Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Morgan Stanley Client Accounts Breached in Social Engineering Attacks

Morgan Stanley Wealth Management says some of its customers had their accounts compromised in social engineering attacks.

The account breaches were the result of vishing (aka voice phishing), a social engineering attack where scammers impersonate a trusted entity (in this case Morgan Stanley) during a voice call to convince their targets into revealing sensitive information such as banking or login credentials.

The company said in a notice sent to affected clients that, "on or around February 11, 2022," a threat actor impersonating Morgan Stanley gained access to their accounts after tricking them into providing their Morgan Stanley Online account info.

After successfully breaching their accounts, the attacker also electronically transferred money to their own bank account by initiating payments using the Zelle payment service.

https://www.bleepingcomputer.com/news/security/morgan-stanley-client-accounts-breached-in-social-engineering-attacks/

• Ransomware Is Scary, But Another Scam Is Costing Victims Much, Much More

Business email compromise (BEC) remains the biggest source of financial losses, which totalled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation's (FBI) Internet Crime Center (IC3).

The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.

Last year, FBI's Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020.

BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines.

https://www.zdnet.com/article/ransomware-is-scary-but-another-scam-is-costing-victims-much-much-more-says-fbi/#ftag=RSSbaffb68

• Phishing Kits Constantly Evolve to Evade Security Software

Modern phishing kits sold on cybercrime forums as off-the-shelf packages feature multiple, sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions won’t mark them as a threat.

Fake websites that mimic well-known brands are abundant on the internet to lure victims and steal their payment details or account credentials.

Most of these websites are built using phishing kits that feature brand logos, realistic login pages, and in cases of advanced offerings, dynamic webpages assembled from a set of basic elements.

https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evolve-to-evade-security-software/

• Ransomware Payment Demands Rose Dramatically in 2021

Ransomware attackers demanded dramatically higher ransom fees last year, and the average ransom payment rose by 78% to $541,010, according to data from incident response (IR) cases investigated by Palo Alto Networks Unit 42.

IR cases by Unit 42 also saw a whopping 144% increase in ransom demands, to $2.2 million. According to the report, the most victimised sectors were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.

Cyber extortion spiked, with 85% of ransomware victims — some 2, 556 organisations — having their data dumped and exposed on leak sites, according to the "2022 Unit 42 Ransomware Threat Report."

Conti led the ransomware attack volume, representing some one in five cases Unit 42 investigated, followed by REvil, Hello Kitty, and Phobos.

https://www.darkreading.com/attacks-breaches/ransomware-payments-demands-rose-dramatically-in-2021

• 7 Suspected Members of LAPSUS$ Hacker Gang, aged 16 to 21, Arrested in UK

The City of London Police has arrested seven teenagers between the ages of 16 and 21 for their alleged connections to the prolific LAPSUS$ extortion gang that's linked to a recent burst of attacks targeting NVIDIA, Samsung, Ubisoft, LG, Microsoft, and Okta.

"The City of London Police has been conducting an investigation with its partners into members of a hacking group," Detective Inspector, Michael O'Sullivan, said in a statement shared with The Hacker News. "Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing."

The development, which was first disclosed by BBC News, comes after a report from Bloomberg revealed that a 16-year-old Oxford-based teenager is the mastermind of the group. It's not immediately clear if the minor is one among the arrested individuals. The said teen, under the online alias White or Breachbase, is alleged to have accumulated about $14 million in Bitcoin from hacking.

https://thehackernews.com/2022/03/7-suspected-members-of-lapsus-hacker.html

• Here's How Fast Ransomware Encrypts Files

Forty-two minutes and 54 seconds: that's how quickly the median ransomware variant can encrypt and lock out a victim from 100,000 of their files.

The data point came from Splunk's SURGe team, which analysed in its lab how quickly the 10 biggest ransomware strains — Lockbit, REvil, Blackmatter, Conti, Ryuk, Avaddon, Babuk, Darkside, Maize, and Mespinoza — could encrypt 100,000 files consisting of some 53.93 gigabytes of data. Lockbit won the race, with speeds of 86% faster than the median. One Lockbit sample was clocked at encrypting 25,000 files per minute.

