Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 14 October 2022
Black Arrow Cyber Threat Briefing 14 October 2022:
-Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
-LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
-Study Highlights Surge in Identity Theft and Phishing Attacks
-Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
-UK Government Urges Action to Enhance Supply Chain Security
-For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
-EDR Is Not a Silver Bullet
-Attackers Use Automation to Speed from Exploit to Compromise
-Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
-Why CISO Roles Require Business and Technology Savvy
-Wi-Fi Spy Drones Used to Snoop on Financial Firm
-Magniber Ransomware Attacking Individuals and Home Users
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
Some organisations have made significant improvements to their ransomware readiness profile in the last year, Axio said in a newly released report. However, a lack of fundamental cyber security practices and controls, inadequate vulnerability patching and employee training continues to leave ransomware defences lacking in potency.
Axio’s report reveals that only 30% of organisations have a ransomware-specific playbook for incident management in place. In 2021’s report Axio, maker of a cloud-based cyber management software platform, identified seven key areas emerged where organisations were deficient in implementing and sustaining basic cyber security practices.
The same patterns showed up in the 2022 report:
Managing privileged access.
Improving basic cyber hygiene.
Reducing exposure to supply chain and third-party risk.
Monitoring and defending networks.
Managing ransomware incidents.
Identifying and addressing vulnerabilities in a timely manner.
Improving cyber security training and awareness.
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues. Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.
Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and Phish Labs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.
Executive impersonation has been on the rise over the past four quarters — representing more than 15% of attacks, according to the report — as impersonating a corporate figure or company on social media is simple and effective for threat actors.
Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.
He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.
"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."
Study Highlights Surge in Identity Theft and Phishing Attacks
A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched and it highlights an alarming surge in phishing and identity theft attacks.
The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the opinions of 3,000 individuals across the US, the UK and Canada towards cyber security and revealed that nearly half (45%) of users are connected to the internet all the time, however, this has led to a surge in identity theft with almost 1 in 4 people being affected by the attack.
Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.
When it comes to implementing cyber security best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.
Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
A cyber insurer, Acuity Insurance, is reporting an increased need for cyber liability insurance across both personal and business policyholders. From June 2021 to June 2022, the insurer saw cyber liability insurance claims on its commercial insurance policies increase by more than 50%. For personal policies, they saw more than a 90% increase in cyber claims being reported in 2021 compared with 2020.
Our lives, homes and businesses are more connected than ever before. Being connected leads to a greater risk of cyber attacks, which aren't covered under standard homeowners or business insurance policies.
The insurance experts caution that everyone is at risk — whether you are a small business owner or an individual — as cyber attacks continue to pose a serious financial threat. From 2019 to 2021, cyber attacks were up 50% from the previous year, according to recent research. Wire fraud and gift card scams are two of the most common types of cyber attacks impacting both businesses and individuals.
Scams involving social engineering are some of the easiest to fall for, as fraudsters exploit a person's trust to obtain money or personal information, which can then be used for unauthorised withdrawals of money. Cyber insurance can protect you from financial loss caused by wire transfer fraud, phishing attacks, cyber extortion, cyberbullying and more, Acuity reported.
While all cyber crimes have a financial impact, fraudulent wire transfers often come with greater losses. Banks are typically not responsible for funds lost as a result of a fraudulent wire transfer inadvertently authorised by the customer. Whether it's a wrongful money transfer by a business or an individual, cyber insurance can help mitigate some of the financial loss caused by these scams.
UK Government Urges Action to Enhance Supply Chain Security
The UK government has warned organisations to take steps to strengthen their supply chain security.
New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.
Aimed at medium-to-large organisations, the document sets out practical steps to better assess cyber security across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.
The new guidance followed a government response to a call for views last year which highlighted the need for further advice. Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
https://www.infosecurity-magazine.com/news/uk-government-supply-chain-security/
For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyber attacks in 2022, with the main threat being focused on financially motivated attacks like ransomware.
