Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Ransomware Demands Up By 43% So Far In 2021

The average demand for a digital extortion payment shot up in the first quarter of this year to $220,298, up 43% from the previous quarter. The median payment, too, jumped up 58% from $49,450 to $78,398. The majority of ransomware attacks in the first quarter also involved theft of corporate data, a continuation of a trend of ransomware actors increasingly relying on exfiltration and extortion demands. Seventy-seven percent of ransomware attacks included the threat to publish stolen data in the first quarter of this year, which is up 10%.

https://www.cyberscoop.com/ransomware-extortion-demands-increasing-coveware/

US Tech Pushes For Ransomware To Be Designated A National Security Threat

Big US tech companies and officials are urging governments to designate ransomware as a national security threat in a push to combat a hacking epidemic that has cost businesses tens of millions of dollars. Tech groups including Microsoft, Cisco and Amazon, cyber security companies such as FireEye and officials from the FBI and US Department of Justice have published a report calling for several measures to tackle the lucrative criminal enterprise.

https://www.ft.com/content/6e69efc8-66e2-4a1c-95d4-0a84d80091c7

Flubot Spyware Spreading Through Android Devices

Android mobile phone users across the U.K. and Europe are being targeted by text messages containing a particularly nasty piece of spyware called “Flubot”. The malware is delivered to targets through SMS texts and prompts them to install a “missed package delivery” app. Instead, it takes victims to a scam website where they download the “app” — which is just the spyware. Once installed, it then sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information. It also sends out additional text messages to the infected device’s contact list, which allows it to “go viral” — like the flu.

https://threatpost.com/flubot-spyware-android-devices/165607/

Ransomware: Do Not Expect A Full Recovery, However Much You Pay

When it comes to all the various types of malware out there, none has ever dominated the headlines quite as much as ransomware. Sure, several individual malware outbreaks have turned into truly global stories over the years. The LoveBug mass-mailing virus of 2000 springs to mind, which blasted itself into hundreds of millions of mailboxes within a few days; so, does CodeRed in 2001, the truly fileless network worm that squeezed itself into a single network packet and spread worldwide literally within minutes.

https://nakedsecurity.sophos.com/2021/04/27/ransomware-dont-expect-a-full-recovery/

61% Of Organisations Impacted By Ransomware In 2020

A full 79% of respondents indicated their companies had experienced a business disruption, financial loss or other setback in 2020 due to a lack of cyber preparedness. Respondents identified ransomware as the chief culprit behind these disruptions. Other insights include: 61% indicated they had been impacted by ransomware in 2020, a 20% increase over the number of companies reporting such disruption in last year’s report. Companies impacted by ransomware lost an average of six working days to system downtime, with 37% saying downtime lasted one week or more. 52% of ransomware victims paid threat actor ransom demands, but only 66% of those were able to recover their data. The remaining 34% never saw their data again, despite paying the ransom.

https://www.helpnetsecurity.com/2021/04/26/ransomware-2020/

SolarWinds Campaign Even Wider Than First Thought

A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. The catastrophic SolarWinds security incident involved the compromise of the IT software vendor's network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. Now researchers have now uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known.  The researchers found that this infrastructure was registered under varying names and at different times over several years to avoid establishing a traceable pattern.

https://www.cybersecurityintelligence.com/blog/solarwinds-campaign-even-wider-than-first-thought-5602.html

Buying Cyber Insurance In 2021? Expect Greater Scrutiny, Higher Premiums

Organisations will face significant challenges in purchasing, renewing, and benefitting from cyber insurance policies this year as various factors drive the sector towards a stricter, more specialized position, global specialists in law, risk, and cyber security predict. These include the continued evolution and impact of cyber threats throughout 2020 and the early months of 2021, chiefly in the form of ransomware attacks and wide-ranging supply chain security issues.

https://www.csoonline.com/article/3616595/buying-cyber-insurance-in-2021-expect-greater-scrutiny-higher-premiums-thanks-to-ransomware-supply.html

Ransomware Is Growing At An Alarming Rate, Warns GCHQ Chief

The scale and severity of ransomware is growing at an alarming rate as cyber criminals look to exploit poor cyber security to maximise profit, the director of GCHQ has warned. Organisations and their employees have been forced to adapt to different ways of working over the past year, with many now even more reliant on remote services and online collaboration platforms. But cyber-criminal gangs also represent a major threat and Fleming warned that ransomware represents a cyber security danger for organisations of all kinds.

https://www.zdnet.com/article/ransomware-is-growing-at-an-alarming-rate-warns-gchq-chief/

Threats

Ransomware

• A Ransomware Attack On Apple Shows The Future Of Cyber Crime

• Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks

• Ransomware Gang Threatens To Expose Police Informants If Ransom Is Not Paid

• A Ransomware Gang Made $260,000 In 5 Days Using The 7zip Utility

• Ransomware Task Force Calls For Aggressive Bitcoin Transaction Tracing Measures

• Ransomware Task Force Releases Long-Awaited Recommendations

• New Ransomware Group Uses SonicWall Zero-Day To Breach Networks

Phishing

• Scammers Imitate Windows Logo With Html Tables To Slip Through Email Gateways

• Phishing Attacks Target Chase Bank Customers

• Phishing Impersonates Global Recruitment Firm To Push Malware

Malware

• Rotajakiro: A Linux Backdoor That Has Flown Under The Radar For Years

• Security Firm Kaspersky Believes It Found New CIA Malware

• Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers

Vulnerabilities

• Linux Kernel Vulnerability Exposes Stack Memory, Causes Data Leaks

• F5 BIG-IP Found Vulnerable to Kerberos KDC Spoofing Vulnerability

• Linux Kernel Bug Opens Door to Wider Cyber Attacks

• Nvidia GPU Owners Warned About Serious Driver Bugs — Update Now

• Apple Patches ‘Worst MacOS Bug In Recent Memory’ After It Was Used In The Wild

Data Breaches

• MangaDex Discloses Data Breach After Stolen Database Shared Online

Organised Crime & Criminal Actors

• Spotlight on Cyber Criminal Supply Chains

Supply Chain

• CISA Issues Guidance On Defending Against Software Supply Chain Attacks

Nation State Actors

• Cyber Spies Target Military Organisations With New Nebulae Backdoor

• FBI: Russian Hackers Are Still Trying To Break Into Networks, Here's How To Protect Yours From Attack

• APT Actors Increasingly Turn To Exploits To Launch Attacks

• Report: Russia 'Likely' Kept Access To US Networks After SolarWinds Hack

 Reports Published in the Last Week

• Q1 2021 Ransomware Trends: Most Attacks Involved Threat To Leak Stolen Data

• APT Trends Report Q1 2021

Other News

• What IT Leaders Are Prioritising In Network Security Investments?

• Cyber Security Is Not Just For Your Company – It Applies To Your Ecosystem Too

• Machine Learning Security Vulnerabilities Are A Growing Threat To The Web, Report Highlights

• Organisations Can No Longer Afford To Overlook Encrypted Traffic

• FBI Shares 4 Million Email Addresses Used By Emotet With Have I Been Pwned

• Smishing: Why Text-Based Phishing Should Be on Every CISO’s Radar 

• A Facebook Vulnerability Can Allow Hackers To Scrape Users' Email Addresses

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.