criminals have impersonated Ukrainian government entities and charitable organisations such as UNICEF, and the Australian humanitarian agency, Act for Peace. “Some [scammers] are even pretending to be Wladimir Klitschko, whose brother Vitali is mayor of Ukraine’s capital, Kyiv,” according to the BBC.
Hackers For Hire Attempt to Destroy Hedge Fund Manager's Reputation
Hackers bombarded a British hedge fund manager with 3,000 emails and fake news stories about his mortgage in an effort to destroy his reputation after being hired by a corporate rival.
Criminals even sought to gain personal information about Matthew Earl by pretending to be his sister in a three-year campaign when he raised concerns over the controversial German payments company Wirecard.
Mr Earl, a former City analyst who runs the hedge fund ShadowFall, said he was targeted by a group called Dark Basin.
This group has been linked to Aviram Azari, who this week pleaded guilty in New York to a conspiracy to target journalists and critics of Wirecard using phishing emails.
Mr Earl said the hacking attempts started in 2016 after ShadowFall, nicknamed the “dark destroyer” in the City, criticised the financial performance of Wirecard. The German company was later mired in a series of accounting scandals and went bust.
He said: “I was being sent very targeted emails, which were crafted with personal information about my interests, friends and family’s details. They were very specific.”
Mr Earl received news stories that appeared to be from media outlets such as Reuters and Bloomberg. Another email appeared to be sent by his sister, sharing family photographs, he added.
https://www.telegraph.co.uk/business/2022/04/21/reign-terror-hackers-hire-ramp-corporate-espionage/
New Threat Groups and Malware Families Emerging
Mandiant announced the findings of an annual report that provides timely data and insights based on frontline investigations and remediations of high-impact cyber attacks worldwide. The 2022 report––which tracks investigation metrics between October 1, 2020 and December 31, 2021—reveals over 1,100 new threat groups and 733 new malware families.
The report also notes a realignment and retooling of China cyber espionage operations to align with the implementation of China’s 14th Five-Year Plan in 2021. The report warns that the national-level priorities included in the plan “signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defence industry products and other dual-use technologies over the next few years.”
https://www.helpnetsecurity.com/2022/04/22/adversaries-innovating-and-adapting/
Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict
We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.
In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.
Threats
Ransomware
How Ready Are Organisations to Manage and Recover From A Ransomware Attack? - Help Net Security
FBI: BlackCat Ransomware Breached At Least 60 Entities Worldwide (bleepingcomputer.com)
Ransomware: This Gang Is Getting a Lot Quicker at Encrypting Networks | ZDNet
Hive Hackers Are Exploiting Microsoft Exchange Servers in Ransomware Spree | ZDNet
REvil's TOR Sites Come Alive to Redirect To New Ransomware Operation (bleepingcomputer.com)
PYSA Ransomware Attacks: Here's What MSSPs Need to Know - MSSP Alert
An Investigation of the BlackCat Ransomware via Trend Micro Vision One
REvil Resurrected? Ransomware Crew Appears to Be Back • The Register
FBI Warning: Ransomware Gangs Are Going After This Lucrative but Unexpected Target | ZDNet
Phishing & Email Based Attacks
LinkedIn Brand Takes Lead as Most Impersonated In Phishing Attacks (bleepingcomputer.com)
FBI Warns of 'Reverse' Instant Payments Phishing Schemes | SecurityWeek.Com
Spreading Malware Through Community Phishing - Help Net Security
Malware
Windows Malware Can Steal Social Media Credentials and Banking Logins (komando.com)
Emotet Botnet Switches to 64-bit Modules, Increases Activity (bleepingcomputer.com)
New SolarMarker Malware Variant Using Updated Techniques to Stay Under the Radar (thehackernews.com)
Emotet Reestablishes Itself at The Top Of The Malware World • The Register
Mobile
BYOD
IoT
How to Secure Smart Home (IOT) Devices | Reviews by Wirecutter (nytimes.com)
New Stealthy BotenaGo Malware Variant Targets DVR Devices (bleepingcomputer.com)
Organised Crime & Criminal Actors
Russian Hackers Are Seeking Alternative Money-Laundering Options (bleepingcomputer.com)
How Russia Is Isolating Its Own Cyber Criminals (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking
Hackers Hammer SpringShell Vulnerability In Attempt To Install Cryptominers | Ars Technica
Beanstalk DeFi Platform Loses $182 Million In Flash-Loan Attack (bleepingcomputer.com)