“No one is safe from cyber attacks — businesses or individuals,” said SonicWall Executive Chairman of the Board Bill Conner. “Today’s business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
“It’s likely we’ll see continued acceleration and evolution of ransomware tactics, as well as other advanced persistent threats (APTs), as cyber crime continues to scale the globe seeking both valuable and weak targets.”
Companies are not only losing millions of dollars to unending malware and ransomware strikes, but cyber attacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyber attacks, organisations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against unwavering cyber attacks.
“The evolving cyber threat landscape has made us train our staff significantly more,” said Stafford Fields, IT Director, Cavett Turner & Wyble. “It’s made us spend more on cyber security. And what scares me is that an end-user can click on something and bring all our systems down — despite being well protected.”
https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/
EDR Is Not a Silver Bullet
Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.
As cyber security professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.
Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cyber security regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by customers in 2021, the most popular testing vector was EDR.
Yet cyber security stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.
While EDR should not be your only line of defence against advanced threats, including it in a defence solution array is paramount. It should be installed on all organisational servers – including Linux-based ones. Yet installation is not enough. Your organisation is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned.
https://www.helpnetsecurity.com/2022/10/11/edr-is-not-a-silver-bullet/
Attackers Use Automation to Speed from Exploit to Compromise
A report from Laceworks examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cyber criminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualisation software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:
Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalise on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to log in and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
Increased focus on infrastructure, specifically attacks against core networking and virtualisation software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.
Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance. The rise in costs could put many organisations out of the running for this essential coverage, a risky proposition given the current threat landscape.
Cyber insurance is a type of specialty insurance that protects organisations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.
Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organisations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.
Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.
Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.
https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html
Why CISO Roles Require Business and Technology Savvy
Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.
Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business — or, inversely by a businessperson who didn’t understand enough about technology.
In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.
In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain. The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.
The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.
Wi-Fi Spy Drones Used to Snoop on Financial Firm
Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.
The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe, but now these sort of attacks are actually taking place. A security researcher recently recounted an incident that occurred over the summer at a US East Coast financial firm focused on private investment.
The hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network. The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.
This led the team to the roof, where two modified commercially available consumer drones series were discovered. One drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing. The second drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.
During their investigation, they determined that the first drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi, and this data was then hard coded into the tools that were deployed on the second drone.
https://www.theregister.com/2022/10/12/drone-roof-attack/
Magniber Ransomware Attacking Individuals and Home Users
A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.
Reports have shown a ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims. Magniber was previously primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.
HP Wolf Security reported that some malware families rely exclusively on JavaScript, but have done so for some time. Currently, analysts are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.
Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
It appears that with the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
Having recently described the ransomware campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.
Threats
Ransomware and Extortion
More and more ransomware is just data theft, no encryption • The Register
Magniber ransomware now infects Windows users via JavaScript files (bleepingcomputer.com)
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
It was LockBit that forced NHS tech supplier to shut down • The Register
