Threat Intelligence Blog

Contact our Experts Now

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 14/04/2024 Black Arrow Admin 14/04/2024

Black Arrow Cyber Threat Briefing 12 April 2024

Black Arrow Cyber Threat Intelligence Briefing 12 April 2024:

-UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report

-The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise

-UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’

-74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions; Egress Reveals

-Why Are Many Businesses Turning to Third-Party Security Partners?

-60% of SMBs and 74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise

-Cyber Attacks Cost Financial Firms $12bn Says IMF

-LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call

-Most Cyber Criminal Threats are Concentrated in Just a Few Countries

-Why Incident Response is the Best Cyber Security ROI

-Ransomware Attacks are the Canaries in the Cyber Coal Mine

-Cyber Security is Crucial, but What is Risk and How do You Assess it?

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

How Hackers Can Hijack 2FA Calls with Sneaky Call Forwarding (404media.co)

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Encryption

How cryptographers finally cracked one of the Zodiac Killer’s hardest codes | Popular Science (popsci.com)

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Regulations, Fines and Legislation

Models, Frameworks and Standards

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Nation State Actors

China

Russia

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Tools and Controls

Reports Published in the Last Week

Cyber security breaches survey 2024 - GOV.UK (www.gov.uk)

Other News

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Black Arrow Admin 13/09/2023 Black Arrow Admin 13/09/2023

Black Arrow Cyber Advisory 13 September 2023 – Microsoft Patch Tuesday fixes 59 Vulnerabilities, including Two Actively Exploited, also Adobe, Chrome, Mozilla and SAP Updates

Executive summary

Microsoft’s September Patch Tuesday provides updates to address 59 security issues across its product range, including two actively exploited zero-day vulnerabilities. The exploited zero-days have both been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. Of the 59 security issues addressed by Microsoft , 5 were rated critical.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to gain SYSTEM privileges or capture and relay hashes of user passwords to gain access to that users account. Both compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.

Technical Summary

CVE-2023-36802: The actively exploited allows a local attacker to gain SYSTEM privileges.

CVE-2023-36761: This actively exploited vulnerability can allow an attacker to steal user password NTLM hashes of users who open a document, even if just in the preview plane.

Adobe

This month, Adobe released fixes for 5 vulnerabilities, including 1 critical vulnerability, across Adobe Acrobat & Reader (1), Adobe Connect (2) and Adobe Experience Manager (2). The critical vulnerability, tracked as CVE-2023-26369, impacts both Windows and macOS versions of Adobe Acrobat & Reader and if exploited, can allow an attacker to execute malicious code.

Chrome

A new update for Google Chrome is available for Windows, Linux and macOS. The update addresses 16 security fixes, including one critical and actively exploited vulnerability which could cause for denial of service or allow code execution.

Mozilla

Mozilla released fixes for two critical vulnerabilities, impacting Firefox and Thunderbird. The vulnerabilities could allow an attacker to perform code execution.

SAP

Enterprise software vendor SAP has addressed 13 vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP BusinessObjects Business Intelligence Platform. 66Including remote execution and authentication bypass. A total of 5 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.

further details on other specific updates within this patch Tuesday can be found here:

https://www.ghacks.net/2023/09/12/the-windows-september-2023-security-updates-are-now-available/

Further information on Adobe Acrobat and Reader can be found here:

https://helpx.adobe.com/security/products/acrobat/apsb23-34.html

Further information on Adobe Connect can be found here:

https://helpx.adobe.com/security/products/connect/apsb23-33.html

Further information on Adobe Experience Manager can be found here:

https://helpx.adobe.com/security/products/experience-manager/apsb23-43.html

Further information on the patches by SAP can be found here:

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Further information on Google Chrome can be found here:

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html

Further information on Mozilla can be found here:

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 10/08/2023 Black Arrow Admin 10/08/2023

Black Arrow Cyber Advisory 10 August 2023 – Microsoft Patch Tuesday Fixes 86 Vulnerabilities, including Two Actively Exploited, and Adobe Updates Summary

Executive summary

Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884, CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.

What’s the risk to me or my business?