Splunk's team found that ransomware variants are all over the map speed-wise, and the underlying hardware can dictate their encryption speeds.

https://www.darkreading.com/application-security/here-s-how-fast-ransomware-encrypts-files

• HEAT Attacks: A New Class of Cyber Threats Organisations Are Not Prepared For

Web malware (47%) and ransomware (42%) now top the list of security threats that organisations are most concerned about. Yet despite the growing risks, just 27% have advanced threat protection in place on every endpoint device that can access corporate applications and resources.

This is according to research published by Menlo Security, exploring what steps organisations are taking to secure themselves in the wake of a new class of cyber threats – known as Highly Evasive Adaptive Threats (HEAT).

As employees spend more time working in the browser and accessing cloud-based applications, the risk of HEAT attacks increases. Almost two-thirds of organisations have had a device compromised by a browser-based attack in the last 12 months. The report suggests that organisations are not being proactive enough in mitigating the risk of these threats, with 45% failing to add strength to their network security stack over the past year. There are also conflicting views on the most effective place to deploy security to prevent advanced threats, with 43% citing the network, and 37% the cloud.

https://www.helpnetsecurity.com/2022/03/22/web-security-threats/

• The Cyber Warfare Predicted in Ukraine May Be Yet to Come

In the build-up to Russia’s invasion of Ukraine, the national security community braced for a campaign combining military combat, disinformation, electronic warfare and cyber attacks. Vladimir Putin would deploy devastating cyber operations, the thinking went, to disable government and critical infrastructure, blind Ukrainian surveillance capabilities and limit lines of communications to help invading forces. But that’s not how it has played out. At least, not yet.

The danger is that as political and economic conditions deteriorate, the red lines and escalation judgments that kept Moscow’s most potent cyber capabilities in check may adjust. Western sanctions and lethal aid support to Ukraine may prompt Russian hackers to lash out against the west. Russian ransomware actors may also take advantage of the situation, possibly resorting to cyber crime as one of the few means of revenue generation.

https://www.ft.com/content/2938a3cd-1825-4013-8219-4ee6342e20ca

• The Three Russian Cyber Attacks the West Most Fears

The UK's cyber authorities are supporting the White House's calls for "increased cyber-security precautions", though neither has given any evidence that Russia is planning a cyber-attack.

Russia has previously stated that such accusations are "Russophobic".

However, Russia is a cyber-superpower with a serious arsenal of cyber-tools, and hackers capable of disruptive and potentially destructive cyber-attacks.

Ukraine has remained relatively untroubled by Russian cyber-offensives but experts now fear that Russia may go on a cyber-offensive against Ukraine's allies.

"Biden's warnings seem plausible, particularly as the West introduced more sanctions, hacktivists continue to join the fray, and the kinetic aspects of the invasion seemingly don't go to plan," says Jen Ellis, from cyber-security firm Rapid7.

This article from the BCC outlines the hacks that experts most fear, and they are repeats of things we have already seen coming out of Russia, only potentially a lot more destructive this time around.

https://www.bbc.co.uk/news/technology-60841924

• Do These 8 Things Now to Boost Your Security Ahead of Potential Russian Cyber Attacks

The message comes as the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA's current campaign is called Shields Up, which urges all organisations to patch immediately and secure network boundaries. This messaging is being echoed by UK and other Western Cyber authorities:

The use of Multi-Factor Authentication (MFA) is being very strongly advocated. The White House and other agencies both sides of the Atlantic also urged companies to take seven other steps:

• Deploy modern security tools on your computers and devices to continuously look for and mitigate threats

• Make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors

• Back up your data and ensure you have offline backups beyond the reach of malicious actors

• Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack

• Encrypt your data so it cannot be used if it is stolen

• Educate your employees to common tactics that attackers will use over email or through websites

• Work with specialists to establish relationships in advance of any cyber incidents.

https://www.zdnet.com/article/white-house-warns-do-these-8-things-now-to-boost-your-security-ahead-of-potential-russian-cyberattacks/

• Cyber Crime Victims Suffered Losses of Over $6.9B in 2021 in the US Alone

The FBI's Internet Crime Complaint Center (IC3) reported a record-breaking year for 2021 in the number of complaints it received, among which business email compromise (BEC) attacks made up the majority of incidents.