Ransomware posing as Windows antivirus update will just empty your wallet | TechRadar
Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (bleepingcomputer.com)
BlackByte ransomware uses new EDR evasion technique (techtarget.com)
Prevent Ransomware Attacks on Critical Infrastructure (trendmicro.com)
Microsoft Exchange servers hacked to deploy LockBit ransomware (bleepingcomputer.com)
Harvard Business Publishing licensee hit by ransomware - Security Affairs
LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware - Security Affairs
Police tricks DeadBolt ransomware out of 155 decryption keys (bleepingcomputer.com)
Phishing & Email Based Attacks
Caffeine service lets anyone launch Microsoft 365 phishing attacks (bleepingcomputer.com)
A whole load of phishing emails make it past Microsoft Defender, researchers say | TechRadar
Google Forms abused in new COVID-19 phishing wave in the U.S. (bleepingcomputer.com)
US election workers hit with phishing, malware emails • The Register
Cyber criminals are having it easy with phishing-as-a-service - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica
Banks face their 'darkest hour' as crimeware powers up • The Register
Emotet Rises Again With More Sophistication, Evasion (darkreading.com)
QAKBOT Attacks Spike Amid Concerning Cyber Criminal Collaborations (darkreading.com)
Hackers behind IcedID malware attacks diversify delivery tactics (bleepingcomputer.com)
Eternity threat group’s LilithBot: A criminal multitool • The Register
Here's another excellent reason not to browse adult websites at work | TechRadar
Experts analysed the evolution of the Emotet supply chain - Security Affairs
Mobile
Modified WhatsApp App Caught Infecting Android Devices with Malware (thehackernews.com)
Meta uncovers 400 malicious apps on Android and iOS apps | SC Media (scmagazine.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
Mullvad: Android may leak information when connected to a VPN - gHacks Tech News
Android Security Updates Patch Critical Vulnerabilities | SecurityWeek.Com
Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)
Mystery iPhone update patches against iOS 16 mail crash-attack – Naked Security (sophos.com)
Internet of Things – IoT
Data Breaches/Leaks
Client data exfiltrated in Advanced NHS cyber attack (digitalhealth.net)
Mormon Church data stolen in 'state-sponsored' cyber attack • The Register
2K Customer Data Stolen, Sold Online After Support Desk Scam (kotaku.com)
Toyota discloses data leak after access key exposed on GitHub (bleepingcomputer.com)
Fast Company says Executive Board member info was not stolen in attack (bleepingcomputer.com)
State Bar of Georgia Confirms Data Breach Following Ransomware Attack | SecurityWeek.Com
Singtel's second unit faces cyber attack weeks after Optus data breach | Reuters
Zoetop pays $1.9m to settle customer data theft case • The Register
CommonSpirit Health IT still suffering after cyber attack • The Register
Over 80,000 DJI drone IDs exposed in data leak: Report (dronedj.com)
High-Value Targets: String of Aussie Telco Breaches Continues (darkreading.com)
Data of 380K patients compromised in hack of 13 anesthesia practices | SC Media (scmagazine.com)
Australian police secret agents exposed in Colombian data leak (bleepingcomputer.com)
Toyota Reveals Data Leak of 300,000 Customers - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
INTERPOL arrests ‘Black Axe’ cyber crime syndicate members (bleepingcomputer.com)
Caffeine Phishing-as-a-Service toolkit available in the underground - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET
Fake Solana Phantom security updates push crypto-stealing malware (bleepingcomputer.com)
'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim • The Register
Fraud, Scams & Financial Crime
Alternative payment methods are creating new fraud risks - Help Net Security
Prison inmate charged with $11m fraud via cell phone • The Register
Mastercard moves to protect ‘risky and frisky’ transactions • The Register
Deepfakes
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
Denial of Service DoS/DDoS
US airports' sites taken down in DDoS attacks by pro-Russian hackers (bleepingcomputer.com)
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Cloud/SaaS
Encryption
Microsoft Office 365 uses insecure block ciphers • The Register
Microsoft Office 365 email encryption could expose message content (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Parental Controls and Child Safety
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Backup and Recovery
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Vladimir Putin’s hybrid war has begun and the West must be ready | Evening Standard
Internet outages hit Ukraine following Russian missile strikes (bitdefender.com)
Seven 'Creepy' Backdoors Used by Lebanese Cyberspy Group in Israel Attacks | SecurityWeek.Com
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers (thehackernews.com)
We must tackle Europe’s winter cyber threats head-on – POLITICO
Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky (thehackernews.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
SpaceX’s Starlink terminals in Ukraine back online after outages | Financial Times
Nation State Actors
Nation State Actors – Russia
German Cyber security Chief Accused of Russian Contact Faces Sacking - IT Security Guru
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Extreme Networks admits sales to banned Russian arms maker • The Register
Nation State Actors – China
UK Spy Chief to Warn of 'Huge' China Tech Threat | SecurityWeek.Com
China’s attack motivations, tactics, and how CISOs can mitigate threats | CSO Online
China will manipulate new tech for global influence, warns GCHQ boss | Metro News