The vulnerabilities allow an attacker to remotely execute code and cause a denial-of-service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, which is a denial-of-service vulnerability has been recorded by the US Cybersecurity and Infrastructure Security Agency (CISA) in its “Known Exploited Vulnerabilities” Catalogue.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities. Microsoft has also published an separate advisory for CVE-2023-36884.

Technical Summary

CVE-2023-36884: This vulnerability, if exploited allows threat actors to create specially crafted documents which bypass Mark of the Web (MoTW) security features, causing files to be opened with no warning, allowing a threat actor to perform remote code execution.

CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.

Adobe

In addition to Microsoft’s Patch Tuesday Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities spanned across Adobe Acrobat and Reader (16), Adobe Commerce and Adobe Dimension (2). At current, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.

further details on other specific updates within this patch Tuesday can be found here:

https://www.ghacks.net/2023/08/08/the-windows-august-2023-security-updates-fix-critical-vulnerabilities-and-internet-explorer/

Further details about CVE-2023-38180 can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180

Further details about CVE-2023-36884 can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

The advisory from Microsoft can be found here:

Further information on CISA’s Known Exploited Vulnerabilities Catalog can be found here:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://msrc.microsoft.com/update-guide/vulnerability/ADV230003

Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 17/04/2022 Black Arrow Admin 17/04/2022

Black Arrow Cyber Threat Briefing 15 April 2022

Black Arrow Cyber Threat Briefing 15 April 2022:

-Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People

-Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong

-More Organisations Are Paying the Ransom. Why?

-Cyber Attack Puts City Firms on High Alert To Bolster Defences

-More Than 60% of Organisations Suffered a Breach in the Past 12 Months

-Account Takeover Poised to Surpass Malware as The No. 1 Security Concern

-Security Research Reveals 42% Rise In New Ransomware Programs In 2021

-Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021

-As State-Backed Cyber Threats Grow, Here's How the World Is Reacting

-Q1 Reported Data Compromises Up 14% Over 2021

-Europol Announces Operation to Hit Russian Sanctions-Evaders

Black Arrow Cyber Advisory 13/04/2022 – Adobe releases security patches to address various vulnerabilities.

Black Arrow Cyber Advisory 13/04/2022 – Adobe releases security patches to address various vulnerabilities.

Executive Summary

Adobe has released several security updates deemed as ‘critical’ across their product range to address various vulnerabilities. The affected applications include Adobe Acrobat and Reader which are used by most commercial organisations, along with Photoshop and other products within their range. Some of these vulnerabilities could give a malicious actor access to remote code execution.

What’s the risk to me or my business?

While Adobe has disclosed that they are not aware of these vulnerabilities being currently exploited, it is highly likely that they will a target by malicious actors since products such as Adobe Reader are used by a large percentage of organisations.

What can I do?

Apply the available updates from Adobe as soon as possible for the software products deployed across your organisation, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

The vulnerabilities have been confirmed to affect both Windows and MacOS versions of various Adobe products, including Acrobat, Reader, Photoshop, After Effects, commerce, Magento Open Source, DC. Some of the effects of the vulnerabilities may be mitigated by good security practices, such as limiting end users local privileged access on end points. Further details on the individual vulnerabilities can be found here: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow Admin 16/01/2022 Black Arrow Admin 16/01/2022

Black Arrow Cyber Threat Briefing 14 January 2022

-Businesses Suffered 50% More Cyber Attack Attempts per Week in 2021

-Cyber Attacks Against MSPs Jump 67%

-SMEs Still An Easy Target For Cyber Criminals

-World Economic Forum: Cyber Security Failures an Increasing Global Threat

-Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days

-Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks

-North Korea Hackers Stole $400m Of Cryptocurrency In 2021, Report Says

-No Lights, No Heat, No Money - That's Life In Ukraine During Cyber Warfare

-Ukrainian Police Arrest Five Members Of Ransomware Affiliate

-Fingers Point To Lazarus, Cobalt, Fin7 As Key Hacking Groups Attacking Finance Industry

-Ransomware, Supply Chain, And Deepfakes: The Top Threats The Finance Industry Needs To Prepare For

Black Arrow Cyber Threat Briefing 06 November 2020

Cyber Threat Briefing 06 November 2020

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest of open source intelligence (OSINT), collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

2020 could be 'the worst year in cyber security history'

Businesses around the world are severely unprepared to face the sheer scale of cyber threats facing us today, new research has claimed.