IC3 handled 847,376 complaint reports last year — an increase of 7% over 2020 — which mainly revolved around phishing attacks, nonpayment/nondelivery scams, and personal data breaches. Overall, losses amounted to more than $6.9 billion.

BEC and email account compromises ranked as the No. 1 attack, accounting for 19,954 complaints and losses of around $2.4 billion.

"In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government. Cyber incidents are in fact crimes deserving of an investigation, leading to judicial repercussions for the perpetrators who commit them," Paul Abbate, deputy director of the FBI wrote in the IC3's newly published annual report.

https://www.darkreading.com/attacks-breaches/fbi-cybercrime-victims-suffered-losses-of-over-6-9b-in-2021

• Expanding Threat Landscape: Cyber Criminals Attacking from All Sides

Research from Trend Micro warns of spiralling risk to digital infrastructure and remote workers as threat actors increase their rate of attack on organisations and individuals.

“Attackers are always working to increase their victim count and profit, whether through quantity or effectiveness of attacks,” said Jon Clay, VP of threat intelligence at Trend Micro.

“Our latest research shows that while Trend Micro threat detections rose 42% year-on-year in 2021 to over 94 billion, they shrank in some areas as attacks became more precisely targeted.”

Ransomware attackers are shifting their focus to critical businesses and industries more likely to pay, and double extortion tactics ensure that they are able to profit. Ransomware-as-a-service offerings have opened the market to attackers with limited technical knowledge – but also given rise to more specialisation, such as initial access brokers who are now an essential part of the cybercrime supply chain.

Threat actors are also getting better at exploiting human error to compromise cloud infrastructure and remote workers. Trend Micro detected and prevented 25.7 million email threats in 2021 compared to 16.7 million in 2020, with the volume of blocked phishing attempts nearly doubling over the period. Research shows home workers are often prone to take more risks than those in the office, which makes phishing a particular risk.

https://www.helpnetsecurity.com/2022/03/22/threat-actors-increase-attack/

Threats

Ransomware

• Ransomware Infections Follow Precursor Malware – Lumu • The Register

• Ransomware, Malware-as-a-Service Dominate Threat Landscape | SecurityWeek.Com

• Serious Security: DEADBOLT – The Ransomware That Goes Straight For Your Backups – Naked Security (sophos.com)

• AvosLocker Ransomware - What You Need To Know | The State of Security (tripwire.com)

• What the Conti Ransomware Group Data Leak Tells Us (darkreading.com)

• Ransomware Demands And Payments Increase With Use Of Leak Sites (computerweekly.com)

• Ten Notorious Ransomware Strains Put to The Encryption Speed Test (bleepingcomputer.com)

• Lockbit Wins Ransomware Speed Test, Encrypts 25k Files/Min • The Register

• Talos warns of BlackMatter-linked BlackCat Ransomware • The Register

• Report: 89% of Organizations Say Kubernetes Ransomware Is A Problem Today | VentureBeat

• Top Russian Meat Producer Hit with Windows BitLocker Encryption Attack (bleepingcomputer.com)

• Greece's Public Postal Service Offline Due To Ransomware Attack (bleepingcomputer.com)

• Hackers Demand $15 Million Ransom from TransUnion After Cracking "password" Password (bitdefender.com)

• Lawsuit Claims Kronos Breach Exposed Data For 'Millions' (techtarget.com)

• Estonian Man Sentenced To Prison For Role In Cyber Intrusions, Ransomware Attacks - CyberScoop