UK telcos legally required to remove Huawei equipment • The Register
Chinese-linked hackers targeted U.S. state legislature, researchers say - CyberScoop
New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems (thehackernews.com)
UK to designate China a ‘threat’ in hawkish foreign policy shift | Foreign policy | The Guardian
WIP19, a new Chinese APT targets IT Service Providers and Telcos - Security Affairs
China-linked Budworm APT returns to target a US entity - Security Affairs
We must tackle China’s satellite-busting technology, says GCHQ chief | News | The Times
GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register
Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian
Nation State Actors – North Korea
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows (darkreading.com)
Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws (bleepingcomputer.com)
Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched (darkreading.com)
Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) - Help Net Security
Chrome 106 Update Patches Several High-Severity Vulnerabilities | SecurityWeek.Com
Researchers Detail Windows Zero-Day Vulnerability Patched Last Month (thehackernews.com)
Almost 900 servers hacked using Zimbra zero-day flaw (bleepingcomputer.com)
Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce | SecurityWeek.Com
Aruba fixes critical RCE and auth bypass flaws in EdgeConnect (bleepingcomputer.com)
WordPress Vulnerability In Shortcodes Ultimate Impacts 700,000 Sites (searchenginejournal.com)
Critical Open Source vm2 Sandbox Escape Bug Affects Millions (darkreading.com)
VMware vCenter Server bug disclosed last year still not patched (bleepingcomputer.com)
Other News
Board members should make CISOs their strategic partners - Help Net Security
5 Attack Elements Every Organisations Should Be Monitoring (darkreading.com)
Ukraine’s Starlink problems show the dangers of digital dependency | Financial Times (ft.com)
Here's 5 of the world's riskiest connected devices - Help Net Security
Older, Stored Data Is Cyber Security Risk, Report Warns - MSSP Alert
What the Uber Breach Verdict Means for CISOs in the US (darkreading.com)
Increasing network visibility is critical to improving security posture - Help Net Security
What the Uber Hack can teach us about navigating IT Security (bleepingcomputer.com)
Consumers want more transparency on how companies manage their data - Help Net Security
Gaming Is Booming. That’s Catnip for Cyber criminals. - The New York Times (nytimes.com)
Fear of cyber criminals drives cyber security improvements - Help Net Security
The next Ford Mustang won’t be easy to tune; blame cyber security | Ars Technica
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 07 October 2022
Black Arrow Cyber Threat Briefing 07 October 2022:
-Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
-Former Uber Security Chief Convicted of Covering Up Data Breach
-First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
-Email Defences Under Siege: Phishing Attacks Dramatically Improve
-Remote Services Are Becoming an Attractive Target for Ransomware
-Growing Reliance on Cloud Brings New Security Challenges
-Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
-Ransomware Group Bypasses "Enormous" Range of EDR Tools
-MS Exchange Zero-Days: The Calm Before the Storm?
-Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
-Secureworks Finds Network Intruders See Little Resistance
-Regulations, Laws and Accountability are Changing the Cyber Security Landscape
-This Year’s Biggest Cyber Threats
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”
“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.
The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.
However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.
Around 100 insurance syndicates operate at Lloyd's.
Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”
https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/
Former Uber Security Chief Convicted of Covering Up Data Breach
Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9
First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.
A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.
Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.
"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."
The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.
Email Defences Under Siege: Phishing Attacks Dramatically Improve
This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.
"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."
Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.
Remote Services Are Becoming an Attractive Target for Ransomware
Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.
A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.
In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.
Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.
All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.
https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware
Growing Reliance on Cloud Brings New Security Challenges
There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.
Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.
Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.
In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.
On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.
https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges
Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.
Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.
“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.
The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.
Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.