The latest 2020 Business Threat Landscape report from security firm Bitdefender has said that this could be the worst year in cyber security history, as despite multiple warnings, many firms still aren't ready to protect themselves.

Bitdefender's report found that the "new normal" of remote working had led many businesses to face difficulties in ensuring their online protection, with 50% of organisations "completely unprepared" to face a scenario in which they had to migrate their entire workforce in a working from home environment.

https://www.techradar.com/news/2020-could-be-the-worst-year-in-cybersecurity-history

Two-Thirds of Financial Services Firms Suffered Cyber-Attack in the Past Year

Almost two-thirds (65%) of large financial services companies have suffered a cyber attack in the past year, while 45% have experienced a rise in attack attempts since the start of the COVID-19 pandemic.

This is according to new research from HelpSystems, which surveyed 250 CISOs and CIOs in global financial services firms about the impact of the pandemic on their cybersecurity.

It highlighted that these organisations are taking cybersecurity increasingly seriously, with 92% stating that they have increased investment in this area over the past 12 months, with 26% doing so by a significant amount. The main targets of this investment have included secure file transfer (64%), protecting the remote workforce (63%) and cloud/office365 (56%).

https://www.infosecurity-magazine.com/news/two-thirds-financial-services/

Proofpoint survey: IT security leaders worry about and are ill-prepared to defeat cyber-attacks

IT security leaders say they are ill-prepared for a cyber attack and believe that human error and a lack of security awareness are major risk factors for their organisations, according to a series of reports and surveys from cyber security vendor Proofpoint. But there are some marked variations in both the rates and the types of cyber attack between the regions surveyed.

It’s a dynamic attack landscape: in the DACH countries of Germany, Austria and Switzerland 67 per cent of IT security leaders say they have suffered at least one attack in the last 12 months, while in Benelux 72 per cent of respondents say their business has suffered at least one cyber attack in the same time period. In Sweden 59 per cent of businesses have been attacked at least once, while in the UAE the figure is much higher at 82 per cent - with 51 per cent of IT security leaders in the UAE saying their business has been targeted multiple times.

https://www.theregister.com/2020/11/05/proofpoint_survey_it_security_leaders/

Akamai sees doubling in malicious internet traffic as remote world’s bad actors boom, too

Akamai Technologies’ CEO said he is impressed by the amazing traffic levels on the internet during the coronavirus pandemic, and the world technology infrastructure’s ability to handle it. But during the stay-at-home boom, the web and cyber security expert also has been closely watching a boom in bad actors.

With so many people working from home, hackers are taking advantage, and massively increasing the number of attacks as daily routine changes caused by the pandemic are prolonged, and become potentially permanent.

“I think the threat actors are trying to take advantage of the pandemic, and of course, the prize is greater now that so much business has moved online”

Quarter-over-quarter — Akamai reported its Q3 results this week — the cyber security and cloud computing company has tracked a doubling of malicious traffic as telecommuting makes for easier targets.

https://www.cnbc.com/2020/10/29/akamai-malicious-net-traffic-doubles-as-remote-world-bad-actors-boom.html

Attacks Against Microsoft’s Remote Desktop Protocol Soar Under Work From Home Measures

The number of Remote Desktop Protocol (RDP) attacks soared by 140% in Q3 compared with the previous quarter, as cyber criminals looked to take advantage of companies relying on remote access while working from home.

RDP makes it possible for one computer to connect to another over a network and control it as though the individual was sat at the keyboard themselves. While the Microsoft tool is useful for businesses and popular among IT administrators, it has increasingly been targeted by hackers who try to gain administrator access to company servers. Once inside they are able to disable security software, steal files, delete data and install malicious software.