Phishing & Email

• New Phishing Toolkit Lets Anyone Create Fake Chrome Browser Windows (bleepingcomputer.com)

• Browser-in-the-Browser Attack Makes Phishing Nearly Invisible | Threatpost

• 'Unique Attack Chain' Drops Backdoor in New Phishing Campaign (darkreading.com)

Other Social Engineering

• Social Engineering Attacks To Dominate Web3, The Metaverse | ZDNet

Malware

• Malicious Microsoft Excel Add-Ins Used to Deliver RAT Malware (bleepingcomputer.com)

• BitRAT Malware Now Spreading As A Windows 10 License Activator (bleepingcomputer.com)

Mobile

• URL Rendering Trick Enabled WhatsApp, Signal, iMessage Phishing (bleepingcomputer.com)

• Downloaders Currently the Most Prevalent Android Malware (darkreading.com)

• Experts Uncover Campaign Stealing Cryptocurrency from Android and iPhone Users (thehackernews.com)

• Android Password-Stealing Malware Infects 100,000 Google Play Users (bleepingcomputer.com)

IoT

• Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns (thehackernews.com)

• Honda Civics Vulnerable To Remote Unlock, Start Hack • The Register

• How to Secure Your Home WiFi Router - The Washington Post

Data Breaches/Leaks

• UK MoD's Capita-Run Recruitment Portal Support Offline • The Register

• Background Check Company Sued Over Data Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Over 40,000 London Voters Have Data Leaked to Strangers - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Who is LAPSUS$, the Gang Hacking Microsoft, Samsung, and Okta? (gizmodo.com)

• Hackers Are Targeting European Refugee Charities -Ukrainian Official | Reuters

• Hackers Steal From Hackers By Pushing Fake Malware On Forums (bleepingcomputer.com)

• Oxford Teen Accused Of Making More Than £10m As A Leader Of International Cyber Gang (telegraph.co.uk)

Cryptocurrency/Cryptomining/Cryptojacking

• An Investigation of Cryptocurrency Scams and Schemes (trendmicro.com)

• Global Regulators Monitor Crypto Use in Ukraine War | Reuters

• Cryptocurrency Companies Impacted by HubSpot Breach (techtarget.com)

Insider Risk and Insider Threats

• 6 Types Of Insider Threats And How To Prevent Them (techtarget.com)

• HP Staffer Blew $5m On Personal Expenses With Company Card • The Register

Fraud, Scams & Financial Crime

• Internet Crime in 2021: Investment Fraud Losses Soar - Help Net Security

• NFT Fraud in the UK Soars 400% in 2021 - Infosecurity Magazine (infosecurity-magazine.com)

• DeFiance Capital Founder Loses $1.7M in NFTs To Phishing Scam - Decrypt

Insurance

• How The Increase in Ransomware Has Impacted The Cyber Insurance Market - Help Net Security

• Cyber Insurance and War Exclusions (darkreading.com)

Dark Web

• Dark Web Drug Peddler Gets Nine Years - Infosecurity Magazine

Supply Chain

• 'Secrets Sprawl' Haunts Software Supply Chain Security | SecurityWeek.Com

Cloud

• As Breaches Soar, Companies Must Turn to Cloud-Native Security Solutions For Protection - Help Net Security

Passwords & Credential Stuffing

• The Top 5 Things the 2022 Weak Password Report Means for IT Security (bleepingcomputer.com)

Spyware, Espionage & Cyber Warfare

• Russia Preparing To Conduct Cyber Attacks, White House warns - IT Security Guru

• New Mustang Panda Hacking Campaign Targets Diplomats, ISPs (bleepingcomputer.com)

• Vidar Spyware Is Now Hidden in Microsoft Help Files | ZDNet

• FCC Adds Kaspersky To Covered List Due To Unacceptable Risks To Security - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Internet Sanctions Against Russia Pose Risks, Challenges For Businesses | CSO Online

• Is It Safe To Use Russian-Based Kaspersky Antivirus? No, And Here's Why (komando.com)