Hackers Steal $655K After Picking MetaMask Seed from iCloud Backup (bleepingcomputer.com)
LemonDuck Botnet Plunders Docker Cloud Instances in Cryptocurrency Crime Wave | ZDNet
Fraud, Scams & Financial Crime
Security Lessons From a Payment Fraud Attack (darkreading.com)
Scammers Snatch Up Expired Domains, Vexing Google | TechCrunch
Insurance
Dark Web
Supply Chain and Third Parties
Cloud
Rethinking Cyber-Defence Strategies in the Public-Cloud Age | Threatpost
Cyber Criminals Are Shifting Their Gaze To Kubernetes - Information Security Buzz
Passwords & Credential Stuffing
Digital Transformation
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Moving Towards Defence in Depth Under The Grey Skies Of Conflict - Help Net Security
Locked Shields ‘Live Fire’ Cyber Drills to be Held as War in Ukraine Continues - Bloomberg
Russian-Linked Shuckworm Crew Ups Attacks on Ukraine • The Register
Russian Gamaredon APT Continues to Target Ukraine - Security Affairs
Phishing Attacks Using the Topic "Azovstal" Targets Entities in Ukraine - Security Affairs
Hackers Claim to Target Russia with Cyber Attacks and Leaks - The New York Times (nytimes.com)
The Anonymous Collective Hacked Other Russian Organisations - Security Affairs
Spyware Was Used Against Catalan Targets and UK Prime Minister and Foreign Office | CSO Online
Stalkerware Detection Trends: Monitor and Spyware Findings - MSSP Alert
Catalan Chief Accuses Spain's Intelligence Agency of Hacking | SecurityWeek.Com
Anomaly 6 Tracked NSA and CIA Spies as Product Demo: Report (gizmodo.com)
Nation State Actors
Nation State Actors – Russia
Five Eyes Nations Warn of Russian Cyber Attacks Against Critical Infrastructure (thehackernews.com)
NATO Locked Shields War Games Prep for Real Russian Cyber Attack (gizmodo.com)
The Russian Cyber Threat Is Here to Stay and NATO Needs To Understand It | Fox News
A Russian Cyber Attack Is Coming —Lawmakers and Citizens Must Prepare | The Hill
US Officials Increase Warnings About Russian Cyber-Attacks - Infosecurity Magazine
Work From Home Software 'At Risk of Russian Cyber Attacks' (telegraph.co.uk)
US Officials Preparing for Potential Russian Cyber Attacks - CBS News
After Foiled Sandworm Attack, US Critical Infrastructure Should Stand Guard | CSO Online
Nation State Actors – China
Nation State Actors – North Korea
North Korea Funds Nuclear Program with Cyber Crime- IT Security Guru
North Korea Aims 'TraderTraitor' Malware at Cryptocurrency Workers (cyberscoop.com)
Blockchain Companies Warned of North Korean Hackers - IT Security Guru
Nation State Actors – Misc
Vulnerabilities
VMware, Chrome Flaws Added to Known Exploited Vulnerabilities Catalogue - Security Affairs
Cisco Releases Security Patches for TelePresence, RoomOS and Umbrella VA (thehackernews.com)
Time to get patching: Oracle's quarterly Critical Patch Update arrives with 520 fixes | ZDNet
7-Zip Zero-Day Vulnerability Grants Privilege Escalation | TechSpot
QNAP Warns of New Bugs in Its Network Attached Storage Devices – Naked Security (sophos.com)
Cisco Umbrella Default SSH Key Allows Theft of Admin Credentials (bleepingcomputer.com)
Researcher Releases PoC for Recent Java Cryptographic Vulnerability (thehackernews.com)
Critical Cryptographic Java Security Blunder Patched – Update Now! – Naked Security (sophos.com)
Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability (thehackernews.com)
Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails (thehackernews.com)
Sector Specific
Financial Services Sector
Modern Bank Heists 5.0: The Escalation from Dwell to Destruction (vmware.com)
Two-Thirds of Global Banks Witness Surge in Destructive Attacks - Infosecurity Magazine
FinTech
Health/Medical/Pharma Sector
The New Cyberthreat To Healthcare: Killware - Information Security Buzz
Many Medical Device Makers Skimp on Security Practices (darkreading.com)
Transport and Aviation
Other News
Why Companies Should Make ERP Security a Top Priority (techtarget.com)
The Evolving Role of The Lawyer in Cyber Security - Help Net Security
Cyber Security Litigation Risks: 4 Top Concerns for CISOs | CSO Online
Ponemon Research - Businesses to Invest $172b On Cyber Security In 2022 - Information Security Buzz
Funkypigeon.com Suspends Orders After 'Cyber Security Incident' | Business News | Sky News
The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)
Data Breaches, Ransomware Attacks Leave Security Teams “Exhausted” - MSSP Alert
When Attacks Surge, Turn to Data to Strengthen Detection and Response | SecurityWeek.Com
Attacker Accessed Dozens of Repositories After OAuth Token Theft - Information Security Buzz
7 Best Practices for Web3 Security Risk Mitigation (techtarget.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.