Slovak internet security firm ESET detected the surge between July and September, with the number of separate companies reporting brute-force attacks against their RDP connection increasing by 37% quarter-over-quarter.

https://www.verdict.co.uk/rdp-attacks-eset/

Threats

Ransomware

Ransomware gangs that steal your data don't always delete it

Ransomware gangs that steal a company's data and then get paid a ransom fee to delete it don't always follow through on their promise.

The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months.

https://www.zdnet.com/article/ransomware-gangs-that-steal-your-data-dont-always-delete-it/

Spike in Emotet activity could mean big payday for ransomware gangs

There's been a massive increase in Emotet attacks and cyber criminals are taking advantage of machines compromised by the malware to launch more malware infections as well as ransomware campaigns.

The October 2020 HP-Bromium Threat Insights Report reports a 1,200% increase in Emotet detections from July to September compared to the previous three months in which deployment of the malware appeared to decline.

https://www.zdnet.com/article/spike-in-emotet-activity-could-mean-big-payday-for-ransomware-gangs/

Italian beverage vendor Campari knocked offline after ransomware attack

Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.

The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.

https://www.zdnet.com/article/italian-beverage-vendor-campari-knocked-offline-after-ransomware-attack/

Hackney Council still working to restore services as IT boss describes horror at cyber attack

Hackney’s director of information communication technology (ICT) Rob Miller was playing football with his family on a Sunday morning early in October when he got a message letting him know there was a systems outage being investigated at the Town Hall.

By the end of Sunday, the council had moved swiftly to shut down its systems, declared an emergency and notified national agencies after Miller’s team found “clear markers” that the local authority had been hit by a serious cyber attack.

https://www.hackneycitizen.co.uk/2020/11/04/council-still-working-restore-services-boss-horror-cyber-attack/

Leading toy maker Mattel hit by ransomware

Toy industry giant Mattel disclosed that they suffered a ransomware attack in July that impacted some of its business functions but did not lead to data theft.

Mattel is the second-largest toymaker in the world with 24,000 employees and $5.7 billion in revenue for 2019. Mattel is known for its popular brands, including Barbie, Hot Wheels, Fisher-Price, American Girl, and Thomas & Friends.

https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/

Business Email Compromise (BEC)

BEC attacks increase in most industries, invoice and payment fraud rise by 155%

BEC attacks increased 15% quarter-over-quarter, driven by an explosion in invoice and payment fraud, Abnormal Security research reveals.

“As the industry’s only measure of BEC attack volume by industry, our quarterly BEC research is important for CISOs to prepare and stay ahead of attackers,” said Evan Reiser, CEO of Abnormal Security.

“Not only are BEC campaigns continuing to increase overall, they are rising in 75% of industries that we track. Since these attacks are targeted and sophisticated, these increases could indicate an ability for threat actors to scale that may overwhelm some businesses.”

For this research, BEC campaigns across eight major industries were tracked, including retail/consumer goods and manufacturing, technology, energy/infrastructure, services, medical, media/tv, finance and hospitality.

https://www.helpnetsecurity.com/2020/11/03/bec-attacks-increase-quarter-over-quarter/

Phishing

Sneaky Office 365 phishing inverts images to evade detection

A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites.

These inverted backgrounds are commonly used as part of phishing kits that attempt to clone legitimate login pages as closely as possible to harvest a target's credentials by tricking them into entering them into a fake login form.

https://www.bleepingcomputer.com/news/security/sneaky-office-365-phishing-inverts-images-to-evade-detection/

The BBC Experiences Over 250,000 Malicious Email Attacks Per Day

The British Broadcasting Corporation (BBC), the UK’s public service broadcaster, faces in excess of a quarter of a million malicious email attacks every day, according to data obtained following a Freedom of Information (FoI) request.

The corporation blocked an average of 283,597 malicious emails per day during the first eight months of 2020.

According to the data, every month the BBC receives an average of 6,704,188 emails that are classified as scam or spam as well as 18,662 malware attacks such as viruses, ransomware and spyware. In total, 51,898,393 infected emails were blocked in the period from January to August 2020.

The month which contained the highest amount of recorded incidents was July, when the BBC received 6,787,635 spam and 13,592 malware attempts. The next highest was March, when the COVID-19 first struck the UK, with 6,768,632 spam emails and 14,089 malware attacks.

https://www.infosecurity-magazine.com/news/bbc-experiences-malicious-email/

Malware

US Cyber Command exposes new Russian malware

US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks

Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).