• Anonymous Leaked 28gb of Data Stolen from The Central Bank of Russia - Security Affairs

• President Biden Says Russia Exploring Revenge Cyber Attacks • The Register

• Analysis: Putin's next escalation could be a direct cyberattack on the West - CNNPolitics

• Russia-backed Hackers Bypassed MFA, Exploited Print Vulnerability - MSSP Alert

• Hackers Around The World Deluge Russia's Internet With Simple, Effective Cyber Attacks (nbcnews.com)

• Anonymous Targets Western Companies Still Active in Russia - Security Affairs

• Ukrainian Enterprises Hit with the DoubleZero Wiper - Security Affairs

• NATO, G-7 Leaders Promise Bulwark Against Retaliatory Russian Cyber Attacks (cyberscoop.com)

• Russia Hacked Ukrainian Satellite Communications, Officials Believe - BBC News

• Russia-linked InvisiMole APT Targets State Organizations Of Ukraine - Security Affairs

• Corrupted Open-Source Software Enters the Russian Battlefield | ZDNet

• Nestlé Says 'Anonymous' Data Leak Actually A Self-Own • The Register

Nation State Actors – China

• Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion (thehackernews.com)

• Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection | Threatpost

• Mustang Panda Hacking Group Takes Advantage Of Ukraine Crisis In New Attacks | ZDNet

Nation State Actors – North Korea

• Dual North Korean Hacking Efforts Found Attacking Google Chrome Vulnerability for 6 Weeks - CyberScoop

Vulnerabilities

• CISA Adds 66 Vulnerabilities To List Of Bugs Exploited In Attacks (bleepingcomputer.com)

• Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability (thehackernews.com)

• Three Critical RCE Flaws Affect Hundreds of HP Printer Models - Security Affairs

• Critical Sophos Firewall vulnerability allows remote code execution (bleepingcomputer.com)

• Vulnerabilities Found in 250 HP Printer Models | CSO Online

• VMware Fixes Carbon Black Command Injection, Upload Bugs • The Register

• Western Digital Fixes Critical Bug Giving Root On My Cloud NAS Devices (bleepingcomputer.com)

Sector Specific

Health/Medical/Pharma Sector

• Scottish Mental Health Charity SAMH Targeted In Cyber Attack - BBC News

• 12,000 Sensitive Patient Images Leaked - IT Security Guru

• Over 1 Million Impacted in Data Breach at Texas Dental Services Provider | SecurityWeek.Com

Retail/eCommerce

• For Magecart groups and other credit-card skimmers, old and new opportunities abound - CyberScoop

Transport and Aviation

• SATCOM Networks on High Alert After US Govt Warning • The Register

Energy & Utilities

• US Charges Four Russians Over Hacking Campaign on Energy Sector - BBC News

Education and Academia

• Heriot-Watt University in Second Week of Outage • The Register

Reports Published in the Last Week

• The 2022 State of Cyber Assets Report (jupiterone.com)

• 2022 Weak Password Report - Specops Software

Other News

• A Better Grasp of Cyber Attack Tactics Can Stop Criminals Faster (bleepingcomputer.com)

• The Chaos (and Cost) of the Lapsus$ Hacking Carnage | SecurityWeek.Com

• Soldiers told to use Signal instead of WhatsApp for security | The Times

• Cyber Security Compliance: Start With Proven Best Practices - Help Net Security

• Only 27% of Orgs Have Advanced Threat Protection on Endpoints | VentureBeat

• Okta Breach Leads To Questions On Disclosure, Reliance On Third-Party Vendors - CyberScoop

• The Challenges Audit Leaders Need To Look Out For This Year - Help Net Security

• South Korean DarkHotel Hackers Targeted Luxury Hotels in Macau (thehackernews.com)

• ISACA: Two-Thirds of Cybersecurity Teams Are Understaffed - Infosecurity Magazine

• Security Teams are Responsible for Over 165k Assets - Infosecurity Magazine

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.