“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.
https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/
Ransomware Group Bypasses "Enormous" Range of EDR Tools
A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.
BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.
The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.
“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”
BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”
https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/
MS Exchange Zero-Days: The Calm Before the Storm?
Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.
The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.
Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.
The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”
Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub
https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/
Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.
For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.
One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.
Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.
“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”
https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/
Secureworks Finds Network Intruders See Little Resistance
Attackers who break into networks only need to take a few basic measures in order to avoid detection.
Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.
"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."
Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.
Regulations, Laws and Accountability are Changing the Cyber Security Landscape
As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.
Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.
The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.
In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.
One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.
In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?
This Year’s Biggest Cyber Threats
OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.
Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.
“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.
“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”
While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.
https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/
Threats
Ransomware and Extortion
Ransomware Attacks On The Rise, Secureworks Reveals in its State of the Threat Report - MSSP Alert
Ransomware: This is how half of attacks begin, and this is how you can stop them | ZDNET
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
BlackByte ransomware abuses legit driver to disable security products (bleepingcomputer.com)
Ransomware attacks ravage schools, municipal governments (techtarget.com)
More and more ransomware is just data theft, no encryption • The Register
Netwalker ransomware affiliate sentenced to 20 years in prison (bleepingcomputer.com)
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
ADATA denies RansomHouse cyber attack, says leaked data from 2021 breach (bleepingcomputer.com)
Avast releases a free decryptor for some Hades ransomware variants - Security Affairs
Cyber criminals Leak LA School Data After It Refuses to Ransom (vice.com)
How Ransomware Is Causing Chaos in American Schools (vice.com)
Ransomware hunters: the self-taught tech geniuses fighting cyber crime | Cyber crime | The Guardian
BEC – Business Email Compromise
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Phishing & Email Based Attacks
Other Social Engineering; Smishing, Vishing, etc
Callback phishing attacks evolve their social engineering tactics (bleepingcomputer.com)
3 ways enterprises can mitigate social engineering risks - Help Net Security
Malware
OpenText Releases List Of The Year’s “Nastiest” Malware - MSSP Alert
This devious malware is able to disable your antivirus | TechRadar
Bumblebee Malware Loader's Payloads Significantly Vary by Victim System (darkreading.com)
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
NullMixer Dropper Delivers a Multimalware Code Bomb (darkreading.com)
Maggie malware already infected over 250 Microsoft SQL servers - Security Affairs
Mobile
Internet of Things – IoT
7 IoT Devices That Make Security Pros Cringe (darkreading.com)
Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast (darkreading.com)
Acronis founder is afraid of his own vacuum cleaner • The Register
Data Breaches/Leaks
“Egypt Leaks” – Hacktivists are Leaking Financial Data - Security Affairs
No Shangri-La for you: Top hotel chain confirms data leak • The Register
NSA: Someone hacked military contractor and stole data • The Register
City of Tucson discloses data breach affecting over 123,000 people (bleepingcomputer.com)
Optus Says ID Numbers of 2.1 Million Compromised in Data Breach | SecurityWeek.Com
Aussie Telco Telstra Breached, Reportedly Exposing 30,000 Employees' Data (darkreading.com)
2K warns users their info has been stolen following breach of its help desk | Ars Technica
Russian retail chain 'DNS' confirms hack after data leaked online (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Breaking: Scams Linked To Crypto Soared By 335% (informationsecuritybuzz.com)