Both ComRAT and Zebrocy are malware families that have been used by Russia hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware.

https://www.zdnet.com/article/us-cyber-command-exposes-new-russian-malware/

IoT

New data shows just how badly home users overestimate IoT security

A new survey from the National Cyber Security Alliance (NCSA) shows adult workers vastly overestimate the security of the internet devices in their homes.

The survey polled 1,000 adults – 500 aged 18-34 and 500 aged 50-75 – and found that the overwhelming majority of both believed the internet of things devices they owned were secure.

IoT devices, particularly those that are cheap, outdated and hard to upgrade, are widely considered to be an easy target for hackers. Yet 87 percent of the younger group and 77 percent of the older group said they were either “somewhat” or “very confident” in the security of their connected things

https://www.scmagazine.com/home/security-news/with-work-from-home-booming-new-data-shows-just-how-badly-home-users-overestimate-iot-security/

Vulnerabilities

Windows 10 zero-day could allow hackers to seize control of your computer

A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer.

The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company.

https://www.techradar.com/uk/news/windows-10-zero-day-could-allow-hackers-to-seize-control-of-your-computer

Adobe warns Windows, MacOS users of critical acrobat and reader flaws

Adobe has fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of application software services. The vulnerabilities could be exploited to execute arbitrary code on affected products.

These critical flaws include a heap-based buffer overflow, out-of-bounds write glitch and two use-after free flaws. The bugs are part of Adobe’s regularly scheduled patches, which overall patched critical-, important- and moderate-severity vulnerabilities tied to 14 CVEs.

https://threatpost.com/adobe-windows-macos-critical-acrobat-reader-flaws/160903/

Zero-day in Cisco AnyConnect Secure Mobility Client yet to be fixed

Cisco has disclosed a zero-day vulnerability, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code.

The flaw resided in the inter-process communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.

https://securityaffairs.co/wordpress/110414/security/zero-day-cisco-anyconnect-secure-mobility-client.html

Critical bug actively used to deploy Cobalt Strike on Oracle servers

Threat actors are actively exploiting Oracle WebLogic servers unpatched against CVE-2020-14882 to deploy Cobalt Strike beacons which allow for persistent remote access to compromised devices.

Cobalt Strike is a legitimate penetration testing tool also used by threat actors in post-exploitation tasks and to deploy so-called beacons that enable them to gain persistent remote access.

This later allows them to access the compromised servers to harvest data and to deploy second stage malware payloads.

https://www.bleepingcomputer.com/news/security/critical-bug-actively-used-to-deploy-cobalt-strike-on-oracle-servers/

Oracle Solaris Zero-Day Attack Revealed

A previously known threat group, called UNC1945, has been compromising telecommunications companies and targeting financial and professional consulting industries, by exploiting a security flaw in Oracle’s Solaris operating system.

Researchers said that the group was exploiting the bug when it was a zero-day, long before a patch arrived.

The bug, was recently addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris Pluggable Authentication Module (PAM) and allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system. Threat actors utilized a remote exploitation tool, which researchers call “EVILSUN,” to exploit the flaw.

https://threatpost.com/oracle-solaris-zero-day-attack/160929/

Data Breaches

Marriott Hotels fined £18.4m for data breach that hit millions

The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.

The Information Commissioner's Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.

The breach included seven million guest records for people in the UK.

The ICO said the company failed to put appropriate safeguards in place but acknowledged it had improved.

https://www.bbc.co.uk/news/technology-54748843

23,600 hacked databases have leaked from a defunct 'data breach index' site

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.

The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.

Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.

Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.

https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/

Other News

Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file

Suspended sentence for bank IT worker who hacked his boss's webcam because he didn't get a payrise

APT Groups Finding Success with Mix of Old and New Tools

Quantum computing may make current encryption obsolete, a quantum internet could be the solution

Reports Published in the Last Week

NCSC defends UK from more than 700 cyber attacks while supporting national pandemic response

The NCSC's fourth Annual Review reveals its ongoing work against cyber attacks, support for the UK during the coronavirus pandemic.

https://www.ncsc.gov.uk/news/ncsc-defends-uk-700-cyber-attack-national-pandemic

Ransomware Demands continue to rise as Data Exfiltration becomes common, and Maze subdues

The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q3 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic, though trust that stolen data will be deleted is eroding as defaults become more frequent when exfiltrated data is made public despite the victim paying. In Q3, Coveware saw the Maze group sunset their operations as the active affiliates migrated to Egregor (a fork of Maze). We also saw the return of the original Ryuk group, which has been dormant since the end of Q1.

https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 20/03/2020 Black Arrow Admin 20/03/2020

Cyber Weekly Flash Briefing for 20 March 2020 – Working from home brings security challenges, COVID-19 scams and malware, VPNs and MFA, broadband strain, critical patches

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Working from Home: COVID-19’s Constellation of Security Challenges

Organisations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.

As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.

As organisations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors

Thousands of COVID-19 scam and malware sites are being created on a daily basis

Malware authors and fraudsters aren't letting a tragedy go to waste.

In the midst of a global coronavirus (COVID-19) pandemic, hackers are not letting a disaster go to waste and have now automated their coronavirus-related scams to industrial levels.

According to multiple reports, cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis.

Most of these sites are being used to host phishing attacks, distribute malware-laced files, or for financial fraud, for tricking users into paying for fake COVID-19 cures, supplements, or vaccines.

More here: https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis/

EU warns of broadband strain as millions work from home

The EU has called on streaming services such as Netflix and YouTube to limit their services in order to prevent the continent’s broadband networks from crashing as tens of millions of people start working from home.

Until now, telecoms companies have been bullish that internet infrastructure can withstand the drastic change in online behaviour brought about by the coronavirus outbreak.

But on Wednesday evening, Thierry Breton, one of the European commissioners in charge of digital policy, said streaming platforms and telecoms companies had a “joint responsibility to take steps to ensure the smooth functioning of the internet” during the crisis.

COVID-19: With everyone working from home, VPN security has now become paramount

With most employees working from home amid today's COVID-19 (coronavirus) outbreak, enterprise VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus going forward for IT teams.

It is critical that the VPN service is patched and up to date because there will be more scanning against these services.

It is also critical that multi factor authentication (MFA or 2FA) is used to protect connections over VPN.

More: https://www.zdnet.com/article/covid-19-with-everyone-working-from-home-vpn-security-has-now-become-paramount/

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them

Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.

SD-WAN is host to five vulnerabilities ranging from privilege escalation to remote code injection.

Meanwhile, the Webex video-conferencing software also needs some sorting out right when everyone's working from home amid the coronavirus pandemic.

The patch bundle includes a fix for Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. A hacker can send a suitably crafted file in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF), and if the recipient clicks on it on a vulnerable computer, they get pwned. iOS users also need to patch an information-disclosure bug.

The other fixes mention SQL injection and cross-site scripting flaws.

More on The Register here: https://www.theregister.co.uk/2020/03/19/cisco_sdwan_bugs/

Windows 10 or Mac user? Patch Adobe Reader and Acrobat now to fix 9 critical security flaws

Adobe has released an important security update for its popular PDF products, Adobe Acrobat and Reader after missing its usual release aligned with Microsoft Patch Tuesday.

The company has released an update for the PDF software for Windows and macOS machines. The update addresses nine critical flaws and four vulnerabilities rated as important.

The critical flaws include an out-of-bounds write, a stack-based overflow flaw, a use-after-free, buffer overflow, and memory corruption bug.

All the critical flaws allow for arbitrary code execution, meaning attackers could use them to rig a PDF to install malware on a computer running a vulnerable version of the software.

More here: https://www.zdnet.com/article/windows-10-or-mac-user-patch-adobe-reader-and-acrobat-now-to-fix-9-critical-security-flaws/

WordPress and Apache Struts account for 55% of all weaponized vulnerabilities

Comprehensive study looks at the most attacked web technologies of the last decade.

A study that analysed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.

The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week.

In terms of programming languages, vulnerabilities in PHP and Java apps were the most weaponized bugs of the last decade.

Read the full article here: https://www.zdnet.com/article/wordpress-and-apache-struts-account-for-55-of-all-weaponized-vulnerabilities/

Trickbot malware adds new feature to target telecoms, universities and finance companies

Researchers uncover a Trickbot campaign with new abilities that looks like it's being used in an effort to steal intellectual property, financial data - and potentially for espionage.

The new form of the infamous Trickbot malware is using never-before-seen behaviour in attacks targeting telecommunications providers, universities and financial services in a campaign that looks to be going after intellectual property and financial data.

Trickbot has been in operation since 2016 and, while it started life as a banking trojan, the modular nature of the malware means it can be easily re-purposed for other means, which has led to it becoming one of the most advanced and capable forms of malware attack delivery in the world today.

And now it has been updated with yet another new capability, with a module that uses brute force attacks against targets mostly in telecoms, education, and financial services in the US and Hong Kong. These targets are pre-selected based on IP addresses, indicating that the attackers are going after them specifically.

More here: https://www.zdnet.com/article/trickbot-malware-adds-new-feature-to-target-telecoms-universities-and-finance-companies/

Most organizations have yet to fix CVE-2020-0688 Microsoft Exchange flaw

Organisations are delaying in patching Microsoft Exchange Server flaw (CVE-2020-0688) that Microsoft fixed with February 2020 Patch Day updates.

The CVE-2020-0688 flaw resides in the Exchange Control Panel (ECP) component, the root cause of the problem is that Exchange servers fail to properly create unique keys at install time.

A remote, authenticated attacker could exploit the CVE-2020-0688 vulnerability to execute arbitrary code with SYSTEM privileges on a server and take full control.

More here: https://securityaffairs.co/wordpress/99752/hacking/companies-cve-2020-0688-fixed.html

Two Trend Micro zero-days exploited in the wild by hackers

Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week.

The Japanese antivirus maker has released patches on Monday to address the two zero-days, along with three other similarly critical issues (although, not exploited in the wild).

According to the alert, the two zero-days impact the company's Apex One and OfficeScan XG enterprise security products.

Trend Micro did not release any details about the attacks.

These two zero-days mark the second and third Trend Micro antivirus bugs exploited in the wild in the last year.

Most ransomware attacks take place during the night or over the weekend

27% of all ransomware attacks take place during the weekend, 49% after working hours during weekdays

The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.

According to a report published this week, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during night-time over the weekdays, and 27% taking place over the weekend.

The numbers were compiled from dozens of ransomware incident response investigations from 2017 to 2019.

The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.

If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring what's actually happening before the ransomware encryption process ends and the company's network is down & ransomed.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Threat Intelligence Blog

Top Cyber Stories of the Last Week

UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report

Cyber Attacks Cost Financial Firms $12bn Says IMF

The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise

UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’

74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions

Why Are Many Businesses Turning to Third-Party Security Partners?

74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise

LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call

Most Cyber Criminal Threats are Concentrated in Just a Few Countries

Why Incident Response is the Best Cyber Security ROI

Ransomware Attacks are the Canaries in the Cyber Coal Mine

Cyber Security is Crucial, but What is Risk and How do You Assess it?

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Nation State Actors

China

Russia

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Tools and Controls

Reports Published in the Last Week

Other News

Sector Specific

Top Cyber Stories of the Last Week

Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People

Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong

More Organisations Are Paying the Ransom. Why?

Cyber Attack Puts City Firms on High Alert to Bolster Defences

More Than 60% of Organisations Suffered a Breach in the Past 12 Months

Account Takeover Poised to Surpass Malware as The No. 1 Security Concern

Security Research Reveals 42% Rise in New Ransomware Programs In 2021

Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021

As State-Backed Cyber Threats Grow, Here's How the World Is Reacting

Q1 Reported Data Compromises Up 14% Over 2021

Europol Announces Operation to Hit Russian Sanctions-Evaders

Threats

Ransomware

Other Social Engineering

Malware

Mobile

IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Denial of Service DoS/DDoS

Cloud

Privacy