Hacker steals $566 million worth of crypto from Binance Bridge (bleepingcomputer.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Binance Says $100 Million Stolen in Latest Crypto Hack (gizmodo.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Insider Risk and Insider Threats
Meta sues app dev for stealing over 1 million WhatsApp accounts (bleepingcomputer.com)
Microsoft publishes report on holistic insider risk management - Microsoft Security Blog
Unearth offboarding risks before your employees say goodbye - Help Net Security
Splunk alleges source code theft by former employee • The Register
Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government (thehackernews.com)
Fraud, Scams & Financial Crime
Consumers Feel Hopeless in Protecting Themselves Against Cyber crime, ISACA Reports - MSSP Alert
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Russians dodging mobilization behind flourishing scam market (bleepingcomputer.com)
Scammers and rogue callers – can anything ever stop them? – Naked Security (sophos.com)
Online romance scam boss netted $9.5m, jailed for 25 years • The Register
Deepfakes
Supply Chain and Third Parties
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
Supply Chain Attack Targets Customer Engagement Firm Comm100 | SecurityWeek.Com
Denial of Service DoS/DDoS
Cloud/SaaS
Encryption
API
More Than 30% of All Malicious Attacks Target Shadow APIs (darkreading.com)
APIs are quickly becoming the most popular attack vector - Help Net Security
The Problem of API Security and How To Fix It (informationsecuritybuzz.com)
API authentication failures demonstrate the need for zero trust - Help Net Security
Shadow APIs hit with 5 billion malicious requests - Help Net Security
Open Source
When transparency is also obscurity: The conundrum that is open-source security - Help Net Security
How Secure is Using Open Source Components? - IT Security Guru
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft warns Basic Auth users over password spray attacks • The Register
Is mandatory password expiration helping or hurting your password security? - Help Net Security
Detecting and preventing LSASS credential dumping attacks - Microsoft Security Blog
Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year | WIRED
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Models, Frameworks and Standards
Secure Disposal
Backup and Recovery
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Relentless Russian Cyber attacks on Ukraine Raise Important Policy Questions (darkreading.com)
Finnish intelligence warns of Russia's cyber espionage activities - Security Affairs
Kazakhstan Pins Wave Of Cyber attacks On Foreign Actors | OilPrice.com
Albania weighed invoking NATO’s Article 5 over Iranian cyber attack - POLITICO
We breached Russian satellite network, say pro-Ukraine partisans | Cybernews
Ukrainian forces report Starlink outages during push against Russia | Financial Times (ft.com)
Report: Mexico Continued to Use Spyware Against Activists | SecurityWeek.Com
Nation State Actors
Nation State Actors – China
US authorities name China's 20 favourite vulns to exploit • The Register
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
Nation State Actors – North Korea
Vulnerabilities
Fortinet warns admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Atlassian, Microsoft bugs make CISA’s must-patch list • The Register
US authorities name China's 20 favourite vulns to exploit • The Register
October 2022 Patch Tuesday forecast: Looking for treats, not more tricks - Help Net Security
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub (bleepingcomputer.com)
CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability | SecurityWeek.Com
No fix in sight for mile-wide loophole plaguing a key Windows defence for years | Ars Technica
Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite (thehackernews.com)
Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs
Unpatched Zimbra flaw under attack is letting hackers backdoor servers | Ars Technica
macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks (darkreading.com)
Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy (thehackernews.com)
VMware fixed a high-severity bug in vCenter Server - Security Affairs
Reports Published in the Last Week
Other News
Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online
Cyber attackers view smaller organisations as easier targets - Help Net Security
Moody's turns up the heat on 'riskiest' sectors for attacks • The Register
5 reasons why security operations are getting harder | CSO Online
Former NSA Employee Faces Death Penalty for Selling Secrets (darkreading.com)
Fast Company Is Back From the Dead After Being Hacked (gizmodo.com)
Ready Or Not, Web 3 Is Coming And With It Comes Cybersquatting 2.0 (informationsecuritybuzz.com)
Cyber Hygiene: 5 Best Practices for Company Buy-In (trendmicro.com)
School Is in Session: 5 Lessons for Future Cyber Security Pros (darkreading.com)
Want More Secure Software? Start Recognizing Security-Skilled Developers (thehackernews.com)
Incident responders increasingly seek out mental health assistance - Help Net Security
You Are Not Alone If You're Unclear About Extended Detection and Response (XDR) - MSSP Alert
Why digital trust is the bedrock of business relationships - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.